-
Catalyst 4840G Software Feature and Configuration Guide, Software Release 12.0(13)WT6(1)
-
Preface
-
Overview of Layer 3 Switching and Software Features
-
Before You Begin
-
Configuring the Router Processor
-
Configuring Interfaces
-
Server Load Balancing
-
Firewall Load Balancing
-
Configuring SLB Redundancy
-
Configuring Networking Protocols
-
Configuring Bridging
-
Configuring EtherChannel
-
Configuring NTP
-
Command Reference
-
Cisco IOS Commands Not Supported in Layer 3 Switching Software
-
Using Technical Support
-
Glossary
-
Table Of Contents
Automatic Server Failure Detection
Client-Assigned Load Balancing
Delayed Removal of TCP Connection Context
Dynamic Feedback Protocol for SLB
Network Address Translation (NAT)
Transparent Web Caches Balancing
Supported Standards, MIBs, and RFCs
Configurable URL-Based SLB Features
Required SLB Configuration Tasks
Configuring Restricted Clients
Sample SLB Network Configuration
Optional SLB Configuration Tasks
Specifying a Load Balancing Algorithm (Optional)
Configuring HTTP Redirect Load Balancing (Optional)
Specifying a Bind ID (Optional)
Configuring Real Server Attributes (Optional)
Adjusting Virtual Server Values (Optional)
Configuring SLB Dynamic Feedback Protocol (Optional)
Configuring SLB Network Address Translation (Optional)
Configuring HTTP Probe (Optional)
Required URL-Based SLB Configuration Tasks
Configuring Policy-Based Virtual Servers
Verifying Policy-Based Virtual Servers
Sample URL-Based SLB Network Configuration
Optional URL-Based SLB Configuration Tasks
Configuring TCP Parameters (Optional)
Configuring HTTP 1.1 (Optional)
Monitoring and Maintaining SLB
Server Load Balancing
This chapter describes the Server Load Balancing (SLB) feature and contains the following sections:
•
Required SLB Configuration Tasks
•
•
•
•
Note
SLB Overview
The SLB feature is an IOS-based solution that provides IP server load balancing. Using this feature, you can define a virtual server which represents a group of real servers in a cluster of network servers known as a server farm. In this environment a client connects to the IP address of the virtual server. When a client initiates a connection to the virtual server, the SLB function chooses a real server for the connection, based on a configured load-balancing algorithm.
IOS SLB also provides firewall load balancing, which balances flows across a group of firewalls called a firewall farm.
SLB provides server takeover capabilities in failure cases where one of the real servers goes out of service due to a scheduled or unscheduled outage. In the event of a real server failure, an available alternate server takes over the functions of the failed server with minimal disruption to the client.
Figure 5-1 illustrates an SLB network.
Figure 5-1
Logical View of SLB
SLB supports URL-based load balancing. URL-based SLB is an IOS-based solution that provides control over load balancing based on a URL. URL-based load balancing provides a way to intercept URL requests directed to a particular Web server and to distribute the requests across a set of server farms. Any server belonging to the server farm is capable of processing the request sent to the particular URL. The matching criteria used are exact match, longest match, prefix match, and suffix match.
Figure 5-2 illustrates a URL-based SLB network.
Figure 5-2
Logical View of URL-Based SLB
Configurable SLB Features
This section describes the features you can configure in SLB:
•
•
•
•
•
•
Algorithms for SLB
SLB provides two load-balancing algorithms: weighted round robin and weighted least connections. You can specify either algorithm as the basis for choosing a real server for each new connection request that arrives at the virtual server.
Weighted Round Robin
The weighted round robin algorithm specifies that the real server used for a new connection to the virtual server is chosen from the server farm in a circular fashion. Each real server is assigned a weight, n, that represents its capacity to handle connections, as compared to the other real servers associated with the virtual server. That is, new connections are assigned to a given real server n times before the next real server in the server farm is chosen.
For example, assume a server farm consisting of real server Server A with n = 3, Server B with n = 1, and Server C with n = 2. The first three connections to the virtual server are assigned to Server A, the fourth connection to Server B, and the fifth and sixth connections to Server C.
Note
Weighted Least Connections
The weighted least connections algorithm specifies that the next real server chosen from a server farm for a new connection to the virtual server is the server with the fewest (least) active connections. Each real server is assigned a weight for this algorithm. When weights are assigned, the decision of which server has the fewest connections is based on the number of active connections on each server, and on the relative capacity of each server. The capacity of a given real server is calculated as the assigned weight of that server divided by the sum of the assigned weights of all of the real servers associated with that virtual server, or n1/(n1+n2+n3...).
For example, assume a server farm consisting of real server Server A with n = 3, Server B with n = 1, and Server C with n = 2. Server A would have a calculated capacity of 3/(3+1+2), or half of all active connections on the virtual server, Server B one-sixth of all active connections, and Server C one-third of all active connections. At any point in time, the next connection to the virtual server would be assigned to the real server whose number of active connections is farthest below its calculated capacity.
Note
Alternate IP Addresses
SLB allows you to use Telnet to connect to the load-balancing device by using an alternate IP address. You can use either of the following methods:
•
•
This function is similar to the function provided by the LocalDirector (LD) alias command.
Automatic Server Failure Detection
SLB automatically detects each failed attempt to connect to a real server by means of TCP. SLB then increments a failure counter for that server. (The failure counter is not incremented if a failed TCP connection from the same client has already been counted.) If a server's failure counter exceeds a configurable failure threshold, the server is considered out of service and is removed from the list of active real servers.
Automatic Unfail
When a real server fails and is removed from the list of active servers, it is assigned no new connections for a length of time specified by a configurable retry timer. After that time expires, the server is again eligible for new virtual server connections, and SLB sends the server the next qualifying connection. If the connection is successful, the failed server is placed back on the list of active real servers. If the connection is unsuccessful, the server remains out of service and the retry timer is reset.
Client-Assigned Load Balancing
Client-assigned load balancing allows you to limit the subnets that use a virtual server by specifying the list of client IP subnets permitted to use the virtual server. With this feature a set of client IP subnets (such as internal subnets) connecting to a virtual IP address can be assigned to one server farm while a different set of clients (such as external clients) are assigned to a different server farm.
Content Flow Monitor Support
SLB supports the Cisco Content Flow Monitor (CFM), a Web-based status monitoring application within the CiscoWorks2000 product family. You can use CFM to manage Cisco server load-balancing devices. CFM runs on Windows NT and Solaris workstations and is accessed using a Web browser.
Delayed Removal of TCP Connection Context
Because of IP packet ordering anomalies, SLB might "see" the termination of a TCP connection (a finish [FIN] or reset [RST]) followed by other packets for the connection. This problem usually occurs when there are multiple paths that the TCP connection packets can follow. To correctly redirect the packets that arrive after the connection is terminated, SLB retains the TCP connection information, or context, for a specified length of time. The length of time the context is retained after the connection is terminated is controlled by a configurable delay timer.
Dynamic Feedback Protocol for SLB
SLB Dynamic Feedback Protocol (DFP) is a mechanism that allows host agents in load-balanced environments to dynamically report the change in status of the host systems that provide a virtual service. The status reported is a relative weight that specifies a host server's capacity to perform work.
When a DFP agent is defined on SLB, a TCP connection is initiated from the manager to the DFP agent. Once this connection is established, the agent periodically sends update information across the connection to SLB. This information is used by SLB as an aid in load balancing the real servers, as well as acting as an application-level keepalive for the connection. If an agent on the real server has no information to send, and an inactivity timeout was specified for this DFP agent, the agent must send an empty report to prevent termination of the connection. In the event of a failure, SLB uses a default weight for the real servers.
The DFP agent can be either software running on the real server or a separate unit that collects information from one or more real servers. The DFP agent consolidates the information, formats it into DFP, and reports the information to SLB at periodic intervals. If a need arises, such as a sudden change in a real server's ability to handle traffic, the DFP agent can send an early report.
Cisco Systems DistributedDirector can use DFP to obtain availability information on virtual servers from SLB. DistributedDirectors can use this information to identify load imbalances over multiple sites and distribute Internet traffic more evenly. The process is performed by a DFP manager on the DistributedDirector and a DFP agent on the SLB device. The DFP agent calculates an availability metric for the virtual servers, and the DFP manager uses the metric to make load distribution decisions.
HTTP Redirect Load Balancing
The HTTP redirect load balancing feature provides persistence across HTTP and SSL sessions. All HTTP requests that belong to the same transaction are directed to the same real server. An example of such a transaction is a user's shopping on the Web by adding items to a "shopping cart" and then electronically purchases them.
HTTP permits a Web server to redirect HTTP requests to another server. Using HTTP redirect load balancing, the Web server is identified by a public virtual IP address known as the Web Server Virtual Address (WSVA). When HTTP redirect load balancing is configured, SLB intercepts HTTP requests to the Web server and returns the IP address of an intermediate virtual server (a Redirected Server Virtual Address [RSVA]) to the originator of the HTTP request. The RSVA corresponds to a real server. After being redirected, the client then sends connection requests to the IP address of the RSVA instead of the WSVA. Because the SLB device maps an RSVA IP address to a single real server, persistence is created across the connections between the client and the real server.
The HTTP redirect load-balancing feature provides high performance by minimizing the number of TCP connections that must be proxied. This feature also monitors TCP connection events and therefore can quickly detect a real server failure. In case of server failure, packets are redirected to another RSVA or to a specified backup location if it is a new connection, or the connection is reset if it already exists.
Maximum Connections
SLB allows you to configure maximum connections for each server.
For server load balancing, you can configure a limit on the number of active connections that a real server is assigned. If the maximum number of connections is reached for that server, SLB automatically switches all further connection requests to another server until the connection number drops below the specified limit.
Network Address Translation (NAT)
Cisco IOS NAT, RFC 1631, allows unregistered private IP addresses to connect to the Internet by translating them into globally registered IP addresses. NAT also increases network privacy by hiding internal IP addresses from external networks.
SLB can operate in one of two redirection modes:
•
Note
•
SLB supports the following types of NAT:
•
Note
The network designer must ensure that outbound packets travel through IOS SLB, using one of the following methods:
–
–
–
•
Note
Figure 5-3 shows a sample SLB NAT topology.
Figure 5-3
Sample NAT Topology
The topology in Figure 5-3 has two Web servers running a single HTTP server application listening on port 80. Server 1 and Server 2 are load balanced by Switch A, which is performing server address translation.
See the "Configuring SLB Network Address Translation (Optional)" section to configure SLB NAT on the Catalyst 4840G SLB switch.
Port-Bound Servers
When you define a virtual server, you must specify the TCP or UDP port handled by that virtual server. However, if you configure NAT on the server farm, you can also configure port-bound servers. Port-bound servers allow one virtual server IP address to represent one set of real servers for one service, such as Hypertext Transfer Protocol (HTTP), and a different set of real servers for another service, such as Telnet.
Packets destined for a virtual server address for a port that is not specified in the virtual server definition are not redirected.
SLB supports both port-bound and non-port-bound servers, but port-bound servers are recommended.
Probes
SLB supports both HTTP probes and ping probes. Probes are a simple way to verify connectivity to devices being server load balanced, including devices on the other side of a firewall.
HTTP probes also allow you to monitor applications being server load balanced. With frequent probes the operation of each application is verified, not just connectivity to the application.
You can configure more than one probe for each server farm.
Server Load Balancing
Probes determine the status of each real server in a server farm. All real servers associated with all virtual servers tied to that server farm are probed.
If a real server fails for one probe, it fails for all probes. After the real server recovers, all probes must acknowledge its recovery before it is restored to service.
HTTP Probes
Configure the HTTP probe to expect status code 401; this will eliminate password problems. See the expect command for details.
Use the ip http server command to configure an HTTP server on the switch. See the description of the ip http server command in the Cisco IOS Configuration Fundamentals Command Reference for details.
Redundancy Enhancements
An SLB device can represent a single point of failure, and the servers can lose their connections to the backbone, if either of the following occurs:
•
•
To reduce that risk, SLB supports two redundancy options, both based on Hot Standby Router Protocol (HSRP):
•
•
SLB also supports active standby, by which two SLBs can load balance the same virtual IP address while simultaneously acting as backups for each other:
•
•
Slow Start
In an environment in which weighted least connections load balancing is used, a real server that is placed in service initially has no connections and can therefore be assigned so many new connections that it becomes overloaded. To prevent such an overload, the slow start feature controls the number of new connections that are directed to a real server that has just been placed in service.
Sticky Connections
When you use the sticky connections feature, new connections from a client IP address or subnet are assigned to the same real server (for server load balancing), just as previous connections from that address or subnet were assigned.
SLB creates "sticky objects" to track client assignments. These objects remain in the SLB device database after the last sticky connection is deleted, for a period defined by a configurable sticky timer. If the timer is configured on a virtual server, new connections from a client are sent to the same real server that handled the previous client connection, provided one of the following is true:
•
•
Sticky connections also permit the coupling of services that are handled by more than one virtual server. This allows connection requests for related services to use the same real server. For example, a Web server typically uses TCP port 80 for HTTP, and port 443 for HTTP Secure Socket Layer. If HTTP virtual servers and HTTPS virtual servers are coupled, connections for ports 80 and 443 from the same client IP address or subnet are assigned to the same real server.
SynGuard
To prevent a type of network problem known as a SYN flood denial-of-service attack, the SynGuard feature limits the rate of TCP SYNs handled by a virtual server . A user might send a large number of SYNs to a server, which could overwhelm the server or cause it to fail, denying service to other users. SynGuard prevents such an attack from bringing down SLB or a real server. SynGuard monitors the number of SYNs to a virtual server over a specific time interval and does not allow the number to exceed a configured SYN threshold. If the threshold is reached, any new SYNs are dropped.
TCP Session Reassignment
SLB tracks each SYN sent to a real server by a client attempting to open a new connection. If several consecutive SYNs are not answered, or if a SYN is replied to with an RST, the TCP session is reassigned to a new real server. The number of SYN attempts is controlled by a configurable reassign threshold.
Transparent Web Caches Balancing
You can use SLB to balance transparent Web caches if you know the IP addresses they are serving. To do this, configure the IP addresses (or some common subset of them) as virtual servers.
Note
SLB Restrictions
SLB has the following restrictions:
•
•
•
•
•
Supported Standards, MIBs, and RFCs
The following standards, MIBs, and RFCs are supported:
•
•
•
Configurable URL-Based SLB Features
This section describes the features you can configure in URL-based SLB:
Note
URL Map
URL maps are used to define URLs that are then associated with a URL-based SLB policy. A maximum of four URLs can be configured to a map. The URL configured as part of a URL map is a string containing a sequence of directories, which may terminate with a filename. Within this string the character "/" is the delimiter for each level of a directory. You can configure URLs for longest match, exact match, prefix match, and suffix match.
Server Farms
A server farm or pool is a collection of servers that have the same content. You specify the server farm name when you add servers to a server farm and when you bind a server pool to a virtual server.
Policies
A policy links a URL map to a server farm. The order in which policies are linked to a virtual server determines the precedence of the policy. There is no limit to the number of policies that can be created on a Catalyst 4840G SLB switch. When two or more policies match a requested URL, the policy with the highest precedence will be selected.
Note
Policy-Based Virtual Server
You can designate a policy-based virtual server to represent a group of server farms with policies associated with each server farm. In this environment the client connects to the IP address of the policy-based virtual server. When the client initiates a connection to the policy-based virtual server, the URL-based SLB function parses the URL request and selects the appropriate server farm, based on user-configured policies. The existing SLB function then chooses a real server for the connection, based on a configured load-balancing algorithm.
TCP Parameters
TCP is a connection-oriented protocol using known protocol messages for activation and deactivation of TCP sessions. In URL-based SLB, the Finite State Machine is used to correlate TCP signals such as SYN, SYN/ACK, FIN, and RST when adding or removing a connection from the connection database. These signals are also used for determining the number of connections per server and for detecting server failure and recovery.
HTTP 1.1
HTTP 1.1 provides you with the ability to have better cache management, chunk encoding, and have persistent connections. When you use HTTP 1.1, you can issue subsequent GET requests without having to open a new connection to the server. You can also pipeline HTTP 1.1's GET requests and request the server to service the GETs in an order different from the one entered.
For HTTP 1.1 to be enabled, URL-based SLB must be configured. The minimum configuration to enable HTTP 1.1 on the Catalyst 4840G SLB switch requires you to:
•
•
•
•
Figure 5-4 shows a sample URL-based SLB HTTP 1.1 topology.
Figure 5-4 Sample HTTP 1.1 Topology
The topology in Figure 5-4 shows two server farms running a single HTTP server application listening on port 80. Server 1 and Server 2 are load balanced using Switch A, which is performing server address translation. This topology would allow the following scenario to be accomplished in a way that would be invisible to the client issuing the GET requests:
•
•
•
•
In this scenario a GET request for an HTML file would be directed to Server 1. A subsequent GET request for a JPEG object would be redirected to Server 2.
URL-Based SLB Restrictions
URL-based SLB has the following restrictions:
•
•
•
Required SLB Configuration Tasks
This section describes the tasks necessary to configure a basic SLB network on the Catalyst 4840G SLB switch.
Configuring SLB involves identifying server farms, configuring groups of real servers in server farms, and configuring the virtual servers by which the real servers are represented to the clients. See the following sections for required configuration tasks for the SLB feature:
•
•
Sample SLB Device Network
Figure 5-5 shows a sample SLB network with the following components:
•
–
–
•
–
–
•
–
–
Figure 5-5 Sample SLB Device Network
To configure the SLB device network shown in this figure, perform this task, beginning in global configuration mode:
Configuring Server Farms
The following set of commands shows how to configure the server farm PUBLIC and associate its three real servers:
SLB-Switch# config tEnter configuration commands, one per line. End with CNTL/Z.SLB-Switch(config)# ip slb serverfarm PUBLICSLB-Switch(config-slb-sfarm)# real 10.1.1.1SLB-Switch(config-slb-real)# inserviceSLB-Switch(config-slb-real)# exitSLB-Switch(config-slb-sfarm)# real 10.1.1.2SLB-Switch(config-slb-real)# inserviceSLB-Switch(config-slb-real)# exitSLB-Switch(config-slb-sfarm)# real 10.1.1.3SLB-Switch(config-slb-real)# inserviceSLB-Switch(config-slb-real)# endThe following set of commands shows how to configure the server farm RESTRICTED and associate its two real servers:
SLB-Switch# config tEnter configuration commands, one per line. End with CNTL/Z.SLB-Switch(config)# ip slb serverfarm RESTRICTEDSLB-Switch(config-slb-sfarm)# real 10.1.1.20SLB-Switch(config-slb-real)# inserviceSLB-Switch(config-slb-real)# exitSLB-Switch(config-slb-sfarm)# real 10.1.1.21SLB-Switch(config-slb-real)# inserviceSLB-Switch(config-slb-real)# endSLB-Switch#Verifying Server Farms
The following command shows how to display the status of server farms PUBLIC and RESTRICTED, and their associated real servers and their status:
SLB-Switch# show ip slb realreal server farm weight state conns---------------------------------------------------------------------10.1.1.1 PUBLIC 8 INSERVICE 010.1.1.2 PUBLIC 8 INSERVICE 010.1.1.3 PUBLIC 8 INSERVICE 010.1.1.20 RESTRICTED 8 INSERVICE 010.1.1.21 RESTRICTED 8 INSERVICE 0SLB-Switch#The following command shows how to display the configuration and status of server farms PUBLIC and RESTRICTED:
SLB-Switch# show ip slb serverfarmserver farm predictor nat reals bind id---------------------------------------------------PUBLIC ROUNDROBIN none 3 0RESTRICTED ROUNDROBIN none 2 0SLB-Switch#Configuring Virtual Servers
The following set of commands shows how to configure the virtual servers PUBLIC_HTTP and RESTRICTED_HTTP:
SLB-Switch#SLB-Switch# config tEnter configuration commands, one per line. End with CNTL/Z.SLB-Switch(config)# ip slb vserver PUBLIC_HTTPSLB-Switch(config-slb-vserver)# virtual 10.0.0.1 tcp wwwSLB-Switch(config-slb-vserver)# serverfarm PUBLICSLB-Switch(config-slb-vserver)# inserviceSLB-Switch(config-slb-vserver)#16:17:48:ADD_WILDCARD:.(Information Deleted).index = 1SLB-Switch(config-slb-vserver)# exitSLB-Switch(config)# ip slb vserver RESTRICTED_HTTPSLB-Switch(config-slb-vserver)# virtual 10.0.0.2 tcp wwwSLB-Switch(config-slb-vserver)# serverfarm RESTRICTEDSLB-Switch(config-slb-vserver)# inserviceSLB-Switch(config-slb-vserver)#16:20:18:ADD_WILDCARD:.(Information Deleted).index = 1SLB-Switch(config-slb-vserver)# endSLB-Switch#Verifying Virtual Servers
The following command shows how to verify the configuration of the virtual servers PUBLIC_HTTP and RESTRICTED_HTTP:
SLB-Switch# show ip slb vserversslb vserver prot virtual state conns-------------------------------------------------------------------PUBLIC_HTTP TCP 10.0.0.1:80 INSERVICE 0RESTRICTED_HTTP TCP 10.0.0.2:80 INSERVICE 0SLB-Switch#SLB-Switch#Configuring Restricted Clients
The following set of commands shows how to remove the virtual server RESTRICTED_HTTP from service, allow the restricted client to have access to the virtual server, and then reenable the virtual server:
SLB-Switch# config tEnter configuration commands, one per line. End with CNTL/Z.SLB-Switch(config)# ip slb vserver RESTRICTED_HTTPSLB-Switch(config-slb-vserver)# no inserviceSLB-Switch(config-slb-vserver)#16:23:14:.(Information Deleted).index = 1SLB-Switch(config-slb-vserver)# client 10.4.4.0 255.255.255.0SLB-Switch(config-slb-vserver)# inserviceSLB-Switch(config-slb-vserver)#16:23:45:ADD_WILDCARD:src = 0 - 0.(Information Deleted).index = 1SLB-Switch(config-slb-vserver)# endSLB-Switch#Verifying Restricted Clients
The following command shows how to verify restricted client access and status:
SLB-Switch# show ip slb conns client 10.4.4.0vserver prot client real state nat-------------------------------------------------------------------------------RESTRICTED_HTTP TCP 10.4.4.0:80 10.1.1.20 CLOSING noneSLB-Switch#The following command shows how to display detailed information about restricted client access:
SLB-Switch# show ip slb conns client 10.4.4.0 detailVSTEST_UDP, client = 10.4.4.0:80state = CLOSING, real = 10.1.1.20, nat = nonev_ip = 10.0.0.2:80, TCP, service = NONEclient_syns = 0, sticky = FALSE, flows attached = 0SLB-Switch#Verifying SLB Connectivity
To verify that the SLB feature has been installed and is operating correctly, ping the real servers from the SLB switch, then ping the virtual servers from the clients.
The following command shows how to display detailed information about the SLB device network status:
SLB-Switch# show ip slb statsPkts via normal switching: 0Pkts via special switching: 6Connections Created: 1Connections Established: 0Connections Destroyed: 0Connections Reassigned: 0Zombie Count: 0Connections Reused: 0SLB-Switch#See the "Monitoring and Maintaining SLB" section for additional commands used to verify SLB networks and connections.
Sample SLB Network Configuration
The following command shows how to display the SLB device network shown in Figure 5-5:
SLB-Switch# show running-configBuilding configuration...Current configuration:!.(Information Deleted).ip slb probe PROBE2 httprequest method POST url /probe.cgi?allheader Cookie Monsterheader Authorization Basic U2VtaXN3ZWV0OmNoaXBz!ip slb serverfarm PUBLICnat serverreal 10.1.1.1inservicereal 10.1.1.2inservicereal 10.1.1.3inserviceprobe PROBE2!ip slb serverfarm RESTRICTEDpredictor leastconnsbindid 309real 10.1.1.1weight 32maxconns 1000reassign 4faildetect numconns 16retry 120inservicereal 10.1.1.20inservicereal 10.1.1.21inservice!ip slb vserver PUBLIC_HTTPvirtual 10.0.0.1 tcp wwwserverfarm PUBLICno inservice!ip slb vserver RESTRICTED_HTTPvirtual 10.0.0.2 tcp wwwserverfarm RESTRICTEDno advertisesticky 60 group 1idle 1800client 10.4.4.0 255.255.255.0synguard 3600000inservice!Optional SLB Configuration Tasks
This section describes a series of optional tasks you can perform to fine-tune the SLB configuration on your Catalyst 4840G SLB switch. It includes the following sections:
•
•
•
•
•
•
•
•
Specifying a Load Balancing Algorithm (Optional)
To determine which real server to use for each new connection request, the SLB feature uses one of two load-balancing algorithms: round-robin (the default) or least-connections. See the "Weighted Round Robin" section or the "Weighted Least Connections" section for detailed descriptions of these algorithms.
Note
To specify the load-balancing algorithm, perform this task in server farm configuration mode:
This example shows how to configure the weighted least-connections algorithm:
SLB-Switch(config)# ip slb serverfarm RESTRICTEDSLB-Switch(config-slb-sfarm)# predictor leastconnsConfiguring HTTP Redirect Load Balancing (Optional)
You can use the HTTP redirect load-balancing feature to provide persistence across HTTP and SSL sessions.
The following guidelines apply to HTTP redirect load balancing:
•
•
•
This example shows how to configure HTTP redirect load balancing on a server farm:
ip slb serverfarm ACME_SF1predictor roundrobin http-redirectwebhost 1 name www.acme.com!redirect-vserver ACME1_VSvirtual 40.1.1.1 tcp wwwwebhost 1 relocation www1.acme.com/%p 301webhost 1 backup www6.acme-inside.comssl httpsinservice!redirect-vserver ACME2_VSvirtual 40.1.1.2 tcp wwwwebhost 1 relocation www2.acme.com/sales/%pwebhost 1 backup www1.acme.com 301idle 240delay 15inservice!real 10.1.1.1weight 4faildetect numconns 4redirect-vserver ACME1_VSinservice!real 10.1.1.2weight 4reassign 2redirect-vserver ACME2_VSinservice!ip slb vserver ACME_VSvirtual 40.40.1.40 tcp wwwserverfarm ACME_SF1inserviceSpecifying a Bind ID (Optional)
The bind ID allows a single real server to be bound to multiple virtual servers and report a different weight, or workload capacity, for each server that it is bound to. The real server is represented as multiple instances of itself, each having a different bind ID. DFP uses the bind ID to identify the instance of the real server that is given a particular weight.
To configure a bind ID on the server farm for use by DFP, perform the following steps in server farm configuration mode:
This example shows how to configure a bind ID of 309 on server farm RESTRICTED:
SLB-Switch(config)# ip slb serverfarm RESTRICTEDSLB-Switch(config-slb-sfarm)# bindid 309Configuring Real Server Attributes (Optional)
To configure any of the following real server attributes, perform the following commands in real server configuration mode:
Adjusting Virtual Server Values (Optional)
To change the default settings of the virtual server values, perform the following commands in virtual server configuration mode:
This example shows how to remove the virtual server RESTRICTED_HTTP from service and then allow the restricted client in Figure 5-5 to have access to the virtual server:
SLB-Switch(config)# ip slb vserver RESTRICTED_HTTPSLB-Switch(config-slb-vserver)# no inserviceSLB-Switch(config-slb-vserver)#16:23:14:.(Information Deleted).index = 1SLB-Switch(config-slb-vserver)# client 10.4.4.0 255.255.255.0By default, virtual server addresses are advertised. That is, static routes to the Null0 interface are installed for the virtual server addresses. To advertise these static routes using the routing protocol, you must configure redistribution of static routes for the routing protocol. To prevent the installation of a static route, use the no form of the advertise command:
SLB-Switch(config-slb-vserver)# no advertiseThis example shows how to configure the delay timer to 20 seconds after the termination of the TCP connection to the virtual server:
SLB-Switch(config-slb-vserver)# delay 20The following command configures 180 seconds (3 minutes) as the idle time during which the SLB device maintains connectivity to the virtual server in the absence of packet activity:
SLB-Switch(config-slb-vserver)# idle 180This example shows how to configures 60 seconds as the time that connections from the same client use the same real server:
SLB-Switch(config-slb-vserver)# sticky 60 group 1This example shows how to configure the rate of TCP SYNs handled by the virtual server to 3600000:
SLB-Switch(config-slb-vserver)# synguard 3600000Configuring SLB Dynamic Feedback Protocol (Optional)
SLB Dynamic Feedback Protocol (DFP) allows host agents in load-balanced environments to dynamically report the change in status of the host systems providing a virtual service. The status reported is a relative weight that specifies a host server's capacity to perform work.
To configure SLB DFP, perform the following commands, beginning in global configuration mode:
Step 1
Configures DFP and optionally sets a password and initiates DFP configuration mode.
Step 2
Configures a DFP agent. See the agent command for more information.
Step 3
Assigns a DFP manager to the specified port. See the manager command for more information
This example shows how to make the following configurations:
•
•
SLB-Switch(config)# ip slb dfp password Cookies 360SLB-Switch(config-slb-dfp)# agent 10.1.1.1 2221•
SLB-Switch(config)# ip slb dfpSLB-Switch(config-slb-dfp)# manager 2345Configuring SLB Network Address Translation (Optional)
To configure SLB NAT for client mode, perform the following commands, beginning in global configuration mode:
This example shows how to configure a NAT server on server farm PUBLIC:
SLB-Switch(config)# ip slb serverfarm PUBLICSLB-Switch(config-slb-sfarm)# nat clientTo configure SLB NAT client mode for a specific server farm, perform the following commands, beginning in global configuration mode:
This example shows how to configure NAT clients on server farm FARM2:
SLB-Switch# config tEnter configuration commands, one per line. End with CNTL/Z.SLB-Switch(config)# ip slb natpool Web-clients 128.3.0.1 128.3.0.254 netmask 255.255.0.0SLB-Switch(config)# ip slb serverfarm FARM2SLB-Switch(config-slb-sfarm)# nat client Web-clientsSLB-Switch(config-slb-sfarm)# real 10.3.1.1SLB-Switch(config-slb-real)# inserviceSLB-Switch(config-slb-real)# exitSLB-Switch(config-slb-sfarm)# real 10.4.1.1 8080SLB-Switch(config-slb-real)# inserviceSLB-Switch(config-slb-real)# exitSLB-Switch(config-slb-sfarm)# real 10.4.1.1 8081SLB-Switch(config-slb-real)# inserviceSLB-Switch(config-slb-real)# exitSLB-Switch(config-slb-sfarm)# real 10.4.1.1 8082SLB-Switch(config-slb-real)# inserviceSLB-Switch(config-slb-real)# endSLB-Switch#00:27:00: %SYS-5-CONFIG_I: Configured from console by consoleSLB-Switch# config terminalEnter configuration commands, one per line. End with CNTL/Z.SLB-Switch(config)# ip slb vserver HTTP2SLB-Switch(config-slb-vserver)# virtual 128.2.0.1 tcp wwwSLB-Switch(config-slb-vserver)# serverfarm FARM2SLB-Switch(config-slb-vserver)# inserviceSLB-Switch(config-slb-vserver)#00:28:21:ADD_WILDCARD:(Information Deleted)SLB-Switch# copy running-config startup-configDestination filename [startup-config]?Building configuration...[OK]SLB-Switch#This example shows the final configuration after a NAT client pool was configured using the
previous task:SLB-Switch# show running-configBuilding configuration...(Information Deleted)!ip slb natpool WEB-CLIENTS 128.3.0.1 128.3.0.254 netmask 255.255.0.0 entries 8000 13851890ip slb serverfarm FARM2nat servernat client WEB-CLIENTSreal 10.3.1.1faildetect numconns 8 numclients 2inservicereal 10.4.1.1 8080faildetect numconns 8 numclients 2inservicereal 10.4.1.1 8081faildetect numconns 8 numclients 2inservicereal 10.4.1.1 8082faildetect numconns 8 numclients 2inservice!ip slb vserver HTTP2virtual 128.2.0.1 tcp wwwserverfarm FARM2inservice!Sample NAT Configuration
Figure 5-6 shows a sample SLB NAT configuration topology.
Figure 5-6 Sample NAT Topology
The topology in Figure 5-6 has two Web servers running a single HTTP server application listening on port 80.
Server 1 and Server 2 are load balanced using Switch A, which is performing server address translation.
The configuration statements for Switch A are:
ip slb serverfarm FARM1! Translate server addressesnat server! Server 1 port 80real 10.1.1.1inservice! Server 2 port 80real 10.2.1.1inservice!ip slb vserver HTTP1! Handle HTTP (port 80) requestsvirtual 128.1.0.1 tcp wwwserverfarm FARM1inserviceConfiguring HTTP Probe (Optional)
An HTTP probe allows you to monitor the applications that are server load balanced. With frequent probes you can verify the operation of the application and connectivity to the application.
The basic requirement of an HTTP probe is to determine the real server status, by issuing an HTTP GET against each real server in a server farm. For a detailed description, see the "TCP Session Reassignment" section.
To configure an HTTP probe, perform the following commands, beginning in global configuration mode:
Figure 5-7 shows a sample configuration with IOS SLB real server connections configured as part of a server farm. The example focuses on using ping and HTTP probes to monitor applications being server load balanced.
Figure 5-7 Sample Ping and HTTP Probe Topology
The topology shown in Figure 5-7 is a heterogeneous server farm servicing a single virtual server. Following are the configuration statements for this topology, including a ping probe named PROBE1 and an HTTP probe named PROBE2:
! Configure ping probe PROBE1, change CLI to IOS SLB probe configuration modeSLB-Switch(config)# ip slb probe PROBE1 ping! Configure probe to receive responses from IP address 13.13.13.13SLB-Switch(config-slb-probe)# address 13.13.13.13! Configure unanswered ping threshold to 16SLB-Switch(config-slb-probe)# faildetect 16! Configure ping probe timer interval to transmit every 11 secondsSLB-Switch(config-slb-probe)# interval 11! Configure HTTP probe PROBE2SLB-Switch(config-slb-probe)# ip slb probe PROBE2 http! Configure request method as POST, set URL as /probe.cgi?allSLB-Switch(config-slb-probe)# request method post url /probe.cgi?all! Configure header Cookie MonsterSLB-Switch(config-slb-probe)# header name Cookie Monster! Configure basic authentication username and passwordSLB-Switch(config-slb-probe)# credentials Semisweet chips! Exit to global configuration modeSLB-Switch(config-slb-probe)# exit! Enter IOS SLB server farm configuration mode for server farm PUBLICSLB-Switch(config)# ip slb serverfarm PUBLIC! Configure NAT server and real servers on the server farmSLB-Switch(config-slb-sfarm)# nat serverSLB-Switch(config-slb-sfarm)# real 10.1.1.1SLB-Switch(config-slb-sfarm)# inserviceSLB-Switch(config-slb-sfarm)# real 10.1.1.2SLB-Switch(config-slb-sfarm)# inserviceSLB-Switch(config-slb-sfarm)# real 10.1.1.3SLB-Switch(config-slb-sfarm)# inserviceSLB-Switch(config-slb-sfarm)# real 10.1.1.4SLB-Switch(config-slb-sfarm)# inserviceSLB-Switch(config-slb-sfarm)# real 10.1.1.5SLB-Switch(config-slb-sfarm)# inservice! Configure ping probe on the server farmSLB-Switch(config-slb-sfarm)# probe PROBE1! Configure HTTP probe on the server farmSLB-Switch(config-slb-sfarm)# probe PROBE2SLB-Switch(config-slb-sfarm)# end!Required URL-Based SLB Configuration Tasks
This section describes the steps necessary to configure basic URL-based SLB on the Catalyst 4840G SLB switch.
Configuring URL-based SLB involves configuring URL maps, identifying server farms, configuring policies, and configuring policy-based virtual servers. See the following sections for required configuration tasks for the URL-based SLB feature:
•
•
•
For an example of configuring server farms, see the "Configuring Server Farms" section.
To configure the URL-based SLB network shown in Figure 5-2, perform the following commands, beginning in global configuration mode:
Configuring URL Maps
This example shows how to group URLs and associate them with a Content Switching policy:
SLB-Switch(config)#ip slb map m1SLB-Switch(config-slb-map)#match protocol http url /index.htmlSLB-Switch(config-slb-map)#match protocol http url /stocks/csco/SLB-Switch(config-slb-map)#match protocol http url *gifSLB-Switch(config-slb-map)#match protocol http url /st*SLB-Switch(config-slb-map)#exitVerifying URL Maps
This example shows how to display URL maps associated with a Content Switching policy:
SLB-Switch#show ip slb mapURL map M1 rules:/SLB-Switch#Configuring Policies
This example shows how configure URL-based SLB policies:
SLB-Switch(config)#ip slb policy policy_contentSLB-Switch(config-slb-policy)#serverfarm new_serverfarmSLB-Switch(config-slb-policy)#url-map url_map_1SLB-Switch(config-slb-policy)#exitSLB-Switch(config)Verifying Policies
This example shows how to display the policies associated with a Content Switching policy:
SLB-Switch#show ip slb policyURL policy: P1url map: M1serverfarm: SF1URL policy: POLICY_CONTENTurl map: URL_MAP_1serverfarm: NEW_SERVERFARMURL policy: SHOWurl map:serverfarm:SLB-Switch#Configuring Policy-Based Virtual Servers
Configuring a policy-based virtual server involves configuring the attributes of the virtual server and associating it with one or more URL-based policies and a default server farm.
This example shows how to configure a policy-based virtual server named CONTENT_AWARE:
SLB-Switch(config)# ip slb vserver CONTENT_AWARESLB-Switch(config-slb-vserver)# virtual 10.0.0.1 tcp wwwSLB-Switch(config-slb-vserver)# serverfarm PUBLICSLB-Switch(config-slb-vserver)# slb-policy policy_content1SLB-Switch(config-slb-vserver)# slb-policy policy_content2SLB-Switch(config-slb-vserver)# slb-policy policy_content3SLB-Switch(config-slb-vserver)# inserviceSLB-Switch(config-slb-vserver)#16:17:48:ADD_WILDCARD:.This example shows how to configure a policy-based virtual server named content_aware:
SLB-Switch(config-ip-slb)> ip slb vserver vs_content_awareSLB-Switch(config-ip-slb)> slb-policy policy_contentSLB-Switch(config-ip-slb)> serverfarm default_serverfarmSLB-Switch(config-ip-slb)> exitVerifying Policy-Based Virtual Servers
This example shows how to verify the configuration of the policy-based virtual servers:
SLB-Switch# show ip slb vserversslb vserver prot virtual state conns-------------------------------------------------------------------PUBLIC_HTTP TCP 10.0.0.1:80 INSERVICE 0RESTRICTED_HTTP TCP 10.0.0.2:80 INSERVICE 0CONTENT_AWARE TCP 10.0.0.2:80 INSERVICE 0SLB-Switch#SLB-Switch#Sample URL-Based SLB Network Configuration
This example shows how to display the URL-based SLB network shown in Figure 5-2:
SLB-Switch# show running-configip slb serverfarm IMAGESpredictor leastconns...real 10.1.1.1...inservicereal 10.1.1.2...inservice!ip slb serverfarm STOCKSpredictor leastconns...real 10.1.2.1...inservicereal 10.1.2.2...inservice!ip slb serverfarm ABCpredictor leastconns...real 10.1.3.1...inservice!ip slb map image_urlmatch protocol http url /images/ method GETip slb map stock_urlmatch protocol http url /stocks/ method GETip slb policy image_policyurl_map image_urlserverfarm IMAGESip slb policy stock_policyurl_map stock_policyserverfarm STOCKSip slb vserver PUBLIC_ABCvirtual 172.20.1.10 tcp www...slb-policy image_policyslb_policy stock_policyserverfarm ABCinserviceOptional URL-Based SLB Configuration Tasks
This section describes the steps you can take to fine-tune the URL-based SLB configuration on your Catalyst 4840G SLB switch. It includes the following sections:
•
•
Configuring TCP Parameters (Optional)
This example shows how configure TCP parameters for virtual servers:
SLB-Switch (config)> ip slb vserver barnettSLB-Switch(config-slb-vserve)#idle 255SLB-Switch(config-slb-vserve)exitSLB-Switch (config)> timeout 10SLB-Switch (config)> exitConfiguring HTTP 1.1 (Optional)
This example shows how configure HTTP 1.1:
SLB-Switch (config)> ip slb http11 enableSLB-Switch (config)> exitMonitoring and Maintaining SLB
You can display runtime information about SLB using these commands in EXEC mode:
