This document addresses a problem where Windows Load Balancing Server (WLBS) causes slow traffic through switches.
WLBS on Windows NT and Windows 2000 allows servers to load balance traffic between groups (clusters) of servers. WLBS operates by sharing a virtual IP address so that all servers see all traffic destined for the cluster's IP address. In certain configurations, WLBS can cause large quantities of unicast floods on a switch. This is not a switch problem but expected behavior.
Refer to Cisco Technical Tips Conventions for more information on document conventions.
There are no specific prerequisites for this document.
This document is not restricted to specific software and hardware versions.
This problem appeared as a customer was monitoring traffic because there was a slow response across a specific switch. The customer saw unicast packets appearing on a Switched Port Analyzer (SPAN) port, where they should not appear. A SPAN is a feature of the Catalyst 5000 switch that extends the monitoring abilities of existing network analyzers into a switched Ethernet environment. SPAN mirrors the traffic at one switched segment onto a predefined SPAN port. A network analyzer attached to the SPAN port can monitor traffic from any of the other Catalyst switched ports. The unicast frames contained source addresses of the WLBSs.
A unicast frame is destined to one unique host, and the SPAN port should not see it, except in the situation of a flood. In the case of a flood, the switch will know the MAC address of the destination host after the first frame requesting this information comes back from the destination. The host on the particular port the customer in this situation was examining was not the destination for these frames. The problem may manifest itself in the following ways:
Slow response on a given switch.
Slow response on a given switch on a given Virtual LAN (VLAN).
If the flooding gets bad enough, it could conceivably cause Spanning Tree problems if the switch loses Bridge Protocol Data Units (BPDUs) from other switches.
There are several ways an NT administrator can choose to configure WLBS. The implications of these choices need to be understood because configuring WLBS can impact an internetwork in negative ways. Once the WLBS configuration options are configured properly, per the Microsoft recommendation, problems that match the problems in this document should no longer be present on a switch.
Refer to article 193602 on Microsoft's Web Site for WLBS Layer 2 configuration options:
Configuration Options for WLBS Hosts Connected to a Layer 2 Switches
Another workaround for multicast traffic is to disable IGMP snooping or turn off PIM if you do not require multicast routing or do not have much multicast traffic on the VLAN. If snooping is left on, the switch prgrams only the multicast MAC addresses into the MAC address table if it receives IGMP joins on those ports. Disabling snooping is not be recommended if you have a lot of generic multicast traffic; in this case, the best solution is to create static MAC address mappings for the ports to which the servers are connected.
There are also Layer 3 implications with regards to the Address Resolution Protocol (ARP).
Refer to article 244091 and 197862 on the Microsoft web site: