Shape traffic on multiple load balance interface

Similar Messages

• Using ACE to load balance HTTP/S traffic between client & proxy server using tcp 8080

  Folks,
  I have a scenario where ACE is in load balancing connections to a bunch of Websense servers in a one-armed topology.  ACE presents a single VIP to web browser clients and each client's browser proxy configuration is populated with the VIP DNS name.  Traffic then gets load balanced between the Websense servers.  The problem arises due to Websense requiring the 'X-Forwarded-For' HTTP header in order to obtain the source IP of the client.  
  ACE inserts this header into the standard HTTP 'proxied' traffic but doing this for HTTPS traffic has required the configuration of the ACE SSL proxy client server.
  So the problem I have is this:
  How to configure ACE to load balance both HTTP & HTTPS applications using a single VIP and tcp port number ie tcp 8080
  The ACE hardware being used is ACE20-MOD-K9  -  MODULE
  I have attempted to use a L7 class map to match all ciphers and attach this to a L7 Policy-Map but the documentation highlights the fact the 'match cipher' configuration is only available on the ACE appliance.  
  I believe I am on the correct track.  The HTTPS traffic must be identified and used to match against PolicyA and HTTP traffic matched against PolicyB
  I'm looking for ideas!  I'm hopeful someone must have solved this problem previously!!
  Regards,
  Simon

  Hi Simon,
  The classification has to work on different ports. Whether client types http or https doesn't matter to client. His request will reach VIP which will classify the traffic based on port, protocol first and then it can look into further detail to send the traffic to appropriate serverfarm.
  You can class-map match-any xxxxx
  2 match virtual-address x.x.x.x tcp any
  and then you configure further classification on the basis of L7 like  url, header etc. 
  But again, you will still need SSL termination on ACE.
  Regards,
  Kanwal
  Note: Please mark answers if they are helpful.

• N5K: PortChannel & Load Balancing

  Hello All,
  I've configured port-channel for my backup servers and also applied load balancing on the switch (NEXUS 5548 with 2248 FEX). The server is configured with NIC teaming and is set on auto, which negotiates to use 802.3ad for the channel.
  All seems to be working fine however the ports do not seem to be balancing the traffic when transmitting unicast traffic as shown from below N5K output:
  ChanId      Port     Rx-Ucst  Tx-Ucst  Rx-Mcst     Tx-Mcst   Rx-Bcst  Tx-Bcst
    20   Eth102/1/6  52.61%  99.99%    49.45%  63.29%  93.55%  51.27%
    20   Eth102/1/5  47.38%   0.00%     50.54%  36.70%   6.44%    48.72%
    21   Eth102/1/33  51.25%  99.99%  49.92%  63.01%   15.51%   51.40%
    21   Eth102/1/29  48.74%  0.00%  50.07%  36.98%     84.48%   48.59%
  The above shows the server is receiving traffic only on one port and not balancing it on another. Server is WIn 2008 R2. These are 1 Gig links with PO are 2 Gig, the backup server needs the 2 Gig but somehow it doesnt seem to utilize the port-channel for incoming traffic.
  Currently the load balancing on the N5K platform is set as follows:
  N5K# show port-channel load-balance
  Port Channel Load-Balancing Configuration:
  System: source-dest-port
  Port Channel Load-Balancing Addresses Used Per-Protocol:
  Non-IP: source-dest-mac
  IP: source-dest-port source-dest-ip source-dest-mac
  My question here is can i load balance the Tx-Ucst to both ports?
  Is there some other way I can utilize both NIC cards on the server to receive traffic?
  Any help would be much appreciated.
  Thank you.
  Regards,
  Adnan M F

  Adnan,
  You seem to be using the recommended hashing algorithm. I would use the "show port-channel load-balance forwarding-path" command to verify that your traffic would actually load balance. Because you mention these are backup servers, I'm concerned there may not be enough entropy in the packets to load balance as you'd like.
  example :
  show port-channel load-balance forwarding-path interface port-channel 301 vlan 1 src-ip 1.1.1.1 l4-dst-port 80 dst-ip 2.2.2.2 l4-src-port 20000
  Missing params will be substituted by 0's.
  Load-balance Algorithm on switch: source-dest-ip
  crc8_hash: Not Used     Outgoing port id: Ethernet1/9
  Param(s) used to calculate load-balance (Unknown unicast, multicast and broadcas
  t packets):
          dst-mac:  0000.0000.0000
          vlan id:  1
  If the "show port-channel load-balance forwarding-path" commands shows that your traffic should transmit out eth102/1/5 or eth102/1/29, then it's possible you are having bug issues. There are known bugs that were fixed in 5.2(9) and 6.1(4) that affect load balancing.

• Load balancing and HA for office web apps server Lync 2013

  Hi,
      I have 12000 users, 3 FE servers in a pool, 2 edge server in a pool, HA required, IM/presence, A/V, WEb conferencing required. plan to have 2 office web apps server a farm with HA, below are my queries
  1.  which type of load balancing i need....DNS or HLB for office web app servers? if its HLB then is it mandatory?
  2. i have already 2 HLB for FE pool .. one for externa url , one for internal URL...can i use the same HLB for office web app servers ?
  3. one more question regarding EDGE pool load balancing, can i use the same HLB  in EDge pool also that i am using for FE pool?

  Hi,
  1.  which type of load balancing i need....DNS or HLB for office web app servers? if its HLB then is it mandatory?
  WebApps runs on https and you cannot load balance http traffic using DNS load balancing. you need to have a HLB.
  2. i have already 2 HLB for FE pool .. one for externa url , one for internal URL...can i use the same HLB for office web app servers ?
  you can use the same HLB for that
  3. one more question regarding EDGE pool load balancing, can i use the same HLB  in EDge pool also that i am using for FE pool?
  for that one, you probably need a separate HLB.  
  Z-Hire -- Automate Lync User Account creation process ( AD / Exchange / Lync )

• Server Load Balance in one network using CSM Cat6509

  I have 2 Web Servers with real IP address 10.1.12.61 and 10.1.12.62 (subnet mask 255.255.255.0). The virtual IP address configured on CSM is 10.1.12.100
  I also have 2 Application Servers with real IP address 10.1.12.81 and 10.1.12.82 (subnet mask 255.255.255.0). The virtual IP address is 10.1.12.120.
  Users will access Web server using the virtual IP address (10.1.12.100) so that the traffic will be load balanced.
  But there is also requirement that those Web Servers access Application Servers using IP address 10.1.12.120 so that the traffic will be load balanced as well.
  Is this requirement feasible?
  Can CSM load balance between servers in one network address?

  Budiman,
  I am building the same situatiuon here. But the most simple part seems not to be working. I have two webservers in the same subnet as my VIP.
  The clients can be everywhere in every subnet.
  This is what happens:
  btpebgw70#sh mod contentSwitchingModule 9 conns
  prot vlan source destination state
  In TCP 401 192.6.53.42:1901 151.183.58.196:80 ESTAB
  Out TCP 401 151.183.58.196:80 192.6.53.42:1901 ESTAB
  ok this is good but:
  btpebgw70#sh mod contentSwitchingModule 9 reals detail
  151.183.58.201, ORBIS, state = OPERATIONAL
  conns = 0, maxconns = 4294967295, minconns = 0
  weight = 8, weight(admin) = 8, metric = 0, remainder = 0
  total conns established = 58, total conn failures = 58
  the failures have the same value as the established. Can you send me your config part of the csm because I am getting tired of this. Please email to [email protected]
  Thanks in advance!

• URL-Based Load Balancing

  I'm having a difficult time trying to configure load balancing on my CSM based on the URL entered. Here is my scenerio:
  Two web servers (WebA & WebB), load balanced on a CSM. WebA & WebB have 90% the same content, so most traffic can be load balanced between them without a problem. The problem (for me anyway) comes in where WebA has certain web sites that WebB doesn't, and vice versa. So I need to load balance to both for 90% of the traffic, and point traffic to a particular server the other 10% of the time based on the URL entered.
  Below is the test config I have so far (that doesn't work correctly), what I am trying for in this example is that any URL that contains /vhosts/ or /programs/ be directed to WebA, and any URL that contains /platform/ or /ssl/ be directed to WebB, and all other traffic be load balanced between the two evenly. (For testing purposes, the servers are being load balanced in "bridge-mode", in production they will be "routed-mode"....I did't want to go through the change controls to change the IP addresses for the test servers!).
  module ContentSwitchingModule 2
  vlan 605 client
  ip address 10.63.240.4 255.255.255.0
  gateway 10.63.240.1
  vlan 606 server
  ip address 10.63.240.4 255.255.255.0
  natpool URL-POLICY-TEST 10.63.240.204 10.63.240.204 netmask 255.255.255.254
  map SRV-A url
  match protocol http url /vhosts/*
  match protocol http url /programs/*
  map SRV-B url
  match protocol http url /platform/*
  match protocol http url /ssl/*
  serverfarm URL-POLICY-TEST
  nat server
  nat client URL-POLICY-TEST
  real 10.40.109.100
  inservice
  real 10.40.109.101
  inservice
  serverfarm URL-TESTA
  nat server
  nat client URL-POLICY-TEST
  real 10.40.109.100
  inservice
  serverfarm URL-TESTB
  nat server
  nat client URL-POLICY-TEST
  real 10.40.109.101
  inservice
  policy TESTWEB-A
  url-map SRV-A
  serverfarm URL-TESTA
  policy TESTWEB-B
  url-map SRV-B
  serverfarm URL-TESTB
  vserver URL-POLICY_TEST
  virtual 10.63.240.10 tcp 0
  vlan 605
  serverfarm URL-POLICY-TEST
  sticky 1
  persistent rebalance
  slb-policy TESTWEB-A
  slb-policy TESTWEB-B
  inservice

  Thanks for the reply Gilles....I've been out of the office for a while.
  Well, right now nothing is working....except that all traffic is going to the default server farm assinged to the vserver. Here are the URLs I am testing with:
  **************TEST A************
  http://10.63.240.10/manual/vhosts/fd-limits.xml
  http://10.63.240.10/manual/programs/apachectl.xml
  **************TEST B************
  http://10.63.240.10/manual/platform/ebcdic.xml
  http://10.63.240.10/manual/ssl/ssl_compat.xml
  ***************BOTH****************
  http://10.63.240.10/manual/howto/htaccess.xml
  http://10.63.240.10/manual/howto/cgi.xml
  When I try attaching to the first URL for example, here is the connection info (I trimmed it down so it will fit here):
  MOSL1S1A#sh mod csm 2 real
  real server farm Conns/hits
  10.40.109.100 URL-POLICY-TEST 1
  10.40.109.101 URL-POLICY-TEST 0
  10.40.109.100 URL-TESTA 0
  10.40.109.101 URL-TESTB 0
  MOSL1S1A#
  MOSL1S1A#sh mod csm 2 conn
  prot vlan source destination
  In TCP 605 10.47.10.10:3738 10.63.240.10:80
  Out TCP 605 10.40.109.101:80 10.63.240.204:8820
  I've tried changing the syntax on the URL statement in the map as such:
  /manual/*
  */manual/*
  /manual/
  *manual*
  /manual*

• How does IronPort assist in load balancing?

  There are plans to put a load balancer in front of an IronPort cluster of 6. As of now, we have Mx record priority (Round robin) based load balancing.
  Does an ESA has the intelligence to automatically reject incoming connections if other ESAs in the cluster is idol? Or, in other way, does ESA has the intelligence to reject incoming connections if it sees a series of connection attempts from the same source? Or, does it have intelligence to reject incoming connections if it is devoid of any resource to process any new messages?
  Thanks,
  Chandan

  No.  The ESA will still act in the same stand alone fashion - so, it will act independently with the traffic that is presented.  Other appliances in cluster would not recognize the other appliance's traffic or status for handling mail that is processed --- remember, with the ESA, in cluster - the only thing that is shared is the configuration between cluster appliances.
  The traffic handling and load balancing aspect would be based on the 3rd party software/appliance sitting in front of the appliances --- then control the pool of appliances that you have set from there.
  I hope this helps!
  -Robert
  (*If you have received the answer to your original question, and found this helpful/correct - please mark the question as answered, and be sure to leave a rating to reflect!)

• RSPAN Load Balance

  Hi everybody! I go straight to the problem I'm facing:
  I need to send a data stream via RSPAN to a remote device for traffic analysis. Because of the large amount of data (>1Gbps) I need to put the remote VLAN, which carries the RSPAN traffic, on an etherchannel and to load-balance that traffic among the members of the etherchannel.
  The problem is that it seems that there's no algorithm I can use to load-balance the RSPAN traffic. The device I'm using  is a Cisco 3750 switch, so no per-packet load balancing algorithm is available (and I think that, even if I could use this technique, I would encounter some sort of out-of-sequence packets issue).
  Is there a way to efficiently load balance a RSPAN traffic on an etherchannel?

  Hey Enrico,
  Etherchannel will perform load balancing as per the selected hashing algorithm. In 3750 default is src-mac address so it will only check the source mac-address of RSPAN traffic while performing load balancing across etherchannel. So you may change it to a more granular value, available options are provided in link below:http://www.cisco.com/en/US/docs/switches/lan/catalyst3750x_3560x/software/release/12.2_53_se/configuration/guide/swethchl.html#wp1276203
  HTH.
  Regards,
  RS.

• ISE 1.2 - Multiple NICs/Load Balancing for DHCP Probe

  Hello guys
  Just prepping an ISE 1.2 patch 8 setup in our organization. I am going for the virtual appliances with multiple NICs. It will be a distributed deployment with 4 x PSNs behind a load balancer and there is no requirement for wireless or guest user at the moment. I've got 2 points I will like to get some guidance on:
  Our DC has a dedicated mgmt network and I plan to IP the gig0 interface of the PANs, MNTs and PSNs from this subnet. All device admin, clustering, config replication, etc will be over this interface. However, RADIUS/probe/other user traffic to the ISE PSNs will be over the gig1 interface which will be addressed from another L3 network. Is this a supported configuration in ISE?
  I intend to use the DHCP probe as part of device profiling and will ideally like to have just an additional ip helper to add to our switch SVI config. Also, it will appear that WLCs can only be configured for 2 DHCP servers for a given network so another consideration for when we bringing our WLAN in scope. We however use ACE load balancers within our DC and from what I have read, they do not support DHCP load balancing. Are there any workarounds to using the DHCP probe with multiple PSNs without having to add each node as an ip helper/DHCP server on the NADs?
  Thanks in advance
  Sayre

  Hello Sayre-
  For Question #1:
  Management is restricted to GigabitEthernet 0 and that cannot be changed so you should be good there
  You can configure Radius and Profiling to be enabled on other interfaces
  Even though you are not using guest services yet, you can dedicate an interface just for that. As a result, you can separate guest traffic completely from your production network
  Take a look at this link for more info:
  http://www.cisco.com/c/en/us/td/docs/security/ise/1-2/installation_guide/ise_ig/ise_app_c-ports.html
  For Question #2
  If you are using a Cisco WLC and running code 7.4 and newer you don't need to mess with the IP helper configurations. 
  The controller can be configured to act as a collector for client profiling and interact with the DHCP thread along with the RADIUS accounting task that is running on the controller. The controller receives a copy of the DHCP request packet sent from the DHCP thread and parses the DHCP packet for two options:
  –Option 12—HostName of the client
  –Option 60—The Vendor Class Identifier
  After this information is gathered from the DHCP_REQUEST packet, a message is formed by the controller with these option fields and is sent to the RADIUS accounting thread, which is in turn transmitted to the ISE in the form of an interim accounting message.
  Both DHCP and HTTP profiling settings are located under the "Advanced" configuration tab in the WLC
  On the other hand, you can also use Anycast for profiling. You can check out some of Cisco Live's sessions for more info on that. Here is one that is from a couple of years (There are more recent ones that are available as well):
  http://www.alcatron.net/Cisco%20Live%202013%20Melbourne/Cisco%20Live%20Content/Security/BRKSEC-3040%20%20Advanced%20ISE%20and%20Secure%20Access%20Deployment.pdf
  I hope this helps!
  Thank you for rating helpful posts!

• Forcing traffic through load balancer rather than zone to zone

  I have several T5140s with 2 LDOMs. Within each LDOM I have multiple zones which contain 2 environments. Each environment comprises the following, an apache instance behind a BigIP load balancer, a JBoss instance, and several misc. The jboss zone has three IP address assigned for multiple applications. Each server is configured identically as far as zone and LDOM layout. We use mod_cluster to cluster our apache and Jboss environment. What I'm trying to accomplish is forcing the apache zone's traffic through the BigIP rather than zone to zone.
  Referring to the information below, server2ldom1jboss is one jboss node which needs to connect to both server2ldom1japache and server1ldom1apache. server2ldom1jboss connects to server2ldom1apache via its DNS name which is a NAT address. So webserver2 resolves to 10.10.2.5 which NATs to 10.10.1.5 behind the BigIP. webserver2 responds directly to the jboss zone rather than through the BigIP. Not good. server1ldom1apache works correctly as it's not a local zone.
  Referring to this document, https://blogs.oracle.com/solarium/resource/solaris-container-guide-en-v3.1.pdf
  section 5.2.7.8
  "Connection of zones via external routers using the shared IP instance"
  I've created the following routes
  route add 10.10.2.5 10.10.1.5
  route add 10.10.0.34 10.10.1.5 -interface -reject
  route add 10.10.0.35 10.10.1.5 -interface -reject
  route add 10.10.0.87 10.10.1.5 -interface -reject
  route add 10.10.1.5 10.10.0.87 -interface -reject
  route add 10.10.1.5 10.10.0.34 -interface -reject
  route add 10.10.1.5 10.10.0.35 -interface -reject
  This does prevent the zone to zone traffic, but it also preventing any response. I've tried other options as well, but have not been successful yet. What concerns me is this "These interfaces must not be used elsewhere in the global zone." The 5140 has 4 ethernet ports, which are configured into two port channels. vnet0 and vnet1. The apache instances use vnet1. The remaining zones use vnet0, including the global zone (server2ldom1 10.10.0.21). I think this may be the issue, but do not see an easy resolution without breaking my port channels and losing redundancy and fail-over.
  If there is anything I'm missing or a better/different way to do this, I would greatly appreciate any input on this matter.
  Thank you.
  webserver2 10.10.2.5 NATs to 10.10.1.5
  jboss apps 10.10.0.34, 10.10.0.35, 10.10.0.87
  10.10.0.0/24 is the lan
  10.10.1.0/24 is the network behind the BigIP
  10.10.2.0/24 is the webserver network (in front of the BigIP)
  [1658]root@server2:~# ldm list-bindings
  NAME STATE FLAGS CONS VCPU MEMORY UTIL UPTIME
  primary active -n-cv- SP 4 2G 1.1% 138d 5h
  MAC
  00:14:4f:ec:20:ff
  HOSTID
  0x84ec20b8
  VCPU
  VID PID UTIL STRAND
  0 0 2.0% 100%
  1 1 1.4% 100%
  2 2 0.7% 100%
  3 3 2.1% 100%
  MAU
  ID CPUSET
  0 (0, 1, 2, 3, 4, 5, 6, 7)
  MEMORY
  RA PA SIZE
  0x8000000 0x8000000 2G
  VARIABLES
  boot-device=/pci@0/pci@0/pci@2/scsi@0/disk@0,0:a disk net
  keyboard-layout=US-English
  nvramrc=devalias rootdisk /pci@0/pci@0/pci@2/scsi@0/disk@0,0:a devalias rootmirror /pci@0/pci@0/pci@2/scsi@0/disk@1,0:a
  security-mode=none
  security-password=
  use-nvramrc?=true
  IO
  DEVICE PSEUDONYM OPTIONS
  pci@0 pci
  niu@80 niu
  VCC
  NAME PORT-RANGE
  primary-vcc0 5000-5010
  CLIENT PORT
  group1@primary-vcc0 5000
  group1@primary-vcc0 5000
  VSW
  NAME MAC NET-DEV DEVICE DEFAULT-VLAN-ID PVID VID MODE
  primary-vsw0 00:14:4f:f9:ff:ff aggr1 switch@0 1 1
  PEER MAC PVID VID
  vnet0@ldom2 00:14:4f:fb:7b:ff 1
  vnet0@ldom1 00:14:4f:fb:1a:ff 1
  NAME MAC NET-DEV DEVICE DEFAULT-VLAN-ID PVID VID MODE
  primary-vsw1 00:14:4f:fb:8e:ff aggr2 switch@1 1 1
  PEER MAC PVID VID
  vnet1@ldom1 00:14:4f:f8:17:ff 1
  vnet1@ldom2 00:14:4f:f8:c2:ff 1
  VDS
  NAME VOLUME OPTIONS MPGROUP DEVICE
  primary-vds0 ldom2_swap /ldoms/swap/server2ldom2
  ldom2_root /dev/dsk/c4t600601601CE1210018F9E37BD2AADD11d0s2
  ldom1_swap /ldoms/swap/server2ldom1
  ldom1_root /dev/dsk/c4t600601601CE121007E02166CD2AADD11d0s2
  CLIENT VOLUME
  ldom2_swap@ldom2 ldom2_swap
  ldom2_root@ldom2 ldom2_root
  ldom1_swap@ldom1 ldom1_swap
  ldom1_root@ldom1 ldom1_root
  VCONS
  NAME SERVICE PORT
  SP
  NAME STATE FLAGS CONS VCPU MEMORY UTIL UPTIME
  ldom1 active -n---- 5000 30 15G 3.7% 192d 6h
  MAC
  00:14:4f:f8:a5:ff
  HOSTID
  0x84f8a5f5
  VCPU
  VID PID UTIL STRAND
  0 4 0.4% 100%
  1 5 0.3% 100%
  2 6 0.1% 100%
  3 7 4.4% 100%
  4 8 0.2% 100%
  5 9 0.2% 100%
  6 10 14% 100%
  7 11 0.1% 100%
  8 12 8.1% 100%
  9 13 0.1% 100%
  10 14 0.1% 100%
  11 15 0.1% 100%
  12 16 0.3% 100%
  13 17 0.1% 100%
  14 18 0.1% 100%
  15 19 0.1% 100%
  16 20 0.3% 100%
  17 21 0.6% 100%
  18 22 0.3% 100%
  19 23 0.1% 100%
  20 54 1.0% 100%
  21 55 0.5% 100%
  22 56 1.2% 100%
  23 57 0.2% 100%
  24 58 4.5% 100%
  25 59 0.9% 100%
  26 60 0.0% 100%
  27 61 0.1% 100%
  28 62 0.1% 100%
  29 63 0.3% 100%
  MAU
  ID CPUSET
  1 (8, 9, 10, 11, 12, 13, 14, 15)
  2 (16, 17, 18, 19, 20, 21, 22, 23)
  6 (48, 49, 50, 51, 52, 53, 54, 55)
  7 (56, 57, 58, 59, 60, 61, 62, 63)
  MEMORY
  RA PA SIZE
  0x8000000 0x88000000 10G
  0x401800000 0x6b1800000 5G
  VARIABLES
  auto-boot?=true
  boot-device=ldom1_root:b
  NETWORK
  NAME SERVICE DEVICE MAC MODE PVID VID
  vnet0 primary-vsw0@primary network@0 00:14:4f:fb:1a:ff 1
  PEER MAC MODE PVID VID
  primary-vsw0@primary 00:14:4f:f9:ff:ff 1
  vnet0@ldom2 00:14:4f:fb:7b:ff 1
  NAME SERVICE DEVICE MAC MODE PVID VID
  vnet1 primary-vsw1@primary network@1 00:14:4f:f8:17:ff 1
  PEER MAC MODE PVID VID
  primary-vsw1@primary 00:14:4f:fb:8e:ff 1
  vnet1@ldom2 00:14:4f:f8:c2:ff 1
  DISK
  NAME VOLUME TOUT DEVICE SERVER MPGROUP
  ldom1_swap ldom1_swap@primary-vds0 disk@0 primary
  ldom1_root ldom1_root@primary-vds0 disk@1 primary
  VCONS
  NAME SERVICE PORT
  group1 primary-vcc0@primary 5000
  NAME STATE FLAGS CONS VCPU MEMORY UTIL UPTIME
  ldom2 active -n---- 5000 30 15000M 0.8% 192d 6h
  MAC
  00:14:4f:fa:e8:ff
  HOSTID
  0x84fae839
  VCPU
  VID PID UTIL STRAND
  0 24 1.0% 100%
  1 25 1.0% 100%
  2 26 0.0% 100%
  3 27 0.0% 100%
  4 28 0.1% 100%
  5 29 0.3% 100%
  6 30 0.0% 100%
  7 31 0.0% 100%
  8 32 0.0% 100%
  9 33 0.1% 100%
  10 34 1.3% 100%
  11 35 0.0% 100%
  12 36 0.1% 100%
  13 37 1.0% 100%
  14 38 1.9% 100%
  15 39 0.0% 100%
  16 40 0.0% 100%
  17 41 0.0% 100%
  18 42 0.1% 100%
  19 43 0.5% 100%
  20 44 0.2% 100%
  21 45 0.0% 100%
  22 46 0.2% 100%
  23 47 0.4% 100%
  24 48 0.2% 100%
  25 49 0.0% 100%
  26 50 0.0% 100%
  27 51 0.0% 100%
  28 52 0.0% 100%
  29 53 0.0% 100%
  MAU
  ID CPUSET
  3 (24, 25, 26, 27, 28, 29, 30, 31)
  4 (32, 33, 34, 35, 36, 37, 38, 39)
  5 (40, 41, 42, 43, 44, 45, 46, 47)
  MEMORY
  RA PA SIZE
  0x8000000 0x308000000 15000M
  VARIABLES
  auto-boot?=true
  boot-device=/virtual-devices@100/channel-devices@200/disk@1:b ldom2_root
  keyboard-layout=US-English
  NETWORK
  NAME SERVICE DEVICE MAC MODE PVID VID
  vnet0 primary-vsw0@primary network@0 00:14:4f:fb:7b:ff 1
  PEER MAC MODE PVID VID
  primary-vsw0@primary 00:14:4f:f9:ff:ff 1
  vnet0@ldom1 00:14:4f:fb:1a:ff 1
  NAME SERVICE DEVICE MAC MODE PVID VID
  vnet1 primary-vsw1@primary network@1 00:14:4f:f8:c2:ff 1
  PEER MAC MODE PVID VID
  primary-vsw1@primary 00:14:4f:fb:8e:ff 1
  vnet1@ldom1 00:14:4f:f8:17:ff 1
  DISK
  NAME VOLUME TOUT DEVICE SERVER MPGROUP
  ldom2_swap ldom2_swap@primary-vds0 disk@0 primary
  ldom2_root ldom2_root@primary-vds0 disk@1 primary
  VCONS
  NAME SERVICE PORT
  group1 primary-vcc0@primary 5000
  [1657]root@server2ldom1:~# ifconfig -a
  lo0: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
  inet 127.0.0.1 netmask ff000000
  lo0:1: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
  zone server2ldom1z3
  inet 127.0.0.1 netmask ff000000
  lo0:2: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
  zone server2ldom1z2
  inet 127.0.0.1 netmask ff000000
  lo0:3: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
  zone server2ldom1z6
  inet 127.0.0.1 netmask ff000000
  lo0:4: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
  zone server2ldom1jboss
  inet 127.0.0.1 netmask ff000000
  lo0:5: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
  zone server2ldom1apache
  inet 127.0.0.1 netmask ff000000
  lo0:6: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
  zone server2ldom1z1
  inet 127.0.0.1 netmask ff000000
  vnet0: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
  inet 10.10.0.21 netmask ffffff00 broadcast 10.10.0.255
  ether 0:14:4f:fb:1a:ff
  vnet0:1: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
  zone server2ldom1z2
  inet 10.10.0.33 netmask ffffff00 broadcast 10.10.0.255
  vnet0:2: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
  zone server2ldom1z6
  inet 10.10.0.36 netmask ffffff00 broadcast 10.10.0.255
  vnet0:3: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
  zone server2ldom1jboss
  inet 10.10.0.34 netmask ffffff00 broadcast 10.10.0.255
  vnet0:4: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
  zone server2ldom1jboss
  inet 10.10.0.35 netmask ffffff00 broadcast 10.10.0.255
  vnet0:5: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
  zone server2ldom1z1
  inet 10.10.0.32 netmask ffffff00 broadcast 10.10.0.255
  vnet0:6: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
  zone server2ldom1z1
  inet 10.10.0.74 netmask ffffff00 broadcast 10.10.0.255
  vnet0:7: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
  zone server2ldom1jboss
  inet 10.10.0.87 netmask ffffff00 broadcast 10.10.0.255
  vnet1: flags=1000842<BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 3
  inet 0.0.0.0 netmask 0
  ether 0:14:4f:f8:17:ff
  vnet1:1: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 3
  zone server2ldom1z3
  inet 10.10.1.101 netmask fffffc00 broadcast 10.10.47.255
  vnet1:2: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 3
  zone server2ldom1apache
  inet 10.10.1.5 netmask fffffc00 broadcast 10.10.47.255
  [1701]root@server2ldom1:~# zonecfg -z server2ldom1jboss info
  zonename: server2ldom1jboss
  zonepath: /zones/server2ldom1jboss
  brand: native
  autoboot: true
  bootargs:
  pool:
  limitpriv:
  scheduling-class:
  ip-type: shared
  inherit-pkg-dir:
  dir: /lib
  inherit-pkg-dir:
  dir: /platform
  inherit-pkg-dir:
  dir: /sbin
  inherit-pkg-dir:
  dir: /usr
  inherit-pkg-dir:
  dir: /opt/sfw
  inherit-pkg-dir:
  dir: /opt/
  net:
  address: 10.10.0.34
  physical: vnet0
  defrouter: 10.10.0.1
  net:
  address: 10.10.0.35
  physical: vnet0
  defrouter: 10.10.0.1
  net:
  address: 10.10.0.87
  physical: vnet0
  defrouter: 10.10.0.1
  attr:
  name: comment
  type: string
  value: server2ldom1jboss
  [1702]root@server2ldom1:~# zonecfg -z server2ldom1apache info
  zonename: server2ldom1apache
  zonepath: /zones/server2ldom1apache
  brand: native
  autoboot: true
  bootargs:
  pool:
  limitpriv:
  scheduling-class:
  ip-type: shared
  inherit-pkg-dir:
  dir: /lib
  inherit-pkg-dir:
  dir: /platform
  inherit-pkg-dir:
  dir: /sbin
  inherit-pkg-dir:
  dir: /usr
  inherit-pkg-dir:
  dir: /opt/sfw
  inherit-pkg-dir:
  dir: /opt/
  net:
  address: 10.10.1.5/22
  physical: vnet1
  defrouter not specified
  attr:
  name: comment
  type: string
  value: server2ldom1apache
  Edited by: coreyva on Feb 18, 2012 11:36 AM

  After further research, I think the best course of action will be to create a VLAN for the zone behind the BigIP and then create the corresponding interface in the vlan and zone. Using this links as my references in case anyone is interested. I'll post what I come up with.
  https://blogs.oracle.com/stw/entry/using_ip_instances_with_vlans
  https://blogs.oracle.com/stw/entry/solaris_zones_and_networking_common
  http://docs.oracle.com/cd/E19253-01/816-4554/816-4554.pdf # AdministeringVirtualLocalAreaNetworks
  http://docs.oracle.com/cd/E19053-01/ldoms.mgr11/820-4913-10/820-4913-10.pdf # Assign VLANs to a Virtual Switch and Virtual
  Network Device

• SA520 load balancing for multiple IPSec connections

  Hello,
  I just would like to ask whether the following is possible or what other people think might be the best way to go.
  Let me describe the current setup:
  Our company has a main office which is connected to the internet through an SA520W appliance, and two satellite offices which have other IPSec routers installed. The SA520W is currently only connected through the main WAN interface to a DSL line (DSL 16000). The tunnels are established and it all works quite well.
  However, we have experienced lags and slow connections when someone transfers a larger file from the main office to the outside (either satellite office or, say, some FTP server on the internet). This is of course due to the limited upload capacity of the DSL line. Therefore, I am thinking about getting another DSL line for use as the optional WAN port of the SA520W.
  My question is: Is it possible to establish two IPSec tunnels from a satellite office to the main office, one to the main WAN port and one to the optional WAN port of the SA520W? The two main hurdles I see with that is that a) the SA520W can only bind IPSec to one port and b) the network mask of each IPSec phase 2 needs to identify the subnet uniquely. Am I correct with the assumption that this cannot be done?
  If so, the only way I can see right now is to bind all IPsec traffic to the optional port and have at least main office <-> internet traffic separated from all IPSec traffic. Or has anyone a better solution to this?
  Thanks in advance,
  Roland

  I honestly don't recall any issues with the load balancing. I've personally never seen an issue, opened a case for one or observed a problem in my lab using multiple T1 lines...
  That's not to say there could be a problem. But as far as I know this aspect of the router is solid.
  The only thing I strongly dislike about most modern DSL deployments, the ISP like to give out "residential" or "business" gateways. These things just make life terrible since it is a router/nat device.
  -Tom
  Please rate helpful posts

• Load Balancing using Virtual IP on DMZ interface of 5520 ASA

  We want to achieve a load balancing scenario using Virtual IP on DMZ interface on a Cisco ASA 5520.
  The IPs we are going to use on DMZ are 10.15.1.2 and 10.15.1.3
  These IPs are going to be NATted to all inside IPs.
  Lets say our outside IP is X.X.X.X
  This IP points to 10.15.1.2 and 10.15.1.3 with .2 being the primary and .3 being the secondary.
  When I hit the outside IP, it should point me to .2 and that .2 should take me to the inside IPs.
  I need configuration assistance with that.

  Hi Pratik,
  The ASA does not support having 1 global/translated IP address on the outside mapped to multiple local/real IP addresses on the DMZ. If it did, the ASA would have no way of deciding if traffic destined to X.X.X.X is really meant for 10.15.1.2 or 10.15.1.3. For this scenario, you should use a dedicated load balancer or a router that supports policy-based routing.
  -Mike

• Using a single CSS to load balance multiple services

  Is it possible to use a single CSS to load balance 3 different services (server farm) ? That mean the CSS need to advertise 3 VIP
  I'm thinking of two scenarios:
  1 - configure the CSS to use 4 interfaces: 1 to public, 3 to private (each interface will plug-in to a different vlan/server farm)
  2 - configure the CSS to use 2 interfaces: 1 to public, 1 to private (all 3 server farms are in the same vlan)
  Will both scenarios work ?
  Thanks
  --Phillip.

  Hi Phillip,
  both scenarios will work. One CSS can certainly manage more than 3 services! You can even use just one VIP for all traffic, then just create the proper rules to send specific traffic to the corresponding service(s). No need for 3 VIPs.
  Regards
  -juerg

• Cisco 886VA - Multiple PPPoE Line Load Balancing

  Dear Cisco Community,
  due to the need of increased bandwidth a customer ordered three ADSL6000/576Kbit lines from the same ISP. Dial-in is done with PPPoE and the IP is not static.
  - Is it possible to load balance between the three ISP lines with this router as the Cisco 886VA-K9 (Advanced IP Services) doesnt support PFR/OER I want to load balance per session, meaning each TCP session takes the same path, the next TCP session takes second path, next TCP session takes third path, then first path again and so on.
  - I did read the tutorials avaiable, but they don't discuss how the lines are used in round-robin fashion, just how to distribute different traffic on different lines. (https://supportforums.cisco.com/document/32186/dual-internet-links-nating-pbr-and-ip-sla?page=1) or (http://www.cisco.com/c/en/us/support/docs/ip/network-address-translation-nat/100658-ios-nat-load-balancing-2isp.html)
  - How would you solve this challenge?
  Relevant config so far:
  vlan 1
   name #LAN#
  vlan 2
   name #WAN-Uplink1#
  vlan 3
   name #WAN-Uplink2#
  interface FastEthernet0
   description #LAN#
   switchport access vlan 1
  interface FastEthernet2
   description #WAN-Uplink1#
   switchport access vlan 2
   no ip address
   pppoe enable
   pppoe-client dial-pool-number 20
  interface FastEthernet3
   description #WAN-Uplink2#
   switchport access vlan 3
   no ip address
   pppoe enable
   pppoe-client dial-pool-number 30
  interface ATM0
   description #WAN-Uplink3#
   no ip address
   logging event atm pvc state
   logging event atm pvc autoppp
   logging event subif-link-status
   no atm ilmi-keepalive
   no ip redirects
   no ip unreachables
   no ip proxy-arp
   dsl enable-training-log delay 0
   dsl bitswap both
  interface ATM0.1 point-to-point
   bandwidth 550
   bandwidth receive 6000
   pvc pvc 1/32
    pppoe enable
    pppoe-client dial-pool-number 10
    vbr-nrt 500 500 1
    service-policy out WAN-Control1-Parent
  interface Vlan1
   description #LAN#
   ip address 172.16.1.1 255.255.255.0
   ip nat inside
   ip virtual-reassembly in
  interface Dialer1
   description #WAN-Dialer1#
   bandwidth 550
   bandwidth receive 6000
   ip address negotiated
   ip mtu 1492
   ip nat outside
   ip virtual-reassembly in
   encapsulation ppp
   ip tcp adjust-mss 1452
   dialer pool 20
   dialer idle-timeout 0
   ppp authentication chap pap callin
   ppp chap hostname XXX
   ppp chap password XXX
   ppp pap sent-username XXX
   ppp ipcp dns request accept
   ppp ipcp route default
   ppp ipcp address accept
   no cdp enable
   service-policy output WAN-Control2-Parent
  interface Dialer2
   description #WAN-Dialer2#
   bandwidth 550
   bandwidth receive 6000
   ip address negotiated
   ip mtu 1492
   ip nat outside
   ip virtual-reassembly in
   encapsulation ppp
   ip tcp adjust-mss 1452
   dialer pool 30
   dialer idle-timeout 0
   ppp authentication chap pap callin
   ppp chap hostname XXX
   ppp chap password XXX
   ppp pap sent-username XXXX
   ppp ipcp dns request accept
   ppp ipcp route default
   ppp ipcp address accept
   no cdp enable
   service-policy output WAN-Control3-Parent
  interface Dialer3
   description #WAN-Dialer3-ATM#
   bandwidth 550
   bandwidth receive 6000
   ip address negotiated
   ip mtu 1492
   ip nat outside
   ip virtual-reassembly in
   encapsulation ppp
   ip tcp adjust-mss 1452
   dialer pool 10
   dialer idle-timeout 0
   ppp authentication chap pap callin
   ppp chap hostname XXX
   ppp chap password 7 XXX
   ppp pap sent-username xxx
   ppp ipcp dns request accept
   ppp ipcp route default
   ppp ipcp address accept
   no cdp enable
  ip nat inside source route-map ISP1 interface Dialer1 overload
  ip nat inside source route-map ISP2 interface Dialer2 overload
  ip nat inside source route-map ISP3 interface Dialer3 overload
  route-map ISP1 permit 10
   match ip address 100
   match interface Dialer1
  route-map ISP2 permit 10
   match ip address 100
   match interface Dialer2
  route-map ISP3 permit 10
   match ip address 100
   match interface Dialer3
  access-list 100 remark #NAT-LIST#
  access-list 100 permit ip 172.16.1.0 0.0.0.255 any
  Thank you for helping.

  Hey there,
  I managed to fulfill my requirement..
  If its a cluster on same machine or across machines, this should work
  1. Login to machine, cd $DOMAIN_HOME
  2. mkdir -p Apex_lsn_config/AdminServer Apex_lsn_config/<MS1> Apex_lsn_config/<MS2> # MS1 and MS2 are the Managed Server names as appropriate
  #If you are planning for cluster spawning MS's across machines, make sure you create the dir's on step 2 for each machine respectively. (in my case $DOMAIN_HOME is not shared)
  3. Copy apex-config.xml from the /tmp/apex or whatever location you have it currently to Apex_lsn_config/<MS1> Apex_lsn_config/<MS2>
  4. cd $DOMAIN_HOME/bin; cp -p SetDomainEnv.sh SetDomainEnv.sh.orig #Backup the file
  5. Append -Djava.io.tmpdir in SetDomainEnv.sh as below for JAVA_OPTIONS # Do it on both machine if you are not sharing DOMAIN_HOME and planning cluster across machines
  -Djava.io.tmpdir=$DOMAIN_HOME/APEX_CONFIG/${SERVER_NAME}
  Hint: Search for "iterativeDev" and append the same line with -Djava.jo.tmpdir
  6. Modify "java.io.tmpdir" from the web.xml file of apex.war as below and re-deploy the war
  <context-param>
       <param-name>config.dir</param-name>
       <param-value>${java.io.tmpdir}</param-value>
  </context-param>
  7. Bounce Weblogic Admin and Manged Servers. Make sure to tail the Managed Server log to see apex-config.xml is picked from the new location.
  8. Brew a Coffee for yourself :)
  - You find the instructions on creating a cluster from weblogic documentation, the steps mentioned above are only to overcome the bdb locking issue whilst creating a cluster.
  Did it help?
  Edited by: Oratime on Mar 25, 2013 2:44 AM

• CSS10500 Load Balancing Multiple Hosts

  Hello,
  I have a CSS10500 switch and i would like to load balance the connections to a couple of hosts. My setup (roughly) is as follows
  int e1-RTR1-------->int e2-Host1
                   -------->int e3-Host2
  and
  int e5-RTR2------>int e6-Host1
                   ------>int e7-Host2
  How can i assing different interfaces to the two sets of hosts??? I want all ports (0-65535 and tcp/udp)  to go to both sets. I made a circuit vlan 1 and assigned it an ip address but i cannot make a circuit vlan 2 and when i assign multiple addresses to vlan1 i cannot somehow assign interfaces to each ip.
  Is there anything i can do??
  Sorry for all the fuss i am new to the CSS concept.

  Let's start with the basic
  http://www.cisco.com/en/US/products/hw/contnetw/ps792/products_configuration_example09186a008009438d.shtml
  If you can't make it work, get back to us with whatever you have configured.
  Verify that you can ping the CSS from the router and the server.
  Gilles.