Global Load Balancing / Failover....what about dns entries being cached?
It is my understanding that DNS is used to provide data center redundancy. How does one resolve the problem of DNS entries being cached across the Internet? For example, if I fail over to my secondary datacenter, the IP addresses of my primary datacenter will likely be cached in DNS servers across the Internet. What are some options for datacenter redundancy that can overcome these DNS propagation delays?
Thanks!
The only option that you have is to run with a low TTL.
Unfortunately, there are applications out there that don't behave very well with a low TTL. Microsoft Internet Explorer, for example, needs to be restarted for it to do another name lookup. The same holds true for some proxies etc.
-A
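As an added example (not part of the thread), the following Python model shows how much of a TTL a TTL-honouring resolver can keep serving the old datacenter's address after the record is repointed, and why a client that pins its first answer never benefits from a low TTL. The addresses, TTLs and timings are constructed.

```python
"""Stale-cache window of a DNS-based datacenter failover.

Added example, not from the thread above. Addresses, TTLs and timings are
constructed; the model is a TTL-honouring recursive resolver plus a client
that pins its first answer, as the reply says some clients do."""
from typing import Dict, List, Optional

PRIMARY = "192.0.2.10"       # constructed primary-datacenter VIP (TEST-NET-1)
SECONDARY = "198.51.100.10"  # constructed secondary-datacenter VIP (TEST-NET-2)


class Zone:
    """The authoritative record you control: one address and its TTL."""

    def __init__(self, address: str, ttl: int) -> None:
        self.address = address
        self.ttl = ttl


class CachingResolver:
    """A recursive resolver that honours the TTL it was given."""

    def __init__(self, name: str) -> None:
        self.name = name
        self.cached: Optional[str] = None
        self.expires_at = 0

    def resolve(self, zone: Zone, now: int) -> str:
        if self.cached is not None and now < self.expires_at:
            return self.cached                 # cache hit: zone not consulted
        self.cached = zone.address             # cache miss: fetch and re-arm TTL
        self.expires_at = now + zone.ttl
        return self.cached


class StickyClient:
    """Resolves once and keeps that address until restarted, so a low TTL
    never reaches it (the Internet Explorer behaviour described above)."""

    def __init__(self, resolver: CachingResolver) -> None:
        self.resolver = resolver
        self.pinned: Optional[str] = None

    def target(self, zone: Zone, now: int) -> str:
        if self.pinned is None:
            self.pinned = self.resolver.resolve(zone, now)
        return self.pinned


def first_fresh_answer(fill_time: int, ttl: int, failover_at: int) -> int:
    """Closed form: the first second at which a resolver that first cached the
    name at `fill_time` hands out the new address. It refreshes at every
    expiry, so it keeps re-caching the old address until an expiry lands at
    or after the failover."""
    if fill_time >= failover_at:
        return fill_time                       # first lookup already sees the new record
    expiry = fill_time + ttl
    while expiry < failover_at:
        expiry += ttl
    return expiry


def simulate(ttl: int, failover_at: int, fill_times: List[int],
             horizon: int) -> Dict[str, object]:
    """Step the clock one second at a time, repoint the record at
    `failover_at`, and record when each resolver first returns SECONDARY.
    Every resolver queries on every second from its fill time on, which is
    the worst case the closed form above describes."""
    zone = Zone(PRIMARY, ttl)
    resolvers = [CachingResolver("resolver-%d" % i) for i in range(len(fill_times))]
    sticky = StickyClient(resolvers[0])
    switched: Dict[str, Optional[int]] = {r.name: None for r in resolvers}
    for now in range(horizon + 1):
        if now == failover_at:
            zone = Zone(SECONDARY, ttl)        # operator repoints the record
        for resolver, fill in zip(resolvers, fill_times):
            if now < fill:
                continue
            if resolver.resolve(zone, now) == SECONDARY and switched[resolver.name] is None:
                switched[resolver.name] = now
        if now >= fill_times[0]:
            sticky.target(zone, now)
    stale = [t - failover_at for t in switched.values() if t is not None]
    return {
        "switched_at": switched,
        "worst_stale_seconds": max(stale) if stale else None,
        "sticky_client_sees": sticky.pinned,
    }


if __name__ == "__main__":
    for ttl in (3600, 300, 60):
        result = simulate(ttl, failover_at=1000, fill_times=[0, 30, 55], horizon=6000)
        print("TTL %4d: worst stale window %s s, sticky client still on %s"
              % (ttl, result["worst_stale_seconds"], result["sticky_client_sees"]))
```

Lowering the TTL shrinks the window for the resolvers but leaves the sticky client on the dead address for as long as it runs.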
Similar Messages
-
HTTP Redirect with Global Load Balancing
I've seen a lot of documentation about redirects and what I am trying to do seems simple enough yet I can't get it to work. Here is a summary:
We have two CSSs in different data centers with load balancing in a roundrobin fashion.
User types www.test.com:9086/test.html
User hits one of the CSSes configured to respond to www.test.com, CSS1 and CSS2.
If CSS1 gets the request, it should redirect request to server1:9086/test.html
If CSS2 gets the request, it should redirect request to server2:9086/test.html
Here is a sample of one of the CSSes:
content vTEST
  dnsbalance roundrobin
  add dns www.test.com
  url "/*"
  protocol tcp
  port 9086
  vip address 192.168.3.135
  add service rTEST
  active
service rTEST
  protocol tcp
  port 9086
  type redirect
  keepalive type none
  ip address 2.2.2.2
  redirect-string "server1:9086/test.html"
  active
I've seen a lot of example of using HTTP Redirects, but none of them touch on using global load balancing as we are trying to accomplish.
Now, if I type in a browser:
http://www.test.com:9086/test.html
it fails. Why? because the CSS returns back an IP of 2.2.2.2 for www.test.com, which isn't a real IP address (this is by design). If I type:
http://192.168.3.135:9086/test.html
it works because it successfully redirects to:
http://server1:9086/test.html
because it is going directly against the VIP and redirecting as it should.
So the redirect function we know is working on the CSS as expected. However, the problem is this:
When I ping www.test.com I should get back the VIP address of the content rule (192.168.3.135) and I do UNTIL I ADD THE REDIRECT TYPE to the service. Once I do that if I ping www.test.com I will get back 2.2.2.2. Somehow once the redirect is added the IP address of the service (2.2.2.2) is returned instead of the content VIP (192.168.3.135). That shouldn't happen.
I hope this makes sense and any help would be greatly appreciated!!!
I think what you want to do is explained at:
http://www.cisco.com/en/US/products/hw/contnetw/ps789/products_configuration_example09186a0080094068.shtml
For your information, you should also look at this solution :
http://www.cisco.com/en/US/products/hw/contnetw/ps789/products_configuration_example09186a00801dcd75.shtml
Regards,
Gilles. -
Hardware clustering/load balancing/failover with Tomcat
Hello forum!
I recently bought a Cisco 1801, and it sure is capable! Anyhow, I've got a hobby website that is getting a fair bit of traffic - approaching too much for one node to handle and it's time to start thinking about distributing the load.
I'd like to do a little clustering of server nodes running Apache Geronimo, which is J2EE running atop Apache Tomcat. For the sake of keeping things generic, let's just call it Tomcat because it configures the same way.
I do not run Apache HTTP Server as a proxy, I only run Tomcat directly connected to the internet. I do this for performance reasons.
Anyhow, I'm wondering if any of you evil geniuses could suggest a way that I could cluster Tomcat nodes directly using the router to serve as a hardware load balancer and have the whole sticky session thing with failover, etc... All of the documents I find on the subject discuss clustering by way of Apache HTTP with Mod_JK.
I have already asked this question on the hardware side, and got great information about the capable load balancing features my router sports (but limited compared to Cisco CSS products.)
Now I'm wondering if anyone has experience taking an open source application server like Geronimo or Tomcat or JBoss and clustering it using hardware load balancing. What kinds of Tomcat configurations, if any, do I need to add for things like sticky sessions and failover? Or, is all that automatic?
Thanks so much for reading and for any replies. If there is a better forum for my question, please direct me there.
Cheers,
Dave Woldrich
http://CardMeeting.com
This occurs rarely when the Tomcat process is not able to connect to the database. The database connection problem is an internal cause which manifests externally as missing fields in reports.
Workaround: Restart the Apache process and the Tomcat process. From the CLI on your CiscoWorks Server, enter the following commands in the specified sequence:
1. pdterm Apache
2. pdterm Tomcat
3. pdexec Tomcat
4. pdexec Apache -
Connection string in listener log file for loading balance/failover
Hi Experts,
I have a 4-node RAC for Oracle 10g2 on Red Hat 5.0.
We created service dbsale (sale1,2 as primary and sale3/4 as available) with load balance/failover.
The remote user created a local TNS as
localmarket =
  (DESCRIPTION =
    (ADDRESS = (PROTOCOL = TCP)(HOST = 155.206.xxx.xx)(PORT = 1521))
    (LOAD_BALANCE = OFF)
    (CONNECT_DATA = (SERVICE_NAME = dbsale))
  )
From the server side, I saw that the user sent two connection request strings: one fails and the other is OK.
It seems that the failed connection comes from failover/load balance to dbsale3?
Why do we get two connection strings in the listener log file?
What is the difference between the two connection strings?
Where does the system change these connection strings?
Thanks for your explanation.
Jim
==============listener.log message
[oracle@sale log]$ cat listener_sale.log|grep pmason
15-SEP-2009 13:52:24 * (CONNECT_DATA=(SERVICE_NAME=dbsale)(CID=(PROGRAM=oracle)(HOST=rock)(USER=test ))) * (ADDRESS=(PROTOCOL=tcp)(HOST=161.55.xxx.xx)(PORT=54326)) * establish * dbsale * 0
15-SEP-2009 13:52:25 * (CONNECT_DATA=(SERVICE_NAME=dbsale)(CID=(PROGRAM=oracle)(HOST=rock)(USER=test ))(SERVER=dedicated)(INSTANCE_NAME=sale3)) * (ADDRESS=(PROTOCOL=tcp)(HOST=161.55.xxx.xx)(PORT=54327)) * establish * dbsale * 12520
15-SEP-2009 13:52:30 * (CONNECT_DATA=(SERVICE_NAME=dbsale)(CID=(PROGRAM=oracle)(HOST=rock)(USER=test ))) * (ADDRESS=(PROTOCOL=tcp)(HOST=161.55.xxx.xx)(PORT=54329)) * establish * dbsale* 0
15-SEP-2009 13:52:47 * (CONNECT_DATA=(SERVICE_NAME=dbsale)(CID=(PROGRAM=oracle)(HOST=rock)(USER=test ))) * (ADDRESS=(PROTOCOL=tcp)(HOST=161.55.xxx.xx)(PORT=54332)) * establish * dbsale * 0
15-SEP-2009 13:52:47 * (CONNECT_DATA=(SERVICE_NAME=dbsale)(CID=(PROGRAM=oracle)(HOST=rock)(USER=test ))(SERVER=dedicated)(INSTANCE_NAME=sale3)) * (ADDRESS=(PROTOCOL=tcp)(HOST=161.55.xxx.xx)(PORT=54333)) * establish dbsale 12520
15-SEP-2009 13:52:49 * (CONNECT_DATA=(SERVICE_NAME=dbsale)(CID=(PROGRAM=oracle)(HOST=rock)(USER=test ))) * (ADDRESS=(PROTOCOL=tcp)(HOST=161.55.xxx.xx)(PORT=54334)) * establish * dbsale * 0
Edited by: user589812 on Sep 16, 2009 7:21 AM
Hi Jim,
I think the best way in this case is to create one service with one instance as primary and the other 3 as available.
Or use a connect string with two VIP addresses, because the service has two instances and the tnsnames.ora entry has only one.
Cheers,
Rodrigo Mufalani
http://mufalani.blogspot.com -
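As an added example (not from the thread), here is a Python parser for listener.log lines in the format quoted in the question above. It pulls apart the nested connect descriptors so the two requests per connection can be compared field by field, and isolates the failing one (the request that names INSTANCE_NAME=sale3 and returns 12520). The sample lines are constructed to match the posted format, with the host addresses masked as the poster masked them.

```python
"""Parse Oracle listener.log 'establish' lines in the format quoted in the
question above and flag the connections that failed, keyed by the instance
the connect descriptor named. Added example, not from the thread; the sample
lines are constructed to match the posted log (host addresses masked as the
poster masked them) and include one line with the separators missing."""
from typing import Any, Dict, List, Optional, Tuple

SAMPLE_LOG = """\
15-SEP-2009 13:52:24 * (CONNECT_DATA=(SERVICE_NAME=dbsale)(CID=(PROGRAM=oracle)(HOST=rock)(USER=test ))) * (ADDRESS=(PROTOCOL=tcp)(HOST=161.55.xxx.xx)(PORT=54326)) * establish * dbsale * 0
15-SEP-2009 13:52:25 * (CONNECT_DATA=(SERVICE_NAME=dbsale)(CID=(PROGRAM=oracle)(HOST=rock)(USER=test ))(SERVER=dedicated)(INSTANCE_NAME=sale3)) * (ADDRESS=(PROTOCOL=tcp)(HOST=161.55.xxx.xx)(PORT=54327)) * establish * dbsale * 12520
15-SEP-2009 13:52:30 * (CONNECT_DATA=(SERVICE_NAME=dbsale)(CID=(PROGRAM=oracle)(HOST=rock)(USER=test ))) * (ADDRESS=(PROTOCOL=tcp)(HOST=161.55.xxx.xx)(PORT=54329)) * establish * dbsale * 0
15-SEP-2009 13:52:47 * (CONNECT_DATA=(SERVICE_NAME=dbsale)(CID=(PROGRAM=oracle)(HOST=rock)(USER=test ))(SERVER=dedicated)(INSTANCE_NAME=sale3)) * (ADDRESS=(PROTOCOL=tcp)(HOST=161.55.xxx.xx)(PORT=54333)) * establish dbsale 12520
"""


def parse_descriptor(text: str, pos: int = 0) -> Tuple[str, Any, int]:
    """Parse one Oracle Net '(KEY=VALUE)' group starting at text[pos]. VALUE is
    either a bare token or a run of nested groups, which become a dict.
    Returns (key, value, index just past the closing paren). A repeated key
    at one level (several ADDRESS entries, say) would overwrite the earlier
    one; the listener lines here never repeat a key."""
    if text[pos] != "(":
        raise ValueError("expected '(' at offset %d" % pos)
    eq = text.index("=", pos)
    key = text[pos + 1:eq].strip()
    pos = eq + 1
    if text[pos] == "(":
        value: Any = {}
        while text[pos] == "(":
            k, v, pos = parse_descriptor(text, pos)
            value[k] = v
    else:
        close = text.index(")", pos)
        value = text[pos:close].strip()
        pos = close
    if text[pos] != ")":
        raise ValueError("expected ')' at offset %d" % pos)
    return key, value, pos + 1


def parse_line(line: str) -> Optional[Dict[str, Any]]:
    """One 'establish' line -> dict, or None when the six ' * '-separated
    fields are not all present (as in the last line of the sample)."""
    parts = [p.strip() for p in line.strip().split(" * ")]
    if len(parts) != 6 or parts[3] != "establish":
        return None
    when, connect, address, _, service, code = parts
    _, cd, _ = parse_descriptor(connect)
    _, addr, _ = parse_descriptor(address)
    cid = cd.get("CID", {})
    return {
        "timestamp": when,
        "service": service,
        "requested_instance": cd.get("INSTANCE_NAME"),   # present only on the 2nd request
        "server_type": cd.get("SERVER"),
        "client_host": cid.get("HOST"),
        "client_user": cid.get("USER"),
        "source": "%s:%s" % (addr.get("HOST"), addr.get("PORT")),
        "return_code": int(code),                        # 0 = accepted
    }


def parse_log(text: str) -> List[Dict[str, Any]]:
    return [r for r in (parse_line(l) for l in text.splitlines()) if r is not None]


def failed_connections(records: List[Dict[str, Any]]) -> List[Tuple[str, Optional[str], int]]:
    """(timestamp, requested instance, code) for every establish that did not
    return 0. 12520 is TNS-12520, 'listener could not find available handler';
    in the posted log it occurs only on requests that name INSTANCE_NAME=sale3."""
    return [(r["timestamp"], r["requested_instance"], r["return_code"])
            for r in records if r["return_code"] != 0]


def failures_by_instance(records: List[Dict[str, Any]]) -> Dict[str, int]:
    """Count failures per named instance, to see whether a single instance
    (here sale3) is the only one being refused."""
    counts: Dict[str, int] = {}
    for _, inst, _ in failed_connections(records):
        key = inst or "<no instance named>"
        counts[key] = counts.get(key, 0) + 1
    return counts
```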
Load balancing, failover and fallback in Non-Clustered WebLogic environment
hi,
Has anyone implemented WebLogic 10.3.3 (or 10.3.4) in a non-clustered environment, but also got load balancing, failover and fallback to work?
We were successful in getting failover working using the t3://server1:7001,server2:7002 provider URL, but not load balancing or fallback.
Fallback works when the client was connected to server2 and we kill server2: then it switches to server1. But it does not work when server2 is still running while server1 comes back.
All we need is to find a way to enforce fallback to the primary site, even if the secondary the client connected to is still up and running when the primary site comes back.
Any help appreciated.
Thanks.
Best regards,
Bala -
A question about oc4j load balancing/ failover behaviour
Hi
I have been trying to set up load balancing using 9.0.2 standalone oc4j instances that share sessions.
- I set up two oc4j instances (say oc4j1 and oc4j2) pointing to a load balancer entering the following in <J2EE_HOME>config\http-web-site.xml:
<web-site host="<ip>" port="<port>" display-name="Oracle 9iAS Java HTTP WebSite" cluster-island="1" >
and
<frontend host="<host>" port="80" />
- I entered <cluster-config/> and <session-tracking/> in each oc4j instance's orion-web.xml, and <distributable/> in their web.xml files.
- I started the load balancer (java -jar loadbalancer.jar -debug) and the oc4j instances.
Everything works fine up to a point. They are both added to the cluster and the debug messages show that requests are being routed to oc4j1 and cluster session value update messages are sent by oc4j1 and received by oc4j2. When I shut down oc4j1 requests are routed to oc4j2 and session information is maintained.
However, when I start up oc4j1 again, it does not appear to be receiving the session value updates now being sent by oc4j2 so if I now shut down oc4j2 the session is lost. Can anyone please tell me what I have missed?
Thanks in advance
- Al -
Loading balance/failover in JDBC
Hi experts,
We have a 4-node Oracle 10g2 RAC on Linux.
We created a service; the TNS entry has info for failover and load balance, as follows:
(LOAD_BALANCE = yes)
(CONNECT_DATA =
  (SERVER = DEDICATED)
  (SERVICE_NAME = dbservice)
  (FAILOVER_MODE =
    (TYPE = SELECT)
    (METHOD = BASIC)
    (RETRIES = 180)
    (DELAY = 5)
  )
)
It works for non-Java applications.
I saw the JDBC URL as:
URL="jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS_LIST=(ADDRESS=(PROTOCOL=TCP)(HOST=dbhost1)(PORT=1521))(ADDRESS=(PROTOCOL=TCP)(HOST=dbhost2)(PORT=1521))(FAILOVER=on)(LOAD_BALANCE=off))(CONNECT_DATA=(SERVER=DEDICATED)(SERVICE_NAME=dbservice)))"
My question is: why are the load_balance and failover settings different between TNS and JDBC?
Do we need to copy the TNS entry exactly into JDBC?
Do we need to set up MultiPools for JDBC? This Java application uses a connection pool to connect to the RAC database, and it seems that failover does not work.
Thanks for help
Jim
Ok, TAF does not work with jdbc-thin: [http://download.oracle.com/docs/cd/B19306_01/java.102/b14355/overvw.htm#sthref18]
With TAF the client takes care of failover transparent to the application.
But TAF is not the only feature/function that will help with failover. If you have an application server that employs a connection pool, it will also take care of this. When the connection pool determines that a connection is lost/broken (or it receives a FAN event) it will try to reopen a connection and it will be redirected to a working instance. This should keep the application up but all transactions and sessions that were being executed on the failed node will still crash and generate application errors (a smart application could catch such an exception and re-execute all sql).
Maybe you can explain more what kind of behavior you expect during failover and why you think it is not working.
Bjoern -
Cisco 1921 Dual ADSL Load Balancing/Failover?
Hello,
We have purchased a Cisco 1921 with twin ADSL after advice from a Cisco sales rep. However I am having trouble working out the load balancing/fail over config for the device.
I would like traffic to balance over both ADSL lines and if one goes down not to interrupt connectivity.
I had a look at ppp multilink but I am unsure our ISP (BT) support this?
This is my current config, in which I think only one ADSL line is being used. Some input would be appreciated.
Robbie
! Last configuration change at 13:18:34 UTC Tue Mar 29 2011
version 15.0
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname xxxxxx
boot-start-marker
boot-end-marker
no logging buffered
enable secret 5 xxxxx
enable password xxxx
no aaa new-model
no ipv6 cef
ip source-route
ip cef
ip name-server 194.74.65.68
ip name-server 194.72.0.114
multilink bundle-name authenticated
crypto pki trustpoint TP-self-signed-xxxxxx
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-xxxxx0
revocation-check none
rsakeypair TP-self-signed-xxxxx!
crypto pki certificate chain TP-self-signed-xxxxxx
certificate self-signed 02 nvram:IOS-Self-Sig#4.cer
license udi pid CISCO1921/K9 xxxxx
username admin privilege 15 secret 5 xxxxxxxxxx/
interface GigabitEthernet0/0
description lan$ETH-LAN$
ip address 10.0.8.1 255.255.248.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
interface GigabitEthernet0/1
no ip address
shutdown
duplex auto
speed auto
interface ATM0/0/0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
no atm ilmi-keepalive
dsl operating-mode adsl2
interface ATM0/0/0.1 point-to-point
description $ES_WAN$$FW_OUTSIDE$
ip flow ingress
pvc 0/38
encapsulation aal5mux ppp dialer
dialer pool-member 1
interface ATM0/1/0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
no atm ilmi-keepalive
dsl operating-mode adsl2
interface ATM0/1/0.1 point-to-point
description $ES_WAN$$FW_OUTSIDE$
ip flow ingress
pvc 0/38
encapsulation aal5mux ppp dialer
dialer pool-member 1
interface Dialer0
mtu 1483
ip address negotiated
ip access-group spalding in
ip access-group spalding out
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication chap callin
ppp chap hostname xxxxx
ppp chap password 0 xxxxx
ppp multilink
ppp multilink links minimum 2
ppp multilink fragment disable
ppp timeout multilink link add 2
no cdp enable
interface Dialer1
mtu 1483
ip address negotiated
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication chap callin
ppp chap hostname xxxxx
ppp chap password 0 xxxxx
ppp link reorders
ppp multilink
ppp multilink links minimum 2
ppp multilink fragment disable
ppp timeout multilink link add 2
no cdp enable
ip forward-protocol nd
no ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 1 interface Dialer0 overload
ip nat inside source static tcp 10.0.15.201 3389 interface Dialer0 3389
ip nat outside source static tcp 195.194.75.218 3389 10.0.15.200 3389 extendable
ip route 0.0.0.0 0.0.0.0 Dialer0
access-list 1 remark INSIDE_IF=GigabitEthernet0/0
access-list 1 permit 10.0.0.0 0.254.255.255
dialer-list 1 protocol ip permit
control-plane
line con 0
line aux 0
line vty 0 4
privilege level 15
login local
transport input telnet ssh
line vty 5 15
privilege level 15
login local
transport input telnet ssh
scheduler allocate 20000 1000
end
Hi,
Can anyone help me with this config? It's not very reliable.
Building configuration...
Current configuration : 17349 bytes
! Last configuration change at 06:08:06 UTC Sun Apr 5 2015 by Shawn
version 15.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
hostname Router
boot-start-marker
boot system flash0:c2900-universalk9-mz.SPA.154-3.M2.bin
boot-end-marker
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200
logging console critical
enable secret 5 $1$sNeA$GB6.SMrcsxPf51tK2Eo9Z.
aaa new-model
aaa authentication login local_authen local
aaa authorization exec local_author local
aaa session-id common
no ip source-route
ip port-map user-protocol--8 port udp 3392
ip port-map user-protocol--9 port tcp 3397
ip port-map user-protocol--2 port udp 3391
ip port-map user-protocol--3 port tcp 14000
ip port-map user-protocol--1 port tcp 3391
ip port-map user-protocol--6 port udp 3394
ip port-map user-protocol--7 port tcp 3392
ip port-map user-protocol--4 port udp 14100
ip port-map user-protocol--5 port tcp 3394
ip port-map user-protocol--10 port udp 3397
ip dhcp excluded-address 192.168.1.1 192.168.1.49
ip dhcp excluded-address 192.168.10.1 192.168.10.49
ip dhcp pool DHCP_POOL1
import all
network 192.168.1.0 255.255.255.0
dns-server 139.130.4.4 203.50.2.71
default-router 192.168.1.1
lease infinite
ip dhcp pool ccp-pool1
import all
network 192.168.10.0 255.255.255.0
dns-server 139.130.4.4 203.50.2.71
default-router 192.168.10.1
lease infinite
no ip bootp server
ip host SHAWN-PC 192.168.1.10
ip host DIAG 192.168.1.5
ip host MSERV 192.168.1.13
ip name-server 139.130.4.4
ip name-server 203.50.2.71
ip cef
ip cef load-sharing algorithm include-ports source destination
no ipv6 cef
multilink bundle-name authenticated
cts logging verbose
crypto pki trustpoint TP-self-signed-1982477479
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1982477479
revocation-check none
rsakeypair TP-self-signed-1982477479
license udi pid
license boot module c2900 technology-package securityk9
license boot module c2900 technology-package datak9
redundancy
controller VDSL 0/0/0
operating mode adsl2+
controller VDSL 0/1/0
operating mode adsl2+
no cdp run
track timer interface 5
track 1 interface Dialer0 ip routing
delay down 15 up 10
track 2 interface Dialer1 ip routing
delay down 15 up 10
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
class-map type inspect match-all sdm-nat-user-protocol--7-1
match access-group 104
match protocol user-protocol--7
match access-group 102
class-map type inspect match-all sdm-nat-user-protocol--4-2
match access-group 101
match protocol user-protocol--4
class-map type inspect match-all sdm-nat-user-protocol--6-1
match access-group 103
match protocol user-protocol--6
class-map type inspect match-all sdm-nat-user-protocol--5-1
match access-group 103
match protocol user-protocol--5
class-map type inspect match-all sdm-nat-user-protocol--4-1
match access-group 102
match protocol user-protocol--4
class-map type inspect match-all sdm-nat-user-protocol--7-2
match access-group 101
match protocol user-protocol--7
class-map type inspect match-all sdm-nat-user-protocol--3-1
match access-group 102
match protocol user-protocol--3
class-map type inspect match-all sdm-nat-user-protocol--2-1
match access-group 101
match protocol user-protocol--2
class-map type inspect match-all sdm-nat-user-protocol--1-2
match access-group 102
match protocol user-protocol--1
class-map type inspect match-all sdm-nat-user-protocol--1-1
match access-group 101
match protocol user-protocol--1
class-map type inspect match-all sdm-nat-user-protocol--2-2
match access-group 102
match protocol user-protocol--2
class-map type inspect match-all sdm-nat-user-protocol--3-2
match access-group 101
match protocol user-protocol--3
class-map type inspect match-all sdm-nat-user-protocol--8-2
match access-group 101
match protocol user-protocol--8
class-map type inspect match-all sdm-nat-user-protocol--9-2
match access-group 104
match protocol user-protocol--9
class-map type inspect match-any ccp-skinny-inspect
match protocol skinny
class-map type inspect match-all sdm-nat-user-protocol--9-1
match access-group 101
match protocol user-protocol--9
match access-group 104
class-map type inspect match-all sdm-nat-user-protocol--8-1
match access-group 104
match protocol user-protocol--8
match access-group 102
class-map type inspect match-any ccp-h323nxg-inspect
match protocol h323-nxg
class-map type inspect match-any ccp-cls-icmp-access
match protocol icmp
match protocol tcp
match protocol udp
class-map type inspect match-all sdm-nat-user-protocol--10-2
match access-group 104
match protocol user-protocol--10
class-map type inspect match-all sdm-nat-user-protocol--10-1
match access-group 101
match protocol user-protocol--10
match access-group 104
class-map type inspect match-any ccp-h225ras-inspect
match protocol h225ras
class-map type inspect match-any ccp-h323annexe-inspect
match protocol h323-annexe
class-map type inspect match-any ccp-cls-insp-traffic
match protocol pptp
match protocol dns
match protocol ftp
match protocol https
match protocol icmp
match protocol imap
match protocol pop3
match protocol netshow
match protocol shell
match protocol realmedia
match protocol rtsp
match protocol smtp
match protocol sql-net
match protocol streamworks
match protocol tftp
match protocol vdolive
match protocol tcp
match protocol udp
class-map type inspect match-all SDM_GRE
match access-group name SDM_GRE
class-map type inspect match-any ccp-h323-inspect
match protocol h323
class-map type inspect match-all ccp-invalid-src
match access-group 100
class-map type inspect match-any ccp-sip-inspect
match protocol sip
class-map type inspect match-all ccp-protocol-http
match protocol http
class-map type inspect match-any CCP_PPTP
match class-map SDM_GRE
class-map type inspect match-all ccp-insp-traffic
match class-map ccp-cls-insp-traffic
class-map type inspect match-all ccp-icmp-access
match class-map ccp-cls-icmp-access
policy-map type inspect ccp-inspect
class type inspect ccp-invalid-src
drop log
class type inspect ccp-protocol-http
inspect
class type inspect ccp-insp-traffic
inspect
class type inspect ccp-sip-inspect
inspect
class type inspect ccp-h323-inspect
inspect
class type inspect ccp-h323annexe-inspect
inspect
class type inspect ccp-h225ras-inspect
inspect
class type inspect ccp-h323nxg-inspect
inspect
class type inspect ccp-skinny-inspect
inspect
class class-default
drop
policy-map type inspect sdm-pol-NATOutsideToInside-1
class type inspect sdm-nat-user-protocol--1-1
inspect
class type inspect sdm-nat-user-protocol--2-1
inspect
class type inspect sdm-nat-user-protocol--3-1
inspect
class type inspect sdm-nat-user-protocol--4-1
inspect
class type inspect sdm-nat-user-protocol--5-1
inspect
class type inspect sdm-nat-user-protocol--6-1
inspect
class type inspect sdm-nat-user-protocol--7-1
inspect
class type inspect sdm-nat-user-protocol--8-1
inspect
class type inspect sdm-nat-user-protocol--9-1
inspect
class type inspect sdm-nat-user-protocol--10-1
inspect
class type inspect CCP_PPTP
pass
class type inspect sdm-nat-user-protocol--7-2
inspect
class type inspect sdm-nat-user-protocol--8-2
inspect
class type inspect sdm-nat-user-protocol--1-2
inspect
class type inspect sdm-nat-user-protocol--2-2
inspect
class type inspect sdm-nat-user-protocol--9-2
inspect
class type inspect sdm-nat-user-protocol--10-2
inspect
class type inspect sdm-nat-user-protocol--3-2
inspect
class type inspect sdm-nat-user-protocol--4-2
inspect
class class-default
drop log
policy-map type inspect ccp-permit
class class-default
drop
policy-map type inspect ccp-permit-icmpreply
class type inspect ccp-icmp-access
inspect
class class-default
pass
zone security in-zone
zone security out-zone
zone-pair security ccp-zp-self-out source self destination out-zone
service-policy type inspect ccp-permit-icmpreply
zone-pair security ccp-zp-in-out source in-zone destination out-zone
service-policy type inspect ccp-inspect
zone-pair security ccp-zp-out-self source out-zone destination self
service-policy type inspect ccp-permit
zone-pair security sdm-zp-NATOutsideToInside-1 source out-zone destination in-zone
service-policy type inspect sdm-pol-NATOutsideToInside-1
interface Null0
no ip unreachables
interface Embedded-Service-Engine0/0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
shutdown
interface GigabitEthernet0/0
description $ETH-LAN$
ip address 192.168.10.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
duplex auto
speed auto
no mop enabled
interface GigabitEthernet0/1
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
shutdown
duplex auto
speed auto
no mop enabled
interface ATM0/0/0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
no atm ilmi-keepalive
interface ATM0/0/0.1 point-to-point
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
pvc 8/35
encapsulation aal5mux ppp dialer
dialer pool-member 1
interface ATM0/0/0.2 point-to-point
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
interface Ethernet0/0/0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
shutdown
no mop enabled
interface ATM0/1/0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
no atm ilmi-keepalive
interface ATM0/1/0.1 point-to-point
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
pvc 8/35
encapsulation aal5mux ppp dialer
dialer pool-member 2
interface Ethernet0/1/0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
shutdown
no mop enabled
interface GigabitEthernet0/3/0
no ip address
interface GigabitEthernet0/3/1
no ip address
interface GigabitEthernet0/3/2
no ip address
interface GigabitEthernet0/3/3
no ip address
interface GigabitEthernet0/3/4
no ip address
interface GigabitEthernet0/3/5
no ip address
interface GigabitEthernet0/3/6
no ip address
interface GigabitEthernet0/3/7
no ip address
interface Vlan1
description $FW_INSIDE$
ip address 192.168.1.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nbar protocol-discovery
ip flow ingress
ip nat inside
ip virtual-reassembly in
zone-member security in-zone
interface Dialer0
description $FW_OUTSIDE$
ip address negotiated
no ip redirects
no ip unreachables
no ip proxy-arp
ip nbar protocol-discovery
ip flow ingress
ip nat outside
ip virtual-reassembly in
zone-member security out-zone
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication chap pap callin
ppp chap hostname [email protected]
ppp chap password 7 1444405858557A
ppp pap sent-username [email protected] password 7 135645415F5D54
ppp multilink
interface Dialer1
description $FW_OUTSIDE$
ip address negotiated
no ip redirects
no ip unreachables
no ip proxy-arp
ip nbar protocol-discovery
ip flow ingress
ip nat outside
ip virtual-reassembly in
zone-member security out-zone
encapsulation ppp
dialer pool 2
dialer-group 2
ppp authentication chap pap callin
ppp chap hostname [email protected]
ppp chap password 7 01475E540E5D55
ppp pap sent-username [email protected] password 7 055F5E5F741A1D
ppp multilink
router eigrp as#
router eigrp 10
network 192.168.1.1 0.0.0.0
router rip
version 2
network 192.168.1.0
no auto-summary
ip forward-protocol nd
ip http server
ip http access-class 3
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip dns server
ip nat inside source static tcp 192.168.1.10 3392 interface Dialer1 3392
ip nat inside source static udp 192.168.1.10 3392 interface Dialer1 3392
ip nat inside source static tcp 192.168.1.35 3391 interface Dialer0 3391
ip nat inside source static udp 192.168.1.35 3391 interface Dialer0 3391
ip nat inside source static tcp 192.168.1.5 3394 interface Dialer0 3394
ip nat inside source static udp 192.168.1.5 3394 interface Dialer0 3394
ip nat inside source static tcp 192.168.1.17 3397 interface Dialer0 3397
ip nat inside source static udp 192.168.1.17 3397 interface Dialer0 3397
ip nat inside source static tcp 192.168.1.10 14000 interface Dialer0 14000
ip nat inside source static udp 192.168.1.10 14100 interface Dialer0 14100
ip nat inside source route-map ADSL0 interface Dialer0 overload
ip nat inside source route-map ADSL1 interface Dialer1 overload
ip route 0.0.0.0 0.0.0.0 Dialer0 track 1
ip route 0.0.0.0 0.0.0.0 Dialer1 track 2
ip access-list extended NAT
remark CCP_ACL Category=18
permit ip 192.0.0.0 0.255.255.255 any
ip access-list extended SDM_GRE
remark CCP_ACL Category=1
permit gre any any
remark CCP_ACL Category=1
ip access-list extended STATIC-NAT-SERVICES
permit ip host 192.168.1.35 any
permit ip host 192.168.1.5 any
permit ip host 192.168.1.10 any
permit ip host 192.168.1.17 any
dialer-list 1 protocol ip permit
dialer-list 2 protocol ip permit
route-map ADSL0 permit 10
match ip address NAT
match interface Dialer0
route-map ADSL1 permit 10
match ip address NAT
match interface Dialer1
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 2 remark HTTP Access-class list
access-list 2 remark CCP_ACL Category=1
access-list 2 permit 192.168.1.0 0.0.0.255
access-list 2 deny any
access-list 2 remark HTTP Access-class list
access-list 2 remark CCP_ACL Category=1
access-list 3 remark HTTP Access-class list
access-list 3 remark CCP_ACL Category=1
access-list 3 permit 192.168.1.0 0.0.0.255
access-list 3 deny any
access-list 10 remark INSIDE_IF=NAT
access-list 10 remark CCP_ACL Category=2
access-list 10 permit 192.168.1.0 0.0.0.255
access-list 100 remark CCP_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip 139.130.227.0 0.0.0.255 any
access-list 100 permit ip 203.45.106.0 0.0.0.255 any
access-list 101 remark CCP_ACL Category=0
access-list 101 permit ip any host 192.168.1.10
access-list 101 remark CCP_ACL Category=0
access-list 101 permit ip any host 192.168.1.35
access-list 101 permit tcp any any eq www
access-list 102 remark CCP_ACL Category=0
access-list 102 permit ip any host 192.168.1.35
access-list 102 remark CCP_ACL Category=0
access-list 102 permit ip any host 192.168.1.10
access-list 103 remark CCP_ACL Category=0
access-list 103 permit ip any host 192.168.1.5
access-list 104 remark CCP_ACL Category=0
access-list 104 permit ip any host 192.168.1.17
control-plane
banner login ^CCE-Rescue Systems^C
line con 0
login authentication local_authen
transport output telnet
line aux 0
login authentication local_authen
transport output telnet
line 2
no activation-character
no exec
transport preferred none
transport output lat pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
authorization exec local_author
login authentication local_authen
transport input telnet ssh
line vty 5 15
authorization exec local_author
login authentication local_authen
transport input telnet ssh
scheduler allocate 20000 1000
end
Thanks
Shawn -
2 x 2911 HSEC router 3 ADSL connections each Site to Site VPN Load Balancing Failover
Hello,
My scenario is as described in the title.
Site A Headquarters. The router is Cisco 2911HSEC with 3 ADSL connections
Site B Remote Office. The router is Cisco 2911HSEC with 3 ADSL connections and 10 Users.
All ADSL connections have static IPs and belong to same ISP.
Need - Site to Site VPN between the routers.
The client requests to load balance the traffic, due to poor ADSL speed, and to have a failover scenario in case an ADSL line goes down.
Any help will be appreciated.
I don't believe you will find one solution for this.
An idea would be to have all three ADSLs paired with ADSL on the other side.
Have 3 VTI (or GRE) tunnels up all the time (VRF-lite anybody?) and advertise routes to the other side with same metric.
This will cause IOS to load balance natively.
Potential problem: return path might not be the same as forward path, but it should not matter much for most applications.
Potential cool thing you can do: All the "magical" things in the routing world (Did I hear PfR?). FlexVPN on top to make it more flexible.
Benefit: Rely on IKE to bring down connections which are going down. Little-to-no management once it's up and running. -
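To make the suggestion above concrete, here is an added example (not configuration from the thread or from either poster) of the Site A side: three static VTI tunnels, one per ADSL line, with EIGRP advertising the LAN over all three at the same metric so IOS installs three equal-cost routes and CEF shares the load natively. Every address (RFC 5737 ranges), interface name, key placeholder and the EIGRP AS number is an assumption made for the illustration; Site B mirrors the configuration with the source/destination pairs swapped.

```cisco
! Added example, not from the thread: Site A side of three static VTI tunnels,
! one per ADSL line, with EIGRP advertising the LAN over all three at equal cost
! so IOS installs three equal-cost routes and CEF shares the load natively.
! Every address, interface name, key placeholder and the AS number below is an
! assumed placeholder. Site B mirrors this with source/destination pairs swapped.
!
! IKE phase 1 and one pre-shared key per remote static ADSL address
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key <PSK-LINE1> address 198.51.100.1
crypto isakmp key <PSK-LINE2> address 198.51.100.2
crypto isakmp key <PSK-LINE3> address 198.51.100.3
!
! Phase 2: transform set and the profile applied to every tunnel
crypto ipsec transform-set VTI-TS esp-aes 256 esp-sha256-hmac
 mode tunnel
crypto ipsec profile VTI-PROF
 set transform-set VTI-TS
!
! Pin each remote endpoint to its own Dialer so tunnel N really rides line N
! (otherwise a single default route would send all three tunnels down one line)
ip route 198.51.100.1 255.255.255.255 Dialer0
ip route 198.51.100.2 255.255.255.255 Dialer1
ip route 198.51.100.3 255.255.255.255 Dialer2
!
! Three static VTIs. When IKE/IPsec fails on a line the tunnel line protocol
! drops, EIGRP loses that neighbor and traffic shifts to the remaining paths.
interface Tunnel0
 description VTI over ADSL line 1 (Dialer0) to Site B line 1
 ip address 10.255.0.1 255.255.255.252
 tunnel source Dialer0
 tunnel destination 198.51.100.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI-PROF
!
interface Tunnel1
 description VTI over ADSL line 2 (Dialer1) to Site B line 2
 ip address 10.255.0.5 255.255.255.252
 tunnel source Dialer1
 tunnel destination 198.51.100.2
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI-PROF
!
interface Tunnel2
 description VTI over ADSL line 3 (Dialer2) to Site B line 3
 ip address 10.255.0.9 255.255.255.252
 tunnel source Dialer2
 tunnel destination 198.51.100.3
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI-PROF
!
! Identical tunnel interfaces give identical EIGRP metrics, so Site B's LAN
! (192.168.20.0/24) is installed with three next hops. Hellos go out on the
! tunnels only, never on the LAN or the dialers.
router eigrp 100
 network 10.255.0.0 0.0.0.255
 network 192.168.10.0 0.0.0.255
 passive-interface default
 no passive-interface Tunnel0
 no passive-interface Tunnel1
 no passive-interface Tunnel2
```

Once both sides are up, `show ip route 192.168.20.0` should list three paths and `show crypto session` three active sessions. CEF load sharing is per destination by default, so any single flow stays on one line and is capped at that line's ADSL speed; pulling a line only removes that tunnel's routes, which is the "rely on IKE" behaviour described above.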
wondering if anyone would have advice for me on load
balancing with coldfusion either with software or hardware.
our basic set up is NAT through a firewall to local IPs. we
don't really have the option of assigning outward IPs to the
webservers.
it's not so much the load balancing that is important as much
as it is coldfusion availability as occasionally coldfusion stops
or crashes leaving a 503 msg for visitors (this is rare, but does
happen).
it would be nice to have a device or software switch the
incoming traffic to another server if CF is unavailable on the
other.
we are using MX 6.1 on win2003.
any help would be appreciated.
These articles may help:
http://www.adobe.com/devnet/coldfusion/clustering.html -
Load balance on CSM with both Firewalls and Cache engines
Hi,
I come from VDC#3 (Vietnam); we have 2 CSMs, 3 firewalls, and 8 CE 7325s. We configured dual CSMs to load balance for the 3 FWs, and now we want to use one CSM to load balance for the CEs. Can you give me a hint on the best network topology?
Thanks
Your topology is correct.
The problem is your config.
If you need access to the CE ip addresses, you need to configure a vserver to allow this traffic.
Something like
serverfarm FORWARD
no nat server
no nat client
predictor forward
vserver access2ce
vip x.x.x.0/24 any
serverfarm FORWARD
ins
Replace x.x.x.0/24 with the subnet used by the CE.
Regards,
Gilles.
Thanks for rating this answer. -
Global load balancing/active active vip and virtual interface redundancy
Is there a way to configure both of these technologies without exposing the external addressing to the internal network? I have active active within the data center and would like to have active/active across two data centers but I don't see any way to use internal addressing for my content rules and still use them for dns unless I can specify records without using content rules. Thanks.
http://www.cisco.com/en/US/products/hw/contnetw/ps789/products_configuration_example09186a008009438a.shtml
http://www.cisco.com/en/US/products/hw/contnetw/ps792/products_configuration_guide_chapter09186a0080157898.html
Hi Victor,
In response to your questions regarding doing Active/Active GSLB using VIP and interface redundancy.
Rule based GSLB will not work with VIP/interface redundancy.
The reason is because the CSS cannot set up an app session to a redundant interface; it needs to set the app session up to a real interface. Thus, a full mesh topology must be used for GSLB and VIP/interface redundancy.
Bug ID CSddw27861 reported this problem and engineering added the command "kal-ap-vip" to support a full mesh topology. This command can only be used under zone based GSLB and not rule based.
The syntax for the command would be:
dns-record a www.work.com 5.5.5.5 0 single kal-ap-vip 1.1.1.1
Rule/ACL based GSLB with VIP/int redundancy will not work.
Regards,
Mark -
CSS: BoxToBox and Global Server Load Balancing
Hi,
I'm going to setup a CSS based Global Load Balancing architecture in two different sites with 2xCSS11503 in each site.
I need DNS Sticky but I'm not going to configure a Global Sticky Database since I would like to configure the two CSS in each site in Box To Box redundancy.
Is it possible to configure on a CSS two app sessions, one for the Zone-based DNS with the remote site and the other one for local Box-to-Box redundancy?
Thank you
Kind Regards
Fulvio
Hi Fulvio,
Take a look at the NOTE on the below link
http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/css11500series/v8.20_v8.10/configuration/gslb/guide/DNS.html#wp1170057
Box to box should be part of the caveat.
Thanks
Venky -
Load-balancing of transparent cache + IP spoofing + RTSP + MMS not working
We already have in production an architecture with load-balancing of transparent cache + IP spoofing.
We are unable to do the same for streaming flows (MMS and RTSP).
We are doing PBR from our core network (2 * C6K) to redirect ports 80, 554 and 1755 toward the CSS boxes, same in our access routers (2 * Cisco 7200).
In this config the desired flows are redirected toward the CSS.
Then the CSS should load balance the traffic toward our BlueCoat proxy-cache farm.
It's working fine for HTTP but we are unable to make it work for MMS and RTSP.
Note that we are required to use ECMP to perform IP spoofing on the CSS, meaning we need 4 routes for each client subnet (one route toward the upstream C6K, and 3 routes, one for each proxy cache). We use an ACL to get rid of the looping condition.
Anyone who has already put in place load-balancing of streaming transparent cache + IP spoofing could give us some hints.
Many thanks.
Regards,
Pierre Viennet
Gilles, thanks for your input.
Here is where we are at with the streaming implementation:
- HTTP on all types of client is working
- RTSP: TCP 554 with Real Media client is working
- RTSP: TCP 554 with WMP not working, but it's due to a bug in the Bluecoat implementation: the proxy sends an error when it sees a request with ( User-Agent: WMPlayer ) for RTSP content.
- MMS: TCP 1755 not working with IP spoofing enabled on the proxy but OK without IP spoofing...
- UDP 554: not working
- UDP 1755: not working
I fully understand the limitation for UDP traffic.
But I don't see why it's not working for MMS over TCP traffic.
Note that I have the exact same configuration for RTSP and MMS.
Why is it not working for MMS with IP spoofing? Are you aware of a difference in the way the CSS handles MMS flows, or a specificity of the MMS protocol?
Below is what we can see on the different equipment when trying to launch an MMS over TCP stream:
c6k-Faaa#sh mls ip source 195.83.182.72
Displaying Netflow entries in Supervisor Earl
DstIP SrcIP Prot:SrcPort:DstPort Src i/f:AdjPtr
Pkts Bytes Age LastSeen Attributes
202.3.225.5 195.83.182.72 tcp :1755 :1504 0 : 0
3 124 17 18:58:12 L3 - Dynamic
202.3.225.5 195.83.182.72 tcp :1755 :1527 0 : 0
2 84 3 18:58:20 L3 - Dynamic
202.3.225.5 195.83.182.72 tcp :554 :1503 0 : 0
4 360 17 18:58:06 L3 - Dynamic
c6k-Faaa#
CSS11503_CORE1# sho flows 202.3.225.5 | grep 1755
202.3.225.5 38531 195.83.182.72 1755 0.0.0.0 TCP
2/3 2/1
202.3.225.5 1527 195.83.182.72 1755 195.83.182.72 TCP
2/7 2/3
CSS11503_CORE1# sho flows 202.3.225.5 | grep 1755
202.3.225.5 38531 195.83.182.72 1755 0.0.0.0 TCP
2/3 2/1
202.3.225.5 1527 195.83.182.72 1755 195.83.182.72 TCP
2/7 2/3
CSS11503_CORE1# sho flows 202.3.225.5 | grep 1755
202.3.225.5 38531 195.83.182.72 1755 0.0.0.0 TCP
2/3 2/1
202.3.225.5 1527 195.83.182.72 1755 195.83.182.72 TCP
2/7 2/3
CSS11503_CORE1#
TCP 192.168.4.19:1491 195.83.182.72:554 TIME_WAIT
TCP 192.168.4.19:1492 195.83.182.72:554 TIME_WAIT
TCP 192.168.4.19:1493 195.83.182.72:1755 TIME_WAIT
TCP 192.168.4.19:1502 195.83.182.72:554 TIME_WAIT
TCP 192.168.4.19:1503 195.83.182.72:554 TIME_WAIT
TCP 192.168.4.19:1504 195.83.182.72:1755 TIME_WAIT
TCP 192.168.4.19:1525 195.83.182.72:554 TIME_WAIT
TCP 192.168.4.19:1526 195.83.182.72:554 TIME_WAIT
TCP 192.168.4.19:1527 195.83.182.72:1755 TIME_WAIT
Many Thanks for your input.
Pierre Viennet. -
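The PBR redirect and the loop-avoiding ACL mentioned in the post above, as an added example (not configuration from the thread or from the poster's network): the route-map on the client-facing interface of a core or access router hands client HTTP, RTSP and MMS flows over TCP to the CSS, the ACL exempts traffic sourced by the CSS and the cache farm, and an IP SLA tracker stops steering traffic at a dead CSS. All addresses and interface names are assumed placeholders, and the `ip sla`/`track` syntax assumes a 12.4T/15.x-era IOS.

```cisco
! Added example, not from the thread: PBR on the client-facing interface of a
! core/access router that hands client HTTP, RTSP and MMS (TCP) flows to the CSS,
! with a loop guard so the caches' own traffic is never redirected again.
! All addresses and interface names are assumed placeholders.
!
ip access-list extended CACHE-REDIRECT
 remark Loop guard: never redirect packets the CSS or the proxy caches send
 remark themselves (health checks, management, non-spoofed origin fetches).
 deny   ip host 10.10.10.10 any
 deny   ip 10.10.20.0 0.0.0.255 any
 remark Only the TCP ports the cache farm serves; UDP 554/1755 stay on the
 remark normal path because the transparent farm cannot serve them.
 permit tcp any any eq www
 permit tcp any any eq 554
 permit tcp any any eq 1755
 remark Everything else gets no match and is routed normally.
!
! Probe the CSS address so PBR stops steering traffic to a dead box
ip sla 1
 icmp-echo 10.10.10.10
 frequency 10
ip sla schedule 1 life forever start-time now
track 1 ip sla 1 reachability
!
route-map TO-CSS permit 10
 match ip address CACHE-REDIRECT
 set ip next-hop verify-availability 10.10.10.10 10 track 1
!
! Apply only where client requests enter. With IP spoofing enabled, cache-to-origin
! packets carry the client's source address, so a source-based deny cannot catch
! them; keeping PBR off the CSS/cache-facing interface is what breaks that loop.
interface GigabitEthernet0/1
 description client-facing interface
 ip policy route-map TO-CSS
```

`show route-map TO-CSS` shows the policy-routing match counters and `show track 1` the CSS reachability state; when the tracker goes down the `set` clause is skipped and the matched flows are routed normally instead of being black-holed.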
Windows Event Collector - Built-in options for load balancing and high availability ?
Hello,
I have a working collector. The config is source-initiated, and pushed by GPO.
I would like to deploy a second collector for high availability and load balancing. What are the available options? I have not found any guidance in TechNet articles.
As a low cost option, is it fine to simply start using DNS round-robin with a common alias for both servers pushed as a collector name through GPO?
In my GPO Policy, if I individually declare both servers, events are forwarded twice, once for each server. Indeed it does cover high availability, but it is not really optimized.
Thanks for your help.
Hi,
>>As a low cost option, is it fine to simply start using DNS round-robin with a common alias for both servers pushed as a collector name through GPO ?
Based on the description, we can utilize DNS round robin to distribute workloads and increase fault tolerance. By default, DNS uses round robin to rotate the order of RR data returned in query answers where multiple RRs of the same type exist for a queried DNS domain name. This feature provides a simple method for load balancing client use of Web servers and other frequently queried multihomed computers. Besides, by default, DNS will perform round-robin rotation for all RR types.
Regarding DNS round robin, the following article can be referred to for more information.
Configuring round robin
http://technet.microsoft.com/en-us/library/cc787484(v=ws.10).aspx
TechNet Subscriber Support
If you are a TechNet Subscription user and have any feedback on our support quality, please send your feedback here.
Best regards,
Frank Shen