HP Load Balancing Module Load Balancing Configuration Guide Part number: 5998-2685 Document version: 6PW101-20120217
Legal and notice information Copyright 2012 Hewlett-Packard Development Company, L.P. No part of this documentation may be reproduced or transmitted in any form or by any means without prior written consent of Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. HEWLETT-PACKARD COMPANY MAKES NO WARRANTY OF ANY KIND WITH REGARD TO THIS MATERIAL, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. Hewlett-Packard shall not be liable for errors contained herein or for incidental or consequential damages in connection with the furnishing, performance, or use of this material. The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein.
Contents
Load balancing configuration
  Load balancing overview
    Classification of LB
    Working mechanism of server load balancing
    Working mechanism of firewall load balancing
  Configuring IPv4 server/firewall load balancing
    Configuration considerations
    Configuration task list
    Configuring global parameters
    Creating a real service group
    Creating a real service
    Enabling stopping service or slow-offline
    Creating a virtual service
    Displaying server load balancing statistics
    Setting health monitoring parameters
  Load balancing configuration examples
    Server load balancing configuration example
    Firewall load balancing configuration example
Support and other resources
  Contacting HP
    Subscription service
  Related information
    Documents
    Websites
  Conventions
Index
Load balancing configuration
NOTE: The SecBlade LB module supports configuring IPv4 server load balancing and firewall load balancing only in the web interface.

Load balancing overview
Load balancing (referred to as LB hereinafter) is a cluster technology that distributes specific services, such as network services and network traffic, among multiple network devices (for example, servers and firewalls), enhancing service processing capability and ensuring high reliability of services.
LB offers the following advantages:
High performance: LB distributes services to multiple network devices, enhancing the performance of the whole system.
Scalability: LB facilitates the addition of network devices to a cluster, meeting ever-increasing service requirements without decreasing service quality.
Reliability: Failure of one or more devices does not interrupt service, enhancing the reliability of the entire system.
Manageability: Administration is performed only on the LB-enabled device(s); the other devices need only common configuration and maintenance.
Transparency: A cluster appears to users as a single device with high availability and performance; users are not aware of, and do not need to care about, the specific network structure. Adding or removing devices does not affect normal services.

Classification of LB
LB generally falls into two types:
Server load balancing
Firewall load balancing
The two types of load balancing are applied in the following scenarios:
Server load balancing: Data centers generally adopt server load balancing. Network services are distributed to multiple servers to enhance the service processing capability of the data center.
Firewall load balancing: In networks where firewall processing capability has become the bottleneck, firewall load balancing can be adopted to balance network traffic among multiple firewalls and so enhance the aggregate firewall processing capability.
Working mechanism of server load balancing
Server load balancing can be applied in two ways:
Network Address Translation (NAT)-mode server load balancing
Direct routing (DR)-mode server load balancing

NAT-mode server load balancing
Figure 1 Network diagram for NAT-mode server load balancing
NAT-mode server load balancing includes the following basic elements:
Cluster: A cluster that provides specific services, consisting of an LB device and multiple servers.
LB device: A device that distributes service requests among the servers.
Server: A server that responds to and processes service requests.
VSIP: Virtual service IP address of the cluster, which users address their requests to.
Server IP: IP address of a server, which the LB device uses to distribute service requests.
Figure 2 Work flow of NAT-mode server load balancing
The work flow of NAT-mode server load balancing is as follows:
1. The host sends a request, with the host IP as the source IP and the VSIP as the destination IP.
2. Upon receiving the request, the LB device uses the scheduling algorithm to select the server to distribute the request to.
3. The LB device uses destination NAT (DNAT) to distribute the request: the source IP remains the host IP, and the destination IP becomes the server IP.
4. The server receives and processes the request and then sends a response, with the server IP as the source IP and the host IP as the destination IP.
5. The LB device receives the response, translates the source IP, and forwards the response with the VSIP as the source IP and the host IP as the destination IP.
Because NAT is performed on every request and response, this mode is called NAT-mode server load balancing. Both directions of a session pass through the LB device, so the LB device sees the complete session state.

DR-mode server load balancing
Figure 3 Network diagram for DR-mode server load balancing
DR mode differs from NAT mode in that no NAT is performed. This means that, besides its local IP address, each server must also have the VSIP configured.
DR-mode server load balancing includes the following basic elements:
Cluster: A cluster consists of an LB device, a general device and multiple servers, and provides specific services.
LB device: A device that distributes service requests among the servers.
General device: A device that forwards data according to ordinary forwarding rules.
Server: A server that responds to and processes service requests.
VSIP: Virtual service IP address of the cluster, used by users to request services. Besides configuring the VSIP on the LB device, you must configure it on each server. Because the VSIP on a server must not appear in ARP requests and responses (otherwise the general device would deliver requests directly to a server, bypassing the LB device), configure it on a loopback interface.
Server IP: IP address of a server, used by the LB device to distribute requests.
Figure 4 Work flow of DR-mode server load balancing
The work flow of DR-mode server load balancing is as follows:
1. The host sends a request with the VSIP as the destination address.
2. Upon receiving the request, the general device forwards it to the LB device. Because the servers never answer ARP for the VSIP, the LB device is the only device the general device can resolve the VSIP to, so the request always reaches the LB device.
3. Upon receiving the request, the LB device uses the scheduling algorithm to select the server to distribute the request to.
4. The LB device distributes the request.
5. The LB device keeps the VSIP as the destination IP address and sets the server's MAC address (obtained through ARP for the server IP) as the destination MAC address. In this way the request is delivered to the server at Layer 2, and the server accepts it because the VSIP is one of its local addresses.
6. The server receives and processes the request and then sends a response. The destination IP address of the response is the host IP, and its source IP is the VSIP.
7. After receiving the response, the general device forwards it to the host.
The response is routed directly to the host rather than back through the LB device, which is why this mode is called DR (direct routing) mode. Because the LB device sees only the request direction of each session, unidirectional traffic detection must be enabled on it (see Configuring global parameters).
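The two work flows above differ only in which packet fields the LB device rewrites and in whether the response ever comes back through it. The following Python model, added here as an illustration and not taken from HP's code, runs a request and response through both modes: a NAT-mode device performs DNAT on the request and reverses it on the response (optionally with SNAT, which Table 5 describes for the virtual service), while a DR-mode device changes only the destination MAC and refuses to handle a response at all. The addresses, MAC addresses, ARP table and the fixed choice of one server are all constructed for the example.

```python
"""NAT-mode versus DR-mode packet handling on the LB device.

Added illustration, not HP code: a request and its response are modelled as
immutable Packet records, and the LB device rewrites exactly the fields the
work flows say it rewrites.  All addresses, MACs and the ARP table are
constructed for the example; the scheduler is fixed to one server so the
rewriting, not the scheduling, is what is shown.
"""
from __future__ import annotations

import itertools
from dataclasses import dataclass, replace
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int


@dataclass(frozen=True)
class RealServer:
    ip: str
    port: int
    mac: str


@dataclass
class Session:
    client: tuple[str, int]          # host IP/port before any translation
    real: RealServer
    snat_src: Optional[str] = None   # source address after SNAT, when enabled


class LBDevice:
    def __init__(self, vsip: str, vport: int, mode: str, mac: str, arp: dict[str, str], snat_pool=()):
        if mode not in ("nat", "dr"):
            raise ValueError(mode)
        self.vsip, self.vport, self.mode, self.mac, self.arp = vsip, vport, mode, mac, arp
        self._snat = itertools.cycle(snat_pool) if snat_pool else None
        self.sessions: dict[tuple[str, int], Session] = {}   # keyed as the server will address the reply

    def forward_request(self, pkt: Packet, real: RealServer) -> Packet:
        """NAT step 3 / DR step 5: deliver a request addressed to the VSIP to the chosen server."""
        if (pkt.dst_ip, pkt.dst_port) != (self.vsip, self.vport):
            raise ValueError("packet is not addressed to the virtual service")
        sess = Session((pkt.src_ip, pkt.src_port), real)
        if self.mode == "nat":
            src_ip = pkt.src_ip
            if self._snat:                       # Enable SNAT: responses must come back via the LB device
                src_ip = sess.snat_src = next(self._snat)
            out = replace(pkt, src_mac=self.mac, dst_mac=real.mac,
                          src_ip=src_ip, dst_ip=real.ip, dst_port=real.port)   # DNAT to server IP/port
        else:
            # DR: VSIP and port are left untouched; only the Layer 2 destination changes.
            out = replace(pkt, src_mac=self.mac, dst_mac=real.mac)
        self.sessions[(out.src_ip, out.src_port)] = sess
        return out

    def forward_response(self, pkt: Packet) -> Packet:
        """NAT step 5: translate the server's source back to VSIP:port (and undo SNAT)."""
        if self.mode == "dr":
            raise RuntimeError("DR mode: the response is routed to the host and never reaches the LB device")
        sess = self.sessions[(pkt.dst_ip, pkt.dst_port)]
        if (pkt.src_ip, pkt.src_port) != (sess.real.ip, sess.real.port):
            raise ValueError("response did not come from the real server of this session")
        client_ip, client_port = sess.client
        return replace(pkt, src_mac=self.mac, dst_mac=self.arp[client_ip],
                       src_ip=self.vsip, src_port=self.vport, dst_ip=client_ip, dst_port=client_port)


def server_reply(server: RealServer, pkt: Packet, vsip: str, mode: str, gateway_mac: str) -> Packet:
    """NAT step 4 / DR step 6: the server accepts the packet only if it is for one of its own addresses."""
    local_ips = {server.ip} | ({vsip} if mode == "dr" else set())   # DR: VSIP configured on loopback
    if pkt.dst_mac != server.mac or pkt.dst_ip not in local_ips:
        raise ValueError(f"server {server.ip} dropped a packet for {pkt.dst_ip}")
    # The reply swaps the addresses it received, so in DR mode its source is the VSIP itself.
    return Packet(src_mac=server.mac, dst_mac=gateway_mac, src_ip=pkt.dst_ip, dst_ip=pkt.src_ip,
                  src_port=pkt.dst_port, dst_port=pkt.src_port)


HOST, HOST_MAC = "61.159.4.1", "00:00:5e:00:53:01"            # constructed client host
LB_MAC, GENERAL_MAC = "00:00:5e:00:53:10", "00:00:5e:00:53:20"  # constructed LB / general device
SERVER_A = RealServer("192.168.1.1", 8080, "00:00:5e:00:53:a1")
ARP = {HOST: HOST_MAC, SERVER_A.ip: SERVER_A.mac}


def round_trip(mode: str, snat: bool = False) -> tuple[Packet, Packet]:
    """Returns (request as the server sees it, response as the host receives it)."""
    lb = LBDevice("61.159.4.100", 80, mode, LB_MAC, ARP, snat_pool=("61.159.4.200",) if snat else ())
    req = Packet(HOST_MAC, LB_MAC, HOST, "61.159.4.100", 40001, 80)   # as it arrives at the LB device
    at_server = lb.forward_request(req, SERVER_A)
    if mode == "nat":
        reply = server_reply(SERVER_A, at_server, lb.vsip, mode, gateway_mac=LB_MAC)
        at_host = lb.forward_response(reply)                          # back through the LB device
    else:
        reply = server_reply(SERVER_A, at_server, lb.vsip, mode, gateway_mac=GENERAL_MAC)
        at_host = replace(reply, src_mac=GENERAL_MAC, dst_mac=HOST_MAC)   # general device forwards it
    return at_server, at_host
```

Running `round_trip("nat")` shows the server receiving a packet for 192.168.1.1:8080 and the host receiving one from 61.159.4.100:80; `round_trip("dr")` shows the server receiving a packet still addressed to 61.159.4.100:80 but carrying its own MAC, and the reply leaving with the VSIP as source without touching the LB device. The session table keyed on the post-SNAT source is what lets the NAT-mode device undo SNAT on the way back.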
Working mechanism of firewall load balancing
Figure 5 Network diagram for firewall load balancing
Firewall load balancing includes the following basic elements:
Cluster: A cluster consists of LB devices and firewalls, and provides network traffic load balancing.
LB device: A device that distributes traffic from the request sender among multiple firewalls. LB devices are classified as level 1 LB devices and level 2 LB devices, and the role depends on the direction of the traffic. In Figure 5, if traffic flows from Host A to Host B, LB device A is level 1 and LB device B is level 2; if traffic flows from Host B to Host A, LB device B is level 1 and LB device A is level 2.
Firewall: A firewall filters packets.
Figure 6 Work flow of firewall load balancing (LB device A, firewall, LB device B; steps (1) traffic from source, (2) schedule and forward, (3) forward, (4) record and forward to destination, (5) traffic from destination, (6) forward, (7) forward, (8) forward to source)
The work flow of firewall load balancing is as follows:
1. LB device A receives the traffic from the source.
2. LB device A forwards the traffic to a firewall selected according to the destination IP address range of the traffic and the pre-configured load balancing rules.
3. The firewall forwards the traffic to LB device B.
4. As the level 2 LB device, LB device B records which firewall forwarded the traffic, and then forwards the traffic to the destination.
5. LB device B receives the return traffic from the destination.
6. LB device B forwards the return traffic to the firewall recorded in step 4.
7. The firewall forwards the traffic to LB device A.
8. LB device A forwards the traffic back to the source.
The firewalls between the two LB devices share the network traffic, so network performance is increased. Because the firewalls sit between two LB devices, this mode is also called sandwich load balancing. Step 4 is what keeps both directions of a session on the same firewall: a stateful firewall that inspected the request must also see the response, and a response arriving at a different firewall is dropped as a packet of an unknown session. This is why the saving of last hop information must be enabled on the level 2 LB device (see Configuring global parameters).
Firewall load balancing can be used together with server load balancing, as shown in Figure 7.
Figure 7 Network diagram for combination of firewall and server load balancing
Cluster A adopts firewall load balancing, and Cluster B adopts NAT-mode server load balancing. Combining the two modes combines their work flows. This networking mode not only prevents the firewalls from becoming the bottleneck of the network, but also enhances the performance and availability of multiple network services such as HTTP and FTP.

Configuring IPv4 server/firewall load balancing
NOTE: The configuration of IPv4 firewall load balancing is similar to that of server load balancing. This section describes server load balancing configuration.

Configuration considerations
Server load balancing
The server load balancing module comprises mainly a real service group, real services, and a virtual service, as shown in Figure 8.
Figure 8 Relationship between the components of the server load balancing module
Real service group: A group of real services.
Real service: An entity that processes services in a cluster (such as the servers in Figure 1 and Figure 3, and the firewalls in Figure 5).
Virtual service: A logical entity that faces users. A virtual service can correspond to multiple real services.
Server load balancing is implemented through the following procedure: after a user sends a request to the virtual service of the LB device, if a persistence method is specified for the virtual service and a matching persistence entry exists, the request is distributed according to the persistence entry; otherwise, the virtual service obtains the information of the referenced real service group and distributes the request to a real service in the group based on the algorithm configured for the real service group. See Table 5 for the introduction to the persistence method.

Configuration task list
Perform the tasks in Table 1 to configure server load balancing.
Table 1 Server load balancing configuration task list
Task: Configuring global parameters
  Remarks: Allows you to enable the saving of last hop information and unidirectional traffic detection. The saving of last hop information must be enabled on a level 2 LB device in firewall load balancing, and unidirectional traffic detection must be enabled on an LB device in DR-mode server load balancing. This task is optional in other cases. By default, both functions are disabled.
Task: Creating a real service group
  Remarks: Required. Allows you to create a real service group and configure its parameters. By default, no real service group exists in the system.
Task: Creating a real service
  Remarks: Required. Allows you to create a real service and add it to a real service group. By default, no real service exists in the system.
Task: Creating a virtual service
  Remarks: Required. Allows you to create a virtual service and reference the related real service group. By default, no virtual service exists in the system.
Task: Displaying server load balancing statistics
  Remarks: Optional.
Task: Enabling stopping service or slow-offline
  Remarks: Optional. To remove the server or network device corresponding to a real service from a cluster, enable slow-offline for the real service. After slow-offline is enabled, the LB device assigns no new services to the real service, and you can remove the server or network device from the cluster after the existing services of the real service have been processed. Slow-offline avoids the service interruption that sudden removal of a server or network device would cause.

Configuring global parameters
Select Load Balance > Global Setting from the navigation tree to enter the page shown in Figure 9.
Figure 9 Global configuration
Table 2 Global parameters configuration items
Keep Last-hop Information: Set whether to enable the saving of last hop information. Enabling this function ensures that response packets are returned along the original path. This function must be enabled on level 2 LB devices in firewall load balancing.
Enable unidirectional traffic detection: Set whether to enable unidirectional traffic detection. Unidirectional traffic means that, for a session, only packets in one direction pass through the device; the ordinary state machine of the device cannot process such packets. After unidirectional traffic detection is enabled, a special state machine processes both bidirectional and unidirectional traffic. This function must be enabled on LB devices performing DR-mode server load balancing, because in DR mode the responses bypass the LB device.
CAUTION: When unidirectional traffic detection is enabled, some service functions are not supported (for example, ASPF can no longer check that the first packet of a TCP session is a SYN), and the system becomes less secure. Decide whether to enable unidirectional traffic detection according to your network environment: if unidirectional traffic exists in the network, enable the function, otherwise unidirectional traffic cannot be processed correctly; if no unidirectional traffic exists in the network, leave the function disabled to avoid weakening system security.
Return to Server load balancing configuration task list.

Creating a real service group
Select Load Balance > Server Load Balancing from the navigation tree to enter the Real Service Group tab page, as shown in Figure 10. Click Add to enter the real service group configuration page, as shown in Figure 11.
Figure 10 Real service group
Figure 11 Add a real service group
Table 3 Real service group configuration items
Real Service Group Name: Set a real service group name, which uniquely identifies the real service group.
Scheduler: Select the algorithm that the real service group uses to distribute services and traffic:
  Round Robin: Assigns new connections to each real service in turn.
  Weighted Round Robin: Assigns new connections to real services in proportion to their weights; a higher weight means more new connections are assigned.
  Least Connections: Assigns each new connection to the real service with the fewest active connections.
  Weighted Least Connections: Assigns each new connection to the real service with the fewest weighted active connections (number of active connections divided by weight).
  Random: Assigns new connections to real services randomly.
  Weighted Random: Assigns new connections randomly to real services in proportion to their weights; a higher weight means more new connections are assigned.
  Source Address Hashing: Assigns a new connection to a real service selected by hashing the source address of the connection, so that new connections with the same source address are assigned to the same real service.
  Source Address Port Hashing: Assigns a new connection to a real service selected by hashing the source address and source port of the connection, so that new connections with the same source address and port are assigned to the same real service.
  Destination Address Hashing: Assigns a new connection to a real service selected by hashing the destination address of the connection.
  IMPORTANT: Destination address hashing is applicable to firewall load balancing mode; the other algorithms are applicable to server load balancing.
Health Monitoring Type: Select the health monitoring method that the real service group uses to monitor its real services:
  TCP: Monitors the availability of an application port by establishing a TCP connection.
  ICMP: Monitors the reachability of a server by sending ICMP packets.
  HTTP: Monitors the availability of an HTTP service through an HTTP request.
  FTP: Monitors the availability of an FTP server through an FTP login and download.
  DNS: Monitors the availability of a DNS server through a DNS query.
  RADIUS: Monitors the availability of a RADIUS server through RADIUS authentication.
  SSL: Monitors the availability of an SSL server through an SSL connection.
  TIP: When you adopt SSL health monitoring, you must configure the Client Certificate; otherwise, health monitoring cannot be performed. You can display and configure health monitoring by selecting Load Balance > Health Monitor. For more information, see Setting health monitoring parameters.
  Note that ICMP monitoring only proves that the server host is reachable, not that the service on the configured port is up; choose a method that exercises the service the virtual service actually fronts.
Real Service Troubleshooting: Select the method the real service group uses to handle existing connections when it detects that a real service has failed:
  Keep Connection: Does not actively terminate connections to the failed real service. Whether a connection is kept or terminated depends on the timeout mechanism of the protocol.
  Disconnection: Actively terminates connections to the failed real service.
  Redirection: Redirects connections to another available real service in the real service group.
  TIP: At present, redirection applies to firewall load balancing mode, and the other methods apply to server load balancing.
Advanced Configuration:
  Enable Slow-Online, Standby Time, Ramp-Up Time: When you add a server or network device to a cluster, it may not be able to take on a large amount of services immediately, so you can enable the slow-online function. With slow-online enabled, when the server or network device comes online, the LB device assigns no services to it during the standby time. When the standby time expires, the LB device assigns services to the server or network device gradually during the ramp-up time. When the ramp-up time expires, the LB device assigns services to the server or network device normally.
Return to Server load balancing configuration task list.
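The dispatch procedure from Configuration considerations (persistence entry first, otherwise the real service group's algorithm) and the Table 3 scheduling algorithms can be tied together in one model. The following Python code is an added illustration, not HP's implementation: it implements every Table 3 scheduler over a list of real services, skips services whose health monitoring has failed, and puts a source IP persistence table with a timeout in front of the scheduler as Table 5 describes. The class names, the use of SHA-256 as the hashing function and the sample addresses are assumptions for the example; the final function replays the configuration example's weights of 150, 120 and 100.

```python
"""Dispatch model: persistence lookup first, then the real service group's scheduler.

Added illustration, not HP code.  It implements the dispatch procedure from
"Configuration considerations" (persistence entry, otherwise the group's
algorithm) with the Table 3 scheduling algorithms.  Class and field names are
hypothetical; the hash is SHA-256 rather than the module's own.
"""
from __future__ import annotations

import hashlib
import random
from dataclasses import dataclass


@dataclass
class RealService:
    name: str
    ip: str
    port: int
    weight: int = 100
    active: int = 0        # active connections, used by the least-connections variants
    up: bool = True        # health monitoring verdict; a failed service is never scheduled
    _current: int = 0      # running counter for smooth weighted round robin


def _stable_hash(*parts: object) -> int:
    """Deterministic hash of address/port tuples (Python's hash() is salted per process)."""
    digest = hashlib.sha256("|".join(map(str, parts)).encode()).digest()
    return int.from_bytes(digest[:8], "big")


class RealServiceGroup:
    ALGORITHMS = ("rr", "wrr", "lc", "wlc", "random", "wrandom", "src_hash", "src_port_hash", "dst_hash")

    def __init__(self, name: str, scheduler: str, members: list[RealService], seed: int = 0):
        if scheduler not in self.ALGORITHMS:
            raise ValueError(f"unknown scheduler {scheduler!r}")
        self.name, self.scheduler, self.members = name, scheduler, list(members)
        self._rr = 0
        self._rng = random.Random(seed)

    def schedule(self, src_ip: str, src_port: int, dst_ip: str) -> RealService:
        up = [m for m in self.members if m.up]
        if not up:
            raise RuntimeError(f"no real service in group {self.name} is available")
        s = self.scheduler
        if s == "rr":                                   # each available service in turn
            m = up[self._rr % len(up)]
            self._rr += 1
            return m
        if s == "wrr":                                  # smooth WRR: every cycle of sum(weights) picks
            total = sum(m.weight for m in up)           # selects each service exactly `weight` times
            for m in up:
                m._current += m.weight
            best = max(up, key=lambda m: m._current)
            best._current -= total
            return best
        if s == "lc":
            return min(up, key=lambda m: m.active)
        if s == "wlc":                                  # fewest active connections / weight
            return min(up, key=lambda m: m.active / m.weight)
        if s == "random":
            return self._rng.choice(up)
        if s == "wrandom":
            return self._rng.choices(up, weights=[m.weight for m in up])[0]
        if s == "src_hash":                             # same source address -> same real service
            return up[_stable_hash(src_ip) % len(up)]
        if s == "src_port_hash":
            return up[_stable_hash(src_ip, src_port) % len(up)]
        return up[_stable_hash(dst_ip) % len(up)]       # dst_hash, the firewall load balancing choice


class VirtualService:
    def __init__(self, name: str, vsip: str, port: int, group: RealServiceGroup,
                 persistence: str | None = None, persistence_timeout: float = 60.0):
        self.name, self.vsip, self.port, self.group = name, vsip, port, group
        self.persistence, self.timeout = persistence, persistence_timeout
        self._entries: dict[str, tuple[RealService, float]] = {}   # source IP -> (real service, last match)

    def dispatch(self, src_ip: str, src_port: int, now: float) -> RealService:
        """A matching, unexpired persistence entry wins and is refreshed; otherwise the group schedules."""
        if self.persistence == "source_ip":
            hit = self._entries.get(src_ip)
            if hit and now - hit[1] <= self.timeout and hit[0].up:
                self._entries[src_ip] = (hit[0], now)
                return hit[0]
        real = self.group.schedule(src_ip, src_port, self.vsip)
        if self.persistence == "source_ip":
            self._entries[src_ip] = (real, now)
        return real


def verification_ratio(connections: int = 370) -> dict[str, int]:
    """Replays the configuration example: weights 150/120/100 under WRR, no persistence."""
    group = RealServiceGroup("HTTPGroup", "wrr", [
        RealService("ServerA", "192.168.1.1", 8080, weight=150),
        RealService("ServerB", "192.168.1.2", 8080, weight=120),
        RealService("ServerC", "192.168.1.3", 8080, weight=100),
    ])
    vs = VirtualService("VS", "61.159.4.100", 80, group)
    counts = {m.name: 0 for m in group.members}
    for i in range(connections):                       # constructed client addresses
        real = vs.dispatch(f"10.0.{i // 256}.{i % 256}", 40000 + i, now=float(i))
        counts[real.name] += 1
    return counts                                      # 370 connections -> 150 : 120 : 100
```

Two details matter for a practitioner. The hash-based schedulers index into the list of currently available services, so when a service fails, the mapping of some unrelated sources shifts to other servers; only a persistence entry keeps an existing client pinned, and even that is dropped if its real service goes down. And a persistence hit refreshes the entry's timestamp, so the Persistence Timeout is an idle timeout, not an absolute lifetime.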
Creating a real service
Select Load Balance > Server Load Balancing from the navigation tree, and then click the Real Service tab to enter the page shown in Figure 12. Click Add to enter the real service configuration page, as shown in Figure 13.
Figure 12 Real service
Figure 13 Create a real service
Table 4 Real service configuration items
Real Service Name: Set a real service name, which uniquely identifies the real service.
Real Service IP: Specify the IP address of the server or network device that processes services.
Port: Set a port number, which is used as follows:
  Health monitoring of the real service group: If the health monitoring type is TCP, the port number is the port that TCP health monitoring connects to.
  Forwarding mode of the virtual service: If the forwarding mode is NAT, the port number is the destination port of a packet after NAT translation and must match the port the server listens on; if the forwarding mode is direct routing or firewall, the port number is used only for health monitoring.
Weight: Set the weight used by the weighted round robin and weighted least connections algorithms. A smaller weight means the real service is scheduled less often.
Connection Limit: Set the maximum number of concurrent connections of the real service.
Real Service Group: Specify the real service group to which the real service belongs.
Advanced Configuration:
  ACL: ACL applied to the real service. To configure an ACL, select Security > ACL.
  TIP: This option takes effect only when you select the Enable Policy check box in the virtual service.
  Response Content: Content that HTTP health monitoring expects in the server's response. If the response returned by the server contains the specified content, HTTP health monitoring succeeds; otherwise, it fails.
  Associated Servers: Server to be associated when health monitoring is performed on the real service, that is, health monitoring of the real service succeeds only when health monitoring of both the real service and the specified server succeeds.
  Real Service Domain Name: Domain name of the server that processes services. The domain name is placed in the Host header of the request in HTTP health monitoring. If you do not configure this option, the IP address of the server is placed in the Host header.
Return to Server load balancing configuration task list.
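The Response Content, Associated Servers and Real Service Domain Name items above, together with the Retry Times setting of Setting health monitoring parameters, define when a real service is declared down. The following Python model is an added illustration and is not the module's code: the monitor takes a real service out of service only after Retry Times consecutive failed probes, counts an associated server's failure as a failure of the service, and builds the HTTP probe with the Host header and Response Content match exactly as described. The probe used in the demonstration is a scripted stand-in so the example runs offline; `tcp_probe` and `http_probe` show what a live probe does. Names and addresses are constructed.

```python
"""Health-monitor model: Retry Times, HTTP Response Content, the Host header and Associated Servers.

Added illustration, not the module's code.  The monitor's verdict logic is the
point; probes are callables so the example runs offline with the scripted probe
at the bottom.  tcp_probe/http_probe show what a live probe does with the
configured parameters.  All names and addresses are constructed.
"""
from __future__ import annotations

import http.client
import socket
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass
class RealService:
    name: str
    ip: str
    port: int
    domain_name: Optional[str] = None            # Real Service Domain Name (Table 4)
    response_content: Optional[str] = None       # Response Content (Table 4)
    associated: Optional["RealService"] = None   # Associated Servers (Table 4)
    failures: int = 0                            # consecutive failed probes
    up: bool = True


def host_header(rs: RealService) -> str:
    """HTTP health monitoring puts the domain name, or the IP when none is set, in Host."""
    return rs.domain_name or rs.ip


def http_verdict(rs: RealService, body: str) -> bool:
    """Succeeds only if the configured Response Content appears in the server's response."""
    return rs.response_content is None or rs.response_content in body


def tcp_probe(rs: RealService, timeout: float) -> bool:
    """TCP type: the application port must accept a connection within Timeout."""
    try:
        socket.create_connection((rs.ip, rs.port), timeout=timeout).close()
        return True
    except OSError:
        return False


def http_probe(rs: RealService, url: str, timeout: float) -> bool:
    """HTTP type: GET the configured URL with the Host header and apply http_verdict."""
    try:
        conn = http.client.HTTPConnection(rs.ip, rs.port, timeout=timeout)
        conn.request("GET", url, headers={"Host": host_header(rs)})
        body = conn.getresponse().read().decode("utf-8", errors="replace")
        conn.close()
    except OSError:
        return False
    return http_verdict(rs, body)


class HealthMonitor:
    """One monitor per health-monitoring type; `probe` is called once per Check Interval."""

    def __init__(self, retry_times: int, probe: Callable[[RealService], bool]):
        if retry_times < 1:
            raise ValueError("Retry Times must be at least 1")
        self.retry_times, self.probe = retry_times, probe

    def check(self, rs: RealService) -> bool:
        """Applies one probe round and returns the service's status afterwards.

        A service goes down only after Retry Times consecutive failures, so a single
        lost probe does not remove it from scheduling; any success restores it at once.
        An associated server that fails counts as a failure of this service too.
        """
        ok = self.probe(rs) and (rs.associated is None or self.probe(rs.associated))
        if ok:
            rs.failures, rs.up = 0, True
        else:
            rs.failures += 1
            if rs.failures >= self.retry_times:
                rs.up = False
        return rs.up


def scripted_probe(results: list[bool]) -> Callable[[RealService], bool]:
    """Constructed stand-in for a live probe: returns the scripted results in order."""
    it = iter(results)
    return lambda rs: next(it)


def status_history(retry_times: int, results: list[bool]) -> list[bool]:
    """Runs the monitor over scripted probe results and returns the status after each round."""
    rs = RealService("ServerA", "192.168.1.1", 8080, domain_name="www.example.com")
    mon = HealthMonitor(retry_times, scripted_probe(results))
    return [mon.check(rs) for _ in results]
```

With Retry Times set to 3, `status_history(3, [False, False, True, False, False, False])` keeps the service up through the first two misses and the recovery, and only the third consecutive failure at the end marks it down. The time to detect a dead server is therefore roughly Check Interval multiplied by Retry Times (plus one Timeout per probe), which is the figure to set against the Keep Connection / Disconnection choice in Table 3.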
Enabling stopping service or slow-offline
Select Load Balance > Server Load Balance from the navigation tree, and then click the Real Service tab to enter the page shown in Figure 12. Click the modify icon of the target real service to enter the Modify Real Service page, and then click the Advanced Configuration expansion button, as shown in Figure 14.
Figure 14 Modify real service
To enable slow-offline for a real service, select the Enable Slow-Offline option, and then click Apply. After slow-offline is enabled, view the server load balancing statistics, and remove the corresponding server or network device from the cluster once the existing services of the real service have been processed (that is, once its active connection count has dropped to zero). After slow-offline is enabled, the status icon of the real service changes to indicate slow-offline.
To stop assigning traffic to a real service immediately, select the Stop Service option, and click Apply.
NOTE: If you select both the Enable Slow-Offline and Stop Service options for a real service, the LB device immediately stops assigning traffic to the real service, and the slow-offline function does not take effect.
Return to Server load balancing configuration task list.

Creating a virtual service
Select Load Balance > Server Load Balance from the navigation tree, and then click the Virtual Service tab to enter the page shown in Figure 15. Click Add to enter the virtual service configuration page, as shown in Figure 16.
Figure 15 Virtual service
Figure 16 Create a virtual service
Table 5 Virtual service configuration items
Virtual Service Name: Set a virtual service name, which uniquely identifies the virtual service.
VPN Instance: Select the VPN instance to which the virtual service belongs.
Virtual Service IP, Mask: Specify the VSIP and VSIP mask of the cluster, which users address their requests to.
Protocol: Select the protocol used by the cluster to provide services.
Port: Set the port number used by the cluster to provide services.
Forwarding Mode: Load balancing mode adopted:
  NAT: NAT-mode server load balancing
  Direct Routing: DR-mode server load balancing
  Firewall: firewall load balancing
Enable SNAT: Enable source address NAT, which changes the source address of a packet during load balancing so that the servers' responses are routed back through the LB device. It can be set only when the forwarding mode is NAT.
  TIP: In stateful failover networking, if you enable SNAT, the addresses in the SNAT IP address pool cannot be in the same network segment as the interface address of the device.
SNAT IP Pool: Configure the SNAT IP address pool. It can be set only when Enable SNAT is selected.
  TIP: The SNAT IP address pool cannot overlap the NAT IP address pool configured on the interface that connects the device to the real servers.
Persistence Method: Select a method for associating connections that access the same virtual service with a real service. If you do not select a persistence method, connections are not associated with real services.
  Source IP: Connections with the same source address are associated with the same real service. In this mode, if the service port number is configured as any, any connection with the same source address and protocol type is treated as access to the same real service. The source IP mode reduces the number of scheduling decisions the LB device makes.
Persistence Timeout: Set the aging time of a persistence entry. When a persistence method is configured, persistence entries are generated according to the persistence method. If a persistence entry is not matched within the persistence timeout, the entry is deleted. This option is not available if you do not select a persistence method.
Connection Limit: Set the maximum number of concurrent connections of the virtual service.
Real Service Group: Reference a real service group for the virtual service.
Enable Virtual Service: Whether to enable the virtual service after it is configured. This option is not available if you do not select a real service group.
Enable Policy: Whether to enable the ACL rules specified by the real services in the referenced real service group.
Return to Server load balancing configuration task list.

Displaying server load balancing statistics
Select Load Balance > Server Load Balance from the navigation tree, and then click the Statistics tab. Statistics for all virtual services of server load balancing are displayed on the page, including the total number of connections, the average and peak number of active connections, the average and peak connection rate, the number of forwarded and ignored packets in the inbound direction, and the number of forwarded packets in the outbound direction. If you click the link of a virtual service name, the statistics of all the real services of that virtual service are displayed on the lower part of the page, including the total number of connections, the average and peak number of active connections, the average and peak connection rate, packets received, and packets sent, as shown in Figure 17.
Figure 17 Statistics
Return to Server load balancing configuration task list.

Setting health monitoring parameters
Select Load Balance > Health Monitor from the navigation tree to enter the page shown in Figure 18. Health monitoring has eight modes: TCP, ICMP, TCP Half Open, HTTP, FTP, DNS, RADIUS and SSL. This section introduces only the seven modes supported by server load balancing: TCP, ICMP, HTTP, FTP, DNS, RADIUS and SSL. Click the modify icon of a mode to enter the page for setting its health monitoring parameters, as shown in Figure 19.
Figure 18 Health monitoring
Figure 19 Modify health monitoring parameters
Table 6 Configuration items for setting health monitoring parameters
Health Monitoring: The method used in health monitoring.
Check Interval: The interval at which health monitoring is performed.
Timeout: Timeout for each health monitoring operation.
Retry Times: When the retry times is n, if health monitoring is performed n times in succession and the corresponding server or port is unavailable every time, health monitoring of this type is considered failed. A single missed probe therefore does not take a real service out of service.
URL: URL to be accessed in HTTP health monitoring. It must begin with / and is case sensitive, for example /test.html. This parameter is available only on the page for setting HTTP health monitoring parameters.
Username, Password: Case-sensitive username and password used to log in to the FTP server in FTP health monitoring.
Filename: Name of the file to be downloaded from the FTP server in FTP health monitoring, case sensitive. A file with this name must exist in the home directory of the login user.
  These three parameters are available only on the page for setting FTP health monitoring parameters.
Hostname: Domain name to be resolved in DNS health monitoring. The default hostname is A.ROOT-SERVER.NET.
Host IP: If a host IP address is specified to enhance the precision of DNS health monitoring, a DNS health monitoring operation is considered successful only when the specified host IP address is contained in the received DNS response.
  These two parameters are available only on the page for setting DNS health monitoring parameters.
Username, Password: Case-sensitive username and password used to log in to the RADIUS server in RADIUS health monitoring. The default username is admin.
Authentication Server Shared Key: Shared key for RADIUS authentication packets in RADIUS health monitoring. The default authentication server shared key is 0123456789.
RADIUS Packet Source IP: Source IP address of RADIUS authentication packets in RADIUS health monitoring. By default, no source IP address is specified for RADIUS authentication packets.
Port: Port number of the RADIUS server in RADIUS health monitoring.
  These five parameters are available only on the page for setting RADIUS health monitoring parameters. Replace the default username and shared key with values of your own: the shared key is what the RADIUS server uses to authenticate the probe, and a default printed in a public manual offers no protection.
Client Certificate: Local certificate of an SSL client policy in SSL health monitoring, used by the SSL server to authenticate the client by certificate. To apply for a certificate, select Security > PKI.
Ciphersuite: Preferred cipher suite(s) for the SSL server to support in SSL health monitoring:
  RSA_RC4_128_MD5: RSA key exchange, 128-bit RC4 data encryption, and the MD5 MAC algorithm.
  RSA_RC4_128_SHA: RSA key exchange, 128-bit RC4 data encryption, and the SHA MAC algorithm.
  RSA_DES_CBC_SHA: RSA key exchange, DES-CBC data encryption, and the SHA MAC algorithm.
  RSA_3DES_EDE_CBC_SHA: RSA key exchange, 3DES-EDE-CBC data encryption, and the SHA MAC algorithm.
  These two parameters are available only on the page for setting SSL health monitoring parameters. All four suites use RSA key exchange without forward secrecy together with RC4, single DES or 3DES, which are now considered weak. The probe only needs a suite the monitored server accepts, so prefer RSA_3DES_EDE_CBC_SHA over the RC4 and DES suites, and do not read a successful SSL probe as evidence that the server's TLS configuration is sound.
Return to Server load balancing configuration task list.

Load balancing configuration examples
Server load balancing configuration example
Network requirements
As shown in Figure 20, three servers, Server A, Server B and Server C, can provide HTTP services. Server A has the highest hardware configuration, and Server B the second highest. These three servers are required to provide HTTP services together, and all HTTP traffic must be filtered by the firewall.
The cluster provides an HTTP service: use server load balancing.
All traffic must pass through the firewall: use NAT-mode server load balancing (in DR mode, responses do not pass through the firewall).
The performance of the three servers differs: use the weighted round robin algorithm.
Figure 20 Network diagram for NAT-mode server load balancing
Configuration procedure
NOTE: Assume that Server A, Server B, and Server C have been configured (including routing information that ensures normal packet forwarding). The configuration of the HTTP servers is omitted here; refer to the related manuals. Assume also that the IP addresses of the interfaces on the LB device and the zones to which they belong have been configured. The following describes the load balancing configuration in detail.
# Create real service group HTTPGroup.
Select Load Balance > Server Load Balance from the navigation tree to enter the Real Service Group tab page. Then click Add to perform the following configurations, as shown in Figure 21.
Figure 21 Create a real service group
- Type the real service group name HTTPGroup.
- Select the algorithm Weighted Round Robin.
- Select the health monitoring type ICMP.
- Select the troubleshooting method Keep Connected.
- Click Apply.

# Create real service ServerA for Server A.
Click the Real Service tab, and click Add to perform the following configuration, as shown in Figure 22.

Figure 22 Create a real service

- Type the real service name ServerA.
- Type the IP address of the real service 192.168.1.1.
- Type the port number 8080.
- Type the weight 150.
- Select the real service group HTTPGroup.
- Click Apply.

# Create real service ServerB for Server B.
Click Add on the Real Service tab page to perform the following configuration, as shown in Figure 22.
- Type the real service name ServerB.
- Type the IP address of the real service 192.168.1.2.
- Type the port number 8080.
- Type the weight 120.
- Select the real service group HTTPGroup.
- Click Apply.

# Create real service ServerC for Server C.
Click Add on the Real Service tab page to perform the following configuration, as shown in Figure 22.
- Type the real service name ServerC.
- Type the IP address of the real service 192.168.1.3.
- Type the port number 8080.
- Type the weight 100.
- Select the real service group HTTPGroup.
- Click Apply.

# Create virtual service VS.
Click Virtual Service, and click Add to perform the following configuration, as shown in Figure 23.

Figure 23 Create virtual service VS

- Type the virtual service name VS.
- Type the IP address of the virtual service 61.159.4.100.
- Select the mask 32 (255.255.255.255).
- Select the protocol type TCP.
- Type the port number 80.
- Select the forwarding mode NAT.
- Select the real service group HTTPGroup.
- Select the Enable Virtual Service check box.
- Click Apply.

Configuration verification

After the servers have run normally for a period of time, you can display the statistics to verify the load balancing configuration.
Select Load Balance > Server Load Balance from the navigation tree, and click the Statistics tab. Click the virtual service name link of virtual service VS to see the statistics on the corresponding page, as shown in Figure 24.

Figure 24 Statistics

From Figure 24, you can see that the total numbers of connections of Server A, Server B, and Server C are in the ratio 15:12:10, which matches the ratio of the configured weights (150:120:100). Therefore, the server load balancing function has taken effect.

Firewall load balancing configuration example

Network requirements

As shown in Figure 25, two firewalls, Firewall A and Firewall B, are connected to Network A and Network B through an LB device on each side, to balance the load between the internal network and the Internet and enhance network performance.
- Firewall load balancing is adopted to balance the traffic load from Network A to Network B. LB device A works as the level 1 LB device, and LB device B works as the level 2 LB device.
- Firewall load balancing is adopted to balance the traffic load from Network B to Network A. LB device B works as the level 1 LB device, and LB device A works as the level 2 LB device.
Figure 25 Network diagram for firewall load balancing

Configuration procedure

NOTE:
Assume that Firewall A and Firewall B have been configured (including the routing information that ensures normal packet forwarding).
Assume that the IP addresses of the interfaces on the LB devices, and the zones to which they belong, have been configured.

The following describes the load balancing configuration in detail.

# Enable the function of keeping the last hop information on LB device B.
Select Load Balance > Global Setting from the navigation tree to perform the following configuration, as shown in Figure 26.

Figure 26 Enable the function of keeping the last hop information

- Select the Keep Last-hop Information option.
- Click Apply.

# Create real service group FirewallGroup on LB device A.
Select Load Balance > Server Load Balance from the navigation tree to enter the Real Service Group tab. Then click Add to perform the following configuration, as shown in Figure 27.

Figure 27 Create a real service group

- Type the real service group name FirewallGroup.
- Select the algorithm Destination IP Hashing.
- Select the health monitoring type ICMP.
- Select the troubleshooting method Redirection.
- Click Apply.

# Create real service FirewallA for Firewall A on LB device A.
Click the Real Service tab, and click Add to perform the following configuration, as shown in Figure 28.

Figure 28 Create a real service

- Type the real service name FirewallA.
- Type the IP address of the real service 10.0.1.1.
- Select the real service group FirewallGroup.
- Click Apply.

# Create real service FirewallB for Firewall B.
Click Add on the Real Service tab to perform the following configuration, as shown in Figure 28.
- Type the real service name FirewallB.
- Type the IP address of the real service 10.0.1.2.
- Select the real service group FirewallGroup.
- Click Apply.

# Create virtual service VS on LB device A.
Click Virtual Service, and click Add to perform the following configuration, as shown in Figure 29.

Figure 29 Create virtual service VS

- Type the virtual service name VS.
- Type the IP address of the virtual service 20.0.0.0.
- Select the mask 24 (255.255.255.0).
- Select the protocol type Any.
- Type the port number 0.
- Select the forwarding mode Firewall Forwarding.
- Select the real service group FirewallGroup.
- Select the Enable Virtual Service option.
- Click Apply.

Configuration verification

Some time after the hosts in the internal network have accessed the Internet, you can display the statistics to verify the load balancing configuration on LB device A.

Select Load Balance > Server Load Balance from the navigation tree, and click the Statistics tab. Click the virtual service name link of virtual service VS to see the statistics on the corresponding page, as shown in Figure 30.

Figure 30 Statistics on LB device A

From Figure 30, you can see that the traffic from the internal network to the Internet is balanced between Firewall A and Firewall B.
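The dispatching behaviour exercised by the two examples above, as an added simulation that is not part of this guide or of the HP LB module: the weighted round robin of HTTPGroup (weights 150/120/100, which yields the 15:12:10 connection ratio seen in Figure 24) and, for FirewallGroup, destination IP hashing with the Redirection troubleshooting method plus the Keep Last-hop Information behaviour of the level 2 LB device. The names, addresses and weights are those of the examples; the hash function (destination address modulo group size) and the last-hop table layout are assumptions.

```python
# Added example, not HP's code: simulates the two dispatching behaviours in
# this chapter's examples. Names, addresses and weights are the examples';
# the hash function and the last-hop table layout are assumptions.
import ipaddress
from collections import Counter

HTTP_GROUP = {"ServerA": 150, "ServerB": 120, "ServerC": 100}
FIREWALL_GROUP = ["10.0.1.1", "10.0.1.2"]   # FirewallA, FirewallB


def weighted_round_robin(weights, n_requests):
    """Smooth weighted round robin: over a cycle of sum(w)/gcd requests each
    real service gets weight/gcd of them (150:120:100 -> 15:12:10)."""
    current = dict.fromkeys(weights, 0)
    total = sum(weights.values())
    picks = []
    for _ in range(n_requests):
        for name, w in weights.items():
            current[name] += w
        best = max(current, key=current.get)  # ties: first in dict order
        current[best] -= total
        picks.append(best)
    return Counter(picks)


def pick_firewall(dst_ip, firewalls=FIREWALL_GROUP, healthy=None):
    """Destination IP hashing (assumed: address mod group size) so that all
    packets to one destination cross the same firewall. With the Redirection
    troubleshooting method, traffic hashed to a member that ICMP monitoring
    reports down is redirected to the next healthy member."""
    healthy = set(firewalls) if healthy is None else set(healthy)
    idx = int(ipaddress.ip_address(dst_ip)) % len(firewalls)
    for step in range(len(firewalls)):
        fw = firewalls[(idx + step) % len(firewalls)]
        if fw in healthy:
            return fw
    raise RuntimeError("no healthy firewall in FirewallGroup")


class LastHopTable:
    """Keep Last-hop Information on the level-2 LB device: remember which
    firewall a forward flow came from and send the reply back through it."""
    def __init__(self):
        self.last_hop = {}

    def forward(self, src_ip, dst_ip, from_firewall):
        self.last_hop[(src_ip, dst_ip)] = from_firewall

    def reply_next_hop(self, src_ip, dst_ip):
        # A reply has src/dst swapped relative to the recorded request.
        return self.last_hop.get((dst_ip, src_ip))
```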
Support and other resources

Contacting HP

For worldwide technical support information, see the HP support website: http://www.hp.com/support

Before contacting HP, collect the following information:
- Product model names and numbers
- Technical support registration number (if applicable)
- Product serial numbers
- Error messages
- Operating system type and revision level
- Detailed questions

Subscription service

HP recommends that you register your product at the Subscriber's Choice for Business website: http://www.hp.com/go/wwalerts
After registering, you will receive email notification of product enhancements, new driver versions, firmware updates, and other product resources.

Related information

Documents

To find related documents, browse to the Manuals page of the HP Business Support Center website: http://www.hp.com/support/manuals
- For related documentation, navigate to the Networking section, and select a networking category.
- For a complete list of acronyms and their definitions, see HP A-Series Acronyms.

Websites
- HP.com http://www.hp.com
- HP Networking http://www.hp.com/go/networking
- HP manuals http://www.hp.com/support/manuals
- HP download drivers and software http://www.hp.com/support/downloads
- HP software depot http://www.software.hp.com
- HP Education http://www.hp.com/learn
Conventions

This section describes the conventions used in this documentation set.

Command conventions

Convention: Boldface
Description: Bold text represents commands and keywords that you enter literally as shown.

Convention: Italic
Description: Italic text represents arguments that you replace with actual values.

Convention: [ ]
Description: Square brackets enclose syntax choices (keywords or arguments) that are optional.

Convention: { x | y | ... }
Description: Braces enclose a set of required syntax choices separated by vertical bars, from which you select one.

Convention: [ x | y | ... ]
Description: Square brackets enclose a set of optional syntax choices separated by vertical bars, from which you select one or none.

Convention: { x | y | ... } *
Description: Asterisk-marked braces enclose a set of required syntax choices separated by vertical bars, from which you select at least one.

Convention: [ x | y | ... ] *
Description: Asterisk-marked square brackets enclose optional syntax choices separated by vertical bars, from which you select one choice, multiple choices, or none.

Convention: &<1-n>
Description: The argument or keyword and argument combination before the ampersand (&) sign can be entered 1 to n times.

Convention: #
Description: A line that starts with a pound (#) sign is a comment.

GUI conventions

Convention: Boldface
Description: Window names, button names, field names, and menu items are in bold text. For example, the New User window appears; click OK.

Convention: >
Description: Multi-level menus are separated by angle brackets. For example, File > Create > Folder.

Symbols

Convention: WARNING
Description: An alert that calls attention to important information that if not understood or followed can result in personal injury.

Convention: CAUTION
Description: An alert that calls attention to important information that if not understood or followed can result in data loss, data corruption, or damage to hardware or software.

Convention: IMPORTANT
Description: An alert that calls attention to essential information.

Convention: NOTE
Description: An alert that contains additional or supplementary information.

Convention: TIP
Description: An alert that provides helpful information.
Network topology icons

- Represents a generic network device, such as a router, switch, or firewall.
- Represents a routing-capable device, such as a router or Layer 3 switch.
- Represents a generic switch, such as a Layer 2 or Layer 3 switch, or a router that supports Layer 2 forwarding and other Layer 2 features.
- Represents an LB module.

Port numbering in examples

The port numbers in this document are for illustration only and might be unavailable on your device.
Index

C
Configuring IPv4 server/firewall load balancing, 6
Contacting HP, 28
Conventions, 29

L
Load balancing configuration examples, 19
Load balancing overview, 1

R
Related information, 28