CSS Scalable Load Balancing Method
Greetings All,
Looking to the brain trust here for some options on a requested load balancing schema.
I have a CSS11506 for which I need to configure some 'scalable' load balancing.
We have 2 servers configured for load balancing... we'll call the services S1 and S2.
The requirement is to have S1 to service all traffic until its related server CPU reaches 80%. Once this occurs, then traffic should start being sent to S2 for load balancing.
How can I accomplish this?
Thanks!
-Adam
Gilles,
Thanks for the reply.
I'm not real savvy with creating scripted keep-alives from scratch.
Can you direct me to some links where I can learn more about creating such a script on the CSS?
Thanks again!
-Adam
Similar Messages
-
I want to load balance two servers using CSS 11503. The requirement is to send all the traffic to Server1 until it dies. Meaning that...Server2 will be sitting idle and only become active when Server 1 is not available. I am not sure which load balancing method should be used to achieve this result.
Any suggestions !!!!!
You should use the sorry server function.
Here is a link to a sample config.
http://www.cisco.com/en/US/products/hw/contnetw/ps789/products_configuration_example09186a0080093de8.shtml
Gilles. -
Using a single CSS to load balance multiple services
Is it possible to use a single CSS to load balance 3 different services (server farm) ? That mean the CSS need to advertise 3 VIP
I'm thinking of two scenarios:
1 - configure the CSS to use 4 interfaces: 1 to public, 3 to private (each interface will plug-in to a different vlan/server farm)
2 - configure the CSS to use 2 interfaces: 1 to public, 1 to private (all 3 server farms are in the same vlan)
Will both scenarios work ?
Thanks
--Phillip.
Hi Phillip,
both scenarios will work. One CSS can certainly manage more than 3 services! You can even use just one VIP for all traffic, then just create the proper rules to send specific traffic to the corresponding service(s). No need for 3 VIPs.
Regards
-juerg -
Load Balance method for proxy - ISA or BlueCoat
Hi,
I would like to know which load balance method, such as src-ip, cookie, etc., is most suitable for load balancing proxy servers such as ISA or Bluecoat. The proxy will listen to many services - http, https, ftp, etc. Thanks for the help.
The methods you mentioned are not load balancing techniques, but stickiness features.
Stickiness is not always necessary.
Now, for caching devices, it is good to always send users requesting a same object to a single proxy, so that the same object is not cached in all the proxies.
Therefore, the solution in this case is loadbalancing with url hashing.
For HTTPs, if you terminate SSL on the loadbalancer, you can use the same solution.
For all the other traffic, I would suggest to start with roundrobin and see after a while if it requires some adjustments or not.
Gilles. -
We have two stacks of 3750-X switches interconnected through LACP, and a CheckPoint Firewall connected to one of the stacks. The Firewall uses a LACP bond to connect to the 3750-X Stack. On the Cisco switches we don't use any Layer3 functionality.
Since the switches are used in Layer2 mode, can we define a load balancing method that uses IP information?
For example, can we change the load balancing method from src-mac to src-dst-ip?
BRgds
Hi,
yes you can choose the method of Load balancing in LACP:
port-channel load-balance {dst-ip | dst-mac | src-dst-ip | src-dst-mac | src-ip | src-mac}
Configure an EtherChannel load-balancing method.
The default is src-mac.
Select one of these load-distribution methods:
•dst-ip—Load distribution is based on the destination-host IP address.
•dst-mac—Load distribution is based on the destination-host MAC address of the incoming packet.
•src-dst-ip—Load distribution is based on the source-and-destination host-IP address.
•src-dst-mac—Load distribution is based on the source-and-destination host-MAC address.
•src-ip—Load distribution is based on the source-host IP address.
•src-mac—Load distribution is based on the source-MAC address of the incoming packet. -
Best HTTP load balancing method
This is probably basic, but how satisfactory is this http load balancing method:
service http-1
ip address 192.168.1.10
protocol tcp
port 80
keepalive type tcp
active
service http-2
ip address 192.168.1.9
protocol tcp
port 80
keepalive type tcp
active
owner http
content web-domains
vip address 10.0.0.1
add service http-1
add service http-2
protocol tcp
port 80
balance leastconn
active
Should I rather use sticky-mask 255.255.255.255 or advanced-balance sticky-srcip?
It really depends what you are doing.
Some people will find this acceptable and for others it will just not work.
Do you need persistency ?
To answer this question check with your webserver admin.
does this website have a shopping basket ?
Finally, changing the sticky-mask is useless if you do not have sticky-srcip. So your question should be ..or .. but .. and ..
Anyway, it all depends what is required for your website to work.
You can try this config and if you run into problem capture a sniffer trace and identify the problem to see if a configuration change is needed.
Regards,
Gilles. -
Help choose the appropriate etherchannel load balance method
Hi
I have 2 network architectures :case A and case B (found architecture below)
Case A : one server connected on the switch on each site
Case B : 3 server connected on the switch behind a router on each site
2 sites are connected by 2 wireless links: each wireless link has 105 Mbps bandwidth (I absolutely need the aggregate bandwidth 210)
Site headquarter is the principal site and site backup is use to backup data located on the principal site
I use Gbit cisco 2960 switch
I use etherchannel to aggregate the 2 switch ports (port 1 and port 2) where the 2 wireless links are connected
I configured src-mac for case A but all traffic is sent only on one wireless link.
Please help me to choose the more appropriate load balance method to load balance traffic between the 2 link for the case A and for the case B
Please advise
Thanks in advance
Disclaimer
The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.
Liability Disclaimer
In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.
Posting
Your Case A might be handled by port hashing, but unfortunately most Cisco platforms don't support it.
Your Case B isn't much better, as you only have 3 hosts on each side, and according to your drawing, they are behind routers, so you don't want to use MAC hashes. If you don't have port hashing, next best choice might be src-dest-IP hashing. Again, though, with just 3 hosts, your distribution will likely not be very balanced, especially over shorter time intervals.
To obtain best utilization of your links, you need some kind of better link bonding, such as MLPPP (unfortunately, usually won't scale to FE rates) or a hardware MUX. Next best option, if you could route across the links, would be something like Cisco's OER/PfR which can dynamically load balance. -
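The hashing behaviour discussed in this thread, as an added example that is not part of the original posts: a toy model of EtherChannel link selection applied to Case A and Case B. The XOR-and-low-bits hash is an assumed simplification (the real hash is platform-specific), the port-based method is hypothetical and not one of the `port-channel load-balance` keywords quoted earlier on this page, and all addresses are constructed.

```python
"""Added example: toy model of EtherChannel link selection (not Cisco's real hash)."""
import ipaddress
from itertools import product

# Fields each method feeds into the hash. The last entry models the "port
# hashing" mentioned in the reply; it is hypothetical in this model.
METHODS = {
    "src-mac": ("src_mac",),
    "dst-mac": ("dst_mac",),
    "src-dst-mac": ("src_mac", "dst_mac"),
    "src-ip": ("src_ip",),
    "dst-ip": ("dst_ip",),
    "src-dst-ip": ("src_ip", "dst_ip"),
    "src-dst-port (hypothetical)": ("src_port", "dst_port"),
}


def mac(text):
    return int(text.replace(":", ""), 16)


def ip(text):
    return int(ipaddress.ip_address(text))


def frame(src_mac, dst_mac, src_ip, dst_ip, src_port=50000, dst_port=445):
    return {"src_mac": src_mac, "dst_mac": dst_mac, "src_ip": src_ip,
            "dst_ip": dst_ip, "src_port": src_port, "dst_port": dst_port}


def pick_link(method, frm, n_links=2):
    """Assumed model: XOR the selected fields, keep the low-order bits."""
    value = 0
    for field in METHODS[method]:
        value ^= frm[field]
    return value % n_links


def distribution(method, frames, n_links=2):
    """Number of flows that land on each member link."""
    counts = [0] * n_links
    for frm in frames:
        counts[pick_link(method, frm, n_links)] += 1
    return counts


def case_a_frames():
    """Case A (constructed): one server per site, 8 TCP flows between them."""
    return [frame(mac("00:00:5e:00:53:0a"), mac("00:00:5e:00:53:14"),
                  ip("10.0.0.10"), ip("10.0.0.20"), src_port=50000 + i)
            for i in range(8)]


def case_b_frames(senders=(11, 12, 13), receivers=(21, 22, 23)):
    """Case B (constructed): 3 hosts per site behind routers, so every frame
    on the bundle carries the two routers' MAC addresses."""
    hq_router, backup_router = mac("00:00:5e:00:53:01"), mac("00:00:5e:00:53:02")
    return [frame(hq_router, backup_router, ip(f"10.1.0.{s}"), ip(f"10.2.0.{r}"))
            for s, r in product(senders, receivers)]


if __name__ == "__main__":
    for name, frames in (("Case A", case_a_frames()), ("Case B", case_b_frames())):
        for method in METHODS:
            print(f"{name} {method:28} flows per link: {distribution(method, frames)}")
    # Only two senders and two receivers active in Case B: every pair can
    # hash to the same link even though src-dst-ip is configured.
    print("Case B subset:", distribution("src-dst-ip", case_b_frames((11, 13), (21, 23))))
```

In this model a single host pair stays on one link under every MAC or IP method, and a hash picks a link per flow, so no single flow ever exceeds one member link's bandwidth.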
CSS 11503 Load Balancing Verification
Alright, so I have toiled long and hard to get this right. I think I have the config down but I am unsure on how to verify how this load balancing is working.
Here is the Content Config that I am speaking of:
content cad-rule
add service wls1-e0
add service wls1-e1
add service wls2-e0
add service wls2-e1
add service wls3-e0
add service wls3-e1
add service wls4-e0
add service wls4-e1
add service wls5-e0
add service wls5-e1
add service wls6-e0
add service wls6-e1
arrowpoint-cookie expiration 00:00:15:00
advanced-balance arrowpoint-cookie
redundant-index 2
vip address 172.30.194.195 range 2
arrowpoint-cookie name TOQ
protocol tcp
port 8001
url "/*"
active
Each service in the rule above is configured as follows:
service wls1-e1
port 8001
protocol tcp
strin ags001-e1
ip address 172.30.193.81
keepalive type http
keepalive uri "/cad/index.html"
redundant-index 12
keepalive frequency 20
keepalive maxfailure 10
keepalive retryperiod 2
active
I am using the advanced arrowpoint cookies because I need some stickiness here. Straight round-robin would not have done what I needed it to do.
Now, when I go to my show summary, this is what I see for this rule:
cad-rule Master wls1-e0 84274
wls1-e1 13144
wls2-e0 96884
wls2-e1 26374
wls3-e0 71145
wls3-e1 16592
wls4-e0 76403
wls4-e1 8657
wls5-e0 118623
wls5-e1 22760
wls6-e0 30836
wls6-e1 20464
The far right column indicates the services hits. I originally had the E1's suspended and activated them later on. So if this was true round robin, all the E0's should have the same number of service hits and all the E1's should have the same number of service hits. But as you can see, the wls5 server is getting hit the most while the wls6 server is sitting there twiddling its thumbs.
Now understanding how the arrowpoint cookies do their load balancing (inserting a cookie into the flow and then timing out after 15 mins as configured above) I would not expect a 1:1 ratio of load balancing between servers. But the distribution above seems rather extreme.
Does anyone have any suggestions on how to both A) verify that this is the right config and B) suggest to my boss that this is working the way it should be working?
Thanks!
James
Hi James,
There are several reasons of the uneven load balancing that you are seeing (based on the show summary). First
of all, the CSS is configured to do stickiness (advance-balance).
With arrowpoint-cookies (for HTTP only) method for stickiness, only the requests coming with the same cookie
are going to get stuck to the same server, since the cookie is
lost when the browser is closed (or based on the expiration), then the stickiness is going to be session
based and if the same client open a new session is going to be load balanced.
Is important to understand that when using stickiness, no real even load balancing is
going to happen since we are sticking new flows to the same server; even when layer 5 stickiness would
permit more even balancing than layer 3 stickiness (source IP based).
Also consider that the "show summary" is a command to see the hits (requests) being balanced to an specific
server, this is a good command to see the load balancing, anyway since the CSS balance
connections (flows), a persistent connection could have a lot of requests, so all those requests are
always going to the same server (incrementing the amount of hits in the counter) while a non-persistent
connection would be just one request (refer to HTTP persistence).
Also keep in mind that if a service is take out for maintenance, or is added to the load balancing later
than another, or if goes down for a period of time, then the CSS will be balancing among the remaining alive
servers. When you add the server again, the another servers are going to have connections
already established, so since the CSS is doing round robin, the server last added will
never have the same amount of connections (nor hits) that the other ones, because while one could
have 55 for example, the new one will have it first connection, and when the first one
gets the 56, the another will get the second, and so on.
Please let me know if this makes any sense.
Diego M -
Load Balancing Methods in Planning
We are planning on Load Balancing our two web servers for performance reasons and our consultant and IT side had two different ideas of what this would mean.
Our IT side wants to use IIS and set up a Virtual Machine/IP that sits on both web servers (which are NIC card connected) thus creating the virtual entry point that would move activity to the least busy server.
Our consultant was thinking we'd have a separate piece of HW (like CISCO or Barracuda - F5) that would perform the load balancing on its own and direct traffic accordingly. He was not aware of an install utilizing the first method and we're wondering if this IIS solution will work or not.
We are using TOMCAT out of the box here too.
Any help is appreciated! We're toast on getting a new piece of HW in here in time for us to complete our migration but I just want to make sure we don't waste time going down a path that isn't viable.
Hi Paul,
The bulk of the work of a Planning server is performed by the Java App Server.
To have a highly available Planning environment you will need to look at clustering Tomcat and may need to use something like BEA Weblogic instead.
Check out the Clustering EPM Web Applications in the below PDF document.
http://download.oracle.com/docs/cd/E12825_01/epm.111/epm_manual_deployment.pdf
Regards,
-John -
CSS 11503 load-balancing with MS Print Servers
We are trying to load-balance print server connections between 2 MS print servers. When we try to connect to the print servers name, (\\PS01) or even the VIP address, we get a Path not found error. However, if we direct the path to the actual name or ip address of the print servers (not the VIP), we can view all the queues and connect/print to them. Is this possible to do on the CSS 11503? Thanks.
Pete- Here is our config. See any problems?
configure
!*************************** GLOBAL ***************************
ip route 0.0.0.0 0.0.0.0 1.100.100.100 1
!************************* INTERFACE *************************
interface 1/2
bridge vlan 2
!************************** CIRCUIT **************************
circuit VLAN1
ip address 1.100.101.110 255.0.0.0
circuit VLAN2
ip address 10.100.249.1 255.255.255.0
!************************** SERVICE **************************
service ps01
ip address 10.100.249.5
active
service ps02
ip address 10.100.249.6
active
!*************************** OWNER ***************************
owner printserver
content L3_Basic
add service ps01
add service ps02
vip address 1.100.100.35 -
Hello,
We have a CSS 11503 with the following partial config
==================
service 10.10.10.221-1724
ip address 10.10.10.1
keepalive type tcp
port 1724
keepalive port 1724
active
service 10.10.10.222-1724
ip address 10.10.10.1
keepalive type tcp
keepalive port 1724
port 1724
string string1
active
content 10.10.10.1-80-website
vip address 10.10.10.1
no persistent
advanced-balance arrowpoint-cookie
add service 10.10.10.221-1724
add service 10.10.10.222-1724
port 80
protocol tcp
url "/*"
active
============================
There is connectivity from CSS to both IP's, 10.10.10.221 and 10.10.10.222. Problem we face is as following:
A client can hit web site on both servers by going to http://10.10.10.221:1724 and http://10.10.10.222:1724.
With service started on 10.10.10.221 and 10.10.10.222, a client PC can hit website by using http://10.10.10.1.
With step 2 above, connection count increasing on "service 10.10.10.221-1724" service.
There is no activity on "service 10.10.10.222-1724"
When we stop services on 10.10.10.221, client can no longer access web site using http://10.10.10.1. In this situation, connection counter on "service 10.10.10.222-1724" increases with each attempt to access web site but the page on client machine times out.
With service stopped on 10.10.10.221, client can access web site using server IP, http://10.10.10.222:1724
Restarting service on 10.10.10.221 makes access to website using http://10.10.10.1, load balancer IP.
When capturing packets using wireshark, we see that the client machine sends re-transmission on "HTTP Get" and eventually times out.
With behavior above, it is clear that the server at 10.10.10.222 is active. What we cannot understand is why web site is inaccessible thru load balancer using http://10.10.10.1.
Please help.
Thanks,
Paresh.
Hi Paresh,
To troubleshoot this, I would recommend doing a traffic capture on the server vlan to see what is really happening with the connection.
One thing worth checking would be comparing the routing configured on both servers. If the traffic back from the server towards the client is not going through the CSS, the connection would fail, with the exact symptoms you are describing.
Regards
Daniel -
CSS 11501 Load Balancing with X-forwarded-for
Hi,
We have a pair of CSS 11501,
Currently it is using source ip for load balancing and 5 servers as backend , however we have users logging in using http and based on its source IP (ISP PROXY) , it is forwarded to SERVER A.
However, we have a SSL page and when the client switches over to SSL , it is forwarded to SERVER B/C/D/E based on its source IP ( REAL CLIENT IP) .
This will cause the user to be terminated as the 5 servers are independent and not running in a cluster.
Is there any way that we can use the X-Forwarded-For address to load balance so that when users log in, they are sent to SERVER A (Based on X-Forwarded-For Header IP which translate to REAL CLIENT IP).
This way we are able to also send it back to the same server when it uses SSL.
I believe that we should be able to load balance using X-Forwarded-For IP or to rewrite the X-Forwarded-For IP into client source IP
Regards
Hi,
Unfortunately CSS does not support X-Forwarded-For, and even if CSS supports that, this won't work if you are not using SSL termination.
One option that you can use here, is using SSL termination, so you can manage the SSL traffic on HTTP on the CSS, in this way you can use the same HTTP content rule which is the one currently working.
In summary, you will have an SSL content rule that will decrypt the traffic, and this one will use the same content rule that already exist for HTTP, in case that the server is the one doing the redirect to SSL, but this is something that requires testing since depending on the redirect behavior we might have a redirect loop, but without details it is kind of hard to confirm that you will face this with this option.
Another option, which is less complex, is to use a portless content rule, so this content rule will match port 443 and 80 at the same time, and using sticky or balance based on source IP, you will get the same result with less config. The downside is the troubleshooting, but in this way you will have what you want.
content HTTP-HTTPS
vip address 10.198.44.70
advanced-balance sticky-srcip
add service server1
add service server2
add service server3
add service server4
add service server5
protocol tcp
active
Here the content rule is not looking for the destination port, it is just looking for the source IP, and HTTP and HTTPS will end all the time on the same server.
Thanks,
Rodrigo -
CSS 11501 Load Balancing Issue
Hi,
We are facing some issue in load balancing in cisco CSS 11501 as we are not able to access the application through virtual IP. Below is the running configuration of the CSS:
CSS11501# sh running-config
!Generated on 10/06/2010 16:51:34
!Active version: sg0810106
configure
!*************************** GLOBAL ***************************
ip route 0.0.0.0 0.0.0.0 132.186.199.1 1
!************************** CIRCUIT **************************
circuit VLAN1
ip address 132.186.199.145 255.255.255.0
!************************** SERVICE **************************
service Server1
ip address 132.186.199.243
port 5001
protocol tcp
keepalive port 5001
active
service Server2
ip address 132.186.199.246
protocol tcp
port 5001
keepalive port 5001
active
!*************************** OWNER ***************************
owner L5_Owner
content L3_Rule
vip address 132.186.199.146
protocol tcp
port 5001
add service Server1
add service Server2
active
content L5_Rule
vip address 132.186.199.146
add service Server1
add service Server2
protocol tcp
port 5001
url "//132.186.199.146:5001/emi"
active
CSS11501#
Observation : We are able to telnet on VIP: 132.186.199.146 on port 5001, but not able to access the application.
In Actual scenario customer access application by accessing URL: http://132.186.199.243:5001/emi and once he enter this URL in web browser the request redirects ( by server itself) to URL: https://132.186.199.44:6002/cas/login?service=http%3A%2F%2F132.186.199.243%3A5001%2Femi%2Findex.jsp&acceptStrength=BASIC on backend server for user authentication and once user is authenticated then it again redirect to main URL ( http://132.186.199.243:5001/emi ) to access the application but when we are trying to access the application through VIP ( URL: http://132.186.199.146:5001/emi) we are not getting the login page as the request is not getting redirected to backend server for user authentication.
Please suggest a solution here.
The problem is that you are in one-armed mode.
So you need to configure client nat.
Without nating the client ip address, the server response goes back directly to the client and bypasses the CSS.
Therefore the client receives a response from an unknown server ip address (not the vip).
So configure a group.
For example
group Client
vip address 132.186.199.146
add destination service Server1
add destination service Server2
active
Also, remove the url command from your content rule.
It is useless in your case and will just make performance worse.
Gilles. -
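The return-path problem described in the reply above (and in the earlier answer about server routing), as an added example that is not part of the original thread: a packet walk through a one-armed load balancer with and without client NAT. `Packet`, `LoadBalancer` and `connect` are hypothetical names, the addresses are constructed, and the model assumes client, VIP and server share one subnet so the server can reach the client directly.

```python
"""Added example: why a one-armed load balancer needs client (source) NAT."""
from dataclasses import dataclass

# Constructed addresses, all on one subnet as in a one-armed design.
CLIENT = "192.0.2.10"
VIP = "192.0.2.100"
SERVER = "192.0.2.21"


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class LoadBalancer:
    def __init__(self, vip, server, client_nat):
        self.vip, self.server, self.client_nat = vip, server, client_nat
        self.flows = {}          # NAT source port -> original (client, port)
        self.next_port = 20000

    def forward(self, pkt):
        """Client -> VIP: rewrite the destination to the server and, with
        client NAT enabled, rewrite the source to the VIP as well."""
        if not self.client_nat:
            return Packet(pkt.src, pkt.sport, self.server, pkt.dport)
        nat_port, self.next_port = self.next_port, self.next_port + 1
        self.flows[nat_port] = (pkt.src, pkt.sport)
        return Packet(self.vip, nat_port, self.server, pkt.dport)

    def reverse(self, pkt):
        """Server -> VIP: undo both translations for the return packet."""
        client, client_port = self.flows[pkt.dport]
        return Packet(self.vip, pkt.sport, client, client_port)


def connect(client_nat):
    """Send one SYN to the VIP and report what the client gets back."""
    lb = LoadBalancer(VIP, SERVER, client_nat)
    syn = Packet(CLIENT, 50000, VIP, 80)
    to_server = lb.forward(syn)

    # The server answers whatever source address it saw.
    reply = Packet(to_server.dst, to_server.dport, to_server.src, to_server.sport)
    if reply.dst == lb.vip:
        reply = lb.reverse(reply)
        path = "server -> load balancer -> client"
    else:
        path = "server -> client (load balancer bypassed)"

    # The client's socket only matches a reply coming from the address and
    # port it connected to; anything else is not part of that connection.
    accepted = (reply.src, reply.sport, reply.dport) == (syn.dst, syn.dport, syn.sport)
    return {"path": path, "reply_src": reply.src, "accepted": accepted}


if __name__ == "__main__":
    for nat in (False, True):
        print("client NAT" if nat else "no client NAT", connect(nat))
```

With client NAT on, the server sees the load balancer's address as the source of every connection, so server-side access logs and IP-based controls no longer see the real client address.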
CSS 11050 Load Balancing with Single VLAN (no NAT)
We have several CSS 11050's in use on our network, chiefly for load-balancing web servers. In a test network I've set up, I've configured our test servers' IP addresses and our load-balanced IP address to be on the same subnet. This way our developers can easily check both single servers as well as the LB configuration. This got me thinking...
All the config documentation I've seen on the CSS seems to assume that you are putting the VIP for the content rule on a different VLAN than the IPs for the services. Is there any particular need for this? I'm in the process of setting up another network that will have its services NATed behind a PIX. There are some services (WWW) that I want load balanced and some services (passive FTP with one server) where there's really no need. Would I do any harm by putting the content rules' VIPs on the same subnet as the servers themselves? I can still plug the servers into the other ports on the CSS so that I'm not really doing a "one-arm" configuration.
-Mark Romer
You shouldn't have any problem doing this. In addition to load balancing web servers we've also balanced terminal servers that are configured to be accessed by remote users through VPN connections. Because we have over 90 remote locations, I didn't want the services and the VIP addresses to be on different VLAN's because I'd have to reconfigure the routers in all the remote locations. I was in the same position you're in, all the documentation indicated different VLAN's but I thought it would be a worth a try. Everything works perfectly...
Cody Rowland -
Hi,
I have CSS in single arm deployment model. I have multiple servers load balancing on this CSS on port 80 etc. Today I am trying to load balance one Oracle server but I am facing problem with it.
Real servers are accessible on port 80 without any problem but when we are trying to access the same servers on VIP we are not able to see the web page.
real server http://192.168.17.12/irs.htm
real server http://192.168.17.14/irs.htm
real server http://192.168.10.37/irs.htm
VIP
http://192.168.200.58/irs.htm
Below is the configuration. I can do the telnet on port 80 and I can ping the VIP IP address.
I will only put 192.168.200.58 in browser I can see the oracle page but with the full URL i am not able to see it.
Though I have other oracle servers which I have load balance with the same configuration and I can access the web page.
==========================================================================================
http://tptest.enoc.com/forms/frmservlet?config=tp (This is working fine).
========================================================================
http://irs.enoc.com/irs.htm (This is not working).
By name and by IP address both are not working.
http://192.168.200.58/irs.htm (This is not working).
=============================================================================
service IRC_1
ip address 192.168.17.12
keepalive type tcp
keepalive port 80
active
service IRC_2
ip address 192.168.17.14
keepalive type tcp
keepalive port 80
service IRC_DR
ip address 192.168.10.37
keepalive type tcp
keepalive port 80
content ENOC_IRC
add service IRC_1
add service IRC_2
add service IRC_DR
vip address 192.168.200.58
protocol tcp
port 80
advanced-balance sticky-srcip
active
owner ENOC_GIT
content ENOC_IRC
add service IRC_1
add service IRC_2
add service IRC_DR
vip address 192.168.200.58
protocol tcp
port 80
advanced-balance sticky-srcip
active
group ENOC_IRC
add destination service IRC_1
add destination service IRC_2
add destination service IRC_DR
vip address 192.168.200.58
active
===================================================================================================
ENOCDC-CSS01(config)# show service summary
Service Name State Conn Weight Avg State
Load Transitions
IRC_1 Alive 0 1 2 0
IRC_2 Suspended 0 1 255 1
IRC_DR Suspended 0 1 255 1
ENOCDC-CSS01(config)# show summary
Global Bypass Counters:
No Rule Bypass Count: 0
Acl Bypass Count: 0
Owner Content Rules State Services Service Hits
ENOC_GIT
ENOC_IRC Active IRC_1 103
IRC_2 10
IRC_DR 7
=======================================================================================================
Same setting I am doing for other servers and working fine only for these servers I am facing problem. Currently only one server is active in the configuration.
Kindly let me know what I am missing and how to fix the problem.
I have also attached the full configuration of CSS.
Hi,
My point of concern is that I did the same for Oracle server and this is working fine
http://192.168.200.95/forms/frmservlet?config=tp
only when I am doing the load balancing for
http://irs.enoc.com/irs.htm (This is not working).
By name and by IP address both are not working.
http://192.168.200.58/irs.htm (This is not working).
I don't have an option for TAC case. Is there a way to fix the problem by applying other load balancing method? Is there something to do with the Circuit VLAN? I didn't create the Circuit VLAN 17 where this server is located.
I am doing almost 8 different servers load balancing in this CSS.
Your expert opinion will definitely help me.