VPN Concentrator Load Balancing

When presented with an enterprise network installation with VPN concentrators running in parallel, it does not make logical sense to have all remote clients connecting to the same concentrator. This is especially true if there is a particularly high session load that is due to a substantial number of remote users. In these particular networks, it would be practical to have the parallel concentrators share session loads (load balance) so that a single concentrator does not get overwhelmed.

Concentrator load balancing is extremely similar to concentrator redundancy; however, redundancy and load balancing cannot run simultaneously. Load balancing is a way to offload connecting sessions to other underutilized concentrators in a cluster that are running in parallel to the master. All the concentrators agree on a virtual IP address and report their utilization to the master by using the Virtual Clustering Agent (VCA) protocol. At any given time, the master concentrator learns the session load of each concentrator in the cluster by calculating the percentage of current active sessions divided by the configured maximum allowed connections. When devices initiate their IPSec tunnels to the virtual IP address, the master concentrator processes the request. If there is another parallel concentrator that has a low session load, the master can send a redirect message in IKE phase 1 to tell the connecting client with which concentrator it is to initiate a connection.

To configure load balancing, you have to define the virtual IP address and listening port, as shown in Figure 6.10. You can also implement security for these VCA advertisements by encrypting the contents and assigning a password that must match in all concentrators in the cluster. For the device parameters section of this page, you must enable the load balancing on the concentrator (it is disabled by default) and specify a priority. The master of the cluster is typically the first concentrator to come online. If the concentrators come online at the same time, the highest priority becomes the master concentrator of the cluster. Table 6.1 shows the default priorities according to the concentrator model.

Figure 6.10. Reverse load balancing configuration screen.


Table 6.1. Default Load Balancing Priorities

Concentrator    Priority
3005            1
3015            3
3030            5
3060            7
3080            9
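The master's load calculation and IKE phase 1 redirect decision described above, together with the master election rule and the Table 6.1 priorities, modelled as an added Python example (not code from the book or from Cisco's VCA implementation). The data model, the tie-break on equal load and the handling of a fully loaded cluster are assumptions of this sketch, not documented VCA behaviour.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Default load-balancing priorities by model (Table 6.1).
DEFAULT_PRIORITY = {"3005": 1, "3015": 3, "3030": 5, "3060": 7, "3080": 9}

@dataclass
class Concentrator:
    name: str
    model: str
    active_sessions: int
    max_connections: int            # configured maximum allowed connections
    online_at: float                # seconds after cluster start (constructed)
    priority: Optional[int] = None  # None = use the model's default priority

    def __post_init__(self) -> None:
        if self.max_connections <= 0:
            raise ValueError(f"{self.name}: max_connections must be positive")
        if self.priority is None:
            self.priority = DEFAULT_PRIORITY[self.model]

    def load_percent(self) -> float:
        # Session load as the master computes it: active / maximum, in percent.
        return 100.0 * self.active_sessions / self.max_connections

def elect_master(cluster: List[Concentrator]) -> Concentrator:
    # First unit online becomes master; a tie goes to the highest priority.
    return min(cluster, key=lambda c: (c.online_at, -c.priority))

def place_session(cluster: List[Concentrator],
                  master: Concentrator) -> Tuple[Optional[str], bool]:
    # The client's IKE phase 1 reaches the master through the virtual IP. If a
    # peer carries a strictly lower load, the master answers with a redirect to
    # it (tie-break, assumed here: keep the session on the master). Returns
    # (serving unit, redirected); (None, False) if every unit is at its maximum.
    least = min(cluster, key=lambda c: c.load_percent())
    if least.load_percent() >= 100.0:
        return None, False
    if least is master or least.load_percent() >= master.load_percent():
        return master.name, False
    return least.name, True

# Constructed sample cluster; names, session counts and boot times are made up.
CLUSTER = [
    Concentrator("vpn-a", "3080", active_sessions=900, max_connections=1000, online_at=0.0),
    Concentrator("vpn-b", "3060", active_sessions=100, max_connections=500, online_at=0.0),
    Concentrator("vpn-c", "3015", active_sessions=50, max_connections=100, online_at=5.0),
]
```

With the sample cluster, `elect_master(CLUSTER)` picks vpn-a (same boot time as vpn-b, higher default priority) and `place_session(CLUSTER, master)` redirects the new client to vpn-b, the least-loaded unit.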

The "NAT Assigned IP Address" field must be configured if an outside device is performing NAT on the virtual IP address. In this field, specify the public IP address to which the virtual address is translated by the NAT device.

Tip: For the VCA protocol to be sent and received on interfaces, you must apply the VCA filters on the public and the private interfaces.


CCSP CSVPN Exam Cram 2 (Exam 642-511)
ISBN: 078973026X
Year: 2002
Pages: 185