Per Packet load Balancing in Cisco Switches

Hi Team,
Can we enable per-packet load balancing/sharing on Cisco 3560 and 4948 switches? I can see two routes are installed in the routing table for a destination prefix, but traffic to a specific destination is not going across both links. The option I am getting on the command line is ip load-sharing per-destination but not ip load-sharing per-packet.
Please let me know if there is any option to do per-packet load balancing.
I have tried disabling route-cache, CEF etc., with no result.
Rgds
Rama

Hi Ramachandra,
On both these platforms per-packet load balancing is not supported. It is a feature mostly seen in routers.
They can use the following variables for the load-sharing hash (but per-packet is never used):
Source IP
Dest IP
Source TCP port
Dest TCP port
So you can configure flow-based sharing based on the above parameters on both the switches.
The more random variables going into the hash equation, the more likely an even distribution across links.
The src/dst ports in the equation give us this randomization. If the same (static) variables go into the hash, the same link is chosen.
Follow this link for more details:
http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.2/25sg/configuration/guide/cef.html#wp1150531
cheers,
sandeep
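The effect described in the reply above, as an added example that is not part of the original thread: many flows between one host pair all land on a single link when only the IP addresses are hashed, and spread out once the TCP ports are included. SHA-256 stands in for the switch's hardware hash, and the addresses, ports and function names are constructed for illustration.

```python
import hashlib
import ipaddress
import struct
from collections import Counter


def pick_link(n_links, src_ip, dst_ip, src_port=None, dst_port=None):
    """Map a flow onto one of n_links by hashing the selected header fields.

    SHA-256 is only a stand-in for the platform's hardware hash (assumption).
    """
    key = ipaddress.ip_address(src_ip).packed + ipaddress.ip_address(dst_ip).packed
    if src_port is not None and dst_port is not None:
        key += struct.pack("!HH", src_port, dst_port)
    digest = hashlib.sha256(key).digest()
    return int.from_bytes(digest[:4], "big") % n_links


def distribution(flows, n_links, use_ports):
    """Count how many flows land on each link for a given set of hash inputs."""
    counts = Counter()
    for src, dst, sport, dport in flows:
        if use_ports:
            counts[pick_link(n_links, src, dst, sport, dport)] += 1
        else:
            counts[pick_link(n_links, src, dst)] += 1
    return [counts[i] for i in range(n_links)]


# Constructed sample: 1000 TCP flows between ONE host pair; only the source port varies.
FLOWS = [("10.1.1.10", "10.2.2.20", 49152 + i, 443) for i in range(1000)]

if __name__ == "__main__":
    print("IP-only hash:  ", distribution(FLOWS, 2, use_ports=False))
    print("IP + port hash:", distribution(FLOWS, 2, use_ports=True))
```

Every packet of a given flow still takes one link in both cases, so ordering within a flow is preserved.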

Similar Messages

  • CEF and per-packet load balancing

    We have four OC3 links across the Atlantic and I was looking for a solution which would allow load balancing across the four links on a per-packet basis (not session). The objective is both resiliency, i.e. being able to handle link failures transparently, and balancing the load across all the links. BGP multipath looked like the ideal solution. However, I was told that the CEF packet-based load balancing is no longer supported by Cisco. Is this correct? Is it applicable for all models? Are there any other potential solutions?
    Appreciate a response from the experts.

    Hello Rittick,
    an MPLS pseudowire will use only one link of the 4 links based on inner MPLS label, it cannot be spread over multiple parallel links.
    The MPLS pseudowire can travel within an MPLS TE LSP that can be protected by FRR.
    Per-packet load balancing does not apply to your scenario.
    You need to mark traffic of the critical application with an appropriate EXP setting. The EXP bits are copied to the outer (external) label.
    On the OC-3 physical interfaces you will configure a CBWFQ scheduler providing 100 Mbps of bandwidth to traffic with a specific EXP marking. This is elastic, and over unused links bandwidth will be left available to other traffic.
    On the LAN interface you need to mark the EXP bits in received packets using a policy-map:
    ! Classify the critical application's traffic
    access-list 101 permit tcp host x.x.x.x host y.y.y.y
    class-map CLASSIFY-BACKUP
     match access-group 101
    ! Mark EXP on ingress at the LAN interface
    policy-map MARKER
     class CLASSIFY-BACKUP
      set mpls exp 3
     class class-default
      set mpls exp 0
    int gex/y/z
     service-policy in MARKER
    ! Match the marked traffic on the core side
    class-map BACKUP
     match mpls exp 3
    ! CBWFQ scheduler on the OC-3 interfaces
    policy-map SCHED-OC3
     class BACKUP
      bandwidth 100000
     class class-default
      fair-queue
    int posx/y/z
     service-policy out SCHED-OC3
    applied on all pos interfaces.  The MPLS pseudowire will use one link only. Different pseudowires can use different OC-3 links. Load balancing of MPLS traffic is based on internal label (the VC label of the pseudowire)
    Note:
    you should check if it is possible to mark traffic received on the incoming interface of the pseudowire otherwise you need to mark IP precedence nearer to the host.
    Hope to help
    Giuseppe

  • Trying to load Balance several Cisco ISE servers.

    Trying to load balance several Cisco ISE servers. For persistence, Cisco recommends using Calling-Station-ID and Framed-IP-address... Session-ID is recommended if the load balancer is capable of it. I have documentation for the Cisco ACE, but am using F5 LTMs. Assuming this has to be done with an I-Rule as none of these are available as a default. Not sure where to begin. I tried attaching the Cisco PDF, but was not able to for whatever reason.

    Please also keep in mind that when using a Load-Balancer (anyone's) you must ensure a few things.
    Each PSN must be reachable by the PAN / MNT directly, without having to go through NAT (Routed mode LB, not NAT). No Source-NAT. This includes the Accounting messages, not just the Authentication ones.
      This means the Load-Balancer must be in the direct path between the clients and the ISE PSNs.
      Some organizations have used Policy Based Routing (PBR) to accomplish the path, without physically locating the Load-Balancer between the clients and the PSNs.
    Endpoints (clients) must be able to reach each Policy Services Node directly (not going through the VIP) for redirections/Centralized Web Authentication/Posture Assessments/Native Supplicant Provisioning, and more.
    You may want to "hack" the certs to include the VIP FQDN in the SAN field (my next blog post should cover this trick).
    Perform sticky (aka: persistence) based on Calling-Station-ID and Framed-IP-address.
    VIP gets listed as the RADIUS server of each NAD for all 802.1X related AAA.
    Dynamic-Authorization (CoA):
      If you use Server NAT to replace the PSN IP address with the VIP Address for Change of Authorization, then you would use the VIP address as the Dynamic-Authorization (CoA) client.
      Otherwise, use the real IP Address of the PSN, not the VIP.
    The LoadBalancers get listed as NADs in ISE so their test authentications may be answered, to keep the probes alive.
    ISE uses the Layer-3 Address to identify the NAD, not the NAS-IP-Address in the RADIUS packet. This is a big reason to avoid SNAT.
    Failure Scenarios:
    The VIP is the RADIUS Server, so if the entire VIP is down, then the NAD should fail over to the Secondary DataCenter VIP (listed as the secondary RADIUS server on the NAD).
    Use probes on the Load-Balancers to ensure that RADIUS is responding, as well as HTTPS (at minimum).
      LB Probes should send test RADIUS messages to each PSE periodically, to ensure that RADIUS is responding, not just look for open UDP ports.
      LB Probe should also examine the response for HTTPS, not just look for the open port(s).
    Use node-groups with the L2-adjacent PSN's behind the VIP.
      If the session was in process and one of the PSN's in a node-group fails, then another member of the node-group will issue a CoA-reauth; forcing the session to begin again.
      At this point, the LB should have failed the dead PSN due to the probes configured in the LB; and so this new authentication request will reach the LB & be directed to a different PSN…
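What sticky persistence on Calling-Station-ID and Framed-IP-address means at the packet level, as an added example that is not part of the original posts and is not an F5 iRule: the balancer parses each RADIUS datagram (RFC 2865 layout), derives a persistence key, and sends authentication and accounting for the same endpoint to the same PSN. The PSN names, the sample packets, the MAC normalisation and the round-robin choice for new keys are assumptions made for illustration.

```python
import ipaddress
import struct

CALLING_STATION_ID = 31  # RFC 2865 attribute type
FRAMED_IP_ADDRESS = 8    # RFC 2865 attribute type


def build_radius(code, ident, attrs):
    """Build a RADIUS packet for the constructed samples (authenticator zeroed)."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + bytes(16) + body


def parse_attributes(packet):
    """Return {type: [value, ...]}; raise ValueError on malformed input."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    length = struct.unpack("!H", packet[2:4])[0]
    if length < 20 or length > len(packet):
        raise ValueError("length field does not match the datagram")
    attrs, off = {}, 20
    while off < length:
        if off + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = packet[off], packet[off + 1]
        if a_len < 2 or off + a_len > length:
            raise ValueError("attribute length out of bounds")
        attrs.setdefault(a_type, []).append(packet[off + 2:off + a_len])
        off += a_len
    return attrs


def persistence_key(packet):
    """Prefer Calling-Station-Id, fall back to Framed-IP-Address, else None."""
    attrs = parse_attributes(packet)
    if CALLING_STATION_ID in attrs:
        raw = attrs[CALLING_STATION_ID][0].decode("ascii", "replace").lower()
        # Strip MAC separators so differently formatted values match (assumption).
        return "csid:" + raw.translate(str.maketrans("", "", "-:."))
    framed = attrs.get(FRAMED_IP_ADDRESS, [b""])[0]
    if len(framed) == 4:
        return "ip:" + str(ipaddress.IPv4Address(framed))
    return None


class StickyBalancer:
    """Persistence table: the first packet for a key picks a PSN, later ones stick."""

    def __init__(self, psns):
        self.psns, self.table, self.next = list(psns), {}, 0

    def route(self, packet):
        key = persistence_key(packet)
        if key is None:
            return None  # nothing to persist on; caller applies its default policy
        if key not in self.table:
            self.table[key] = self.psns[self.next % len(self.psns)]
            self.next += 1
        return self.table[key]


# Constructed samples: Access-Request (code 1) and Accounting-Request (code 4)
# for the same endpoint, plus an Access-Request from a second endpoint.
ACCESS_REQ = build_radius(1, 7, [(1, b"alice"), (31, b"00-11-22-33-44-55")])
ACCT_REQ = build_radius(4, 8, [(31, b"0011.2233.4455"), (8, bytes([10, 0, 0, 5]))])
OTHER_REQ = build_radius(1, 9, [(31, b"66-77-88-99-AA-BB")])

if __name__ == "__main__":
    lb = StickyBalancer(["psn-1", "psn-2"])
    for name, pkt in (("access", ACCESS_REQ), ("other", OTHER_REQ), ("acct", ACCT_REQ)):
        print(name, persistence_key(pkt), "->", lb.route(pkt))
```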

  • Packet per packet load sharing

    Hi, my question:
    I have two routers which are connected over two links (same type, same speed).
    Now I want to change from per-destination to per-packet load sharing.
    I know there is the command "ip load-shar per packet" but my question:
    Must I use this command on all 4 interfaces (2 interfaces - two routers),
    or must I only configure this on one interface per router?
    Thanks for the answer!

    hi there. I have one doubt pertaining to per-packet load-sharing. In order to connect my two remote sites- A & B, Site A is having two WAN links and Site B is having two WAN links - one from ISP1 (30Mbps link) and the other from ISP2 (50Mbps link). I am doing static route load balancing using same AD values for both the ISPs. I have configured "ip load-sharing per-packet" on both the outgoing interfaces.
    The load is getting distributed equally across both the links but total bandwidth utilization across both the links is not going beyond 30Mbps. The combined bandwidth of both links is 80Mbps (50+30). However links are not getting fully utilized even though heavy load is there on the links. Can you please tell me how to make full use of both the wan links at both the ends?

  • Load balancing on cisco rv042

    Hi friends,
    I am facing an issue with configuring load balancing on the Cisco RV042. I had configured load balancing between dual WAN of a leased line and an ADSL connection, but load balancing is not working fine. Kindly help me on this.

    If I close one link it takes 20 seconds of downtime and then ping goes without losses.
    In the end I decided to go with PBR, since the deadline for our project was surpassed.
    I set up an ACL that matched every other 32-address block:
        10 permit ip 192.168.100.32 0.0.0.31 any 
        20 permit ip 192.168.100.96 0.0.0.31 any 
        30 permit ip 192.168.100.160 0.0.0.31 any 
        40 permit ip 192.168.100.224 0.0.0.31 any
        50 deny ip any any
    Set a route map that sends that traffic through one of the interfaces (Gi0/1) and let routing do the rest:
    track 1 interface dialer 0 line-protocol
    ip route 0.0.0.0 0.0.0.0 Dialer0 track 1
    ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/1 10
    It's not exactly what I wanted but it's close enough :)
    Thanks for your advice.

  • How can ftp service on non-standard port be load balanced using Cisco ACE.

    How can ftp service on non-standard port be load balanced using Cisco ACE? For example, ftp service required on TCP port 2000.

    Hi Samarjit,
    You can do this by specifying the port number in the class map that you create. Please find the below-mentioned config guide, where you can specify the TCP/UDP port, a range of ports or even the wildcard to match the port.
    http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/v3.00_A1/configuration/administration/guide/mapolcy.html#wp1318826
    Regards
    Abijith

  • Two isp load balancing on cisco ACE(load balancer)

    I don't know much about the load balancer (ACE).
    Is it possible to load balance two ISPs on the load balancer (ACE)? If so, how can I do so? Any configuration example or Cisco document?

    Wrong forum, post in "Datacenter". You can move your posting with the Actions panel on the right.

  • Load balancing via CHOC12/STS3

    Hi, our customer has a connection between 2 x 12012 via the 4 embedded channels of the CHOC12/STS3 module. As every subinterface has its own IP subnet we have 4 equal paths to every destination.
    The customer wants to configure dCEF per-packet load balancing and is concerned whether he can get packet sequence problems for his VoIP applications, like it may happen on 'normal' equal-cost path connections when load balancing per-packet instead of per-destination.
    Does anybody know if this can be a concern on the embedded channels ?
    Regards Guenther

    Generally speaking, for a given source-destination pair, with Per-packet load balancing enabled, packets might take different paths which could introduce reordering of packets. Thus Per-packet load balancing is inappropriate for voice over IP traffic and also for certain other types of data traffic that require packets received to be in sequence. For more information please see
    http://www.cisco.com/en/US/products/sw/iosswrel/ps1828/products_configuration_guide_chapter09186a00800ca62c.html#3589. Whether the CHOC12/STS3 module has some special mechanism built in to take care of this is unknown to me. Per-packet load balancing via CEF is not supported on Engine 2 Gigabit Switch Router (GSR) line cards (LCs).

  • RSPAN Load Balance

    Hi everybody! I go straight to the problem I'm facing:
    I need to send a data stream via RSPAN to a remote device for traffic analysis. Because of the large amount of data (>1Gbps) I need to put the remote VLAN, which carries the RSPAN traffic, on an etherchannel and to load-balance that traffic among the members of the etherchannel.
    The problem is that it seems that there's no algorithm I can use to load-balance the RSPAN traffic. The device I'm using  is a Cisco 3750 switch, so no per-packet load balancing algorithm is available (and I think that, even if I could use this technique, I would encounter some sort of out-of-sequence packets issue).
    Is there a way to efficiently load balance a RSPAN traffic on an etherchannel?

    Hey Enrico,
    Etherchannel will perform load balancing as per the selected hashing algorithm. In the 3750 the default is src-mac address, so it will only check the source MAC address of RSPAN traffic while performing load balancing across the etherchannel. So you may change it to a more granular value; the available options are provided in the link below: http://www.cisco.com/en/US/docs/switches/lan/catalyst3750x_3560x/software/release/12.2_53_se/configuration/guide/swethchl.html#wp1276203
    HTH.
    Regards,
    RS.

  • Resources for designing redundancy and load balancing among data centers

    Hello all,
    I'm looking for resources for designing redundancy and load balancing between two physically separate data centers. I'm looking for some "best practice" links, tips, or recommendations. Any suggestions are appreciated!
    Thanks.

    I think that we can do per packet load balancing by using CEF.
    Please go to the following URL:
    http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fswtch_c/swprt1/xcfcefc.htm#xtocid5
    Also, you may need local director or distributed director. What resource/application is available in the data centre? (e.g. http server, ftp server, TN3270 server, and so on)

  • Load Balancing Rip version 2

    I have a lab scenario, that is confusing me greatly. I can get per packet load-balancing working when I ping from R2 to interfaces in the 192.168.1.0/30. However, when I'm pinging from R3 , I can't packet load-balance to interfaces in 192.168.4.0/30. I also can't packet load-balance from R1 pinging to interfaces in 192.168.4.4/30. Am I doing something wrong? Thanks...
    I have three routers: R1, R2, R3.
    R1: Eth0 192.168.1.1/30 connected to R3 eth0
    R1: Ser0 192.168.4.1/30 connect to R2 Ser0
    R2: Ser0 192.168.4.2/30 connect to R1 Ser0
    R2: Ser1 192.168.4.5/30 connect to R3 Ser0
    R3: Eth0 192.168.1.2/30 connect to R1 eth0
    R3: Ser0 192.168.4.6/30 connect to R2 Ser1
    All of the routers run:
    2500 Software (C2500-I-L), Version 12.2(29a), RELEASE SOFTWARE (fc1)
    Configs for R1, R2, R3 are attached as a plain text file and listed below:
    R1 config:
    version 12.2
    service timestamps debug uptime
    service timestamps log uptime
    service password-encryption
    service udp-small-servers
    service tcp-small-servers
    hostname R1
    ip subnet-zero
    ip host R1 192.168.1.1
    ip host R2 192.168.4.2
    ip host R3 192.168.1.2
    interface Ethernet0
     ip address 192.168.1.1 255.255.255.252
     no ip route-cache
     no ip mroute-cache
    interface Serial0
     ip address 192.168.4.1 255.255.255.252
     no ip route-cache
     no ip mroute-cache
    interface Serial1
     no ip address
     no ip mroute-cache
     shutdown
    interface Serial2
     no ip address
     no ip mroute-cache
     shutdown
    interface Serial3
     no ip address
     no ip mroute-cache
     shutdown
    interface BRI0
     no ip address
     encapsulation hdlc
     no ip mroute-cache
     shutdown
    router rip
     version 2
     network 192.168.1.0
     network 192.168.4.0
    ip classless
    no ip http server
    line con 0
    line aux 0
    line vty 0 4
    end
    R2 config:
    version 12.2
    no service pad
    service timestamps debug uptime
    service timestamps log uptime
    service password-encryption
    hostname R2
    ip subnet-zero
    ip host R1 192.168.1.1
    ip host R2 192.168.4.2
    ip host R3 192.168.1.2
    interface Ethernet0
     shutdown
    interface Serial0
     ip address 192.168.4.2 255.255.255.252
     no ip route-cache
     no ip mroute-cache
     clockrate 56000
    interface Serial1
     ip address 192.168.4.5 255.255.255.252
     no ip route-cache
     no ip mroute-cache
     clockrate 56000
    interface Serial2
     no ip address
     shutdown
    interface Serial3
     no ip address
     shutdown
    interface Serial4
     no ip address
     shutdown
    interface Serial5
     no ip address
     shutdown
    interface Serial6
     no ip address
     shutdown
    interface Serial7
     no ip address
     shutdown
    interface Serial8
     no ip address
     shutdown
    interface Serial9
     no ip address
     shutdown
    interface BRI0
     no ip address
     encapsulation hdlc
     shutdown
    router rip
     version 2
     network 192.168.4.0
    ip classless
    no ip http server
    line con 0
    line aux 0
    line vty 0 4
    end
    R3 config:
    version 12.2
    service timestamps debug uptime
    service timestamps log uptime
    service password-encryption
    hostname R3
    ip subnet-zero
    ip host R2 192.168.4.2
    ip host R1 192.168.1.1
    ip host R3 192.168.1.2
    interface Ethernet0
     ip address 192.168.1.2 255.255.255.252
     no ip route-cache
     no ip mroute-cache
    interface Serial0
     ip address 192.168.4.6 255.255.255.252
     no ip route-cache
     no ip mroute-cache
    interface Serial1
     no ip address
     no ip mroute-cache
     shutdown
    interface BRI0
     no ip address
     encapsulation hdlc
     no ip mroute-cache
     shutdown
    router rip
     version 2
     network 192.168.1.0
     network 192.168.4.0
    ip classless
    no ip http server
    line con 0
    line aux 0
    line vty 0 4
    end

    I figured it out. When I configure "no auto-summary" on each router it behaves nicely with per-packet load balancing. I guess I needed to get rid of the summarized routes listing /24 for my VLSMed 4.0 4.4 /30 networks.
    Thanks

  • MPLS Load Balancing/Sharing with TE or CEF or Both?

    So I am just playing around in GNS3 trying to set up multiple ECMP links between two P routers like this:
    CE1 -- PE1 -- P1 == P2 -- PE2 -- CE2
    (There are actually four links between P1 & P2!)
    I have set up a pseudowire xconnect from PE1 to PE2 so CE1 & 2 can ping each other on the same local subnet range. That works just fine.
    My question is this:
    I have configured "ip load-sharing per-packet" on each of the four interfaces on P1 and P2 that are facing each other (I know per-packet balancing is frowned upon but let's not talk about that right now!) and this works; traffic is distributed across all links (I can see with packet captures in GNS3).
    Where does "ip load-sharing per-packet" fit in to the chain of events with regards to MPLS and CEF etc.? So, with MPLS enabled everywhere the two P routers are forwarding based on labels and not IP address. With MPLS enabled, does this command force the P routers to load-balance each MPLS frame as it comes in, round-robining the ingress frames across all links, the same as it would if it were a plain IP packet? So the command is ignorant of the kind of traffic being used? Or is the P router looking down into the MPLS frame for the IP in the IP packet?
    Also, in order to get the same sort of performance boost you get from per-packet load balancing, seeing as I am using MPLS here, should I be using some fancy MPLS TE to do this instead of that interface sub-command?
    If I remove that command, I seem to always use link 2 for sending traffic towards P2 from P1, and link 3 for receiving the return traffic from P2 to P1. This is presumably because the ICMP packets have nothing to hash on except the source and destination IP addresses, so they always hash to the same physical links. Without using that command how else can I make use of the four links?

    Hello Jwbensley,
    first of all,
    "ip load-sharing per-packet" is not a viable option as it causes out-of-order issues.
    Real-world devices perform load balancing based on the second (more internal) label value, so to achieve some load balancing, for example, multiple pseudowires must be defined between the same pair of PE nodes.
    L3 VPNs use different internal labels for different customer prefixes of the same VRF site (unless some special command is used to say use one label per VRF site).
    >> If I remove that command, I seem to always use link 2 for sending traffic towards P2 from P1, and link 3 for receiving the return traffic from P2 to P1
    This is the expected behaviour in this scenario.
    With MPLS TE you can achieve results similar to the use of multiple pseudowires /LSPs : forms of load sharing not true load balancing. In all cases in MPLS world flow based and not per packet
    Hope to help
    Giuseppe

  • Pix OSPF load balancing question

    I have a pix 515e with two default routes, learned via OSPF from two routers on the "outside" interface.
    Currently router#2 is being preferred way much more than router#1. There are many thousands of destinations for the traffic. These two routers are further doing NAT to nat rfc1918 ip's to the internet (the pix is NOT doing nat)
    Can someone please let me know how the PIX does load balancing? is it by IP address destination? is it something else?
    thanks,
    Joe

    Per TAC:
    "the PIX will do per-destination Load Balancing instead of per packet
    load balancing. The algorithm will look at the source and destination
    addresses. It does not do 1:1 load balancing. Given enough different
    source and destination addresses, the packets will more or less reach a
    50/50 split between the two next-hops. However, in real world testing
    with the same source and destination addresses, it may not reach an even
    load balancing."

  • Load balancing with Serial Leased Lines & Etherdrops

    This problem is a unique one.
    I have 6 Internet Leased Lines of 2 Mbps each. Keeping in view the increasing thirst for bandwidth, I ordered Etherdrops for the ease of on-the-fly upgrade, as and when needed.
    To my surprise, when these Etherdrops were terminated on the router, there was no traffic flowing over these etherlinks. I had to forcefully put traffic on these links using PBR.
    I want to use all my links, i.e. 6 serial + 2 etherlinks, for per-packet load balancing.
    Can someone help?
    Regards,

    Hi
    Are you running any routing protocols with your ISP?
    Also, you can have a max of 6 equal-cost routes in routers.
    That's the reason I feel you are unable to use the etherdrops.
    Why don't you think of upgrading the E1s into fiber and taking them as a single Ethernet output or an E3 output?
    regds

  • MPLS/VPN network load balancing in the core

    Hi,
    I've an issue about CEF-based load balancing in the MPLS core in an MPLS/VPN environment. If you consider flow-based load balancing, the path (out interface) will be chosen based on source-destination IP address. What about in an MPLS/VPN environment? Will the hash be based on PE router src-dst loopback addresses, or VRF packet src-dst in the P and PE routers? The topology would be:
    CE---PE===P===PE---CE
    I'm interested in load balancing efficiency if I duplicate the link between P and PE routers.
    Thank you for your help!
    Gabor

    Hi,
    On the PE router you could set different types and 2 levels of load balancing.
    For instance, in case of a dual-homed site, subnet A prefix for VPN A could be advertised in the VPN by PE1 or PE2.
    PE1 receives this prefix via eBGP session from CE1 and keeps this route as best due to external state.
    PE2 receives this prefix via eBGP session from CE2 and keeps this route as best due to external state.
                                 eBGP
                         PE1 ---------CE1
    PE3----------P1                          Subnet A
                         PE2----------CE2 /
                                eBGP
    Therefore from PE3's point of view, 2 routes are available, assuming that the IGP metric for PE3/PE1 is equal to PE3/PE2.
    Then a 1st level of load sharing can be achieved thanks to the maximum-paths ibgp number command.
    2 MP-BGP routes are received on PE3:
    PE3->PE1->CE1->subnet A
    PE3->PE2->CE2->subnet A
    To use both routes you must set the number to 2 at least: maximum-paths ibgp 2
    But guess what, in the real world an MPLS backbone hardly guarantees an equal IGP cost between 2 egress PEs for a given prefix.
    So it is often necessary to ignore the IGP metric by adding the "unequal-cost" keyword: maximum-paths unequal-cost ibgp 2
    By default the load balancing is called "per-session": source and destination addresses are considered to choose the path and the outgoing interface, avoiding reordering the packets on the target site. Otherwise it is possible to use "per-packet" load balancing.
    Then a 2nd load-sharing level can occur.
    For instance:
             __P1__PE1__CE1
    PE3           \/                   Subnet A
            \ __P2__PE2__CE2
    There are still 2 MP-BGP paths:
    PE3->P1->PE1->CE1->subnet A
    PE3->P1->PE2->CE2->subnet A
    But this time for 2 MP-BGP paths 4 IGP paths are available:
    PE3->P1->PE1->CE1->subnet A
    PE3->P1->PE2->CE2->subnet A
    PE3->P2->PE1->CE1->subnet A
    PE3->P2->PE2->CE2->subnet A
    For load balancing to be active between those 4 paths, they must exist in the routing table thanks to the "maximum-path 4" command in the IGP (e.g. OSPF) process.
    Therefore if those 4 paths are equal-cost IGP paths then a 2nd level of load balancing is achieved. The default behavior is the same source-destination mechanism to select the "per-session" path as mentioned before.
    On an LSP each LSR could use this feature.
    BR
