Dual Nic Load Balancing Solution

Hi,
I have a very peculiar situation. I'm currently a college student with access to an almost unlimited network. But the problem is that the network limits each IP to 30 Mb/s. I have 2 nics at my disposal and have tried two options so far:
- bonding
- two independent nics, let network manager take care of it
I set up bonding and got it working, but it seems limited to roughly the same speeds as a single nic, but I can see the network being split between the two nics evenly. This is what led me to conclude that since I have a single IP address it's limiting it by IP, not MAC addresses. Here I might occasionally spike above the limits but not consistently.
With the network manager solution, I'm basically thrown at random and can occasionally get higher than limited speeds. Especially with torrenting clients.
Are there any other useful options that I could explore? My next stop was a load balancing routing table but I want to see what you guys know before I keep trying weirder solutions.
Thanks in advance

falconindy wrote: There's no problem here. Please don't try to circumvent the policies your network admins are defining.
Oh come on, we'd all do the same thing if we could double our available bandwidth! 
I really can't provide much of a solution.  I did this back with my dialup days, many many eons ago.  I used 2 phone lines bonded to get my 56k speeds doubled.  It was a gigantic pain in the rear to set up back then, as well.  However, I'm lucky to remember what I had for breakfast, so remembering how I did something 15+ years ago is pretty much out of the question.
I'm sure Linux can do this, but I'm guessing one of the BSDs would have information about how to do this written up somewhere.  This is right up BSD's alley.  They have all kinds of load-balancing code built into their network stack (Amazon actually had a lot of trouble keeping up with demand when they were getting big, so they wrote up their own networking stack, which has since been returned to the FreeBSD project, iirc).  So it might be worth your time to check that out and possibly run a mini BSD setup on an old computer or something to route the bandwidth to an internal network (of course this would likely require three NICs in a single computer...so more complexity there too).  Some of the problem you are running into may be due to the network just being congested, which could explain the differing speeds.  Then there may be an issue with certain servers not being able to push out 60 MB/s worth of data to you, for whatever reason.
Either way, please keep us posted about what you do and how you do it, I'm anxious to find out the final solution here.
Best of luck to you.

Similar Messages

  • Architecture of network load balancing solution

    i'm working on a setup that will transition our existing data center setup to a network load balancing solution. i'm far from understanding what components to use and how to approach the problem so any help would be very welcome. here is what we currently have:
    1. 3 web servers (serverA, serverB, serverC)
    2. 1 sql server
    3. 2 layer two unmanaged switches
    4. 1 cisco firewall
    each one of the web servers runs a dedicated web app. what i would like is to replace serverA with a NLB cluster of 3 servers and replace serverB with another NLB cluster of 3 servers. serverC is not getting that much usage and it can stay as is.
    i have looked at a possible solution with Windows Server 2008 NLB and it seems that the best way to do it would be using multicasting which requires upgrading our switches. at the same time i would much prefer to use hardware load balancing than Windows Server. so i looked at the Cisco ACE 4710 appliance. however it seems that some of the cisco switches will also do load balancing. now i'm completely confused whether to upgrade the switches and use them for load balancing or use the ACE appliance. i would appreciate any advice and suggestions. also, any recommendations on breaking up the network using VLANs - if it is necessary with either one of the solutions or if there is some benefit. i guess i'm looking for a "best practices" solution...
    any links or documents would be very welcomed.
    thanks.

    thanks for your response. i think i'm going with ace 4710. now, as far as vlans go why would i need internet, dmz and internal vlan in my datacenter? i understand that this may be a bit off topic but what is really bugging me is this: with the current setup all of the web servers have 2 nics - one with public IP and one with private IP. same goes with the sql server. on web servers nics with private IPs are used for communicating with the database server. they could very well communicate using nics with public IPs but the person that set this up (i recently inherited it) was convincing me that with the existing setup "public" nics are not burdened with communication between web servers and database server. is this "correct" way of doing it?

  • Load Balancing Solution

    Folks:
    I need to implement a load balancing solution pretty soon and I would like some ideas regarding topology, design and methodology.
    This is what I have:
    1.) Two 7600 Aggregation routers with 4500 L2 server farm switches hanging off of them in a looped topology.
    2.) Load balancers (either an ACE module or an ACE appliance).
    3.) 4 vlans with a cluster of DNS servers in one, a cluster of DHCP in another, and 2 application server clusters in the 3rd and 4th.
    What I need to know is what approaches I can take regarding routing methodology, L2 adjacency, general approach, connectivity, etc.
    I know this is a loaded question, but if I can get 2 or 3 complete solutions from the folks on this board, that would be awesome!
    I'm about to board a plane, so I can't respond to queries until about 3 hours or so.
    Thanks!
    Victor

    Jason,
    Quite simple....
    content rule 1 (site1)
    vip address xxx.xxx.xxx.xxx
    port xx
    prot tcp
    url "//site.com/*"
    advance-balance arrow-point cookies
    no persistance
    add service server1
    add service server2
    active
    Second content:
    content rule 2 (site2)
    vip address xxx.xxx.xxx.xxx
    port xx
    prot tcp
    url "//site2.com/*"
    advance-balance arrow-point cookies
    no persistance
    add service server1
    add service server2
    add service server3
    add service server4
    active
    Services for CSS:
    Server1
    ip address xyz.sss.ddd.ddd (ip address of web server1)
    port xx
    prot tcp
    act
    Server2
    ip address xyz.sss.ddd.ddd (ip address of web server2)
    port xx
    prot tcp
    act
    Server3
    ip address xyz.sss.ddd.ddd (ip address of web server3)
    port xx
    prot tcp
    act
    Server4
    ip address xyz.sss.ddd.ddd (ip address of web server4)
    port xx
    prot tcp
    act

  • Best Load Balancing solution for NMS 4.15

    What is the best load balancing solution for Messaging Server with 250 users?

    What are you trying to achieve? I do not understand from your question what it is you are trying to accomplish. What component(s) of NMS are you trying to load balance?

  • Load balancing solution for 2-3 web servers

    i am looking for a solution for load balancing between 2-3 servers in the same datacenter. i saw the ACE 4710 but that seems expensive compared to the rest of the cisco gear in that datacenter. does anybody know what would be an entry level load balancing solution (2-3 web servers)? thanks in advance.

    the Ace appliance is the new generation and if you take the lowest license 1/2 Gig you should pay a lower price.
    You can still buy the old generation.
    This would be the CSS11501.
    If you need SSL offload this comes by default with ACE but not the CSS.
    CSS11501-K has the SSL offload feature.
    Also note the appliance has many more features which can be turned on by simply adding a new license.
    So, if your site grows and you require more functionalities or more BW, you won't need new hardware.
    Gilles.

  • ISE 1.2 - Multiple NICs/Load Balancing for DHCP Probe

    Hello guys
    Just prepping an ISE 1.2 patch 8 setup in our organization. I am going for the virtual appliances with multiple NICs. It will be a distributed deployment with 4 x PSNs behind a load balancer and there is no requirement for wireless or guest user at the moment. I've got 2 points I would like to get some guidance on:
    Our DC has a dedicated mgmt network and I plan to IP the gig0 interface of the PANs, MNTs and PSNs from this subnet. All device admin, clustering, config replication, etc will be over this interface. However, RADIUS/probe/other user traffic to the ISE PSNs will be over the gig1 interface which will be addressed from another L3 network. Is this a supported configuration in ISE?
    I intend to use the DHCP probe as part of device profiling and would ideally like to have just an additional ip helper to add to our switch SVI config. Also, it would appear that WLCs can only be configured for 2 DHCP servers for a given network so another consideration for when we bring our WLAN in scope. We however use ACE load balancers within our DC and from what I have read, they do not support DHCP load balancing. Are there any workarounds to using the DHCP probe with multiple PSNs without having to add each node as an ip helper/DHCP server on the NADs?
    Thanks in advance
    Sayre

    Hello Sayre-
    For Question #1:
    Management is restricted to GigabitEthernet 0 and that cannot be changed so you should be good there
    You can configure Radius and Profiling to be enabled on other interfaces
    Even though you are not using guest services yet, you can dedicate an interface just for that. As a result, you can separate guest traffic completely from your production network
    Take a look at this link for more info:
    http://www.cisco.com/c/en/us/td/docs/security/ise/1-2/installation_guide/ise_ig/ise_app_c-ports.html
    For Question #2
    If you are using a Cisco WLC and running code 7.4 and newer you don't need to mess with the IP helper configurations. 
    The controller can be configured to act as a collector for client profiling and interact with the DHCP thread along with the RADIUS accounting task that is running on the controller. The controller receives a copy of the DHCP request packet sent from the DHCP thread and parses the DHCP packet for two options:
    –Option 12—HostName of the client
    –Option 60—The Vendor Class Identifier
    After this information is gathered from the DHCP_REQUEST packet, a message is formed by the controller with these option fields and is sent to the RADIUS accounting thread, which is in turn transmitted to the ISE in the form of an interim accounting message.
    Both DHCP and HTTP profiling settings are located under the "Advanced" configuration tab in the WLC
    On the other hand, you can also use Anycast for profiling. You can check out some of Cisco Live's sessions for more info on that. Here is one that is from a couple of years (There are more recent ones that are available as well):
    http://www.alcatron.net/Cisco%20Live%202013%20Melbourne/Cisco%20Live%20Content/Security/BRKSEC-3040%20%20Advanced%20ISE%20and%20Secure%20Access%20Deployment.pdf
    I hope this helps!
    Thank you for rating helpful posts!
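
The option parsing described in the reply above, as an added example that is not part of the original post and is not Cisco's code: a parser that pulls Option 12 and Option 60 out of a DHCPREQUEST. The sample packet, MAC address, hostname and the function names are constructed for illustration.

```python
import struct

DHCP_MAGIC = b"\x63\x82\x53\x63"   # RFC 2131 magic cookie that precedes the options
BOOTP_FIXED_LEN = 236              # fixed BOOTP header (op .. file)
OPT_PAD, OPT_END = 0, 255
OPT_HOSTNAME, OPT_MSG_TYPE, OPT_VENDOR_CLASS = 12, 53, 60
DHCPREQUEST = 3


def parse_options(packet: bytes) -> dict:
    """Return {option code: value bytes} from a raw DHCP message (UDP payload)."""
    if len(packet) < BOOTP_FIXED_LEN + 4:
        raise ValueError("too short for a DHCP message")
    if packet[BOOTP_FIXED_LEN:BOOTP_FIXED_LEN + 4] != DHCP_MAGIC:
        raise ValueError("missing DHCP magic cookie")
    options = {}
    i = BOOTP_FIXED_LEN + 4
    while i < len(packet):
        code = packet[i]
        if code == OPT_PAD:            # pad is a single byte with no length field
            i += 1
            continue
        if code == OPT_END:
            break
        if i + 1 >= len(packet):
            raise ValueError(f"option {code} has no length byte")
        length = packet[i + 1]
        value = packet[i + 2:i + 2 + length]
        if len(value) != length:       # declared length runs past the packet
            raise ValueError(f"option {code} is truncated")
        # RFC 3396: an option code that appears more than once is concatenated
        options[code] = options.get(code, b"") + value
        i += 2 + length
    return options


def printable(value: bytes) -> str:
    """Option values are chosen by the client: keep printable ASCII only."""
    return "".join(chr(b) if 0x20 <= b < 0x7F else "?" for b in value)


def profile_attributes(packet: bytes):
    """Return the profiling fields of a DHCPREQUEST, or None for other types."""
    opts = parse_options(packet)
    if opts.get(OPT_MSG_TYPE) != bytes([DHCPREQUEST]):
        return None
    hlen = min(packet[2], 16)          # hlen field, clamped to the chaddr size
    mac = ":".join(f"{b:02x}" for b in packet[28:28 + hlen])
    return {
        "mac": mac,
        "hostname": printable(opts.get(OPT_HOSTNAME, b"")),
        "vendor_class": printable(opts.get(OPT_VENDOR_CLASS, b"")),
    }


def _opt(code: int, value: bytes) -> bytes:
    return bytes([code, len(value)]) + value


def build_sample_request(msg_type: int = DHCPREQUEST,
                         hostname: bytes = b"lab-laptop-01") -> bytes:
    """Constructed test packet, not a capture from a real network."""
    header = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        1, 1, 6, 0,                    # op=BOOTREQUEST, htype=Ethernet, hlen=6, hops
        0x1234ABCD, 0, 0,              # xid, secs, flags
        bytes(4), bytes(4), bytes(4), bytes(4),   # ciaddr, yiaddr, siaddr, giaddr
        bytes.fromhex("020000aabbcc"),            # chaddr (padded to 16 bytes)
        b"", b"",                                 # sname, file
    )
    options = (_opt(OPT_MSG_TYPE, bytes([msg_type]))
               + _opt(OPT_HOSTNAME, hostname)
               + _opt(OPT_VENDOR_CLASS, b"MSFT 5.0")
               + bytes([OPT_PAD, OPT_END]))
    return header + DHCP_MAGIC + options


if __name__ == "__main__":
    print(profile_attributes(build_sample_request()))
```

Both values come from the client, so a profiler that consumes them should treat them as hints rather than as proof of device type.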

  • Dual ISP load balancing with 2 routers and 2 FW without using BGP

    Hi all,
    Based on the attachment diagram, is the design viable?
    Has anyone done a similar deployment before, and can you share with me the config guide for this? I'm at a loss on a few configs:
    1. On core switch A and B, I understood we need to have a default route pointing to the firewall interface. For this case, I have different IPs for the same context on both the firewalls.
    So, how should the config be?
    CoreSW_A(config)#ip route 0.0.0.0 0.0.0.0 192.168.1.110
    CoreSW_A(config)#ip route 0.0.0.0 0.0.0.0 192.168.1.111
    I don't think the above will work as the core switch will load balance the traffic to both firewalls even if one of the contexts is on standby mode?
    2. The area from the firewall to the internet would all be public IP. Thus, if i put a switch in between the firewall and the router, then i would waste some public IP addresses but if i remove the switch, I would not have enough ports on the ASA firewall. What is the best recommended solution for this?
    3. How do I load balance traffic to both R1 and R2 to their respective ISPs without using BGP? I may be using only a 2811 router.
    Thanks a lot!!.. really much looking forward to some guidance and tips on this as I haven't found any guides on this deployment yet.. mostly are LAN HA.

    For policy based routing, I would need to create route maps on the core switch itself right?
    Correct me if I'm wrong, if i use route-maps, i would be assigning e.g. internal network A to go through firewall context A and internal network B to go through firewall context B.
    Context A will only have path to Router A and context B will only have path to Router B. But if router B goes down, network B won't be able to access the Internet, right?
    I'm not sure whether it's a PI or PA for this as the ISP will assign us a block of IP address, for example 202.111.1.8/29 (these IPs can be used for webservers, etc). There will also be a public IP of /30 on the serial interface to connect to their router.
    Thanks a lot..

  • Dual wireless/ Load Balancing/ Link Aggregation

    Hi all,
    I've been reading up on this topic all day, with multiple Google and Apple searches, but haven't found the exact answer to this query. There was another post on this forum http://discussions.apple.com/thread.jspa?threadID=1660762 which was vaguely similar.
    Basically I'm looking to experiment with combining 2 wireless connections, and therefore 2 separate internet connections into one Mac.
    I have seen suggestions of using a couple of wireless -> ethernet bridges, since Leopard supports Link Aggregation of ethernet devices. But the first question I have is: since I use a 3rd party wireless adaptor (Netgear wg111v3 USB dongle), it already shows up in Network Preferences as an Ethernet port. Leopard treats it as an actual ethernet device, hence is oblivious to the fact it is a wireless adaptor. Since Leopard thinks it's an ethernet port, could I use a second wireless dongle and then use Link Aggregation on them both?
    Additionally, if that idea were to work, would it then be possible to connect each wireless adaptor to a separate wireless network, or would they both have to connect to the same access point?
    My DSL connection is roughly 512k on a good day, but I find this bandwidth to be choked when someone else at home is streaming videos etc. So in principle my idea was to have one connection using the regular DSL line as usual, plus connect the secondary wireless to my friend's wireless over the road when needed (and yes he's already agreed to my use since he rarely accesses the net). Therefore, giving a total theoretical bandwidth of 512k x2.
    Since I aim for a load-balancing idea (spreading traffic over both connections), the main issue I can foresee is that this Mac will have problems routing traffic with both IPs since I read somewhere else that DNS problems might occur. It seems relatively easy to use Terminal to add a default route for specific destinations (e.g. all traffic to apple.com out of one interface, all traffic to yahoo.com out the other). However, I wondered if web traffic could be forwarded out one connection, whilst email traffic goes through the other. Alternatively, it would be great if web traffic could be "halved" and sent out both wireless connections simultaneously, though I don't think there's an easy way to do this (it would just be a nice feature if possible).
    Your thoughts and advice on the matter would be much appreciated, and I'm going to continue experimenting with various ideas and see what I come up with.


  • Cisco RV042 - Dual Wan Load Balancing - Secure Site (HTTPS) Trouble

    PID VID :
    RV042 V03
    Firmware Version :
    v4.0.0.07-tm (Aug 19 2010 19:19:50)
    Ever since I set up my RV042 with load balancing using the Dual Wan system I have had trouble staying connected to some secure sites. After doing some searching I found that the potential issue is the IP change mid session.
    "http://www.broadbandreports.com/forum/r25537589-Cisco-RV042-can-not-use-load-balancing-for-some-web-sites"
    Although my interface is significantly different I was able to find the same area in my RV042 admin area however, it doesn't seem to work.
    System Management
    > Dual Wan
    In Wan 1 & Wan 2 I have HTTPS and HTTPS Secondary all forwarded to use Wan 2 under Protocol Binding
    This however has not managed to do anything at all for my network and every computer connected experiences the same HTTPS irregularities at some websites.
    I'm sure I must be doing something wrong, but I don't know what it is.
    Both incoming connections are from the same service provider although the plans are different.
    Any help with this would greatly help me stop losing my mind trying to fight with my website control panel for 10 minutes to just login and get something done.
    Thanks

    Any ideas or advice from anyone?

  • RV320 - Dual WAN - Load Balance Problem

    Hi all,
    I've just bought an RV320 Dual WAN router and am trying to get it running. My network setup looks like the picture attached.
    I have 2 WAN Connections:
    - Router 1 (16Mbit Down / 512kbit up) - no public WAN IP
    - Router 2 (3 Mbit Down / 512kbit up) - Fixed public IP
    Router 1 is connected to WAN1 and router 2 to WAN2 port on the RV320.
    I have enabled load balancing mode.
    Questions:
    1.
    I want WAN1 to be the primary line to be used until capacity reached.
    Currently for some reason I don't understand the cisco always uses WAN2.
    That's not good as all browsing and downloading is limited to 3mbit.
    When I switch to "fail-over" mode and set primary line to WAN1 that works, but WAN2 is not kept alive.
    2.
    I am using VOIP and need to route all VOIP traffic to WAN2 interface.
    The best would be to tell the router IP 192.168.177.9 (voip phone) should use WAN2. So far I didn't figure out how to do that.
    Can I put VOIP into one VLAN group and allocated VLAN to one specific WAN interface?
    Brgds

    So, you can hear the phone ringing and answer it? Which means that SIP packets are coming through WAN to LAN and well redirected to the phone IP, but you cannot hear after that, which means that there could be a problem with the RTP packets. 
    If you have a problem only with the incoming calls and not the outgoing, then try to enable/disable SIP ALG (Firewall). If that doesn't fix the issue, try to allow (or even forward) from WAN to LAN RDP -  UDP ports 16384-32767 to the phone IP.
    Regards,
    Kremena

  • Cisco 1921 Dual ADSL Load Balancing/Failover?

    Hello,
    We have purchased a Cisco 1921 with twin ADSL after advice from a Cisco sales rep. However I am having trouble working out the load balancing/fail over config for the device.
    I would like traffic to balance over both ADSL lines and if one goes down not to interrupt connectivity.
    I had a look at ppp multilink but I am unsure our ISP (BT) support this?
    This is my current config which I think only one ADSL line is being used. Some input would be appreciated
    Robbie
    ! Last configuration change at 13:18:34 UTC Tue Mar 29 2011
    version 15.0
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    hostname xxxxxx
    boot-start-marker
    boot-end-marker
    no logging buffered
    enable secret 5 xxxxx
    enable password xxxx
    no aaa new-model
    no ipv6 cef
    ip source-route
    ip cef
    ip name-server 194.74.65.68
    ip name-server 194.72.0.114
    multilink bundle-name authenticated
    crypto pki trustpoint TP-self-signed-xxxxxx
    enrollment selfsigned
    subject-name cn=IOS-Self-Signed-Certificate-xxxxx0
    revocation-check none
    rsakeypair TP-self-signed-xxxxx!
    crypto pki certificate chain TP-self-signed-xxxxxx
    certificate self-signed 02 nvram:IOS-Self-Sig#4.cer
    license udi pid CISCO1921/K9 xxxxx
    username admin privilege 15 secret 5 xxxxxxxxxx/
    interface GigabitEthernet0/0
    description lan$ETH-LAN$
    ip address 10.0.8.1 255.255.248.0
    ip nat inside
    ip virtual-reassembly
    duplex auto
    speed auto
    interface GigabitEthernet0/1
    no ip address
    shutdown
    duplex auto
    speed auto
    interface ATM0/0/0
    no ip address
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip flow ingress
    no atm ilmi-keepalive
    dsl operating-mode adsl2
    interface ATM0/0/0.1 point-to-point
    description $ES_WAN$$FW_OUTSIDE$
    ip flow ingress
    pvc 0/38
      encapsulation aal5mux ppp dialer
      dialer pool-member 1
    interface ATM0/1/0
    no ip address
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip flow ingress
    no atm ilmi-keepalive
    dsl operating-mode adsl2
    interface ATM0/1/0.1 point-to-point
    description $ES_WAN$$FW_OUTSIDE$
    ip flow ingress
    pvc 0/38
      encapsulation aal5mux ppp dialer
      dialer pool-member 1
    interface Dialer0
    mtu 1483
    ip address negotiated
    ip access-group spalding in
    ip access-group spalding out
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip flow ingress
    ip nat outside
    ip virtual-reassembly
    encapsulation ppp
    dialer pool 1
    dialer-group 1
    ppp authentication chap callin
    ppp chap hostname xxxxx
    ppp chap password 0 xxxxx
    ppp multilink
    ppp multilink links minimum 2
    ppp multilink fragment disable
    ppp timeout multilink link add 2
    no cdp enable
    interface Dialer1
    mtu 1483
    ip address negotiated
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip flow ingress
    ip nat outside
    ip virtual-reassembly
    encapsulation ppp
    dialer pool 1
    dialer-group 1
    ppp authentication chap callin
    ppp chap hostname xxxxx
    ppp chap password 0 xxxxx
    ppp link reorders
    ppp multilink
    ppp multilink links minimum 2
    ppp multilink fragment disable
    ppp timeout multilink link add 2
    no cdp enable
    ip forward-protocol nd
    no ip http server
    ip http authentication local
    ip http secure-server
    ip http timeout-policy idle 60 life 86400 requests 10000
    ip nat inside source list 1 interface Dialer0 overload
    ip nat inside source static tcp 10.0.15.201 3389 interface Dialer0 3389
    ip nat outside source static tcp 195.194.75.218 3389 10.0.15.200 3389 extendable
    ip route 0.0.0.0 0.0.0.0 Dialer0
    access-list 1 remark INSIDE_IF=GigabitEthernet0/0
    access-list 1 permit 10.0.0.0 0.254.255.255
    dialer-list 1 protocol ip permit
    control-plane
    line con 0
    line aux 0
    line vty 0 4
    privilege level 15
    login local
    transport input telnet ssh
    line vty 5 15
    privilege level 15
    login local
    transport input telnet ssh
    scheduler allocate 20000 1000
    end

    Hi,
    Can anyone help me with this config?  not very reliable.
    Building configuration...
    Current configuration : 17349 bytes
    ! Last configuration change at 06:08:06 UTC Sun Apr 5 2015 by Shawn
    version 15.4
    no service pad
    service tcp-keepalives-in
    service tcp-keepalives-out
    service timestamps debug datetime msec localtime show-timezone
    service timestamps log datetime msec localtime show-timezone
    service password-encryption
    service sequence-numbers
    hostname Router
    boot-start-marker
    boot system flash0:c2900-universalk9-mz.SPA.154-3.M2.bin
    boot-end-marker
    security authentication failure rate 3 log
    security passwords min-length 6
    logging buffered 51200
    logging console critical
    enable secret 5 $1$sNeA$GB6.SMrcsxPf51tK2Eo9Z.
    aaa new-model
    aaa authentication login local_authen local
    aaa authorization exec local_author local
    aaa session-id common
    no ip source-route
    ip port-map user-protocol--8 port udp 3392
    ip port-map user-protocol--9 port tcp 3397
    ip port-map user-protocol--2 port udp 3391
    ip port-map user-protocol--3 port tcp 14000
    ip port-map user-protocol--1 port tcp 3391
    ip port-map user-protocol--6 port udp 3394
    ip port-map user-protocol--7 port tcp 3392
    ip port-map user-protocol--4 port udp 14100
    ip port-map user-protocol--5 port tcp 3394
    ip port-map user-protocol--10 port udp 3397
    ip dhcp excluded-address 192.168.1.1 192.168.1.49
    ip dhcp excluded-address 192.168.10.1 192.168.10.49
    ip dhcp pool DHCP_POOL1
     import all
     network 192.168.1.0 255.255.255.0
     dns-server 139.130.4.4 203.50.2.71
     default-router 192.168.1.1
     lease infinite
    ip dhcp pool ccp-pool1
     import all
     network 192.168.10.0 255.255.255.0
     dns-server 139.130.4.4 203.50.2.71
     default-router 192.168.10.1
     lease infinite
    no ip bootp server
    ip host SHAWN-PC 192.168.1.10
    ip host DIAG 192.168.1.5
    ip host MSERV 192.168.1.13
    ip name-server 139.130.4.4
    ip name-server 203.50.2.71
    ip cef
    ip cef load-sharing algorithm include-ports source destination
    no ipv6 cef
    multilink bundle-name authenticated
    cts logging verbose
    crypto pki trustpoint TP-self-signed-1982477479
     enrollment selfsigned
     subject-name cn=IOS-Self-Signed-Certificate-1982477479
     revocation-check none
     rsakeypair TP-self-signed-1982477479
    license udi pid 
    license boot module c2900 technology-package securityk9
    license boot module c2900 technology-package datak9
    redundancy
    controller VDSL 0/0/0
     operating mode adsl2+
    controller VDSL 0/1/0
     operating mode adsl2+
    no cdp run
    track timer interface 5
    track 1 interface Dialer0 ip routing
     delay down 15 up 10
    track 2 interface Dialer1 ip routing
     delay down 15 up 10
    ip tcp synwait-time 10
    ip ssh time-out 60
    ip ssh authentication-retries 2
    class-map type inspect match-all sdm-nat-user-protocol--7-1
     match access-group 104
     match protocol user-protocol--7
     match access-group 102
    class-map type inspect match-all sdm-nat-user-protocol--4-2
     match access-group 101
     match protocol user-protocol--4
    class-map type inspect match-all sdm-nat-user-protocol--6-1
     match access-group 103
     match protocol user-protocol--6
    class-map type inspect match-all sdm-nat-user-protocol--5-1
     match access-group 103
     match protocol user-protocol--5
    class-map type inspect match-all sdm-nat-user-protocol--4-1
     match access-group 102
     match protocol user-protocol--4
    class-map type inspect match-all sdm-nat-user-protocol--7-2
     match access-group 101
     match protocol user-protocol--7
    class-map type inspect match-all sdm-nat-user-protocol--3-1
     match access-group 102
     match protocol user-protocol--3
    class-map type inspect match-all sdm-nat-user-protocol--2-1
     match access-group 101
     match protocol user-protocol--2
    class-map type inspect match-all sdm-nat-user-protocol--1-2
     match access-group 102
     match protocol user-protocol--1
    class-map type inspect match-all sdm-nat-user-protocol--1-1
     match access-group 101
     match protocol user-protocol--1
    class-map type inspect match-all sdm-nat-user-protocol--2-2
     match access-group 102
     match protocol user-protocol--2
    class-map type inspect match-all sdm-nat-user-protocol--3-2
     match access-group 101
     match protocol user-protocol--3
    class-map type inspect match-all sdm-nat-user-protocol--8-2
     match access-group 101
     match protocol user-protocol--8
    class-map type inspect match-all sdm-nat-user-protocol--9-2
     match access-group 104
     match protocol user-protocol--9
    class-map type inspect match-any ccp-skinny-inspect
     match protocol skinny
    class-map type inspect match-all sdm-nat-user-protocol--9-1
     match access-group 101
     match protocol user-protocol--9
     match access-group 104
    class-map type inspect match-all sdm-nat-user-protocol--8-1
     match access-group 104
     match protocol user-protocol--8
     match access-group 102
    class-map type inspect match-any ccp-h323nxg-inspect
     match protocol h323-nxg
    class-map type inspect match-any ccp-cls-icmp-access
     match protocol icmp
     match protocol tcp
     match protocol udp
    class-map type inspect match-all sdm-nat-user-protocol--10-2
     match access-group 104
     match protocol user-protocol--10
    class-map type inspect match-all sdm-nat-user-protocol--10-1
     match access-group 101
     match protocol user-protocol--10
     match access-group 104
    class-map type inspect match-any ccp-h225ras-inspect
     match protocol h225ras
    class-map type inspect match-any ccp-h323annexe-inspect
     match protocol h323-annexe
    class-map type inspect match-any ccp-cls-insp-traffic
     match protocol pptp
     match protocol dns
     match protocol ftp
     match protocol https
     match protocol icmp
     match protocol imap
     match protocol pop3
     match protocol netshow
     match protocol shell
     match protocol realmedia
     match protocol rtsp
     match protocol smtp
     match protocol sql-net
     match protocol streamworks
     match protocol tftp
     match protocol vdolive
     match protocol tcp
     match protocol udp
    class-map type inspect match-all SDM_GRE
     match access-group name SDM_GRE
    class-map type inspect match-any ccp-h323-inspect
     match protocol h323
    class-map type inspect match-all ccp-invalid-src
     match access-group 100
    class-map type inspect match-any ccp-sip-inspect
     match protocol sip
    class-map type inspect match-all ccp-protocol-http
     match protocol http
    class-map type inspect match-any CCP_PPTP
     match class-map SDM_GRE
    class-map type inspect match-all ccp-insp-traffic
     match class-map ccp-cls-insp-traffic
    class-map type inspect match-all ccp-icmp-access
     match class-map ccp-cls-icmp-access
    policy-map type inspect ccp-inspect
     class type inspect ccp-invalid-src
      drop log
     class type inspect ccp-protocol-http
      inspect
     class type inspect ccp-insp-traffic
      inspect
     class type inspect ccp-sip-inspect
      inspect
     class type inspect ccp-h323-inspect
      inspect
     class type inspect ccp-h323annexe-inspect
      inspect
     class type inspect ccp-h225ras-inspect
      inspect
     class type inspect ccp-h323nxg-inspect
      inspect
     class type inspect ccp-skinny-inspect
      inspect
     class class-default
      drop
    policy-map type inspect sdm-pol-NATOutsideToInside-1
     class type inspect sdm-nat-user-protocol--1-1
      inspect
     class type inspect sdm-nat-user-protocol--2-1
      inspect
     class type inspect sdm-nat-user-protocol--3-1
      inspect
     class type inspect sdm-nat-user-protocol--4-1
      inspect
     class type inspect sdm-nat-user-protocol--5-1
      inspect
     class type inspect sdm-nat-user-protocol--6-1
      inspect
     class type inspect sdm-nat-user-protocol--7-1
      inspect
     class type inspect sdm-nat-user-protocol--8-1
      inspect
     class type inspect sdm-nat-user-protocol--9-1
      inspect
     class type inspect sdm-nat-user-protocol--10-1
      inspect
     class type inspect CCP_PPTP
      pass
     class type inspect sdm-nat-user-protocol--7-2
      inspect
     class type inspect sdm-nat-user-protocol--8-2
      inspect
     class type inspect sdm-nat-user-protocol--1-2
      inspect
     class type inspect sdm-nat-user-protocol--2-2
      inspect
     class type inspect sdm-nat-user-protocol--9-2
      inspect
     class type inspect sdm-nat-user-protocol--10-2
      inspect
     class type inspect sdm-nat-user-protocol--3-2
      inspect
     class type inspect sdm-nat-user-protocol--4-2
      inspect
     class class-default
      drop log
    policy-map type inspect ccp-permit
     class class-default
      drop
    policy-map type inspect ccp-permit-icmpreply
     class type inspect ccp-icmp-access
      inspect
     class class-default
      pass
    zone security in-zone
    zone security out-zone
    zone-pair security ccp-zp-self-out source self destination out-zone
     service-policy type inspect ccp-permit-icmpreply
    zone-pair security ccp-zp-in-out source in-zone destination out-zone
     service-policy type inspect ccp-inspect
    zone-pair security ccp-zp-out-self source out-zone destination self
     service-policy type inspect ccp-permit
    zone-pair security sdm-zp-NATOutsideToInside-1 source out-zone destination in-zone
     service-policy type inspect sdm-pol-NATOutsideToInside-1
    interface Null0
     no ip unreachables
    interface Embedded-Service-Engine0/0
     no ip address
     no ip redirects
     no ip unreachables
     no ip proxy-arp
     ip flow ingress
     shutdown
    interface GigabitEthernet0/0
     description $ETH-LAN$
     ip address 192.168.10.1 255.255.255.0
     no ip redirects
     no ip unreachables
     no ip proxy-arp
     ip flow ingress
     duplex auto
     speed auto
     no mop enabled
    interface GigabitEthernet0/1
     no ip address
     no ip redirects
     no ip unreachables
     no ip proxy-arp
     ip flow ingress
     shutdown
     duplex auto
     speed auto
     no mop enabled
    interface ATM0/0/0
     no ip address
     no ip redirects
     no ip unreachables
     no ip proxy-arp
     ip flow ingress
     no atm ilmi-keepalive
    interface ATM0/0/0.1 point-to-point
     no ip redirects
     no ip unreachables
     no ip proxy-arp
     ip flow ingress
     pvc 8/35
      encapsulation aal5mux ppp dialer
      dialer pool-member 1
    interface ATM0/0/0.2 point-to-point
     no ip redirects
     no ip unreachables
     no ip proxy-arp
     ip flow ingress
    interface Ethernet0/0/0
     no ip address
     no ip redirects
     no ip unreachables
     no ip proxy-arp
     ip flow ingress
     shutdown
     no mop enabled
    interface ATM0/1/0
     no ip address
     no ip redirects
     no ip unreachables
     no ip proxy-arp
     ip flow ingress
     no atm ilmi-keepalive
    interface ATM0/1/0.1 point-to-point
     no ip redirects
     no ip unreachables
     no ip proxy-arp
     ip flow ingress
     pvc 8/35
      encapsulation aal5mux ppp dialer
      dialer pool-member 2
    interface Ethernet0/1/0
     no ip address
     no ip redirects
     no ip unreachables
     no ip proxy-arp
     ip flow ingress
     shutdown
     no mop enabled
    interface GigabitEthernet0/3/0
     no ip address
    interface GigabitEthernet0/3/1
     no ip address
    interface GigabitEthernet0/3/2
     no ip address
    interface GigabitEthernet0/3/3
     no ip address
    interface GigabitEthernet0/3/4
     no ip address
    interface GigabitEthernet0/3/5
     no ip address
    interface GigabitEthernet0/3/6
     no ip address
    interface GigabitEthernet0/3/7
     no ip address
    interface Vlan1
     description $FW_INSIDE$
     ip address 192.168.1.1 255.255.255.0
     no ip redirects
     no ip unreachables
     no ip proxy-arp
     ip nbar protocol-discovery
     ip flow ingress
     ip nat inside
     ip virtual-reassembly in
     zone-member security in-zone
    interface Dialer0
     description $FW_OUTSIDE$
     ip address negotiated
     no ip redirects
     no ip unreachables
     no ip proxy-arp
     ip nbar protocol-discovery
     ip flow ingress
     ip nat outside
     ip virtual-reassembly in
     zone-member security out-zone
     encapsulation ppp
     dialer pool 1
     dialer-group 1
     ppp authentication chap pap callin
     ppp chap hostname [email protected]
     ppp chap password 7 1444405858557A
     ppp pap sent-username [email protected] password 7 135645415F5D54
     ppp multilink
    interface Dialer1
     description $FW_OUTSIDE$
     ip address negotiated
     no ip redirects
     no ip unreachables
     no ip proxy-arp
     ip nbar protocol-discovery
     ip flow ingress
     ip nat outside
     ip virtual-reassembly in
     zone-member security out-zone
     encapsulation ppp
     dialer pool 2
     dialer-group 2
     ppp authentication chap pap callin
     ppp chap hostname [email protected]
     ppp chap password 7 01475E540E5D55
     ppp pap sent-username [email protected] password 7 055F5E5F741A1D
     ppp multilink
    router eigrp as#
    router eigrp 10
     network 192.168.1.1 0.0.0.0
    router rip
     version 2
     network 192.168.1.0
     no auto-summary
    ip forward-protocol nd
    ip http server
    ip http access-class 3
    ip http authentication local
    ip http secure-server
    ip http timeout-policy idle 60 life 86400 requests 10000
    ip dns server
    ip nat inside source static tcp 192.168.1.10 3392 interface Dialer1 3392
    ip nat inside source static udp 192.168.1.10 3392 interface Dialer1 3392
    ip nat inside source static tcp 192.168.1.35 3391 interface Dialer0 3391
    ip nat inside source static udp 192.168.1.35 3391 interface Dialer0 3391
    ip nat inside source static tcp 192.168.1.5 3394 interface Dialer0 3394
    ip nat inside source static udp 192.168.1.5 3394 interface Dialer0 3394
    ip nat inside source static tcp 192.168.1.17 3397 interface Dialer0 3397
    ip nat inside source static udp 192.168.1.17 3397 interface Dialer0 3397
    ip nat inside source static tcp 192.168.1.10 14000 interface Dialer0 14000
    ip nat inside source static udp 192.168.1.10 14100 interface Dialer0 14100
    ip nat inside source route-map ADSL0 interface Dialer0 overload
    ip nat inside source route-map ADSL1 interface Dialer1 overload
    ip route 0.0.0.0 0.0.0.0 Dialer0 track 1
    ip route 0.0.0.0 0.0.0.0 Dialer1 track 2
    ip access-list extended NAT
     remark CCP_ACL Category=18
     permit ip 192.0.0.0 0.255.255.255 any
    ip access-list extended SDM_GRE
     remark CCP_ACL Category=1
     permit gre any any
     remark CCP_ACL Category=1
    ip access-list extended STATIC-NAT-SERVICES
     permit ip host 192.168.1.35 any
     permit ip host 192.168.1.5 any
     permit ip host 192.168.1.10 any
     permit ip host 192.168.1.17 any
    dialer-list 1 protocol ip permit
    dialer-list 2 protocol ip permit
    route-map ADSL0 permit 10
     match ip address NAT
     match interface Dialer0
    route-map ADSL1 permit 10
     match ip address NAT
     match interface Dialer1
    access-list 1 remark INSIDE_IF=Vlan1
    access-list 1 remark CCP_ACL Category=2
    access-list 1 permit 192.168.1.0 0.0.0.255
    access-list 2 remark HTTP Access-class list
    access-list 2 remark CCP_ACL Category=1
    access-list 2 permit 192.168.1.0 0.0.0.255
    access-list 2 deny   any
    access-list 2 remark HTTP Access-class list
    access-list 2 remark CCP_ACL Category=1
    access-list 3 remark HTTP Access-class list
    access-list 3 remark CCP_ACL Category=1
    access-list 3 permit 192.168.1.0 0.0.0.255
    access-list 3 deny   any
    access-list 10 remark INSIDE_IF=NAT
    access-list 10 remark CCP_ACL Category=2
    access-list 10 permit 192.168.1.0 0.0.0.255
    access-list 100 remark CCP_ACL Category=128
    access-list 100 permit ip host 255.255.255.255 any
    access-list 100 permit ip 127.0.0.0 0.255.255.255 any
    access-list 100 permit ip 139.130.227.0 0.0.0.255 any
    access-list 100 permit ip 203.45.106.0 0.0.0.255 any
    access-list 101 remark CCP_ACL Category=0
    access-list 101 permit ip any host 192.168.1.10
    access-list 101 remark CCP_ACL Category=0
    access-list 101 permit ip any host 192.168.1.35
    access-list 101 permit tcp any any eq www
    access-list 102 remark CCP_ACL Category=0
    access-list 102 permit ip any host 192.168.1.35
    access-list 102 remark CCP_ACL Category=0
    access-list 102 permit ip any host 192.168.1.10
    access-list 103 remark CCP_ACL Category=0
    access-list 103 permit ip any host 192.168.1.5
    access-list 104 remark CCP_ACL Category=0
    access-list 104 permit ip any host 192.168.1.17
    control-plane
    banner login ^CCE-Rescue Systems^C
    line con 0
     login authentication local_authen
     transport output telnet
    line aux 0
     login authentication local_authen
     transport output telnet
    line 2
     no activation-character
     no exec
     transport preferred none
     transport output lat pad telnet rlogin lapb-ta mop udptn v120 ssh
     stopbits 1
    line vty 0 4
     authorization exec local_author
     login authentication local_authen
     transport input telnet ssh
    line vty 5 15
     authorization exec local_author
     login authentication local_authen
     transport input telnet ssh
    scheduler allocate 20000 1000
    end
    Thanks
    Shawn

  • Dual ADSL Load Balancing and Fault tolerance

    Just wonder if this is doable with for example 2 WIC-1ADSL cards on say a 2800 series platform. The application would be simple internet access. If so could someone provide a sample config? Just a note...this application would include two static ip ADSL services. Thanks, Shawn

    That is definitely doable. Here's a sample config:
    ip cef
    ! First ADSL uplink
    interface atm1/0.32
     ip address 255.255.255.252
     ip nat outside
     pvc 1/32
      oam-pvc manage
    ! Second ADSL uplink
    interface atm2/0.32
     ip address 255.255.255.252
     ip nat outside
     pvc 1/32
      oam-pvc manage
    ! Inside LAN
    interface GigabitEthernet0/0
     ip address 10.1.1.1 255.255.255.0
     ip nat inside
    ! Two equal-cost default routes, one per uplink
    ip route 0.0.0.0 0.0.0.0 atm1/0.32
    ip route 0.0.0.0 0.0.0.0 atm2/0.32
    ! Translate to the address of whichever uplink the packet leaves on
    ip nat inside source route-map ISP1-map interface atm1/0.32
    ip nat inside source route-map ISP2-map interface atm2/0.32
    ! Route-map names must match the names referenced by the NAT statements
    route-map ISP1-map permit 10
     match interface atm1/0.32
    route-map ISP2-map permit 10
     match interface atm2/0.32
    Explanation:
    - the use of two static routes will allow you to load-balance over the two links and provide redundancy at the same time
    - the NAT config will dynamically choose the NAT'ed address depending on which interface CEF has chosen to send the packet out of...
    Hope that helps - pls rate the post if it does.
    Regards,
    Paresh
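
    The behaviour described in the explanation above, modelled as an added example that is not part of the original post: each source/destination pair is hashed onto one live uplink (CEF's default per-destination mode is assumed) and the NAT'ed source follows the egress interface. The public addresses and the SHA-256 hash are constructed stand-ins; the page gives neither the real addresses nor the CEF hash.

```python
import hashlib
import ipaddress
from collections import Counter

# Constructed topology mirroring the sample config: two ADSL uplinks, each with
# its own public address (documentation ranges, not values from the post).
UPLINKS = {
    "atm1/0.32": "198.51.100.2",
    "atm2/0.32": "203.0.113.2",
}
ALL_UP = frozenset(UPLINKS)


def pick_uplink(src, dst, up=ALL_UP):
    """Per-destination sharing: hash the (src, dst) pair onto the live links.

    SHA-256 is a stand-in for the router's own hash (assumption).
    """
    live = sorted(name for name in UPLINKS if name in up)
    if not live:
        return None  # both default routes withdrawn: no path out
    key = ipaddress.ip_address(src).packed + ipaddress.ip_address(dst).packed
    bucket = int.from_bytes(hashlib.sha256(key).digest()[:4], "big")
    return live[bucket % len(live)]


def translate(src, dst, up=ALL_UP):
    """Return (egress interface, NAT'ed source address), or None if no link is up."""
    link = pick_uplink(src, dst, up)
    if link is None:
        return None
    # "match interface" in the route-map: the translation follows the egress link.
    return link, UPLINKS[link]


def distribution(hosts, dests, up=ALL_UP):
    """Count how many (src, dst) pairs leave on each uplink."""
    counts = Counter()
    for src in hosts:
        for dst in dests:
            result = translate(src, dst, up)
            if result is not None:
                counts[result[0]] += 1
    return counts


def moved_on_failure(hosts, dests, failed):
    """Count pairs whose public source address changes when one uplink fails."""
    survivors = ALL_UP - {failed}
    moved = 0
    for src in hosts:
        for dst in dests:
            if translate(src, dst) != translate(src, dst, survivors):
                moved += 1
    return moved


if __name__ == "__main__":
    hosts = [f"10.1.1.{i}" for i in range(10, 30)]   # inside LAN from the sample config
    dests = [f"192.0.2.{i}" for i in range(1, 21)]   # constructed destinations
    print("both links up :", dict(distribution(hosts, dests)))
    print("atm1/0.32 down:", dict(distribution(hosts, dests, ALL_UP - {"atm1/0.32"})))
    print("pairs re-NATed:", moved_on_failure(hosts, dests, "atm1/0.32"))
```

    A single source/destination pair always maps to one uplink, so the spread only appears across many pairs. Pairs that were on the failed link come back with a different public source address, which is the point where sessions or allowlists bound to the old address stop matching.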

  • NIC load balancing

    Hello,
    I installed a VMWare Hypervisor 5.5 server and put 2 virtual machines on it.
    The physical server has 2 NICs and connected to the LAN.
    When I go to the virtual machine performance tab and look at the network data I see that most traffic is going over 1 vmnic.
    The stats of the other NIC are most of the time plain 0 values.
    see attachment...
    Isn't this supposed to be spread over vmnic0 & vmnic1 ?
    The vSwitch has loadbalancing on, if I turn loadbalancing on for the VMNetwork it doesn't seem to change much either.
    When I add another virtual NIC and leave it unteamed I get the same result.
    Will this only work when teaming 2 virtual NICs in the virtual machine or will it only use the second NIC when it reaches almost full load?
    The problem is that I have issues with teaming the microsoft way, the server becomes unreachable for some reason (previous HP soft messed up something?)
    I'm using the VMXNET3 NICs.

    I checked another host.
    This has a mail and RDP server as 2 virtual machines.
    The only issue I have under RDS is that sometimes Outlook freezes for a few seconds and gives this white/blurred screen.
    So I wonder...
    As these 2 VMs are on the same VM host, does the traffic leave the host or is it kept internal?
    If it is internal then it couldn't be a physical NIC overload issue, right?
    Then I need to look elsewhere (the VM CPU/NIC stats don't give a reason for the slowdown either).

  • Using StoneBeat WebCluster load balancing with WebLogic

              Hi,
              I have done some testing of WebLogic Server with my company's StoneBeat WebCluster
              distributed load balancing software. This might be one more option to consider
              as a load balancing solution for WLS. It is advanced in the sense that load balancing
              is really dynamic, there are no single-points of failure (distributed architecture)
              and there is a very good, configurable test subsystem that runs on each cluster
              node to check for overload situations, HW/OS failures, ...
              In the initial testing, the WebCluster load balancing works with WebLogic replication,
              although there are some cases that need more consideration (please see below).
              I had to get a patch to WLS6SP1 on NT to make WLS' multicast work when there are
              several NICs on the cluster nodes.
              However, there is one case which causes problems:
              - I have 3 cluster nodes
              - P: 2, S: 3 (SessionServlet = 1)
              - 2: offline - P: 3, S: 1 (SessionServlet = 2; WebCluster randomly selected a
              new node to handle the connection)
              - 2: online - P: 2, S: ? (SessionServlet = 3, WebCluster redistributes the load
              when a node goes online)
              - 2: offline
              - P: 3, S: 1 (__SessionServlet = 1__) NB!
              The log messages show that when node 2 comes back online it retrieves the replica
              from the secondary (node 1) and not from the primary (node 3). After a while (5-6
              minutes), node 3 tries to update the replica on node 1. Node 1 considers this
              a stale update request and removes the Primary 16... (node name) and then the
              secondary for 16... (the replicated object). Then there's a message (still on
              node 1) that it is unable to find object 16... Back on node 3 the primary for
              16... is removed.
              From the WLS6 documentation (under the discussion of using replication with external
              HW load balancing solutions) I thought that this case would have been handled:
              - it is stated that after the failure of a node, if the HWLB box sends the next
              request to a node where there is no replica, WLS is able to retrieve the replica
              - to be fair, this is what happens: when node 2 came back online, it retrieved
              the replica from node 1 (the secondary) - I suppose that there is an assumption
              that if a request arrives to a node without a replica, the primary __must have
              failed__
              Is there any way to get around this problem?
              Admittedly, WebCluster has a problem in that the stickiness of connections is
              not perfect: - when a node goes online, a connection that was correctly persisted
              (based on either source-ip or source-network address) may be moved to a new node
              since the load is redistributed. Our load balancing is very dynamic, but doesn't
              maintain a list of who is connected to which node when redistribution takes place.
              Regards,
              Frank Olsen
              Stonesoft
              

    Rick,
    You may want to look at the Alteon and F5 configuration we have on edocs.
    Take a look at the following URLs for a possible solution
    http://edocs.bea.com/wls/docs61/cluster/alteon.html#591902
    http://edocs.bea.com/wls/docs61/cluster/bigip.html#591902
    Chuck Nelson
    DRE
    BEA Technical Support

  • OS level load balancing in OEL

    Hi,
    Would like to know if we can do OS level load balancing with OEL?
    I know in Windows there is Network Load Balancing NLB, that would do this, so I am hoping is there something similar in OEL?
    Thanks.

    Optimus prime wrote:
    > Would like to know if we can do OS level load balancing with OEL?
    Any kernel automatically "load balances" processing across the resources (e.g. CPUs) available to the kernel. The 2.6 kernel uses the Completely Fair Scheduler.
    > I know in Windows there is Network Load Balancing NLB, that would do this, so I am hoping is there something similar in OEL?
    Kind of. There are a number of clustering options for Linux, including commercial products like Oracle Grid.
    I think one of the oldest (and well known) Linux clustering s/w projects is Beowulf.
    For networking specifically (comparing it with what I read in Microsoft's FAQ for NLB), there is Linux Virtual Server. Quote:
    "The Linux Virtual Server as an advanced load balancing solution can be used to build highly scalable and highly available network services, such as scalable web, cache, mail, ftp, media and VoIP services."
    There are also other options - such as network devices (in addition to standard switches and routers) that specifically provide load balancing for networking. Though personally, I did not like this approach much for Oracle RAC and we rolled our own load balancing using NAT and iptables.
    Bonding, as mentioned above, is one of many technical considerations when implementing a load balancer. This is (in my experience) primarily for high availability - and provides redundant paths from the server to a resource. It does not need to be IP based - it can be Infiniband based too (e.g. like used by Oracle Database Machine for redundant storage fabric paths to the Exadata Storage Server).
    Typically 2 separate interfaces/dual ports will be wired into separate switches that in turn will be wired into the greater network or storage system or whatever. This is then bonded on the server as a single logical interface. If an interface, port, cable or even switch fails, that logical interface still has a secondary path providing full connectivity. Bonding is discussed at http://www.linuxfoundation.org/collaborate/workgroups/networking/bonding.
    This is however a very low level of dealing with load balancing (and redundancy). It alone should not be considered as a load balancing solution.
