6-7 Server Load Balancing (SLB)

  • SLB is used to provide a virtual server IP address to which clients can connect, representing a group of real physical servers in a server farm.

  • As clients open new connections to the virtual server, SLB decides which real server to use based on a load-balancing algorithm.

  • Server load balancing is performed by one of these methods:

    • Weighted round robin: Each real server is assigned a weight that lets it handle connections relative to the other servers. For a weight n, a server is assigned n consecutive new connections before SLB moves on to the next server.

    • Weighted least connections: SLB assigns new connections to the real server with the fewest active connections relative to its capacity. Each real server is assigned a weight m, and its capacity for active connections is m divided by the sum of all server weights. SLB assigns each new connection to the real server whose number of active connections is furthest below its capacity.

      With weighted least connections, SLB also controls access to a real server that has just come into service, providing a slow-start function. New connections to that server are rate-limited and allowed to increase gradually so that the server is not overloaded before it is ready.

  • The virtual server can masquerade as the IP address for all TCP and UDP ports of the real server farm. In addition, the virtual server can appear as the IP address of a single port or service of a server farm.

  • Sticky connections allow SLB to assign new connections from a client to the last real server the client used.

  • SLB can detect a real server failure, take the failed server out of service, and return it to service as soon as it is working again.

  • SLB provides a control mechanism over incoming TCP SYN floods to the real servers. This can prevent certain types of denial-of-service attacks.

  • SLB can coexist with HSRP to provide a "stateless backup." If one SLB router fails, a redundant router can take over the SLB function.

  • A router performing SLB can also operate as a Dynamic Feedback Protocol (DFP) load-balancing manager. The DFP manager collects capacity information from DFP agents running on the real servers.

Configuration

  1. Define a server farm.

    1. Assign a name to the server farm:

       (global) ip slb serverfarm serverfarm-name

      The server farm is identified by serverfarm-name (a text string of up to 15 characters).

    2. (Optional) Select a load-balancing algorithm for the server farm:

       (server-farm) predictor {roundrobin | leastconns}

      SLB selects a real server using roundrobin (weighted round robin, the default) or leastconns (weighted least connections).

    3. (Optional) Enable server NAT:

       (server-farm) nat server

      By default, the virtual server and real server addresses must be Layer 2-adjacent: SLB forwards packets between the virtual server and a real server by rewriting only the MAC addresses. Server NAT can be used instead, allowing the virtual and real servers to have addresses from separate IP subnets. SLB then rewrites the Layer 3 IP addresses as it forwards packets between the virtual and real servers, so the real servers can be separated from the SLB router by multiple routing hops.

    4. Specify one or more real servers.

      • Identify the real server:

         (server-farm) real ip-address

        The real server has the IP address given by ip-address.

      • (Optional) Specify the maximum number of connections:

         (real-server) maxconns number

        At any given time, the real server is limited to number (1 to 4294967295; the default is 4294967295) active connections.

      • (Optional) Assign a relative capacity weight:

         (real-server) weight weighting-value

        The real server is assigned a weighting-value (1 to 255; the default is 8) that indicates its capacity relative to the other real servers in the server farm. For weighted round robin, weighting-value is the number of consecutive connections the server receives before SLB moves to the next server. For weighted least connections, the next connection goes to the server whose number of active connections is furthest below its capacity, where capacity is weighting-value divided by the sum of all real server weighting values in the server farm.

      • (Optional) Reassign connections when a server doesn't answer:

         (real-server) reassign threshold

        SLB attempts to assign a new connection to a real server by forwarding the client's initial SYN. If the server does not answer with a SYN/ACK before the client retransmits its SYN, an unanswered SYN is recorded. After threshold (1 to 4; the default is 3) unanswered SYNs for the same connection, SLB reassigns the connection to the next real server.

      • (Optional) Define a failed server threshold:

         (real-server) faildetect numconns number-conns [numclients number-clients]

        A server is declared failed when number-conns (1 to 255; the default is 8) TCP connections have been reassigned away from it to another server. The numclients keyword additionally specifies number-clients (1 to 8; the default is 2), the number of unique clients that must have had connection failures on the server.

      • (Optional) Specify the amount of time that must pass before a failed server is retried:

         (real-server) retry retry-value

        After a real server is declared failed, SLB waits retry-value (1 to 3600 seconds; the default is 60 seconds) before assigning a new connection to it to test whether it has recovered. A retry-value of 0 indicates that no new connections are attempted to the failed server.

      • Allow SLB to begin using the real server:

         (real-server) inservice

        By default, the real server is not used by SLB unless it is placed in service. To remove a server from service, use no inservice.

  2. Define a virtual server for the server farm.

    1. Name the virtual server:

       (global) ip slb vserver virtserver-name

      The virtual server is given the name virtserver-name (a text string of up to 15 characters).

    2. Assign the virtual server to a server farm:

       (virtual-server) serverfarm serverfarm-name

      SLB uses the virtual server as the front end for the server farm named serverfarm-name (a text string of up to 15 characters).

    3. Define the virtual server capabilities:

       (virtual-server) virtual ip-address {tcp | udp} port [service service-name]

      The virtual server appears as IP address ip-address and load-balances the specified TCP or UDP port, given as a number or one of these keywords: dns or 53 (Domain Name System), ftp or 21 (File Transfer Protocol), https or 443 (HTTP over SSL), www or 80 (HTTP), telnet or 23 (Telnet), smtp or 25 (SMTP), pop3 or 110 (POPv3), pop2 or 109 (POPv2), nntp or 119 (Network News Transport Protocol), or matip-a or 350 (Mapping of Airline Traffic over IP, type A). A port number of 0 indicates that the virtual server accepts connections on all ports.

      The service keyword forces SLB to assign all connections associated with the named service-name (ftp) from a client to the same real server, so that the FTP control and data connections are not split across servers.

    4. (Optional) Allow only specific clients to use the virtual server:

       (virtual-server) client ip-address network-mask

      Clients having IP addresses within the range given by ip-address (the default is 0.0.0.0, or all addresses) and network-mask (the default is 0.0.0.0, or all networks) are allowed to connect to the virtual server.

    5. (Optional) Assign connections from the same client to the same real server:

       (virtual-server) sticky duration [group group-id]

      For a given client, connections are assigned to the last-used real server for duration (0 to 65535 seconds). Virtual servers can be assigned to a group-id (0 to 255) so that related services requested by the same client are assigned to the same real server.

    6. (Optional) Hold the connection context after a connection is terminated:

       (virtual-server) delay duration

      After a TCP connection is terminated, SLB keeps the connection context for duration (1 to 600 seconds; the default is 10 seconds). This is useful when packets arrive out of sequence and the connection is torn down before the last data packet arrives.

    7. (Optional) Hold connections open after no activity:

       (virtual-server) idle duration

      When SLB detects an absence of packets for a connection, it keeps the connection open for duration (10 to 65535 seconds; the default is 3600 seconds, or 1 hour) before sending an RST.

    8. (Optional) Prevent a SYN flood to the real servers:

       (virtual-server) synguard syn-count interval

      SLB counts the SYNs received for the virtual server. If more than syn-count (0 to 4294967295; the default is 0, which disables SYN monitoring) SYNs are received within interval (50 to 5000 milliseconds; the default is 100 ms), any subsequent SYNs are dropped.

    9. (Optional) Prevent advertisement of the virtual server:

       (virtual-server) no advertise

      By default, SLB creates a static route for the virtual server address to the Null0 logical interface. This static route can then be redistributed and advertised by a routing protocol. Disabling advertisement prevents the static route from being created.

    10. Allow SLB to begin using the virtual server:

       (virtual-server) inservice [standby group]

      By default, the virtual server is not used by SLB unless it is placed in service. To remove a virtual server from service, use no inservice. HSRP can be used to provide virtual server redundancy. Use the standby keyword to associate the virtual server with the HSRP group that is defined on the appropriate interface. Refer to Section 6-3 for further configuration information.

  3. (Optional) Use SLB Dynamic Feedback Protocol (DFP).

    1. Enable DFP:

       (global) ip slb dfp [password password [timeout]]

      The router can become a DFP load-balancing manager. DFP can be configured with a password (text string) for MD5 authentication with a host agent. The optional timeout (the default is 180 seconds) defines a time period when the password can be migrated from an old value to a new one. During this time, both old and new passwords are accepted.

    2. Specify a DFP agent:

       (dfp) agent ip-address port [timeout [retry-count [retry-interval]]]

      A DFP agent on a real server is identified by its ip-address and the port it listens on. The agent (on the server) must contact the DFP manager (the router) at least every timeout seconds (the default is 0, meaning no timeout period). If contact is lost, the manager attempts to reconnect to the agent retry-count times (the default is 0, meaning an unlimited number of retries) at intervals of retry-interval seconds (the default is 180 seconds).

Example

Figure 6-5 shows a network diagram for this example. SLB is configured on a router to provide load balancing to a server farm of four Web servers. The real Web servers are grouped into a server farm called WWW, having IP addresses 192.168.254.10, 192.168.254.11, 192.168.254.12, and 192.168.254.13. SLB uses the weighted least connections algorithm for load balancing between the real servers.

Figure 6-5. Network Diagram for the SLB Example


Two servers are given weights of 32, one server has a weight of 16, and one server has a weight of 8. New connections are assigned to the server with the fewest active connections relative to its capacity. For example, servers 192.168.254.10 and 192.168.254.11 each have a weight of 32 and a capacity of 32/(32+32+16+8), or 32/88. Server 192.168.254.12 has a weight of 16 and a capacity of 16/(32+32+16+8), or 16/88. Server 192.168.254.13 has a weight of 8 and a capacity of 8/(32+32+16+8), or 8/88. At any given time, the server whose number of active connections is furthest below its capacity receives the next new connection.
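The two predictors described under the load-balancing methods at the top of this section, and the capacity arithmetic of this example, worked through in code. This is an added example, not code from the Cisco Field Manual or from IOS SLB itself: it models weighted round robin and weighted least connections exactly as the text defines them, over the server farm of this example (weights 32, 32, 16, 8). Resolving ties in farm order, and measuring "furthest below capacity" as capacity times the total active connections minus the server's own count, are assumptions drawn from the text's definition; the real IOS implementation is not documented on this page.

```python
"""Simulation of the two IOS SLB predictors described in this section.

Added example, not code from the Cisco Field Manual or from IOS SLB.
Tie-breaking in farm order and the deficit comparison are assumptions.
"""
from collections import Counter
from fractions import Fraction

# Constructed server farm from the worked example: real server -> weight
FARM = {
    "192.168.254.10": 32,
    "192.168.254.11": 32,
    "192.168.254.12": 16,
    "192.168.254.13": 8,
}


def capacities(farm):
    """Capacity of each real server: its weight divided by the sum of all weights."""
    total = sum(farm.values())
    return {addr: Fraction(weight, total) for addr, weight in farm.items()}


def weighted_round_robin(farm, n_conns):
    """Return the real server chosen for each of n_conns new connections.

    A server with weight n receives n consecutive connections before SLB
    moves on to the next server in the farm.
    """
    order = list(farm)
    assignments = []
    idx = used = 0
    for _ in range(n_conns):
        addr = order[idx]
        assignments.append(addr)
        used += 1
        if used == farm[addr]:          # this server's quota is spent
            idx = (idx + 1) % len(order)
            used = 0
    return assignments


def pick_least_connections(farm, active):
    """Choose the real server whose active connections are furthest below capacity.

    `active` maps real server -> current active connections. The expected
    load of a server is capacity * total active connections; its deficit is
    that expected load minus its actual count. The largest deficit wins;
    ties go to the earliest server in farm order (assumption).
    """
    total_active = sum(active.get(addr, 0) for addr in farm)
    best, best_deficit = None, None
    for addr, cap in capacities(farm).items():
        deficit = cap * total_active - active.get(addr, 0)
        if best is None or deficit > best_deficit:
            best, best_deficit = addr, deficit
    return best


def simulate_least_connections(farm, n_conns):
    """Assign n_conns connections one after another with none closing in
    between; return the sequence of choices and the final per-server counts."""
    active = Counter()
    assignments = []
    for _ in range(n_conns):
        addr = pick_least_connections(farm, active)
        active[addr] += 1
        assignments.append(addr)
    return assignments, dict(active)


if __name__ == "__main__":
    for addr, cap in capacities(FARM).items():
        print(f"{addr} capacity {cap} ({float(cap):.3f})")
    print("weighted round robin, 88 connections:",
          dict(Counter(weighted_round_robin(FARM, 88))))
    seq, counts = simulate_least_connections(FARM, 11)
    print("weighted least connections, 11 connections:", seq, counts)
```

With 88 new connections, weighted round robin hands the first 32 to 192.168.254.10, the next 32 to .11, then 16 to .12 and 8 to .13, so a burst of clients lands entirely on one server until its quota is used up. Weighted least connections spreads the same proportions continuously: the first four connections go to .10, .11, .12 and .13 in turn, and after eleven the counts stand at 4, 4, 2 and 1. This is why the text recommends the least-connections predictor for the slow-start case: a server just returned to service starts with zero active connections and would otherwise receive a full quota at once.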

A virtual server named ExtranetWeb is configured with IP address 172.30.29.100 to load-balance only WWW (TCP port 80) traffic. Only clients on the 172.16.0.0/16 network are allowed to initiate connections to the virtual server. Connections are made sticky (sent to the real server last used by the same client) for 120 seconds. SLB also performs SYN guard, dropping further SYNs once more than 1000 have arrived within a 1000-millisecond (1-second) interval.

  interface fastethernet 1/0
   description Server farm LAN
   ip address 192.168.254.1 255.255.255.0
  interface fastethernet 2/0
   description Corporate network
   ip address 172.30.29.1 255.255.255.0
  ip slb serverfarm WWW
   predictor leastconns
   nat server
   real 192.168.254.10
    weight 32
    inservice
   real 192.168.254.11
    weight 32
    inservice
   real 192.168.254.12
    weight 16
    inservice
   real 192.168.254.13
    weight 8
    inservice
  ip slb vserver ExtranetWeb
   serverfarm WWW
   virtual 172.30.29.100 tcp www
   client 172.16.0.0 255.255.0.0
   sticky 120
   synguard 1000 1000
   inservice
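The synguard 1000 1000 line in the configuration above (step 2.8 of the configuration procedure), modelled in code so that its effect on a legitimate client during a flood is visible. This is an added example, not IOS code. The page says that once more than syn-count SYNs arrive for the virtual server within the interval, subsequent SYNs are dropped; the model implements that as a counter that resets at each interval boundary, and whether IOS uses such a fixed window or a sliding one is an assumption. The packets are constructed tuples of (time in ms, source address, TCP flags); the flood source 10.9.9.9 and client 172.16.1.20 are invented for the example.

```python
"""Model of IOS SLB `synguard syn-count interval` as described in this section.

Added example, not IOS code. Fixed-window counting and the sample traffic
are assumptions made for illustration.
"""
from collections import defaultdict


def syn_guard(packets, syn_count, interval_ms):
    """Apply the SYN guard to a packet list; return (forwarded, dropped).

    syn_count == 0 disables monitoring, matching the IOS default. Only a
    pure SYN (SYN set, ACK clear) is counted; the SYN that pushes the count
    in the current interval above syn_count, and every later SYN in that
    interval, is dropped. The counter restarts when the interval expires.
    """
    forwarded, dropped = [], []
    window_start, seen = None, 0
    for pkt in sorted(packets, key=lambda p: p[0]):
        time_ms, _src, flags = pkt
        is_syn = "S" in flags and "A" not in flags
        if syn_count == 0 or not is_syn:
            forwarded.append(pkt)
            continue
        if window_start is None or time_ms - window_start >= interval_ms:
            window_start, seen = time_ms, 0      # new interval, counter resets
        seen += 1
        (dropped if seen > syn_count else forwarded).append(pkt)
    return forwarded, dropped


def per_source(pkts):
    """Count packets per source address (used to see who the guard hit)."""
    counts = defaultdict(int)
    for _time_ms, src, _flags in pkts:
        counts[src] += 1
    return dict(counts)


def build_sample():
    """Constructed traffic towards the virtual server:
    - a flood source sending 1,200 SYNs spread over the first second,
    - a legitimate client whose SYN arrives at 950 ms, during the flood,
    - the same client retransmitting at 1,950 ms, after the counter reset,
    - the client's handshake ACK at 1,960 ms, which is never counted."""
    pkts = [(i * 1000 // 1200, "10.9.9.9", "S") for i in range(1200)]
    pkts.append((950, "172.16.1.20", "S"))
    pkts.append((1950, "172.16.1.20", "S"))
    pkts.append((1960, "172.16.1.20", "A"))
    return pkts


if __name__ == "__main__":
    fwd, drp = syn_guard(build_sample(), syn_count=1000, interval_ms=1000)
    print("forwarded:", per_source(fwd))
    print("dropped:  ", per_source(drp))
```

The guard does what the text promises for the real servers: of the flood's 1,200 SYNs only 1,000 reach the server farm in that second. The caveat for a defender is that the count is kept per virtual server, not per source, so the legitimate client's SYN at 950 ms is dropped along with the flood and the client only gets through on a retransmission that lands in a later interval. Size syn-count well above the legitimate connection rate, and treat synguard as protection for the real servers rather than as a substitute for filtering the flood upstream. On the router, show ip slb vservers and show ip slb stats show the virtual servers and the SLB counters for checking that the guard is in effect.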


Cisco Field Manual: Router Configuration
ISBN: 1587050242
Year: 2005
Pages: 185