Load balancing on zones

Hi everybody,
I have a question about load balancing in zones. Can we perform load balancing on zones? If so, what are the pros and cons of doing that?
FYI, I am asking about native zones. Any help will be greatly appreciated.
Thanks,
John

If you are running Sun Cluster, you can set up a scalable farm of zones or applications. You can also use the load balancing features within Sun Cluster:
http://blogs.sun.com/SC/entry/how_to_use_the_load1

Similar Messages

  • Load Balance guest Internet access via two different DMZ zones at two sites

    Hi Sir,
    My customer has the following unified wireless guest access requirement:
    - There are 2 internet links and dmz zones at two different locations, Site A and Site B
    - Data centre is at Site A
    - WiSM is proposed to be installed at the Cat 6500 in Site A
    - Lightweight AP are distributed across Site A, Site B and other branches
    - Only one anchor WLC is proposed at Site A, DMZ zone to provide guest internet access
    My customer would like to load balance the guests via the two internet links at Site A and Site B but with the same SSID across all locations. Can it be done since there is only one anchor at Site A? How about putting another anchor WLC at Site B, DMZ zone? But how can I establish two EoIP tunnels to two different anchor WLCs from a single WiSM?
    Thanks for your help
    Delon

    You can... but you can't control where the traffic will flow. The WLC will determine which DMZ WLC it will use. The WLC will load balance, but traffic in site A might go to site B. I currently have deployed that scenario in multiple client installations....

  • Forcing traffic through load balancer rather than zone to zone

    I have several T5140s with 2 LDOMs. Within each LDOM I have multiple zones which contain 2 environments. Each environment comprises the following, an apache instance behind a BigIP load balancer, a JBoss instance, and several misc. The jboss zone has three IP address assigned for multiple applications. Each server is configured identically as far as zone and LDOM layout. We use mod_cluster to cluster our apache and Jboss environment. What I'm trying to accomplish is forcing the apache zone's traffic through the BigIP rather than zone to zone.
    Referring to the information below, server2ldom1jboss is one jboss node which needs to connect to both server2ldom1apache and server1ldom1apache. server2ldom1jboss connects to server2ldom1apache via its DNS name which is a NAT address. So webserver2 resolves to 10.10.2.5 which NATs to 10.10.1.5 behind the BigIP. webserver2 responds directly to the jboss zone rather than through the BigIP. Not good. server1ldom1apache works correctly as it's not a local zone.
    Referring to this document, https://blogs.oracle.com/solarium/resource/solaris-container-guide-en-v3.1.pdf
    section 5.2.7.8
    "Connection of zones via external routers using the shared IP instance"
    I've created the following routes
    route add 10.10.2.5 10.10.1.5
    route add 10.10.0.34 10.10.1.5 -interface -reject
    route add 10.10.0.35 10.10.1.5 -interface -reject
    route add 10.10.0.87 10.10.1.5 -interface -reject
    route add 10.10.1.5 10.10.0.87 -interface -reject
    route add 10.10.1.5 10.10.0.34 -interface -reject
    route add 10.10.1.5 10.10.0.35 -interface -reject
    This does prevent the zone to zone traffic, but it is also preventing any response. I've tried other options as well, but have not been successful yet. What concerns me is this: "These interfaces must not be used elsewhere in the global zone." The 5140 has 4 ethernet ports, which are configured into two port channels, vnet0 and vnet1. The apache instances use vnet1. The remaining zones use vnet0, including the global zone (server2ldom1 10.10.0.21). I think this may be the issue, but do not see an easy resolution without breaking my port channels and losing redundancy and fail-over.
    If there is anything I'm missing or a better/different way to do this, I would greatly appreciate any input on this matter.
    Thank you.
    webserver2 10.10.2.5 NATs to 10.10.1.5
    jboss apps 10.10.0.34, 10.10.0.35, 10.10.0.87
    10.10.0.0/24 is the lan
    10.10.1.0/24 is the network behind the BigIP
    10.10.2.0/24 is the webserver network (in front of the BigIP)
    [1658]root@server2:~# ldm list-bindings
    NAME STATE FLAGS CONS VCPU MEMORY UTIL UPTIME
    primary active -n-cv- SP 4 2G 1.1% 138d 5h
    MAC
    00:14:4f:ec:20:ff
    HOSTID
    0x84ec20b8
    VCPU
    VID PID UTIL STRAND
    0 0 2.0% 100%
    1 1 1.4% 100%
    2 2 0.7% 100%
    3 3 2.1% 100%
    MAU
    ID CPUSET
    0 (0, 1, 2, 3, 4, 5, 6, 7)
    MEMORY
    RA PA SIZE
    0x8000000 0x8000000 2G
    VARIABLES
    boot-device=/pci@0/pci@0/pci@2/scsi@0/disk@0,0:a disk net
    keyboard-layout=US-English
    nvramrc=devalias rootdisk /pci@0/pci@0/pci@2/scsi@0/disk@0,0:a devalias rootmirror /pci@0/pci@0/pci@2/scsi@0/disk@1,0:a
    security-mode=none
    security-password=
    use-nvramrc?=true
    IO
    DEVICE PSEUDONYM OPTIONS
    pci@0 pci
    niu@80 niu
    VCC
    NAME PORT-RANGE
    primary-vcc0 5000-5010
    CLIENT PORT
    group1@primary-vcc0 5000
    group1@primary-vcc0 5000
    VSW
    NAME MAC NET-DEV DEVICE DEFAULT-VLAN-ID PVID VID MODE
    primary-vsw0 00:14:4f:f9:ff:ff aggr1 switch@0 1 1
    PEER MAC PVID VID
    vnet0@ldom2 00:14:4f:fb:7b:ff 1
    vnet0@ldom1 00:14:4f:fb:1a:ff 1
    NAME MAC NET-DEV DEVICE DEFAULT-VLAN-ID PVID VID MODE
    primary-vsw1 00:14:4f:fb:8e:ff aggr2 switch@1 1 1
    PEER MAC PVID VID
    vnet1@ldom1 00:14:4f:f8:17:ff 1
    vnet1@ldom2 00:14:4f:f8:c2:ff 1
    VDS
    NAME VOLUME OPTIONS MPGROUP DEVICE
    primary-vds0 ldom2_swap /ldoms/swap/server2ldom2
    ldom2_root /dev/dsk/c4t600601601CE1210018F9E37BD2AADD11d0s2
    ldom1_swap /ldoms/swap/server2ldom1
    ldom1_root /dev/dsk/c4t600601601CE121007E02166CD2AADD11d0s2
    CLIENT VOLUME
    ldom2_swap@ldom2 ldom2_swap
    ldom2_root@ldom2 ldom2_root
    ldom1_swap@ldom1 ldom1_swap
    ldom1_root@ldom1 ldom1_root
    VCONS
    NAME SERVICE PORT
    SP
    NAME STATE FLAGS CONS VCPU MEMORY UTIL UPTIME
    ldom1 active -n---- 5000 30 15G 3.7% 192d 6h
    MAC
    00:14:4f:f8:a5:ff
    HOSTID
    0x84f8a5f5
    VCPU
    VID PID UTIL STRAND
    0 4 0.4% 100%
    1 5 0.3% 100%
    2 6 0.1% 100%
    3 7 4.4% 100%
    4 8 0.2% 100%
    5 9 0.2% 100%
    6 10 14% 100%
    7 11 0.1% 100%
    8 12 8.1% 100%
    9 13 0.1% 100%
    10 14 0.1% 100%
    11 15 0.1% 100%
    12 16 0.3% 100%
    13 17 0.1% 100%
    14 18 0.1% 100%
    15 19 0.1% 100%
    16 20 0.3% 100%
    17 21 0.6% 100%
    18 22 0.3% 100%
    19 23 0.1% 100%
    20 54 1.0% 100%
    21 55 0.5% 100%
    22 56 1.2% 100%
    23 57 0.2% 100%
    24 58 4.5% 100%
    25 59 0.9% 100%
    26 60 0.0% 100%
    27 61 0.1% 100%
    28 62 0.1% 100%
    29 63 0.3% 100%
    MAU
    ID CPUSET
    1 (8, 9, 10, 11, 12, 13, 14, 15)
    2 (16, 17, 18, 19, 20, 21, 22, 23)
    6 (48, 49, 50, 51, 52, 53, 54, 55)
    7 (56, 57, 58, 59, 60, 61, 62, 63)
    MEMORY
    RA PA SIZE
    0x8000000 0x88000000 10G
    0x401800000 0x6b1800000 5G
    VARIABLES
    auto-boot?=true
    boot-device=ldom1_root:b
    NETWORK
    NAME SERVICE DEVICE MAC MODE PVID VID
    vnet0 primary-vsw0@primary network@0 00:14:4f:fb:1a:ff 1
    PEER MAC MODE PVID VID
    primary-vsw0@primary 00:14:4f:f9:ff:ff 1
    vnet0@ldom2 00:14:4f:fb:7b:ff 1
    NAME SERVICE DEVICE MAC MODE PVID VID
    vnet1 primary-vsw1@primary network@1 00:14:4f:f8:17:ff 1
    PEER MAC MODE PVID VID
    primary-vsw1@primary 00:14:4f:fb:8e:ff 1
    vnet1@ldom2 00:14:4f:f8:c2:ff 1
    DISK
    NAME VOLUME TOUT DEVICE SERVER MPGROUP
    ldom1_swap ldom1_swap@primary-vds0 disk@0 primary
    ldom1_root ldom1_root@primary-vds0 disk@1 primary
    VCONS
    NAME SERVICE PORT
    group1 primary-vcc0@primary 5000
    NAME STATE FLAGS CONS VCPU MEMORY UTIL UPTIME
    ldom2 active -n---- 5000 30 15000M 0.8% 192d 6h
    MAC
    00:14:4f:fa:e8:ff
    HOSTID
    0x84fae839
    VCPU
    VID PID UTIL STRAND
    0 24 1.0% 100%
    1 25 1.0% 100%
    2 26 0.0% 100%
    3 27 0.0% 100%
    4 28 0.1% 100%
    5 29 0.3% 100%
    6 30 0.0% 100%
    7 31 0.0% 100%
    8 32 0.0% 100%
    9 33 0.1% 100%
    10 34 1.3% 100%
    11 35 0.0% 100%
    12 36 0.1% 100%
    13 37 1.0% 100%
    14 38 1.9% 100%
    15 39 0.0% 100%
    16 40 0.0% 100%
    17 41 0.0% 100%
    18 42 0.1% 100%
    19 43 0.5% 100%
    20 44 0.2% 100%
    21 45 0.0% 100%
    22 46 0.2% 100%
    23 47 0.4% 100%
    24 48 0.2% 100%
    25 49 0.0% 100%
    26 50 0.0% 100%
    27 51 0.0% 100%
    28 52 0.0% 100%
    29 53 0.0% 100%
    MAU
    ID CPUSET
    3 (24, 25, 26, 27, 28, 29, 30, 31)
    4 (32, 33, 34, 35, 36, 37, 38, 39)
    5 (40, 41, 42, 43, 44, 45, 46, 47)
    MEMORY
    RA PA SIZE
    0x8000000 0x308000000 15000M
    VARIABLES
    auto-boot?=true
    boot-device=/virtual-devices@100/channel-devices@200/disk@1:b ldom2_root
    keyboard-layout=US-English
    NETWORK
    NAME SERVICE DEVICE MAC MODE PVID VID
    vnet0 primary-vsw0@primary network@0 00:14:4f:fb:7b:ff 1
    PEER MAC MODE PVID VID
    primary-vsw0@primary 00:14:4f:f9:ff:ff 1
    vnet0@ldom1 00:14:4f:fb:1a:ff 1
    NAME SERVICE DEVICE MAC MODE PVID VID
    vnet1 primary-vsw1@primary network@1 00:14:4f:f8:c2:ff 1
    PEER MAC MODE PVID VID
    primary-vsw1@primary 00:14:4f:fb:8e:ff 1
    vnet1@ldom1 00:14:4f:f8:17:ff 1
    DISK
    NAME VOLUME TOUT DEVICE SERVER MPGROUP
    ldom2_swap ldom2_swap@primary-vds0 disk@0 primary
    ldom2_root ldom2_root@primary-vds0 disk@1 primary
    VCONS
    NAME SERVICE PORT
    group1 primary-vcc0@primary 5000
    [1657]root@server2ldom1:~# ifconfig -a
    lo0: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
    inet 127.0.0.1 netmask ff000000
    lo0:1: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
    zone server2ldom1z3
    inet 127.0.0.1 netmask ff000000
    lo0:2: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
    zone server2ldom1z2
    inet 127.0.0.1 netmask ff000000
    lo0:3: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
    zone server2ldom1z6
    inet 127.0.0.1 netmask ff000000
    lo0:4: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
    zone server2ldom1jboss
    inet 127.0.0.1 netmask ff000000
    lo0:5: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
    zone server2ldom1apache
    inet 127.0.0.1 netmask ff000000
    lo0:6: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
    zone server2ldom1z1
    inet 127.0.0.1 netmask ff000000
    vnet0: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
    inet 10.10.0.21 netmask ffffff00 broadcast 10.10.0.255
    ether 0:14:4f:fb:1a:ff
    vnet0:1: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
    zone server2ldom1z2
    inet 10.10.0.33 netmask ffffff00 broadcast 10.10.0.255
    vnet0:2: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
    zone server2ldom1z6
    inet 10.10.0.36 netmask ffffff00 broadcast 10.10.0.255
    vnet0:3: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
    zone server2ldom1jboss
    inet 10.10.0.34 netmask ffffff00 broadcast 10.10.0.255
    vnet0:4: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
    zone server2ldom1jboss
    inet 10.10.0.35 netmask ffffff00 broadcast 10.10.0.255
    vnet0:5: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
    zone server2ldom1z1
    inet 10.10.0.32 netmask ffffff00 broadcast 10.10.0.255
    vnet0:6: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
    zone server2ldom1z1
    inet 10.10.0.74 netmask ffffff00 broadcast 10.10.0.255
    vnet0:7: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
    zone server2ldom1jboss
    inet 10.10.0.87 netmask ffffff00 broadcast 10.10.0.255
    vnet1: flags=1000842<BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 3
    inet 0.0.0.0 netmask 0
    ether 0:14:4f:f8:17:ff
    vnet1:1: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 3
    zone server2ldom1z3
    inet 10.10.1.101 netmask fffffc00 broadcast 10.10.47.255
    vnet1:2: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 3
    zone server2ldom1apache
    inet 10.10.1.5 netmask fffffc00 broadcast 10.10.47.255
    [1701]root@server2ldom1:~# zonecfg -z server2ldom1jboss info
    zonename: server2ldom1jboss
    zonepath: /zones/server2ldom1jboss
    brand: native
    autoboot: true
    bootargs:
    pool:
    limitpriv:
    scheduling-class:
    ip-type: shared
    inherit-pkg-dir:
    dir: /lib
    inherit-pkg-dir:
    dir: /platform
    inherit-pkg-dir:
    dir: /sbin
    inherit-pkg-dir:
    dir: /usr
    inherit-pkg-dir:
    dir: /opt/sfw
    inherit-pkg-dir:
    dir: /opt/
    net:
    address: 10.10.0.34
    physical: vnet0
    defrouter: 10.10.0.1
    net:
    address: 10.10.0.35
    physical: vnet0
    defrouter: 10.10.0.1
    net:
    address: 10.10.0.87
    physical: vnet0
    defrouter: 10.10.0.1
    attr:
    name: comment
    type: string
    value: server2ldom1jboss
    [1702]root@server2ldom1:~# zonecfg -z server2ldom1apache info
    zonename: server2ldom1apache
    zonepath: /zones/server2ldom1apache
    brand: native
    autoboot: true
    bootargs:
    pool:
    limitpriv:
    scheduling-class:
    ip-type: shared
    inherit-pkg-dir:
    dir: /lib
    inherit-pkg-dir:
    dir: /platform
    inherit-pkg-dir:
    dir: /sbin
    inherit-pkg-dir:
    dir: /usr
    inherit-pkg-dir:
    dir: /opt/sfw
    inherit-pkg-dir:
    dir: /opt/
    net:
    address: 10.10.1.5/22
    physical: vnet1
    defrouter not specified
    attr:
    name: comment
    type: string
    value: server2ldom1apache
    Edited by: coreyva on Feb 18, 2012 11:36 AM

    After further research, I think the best course of action will be to create a VLAN for the zone behind the BigIP and then create the corresponding interface in the VLAN and zone. Using these links as my references in case anyone is interested. I'll post what I come up with.
    https://blogs.oracle.com/stw/entry/using_ip_instances_with_vlans
    https://blogs.oracle.com/stw/entry/solaris_zones_and_networking_common
    http://docs.oracle.com/cd/E19253-01/816-4554/816-4554.pdf # AdministeringVirtualLocalAreaNetworks
    http://docs.oracle.com/cd/E19053-01/ldoms.mgr11/820-4913-10/820-4913-10.pdf # Assign VLANs to a Virtual Switch and Virtual Network Device
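
The symptom in this thread follows from `ip-type: shared`: every zone address on the host lives in one IP stack, so a packet addressed to another local zone is delivered inside the host and never reaches the BigIP or any other external inspection point. The following is an added example, not code from the original posters: it parses `ifconfig -a` output taken in the global zone and flags flows whose reply path stays on the host. It assumes the load balancer does not source-NAT, and the addresses 10.10.2.6 and 10.10.1.6 are constructed stand-ins for an apache zone on another server.

```python
import ipaddress
import itertools
import re

# Abridged from the `ifconfig -a` output in the post (global zone of server2ldom1).
IFCONFIG_SAMPLE = """\
vnet0: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
inet 10.10.0.21 netmask ffffff00 broadcast 10.10.0.255
ether 0:14:4f:fb:1a:ff
vnet0:3: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
zone server2ldom1jboss
inet 10.10.0.34 netmask ffffff00 broadcast 10.10.0.255
vnet0:4: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
zone server2ldom1jboss
inet 10.10.0.35 netmask ffffff00 broadcast 10.10.0.255
vnet1: flags=1000842<BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 3
inet 0.0.0.0 netmask 0
vnet1:2: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 3
zone server2ldom1apache
inet 10.10.1.5 netmask fffffc00 broadcast 10.10.47.255
"""

HEADER = re.compile(r"^\s*(\S+):\s+flags=")
ZONE = re.compile(r"^\s*zone\s+(\S+)")
INET = re.compile(r"^\s*inet\s+(\d+\.\d+\.\d+\.\d+)\b")


def parse_ifconfig(text):
    """Map each configured IPv4 address to the zone that owns it.

    A logical interface with no "zone" line belongs to the global zone.
    Loopback and unconfigured (0.0.0.0) addresses are skipped.
    """
    owners = {}
    zone = "global"
    for line in text.splitlines():
        if HEADER.match(line):
            zone = "global"  # reset until a "zone" line says otherwise
            continue
        m = ZONE.match(line)
        if m:
            zone = m.group(1)
            continue
        m = INET.match(line)
        if m:
            addr = ipaddress.ip_address(m.group(1))
            if not (addr.is_loopback or addr.is_unspecified):
                owners[str(addr)] = zone
    return owners


def check_flow(owners, client, vip, real_server):
    """Classify one load-balanced flow: client -> vip (NAT) -> real_server.

    The request leaves the host when the VIP is not a local address.
    The reply is addressed to the client; if client and real server are
    both local to this shared IP stack, the reply is delivered on-host
    and the load balancer never sees it (an asymmetric path).
    """
    request_via_lb = vip not in owners
    reply_bypasses_lb = (
        client in owners
        and real_server in owners
        and owners[client] != owners[real_server]
    )
    return {
        "client_zone": owners.get(client),
        "server_zone": owners.get(real_server),
        "request_via_lb": request_via_lb,
        "reply_bypasses_lb": reply_bypasses_lb,
        "asymmetric": request_via_lb and reply_bypasses_lb,
    }


def cross_zone_pairs(owners):
    """List zone pairs that share this IP stack and can reach each other on-host."""
    zones = sorted(set(owners.values()))
    return list(itertools.combinations(zones, 2))


if __name__ == "__main__":
    owners = parse_ifconfig(IFCONFIG_SAMPLE)
    # Flow from the post: jboss zone -> webserver2 (10.10.2.5) -> 10.10.1.5
    print(check_flow(owners, "10.10.0.34", "10.10.2.5", "10.10.1.5"))
    # Constructed flow to an apache zone hosted on a different server
    print(check_flow(owners, "10.10.0.34", "10.10.2.6", "10.10.1.6"))
    for pair in cross_zone_pairs(owners):
        print("on-host path possible between:", pair)
```

Any zone pair reported by `cross_zone_pairs` is a path an external firewall or load balancer cannot observe while the zones share one IP stack.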

  • Site not accessible from the Load balanced web front end server - sharepoint 2010

    I have a production environment with 2 WFE's(sp-wfe1 & sp-wfe2), 2 APP's and 2 SQL clustered VM's.
    2 WFE's are load balanced using hardware load balancer.
    An A-Record(PORTAL) is created in DNS for the virtual IP of the load balancer which points to the 2 WFE's.
    A web application is created on the WFE's on port 80.
    alternative access mapping is configured and the load balanced record "http://PORTAL" is used under the default zone.
    Under IIS I have edited the bindings for the sharepoint site at port 80 and added the HOSTNAME as PORTAL.
    Result: The site is accessible from outside the server and works fine.
    ISSUE: The site is not accessible within the WFE's(sp-wfe1 & sp-wfe2).
    When I browse the site from the WFE's server it asks for the credentials, and when I enter the credentials and click OK it asks for the credentials again and again and in the end displays a blank page.
    Kindly help me in this issue because I am clueless and couldn't find anything helpful on the internet. 
    Regards,
    Mudassar
    MADDY-DEV Forum answers from Microsoft Forum

    Loop back check.
    http://www.harbar.net/archive/2009/07/02/disableloopbackcheck-amp-sharepoint-what-every-admin-and-developer-should-know.aspx

  • Site not found using Sharepoint Designer 2013, Load balance URL and the Front end servers.

    Dears,
    My SharePoint farm is with the below configuration in our office :
    Batch processing server with the Central Administration
    Web Front End Server 1 (http://wfe01)
    Web Front End Server 2 (http://wfe02)
    I do have the load balance URL as http://finance.mycompany.com and as per the system administrator it seems configured properly.
    In AAM I have mapped the URLs as below for the web application in Central Administration portal:
    http://finance.mycompany.com - Default Zone
    http://wfe01 - Intranet Zone
    http://wfe02 - Internet Zone
    I was able to browse the site via the load balance URL : http://finance.mycompany.com, but couldn't open the site using the Share Point Designer 2013. It always says the site not found.
    please advise,
    thanks,
    Ammar

    What do the wfe01 and wfe02 aams do?
    Are you browsing to the SharePoint site and using SPD on the same computer, is it part of the farm or a separate client computer?
    Thanks a lot, Alex, for your response; I appreciate it.
    WFE01, WFE01 is connected to the one central admin on Batch Processing Server (central admin URL is http://SharepointCA:5555 and the SharePoint Web Application is hosted under port 80 on the same server). So the AAM is configured on the batch processing server central admin.
    I can connect to the site using the SPD inside the Batch Processing server if I mention the site URL as http://localhost. But not from other client computers by putting the load balance URL - http://finance.mycompany.com.
    I can browse the sites directly putting http://wfe01, http://wfe02 and as well as the load balance URL (http://finance.mycompany.com). The custom webparts are getting crashed when I put the web application URL as http://finance.mycompany.com.
    thanks,
    Ammar

  • Load balancing host named site collection

    I am jumping into the realm of host named site collections. While the learning experience has been good, there are still some questions unanswered. Please be patient, since my questions are long.
    - I have a non host header site on port 80 that has an https certificate added to IIS for supporting the app store in https mode.
    - I tried to create the host named site collection using https in this default port 80 non host header web application and was greeted with an error. Then I extended the web app to a different zone with port 443. Then I created the host header site collection with https with the web application name for the extended 443 one. Creation went in fine.
    - I tried to use IPs on the now extended IIS site and bind certificates on that one. The site does not load. I do the same again in the default zone IIS site, bind IPs on that one and the site loads. Now the question is, even though the host header site collection was created using the extended web application URL, why did the binding have to be done on the default zone IIS site?
    - Second test, I changed the authentication mode for the extended one, no effect on the host named site collection, but as soon as I changed it in the default zone it reflected in the host named site collection. I am confused why it needs the extended zone URL to create the https site but every change done in the default zone is getting reflected on this host named site collection.
    Now for load balancing, it works fine with IP? But how to load balance these host named site collections using URL? I talked with the F5 team and they said I need to send some reply query string from each site. Where do I do that? Or is it even needed?
    According to this link: https://devcentral.f5.com/articles/name-based-virtual-hosting-with-ltm
    If the site hosts an application, though, the monitor should request a dynamic page on each webserver which forces a transaction with the application to verify its health and returns a specific phrase upon success.
    For application monitoring, the recommended best practice is to create such a script specific to your application, configure the monitor Send string to call that script, and set the Receive string to match that phrase.
    Has anyone done this before? I tried to search for resources regarding this for IIS or SharePoint but was not able to get anything.
    Thank you for your patience for reading such a long question. 
    Adit

    first part of question:
    Default Web Application in port 80: Creating https host named site collection fails.
    Extend default web application on port 443: Https host named site collection created when web application name is passed for extended web application on port 443. This means this site collection is associated with this extended web application, correct? But all the changes made in IIS only reflect if they are made to the port 80 web application. Also, changing the authentication scheme from Central Admin, only changes on the default zone reflect on the site collection, not the ones in the extended web application? Why, if the site was only created on the extended web application parameter, are changes on default reflecting on it but not from extended?
    Second part of question:
    Each host named site collection when load balanced through F5 using IP for 3 WFEs uses 3 IPs for each. This way we will run out of IPs pretty soon. I want to know if there is a way to load balance these sites using hostname or any other parameter through F5 and if anybody has done it?
    The https://devcentral.f5.com/articles/name-based-virtual-hosting-with-ltm link talks about sending a reply string from the application but I do not know where to set it up or how to do it. No resources on the net. Just asking if anyone else has done it.
    Adit

  • Reverse Proxy and Load Balancer for SMP 2.3 and Agentry Application

    Hi Expert,
    I'm putting in place a mobile solution composed by SMP 2.3 SPS 4 and SAP ECC 6.0. In the SMP 2.3 I created the agentry server and I have deployed my agentry application.
    My SMP/Agentry infrastructure is composed of two servers, therefore I need a load balancer to balance the load across the servers. Furthermore I need to use a reverse proxy in my DMZ zone.
    Based on what is indicated in the SAP note "1904213 - SAP Mobile Platform Server Release Information", the Apache Reverse Proxy is not supported for Agentry clients. Agentry uses nginx for Reverse Proxy.
    I also found the following document, How-to-Guide for Reverse Proxy and Load Balancing in SAP Mobile Platform 3.x, that explains how to set up a reverse proxy and load balancer with nginx and apache.
    Both the SAP note and the how-to document refer to SMP 3.0 and not to SMP 2.3.
    I would like to know if NGINX must also be used for SMP 2.3.
    Any suggestion/information is appreciated.
    Thanks in advance
    g.

    Please see Agentry Network Landscapes

  • Any concern on persistent search through a load balancer?

    We have Access Manager 7 installed, which makes use of persistent search. My understanding is that persistent search is required to maintain a connection so that the server can refresh/update the client whenever an entry in the result set changes. If we configure the system to connect to LDAP through a load balancer, will that cause any problem? What will happen if the load balancer refreshes the connection after a period of time? Or, if the original LDAP server failed and the load balancer tries to load balance the client to another LDAP server, will the persistent search still work?
    Also, if the ldap server that the persistent search initially established connection with crashed, will the client get error message and in that case, is it the client's responsibility to re-run/retry the persistent search with other failover ldap server?
    Thanks,

    Your best bet, even when using a hardware load balancer, is to front your DS instances with a pair of load-balanced Directory Proxy Servers. This way, you have physical redundancy at the load balancer level, and intelligent LDAP-aware load balancing at the proxy server level. DPS 6 is very nice in that you can split binds, searches, and updates amongst several backend DS instances, and the connection state is maintained by the proxy, not the DS instance (i.e. if an instance fails, you really shouldn't be forced to rebind, the proxy fails-over to another DS for searching).
    We have our Directory Servers on a pair of Solaris 10 systems, each with a zone for a replicated Master DS, and another zone each for a DPS instance. The DPS instances are configured to round-robin binds/searches/updates/etc. among the DS master zones. This works out very well for us.

  • Https through load balancer breaks declarative security

    Hello,
    My desired setup is for a Jboss cluster serving requests behind a load balancer. Also I intend to use declarative security on the deployed units and have ssl client side authentication.
    I need someone to please confirm/deny the following statements:
    1) ssl has to be negotiated by the load balancer, whether hardware or software based (apache with mod_proxy/mod_jk).
    2) if using apache with mod_jk it is possible to configure it to send the client side authentication details (certificate) in such a way that jboss may enforce declarative authorization as if it had done the authentication itself. This also means that the programmatic means to get the authenticated user identity described in the ejb and servlet specs will still work.
    3) there is no hardware load balancer that supports the behavior described in 2), which means that with a hardware load balancer it is impossible to use declarative authorization enforcement.
    After a whole lot of testing and digging up info, I'm quite desperate to solve this question, so if someone could help me I would be most thankful.
    Nuno


  • Internet Based Clients via F5 Big-IP load balancer

    Hi Guys,
    Please help with below question....
    We have the requirement to support internet based clients...we have a proper MS PKI infra in-place. The SCCM design is like this: Primary Server is on corporate LAN and I have attached a site system server which is in DMZ network (Say ABC Zone). Now as per my knowledge DMZ SCCM Site System server should be accessible to clients over internet connection and to make this happen, FQDN of site systems that support Internet-based client management must be registered as host entries on public DNS servers.
    Now the twist is... as per our company policy we cannot make that SCCM Site system server directly available on internet... Network team is saying there is another DMZ zone (Say PQR Zone) where they have F5 Big-IP load balancer which are internet facing (HTTPS). Now they are saying that our SCCM clients should hit those devices and then internally re-direct to our SCCM site system server kept in ABC Zone.
    VeriSign certificates will be used to encrypt in-coming network traffic to the F5 Big-IP Load Balancers configured as ADFS reverse proxy servers residing in the PQR Zone.
    Is this scenario supported? Please let me know what alternates we can have to avoid our SCCM server not directly facing to internet.
    Thanks,
    Sam 

    Hi Jason,
    Thanks for your quick and prompt reply as always. My answers in BOLD...
    First a question, you said "we have a proper MS PKI infra in-place". Does this mean you have a CDP exposed to the Internet or is an OCSP responder Internet accessible? If not, you will have issues although this can be overcome by disabling CRL checking on the clients, that does lower your security posture. With "Proper PKI infra" I meant... they have it available already and supporting SCCM 2007 environment with it...but not supporting internet based clients in SCCM 2007. They implemented PKI there just for better security. At present PKI CRL server is on internal network and the assumption is that, machines will also VPN-in the corporate network for CRL and certificate renewal when required...at some point in time.
    To your real question here, is the F5 bridging or can it be set to pass-through? Pass-through is generally easier. Ultimately though, ConfigMgr doesn't care as long as the traffic gets to the site system hosting the roles. The main difference will be with the certificates used by each component. With bridging, the F5 will terminate the SSL traffic and then initiate a new SSL stream to the site system.
    This is all pretty transparent to ConfigMgr and the client as long as the certs used are configured with the proper SANs and the F5 properly passes the traffic along.
    I don't think Network team would allow 'pass-through' and would go for 'bridging' option. Can you please let me know the steps I need to follow to configure bridging in-between F5 Balancers and SCCM site system server...bottom line is...our SCCM clients should be able to communicate to our site server to get the MP, SUP and DP service. I'm not clear with the statement I underlined in above para.
    Is using a third-party product like an F5 supported by Microsoft. No not explicitly. They rarely support anyone else's technology. Is the scenario in general supported? Yes, however Microsoft only provides guidance for doing so in conjunction with TMG/ISA.
    If you search the web for "internet based client management bridge" you'll get lots of hits. Most (if not all) will be for ConfigMgr 2007 but they are still applicable.
    Not able to find much fruitful data... Can you please provide me with good links which would help me clear this technically.
    Now, if your F5 is set to pass-through, then there's not much extra to do at all assuming the traffic is routed properly
    THANKS AGAIN for your help in this regard.
    Sam

  • Load balancing outgoing mail with 3 outgoing servers

    We are trying to balance our mail out with 3 separate mail servers from our incoming server. Our organization sends a lot of mail and we wanted to balance it with 3 outgoing SMTP servers. We have them all working, in the zone for the primary DNS and incoming mail server. And we can get mail to go out on the three servers, BUT, and this is a problem, if the mail includes any messages to the network (hence the incoming server) then the SMTP servers complain they cannot find it and give an error message about not being able to connect to deliver any local mails out of the bulk mail we send. Any ideas how to get the SMTP to see the incoming mail server (which is the DNS server for network) and deliver mail to accounts on the network? Maybe we are doing something that OS X SNL server cannot do? Any ideas?
    I will post the error message later but I need to leave for meeting for now.
    Thanks
    Russ

    Here is error message we get:
    Mar 17 21:34:45 mailout1 postfix/smtp[32307]: connect to mail.vineyardil.net [173.161.44.97]:25 Operation timed out
    Mar 17 21:34:45 mailout1 postfix/smtp[32307]: DE90A1AF591: to =<[email protected]>, relay=none, delay=23732, delays=23701/0.01/30/0, dsn4.4.1, status=deferred (connect to mail.vineyardil.net [173.161.44.97]:25 Operation timed out)
    To explain mailout1 is the first one in priority of outgoing separate SMTP servers we set up in the zone of mail.vineyardil.net which is the DNS server. They send out ok all outgoing mail to other addresses as we wanted them (rather than having mail.vineyardil.net do it) but when we send to an address with vineyardil.net on it then we get this same message.
    It seems like mailout1 cannot send to the incoming server. Note the ip address it gives is the ip of the cable modem on this network not the ip address locally in the net we have.
    Our MX records all look good and things work with mail if we use it both as incoming and outgoing (SMTP) but when we use the secondary servers for outgoing they seem to not be able to send to this server. Is there something we should look for?
    Is SL server not capable of what we are trying? Any feedback would be most appreciated. We would like to really use this setup as I explained to do load balancing of mail as part of our attempt on this new network to get our bulk mailing split up between the 3 outgoing servers so we will not be labeled spam by the security systems out there these days like it was on our old network.
    Thanks for your time.
    Russ Jacobson

  • Load balancing between application server and database

    Hi,
    is there any load balancing between the application server and the database? Consider we have a single instance of an application server that sends database queries from different clients to the database. Are the requests queued in some way at the application server, allowing to control the flow of the queries (e.g. queries from "more important" clients might be sent with a higher priority)?
    Thanks for your help!

    Hi Victor/Jim/Volker,
    Thanks a lot for all the responses..
    Just wanted to let you guys know that my installation finished successfully.
    The thing which confused me was that my Qtime, Qdate and everything else was showing correct values..
    Well, my problem I set the environmental variable PASE_TZ to the EST time zone on a SYS level using WRKENVVAR>F4>SYS and added the variable. I logged off and the sidofr logged off, but one user which should have logged off and didn't was the "SAPINST"(my installation user) which was logged in the subsystem TMKSVR00.
    Even when I had closed the SAPINST installation program, the user doesn't log off...it just sits there until and unless u shut him out of the system using the option 4 on wrkactjob for ending the JOB(SAPINST logged in the system below the TMKSVR00 subsystem)
    So since the SAPINST user never logged off, his environmental variables were not initialized properly, even after the changes...
    This thought came to me almost after a 6 hours of wasting my time searching for notes here and there...
    I think when u end/stop the install in SAPINST, the SAPINST user should log off the AS400 system, but I have noticed, it never does...although when u restart the installation, if u have noticed it shows you the log on for the SAPINST user in the TMKSVR screen...
    Its kind of buggy, I would say...
    I have noticed, that even when I log on to AS400 from home or from a remote PC using Emulator, it shows me logged in the subsystem and even after I have logged off, it still shows me there...
    Anyway, thanks a lot guys...for all your responses..
    Just wanted to let you know all.
    Thanks
    Abhi

  • Round robin DNS for load balancing between multiple network adapters (Xserve)

    I'm attempting to use 'round robin' DNS to load balance between the two ethernet adapters of an Xserve.
    Both ethernet adapters are connected to the same LAN and have static IP addresses of 192.168.2.250 and 192.168.2.251.
    The DNS zone for the server's local domain/host (macserver.private) has a machine record with both IP addresses (set up in the Lion Server UI).
    Having read up on round robin DNS, I would have expected DNS requests for 'macserver.private' to be answered with the two IP addresses ordered at random, achieving my aim of requests being served at random via each ethernet adapter.
    However this doesn't seem to be the case. Doing a 'nslookup' from any of the network clients results in the two IP addresses being listed in the same order every time. And pinging 'macserver.private' only ever results in a response from the same address.
    Does anyone know why this is the case? Does Lion Server use a non-standard DNS configuration? Are there any additional settings I need to configure in Lion's DNS server to make it adopt a round robin approach to responding to requests?
    Thanks in advance for any help!

    Be careful what you wish for
    Round Robin DNS is rarely the best option for 'load balancing'. At the very least it's subject to caching at various points on the network - even at the client side, once the client looks up the address it will cache that response - this means that subsequent lookups may be served from the client's cache and not refer back to the server. Therefore any given client will always see the same address until the cache expires.
    I suspect this is what you're seeing.
    You can minimize this by setting a lower TTL on the records. This should result in the response being cached for a shorter period, meaning the client will make more requests to the server, with a higher chance of using the 'other' address.
    However, you're also going to run into issues with the server having two interfaces/addresses in the same LAN. This isn't recommended.
    As Jonathon mentioned, you may be better off just bonding the two interfaces. This will provide an automatic level of dynamic load balancing without the latency of DNS caches, as well as automatic failover should one link fail (as opposed to round robin DNS which will cause 50% of requests to fail until the client cache expires and a new lookup is performed (and, even then, there's still a chance the client will try to use the failed link)).
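The caching and failover behaviour described in the reply above, as an added simulation that is not part of the original thread. It assumes a server that rotates the record order on every query, clients that cache the answer for the full TTL and only ever use the first address returned, and one request per client per second; the class and function names are hypothetical.

```python
from collections import Counter, namedtuple

# The two interface addresses from the question above.
ADDRS = ["192.168.2.250", "192.168.2.251"]

Result = namedtuple("Result", "hits failures dns_queries")


class RoundRobinServer:
    """Authoritative server that rotates the A record order on each query."""

    def __init__(self, addrs):
        self.addrs = list(addrs)
        self.queries = 0

    def resolve(self):
        k = self.queries % len(self.addrs)
        self.queries += 1
        return self.addrs[k:] + self.addrs[:k]


class CachingClient:
    """Client resolver: caches the answer for ttl seconds, uses the first address."""

    def __init__(self, server, ttl):
        self.server = server
        self.ttl = ttl
        self.cached = None
        self.expires = 0

    def target(self, now):
        if self.cached is None or now >= self.expires:
            self.cached = self.server.resolve()
            self.expires = now + self.ttl
        return self.cached[0]


def simulate(n_clients, ttl, duration, down_addr=None):
    """Run `duration` seconds with one request per client per second.

    down_addr, if given, is an address that is unreachable for the whole run.
    The DNS server has no health checks, so it keeps handing that address out.
    """
    server = RoundRobinServer(ADDRS)
    clients = [CachingClient(server, ttl) for _ in range(n_clients)]
    hits, failures = Counter(), 0
    for now in range(duration):
        for client in clients:
            addr = client.target(now)
            if addr == down_addr:
                failures += 1
            else:
                hits[addr] += 1
    return Result(hits, failures, server.queries)


if __name__ == "__main__":
    # Long TTL, one client: every request lands on the same interface.
    print("ttl=3600:", simulate(1, 3600, 60))
    # TTL of one second: traffic alternates, at the cost of a lookup per request.
    print("ttl=1:   ", simulate(1, 1, 60))
    # One link down: half the clients fail, and re-resolving does not fix it.
    print("link down:", simulate(10, 300, 600, down_addr=ADDRS[1]))
```

In the third run the caches expire halfway through, yet the failure rate stays at 50% because the rotation keeps returning the dead address to half of the clients.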

  • IOS gatekeeper Load Balancing?

    To the experts
    I have 3662 running IOS 12.3T with GK enabled.
    I wonder if I can load balance outgoing calls via different 02 GKs? (weighted or fair balanced 1-1)
    Call1: MyGK (local zone) --> GK1 (remote zone1)
    Call2: MyGK (local zone) --> GK2 (remote zone1, same zone)
    Call3: MyGk (local zone)--> GK1 (remote zone1)
    ... so on ...
    I think sequential and blast does not help here. Also, GK1 and GK2 is not Cisco Based (3rd party GK)
    Question: Is there any way for this scenario? DNS round-robin will help if I declare only one remote zone with DNS and I configure my BIND DNS Server to return multiple IP address to MyGk for load balancing?
    Brgds
    Thai Duy Hoa

    The Cisco High-Performance Gatekeeper feature introduces new gatekeeper functionality and modifications for facilitating carrier class reliability, security, and performance into Cisco's Voice Network solution portfolio. These H.323 standard-based features have carrier grade reliability and performance characteristics with a robust open application protocol interface to enable development of enhanced applications like voice VPNs and wholesale voice solutions.
    The new gatekeeper is characterized by the following:
    - Increased support for back end applications.
    - Increased performance on a single gatekeeper.
    - Alternate gatekeeper support to the gatekeeper. Each alternate gatekeeper, or GK node, shares its local zone information so that the cluster can effectively manage all local zones within the cluster. Each alternate gatekeeper has a unique local zone. Clusters provide a mechanism for distributing call processing seamlessly across a converged IP network infrastructure to support IP telephony, facilitate redundancy, and provide feature transparency and scalability.

  • Cisco 1921 Dual ADSL Load Balancing/Failover?

    Hello,
    We have purchased a Cisco 1921 with twin ADSL after advice from a Cisco sales rep. However I am having trouble working out the load balancing/fail over config for the device.
    I would like traffic to balance over both ADSL lines and if one goes down not to interrupt connectivity.
    I had a look at ppp multilink but I am unsure our ISP (BT) support this?
    This is my current config which I think only one ADSL line is being used. Some input would be appreciated
    Robbie
    ! Last configuration change at 13:18:34 UTC Tue Mar 29 2011
    version 15.0
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    hostname xxxxxx
    boot-start-marker
    boot-end-marker
    no logging buffered
    enable secret 5 xxxxx
    enable password xxxx
    no aaa new-model
    no ipv6 cef
    ip source-route
    ip cef
    ip name-server 194.74.65.68
    ip name-server 194.72.0.114
    multilink bundle-name authenticated
    crypto pki trustpoint TP-self-signed-xxxxxx
    enrollment selfsigned
    subject-name cn=IOS-Self-Signed-Certificate-xxxxx0
    revocation-check none
    rsakeypair TP-self-signed-xxxxx!
    crypto pki certificate chain TP-self-signed-xxxxxx
    certificate self-signed 02 nvram:IOS-Self-Sig#4.cer
    license udi pid CISCO1921/K9 xxxxx
    username admin privilege 15 secret 5 xxxxxxxxxx/
    interface GigabitEthernet0/0
    description lan$ETH-LAN$
    ip address 10.0.8.1 255.255.248.0
    ip nat inside
    ip virtual-reassembly
    duplex auto
    speed auto
    interface GigabitEthernet0/1
    no ip address
    shutdown
    duplex auto
    speed auto
    interface ATM0/0/0
    no ip address
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip flow ingress
    no atm ilmi-keepalive
    dsl operating-mode adsl2
    interface ATM0/0/0.1 point-to-point
    description $ES_WAN$$FW_OUTSIDE$
    ip flow ingress
    pvc 0/38
      encapsulation aal5mux ppp dialer
      dialer pool-member 1
    interface ATM0/1/0
    no ip address
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip flow ingress
    no atm ilmi-keepalive
    dsl operating-mode adsl2
    interface ATM0/1/0.1 point-to-point
    description $ES_WAN$$FW_OUTSIDE$
    ip flow ingress
    pvc 0/38
      encapsulation aal5mux ppp dialer
      dialer pool-member 1
    interface Dialer0
    mtu 1483
    ip address negotiated
    ip access-group spalding in
    ip access-group spalding out
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip flow ingress
    ip nat outside
    ip virtual-reassembly
    encapsulation ppp
    dialer pool 1
    dialer-group 1
    ppp authentication chap callin
    ppp chap hostname xxxxx
    ppp chap password 0 xxxxx
    ppp multilink
    ppp multilink links minimum 2
    ppp multilink fragment disable
    ppp timeout multilink link add 2
    no cdp enable
    interface Dialer1
    mtu 1483
    ip address negotiated
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip flow ingress
    ip nat outside
    ip virtual-reassembly
    encapsulation ppp
    dialer pool 1
    dialer-group 1
    ppp authentication chap callin
    ppp chap hostname xxxxx
    ppp chap password 0 xxxxx
    ppp link reorders
    ppp multilink
    ppp multilink links minimum 2
    ppp multilink fragment disable
    ppp timeout multilink link add 2
    no cdp enable
    ip forward-protocol nd
    no ip http server
    ip http authentication local
    ip http secure-server
    ip http timeout-policy idle 60 life 86400 requests 10000
    ip nat inside source list 1 interface Dialer0 overload
    ip nat inside source static tcp 10.0.15.201 3389 interface Dialer0 3389
    ip nat outside source static tcp 195.194.75.218 3389 10.0.15.200 3389 extendable
    ip route 0.0.0.0 0.0.0.0 Dialer0
    access-list 1 remark INSIDE_IF=GigabitEthernet0/0
    access-list 1 permit 10.0.0.0 0.254.255.255
    dialer-list 1 protocol ip permit
    control-plane
    line con 0
    line aux 0
    line vty 0 4
    privilege level 15
    login local
    transport input telnet ssh
    line vty 5 15
    privilege level 15
    login local
    transport input telnet ssh
    scheduler allocate 20000 1000
    end

    Hi,
    Can anyone help me with this config?  not very reliable.
    Building configuration...
    Current configuration : 17349 bytes
    ! Last configuration change at 06:08:06 UTC Sun Apr 5 2015 by Shawn
    version 15.4
    no service pad
    service tcp-keepalives-in
    service tcp-keepalives-out
    service timestamps debug datetime msec localtime show-timezone
    service timestamps log datetime msec localtime show-timezone
    service password-encryption
    service sequence-numbers
    hostname Router
    boot-start-marker
    boot system flash0:c2900-universalk9-mz.SPA.154-3.M2.bin
    boot-end-marker
    security authentication failure rate 3 log
    security passwords min-length 6
    logging buffered 51200
    logging console critical
    enable secret 5 $1$sNeA$GB6.SMrcsxPf51tK2Eo9Z.
    aaa new-model
    aaa authentication login local_authen local
    aaa authorization exec local_author local
    aaa session-id common
    no ip source-route
    ip port-map user-protocol--8 port udp 3392
    ip port-map user-protocol--9 port tcp 3397
    ip port-map user-protocol--2 port udp 3391
    ip port-map user-protocol--3 port tcp 14000
    ip port-map user-protocol--1 port tcp 3391
    ip port-map user-protocol--6 port udp 3394
    ip port-map user-protocol--7 port tcp 3392
    ip port-map user-protocol--4 port udp 14100
    ip port-map user-protocol--5 port tcp 3394
    ip port-map user-protocol--10 port udp 3397
    ip dhcp excluded-address 192.168.1.1 192.168.1.49
    ip dhcp excluded-address 192.168.10.1 192.168.10.49
    ip dhcp pool DHCP_POOL1
     import all
     network 192.168.1.0 255.255.255.0
     dns-server 139.130.4.4 203.50.2.71
     default-router 192.168.1.1
     lease infinite
    ip dhcp pool ccp-pool1
     import all
     network 192.168.10.0 255.255.255.0
     dns-server 139.130.4.4 203.50.2.71
     default-router 192.168.10.1
     lease infinite
    no ip bootp server
    ip host SHAWN-PC 192.168.1.10
    ip host DIAG 192.168.1.5
    ip host MSERV 192.168.1.13
    ip name-server 139.130.4.4
    ip name-server 203.50.2.71
    ip cef
    ip cef load-sharing algorithm include-ports source destination
    no ipv6 cef
    multilink bundle-name authenticated
    cts logging verbose
    crypto pki trustpoint TP-self-signed-1982477479
     enrollment selfsigned
     subject-name cn=IOS-Self-Signed-Certificate-1982477479
     revocation-check none
     rsakeypair TP-self-signed-1982477479
    license udi pid 
    license boot module c2900 technology-package securityk9
    license boot module c2900 technology-package datak9
    redundancy
    controller VDSL 0/0/0
     operating mode adsl2+
    controller VDSL 0/1/0
     operating mode adsl2+
    no cdp run
    track timer interface 5
    track 1 interface Dialer0 ip routing
     delay down 15 up 10
    track 2 interface Dialer1 ip routing
     delay down 15 up 10
    ip tcp synwait-time 10
    ip ssh time-out 60
    ip ssh authentication-retries 2
    class-map type inspect match-all sdm-nat-user-protocol--7-1
     match access-group 104
     match protocol user-protocol--7
     match access-group 102
    class-map type inspect match-all sdm-nat-user-protocol--4-2
     match access-group 101
     match protocol user-protocol--4
    class-map type inspect match-all sdm-nat-user-protocol--6-1
     match access-group 103
     match protocol user-protocol--6
    class-map type inspect match-all sdm-nat-user-protocol--5-1
     match access-group 103
     match protocol user-protocol--5
    class-map type inspect match-all sdm-nat-user-protocol--4-1
     match access-group 102
     match protocol user-protocol--4
    class-map type inspect match-all sdm-nat-user-protocol--7-2
     match access-group 101
     match protocol user-protocol--7
    class-map type inspect match-all sdm-nat-user-protocol--3-1
     match access-group 102
     match protocol user-protocol--3
    class-map type inspect match-all sdm-nat-user-protocol--2-1
     match access-group 101
     match protocol user-protocol--2
    class-map type inspect match-all sdm-nat-user-protocol--1-2
     match access-group 102
     match protocol user-protocol--1
    class-map type inspect match-all sdm-nat-user-protocol--1-1
     match access-group 101
     match protocol user-protocol--1
    class-map type inspect match-all sdm-nat-user-protocol--2-2
     match access-group 102
     match protocol user-protocol--2
    class-map type inspect match-all sdm-nat-user-protocol--3-2
     match access-group 101
     match protocol user-protocol--3
    class-map type inspect match-all sdm-nat-user-protocol--8-2
     match access-group 101
     match protocol user-protocol--8
    class-map type inspect match-all sdm-nat-user-protocol--9-2
     match access-group 104
     match protocol user-protocol--9
    class-map type inspect match-any ccp-skinny-inspect
     match protocol skinny
    class-map type inspect match-all sdm-nat-user-protocol--9-1
     match access-group 101
     match protocol user-protocol--9
     match access-group 104
    class-map type inspect match-all sdm-nat-user-protocol--8-1
     match access-group 104
     match protocol user-protocol--8
     match access-group 102
    class-map type inspect match-any ccp-h323nxg-inspect
     match protocol h323-nxg
    class-map type inspect match-any ccp-cls-icmp-access
     match protocol icmp
     match protocol tcp
     match protocol udp
    class-map type inspect match-all sdm-nat-user-protocol--10-2
     match access-group 104
     match protocol user-protocol--10
    class-map type inspect match-all sdm-nat-user-protocol--10-1
     match access-group 101
     match protocol user-protocol--10
     match access-group 104
    class-map type inspect match-any ccp-h225ras-inspect
     match protocol h225ras
    class-map type inspect match-any ccp-h323annexe-inspect
     match protocol h323-annexe
    class-map type inspect match-any ccp-cls-insp-traffic
     match protocol pptp
     match protocol dns
     match protocol ftp
     match protocol https
     match protocol icmp
     match protocol imap
     match protocol pop3
     match protocol netshow
     match protocol shell
     match protocol realmedia
     match protocol rtsp
     match protocol smtp
     match protocol sql-net
     match protocol streamworks
     match protocol tftp
     match protocol vdolive
     match protocol tcp
     match protocol udp
    class-map type inspect match-all SDM_GRE
     match access-group name SDM_GRE
    class-map type inspect match-any ccp-h323-inspect
     match protocol h323
    class-map type inspect match-all ccp-invalid-src
     match access-group 100
    class-map type inspect match-any ccp-sip-inspect
     match protocol sip
    class-map type inspect match-all ccp-protocol-http
     match protocol http
    class-map type inspect match-any CCP_PPTP
     match class-map SDM_GRE
    class-map type inspect match-all ccp-insp-traffic
     match class-map ccp-cls-insp-traffic
    class-map type inspect match-all ccp-icmp-access
     match class-map ccp-cls-icmp-access
    policy-map type inspect ccp-inspect
     class type inspect ccp-invalid-src
      drop log
     class type inspect ccp-protocol-http
      inspect
     class type inspect ccp-insp-traffic
      inspect
     class type inspect ccp-sip-inspect
      inspect
     class type inspect ccp-h323-inspect
      inspect
     class type inspect ccp-h323annexe-inspect
      inspect
     class type inspect ccp-h225ras-inspect
      inspect
     class type inspect ccp-h323nxg-inspect
      inspect
     class type inspect ccp-skinny-inspect
      inspect
     class class-default
      drop
    policy-map type inspect sdm-pol-NATOutsideToInside-1
     class type inspect sdm-nat-user-protocol--1-1
      inspect
     class type inspect sdm-nat-user-protocol--2-1
      inspect
     class type inspect sdm-nat-user-protocol--3-1
      inspect
     class type inspect sdm-nat-user-protocol--4-1
      inspect
     class type inspect sdm-nat-user-protocol--5-1
      inspect
     class type inspect sdm-nat-user-protocol--6-1
      inspect
     class type inspect sdm-nat-user-protocol--7-1
      inspect
     class type inspect sdm-nat-user-protocol--8-1
      inspect
     class type inspect sdm-nat-user-protocol--9-1
      inspect
     class type inspect sdm-nat-user-protocol--10-1
      inspect
     class type inspect CCP_PPTP
      pass
     class type inspect sdm-nat-user-protocol--7-2
      inspect
     class type inspect sdm-nat-user-protocol--8-2
      inspect
     class type inspect sdm-nat-user-protocol--1-2
      inspect
     class type inspect sdm-nat-user-protocol--2-2
      inspect
     class type inspect sdm-nat-user-protocol--9-2
      inspect
     class type inspect sdm-nat-user-protocol--10-2
      inspect
     class type inspect sdm-nat-user-protocol--3-2
      inspect
     class type inspect sdm-nat-user-protocol--4-2
      inspect
     class class-default
      drop log
    policy-map type inspect ccp-permit
     class class-default
      drop
    policy-map type inspect ccp-permit-icmpreply
     class type inspect ccp-icmp-access
      inspect
     class class-default
      pass
    zone security in-zone
    zone security out-zone
    zone-pair security ccp-zp-self-out source self destination out-zone
     service-policy type inspect ccp-permit-icmpreply
    zone-pair security ccp-zp-in-out source in-zone destination out-zone
     service-policy type inspect ccp-inspect
    zone-pair security ccp-zp-out-self source out-zone destination self
     service-policy type inspect ccp-permit
    zone-pair security sdm-zp-NATOutsideToInside-1 source out-zone destination in-zone
     service-policy type inspect sdm-pol-NATOutsideToInside-1
    interface Null0
     no ip unreachables
    interface Embedded-Service-Engine0/0
     no ip address
     no ip redirects
     no ip unreachables
     no ip proxy-arp
     ip flow ingress
     shutdown
    interface GigabitEthernet0/0
     description $ETH-LAN$
     ip address 192.168.10.1 255.255.255.0
     no ip redirects
     no ip unreachables
     no ip proxy-arp
     ip flow ingress
     duplex auto
     speed auto
     no mop enabled
    interface GigabitEthernet0/1
     no ip address
     no ip redirects
     no ip unreachables
     no ip proxy-arp
     ip flow ingress
     shutdown
     duplex auto
     speed auto
     no mop enabled
    interface ATM0/0/0
     no ip address
     no ip redirects
     no ip unreachables
     no ip proxy-arp
     ip flow ingress
     no atm ilmi-keepalive
    interface ATM0/0/0.1 point-to-point
     no ip redirects
     no ip unreachables
     no ip proxy-arp
     ip flow ingress
     pvc 8/35
      encapsulation aal5mux ppp dialer
      dialer pool-member 1
    interface ATM0/0/0.2 point-to-point
     no ip redirects
     no ip unreachables
     no ip proxy-arp
     ip flow ingress
    interface Ethernet0/0/0
     no ip address
     no ip redirects
     no ip unreachables
     no ip proxy-arp
     ip flow ingress
     shutdown
     no mop enabled
    interface ATM0/1/0
     no ip address
     no ip redirects
     no ip unreachables
     no ip proxy-arp
     ip flow ingress
     no atm ilmi-keepalive
    interface ATM0/1/0.1 point-to-point
     no ip redirects
     no ip unreachables
     no ip proxy-arp
     ip flow ingress
     pvc 8/35
      encapsulation aal5mux ppp dialer
      dialer pool-member 2
    interface Ethernet0/1/0
     no ip address
     no ip redirects
     no ip unreachables
     no ip proxy-arp
     ip flow ingress
     shutdown
     no mop enabled
    interface GigabitEthernet0/3/0
     no ip address
    interface GigabitEthernet0/3/1
     no ip address
    interface GigabitEthernet0/3/2
     no ip address
    interface GigabitEthernet0/3/3
     no ip address
    interface GigabitEthernet0/3/4
     no ip address
    interface GigabitEthernet0/3/5
     no ip address
    interface GigabitEthernet0/3/6
     no ip address
    interface GigabitEthernet0/3/7
     no ip address
    interface Vlan1
     description $FW_INSIDE$
     ip address 192.168.1.1 255.255.255.0
     no ip redirects
     no ip unreachables
     no ip proxy-arp
     ip nbar protocol-discovery
     ip flow ingress
     ip nat inside
     ip virtual-reassembly in
     zone-member security in-zone
    interface Dialer0
     description $FW_OUTSIDE$
     ip address negotiated
     no ip redirects
     no ip unreachables
     no ip proxy-arp
     ip nbar protocol-discovery
     ip flow ingress
     ip nat outside
     ip virtual-reassembly in
     zone-member security out-zone
     encapsulation ppp
     dialer pool 1
     dialer-group 1
     ppp authentication chap pap callin
     ppp chap hostname [email protected]
     ppp chap password 7 1444405858557A
     ppp pap sent-username [email protected] password 7 135645415F5D54
     ppp multilink
    interface Dialer1
     description $FW_OUTSIDE$
     ip address negotiated
     no ip redirects
     no ip unreachables
     no ip proxy-arp
     ip nbar protocol-discovery
     ip flow ingress
     ip nat outside
     ip virtual-reassembly in
     zone-member security out-zone
     encapsulation ppp
     dialer pool 2
     dialer-group 2
     ppp authentication chap pap callin
     ppp chap hostname [email protected]
     ppp chap password 7 01475E540E5D55
     ppp pap sent-username [email protected] password 7 055F5E5F741A1D
     ppp multilink
    router eigrp as#
    router eigrp 10
     network 192.168.1.1 0.0.0.0
    router rip
     version 2
     network 192.168.1.0
     no auto-summary
    ip forward-protocol nd
    ip http server
    ip http access-class 3
    ip http authentication local
    ip http secure-server
    ip http timeout-policy idle 60 life 86400 requests 10000
    ip dns server
    ip nat inside source static tcp 192.168.1.10 3392 interface Dialer1 3392
    ip nat inside source static udp 192.168.1.10 3392 interface Dialer1 3392
    ip nat inside source static tcp 192.168.1.35 3391 interface Dialer0 3391
    ip nat inside source static udp 192.168.1.35 3391 interface Dialer0 3391
    ip nat inside source static tcp 192.168.1.5 3394 interface Dialer0 3394
    ip nat inside source static udp 192.168.1.5 3394 interface Dialer0 3394
    ip nat inside source static tcp 192.168.1.17 3397 interface Dialer0 3397
    ip nat inside source static udp 192.168.1.17 3397 interface Dialer0 3397
    ip nat inside source static tcp 192.168.1.10 14000 interface Dialer0 14000
    ip nat inside source static udp 192.168.1.10 14100 interface Dialer0 14100
    ip nat inside source route-map ADSL0 interface Dialer0 overload
    ip nat inside source route-map ADSL1 interface Dialer1 overload
    ip route 0.0.0.0 0.0.0.0 Dialer0 track 1
    ip route 0.0.0.0 0.0.0.0 Dialer1 track 2
    ip access-list extended NAT
     remark CCP_ACL Category=18
     permit ip 192.0.0.0 0.255.255.255 any
    ip access-list extended SDM_GRE
     remark CCP_ACL Category=1
     permit gre any any
     remark CCP_ACL Category=1
    ip access-list extended STATIC-NAT-SERVICES
     permit ip host 192.168.1.35 any
     permit ip host 192.168.1.5 any
     permit ip host 192.168.1.10 any
     permit ip host 192.168.1.17 any
    dialer-list 1 protocol ip permit
    dialer-list 2 protocol ip permit
    route-map ADSL0 permit 10
     match ip address NAT
     match interface Dialer0
    route-map ADSL1 permit 10
     match ip address NAT
     match interface Dialer1
    access-list 1 remark INSIDE_IF=Vlan1
    access-list 1 remark CCP_ACL Category=2
    access-list 1 permit 192.168.1.0 0.0.0.255
    access-list 2 remark HTTP Access-class list
    access-list 2 remark CCP_ACL Category=1
    access-list 2 permit 192.168.1.0 0.0.0.255
    access-list 2 deny   any
    access-list 2 remark HTTP Access-class list
    access-list 2 remark CCP_ACL Category=1
    access-list 3 remark HTTP Access-class list
    access-list 3 remark CCP_ACL Category=1
    access-list 3 permit 192.168.1.0 0.0.0.255
    access-list 3 deny   any
    access-list 10 remark INSIDE_IF=NAT
    access-list 10 remark CCP_ACL Category=2
    access-list 10 permit 192.168.1.0 0.0.0.255
    access-list 100 remark CCP_ACL Category=128
    access-list 100 permit ip host 255.255.255.255 any
    access-list 100 permit ip 127.0.0.0 0.255.255.255 any
    access-list 100 permit ip 139.130.227.0 0.0.0.255 any
    access-list 100 permit ip 203.45.106.0 0.0.0.255 any
    access-list 101 remark CCP_ACL Category=0
    access-list 101 permit ip any host 192.168.1.10
    access-list 101 remark CCP_ACL Category=0
    access-list 101 permit ip any host 192.168.1.35
    access-list 101 permit tcp any any eq www
    access-list 102 remark CCP_ACL Category=0
    access-list 102 permit ip any host 192.168.1.35
    access-list 102 remark CCP_ACL Category=0
    access-list 102 permit ip any host 192.168.1.10
    access-list 103 remark CCP_ACL Category=0
    access-list 103 permit ip any host 192.168.1.5
    access-list 104 remark CCP_ACL Category=0
    access-list 104 permit ip any host 192.168.1.17
    control-plane
    banner login ^CCE-Rescue Systems^C
    line con 0
     login authentication local_authen
     transport output telnet
    line aux 0
     login authentication local_authen
     transport output telnet
    line 2
     no activation-character
     no exec
     transport preferred none
     transport output lat pad telnet rlogin lapb-ta mop udptn v120 ssh
     stopbits 1
    line vty 0 4
     authorization exec local_author
     login authentication local_authen
     transport input telnet ssh
    line vty 5 15
     authorization exec local_author
     login authentication local_authen
     transport input telnet ssh
    scheduler allocate 20000 1000
    end
    Thanks
    Shawn
