Technical Note
Load Balancer: A guide to Load Balancing

Introduction

This technical note introduces the load balancer and gives examples for configuring your Allied Telesyn equipment to run it. The scenarios described in this technical note apply to Allied Telesyn devices running software release 2.5.1 and later. For simplicity, the Allied Telesyn devices mentioned in this document are referred to as switches.

The load balancer and the firewall are enabled with special feature licenses. To obtain a special feature license, contact an Allied Telesyn authorised distributor or reseller.

You can find further information about the load balancer in the Software Reference Manual for Software Release 2.5.1 provided with your switch, and in the Release Note for Software Release 2.5.1 for your switch, available on the Documentation and Tools CD-ROM packaged with your switch or from www.alliedtelesyn.co.nz/documentation/documentation.html. If you require more information or support on this topic, please contact your nearest Allied Telesyn reseller or distributor.

As mission-critical applications are deployed via the web, IT managers must deliver their data in a way that is cost effective as well as reliable and secure. One approach to meeting client requests for data and other services is to deliver all client requests to one resource. A resource may be a server, a firewall or another routing device. A single resource may be able to process every request, but if it fails or suffers poor performance, requests are processed slowly or not at all.

Simply connecting the world. Copyright 2003 Allied Telesyn International, Corp. While every effort has been made to ensure that the information contained within this technical note is accurate, Allied Telesyn International cannot accept any liability for errors in, or omissions arising from the use of, this information.

What is a Load Balancer?

The load balancer distributes incoming requests between multiple resources. These resources are grouped together in farms, or resource pools. The load balancer is made up of one or more virtual balancers that each map to one resource pool. Virtual balancers carry out the actual load balancing operation by selecting one resource from a resource pool to process each client request. The resource then sends its response back to the virtual balancer, which in turn delivers the response to the requesting client.

The load balancer supports between 1 and 32 virtual balancers. A virtual balancer exposes one IP address and port, and optionally a URL, on the public side, and maps to a single resource pool. At least one virtual balancer must be configured before load balancing can commence. All connections to a virtual balancer's IP address and port (or URL) that are initiated from the public side are balanced over the resources in that virtual balancer's resource pool.

Take care with network settings when you configure the load balancer so that routing operates correctly. The load balancer should only be configured by experienced networking professionals.

You can configure four different types of load balancing. Each type requires a different type of virtual balancer:

TCP (server) virtual balancer. This type of virtual balancer examines a packet's IP address to determine where the packet is from and which resource it will be sent to.

Route-based virtual balancer. This type is used when packets are routed through a device, such as a firewall, that is not the packet's final destination.

HTTP virtual balancer. This type is primarily for load balancing web servers, or applications that tunnel over HTTP, and examines the cookies in HTTP requests and responses. A configuration example for an HTTP virtual balancer is given under "HTTP Virtual Balancer Configuration" below.

SSL virtual balancer. The load balancer operates with Secure Sockets Layer (SSL) in two different ways: you can either configure an SSL type virtual balancer, or enable SSL for an HTTP type virtual balancer.

Health Checks

The load balancer regularly conducts health checks to establish the status of the resources in its resource pools, the fail-over balancer, and the load balancing process. Two methods the load balancer uses for checking the health of its resources are PING checks and recording reset (RST) messages.

A PING check sends a PING to the network address of the resource, by default every minute.

The second form of health checking records the number of reset (RST) messages seen in the last 100 connections to a resource. TCP generates an RST message if it receives anything unexpected. If the percentage of RST messages for a resource exceeds the configured limit (see the SET LOADBALANCER command in your software reference manual), that resource is marked as DOWN. A resource marked DOWN this way is not returned to service automatically: the administrator must intervene and put the resource UP with the ENABLE LOADBALANCER RESOURCE command.

Triggers

Triggers can be activated by certain events in the load balancer module. For a full list of supported triggers, consult the load balancer chapter of the manual for your device. One example to consider is an HTTP error: in the example below, the match.scp script could be configured to mail a network administrator whenever this error occurs.

  Event       Description
  HTTPERROR   An HTTP response returned by a resource matches a configured HTTP error code.

The following parameter can be specified in the CREATE and SET TRIGGER commands:

  Parameter                 Description
  RESOURCE=webserver_one    A match in the HTTP error code returned by an HTTP response will be detected for this resource.

The trigger passes the following argument to the script:

  Argument   Description
  %1         The resource name.

Example: to create a trigger that activates the script match.scp whenever an HTTP error code match is detected for resource webserver_one, use the command:

  CREATE TRIGGER=3 MODULE=LB EVENT=HTTPERROR RESOURCE=webserver_one SCRIPT=match.scp

Load Balancer and Firewall

The load balancer uses the firewall's Network Address Translation (NAT) facility, so a firewall must be configured for load balancing to work. For details on configuring a firewall, refer to the Firewall chapter in your software reference manual.

When configuring a firewall, it is essential that the firewall's policies allow traffic from clients to travel to and from the public interface and port of each configured virtual balancer. If the firewall blocks this traffic, the load balancer will not operate. If you already have a firewall configured on the routing device that will act as a load balancer, you must ensure that the existing policies allow this traffic flow.
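The RST-ratio health check described under Health Checks above, as an added example in Python; it is not code from this technical note or from the AlliedWare implementation. It keeps a sliding window of the last 100 connection outcomes per resource, marks the resource DOWN once the reset percentage exceeds the Critical RST limit (50%, the value shown in the SHOW LOADBALANCER output later in this note), and shows that only an explicit enable(), standing in for ENABLE LOADBALANCER RESOURCE, brings it back. The Resource class, the decision to measure the percentage over the connections actually observed, and the treatment of an unanswered PING are assumptions made for this example.

```python
from collections import deque

# Values taken from the text above and from the SHOW LOADBALANCER output (Figure 2).
CRITICAL_RST_PERCENT = 50     # "Critical RST ... 50%"
CONNECTION_WINDOW = 100       # RSTs are counted over the last 100 connections


class Resource:
    """A resource (server) whose health is judged by PING checks and by the
    percentage of its recent connections that ended in a TCP RST."""

    def __init__(self, name):
        self.name = name
        self.state = "UP"
        # Outcome of each of the last CONNECTION_WINDOW connections: True = RST seen.
        self.outcomes = deque(maxlen=CONNECTION_WINDOW)

    def rst_percent(self):
        """Percentage of recorded connections (at most the last 100) that saw an RST.
        Assumption: the ratio is over connections actually observed, so a resource
        that has served only a few connections can still trip the limit."""
        if not self.outcomes:
            return 0.0
        return 100.0 * sum(self.outcomes) / len(self.outcomes)

    def record_connection(self, saw_rst):
        """Record one connection outcome. Once the limit is exceeded the resource is
        marked DOWN and stays DOWN: nothing here brings it back automatically."""
        self.outcomes.append(saw_rst)
        if self.state == "UP" and self.rst_percent() > CRITICAL_RST_PERCENT:
            self.state = "DOWN"
        return self.state

    def ping_check(self, replied):
        """The periodic PING check. Assumption: an unanswered PING marks the resource
        DOWN, and a later reply does not bring it back on its own."""
        if not replied:
            self.state = "DOWN"
        return self.state

    def enable(self):
        """Administrator intervention: ENABLE LOADBALANCER RESOURCE. The RST history
        is cleared so the resource does not go DOWN again on its old counts."""
        self.state = "UP"
        self.outcomes.clear()
        return self.state


def simulate(outcomes):
    """Feed a constructed sequence of connection outcomes to one resource and return
    (final state, final RST percentage, index of the connection that took it DOWN)."""
    server = Resource("server2")
    down_at = None
    for i, saw_rst in enumerate(outcomes):
        if server.record_connection(saw_rst) == "DOWN" and down_at is None:
            down_at = i
    return server.state, server.rst_percent(), down_at


if __name__ == "__main__":
    # Constructed sample: 60 clean connections, then the server starts resetting everything.
    state, pct, down_at = simulate([False] * 60 + [True] * 70)
    print(f"state={state} rst={pct:.0f}% went DOWN at connection #{down_at}")
```

The sample run shows the practical consequence of the rule: the resource trips at the 111th connection, when 51 of the last 100 carried a reset, and then stays DOWN through the remaining traffic until an administrator re-enables it, which is why the SHOW LOADBALANCER RESOURCE output is worth watching after any server-side fault.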

When the load balancer is enabled, the value of the ORPHANTIMEOUT parameter in the SET LOADBALANCER command overrides any timeout values configured in the firewall policy. Ensure there are no proxies configured on a policy where load balancing occurs. Take care if changing the firewall's NAT settings, because this could prevent the load balancer from operating correctly.

SSL Load Balancing

SSL traffic may be your lifeblood, as it can carry your financial transactions, so this is where load really needs to be distributed to make sure that no one receives a timeout when trying to complete a transaction. SSL encrypts the data in transit and, through certificates, lets only trusted peers exchange confidential information.

Affinity is important for SSL connections because it is necessary to maintain a sticky, or persistent, connection: the client keeps using the resource it originally established a connection with. For example, a sticky connection is required when a client browses an SSL-secured banking web site. If the load balancer switched resources before the client completed the transaction, a new SSL connection would be needed to the new resource. The SSL handshake, which negotiates the security options for the connection, can be time-consuming; a sticky connection improves performance because repeated handshakes are avoided. Both types of SSL load balancing allow for sticky connections. The public port for SSL is usually 443.

If you want to use SSL and the load balancer with the single DES algorithm, you need a PCI Accelerator Card (PAC) and a load balancer and firewall feature license. If you want to use SSL and the load balancer with the Triple DES algorithm, you need a PCI Accelerator Card (PAC), a load balancer and firewall feature license, and a 3DES feature license. Note that single DES, with its 56-bit key, has long been breakable by brute force and should not be relied on; of the two options listed here, only Triple DES offers meaningful protection.

SSL Virtual Balancing

You can configure an SSL type virtual balancer. This type of virtual balancer examines the SSL Client Hello or Server Hello, transmitted as part of the handshake, for the SSL Session ID, and creates affinity table entries based on that Session ID. The Session ID is carried in the Server Hello for new sessions and in the Client Hello for resumed sessions: when the Client Hello's Session ID is zero-length or absent, the server allocates a new Session ID in its Server Hello, and every Server Hello whose Session ID is not already listed in the affinity table creates a new entry. A selection algorithm (for a new session) or an affinity table entry (for a resumed session) determines which secured resource will process the client's requests. Because these fields are sent unencrypted during the handshake, the SSL virtual balancer does not have to decrypt the session to make this decision, in contrast to an HTTP virtual balancer with SSL enabled (described below).
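The Session ID handling described above, as an added example in Python that is not part of this technical note or of the AlliedWare implementation. It parses the cleartext Client Hello and Server Hello fields of an SSLv3/TLS 1.0 handshake record far enough to extract the Session ID, and drives a small affinity table the way an SSL virtual balancer does: a Client Hello with an empty Session ID is a new session and goes through resource selection, the Server Hello's Session ID is then recorded against the resource that sent it, and a later Client Hello carrying that Session ID is routed to the same resource without any selection. The hello records are constructed test data (version 3.1, a single cipher suite, null compression); the round-robin selection, resource names and class names are assumptions made for the example.

```python
import struct

HANDSHAKE = 0x16                 # SSL/TLS record ContentType for handshake messages
CLIENT_HELLO, SERVER_HELLO = 1, 2  # HandshakeType values


def parse_hello(record):
    """Return (handshake_type, session_id) from a raw handshake record carrying a
    ClientHello or ServerHello. Raises ValueError for anything else or anything short."""
    if len(record) < 5 or record[0] != HANDSHAKE:
        raise ValueError("not an SSL/TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    if len(body) != rec_len or len(body) < 4:
        raise ValueError("truncated record")
    hs_type = body[0]
    hs_len = int.from_bytes(body[1:4], "big")
    hs = body[4:4 + hs_len]
    if hs_type not in (CLIENT_HELLO, SERVER_HELLO):
        raise ValueError("not a ClientHello or ServerHello")
    # Hello layout: ProtocolVersion(2) + Random(32) + session_id length(1) + session_id.
    if len(hs) != hs_len or len(hs) < 35:
        raise ValueError("truncated hello")
    sid_len = hs[34]
    if sid_len > 32 or len(hs) < 35 + sid_len:
        raise ValueError("bad session_id length")
    return hs_type, hs[35:35 + sid_len]


def build_hello(hs_type, session_id, version=b"\x03\x01"):
    """Constructed test data: a minimal hello with the fields the balancer inspects."""
    hs = version + b"\x00" * 32 + bytes([len(session_id)]) + session_id
    if hs_type == CLIENT_HELLO:
        hs += b"\x00\x02\x00\x2f" + b"\x01\x00"   # one cipher suite, null compression
    else:
        hs += b"\x00\x2f" + b"\x00"               # chosen suite, null compression
    body = bytes([hs_type]) + len(hs).to_bytes(3, "big") + hs
    return bytes([HANDSHAKE]) + version + struct.pack("!H", len(body)) + body


class SslVirtualBalancer:
    """Affinity keyed by SSL Session ID; resources are assumed UP and picked round-robin."""

    def __init__(self, resources):
        self.resources = list(resources)
        self.affinity = {}     # session_id -> resource name
        self._next = 0

    def _select(self):
        chosen = self.resources[self._next % len(self.resources)]
        self._next += 1
        return chosen

    def on_client_hello(self, record):
        """A Client Hello whose Session ID is already known is a resumption and goes
        to the same resource; an empty or unknown Session ID goes through selection."""
        hs_type, sid = parse_hello(record)
        if hs_type != CLIENT_HELLO:
            raise ValueError("expected a ClientHello")
        if sid and sid in self.affinity:
            return self.affinity[sid]
        return self._select()

    def on_server_hello(self, record, resource):
        """Record the Session ID the chosen resource allocated in its Server Hello,
        unless the table already has it."""
        hs_type, sid = parse_hello(record)
        if hs_type != SERVER_HELLO:
            raise ValueError("expected a ServerHello")
        if sid and sid not in self.affinity:
            self.affinity[sid] = resource
        return sid


def demo():
    """New session, resumed session, and a Session ID the balancer has never seen."""
    vb = SslVirtualBalancer(["server1", "server2", "server3"])
    first = vb.on_client_hello(build_hello(CLIENT_HELLO, b""))          # new session
    sid = bytes(range(16))                                              # allocated by server
    vb.on_server_hello(build_hello(SERVER_HELLO, sid), first)
    resumed = vb.on_client_hello(build_hello(CLIENT_HELLO, sid))        # sticks to first
    unknown = vb.on_client_hello(build_hello(CLIENT_HELLO, b"\xff" * 8))  # selected afresh
    return first, resumed, unknown, len(vb.affinity)


if __name__ == "__main__":
    print(demo())
```

The unknown-Session-ID case matters in practice: a client presenting a stale ID (for instance after the balancer restarted and lost its table) is treated as a new session, and if the server it lands on cannot resume that ID it will issue a fresh one in its Server Hello, which the table then records.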

HTTP Virtual Balancing with SSL Enabled

You can enable an HTTP type virtual balancer for SSL. In this situation, the SSL connection from the client is terminated at the virtual balancer's public interface. This allows the virtual balancer to decrypt the SSL messages and balance requests based on the cookie, as with normal HTTP type balancing; affinity table entries are based on cookies. Optionally, you can enable SSL for the connection from the private interface of the virtual balancer to the resource pool. This requires a separate SSL connection; without it, the decrypted requests travel between the virtual balancer and the web servers in the clear on the private network.

HTTP Virtual Balancer Configuration

The main example in this document concentrates on evenly distributing HTTP traffic between three web servers residing on the private side of a firewall. A load balancer eliminates the single point of failure (SPOF) that a lone web server introduces (the load balancer itself remains a single point of failure unless its redundancy feature, whose status is shown in Figure 5, is configured). The benefits of load sharing between web servers are:

  a cost saving, because lower-end machines can be used as the web servers
  the ability to take web servers out of the group for maintenance while keeping the others available for use.

The firewall in this example shields the servers from general Internet traffic. This example offers only a general introduction to configuring the firewall to work in conjunction with the load balancer. There are many firewall options, and these are fully explained in the Firewall chapter in your software reference manual.

Figure 1: Example configuration for an HTTP virtual balancer.

  Internet  --  AR410 public interface vlan2, IP=172.214.1.2 (HTTP virtual balancer "vb2")  --  AR410 private interface vlan3, IP=192.168.1.200  --  resource pool "rp2": Server 1 192.168.1.1, Server 2 192.168.1.2, Server 3 192.168.1.3

Configuration Example

The following example illustrates the steps required to configure an HTTP type virtual balancer, as illustrated in Figure 1.

1. Create a vlan and add the Internet (Public) interface. Before creating interfaces for the load balancer, you must enable IP on the switch. You then create a vlan and add the public interface.

  enable ip
  create vlan="vlan2" vid=2
  add vlan="vlan2" port=1
  add ip int=vlan2 ip=172.214.1.2 mask=255.255.255.0

2. Create another vlan and add the Server (Private) interface.

  create vlan="vlan3" vid=3
  add vlan="vlan3" port=2,3,4
  add ip int=vlan3 ip=192.168.1.200

3. Enable the firewall, and create a firewall policy for the load balancer.

  enable firewall
  create firewall policy="lb"

4. Set the timeouts for the various traffic types so that idle connections do not take too long to time out, then attach the private and public interfaces to the policy.

  set firewall policy="lb" tcptime=3 udptime=3 othertime=3
  add firewall policy="lb" int=vlan3 type=private
  add firewall policy="lb" int=vlan2 type=public

5. Add a rule to the policy to allow traffic to flow through the firewall on port 80, using the ACTION and PORT parameters. This rule can be tightened to allow only traffic destined for certain addresses on the public side, or only traffic from certain addresses on the public side.

  add firewall policy="lb" rule=1 action=allow int=vlan2 prot=tcp port=80

6. Enable the load balancer and create a resource pool that the servers can be assigned to. Here the ROUNDROBIN option is used to distribute the traffic load between servers.

  ena loadbalancer
  add loadbalancer respool=rp2 sel=roundrobin fail=no

Other methods of load distribution include:

WLEASTCONNECT. The virtual balancer selects the resource with the highest result when its assigned weight is divided by its number of current connections.

WLOTTERY. The load balancer randomly selects a resource from its resource pool. Resources with higher weights are more likely to be selected, but if all resources have the same weight, WLOTTERY gives a similar result to the ROUNDROBIN algorithm.

FASTESTRESPONSE. The load balancer selects the resource with the fastest response time, based on the resource health checks.

7. Add the servers to the resource pool.

  add loadbalancer resource=server1 ip=192.168.1.1 port=80 respool=rp2
  add loadbalancer resource=server2 ip=192.168.1.2 port=80 respool=rp2
  add loadbalancer resource=server3 ip=192.168.1.3 port=80 respool=rp2

The WEIGHT option can be specified here if required. The WEIGHT parameter specifies the preference applied to a resource when the virtual balancer selects a resource for an incoming connection: the higher the weight of a resource, the more likely it is to be selected. Weighting is useful when the processing power of the servers is uneven. For example, one server could have a 400 MHz CPU and 1 GB of main memory while another has only a 233 MHz CPU and 512 MB of memory; it is advantageous to have the more powerful machine receive more traffic, favouring it via a higher weight.

8. Create a new virtual balancer. Each virtual balancer maps to the resources in one resource pool. When a new virtual balancer is configured it is always in the DOWN (disabled) state, so it performs no balancing operations. To move a virtual balancer into the UP state so that it starts balancing, use the ENABLE LOADBALANCER VIRTUALBALANCER command.

  add loadbalancer virtualbalancer=vb2 publicip=172.214.1.2 publicport=80 respool=rp2 type=http affinity=yes policy=lb
  enable loadbalancer virtualbalancer=vb2

For an HTTP type balancer, the AFFINITY parameter specifies whether or not affinity table entries are made for cookies received from clients. If an entry exists for a client IP address or cookie in a virtual balancer's affinity table, the resource associated with that entry is used first to establish the connection. This means that no selection process takes place unless the connection fails.

Example outputs from the Load Balancer's SHOW commands

The following are examples of output from the load balancer's SHOW commands.

Figure 2: Example output from the SHOW LOADBALANCER command.

  Global Load Balancer Configuration
    Status ....................... ENABLED
    Affinity Timeout ............. 6000s
    Orphan Timeout ............... 300s
    Critical RST ................. 50%
    Total Resources .............. 3
    Total Resource Pools ......... 1
    Total Virtual Balancers ...... 1
    Current Connections .......... 2
    Health Check Pings ........... ENABLED
  Affinity List Populations
    Route affinities ............. 0
    TCP affinities ............... 1
    SSL affinities ............... 0
    HTTP affinities .............. 0

Figure 3: Example output from the SHOW LOADBALANCER AFFINITY command.

  Virtual Balancer Affinity Tables
  Number of Entries: 1
  Name   IP/Cookie     Resource   Expiry
  vb2    172.214.1.1   server1    2807s

Figure 4: Example output from the SHOW LOADBALANCER CONNECTIONS command.

  Virtual Balancer Connections
  Balancer Name   Client IP     Port   Resource
  vb2             172.214.1.1   1034   server1
  vb2             172.214.1.1   1035   server1

Figure 5: Example output from the SHOW LOADBALANCER REDUNDANCY command.

  Load Balancer Redundancy Information
    Redundancy Enabled ........... NO
    Peer Type .................... MASTER
    Peer Present ................. NO
    Current State ................ Initial
    Last Event ................... None
    Redundancy Port .............. 0
    Affinity Transfer ............ NO
    Redundant IP address ......... 0.0.0.0
    Redundant IP Mask ............ 0.0.0.0
    Peer IP address .............. 0.0.0.0
    Public Interface ............. -
  Message Counters
    Heart Beats Received ......... 0
    Heart Beats Sent ............. 0
    Affinity Entries Received .... 0
    Affinity Entries Sent ........ 0
    Resource Updates Received .... 0
    Resource Updates Sent ........ 0
    Slave Registrations Received . 0
    Slave Registrations Sent ..... 0
    Virtual Balancer Updates Received ... 0
    Virtual Balancer Updates Sent ....... 0

Figure 6: Example output from the SHOW LOADBALANCER RESOURCE command.

  Load Balancer Resources
  Name      IP            State   Allocated
  server1   192.168.1.1   UP      YES
  server2   192.168.1.2   DOWN    YES
  server3   192.168.1.3   DOWN    YES

Figure 7: Example output from the SHOW LOADBALANCER RESPOOL command.

  Load Balancer Resource Pools
  Name   Resources   Connections
  rp2    3           0

Figure 8: Example output from the SHOW LOADBALANCER VIRTUALBALANCER command.

  Load Balancer Virtual Balancers
  Name   Public IP/DOMAIN   Port
  vb2    172.214.1.2        80
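A check over the complete configuration example (steps 1 to 8), as an added example in Python; it is not code from this technical note or a tool shipped with the Allied Telesyn equipment. The note stresses that the load balancer will not operate if the firewall policy blocks traffic to the virtual balancer's public interface and port, that a new virtual balancer stays DOWN until enabled, and that each virtual balancer needs a resource pool with resources in it. The script parses the exact command lines from the example (embedded here as constructed input) and reports every virtual balancer for which one of those conditions does not hold, so the same commands can be checked before they are typed in. The key=value parsing, the expansion of the abbreviated verb ENA, and the wording of the findings are assumptions made for the example.

```python
import shlex

# Constructed input: the command lines from steps 1 to 8 of the configuration example.
EXAMPLE_CONFIG = """
enable ip
create vlan="vlan2" vid=2
add vlan="vlan2" port=1
add ip int=vlan2 ip=172.214.1.2 mask=255.255.255.0
create vlan="vlan3" vid=3
add vlan="vlan3" port=2,3,4
add ip int=vlan3 ip=192.168.1.200
enable firewall
create firewall policy="lb"
set firewall policy="lb" tcptime=3 udptime=3 othertime=3
add firewall policy="lb" int=vlan3 type=private
add firewall policy="lb" int=vlan2 type=public
add firewall policy="lb" rule=1 action=allow int=vlan2 prot=tcp port=80
ena loadbalancer
add loadbalancer respool=rp2 sel=roundrobin fail=no
add loadbalancer resource=server1 ip=192.168.1.1 port=80 respool=rp2
add loadbalancer resource=server2 ip=192.168.1.2 port=80 respool=rp2
add loadbalancer resource=server3 ip=192.168.1.3 port=80 respool=rp2
add loadbalancer virtualbalancer=vb2 publicip=172.214.1.2 publicport=80 respool=rp2 type=http affinity=yes policy=lb
enable loadbalancer virtualbalancer=vb2
"""


def parse(text):
    """Turn each command line into (verb, positional words, {parameter: value}).
    Quotes are stripped and everything is lower-cased; the abbreviated verb ENA is
    expanded to ENABLE (assumption: no other verb is abbreviated in the input)."""
    cmds = []
    for line in text.strip().splitlines():
        toks = shlex.split(line)
        if not toks:
            continue
        verb = toks[0].lower()
        if "enable".startswith(verb):
            verb = "enable"
        words, params = [], {}
        for tok in toks[1:]:
            if "=" in tok:
                key, value = tok.split("=", 1)
                params[key.lower()] = value.lower()
            else:
                words.append(tok.lower())
        cmds.append((verb, words, params))
    return cmds


def lint(cmds):
    """Return a list of findings. Empty means each virtual balancer has its policy, a
    public interface carrying its public IP, an ALLOW rule for its public port, a
    populated resource pool, and has been enabled."""
    findings = []
    policies = {p["policy"] for v, w, p in cmds if v == "create" and "firewall" in w and "policy" in p}
    iface_ip = {p["int"]: p["ip"] for v, w, p in cmds if v == "add" and "ip" in w and "int" in p}
    public_ifaces = {(p["policy"], p["int"]) for v, w, p in cmds
                     if v == "add" and "firewall" in w and p.get("type") == "public"}
    rules = [p for v, w, p in cmds if v == "add" and "firewall" in w and "rule" in p]
    lb_adds = [p for v, w, p in cmds if v == "add" and "loadbalancer" in w]
    pools = {p["respool"] for p in lb_adds
             if "respool" in p and "resource" not in p and "virtualbalancer" not in p}
    populated = {p["respool"] for p in lb_adds if "resource" in p}
    enabled = {p.get("virtualbalancer") for v, w, p in cmds if v == "enable" and "loadbalancer" in w}
    if not any(v == "enable" and "firewall" in w for v, w, p in cmds):
        findings.append("firewall is not enabled (the load balancer needs its NAT facility)")
    if None not in enabled:
        findings.append("load balancer is not enabled")
    for p in (p for p in lb_adds if "virtualbalancer" in p):
        vb, pol = p["virtualbalancer"], p.get("policy")
        pub_ip, port, pool = p.get("publicip"), p.get("publicport"), p.get("respool")
        if pol not in policies:
            findings.append(f"{vb}: firewall policy {pol} does not exist")
        iface = next((i for i, ip in iface_ip.items() if ip == pub_ip), None)
        if iface is None:
            findings.append(f"{vb}: public IP {pub_ip} is not configured on any interface")
        elif (pol, iface) not in public_ifaces:
            findings.append(f"{vb}: interface {iface} is not a public interface of policy {pol}")
        elif not any(r["policy"] == pol and r.get("action") == "allow" and r.get("int") == iface
                     and r.get("prot") == "tcp" and r.get("port") == port for r in rules):
            findings.append(f"{vb}: no ALLOW rule for tcp/{port} on {iface} in policy {pol}; clients will be blocked")
        if pool not in pools:
            findings.append(f"{vb}: resource pool {pool} is not defined")
        elif pool not in populated:
            findings.append(f"{vb}: resource pool {pool} has no resources")
        if vb not in enabled:
            findings.append(f"{vb}: not enabled, so it stays DOWN and performs no balancing")
    return findings


def lint_text(text):
    return lint(parse(text))


if __name__ == "__main__":
    for finding in lint_text(EXAMPLE_CONFIG) or ["configuration example passes all checks"]:
        print(finding)
```

Running it against the example produces no findings; changing the rule in step 5 to port=443, pointing the virtual balancer at an undefined pool, or leaving out the final ENABLE each produce one finding naming vb2, which are exactly the mistakes that otherwise show up only as a virtual balancer that silently passes no traffic.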