Documente Academic
Documente Profesional
Documente Cultură
Release 11.0.00
ServerIron 350 & 350-PLUS ServerIron 350 & 350-PLUS ServerIron 450 & 450-PLUS
Release Date: September 18, 2008 Publish Date: September 18, 2008
Copyright 2008 Foundry Networks, Inc. All rights reserved. No part of this work may be reproduced in any form or by any means graphic, electronic or mechanical, including photocopying, recording, taping or storage in an information retrieval system without prior written permission of the copyright owner. The trademarks, logos and service marks ("Marks") displayed herein are the property of Foundry or other third parties. You are not permitted to use these Marks without the prior written consent of Foundry or such appropriate third party. Foundry Networks, BigIron, Terathon, FastIron, IronView, JetCore, NetIron, ServerIron, SecureIron, TurboIron, IronWare, EdgeIron, IronPoint, the Iron family of marks and the Foundry Logo are trademarks or registered trademarks of Foundry Networks, Inc. in the United States and other countries. F-Secure is a trademark of F-Secure Corporation. All other trademarks mentioned in this document are the property of their respective owners.
Foundry Networks 4980 Great America Parkway Santa Clara, CA 95054 Tel 408.207.1700 www.foundrynetworks.com
Contents
September 2008
iii
SLOW-START MECHANISM ....................................................................................................................3-2 LOAD-BALANCING PREDICTOR ..............................................................................................................3-2 LEAST CONNECTIONS .................................................................................................................... 3-3 ROUND ROBIN ............................................................................................................................... 3-3 WEIGHTED .................................................................................................................................... 3-3 SERVER RESPONSE TIME ONLY ....................................................................................................... 3-3 LEAST CONNECTION AND SERVER RESPONSE TIME WEIGHTS............................................................ 3-3 LEAST LOCAL CONNECTIONS .......................................................................................................... 3-4 LEAST LOCAL SESSIONS ................................................................................................................. 3-4 DYNAMIC WEIGHTED PREDICTOR ................................................................................................... 3-4 DYNAMIC-WEIGHTED DIRECT ................................................................................................................3-4 DYNAMIC-WEIGHTED REVERSE .............................................................................................................3-5 CONFIGURABLE APPLICATION GROUPING .....................................................................................................3-5 STICKY CONNECTIONS .........................................................................................................................3-6 CONFIGURABLE TCP/UDP APPLICATION GROUPS .................................................................................3-6 CONCURRENT CONNECTIONS ...............................................................................................................3-6 STICKY VIPS ........................................................................................................................................3-7 UNLIMITED VIPS ..................................................................................................................................3-7 GEOGRAPHICALLY-DISTRIBUTED SERVERS ..................................................................................................3-7 SYMMETRIC SLB ........................................................................................................................................3-8 LINK-LEVEL REDUNDANCY ....................................................................................................................3-9 SWITCHBACK .............................................................................................................................................3-9 MANY-TO-ONE TCP/UDP PORT BINDING .................................................................................................3-10 BINDING SAME REAL PORTS TO MULTIPLE VIP PORTS ..............................................................................3-11 PORT RANGES .........................................................................................................................................3-12 DEFINING A PORT RANGE ...................................................................................................................3-12 USING A PORT RANGE UNDER A REAL SERVER DEFINITION .................................................................3-13 USING A PORT RANGE UNDER A VIRTUAL SERVER DEFINITION ............................................................3-13 BINDING A PORT RANGE FOR VIRTUAL PORTS TO A REAL SERVER ......................................................3-13 DEFINING PORT PROFILE FOR PORT RANGE .......................................................................................3-14 DISPLAYING A LIST OF PORT RANGES .................................................................................................3-14 HTTP REDIRECT ......................................................................................................................................3-15 TRANSPARENT VIP AND STATELESS APPLICATION PORTS ..........................................................................3-16 WINDOWS TERMINAL SERVER WITH L7 PERSISTENCE ................................................................................3-16 UNDERSTANDING WINDOWS TERMINAL SERVER ..................................................................................3-16 CONFIGURING WINDOWS TERMINAL SERVER .......................................................................................3-17 TFTP LOAD BALANCING ...........................................................................................................................3-18 MULTINETTING USING NAT .......................................................................................................................3-18 CONFIGURING SLB ...................................................................................................................................3-19 CONFIGURATION GUIDELINES .............................................................................................................3-20 DEFINING THE REAL SERVERS AND ADDING THE APPLICATION PORTS .................................................3-21 CLONING REAL SERVERS ............................................................................................................. 3-21 DEFINING A VIRTUAL SERVER (VIP) ....................................................................................................3-22 BINDING VIRTUAL AND REAL SERVERS ................................................................................................3-22 DELETING A VIP ................................................................................................................................3-23 GLOBAL SETTINGS FOR SLB ..............................................................................................................3-24 FAST-PATH SLB PROCESSING ..................................................................................................... 3-24 CONFIGURATION CONSIDERATIONS .....................................................................................................3-24
iv 2008 Foundry Networks, Inc. September 2008
ENABLING FAST-PATH PROCESSING FOR STATELESS SLB ..................................................................3-26 GLOBALLY CHANGING THE LOAD-BALANCING METHOD .................................................................. 3-26 CONFIGURING THE ENHANCED WEIGHTED PREDICTOR .................................................................. 3-26 ASSIGNING WEIGHTS TO THE REAL SERVERS ............................................................................... 3-27 ENABLING THE WEIGHTED PREDICTOR ......................................................................................... 3-28 ENABLING THE ENHANCED WEIGHTED PREDICTOR........................................................................ 3-28 COMPARISON OF CONNECTION ASSIGNMENTS .............................................................................. 3-28 CONFIGURING DYNAMIC WEIGHTED PREDICTOR ........................................................................... 3-30 CONFIGURATION EXAMPLE ........................................................................................................... 3-30 DYNAMIC-WEIGHTED DIRECT ....................................................................................................... 3-30 DYNAMIC-WEIGHTED REVERSE .................................................................................................... 3-31 DELETION OF UDP DATA SESSION ALONG WITH TCP CONTROL SESSION FOR RTSP .................. 3-31 IDENTIFYING THE PORTS ATTACHED TO A ROUTER ....................................................................... 3-31 LIMITING THE MAXIMUM NUMBER OF TCP SYN REQUESTS........................................................... 3-31 CONFIGURING THE WARNING AND SHUTDOWN THRESHOLDS ......................................................... 3-31 CONFIGURING WARNING AND SHUTDOWN THRESHOLDS FOR ALL REAL SERVERS......................... 3-32 CONFIGURING WARNING AND SHUTDOWN THRESHOLDS FOR AN INDIVIDUAL REAL SERVER ............ 3-32 VIEWING THRESHOLD MESSAGES IN THE SYSLOG ......................................................................... 3-32 SENDING ICMP PORT UNREACHABLE OR DESTINATION UNREACHABLE MESSAGES ....................... 3-33 SENDING A TCP RST TO A CLIENT THAT REQUESTS UNAVAILABLE APPLICATIONS ........................ 3-34 SENDING A TCP RST WHEN TCP SESSION ENTRY AGES OUT .................................................... 3-34 DISABLING TCP RST MESSAGE WHEN A REAL SERVER GOES DOWN DURING AN OPEN SESSION 3-34 DISABLING TCP RST MESSAGE ON MAXIMUM CONNECTIONS ....................................................... 3-35 ADDING A SOURCE IP ADDRESS .................................................................................................. 3-35 ENABLING SOURCE NAT GLOBALLY ............................................................................................. 3-37 MINIMIZING SOURCE-IP AND SOURCE-NAT-IP REQUIREMENTS FOR LARGE DEPLOYMENTS ........................3-37 OVERVIEW .........................................................................................................................................3-37 CONFIGURATION ................................................................................................................................3-38 ENABLING PORT ALLOCATION PER REAL SERVER FOR SOURCE IP ............................................... 3-38 ENABLING PORT ALLOCATION PER REAL SERVER FOR SOURCE NAT IP ....................................... 3-38 LOGGING PORT EXHAUSTION MESSAGE ....................................................................................... 3-39 SHOW AND DEBUG COMMANDS ..........................................................................................................3-39 SHOW SOURCE-IP <SOURCE IP> [<REAL-SERVER IP> | ALL]............................................................ 3-39 SHOW SERVER REAL <NAME> | <IP> ............................................................................................. 3-40 SHOW SESSION ALL ...................................................................................................................... 3-40 SOURCE-IP-DEBUG ....................................................................................................................... 3-41 ENABLING USE OF THE CLIENT MAC ADDRESS .........................................................................................3-41 ENABLING REVERSE NAT ............................................................................................................ 3-41 DYNAMIC NAT FOR REAL SERVERS USING VIRTUAL SERVER ADDRESS ........................................ 3-42 DECREMENT COUNTERS IN DELETION QUEUE ............................................................................................3-42 OVERVIEW OF DECREMENT COUNTERS IN DELETION QUEUE ...............................................................3-42 ENABLING DECREMENT SESSION COUNTERS IN DELETION QUEUE .......................................................3-43 ENABLING FORCE-DELETE ........................................................................................................... 3-43 SETTING THE STICKY AGE ........................................................................................................... 3-44 ENABLING TRANSPARENT VIP ...................................................................................................... 3-45 CONFIGURING TCP FAST AGING .................................................................................................. 3-45 DECREMENTING THE CURRENT CONNECTION COUNTER FOLLOWING A SERVER RST..................... 3-46 DISABLING VIPS .......................................................................................................................... 3-46 ENABLING SYN ACK THRESHOLD ................................................................................................ 3-46 ENABLING SYNCHRONIZATION LINK FOR SYMMETRIC SLB ............................................................. 3-46 ENABLING NO-GRACEFUL-SHUTDOWN .......................................................................................... 3-47 ENABLING BACKUP TRUNK PORT ................................................................................................. 3-47
September 2008
REPLACING THE SOURCE MAC ADDRESS OF THE PACKET ............................................................ 3-47 REAL SERVER SETTINGS ..........................................................................................................................3-47 CHANGING A REAL SERVERS IP ADDRESS .........................................................................................3-47 ADDING A DESCRIPTION .....................................................................................................................3-48 CONFIGURING A LOCAL OR REMOTE REAL SERVER .............................................................................3-48 CONFIGURING A LOCAL REAL SERVER.......................................................................................... 3-48 CONFIGURING A REMOTE REAL SERVER....................................................................................... 3-48 CONFIGURING PRIMARY AND BACKUP SERVERS ..................................................................................3-49 DESIGNATING A REAL SERVER AS A BACKUP ................................................................................ 3-50 ENABLING A VIP TO USE THE PRIMARY AND BACKUP SERVERS .................................................... 3-50 CONFIGURATION EXAMPLE ........................................................................................................... 3-50 DESIGNATING A REAL SERVER PORT AS A BACKUP ...................................................................... 3-51 DISABLING A REAL SERVER ................................................................................................................3-52 ADDING APPLICATION PORTS TO A REAL SERVER ...............................................................................3-52 CONFIGURING A HOST RANGE ............................................................................................................3-52 CONFIGURING HOST-RANGE MAPS .............................................................................................. 3-53 DEFINING THE MAXIMUM NUMBER OF SESSIONS .................................................................................3-56 CONFIGURING LOCAL MAX-CONN .......................................................................................................3-57 CONFIGURING LOCAL MAX-CONN FOR A REAL SERVER ................................................................ 3-57 CONFIGURING LOCAL MAX-CONN FOR A REAL SERVER PORT ....................................................... 3-58 SETTING THE TRAFFIC RATE THRESHOLD ...........................................................................................3-58 SETTING WARNING AND SHUTDOWN THRESHOLDS FOR A SERVER .......................................................3-58 VIEWING THRESHOLD MESSAGES IN THE SYSLOG ......................................................................... 3-59 DISABLING LAYER 3 HEALTH CHECK ON A REAL SERVER ....................................................................3-60 ENABLING SOURCE NAT ON A REAL SERVER ......................................................................................3-60 CONFIGURING THE WEIGHT FOR REAL SERVER ...................................................................................3-60 SETTING A REAL SERVERS WEIGHT BASED ON RESPONSE TIME .................................................. 3-61 REAL SERVER PORTS ...............................................................................................................................3-62 DISALBING OR RE-ENABLING APPLICATION PORTS ...............................................................................3-62 GLOBALLY DISABLING APPLICATION PORTS .................................................................................. 3-62 DISABLING SLB TO A SERVER WHEN AN APPLICATION IS DOWN ................................................... 3-63 UNBINDING ALL APPLICATION PORTS FROM VIRTUAL SERVERS ............................................................3-63 REBINING AN APPLICATION PORT TO A VIRTUAL SERVER .............................................................. 3-63 ENABLING OR DISABLING THE KEEPALIVE HEALTH CHECK ...................................................................3-64 CONFIGURING THE CONNECTION RATE ...............................................................................................3-64 LAYER 7 HEALTH CHECK PARAMETERS ...............................................................................................3-65 VIP SETTINGS ..........................................................................................................................................3-65 ADDING APPLICATION PORTS AND BINDINGS .......................................................................................3-65 CONFIGURING PRIMARY AND BACKUP SERVERS ..................................................................................3-65 ENABLING A VIP TO USE THE PRIMARY AND BACKUP SERVERS .................................................... 3-66 CONFIGURING A HOST RANGE ............................................................................................................3-66 ENABLING HTTP REDIRECT ON A VIRTUAL SERVER ............................................................................3-66 CHANGING THE LOAD BALANCING METHOD ON A VIRTUAL SERVER ......................................................3-67 SETTING SYMMETRIC SLB PRIORITY ...................................................................................................3-67 TRACKING THE PRIMARY PORT ...........................................................................................................3-67 CONFIGURING A TRACK PORT GROUP ................................................................................................3-68 TRACK GROUP HEALTH CHECK FOR REAL SERVERS ...........................................................................3-69 SAMPLE CONFIGURATION ............................................................................................................. 3-69 ENABLING TRACK PORTS IN A TRACK GROUP TO UNBIND ....................................................................3-69
vi 2008 Foundry Networks, Inc. September 2008
IDENTIFYING VIP PORT AS TCP ONLY OR UDP ONLY .........................................................................3-70 ENABLING SERVER CLUSTER SUPPORT ..............................................................................................3-70 ENABLING FAST AGING FOR UDP SESSIONS .......................................................................................3-70 ENABLING NORMAL UDP AGING FOR DNS AND RADIUS ....................................................................3-71 ENABLING TRANSPARENT VIP ............................................................................................................3-71 SETTING TCP AND UDP AGES FOR VIPS ...........................................................................................3-71 PER SERVER BASED REAL SERVER BACKUP .............................................................................................3-72 OVERVIEW OF PER SERVER BASED REAL SERVER BACKUP ................................................................3-72 CURRENT BACKUP SCHEME ......................................................................................................... 3-72 PER SERVER BASED BACKUP SCHEME......................................................................................... 3-73 REAL SERVER BACKUP COMMANDS ....................................................................................................3-73 SERVER BACKUP ASSOCIATION .................................................................................................... 3-74 SERVER PORT BACKUP ASSOCIATION .......................................................................................... 3-74 DISPLAY THE BACKUP BINDINGS .................................................................................................. 3-74 VIRTUAL SERVER PORTS ..........................................................................................................................3-75 DISABLING OR RE-ENABLING AN APPLICATION PORT ............................................................................3-75 GLOBALLY DISABLING REAL AND VIRTUAL PORTS ................................................................................3-75 CONFIGURING STICKY PORTS .............................................................................................................3-76 CONFIGURING STICKINESS BASED ON CLIENTS SUBET .......................................................................3-76 INCREASE STICKY-AGE PER VIP LONGER THAN 60 MINUTES ................................................................3-77 ENABLING A CONCURRENT PORT ........................................................................................................3-77 CONFIGURING THE SMOOTH FACTOR ..................................................................................................3-77 CONFIGURING A STATELESS PORT ......................................................................................................3-79 CONFIGURING VIRTUAL SOURCE .........................................................................................................3-79 DISABLING PORT TRANSLATION ..........................................................................................................3-80 ENABLING THE SERVERIRON TO USE THE ALIAS PORTS STATE ...........................................................3-80 STICKY CONNECTION RETURN FROM BACKUP SERVER TO PRIMARY ....................................................3-81 PERFORMING SLB BASED ON ALIAS PORT STATE ...............................................................................3-81 IP LOAD BALANCING .................................................................................................................................3-81 BACKGROUND ....................................................................................................................................3-81 OVERVIEW .........................................................................................................................................3-82 HASHING MECHANISM .................................................................................................................. 3-82 IP LOAD BALANCING VS REGULAR LOAD BALANCING .................................................................... 3-82 FEATURE INTEROPERABILITY ........................................................................................................ 3-82 HIGH AVAILABILITY....................................................................................................................... 3-83 MINIMUM REQUIRED CONFIGURATION .................................................................................................3-83 LOAD BALANCING SPECIFIC IP PROTOCOLS ........................................................................................3-83 DISPLAYING LOAD BALANCING AND HASH DISTRIBUTION STATISTICS ...................................................3-83 BINDING A REAL SERVER PORT TO MULTIPLE VIPS ...................................................................................3-84 CONFIGURING HARDWARE FORWARDING OF PASS-THROUGH TRAFFIC .......................................................3-85 SSL ACCELERATORS ................................................................................................................................3-86 SLB CONFIGURATION .........................................................................................................................3-87 TCS CONFIGURATION ........................................................................................................................3-87 GROUP STICKY: L4 SLB TO SERVER GROUP ............................................................................................3-88 ENABLING GROUP STICKY ..................................................................................................................3-88 CONFIGURATION EXAMPLE ........................................................................................................... 3-88 ENABLING GROUP STICKY FAILOVER ..................................................................................................3-90 HASH-BASED SLB WITH SERVER PERSISTENCE ........................................................................................3-90
September 2008 2008 Foundry Networks, Inc. vii
PERSISTENT HASH TABLE ..................................................................................................................3-91 CLEAR VS REASSIGN MECHANISMS .....................................................................................................3-91 ENABLING PERSISTENT HASHING ........................................................................................................3-91 ENABLING THE CLEAR-ON-CHANGE MECHANISM .................................................................................3-91 ENABLING THE REASSIGN-ON-CHANGE MECHANISM ............................................................................3-92 CONFIGURING THE REASSIGN THRESHOLD AND DURATION ............................................................ 3-92 REASSIGNMENT SEQUENCE AND EXAMPLE ................................................................................... 3-93 KEEPING THE PERSISTENT HASH TABLE UNCHANGED .........................................................................3-95 REAL SERVER FAILURE ......................................................................................................................3-95 DISPLAYING PERSISTENT HASH TABLE ENTRY AND STATISTICS ...........................................................3-96 CLEARING THE HIT COUNT FOR THE PERSISTENT HASH TABLE ............................................................3-97 CLEARING THE PERSISTENT HASH TABLE ............................................................................................3-97 ENABLING DEBUGGING FOR PERSISTENT HASH ...................................................................................3-97 REASSIGNING A PERSISTENT HASH TABLE ENTRY ...............................................................................3-97 VIP ROUTE HEALTH INJECTION .................................................................................................................3-98 OVERVIEW .........................................................................................................................................3-98 INJECTING AND DELETING VIP ROUTE BASED ON VIP HEALTH ...................................................... 3-99 CONFIGURATION CONSIDERATIONS............................................................................................... 3-99 ENABLING OR DISABLING VIP RHI ....................................................................................................3-100 DEFINING THE HEALTH OF A VIP PORT .............................................................................................3-100 DEFINING THE HEALTH OF A VIP ......................................................................................................3-101 CONFIGURING THE VIP RHI ROUTE MASK LENGTH ...........................................................................3-101 VIP RHI AND HIGH AVAILABILITY TOPOLOGIES ..................................................................................3-102 DISPLAYING RHI INFORMATION .........................................................................................................3-102 DISPLAYING ROUTE TYPE .................................................................................................................3-103 CONFIGURATION EXAMPLES .............................................................................................................3-104 BASIC CONFIGURATION .............................................................................................................. 3-104 BOTH SERVERIRON SITES WORKING IN PRIMARY MODE ............................................................. 3-105 SITE-1 SERVERIRON IN PRIMARY MODE AND SITE-2 IN BACKUP MODE........................................ 3-116 USAGE GUIDELINES ..........................................................................................................................3-129 REAL SERVER SHUTDOWN ......................................................................................................................3-130 POLICY-BASED SLB ...............................................................................................................................3-131 CONFIGURING A POLICY LIST ............................................................................................................3-132 SIMPLIFIED FORMAT FOR THE POLICY LIST FILE .......................................................................... 3-132 SPECIFYING THE MAXIMUM NUMBER OF ENTRIES ..............................................................................3-132 NO LIMIT TO THE SIZE OF THE POLICY LIST FILE ......................................................................... 3-133 DELETING AN ENTRY FROM THE POLICY LIST ....................................................................................3-133 DELETING AN ENTIRE PBSLB LIST ...................................................................................................3-133 DYNAMICALLY DOWNLOADING A POLICY LIST ....................................................................................3-133 DOWNLOADING A POLICY LIST USING TFTP .....................................................................................3-134 COPYING A POLICY LIST TO A FILE ON TFTP SERVER .......................................................................3-134 WRITING THE POLICY LIST TO FLASH MEMORY .................................................................................3-134 SPECIFYING A DEFAULT SERVER GROUP ..........................................................................................3-134 ASSIGNING REAL SERVERS TO SERVER GROUPS ..............................................................................3-134 ENABLING PBSLB FOR A PORT ON A VIRTUAL SERVER .....................................................................3-135 DELETING EXISTING PBSLB SESSIONS ............................................................................................3-135 DISPLAYING PBSLB ENTRIES ...........................................................................................................3-136
viii
September 2008
VIP TRAFFIC NO LONGER BLOCKED DURING POLICY FILE DOWNLOAD ..............................................3-136 PACKET TRACE ................................................................................................................................3-137 INCREASE IN THE SIZE OF PBSLB LIST (SPAM LIST) ........................................................................3-138 PBSLB POOL FAILSAFE GROUP .............................................................................................................3-138 OVERVIEW OF PBSLB POOL FAILSAFE GROUP .................................................................................3-138 EXPECTED BEHAVIOR OF PBSLB FAILSAFE GROUP.................................................................... 3-138 COMMAND LINE INTERFACE ..............................................................................................................3-139 CREATE A PBSLB FAILSAFE GROUP ........................................................................................... 3-139 ENABLE PBSLB ON A VIP PORT ................................................................................................ 3-139 SHOW COMMMANDS .................................................................................................................. 3-139 AUTO DOWNLOAD OF PBSLB LIST .........................................................................................................3-139 CONFIGURING PBSLB DOWNLOAD-INTERVAL ....................................................................................3-140 CONFIGURING PBSLB TIME-OF-DAY ................................................................................................3-140 PBSLB SYSLOG MESSAGES ............................................................................................................3-140 BANDWIDTH METRIC FOR SLB ................................................................................................................3-140 EXAMPLE .........................................................................................................................................3-140 ENABING THE BANDWIDTH METRIC PREDICTOR .................................................................................3-143 CHANGING THE SIZE OF THE BANDWIDTH SAMPLING WINDOW ...........................................................3-143 CHANGING THE SIZE GLOBALLY ................................................................................................. 3-143 CHANGING THE SIZE FOR A VIRTUAL SERVER ............................................................................. 3-143 ENABLING METRIC ALGORITHMS .......................................................................................................3-143 RE-ENABLING THE SUM ALGORITHM ........................................................................................... 3-143 ENABLING THE WEIGHTED SERVER SUM ALGORITHM .................................................................. 3-143 ENABLING THE WEIGHTED-INTERVAL SUM ALGORITHM ................................................................ 3-144 DISPLAYING BANDWIDTH USAGE STATISTICS .....................................................................................3-144 DISPLAYING BANDWIDTH USAGE ................................................................................................ 3-144 DISPLAYING BANDWIDTH USAGE COUNTS ................................................................................... 3-145 CLEARING OCTET COUNTS IN THE BANDWIDTH OCTET LIST ..............................................................3-145 POLICY-BASED ROUTING FOR REVERSE SLB TRAFFIC .............................................................................3-145 DSR ......................................................................................................................................................3-146 SETTING DSR NORMAL AGE REVERSE SESSION ...............................................................................3-147 REMOTE FAILOVER SERVERS FOR SWITCHBACK ...............................................................................3-147 HEALTH CHECKS WITH SWITCHBACK ................................................................................................3-147 SYN-DEFENSE WITH SWITCHBACK ...................................................................................................3-148 PLACING A SESSION IN TIMEOUT QUEUE ...........................................................................................3-148 SWITCHBACK CONFIGURATION EXAMPLE ..........................................................................................3-148 CONFIGURING SERVERIRON A.................................................................................................... 3-150 CONFIGURING SERVERIRON B.................................................................................................... 3-151 CONFIGURING THE LOOPBACK ADDRESS ON A REAL SERVER ...................................................... 3-152 DISPLAYING SERVER INFORMATION ...................................................................................................3-156 DISPLAYING GLOBAL LAYER 4 SERVERIRON CONFIGURATION ...........................................................3-160 DISPLAYING REAL SERVER CONFIGURATION STATISTICS ...................................................................3-163 DISPLAYING VIRTUAL SERVERS CONFIGURATION STATISTICS ............................................................3-168 DISPLAYING INFORMATION ABOUT VIRTUAL SERVERS BOUND PORTS .......................................... 3-172 DISPLAYING A LIST OF FAILED SERVERS ...........................................................................................3-175 DISPLAYING A LIST OF FAILED PORTS ...............................................................................................3-175 DISPLAYING PORT-BINDING INFORMATION .........................................................................................3-176 DISPLAYING PACKET TRAFFIC STATISTICS .........................................................................................3-178
September 2008
ix
DISPLAYING CONFIGURATION INFORMATION .............................................................................................3-181 SHOW AGGREGATE HEALTH OF TRACKED PORTS ..............................................................................3-181 AUTO REPEAT OF SHOW COMMAND OUTPUT ...................................................................................3-182 DISPLAYING VIP OWNER IN HA SETUP ..............................................................................................3-183 CLEARING ALL SESSION TABLE ENTRIES ..........................................................................................3-183 CLEARING THE CONNECTIONS COUNTER ...........................................................................................3-184 SLB CONFIGURATION EXAMPLES ............................................................................................................3-185 WEB HOSTING WITH ONE VIRTUAL SERVER MAPPED TO MULTIPLE REAL SERVERS ...........................3-185 WEB HOSTING WITH MULTIPLE VIRTUAL SERVERS MAPPED TO ONE REAL SERVER ...........................3-185 MANY-TO-ONE TCP/UDP PORT BINDING .........................................................................................3-186 CONFIGURATION RULES ............................................................................................................. 3-187 CONFIGURATION EXAMPLE ......................................................................................................... 3-188 WEB HOSTING WITH UNLIMITED VIRTUAL IP ADDRESSES ...................................................................3-189 SLB INTRANET CONFIGURATION WITH HTTP, TELNET HOSTING ACROSS MULTIPLE VIRTUAL SERVERS AND MULTIPLE REAL SERVERS ..........................................................................................................3-191 TCP/UDP APPLICATION GROUPS .....................................................................................................3-192 WEB HOSTING WITH SERVERIRON AND REAL SERVERS IN DIFFERENT SUBNETS ................................3-194 WEB HOSTING WITH GEOGRAPHICALLY-DISTRIBUTED SERVERS .........................................................3-196 USING HTTP REDIRECT WITH GEOGRAPHICALLY-DISTRIBUTED SERVERS ..........................................3-199 USING REVERSE PROXY SLB .................................................................................................... 3-200 BASIC EXAMPLE ........................................................................................................................ 3-201 E-COMMERCE EXAMPLE ............................................................................................................ 3-202 LOAD BALANCING STREAMING MEDIA FILES ......................................................................................3-204 LAYER 3 SLB ..................................................................................................................................3-206 BASIC SLB WITH ONE VLAN AND ONE VIRTUAL ROUTING INTERFACE ........................................ 3-206 BASIC SLB WITH MULTIPLE SUBNETS AND MULTIPLE VIRTUAL ROUTING INTERFACES .................. 3-209 IPSEC AND VPN LOAD BALANCING ...................................................................................................3-211 CONFIGURING IPSEC AND VPN LOAD BALANCING....................................................................... 3-213 CONFIGURATION EXAMPLE ......................................................................................................... 3-213 ACTIVE-ACTIVE INSIDE SOURCE NAT WITH SLB AND VRRP-E ..........................................................3-214 SI A CONFIGURATION ................................................................................................................ 3-214 SI B CONFIGURATION ................................................................................................................ 3-215 SERVER OPT-ENABLE-ROUTE-RECALCULATION ...................................................................................3-215 SOURCE-PORT BASED BP DISTRIBUTION ................................................................................................3-216 CONFIGURING SOURCE-PORT BASED BP DISTRIBUTION ....................................................................3-216 LIMITATIONS .....................................................................................................................................3-216 SYSTEM WITH SINGLE MANAGEMENT MODULE ..................................................................................3-217 SYSTEM WITH DUAL MANAGEMENT MODULES ...................................................................................3-218 IPV6 SUPPORT FOR SLB ........................................................................................................................3-219 DEFINE IPV6 REAL SERVERS ...........................................................................................................3-219 DEFINE IPV6 VIRTUAL SERVERS .......................................................................................................3-219 DEFINE IPV4 REAL SERVERS ...........................................................................................................3-219 DEFINE IPV4 VIRTUAL SERVERS .......................................................................................................3-220 DEFINE PORT CHARACTERISTICS USING PORT PROFILE ....................................................................3-220 DEFINE IP ROUTES ..........................................................................................................................3-220 VLAN, TAGGING AND TRUNK DEFINITIONS ........................................................................................3-220 VRRP-E AND VIP GROUP DEFINITIONS ............................................................................................3-220 MISCELLANEOUS ..............................................................................................................................3-221
x 2008 Foundry Networks, Inc. September 2008
September 2008
xi
APPLICATION PORT STATES ...............................................................................................................5-15 DISPLAYING REAL SERVER STATE INFORMATION .......................................................................... 5-16 DISPLAYING VIRTUAL SERVER STATE INFORMATION ...................................................................... 5-17 BEST PATH TO A REMOTE SERVER ...........................................................................................................5-17 LAYER 3 HEALTH CHECK ..........................................................................................................................5-18 DISABLING LAYER 3 HEALTH CHECK ...................................................................................................5-18 MODIFYING THE PING INTERVAL AND PING RETRIES ............................................................................5-19 SETTING THE PERIODIC ARP INTERVAL ..............................................................................................5-19 SERVER PERIODIC-ARP ENHANCEMENT .............................................................................................5-19 DISPLAYING DEBUGGING INFORMATION ABOUT PERIODIC ARPS .................................................... 5-20 LAYER 4 HEALTH CHECK ..........................................................................................................................5-20 DISABLING OR RE-ENABLING LAYER 4 HEALTH CHECK ........................................................................5-20 PERFORMING LAYER 4 UDP KEEPALIVE HEALTH CHECKS FOR THE DNS PORT ...................................5-20 HEALTH CHECKS FOR FIREWALL PATHS ....................................................................................................5-21 CHANGING THE MAXIMUM NUMBER OF LAYER 3 PATH HEALTH-CHECK RETRIES .................................5-21 ENABLING LAYER 4 PATH HEALTH CHECKS FOR FWLB ......................................................................5-21 PORT PROFILES AND ATTRIBUTES .............................................................................................................5-22 CONFIGURING A PORT PROFILE ..........................................................................................................5-22 ADDING A PORT AND SPECIFYING ITS TYPE .................................................................................. 5-23 CHANGING A PORTS KEEPALIVE PARAMETERS ............................................................................. 5-23 CONFIGURING PORT PROFILE ATTRIBUTES .........................................................................................5-23 CHANGING A PORTS SESSION AGE .............................................................................................. 5-26 DISPLAYING THE SESSION AGE OF A TCP PORT ........................................................................... 5-26 BASING AN ALIAS PORTS HEALTH ON THE HEALTH OF ITS MASTER PORT ..................................... 5-27 OVERRIDING THE GLOBAL TCP OR UDP AGE .............................................................................. 5-28 ENABLING SESSION SYNCHRONIZATION ........................................................................................ 5-29 CHANGING THE SMOOTH FACTOR ON AN APPLICATION PORT ........................................................ 5-29 ENABLING RECURSIVE DNS HEALTH CHECKS .............................................................................. 5-29 BASING A PORTS HEALTH ON THE HEALTH OF ANOTHER PORT ...........................................................5-30 GLOBAL TRACKING OF ALIAS PORT HEALTH ................................................................................. 5-30 REASSIGN THRESHOLD .............................................................................................................................5-30 PREVENTING STATE FLAPPING ...........................................................................................................5-31 ENABLING THE HEALTH CHECKING PROCEDURE IN RELEASES BEFORE 7.1.05 ....................................5-32 SSL HEALTH CHECKS ..............................................................................................................................5-32 CONFIGURING SSL HEALTH CHECKS ..................................................................................................5-32 ERROR MESSAGES ............................................................................................................................5-33 LAYER 7 HEALTH CHECKS ........................................................................................................................5-33 ENABLING LAYER 7 HEALTH CHECK ....................................................................................................5-33 CHANGING HTTP KEEPALIVE METHOD, VALUE, AND STATUS CODES ...................................................5-34 CONFIGURING HTTP CONTENT MATCHING LISTS ................................................................................5-35 DISPLAYING HTTP MATCH LISTS ........................................................................................................5-37 BINDING THE MATCHING LIST TO THE REAL SERVERS .........................................................................5-37 CONFIGURING SCRIPTED HEALTH CHECKS ..........................................................................................5-38 CONFIGURING A PORT PROFILE ................................................................................................... 5-38 CONFIGURING A MATCHING LIST .................................................................................................. 5-38 BINDING THE MATCHING LIST TO THE REAL SERVER ..................................................................... 5-39 USING A SCRIPTED HEALTH CHECK IN A HEALTH-CHECK POLICY .........................................................5-39 CONFIGURING A HEALTH CHECK POLICY ...................................................................................... 5-39 SCRIPTED HEALTHCHECK ENHANCEMENT ON REAL SERVERS ..............................................................5-40
xii 2008 Foundry Networks, Inc. September 2008
BINARY SCRIPTED HEALTH CHECK .....................................................................................................5-40 SCRIPTED HEALTH CHECK FOR UDP PORTS .......................................................................................5-41 OVERVIEW OF SCRIPTED HEALTH CHECK FOR UDP PORTS ................................................................5-41 COMMAND LINE INTERFACE ................................................................................................................5-41 CONFIGURING SERVER PORT HEALTH CHECK POLICY .........................................................................5-41 CONFIGURING A PORT POLICY ..................................................................................................... 5-42 BINDING THE POLICY ................................................................................................................... 5-43 CONFIGURING A KEEPALIVE INTERVAL UNDER A PORT POLICY ...................................................... 5-44 CONFIGURING DNS HEALTH CHECK METHOD AND VALUES .................................................................5-45 CONFIGURING RADIUS HEALTH CHECK VALUES ................................................................................5-46 DROPPING FAILED RADIUS HEALTH CHECKS .....................................................................................5-46 CHANGING THE LDAP VERSION .........................................................................................................5-46 LAYER 7 HEALTH CHECK FOR AN UNKNOWN PORT ..............................................................................5-47 CONFIGURING AN UNKNOWN TCP PORT TO USE LAYER 7 TCP HEALTH CHECKS ......................... 5-47 CONFIGURING AN UNKNOWN UDP PORT TO USE A LAYER 7 HEALTH CHECK ................................ 5-48 HEALTH CHECK OF MULTIPLE WEB SITES ON THE SAME REAL SERVER .....................................................5-48 BOOLEAN HEALTH-CHECK POLICIES ..........................................................................................................5-49 HEALTH-CHECK STATE .......................................................................................................................5-49 HEALTH-CHECK POLICY .....................................................................................................................5-50 CONFIGURING ELEMENT-ACTION EXPRESSIONS ............................................................................ 5-51 CONFIGURING A HEALTH-CHECK POLICY ...................................................................................... 5-56 ATTACHING A HEALTH-CHECK POLICY TO AN APPLICATION PORT ON A SERVER ............................ 5-58 GLOBALLY DISABLING ALL HEALTH-CHECK POLICIES .................................................................... 5-58 DISPLAYING HEALTH CHECK POLICIES AND THEIR STATUS ..................................................................5-58 DISPLAYING HEALTH CHECK POLICY STATISTICS .................................................................................5-60 CLEARING HEALTH CHECK POLICY STATISTICS ...................................................................................5-60 HEALTH CHECK POLICY FOR VIP PORT .....................................................................................................5-60 OVERVIEW OF HEALTH CHECK POLICY FOR VIP PORT ........................................................................5-61 COMMAND LINE INTERFACE ................................................................................................................5-61 MINIMUM HEALTHY REAL SERVERS UNDER VIP PORT ...............................................................................5-61 OVERVIEW OF MINIMUM HEALTHY REAL SERVERS ..............................................................................5-61 COMMAND LINE INTERFACE ................................................................................................................5-61 SERVER PORT BRING UP ENHANCEMENT ..................................................................................................5-61 OVERVIEW OF SERVER PORT BRINGUP ...............................................................................................5-62 COMMAND LINE INTERFACE ................................................................................................................5-62 DISPLAYING SYSLOG ENTRIES ...................................................................................................................5-62 SESSION TABLE PARAMETERS ..................................................................................................................5-62 CONFIGURING THE MAXIMUM NUMBER OF ACTIVE SESSIONS ...............................................................5-63 CONFIGURING FAST SESSION AGING ..................................................................................................5-63 DISPLAYING INFORMATION ABOUT FAST AGING ............................................................................. 5-64 CLEARING STATISTICS COUNTERS FOR FAST SESSION AGING ....................................................... 5-65 CLEARING STATISTICS COUNTERS FOR SESSIONS THAT AGED OUT RANDOMLY ............................. 5-65 CONFIGURING TCP AGE ....................................................................................................................5-65 CONFIGURING UDP AGE ....................................................................................................................5-65 SETTING THE CLOCK SCALE ...............................................................................................................5-66 SYSLOG FOR SESSION TABLE ENTRIES ...............................................................................................5-66 ENABLING TCP/UDP SESSION LOGGING ...................................................................................... 5-67 SLOW-START MECHANISM ........................................................................................................................5-67
September 2008
xiii
OVERVIEW .........................................................................................................................................5-68 PORT SLOW-START MECHANISM ........................................................................................................5-70 DEFAULT PORT SLOW-START MECHANISM ................................................................................... 5-70 SETTING UP A USER-CONFIGURED PORT SLOW-START MECHANISM ............................................. 5-72 APPLYING A USER-CONFIGURED SLOW-START MECHANISM TO MULTIPLE PORTS .......................... 5-75 GLOBALLY DISABLING OR RE-ENABLING THE SLOW-START MECHANISM ...............................................5-75 LDAP OVER SSL .....................................................................................................................................5-75 CONFIGURING NON-BOOLEAN LDAP HEALTH CHECKS ........................................................................5-76 CONFIGURING BOOLEAN LDAP HEALTH CHECKS ................................................................................5-76 09.2.00 SCRIPTED HEALTH CHECK ENHANCEMENT FOR BOOLEAN .............................................................5-76 ENHANCEMENT DESCRIPTION .............................................................................................................5-76 CONFIGURATION EXAMPLE .................................................................................................................5-77 DEBUGGING AND TROUBLESHOOTING ..................................................................................................5-77 FIN CLOSE FOR SERVER HEALTH CHECK ..................................................................................................5-78
.................................................................................................................6-24 REWRITE REQUEST-REPLACE ..............................................................................................................6-25 F. EXPLANATION OF OFFSETS ............................................................................................................6-25 G. DISPLAYING THE STATISTICS FOR ALL HTTP CONTENT REWRITES .................................................6-26 USAGE GUIDELINES ...........................................................................................................................6-27 1.3.2 CASE-INSENSITIVE MATCH FOR CONTENT SWITCHING ................................................................6-28 1.3.3 WILDCARDS IN CSW RULES FOR URL PREFIXES .......................................................................6-28 1.3.1.4 CONFIGURING THE REDIRECT ACTION .....................................................................................6-28 HTTP REDIRECT STATUS CODE .................................................................................................. 6-29 1.3.1.5 SUPPORT FOR LARGE GET REQUESTS ....................................................................................6-29 1.4 DISPLAYING CSW INFORMATION ...................................................................................................6-29 1.4.1 DISPLAYING HEADER INFORMATION ..................................................................................... 6-30 1.4.2 DISPLAYING CSW RULE INFORMATION ................................................................................ 6-31 1.4.3 DISPLAYING CSW POLICY INFORMATION ............................................................................. 6-33 2.2 ENABLING HTTP REDIRECT .........................................................................................................6-35 3.8 HTTP STATUS CODES .................................................................................................................6-35 HTTP REWRITE ON SERVER RESPONSE ...................................................................................................6-37 HTTP RESPONSE-HEADER REWRITE ..................................................................................................6-37 CONFIGURING HTTP HEADER RESPONSE REWRITE .............................................................................6-38 STEP 1: CREATE A CSW RULE SPECIFYING THE HEADER RESPONSE CODES ............................... 6-38 STEP 2: CREATE A CSW RULE SPECIFYING THE STRING TO BE MODIFIED .................................... 6-38 STEP 3: CREATE A CSW POLICY ................................................................................................. 6-38 STEP 4: BIND CSW-POLICY TO THE VIRTUAL-SERVER PORT .......................................................... 6-38 HTTP RESPONSE-BODY REWRITE: .....................................................................................................6-39 CONFIGURING HTTP BODY RESPONSE REWRITE .................................................................................6-39 STEP 1: CREATE A CSW RULE IDENTIFYING REQUESTS WHOSE RESPONSES HAVE TO BE MODIFIED 6-39 STEP 2: CREATE A CSW RULE SPECIFYING THE STRING TO BE MODIFIED ...................................... 6-39 STEP 3: CREATE A CSW POLICY ................................................................................................. 6-40 STEP 4: BIND CSW-POLICY TO THE VIRTUAL-SERVER PORT .......................................................... 6-40 SPECIFY CONTENT-TYPE TO ENABLE THIS FEATURE (OPTIONAL) ..................................................... 6-40 SHOW COMMANDS....................................................................................................................... 6-40 DEBUG COMMANDS ..................................................................................................................... 6-40 CONFIGURATION EXAMPLE ........................................................................................................... 6-42 USING MULTIPLE COOKIES UNDER VIRTUAL SERVER PORT .......................................................................6-42 CONFIGURING MULTIPLE UNIQUE COOKIE INSERTION WITH COOKIE PATH ............................................6-42 CONFIGURE COOKIE INSERTION WHEN A PARTICULAR CSW RULE IS HIT ......................................... 6-42 CONFIGURE COOKIE INSERTION IN DEFAULT MODE (WHEN NO CSW RULE IS HIT) ........................... 6-43 SPECIFICATIONS .................................................................................................................................6-43 CONFIGURATION GUIDELINES .............................................................................................................6-43 EXAMPLE ...........................................................................................................................................6-43 SERVER AND SERVER PORT PERSISTENCE WITH CSW NESTED RULES ......................................................6-44 CONFIGURING SERVER AND SERVER PORT PERSISTENCE WITH CSW NESTED RULES .........................6-44 CONFIGURING PERSIST ON THE NESTED RULE ....................................................................................6-45 CONFIGURING PERSIST ON THE REAL PORT ........................................................................................6-45 USAGE EXAMPLE ......................................................................................................................... 6-45 SECTION 2: LEGACY LAYER 7 SWITCHING FEATURES .............................................................................6-46 2.1 LAYER 7 SWITCHING METHODS ....................................................................................................6-46 2.1.1 URL SWITCHING .......................................................................................................................6-46 SETTING UP BASIC URL SWITCHING ............................................................................................ 6-47
September 2008 2008 Foundry Networks, Inc. xv
REWRITE REQUEST-INSERT
CONFIGURING THE URL SWITCHING POLICIES .............................................................................. 6-48 CONFIGURING THE REAL SERVERS ............................................................................................... 6-50 SETTING UP THE VIRTUAL SERVER ............................................................................................... 6-51 CONFIGURATION EXAMPLE: TWO WEB SITES USING ONE VIP ...................................................... 6-52 DEFINING THE URL SWITCHING POLICIES ..................................................................................... 6-53 SETTING UP THE VIRTUAL SERVER ............................................................................................... 6-54 SAMPLE URLS ............................................................................................................................ 6-55 DIRECTING HTTP REQUESTS TO SPECIFIC TCP PORTS ............................................................... 6-56 DEFINING THE URL SWITCHING POLICIES ..................................................................................... 6-56 CONFIGURING THE REAL SERVERS ............................................................................................... 6-57 SETTING UP THE VIRTUAL SERVER ............................................................................................... 6-57 PREFIX-SUFFIX MATCHING METHOD ...................................................................................................6-58 SYNTAX CHANGE FOR URL SWITCHING POLICIES ...............................................................................6-58 2.1.1.1 DISPLAYING URL SWITCHING POLICY INFORMATION ................................................................6-58 DISPLAYING URL SWITCHING POLICY INFORMATION ............................................................................6-59 2.1.2 SETTING UP COOKIE SWITCHING ................................................................................................6-59 2.1.2.1 CONFIGURING THE REAL SERVERS ................................................................................... 6-60 2.1.2.2 ENABLING COOKIE SWITCHING ON A VIRTUAL SERVER ............................................................6-61 2.3.1 CONFIGURING COOKIE INSERTION ..............................................................................................6-61 2.3.1.A CONFIGURING THE SERVER TO SEND A SET-COOKIE HEADER .................................................6-61 2.3.1.1 CONFIGURING THE SERVERS ............................................................................................ 6-62 2.3.1.2 ENABLING COOKIE SWITCHING ON THE VIRTUAL SERVER .................................................. 6-63 2.3.1.3 ENABLING COOKIE INSERTION .......................................................................................... 6-63 2.3.1.4 SETTING THE COOKIE DOMAIN ......................................................................................... 6-64 2.3.1.5 SETTING THE COOKIE PATH ............................................................................................. 6-64 2.3.1.6 SETTING THE COOKIE AGE ............................................................................................... 6-65 2.3.1.7 ENABLING COOKIE DELETION ........................................................................................... 6-66 2.3.1.8 ENABLING COOKIE DAMAGE ............................................................................................. 6-66 2.3.1.9 ALLOCATING ADDITIONAL MEMORY TO COOKIE HANDLING................................................. 6-67 2.3.1.10 DISPLAYING COOKIE STATISTICS AND INFORMATION ..............................................................6-68 2.1.3 SETTING UP CONCURRENT URL SWITCHING AND COOKIE SWITCHING ........................................6-69 CONFIGURING THE URL SWITCHING POLICIES ....................................................................................6-71 PREFIX-SUFFIX MATCHING METHOD IN A URL SWITCHING POLICY ................................................ 6-71 SYNTAX CHANGE FOR URL SWITCHING POLICIES ......................................................................... 6-72 CONFIGURING SERVER GROUPS AND SERVER IDS ..............................................................................6-72 CONFIGURING THE SERVER TO SET A COOKIE ....................................................................................6-72 ENABLING CONCURRENT URL AND COOKIE SWITCHING ON THE VIRTUAL SERVER ...............................6-73 2.3.2 HTTP HEADER INSERTION ........................................................................................................6-73 2.3.3 INSERTING THE ORIGINAL SOURCE IP ADDRESS INTO HTTP REQUESTS .....................................6-74 CLIENT IP INSERTION IN USER CONFIGURABLE HEADERS ....................................................................6-75 2.1.4 HTTP HEADER HASHING ...........................................................................................................6-75 2.1.4.1 ENABLING COOKIE HASHING ...................................................................................................6-76 CLEARING COOKIE HASHING BUCKET ALLOCATIONS AND STATISTICS ............................................ 6-77 2.1.4.2 ENABLING SELECTIVE COOKIE HASHING .................................................................................6-77 2.1.4.3 ENABLING URL STRING HASHING ...........................................................................................6-78 2.1.4.4 ENABLING URL SEGMENT HASHING .......................................................................................6-79 SETTING UP THE SERVER GROUPS .............................................................................................. 6-81 ENABLING URL SEGMENT HASHING ON A VIRTUAL SERVER .......................................................... 6-81 2.1.4.5 DISPLAYING HASH BUCKET ASSIGNMENTS AND THE NUMBER OF HITS .....................................6-81 SECTION 3: ADVANCED L7 AND LEGACY L7 "COMMON FEATURES" ........................................................6-82
xvi 2008 Foundry Networks, Inc. September 2008
3.1 CHANGING THE MAXIMUM NUMBER OF CONCURRENT L7 SWITCHING CONNECTIONS ......................6-82 3.2 DROPPING HTTP REQUESTS .......................................................................................................6-82 DROPPING THE REQUESTS AFTER EXCEEDING THE MAXIMUM NUMBER OF CONNECTIONS ............. 6-82 DROPPING THE REQUESTS WHEN SERVERS ARE UNAVAILABLE .................................................... 6-83 3.3 CLEANING UP ALL HASHING BUCKETS ...........................................................................................6-83 3.4 L7 CONTENT BUFFERING OPTIONS ...............................................................................................6-83 3.5 CHANGING THE TCP WINDOW SIZE ..............................................................................................6-83 3.6 PREVENTING THE SERVERIRON FROM SENDING AN ACK TO THE CLIENT .......................................6-84 3.7 DISPLAYING L7 SWITCHING STATISTICS ........................................................................................6-84 3.8 HTTP STATUS CODES .................................................................................................................6-85 SECTION 4: HTTP 1.1 SUPPORT FOR ADVANCED AND LEGACY L7 SWITCHING .......................................6-87 4.1 DEFAULT SETTINGS ......................................................................................................................6-87 4.2 PREVENTING THE SERVERIRON FROM DOWNGRADING THE HTTP VERSION TO 1.0 ........................6-87 4.3 HTTP 1.1 SUPPORT ....................................................................................................................6-88 4.3.1 SUPPORT FOR EXISTING LAYER 7 FEATURES .............................................................................6-88 4.3.2 ENABLING THE KEEPALIVE MODE ...............................................................................................6-89 4.3.3 ENABLING THE TCP OFFLOAD MODE .........................................................................................6-89 4.3.4 GRACEFUL HANDLING OF HTTP PIPELINED REQUESTS ..............................................................6-90 CLEARING ALL KEEPALIVE CONNECTIONS ..................................................................................... 6-91 DISPLAYING MORE CHARACTERS FOR SERVER FIELD ON SHOW SERVER ALL COMMAND OUTPUT ..............6-91 4.3.8 DISPLAYING TRANSACTIONS AND CONNECTIONS ........................................................................6-92 SETTING UP SSL SESSION ID SWITCHING .................................................................................................6-93 CONFIGURATION EXAMPLE .................................................................................................................6-93 CONFIGURING THE REAL SERVERS FOR SSL................................................................................ 6-95 CONFIGURING THE VIRTUAL SERVER FOR SSL SESSION ID SWITCHING ........................................ 6-95 ADJUSTING THE AGE TIMER ......................................................................................................... 6-96 ADJUSTING THE MAXIMUM NUMBER OF SESSION_ID-TO-REAL-SERVER ASSOCIATIONS ................... 6-96
September 2008
xvii
SYMMETRIC SLB IN A IPSEC/IKE CONFIGURATION ..............................................................................7-19 ACTIVE SERVERIRON ................................................................................................................... 7-19 STANDBY SERVERIRON ................................................................................................................ 7-20 CONFIGURING THE INTERVAL AND WAIT TIME FOR SSLB DISCOVERY PACKETS ...................................7-22 CONFIGURING DYNAMIC PRIORITY ......................................................................................................7-22 COMMANDS ON SERVERIRON A.................................................................................................... 7-24 COMMANDS ON SERVERIRON B.................................................................................................... 7-24 DISPLAYING DYNAMIC PRIORITY INFORMATION .............................................................................. 7-25 CONFIGURING DELAY REACTIVATION ..................................................................................................7-26 DISPLAYING SSLB INFORMATION ........................................................................................................7-27 VIP FAILOVER FOLLOWING A LINK FAILURE .........................................................................................7-27 CONFIGURING VIP FAILOVER IN VRRP EXTENDED WITH SYMMETRIC SLB ...........................................7-28 CONFIGURING VLAN OPTION FOR ACTIVE-ACTIVE LINKS ....................................................................7-28 ALLOWING PASS-THROUGH TRAFFIC TO A VIP ....................................................................................7-29 FAST SESSION SYNCHRONIZATION WITH VRRP ..................................................................................7-29 CONFIGURING THE OWNER .......................................................................................................... 7-30 CONFIGURING A BACKUP ............................................................................................................. 7-30 VRRP-E TRACK PORT INCREASE .............................................................................................................7-31 TRACKING TRUNK PORTS WITH VRRP-E ...................................................................................................7-31 CONFIGURING TRACKING TRUNK PORTS WITH VRRP-E ......................................................................7-32 SAMPLE CONFIGURATION ...................................................................................................................7-32 SAMPLE CONFIGURATION ...................................................................................................................7-33 SI-A............................................................................................................................................ 7-33 SI-B............................................................................................................................................ 7-34 SYM-ACTIVE SLB .....................................................................................................................................7-34 DIFFERENCE BETWEEN SYM-ACTIVE VS SYMMETRIC SLB ...................................................................7-34 MINIMUM REQUIRED CONFIGURATION .................................................................................................7-35 LAYER 3 SYM-ACTIVE ........................................................................................................................7-35 COMMANDS FOR ROUTER NI1...................................................................................................... 7-36 COMMANDS FOR SERVERIRON 254 .............................................................................................. 7-37 COMMANDS FOR ROUTER NI2...................................................................................................... 7-39 COMMANDS FOR SERVERIRON 253 .............................................................................................. 7-40 SYM-ACTIVE IN AN IPSEC/IKE LOAD BALANCING CONFIGURATION .......................................................7-42 SERVERIRON A............................................................................................................................ 7-43 SERVERIRON B............................................................................................................................ 7-44 MULTIPLE HIGH AVAILABILITY SLB PAIRS IN THE SAME VLAN ...................................................................7-44 HOT STANDBY TOPOLOGY ..................................................................................................................7-44 CONFIGURING A BACKUP-GROUP ID............................................................................................. 7-45 SYMMETRIC TOPOLOGY ......................................................................................................................7-45 CONFIGURING A SYMMETRIC GROUP ID ....................................................................................... 7-45 VRRP AND VRRP-E ................................................................................................................................7-46 ENABLING VRRP AND BINDING A VIP GROUP TO A VIRTUAL ROUTER ID .............................................7-46 CONFIGURING SYNCHRONIZATION WITH HA ...............................................................................................7-46
xviii
September 2008
This guide describes the features of provides configuration procedures for Foundry ServerIron devices. NOTE: Features or options not documented in this guide are not supported.
Audience
This guide is intended for network engineers with a basic knowledge of switching, routing, and application traffic management.
Conventions
This guide uses the following typographical conventions to describe information:
Highlights the title of another publication or emphasizes a word or phrase. Indicates code that is entered exactly as shown. Indicates a command or keyword that can be entered exactly as is.
NOTE: A note emphasizes an important fact or calls your attention to a dependency. WARNING: A warning calls your attention to a possible hazard that can cause injury or death. CAUTION: A caution calls your attention to a possible hazard that can damage equipment.
Related Documentation
For more information, refer to the following Foundry Networks ServerIron documentation: Release Notes for ServerIron Switch and Router Software TrafficWorks 11.0.00 provides a list of new 2008 Foundry Networks, Inc. 1-1
September 2008
features and enhancements, upgrade procedures, and bug fixes. ServerIron TrafficWorks Graphical User Interface provides details on the graphical user interface for the ServerIron family of application delivery controllers. ServerIron TrafficWorks Server Load Balancing Guide describes basic Server Load Balancing configurations for the ServerIron product family. It covers the following features: Server Load Balancing, Stateless Server Load Balancing, Health Checks, Layer 7 Content Switching, and High Availability ServerIron TrafficWorks Advanced Server Load Balancing Guide discusses Advanced Server Load Balancing concepts for the ServerIron product family. It covers the following features: are SIP Server Load Balancing, Transparent Cache Switching, IDS Server Load Balancing, HTTP Compression, and Total Content Analysis ServerIron TrafficWorks Global Server Load Balancing Guide explains how one can achieve site level redundancy and data center site failure protection using Global Server Load Balancing feature of ServerIron ServerIron TrafficWorks Security Guide describes Security features of ServerIron product family. It covers the following features: are Secure Socket Layer (SSL) Acceleration, Web Application Firewall, Deep Packet Scan, Access Control List, and Network Address Translation ServerIron TrafficWorks Administration Guide discusses different administrative configurations for the ServerIron product family. ServerIron TrafficWorks Switching and Routing Guide describes switching and routing configurations on the ServerIron product family Foundry ServerIron Hardware Installation Guide provides the physical characteristics, power consumption, and performance capabilities of the ServerIron switch families, and explains how to set up and install the switches and their modules. Foundry ServerIron Firewall Load Balancing Guide provides detailed feature descriptions, procedures, and application examples for Firewall Load Balancing. Foundry Management Information Base Reference presents the Simple Network Management Protocol (SNMP) Management Information Base (MIB) objects that are supported on Foundry devices.
NOTE: For the latest edition of this document, which contains the most up-to-date information, see Product Manuals at kp.foundrynet.com.
Web Access
1-2 http://www.foundrynetworks.com 2008 Foundry Networks, Inc. September 2008
Email Access
Technical requests can also be sent to the following email address: support@foundrynet.com
Telephone Access
1-877-TURBOCALL (887-2622) United States 408.207.1600 Outside the United States
September 2008
1-3
1-4
September 2008
This chapter lists new ServerIron features by release, and directs you to their descriptions in the documentation. This chapter contains information about the following releases: Software Dependencies for Hardware Platforms on page 2-1 Features and Enhancements for Release 11.0.00 on page 2-2 Features and Enhancements for Release 10.2.01 on page 2-6 Features and Enhancements for Release 10.2.00 on page 2-6 Features and Enhancements for Release 10.1.00 on page 2-9 Features and Enhancements for Release 10.0.00b on page 2-10 Features and Enhancements for Release 09.5.02a on page 2-11 Features and Enhancements for Release 09.4.01 on page 2-12 Features and Enhancements for Release 09.4.00 on page 2-13 Features and Enhancements for Release 09.3.01 on page 2-15
September 2008
2-1
Description
Support for IPv6 management commands has been added to this ServerIron release.
Book: ServerIron TrafficWorks Switching and Routing Guide Chapter: Configuring IPv6 Addressing
IPv6: VRRP-E
IPv6 VRRP-E has been added to the router code version of this release.
Book: ServerIron TrafficWorks Switching and Routing Guide Chapter: Configuring VRRP and VRRP-E
IPv6: OSPFv3
Book: ServerIron TrafficWorks Switching and Routing Guide Chapter: Configuring IPv6 Dynamic Routing
IPv6: ACLs
Book: ServerIron TrafficWorks Security Guide Chapter: Configuring IPv6 Access Control Lists
Support for IPv6 in SLB configurations is added in this release. With this support, you can define IPv6 VIPs with IPv6 real servers. No new commands are required for these configurations. Both IPv4 and IPv6 SLB definitions can co-exist on the system.
Book: ServerIron TrafficWorks Server Load Balancing Guide Chapter: Server Load Balancing Section: IPv6 Support for SLB
Management
2-2
Description The following modules have been added to the ServerIron GUI in this release: Dashboard Source IP/Source NAT IP/Source Standby IP Global Settings SSL Switching Layer 7 Switching Statistics
See details in... Book: ServerIron TrafficWorks Graphical User Interface Guide Chapters: Getting Started with the GUI Configuring a Real Server and a Real Server Port Configuring a Virtual Server and a Virtual Server Port Configuring SSL Certificates Configuring Layer 7 Content Switching Displaying Statistics
Also, the tabs on the following modules have been rearranged: Real Server Virtual Server
SIP SLB TCP SIP SLB Support Support has been added for TCP-based SIP SLB. Book: ServerIron TrafficWorks Advanced Server Load Balancing Guide Chapter: SIP Server Load Balancing Section: TCP SIP Server Load Balancing Stateful SIP session handling in the event of proxy server failure This enhancement enables ServerIron to seamlessly handle proxy server failures. The SIP packets on an existing flow that is going to a failed server will be re-routed to another available healthy server. Book: ServerIron TrafficWorks Advanced Server Load Balancing Guide Chapter: SIP Server Load Balancing Section: Stateful SIP Session Handling in the Event of a Proxy Server Failure GSLB GSLB Optimization and Enhanced Scalability GSLB processes have been optimized to reduce CPU usage on controller. Additionally, the maximum number of GSLB enabled VIPs per site has been increased to 1024 Book: ServerIron TrafficWorks Global Server Load Balancing Guide Chapter: Global Load Server Balancing Section: GSLB Optimization
2-3
Description With this enhancement, the ServerIron GSLB controller, that is operating in DNS override mode, can be configured to respond with all IP addresses, with the best IP on top, to the name query request from a DNS client.
See details in... Book: ServerIron TrafficWorks Global Server Load Balancing Guide Chapter: Global Load Server Balancing Section: Enabling DNS Override
Security Service Port Attack Protection in Hardware ServerIron can be enabled to drop packets that are destined to a VIP on a non-defined service port. This can be handled in hardware without impacting system CPU. Book: ServerIron TrafficWorks Security Guide Chapter: Network Security Section: Service Port Attack Protection in Hardware SLB Port Range Definition For Server Ports This enhancement allows definition of port ranges consisting of up to 50 consecutive application ports and using of them under real server and virtual server definitions. This feature offers enormous flexibility and ease of management especially for large deployments. Also, the total system wide port count has been raised to 8,192. Global Tracking Of Alias Port Health Beginning this release, health of alias ports can be tracked easily through simplified global command. Book: ServerIron TrafficWorks Server Load Balancing Guide Chapter: Server Load Balancing Section: Port Ranges
Book: ServerIron TrafficWorks Server Load Balancing Guide Chapter: Health Checks Section: Global Tracking of Alias Port Health
The keepalive interval can now be configured under a port policy definition. The keepalive timer applies to server ports to which port policy is bound.
Book: ServerIron TrafficWorks Server Load Balancing Guide Chapter: Health Checks Section: Configuring a Keepalive Interval Under a Port Policy
This release enhances Layer 7 Content Switching to allow specification of either code 301 (permanent page move) or code 302 (temporary page move) for HTTP redirect messages.
Book: ServerIron TrafficWorks Server Load Balancing Guide Chapter: Layer 7 Content Switching Section: Configuring the Redirect Action
2-4
Description Beginning this release, ServerIron will be able perform Layer 7 Content Switching on large-sized GET requests (up to 20,000 bytes). Earlier release supported up to 8,000 byte GET requests.
See details in... Book: ServerIron TrafficWorks Server Load Balancing Guide Chapter: Layer 7 Content Switching Section: Support for Large GET requests
On receiving pipelined HTTP requests, the ServerIron can be enabled to handle the first request and optionally send a Reset to the subsequent requests.
Book: ServerIron TrafficWorks Server Load Balancing Guide Chapter: Layer 7 Switching Section: Graceful Handling of HTTP Pipelined Requests
FWLB Firewall Load Balancing with Dual Homed Servers Support for FWLB designs with dual homed servers is added with this release. Book: ServerIron TrafficWorks Firewall Load Balancing Guide Chapter: Configuring FWLB and SLB Section: Supporting Dual Homed Servers in FWLB Design
2-5
access privileges on ServerIron. This feature is documented in the Role Based Management chapter of the ServerIron TrafficWorks Administration Guide. Stateful UDP Based SIP Server Load Balancing ServerIron Release 10.2.00 enhances the current SIP feature by making it stateful and by adding intelligence for handling varying caller-id situations. This feature is documented in the SIP chapter of the ServerIron TrafficWorks Advanced Server Load Balancing Guide. SIP Security ServerIron Release 10.2.00 allows the ServerIron to identify incorrect SIP headers, undefined application ports, and non-supported SIP methods, and then logs and/or drops the appropriate packets. This feature is documented in the SIP chapter of the ServerIron TrafficWorks Advanced Server Load Balancing Guide. Source PAT for SSL Service Modules ServerIron Release 10.2.00 enhances the existing functionality to use source ports instead of source IP address to properly identify SSL terminated response traffic and thereby eliminate the requirement of sourceNAT with SSL service modules. This feature is documented in the SSL chapter of the ServerIron TrafficWorks Security Guide. Identifying VIP Port as TCP Only or UDP Only ServerIron Release 10.2.00 allows ServerIron to explicitly identify an application port to be "TCP only" or "UDP only". This feature is documented in the SLB chapter of the ServerIron TrafficWorks Server Load Balancing Guide. Prioritizing Management Traffic ServerIron Release 10.2.00 enhances the ServerIron TrafficWorks software to give priority to management traffic, such as telnet and SSH, over other web traffic to facilitate uninterrupted access to the ServerIron switches even under heavy load conditions. This feature is documented in the Network Security chapter of the ServerIron TrafficWorks Security Guide. Health Check Policy for VIP Port ServerIron Release 10.2.00 enhances the ServerIron TrafficWorks software to allow more granular health check definitions. This feature is documented in the Health Check chapter of the ServerIron TrafficWorks Server Load Balancing Guide. Minimum Healthy Real Servers under VIP Port ServerIron Release 10.2.00 enhances the ServerIron TrafficWorks software to allow the user to specify "minimum number of healthy real servers" under virtual server definition. This feature is documented in the Health Check chapter of the ServerIron TrafficWorks Server Load Balancing Guide. Server Port Bring Up Enhancement ServerIron Release 10.2.00 allows the user to configure retries for bringup, so that ServerIron will bringup a port only after the configured number of retries have passed. This feature is documented in the Health Check chapter of the ServerIron TrafficWorks Server Load Balancing Guide. Scripted Health Check for UDP Ports ServerIron Release 10.2.00 enhances the TrafficWorks software to perform customizable scripted health
2-7
checks for UDP protocol. This feature is documented in the Health Check chapter of the ServerIron TrafficWorks Server Load Balancing Guide. GSLB Domain-Level Affinity ServerIron Release 10.2.00 enhances the TrafficWorks software to perform GSLB IP Affinity at Host Level. This feature is documented in the ServerIron TrafficWorks Global Server Load Balancing Guide. PBSLB Pool Failsafe Group ServerIron Release 10.2.00 enhances the Policy Based Server Load Balancing (PBSLB) functionality and allows ServerIron to direct traffic away from a given server pool to a "default pool" in case all the servers in server pool become unavailable. This feature is documented in the SLB chapter of the ServerIron TrafficWorks Server Load Balancing Guide. Increase Sticky-age per VIP longer than 60 minutes ServerIron Release 10.2.00 allows ServerIron to specify longer sticky age values (up to 24 hours) per VIP port. This feature is documented in the SLB chapter of the ServerIron TrafficWorks Server Load Balancing Guide. Support for RIP Timers ServerIron Release 10.2.00 enhances the current functionality by providing support for RIP timers, such as update, aging, and garbage collection. This feature is documented in the Routing chapter of the ServerIron TrafficWorks Switching and Routing Guide. Increase SSL Certificate Count to 512 ServerIron Release 10.2.00 increases the maximum number of SSL certificates that ServerIron supports. This feature is documented in the SSL chapter of the ServerIron TrafficWorks Security Guide. Per Server Based Real Server Backup ServerIron Release 10.2.00 enhances the existing ServerIron functionality to allow backup server definition on a per server basis. This feature is documented in the SLB chapter of the ServerIron TrafficWorks Server Load Balancing Guide.
2-8
2-9
columns such as "Next" column. This feature is documented in the Layer 7 Switching chapter of the ServerIron TrafficWorks Server Load Balancing Guide.
2 - 10
Track Port and Track Group Support for SSL Terminated Traffic This release adds track-port and track-group support for SSL terminated traffic. This feature is documented in the SSL chapter of the ServerIron TrafficWorks Security Guide.
Enhanced VIP Group Support This release helps grouping of several virtual server addresses and associating them with the VRRP-E tracking mechanism. This feature is documented in the High Availability chapter of the ServerIron TrafficWorks Server Load Balancing Guide.
Increase in the Size of PBSLB List (SPAM List) The SPAM mitigation feature supported up to 5 Million IP prefix entries. This release increases this capability for up to 7 Million entries. This feature is documented in the Server Load Balancing chapter of the ServerIron TrafficWorks Server Load Balancing Guide.
SNMP MIB Enhancement for GSLB Site The release adds an SNMP MIB for show gslb site. This feature is documented in the Foundry MIB Guide.
2 - 11
Show aggregate health of tracked ports You can now monitor the health of tracked ports. This feature is documented in the Health Check chapter of the ServerIron TrafficWorks Server Load Balancing Guide.
Auto download of PBSLB List You can now automatically download a list of policies to the ServerIron at scheduled intervals or a specific time of day. This feature is documented in the SLB chapter of the ServerIron TrafficWorks Server Load Balancing Guide.
Dual-mode VLAN ports You can now configure tagged ports as dual-mode, allowing them to accept tagged and untagged traffic at the same time. This feature is documented in the ServerIron TrafficWorks Switch and Routing Guide.
LDAPS, POP3S and IMAPS support for SSL SSL acceleration can now be used with popular protocols such as LDAPS, POP3S, and IMAPS. This feature is documented in the SSL chapter of the ServerIron TrafficWorks Security Guide.
TCP-Options support for WSM6-SSL Modules WSM6-SSL Modules now support TCP-Options. This feature is documented in the SSL chapter of the ServerIron TrafficWorks Security Guide.
802.3ad link aggregation ServerIron devices now support 802.3ad LACP link aggregation. This feature is documented in the SLB chapter of the ServerIron TrafficWorks Switching and Routing Guide.
New tcp syn-proxy command TCP syn-proxy can be configured globally or for a specific interface. This feature is documented in the ServerIron TrafficWorks Security Guide.
2 - 12
In previous releases, if you configured "hold down 0," the incoming request could be held down for up to a minute. In this release, if you configure "hold down 0," the incoming request is not held down. Instead it generates a log. This feature is documented in the ServerIron TrafficWorks Security Guide. SIP Header Parsing Length increase The SIP Header Parsing maximum length is now 1000 bytes. This feature is documented in the SIP chapter of the ServerIron TrafficWorks Security Guide. Peak BP Utilization with TRAP New commands and an enhanced command add the ability to show CPU usage, and set barrel processor (BP) and management processor (MP) usage thresholds. RADIUS NAS-Identifier Provides identifiers for ServerIron devices so that RADIUS servers can correct VSAs to the device. This feature is documented in the ServerIron TrafficWorks Administration Guide. Server Periodic-ARP Enhancement Increases the upper range of the periodic-arp timer from 240 seconds to 14,400 seconds. This feature is documented in the Health Check chapter of the ServerIron TrafficWorks Server Load Balancing Guide. Local Max-Conn Limit for Real Servers Enhancement adds a local max-conn count that allows limitation of connections using the connection count of the local barrel processor. This feature is documented in the Health Check chapter of the ServerIron TrafficWorks Server Load Balancing Guide.
2 - 13
Firewall Load Balancing Enhancements You can now configure Firewall Strict Forwarding, Firewall VRRP-E Priority, Track Firewall Group, and Firewall Session Sync Delay. This feature is documented in the Network Security chapter of the ServerIron TrafficWorks Security Guide.
Syn-Cookie Threshhold Trap This feature allows you to configure a Syn-Cookie Threshhold. This feature is documented in the Network Security chapter of the ServerIron TrafficWorks Security Guide.
IP NAT DNS Fast Delete This enhancement fixes the IP-NAT-DNS (UDP) fast-deletion issue. This feature is documented in the Network Security chapter of the ServerIron TrafficWorks Security Guide.
Total content analysis You can now make switching decisions based on the content of any TCP and UDP traffic. This feature is documented in the Total Content Analysis chapter of the ServerIron TrafficWorks Advanced Server Load Balancing Guide.
Session Initiation Protocol (SIP) Session Initiation Protocol acts as a load balancer for requests and responses based on a call-ID. This feature is documented in the SIP chapter of the ServerIron TrafficWorks Advanced Server Load Balancing Guide.
Bandwidth abuse prevention You can now restrict bandwidth use when a client accesses services. This feature is documented in the Network Security chapter of the ServerIron TrafficWorks Security Guide.
Transaction Rate Limiting Transaction Rate Limiting (TRL) allows the ServerIron to monitor and limit traffic from a specific IP address. This feature is documented in the Network Security chapter of the ServerIron TrafficWorks Security Guide.
Enhanced server bringup Increases the speed of the bringup process. This feature is documented in the Network Security chapter of the ServerIron TrafficWorks Security Guide.
Windows Terminal Server with L7 Persistance You can now reconnect to the session directory on the Windows 2003 terminal server. This feature is documented in the SLB chapter of the ServerIron TrafficWorks Server Load Balancing Guide.
VRRP-E track port increase You can now configure eight additional (16) track ports with VRRP-E. This feature is documented in the High Availability chapter of the ServerIron TrafficWorks Server Load Balancing Guide.
Client IP insertion in user-configurable headers You can now configure ServerIron to insert the client IP header with any configurable name. This feature is documented in the Layer 7 Switching chapter of the ServerIron TrafficWorks Server Load Balancing Guide.
TFTP Load Balancing Support for TFTP Load Balancing with L4 health checks is now supported.
2 - 14
This feature is documented in the SLB chapter of the ServerIron TrafficWorks Server Load Balancing Guide. Case-insensitive match You can now specify a csw-rule or csw-policy to disregard case. This feature is documented in the Layer 7 Switching chapter of the ServerIron TrafficWorks Server Load Balancing Guide. Policy-Based Routing for Reverse SLB Traffic Policy based routing for server-initiated (reverse) traffic is now supported. This feature is documented in the ServerIron TrafficWorks Server Load Balancing Guide.
2 - 15
Use show server port failed to display all server ports that are not in Active or Disabled state. It also shows the servers to which the ports belong. This feature is documented in the High Availability chapter of the ServerIron TrafficWorks Server Load Balancing Guide. Deleting existing PBSLB sessions Client sessions that are associated with a PBSLB server group change can be deleted from the session table if that PBSLB server groups configuration changes. This feature is documented in the SLB chapter of the ServerIron TrafficWorks Server Load Balancing Guide. Deleting an entire PBSLB List You can remove all the entries in a PBSLB list with one command. This feature is documented in the SLB chapter of the ServerIron TrafficWorks Server Load Balancing Guide. Server port health check policy Server port policies help reduce the configuration required for health checks and provides more flexibility while configuring health checks This feature is documented in the Health Check chapter of the ServerIron TrafficWorks Server Load Balancing Guide. Scripted health check enhancement for real servers When configured to send a string to the server, the ServerIron will establish a TCP connection and immediately send the configured string to the server. The device then waits for the server to send ASCII text and then brings the real server port up or down, based on the configured match-list policy. The new content-check send has been added to the existing port <port-name> command. This feature is documented in the Health Check chapter of the ServerIron TrafficWorks Server Load Balancing Guide. Increased GSLB parameter values The values for the following GSLB parameters have been increased for the WSM6 module: Maximum zones Maximum hosts Maximum geographic prefixes
This feature is documented in the ServerIron TrafficWorks Global Server Load Balancing Guide. Maximum concurrent connection limit per client This feature restricts each client to a specified number of connections, based on the clients subnet, to prevent any one client from using all available connections. This feature is documented in the Network Security chapter of the ServerIron TrafficWorks Security Guide. Support for DNS type ANY query GSLB ServerIron will be able to handle DNS type ANY queries. This feature is documented in the ServerIron TrafficWorks Global Server Load Balancing Guide. GSLB active bindings enhancements Weighed active bindings, minimum active bindings, and tracking an application port for active bindings have been added to the GSLB active bindings feature. This feature is documented in the ServerIron TrafficWorks Global Server Load Balancing Guide. Removal of TCP option command The ip tcp syn-proxy tcp-options command has been removed in this release. 2 - 16 2008 Foundry Networks, Inc. September 2008September 18, 2008
This feature is documented in the Network Security chapter of the ServerIron TrafficWorks Security Guide. New HTTP methods Support for the HTTP Lock and Unlock methods have been added to this release on Layer 7 switching. This feature is documented in the Layer 7 Switching chapter of the ServerIron TrafficWorks Server Load Balancing Guide.
2 - 17
2 - 18
NOTE: With multi-port bindings, ServerIron does not support the case where the master port is unbound or removed. Server Load Balancing (SLB) is based on associations between real servers and virtual servers. The real servers are your application servers. The virtual servers have one or more Virtual IP addresses (VIPs). You associate a real server with a virtual server by binding TCP/UDP ports on the real servers with TCP/UDP ports on the virtual server. When a client sends a TCP/UDP request for a port on the virtual server, the ServerIron sends the clients request to the real server. The client is unaware of the real servers behind the virtual server but does experience enhanced throughput and availability for TCP/UDP services. SLB maps one logical (virtual) server connection to multiple physical (real) servers. This allows a single IP address (virtual server IP address) can serve as the connection point for multiple TCP/UDP services such as HTTP, FTP or Telnet rather than each of the services requiring a different IP address for each service. These services can be located on a single server or across multiple servers.
Figure 3.1 Single Virtual IP Address Mapped to Multiple Real Servers
www.alterego.com
Internet
SI
Web requests forwarded among multiple servers unseen by end users
In Figure 3.1, a company establishes a Web site with the URL of www.alterego.com. The Web site is mapped to the virtual IP address 207.95.55.1, defined on a ServerIron. All inquiries made to that Web site by users on the Internet or the company's Intranet use either the URL or virtual IP address to reach the company's Web site.
September 2008
3-1
Once these inquiries are received at the company site, the requests are handled by one of four separate physical (real) Web servers that the system administrator has mapped to the virtual IP address. The addresses of the four physical (real) Web servers are unknown and unseen to those users who send the inquiries. The only address the users ever see for the Web site is the virtual IP address.
Value of SLB
SLB provides numerous benefits that ease overall administration of TCP/UDP applications on servers as well as increase their performance and reliability. In the previous example, Figure 3.1, the system administrator has greater flexibility in managing server resources for this application. When you use a ServerIron, you can add or remove the physical (real) servers to handle changing traffic requirements without disrupting service to the end users. The end users continue to access the virtual IP address configured on the ServerIron and are not aware of added or removed real servers that underlay the virtual IP address. SLB also enhances server security because the real servers IP addresses are never broadcast. The ServerIron sends and responds to ARPs with the virtual IP address, not the actual IP addresses of the real servers. In addition to offering increased control over server resources and greater security within the network, SLB provides increased reliability of the server resources by providing support for both switch and server redundancy.
Slow-Start Mechanism
When the ServerIron begins sending client requests to a real server that has recently gone online, it allows the server to ramp up by using the slow-start mechanism. The slow-start mechanism allows a server (or a port on the server) to handle a limited number of connections at first and then gradually handle an increasing number of connections until the maximum is reached. The ServerIron uses two kinds of slow-start mechanisms: The non-configurable server slow-start mechanism applies to a real server that has just gone online The configurable port slow-start mechanism applies to individual TCP application ports that have just been activated on a real server
Load-Balancing Predictor
The predictor is the parameter that determines how to balance the client load across servers. You can fine-tune how traffic is distributed across multiple real servers by selecting one of the following load balancing metrics (predictors):
3-2
September 2008
Least Connections
Sends the request to the real server that currently has the fewest active connections with clients. For sites where a number of servers have similar performance, the least connections option smooths distribution if a server gets bogged down. For sites where the capacity of various servers varies greatly, the least connections option maintains an equal number of connections among all servers. This results in those servers capable of processing and terminating connections faster receiving more connections than slower servers over time.
Round Robin
Directs the service request to the next server, and treats all servers equally regardless of the number of connections or response time. For example, in a configuration of four servers, the first request is sent to server1, the second request is sent to server2, the third is sent to server3, and so on. After all servers in the list have received one request, assignment begins with server1 again. If a server fails, SLB avoids sending connections to that server and selects the next server instead.
Weighted
Assigns a performance weight to each server. Weighted load balancing is similar to least connections, except servers with a higher weight value receive a larger percentage of connections at a time. You can assign a weight to each real server, and that weight determines the percentage of the current connections that are given to each server. The default weight is 0. For example, in a configuration with five servers of various weights, the percentage of connections is calculated as follows: Weight server1 = 7 Weight server2 = 8 Weight server3 = 2 Weight server4 = 2 Weight server5 = 5 Total weight of all servers = 24
The result is that server1 gets 7/24 of the current number of connections, server2 gets 8/24, server3 gets 2/24, and so on. If a new server, server6, is added with a weight of 10, the new server gets 10/34. If you set the weight so that your fastest server gets 50 percent of the connections, it will get 50 percent of the connections at a given time. Because the server is faster than others, it can complete more than 50 percent of the total connections overall because it services the connections at a higher rate. Thus, the weight is not a fixed ratio but adjusts to server capacity over time.
The server response time method, when used by itself, always selects the real server with the fastest response time. If all your real servers have similar response capacities, then using the server response time metric by itself generally provides an even load-balancing distribution among the real servers. However, if your server farm contains a mixture of servers, some of which have greater response capability than others, you might want to set the Server Response Time weights on individual real servers. The default server response time weight is 0 (no weight). You can specify a weight from 0 65000. Setting a real servers weight higher relative to other real servers biases the ServerIrons load-balancing selections toward that real server.
Dynamic-Weighted Direct
The SNMP response value from real server is considered as direct performance weight of that server. Direct weighted load balancing is similar to least connections, except that servers with a higher weight value receive a larger percentage of connections. You can assign a weight to each real server and that weight determines the percentage of the current connections that are given to each server. The default weight is 0. For example, in a configuration with five servers of various weights, the percentage of connections is calculated as follows: 3-4 2008 Foundry Networks, Inc. September 2008
Weight server1 = 7 Weight server2 = 8 Weight server3 = 2 Weight server4 = 2 Weight server5 = 5 Total weight of all servers = 24
The result is that server1 gets 7/24 of the current number of connections, server2 gets 8/24, server3 gets 2/24, and so on. If a new server, server6, is added with a weight of 10, the new server gets 10/34. If you set the weight so that your fastest server gets 50 percent of the connections, it will get 50 percent of the connections at a given time. Because this server is faster than the others, it can complete more than 50 percent of the total connections overall because it services the connections at a higher rate. Thus, the weight is not a fixed ratio but adjusts to the server capacity over time.
Dynamic-Weighted Reverse
The SNMP response from each server is regarded as reverse performance weight. Dynamic-weighted reverse load balancing is similar to dynamic-weighted direct , except that the servers with a lower weight value receive a larger percentage of connections. You can assign a weight to each real server, and that weight determines the percentage of the current connections that are given to each server. NOTE: The following predictors are not supported on Layer 7 switching: Under weight, [<response-time-weight>] is not supported. response-time is not supported.
September 2008
3-5
Concurrent connections When you configure a TCP/UDP port in a virtual server to support concurrent connections, the real server can open additional ("concurrent") TCP/UDP sessions with the client using arbitrary TCP/UDP port numbers. Although the concurrent connections feature is similar to the application group feature, application groups apply to specific TCP/UDP ports that you configure on the virtual server. Concurrent connections enables the real server to arbitrarily determine the TCP/UDP ports and assign them to the client.
NOTE: For servers that use passive FTP, configure the FTP ports to be both sticky and concurrent.
Sticky Connections
When a service request by a client mandates a series of sequential TCP/UDP port connections to be served by the same real server, you can enable a sticky connection on that TCP/UDP virtual server port. For example, if a user is accessing dynamically generated pages, the client must consistently attach to the same server; otherwise, the state information is lost. By default, the sticky parameter is disabled for virtual service ports, except for Secure Socket Layer (SSL).
Concurrent Connections
The concurrent connection option is similar to the sticky option. However, instead of supporting sequential connections to the same server, the concurrent connection option supports both a primary connection and secondary connections. The connections are supported at the same time. The primary connection is the controlling connection and dictates the resource, such as a server, to which subsequent or secondary connections are made. Once the controlling connection is established, the server dynamically assigns a TCP/UDP port to which the client should open subsequent or secondary connections. Subsequent connections from that client are accepted on the server as long as the controlling connection is still active. Figure 3.2 shows an example of a concurrent connection. A client initiates a session request to the NETPERF application supported on servers S1, S2, and S3. When the SLB switch receives the request, the switch forwards the request to server S2. This forms the primary connection. Then S2 dynamically assigns a port, 10000, to the application and forwards it to the client. NOTE: The method the server uses to communicate the dynamic port to the client is application specific. The ServerIron switches all subsequent connections to S2 to ensure that the NETPERF session completes successfully. By default, the concurrent property of a virtual TCP/UDP service port is enabled except for FTP, Telnet, TFTP, HTTP, and SSL ports.
3-6
September 2008
Figure 3.2
Step 1 Client initiates a NETPERF session. Step 2 ServerIron forwards request to S2 and a primary connection is established. S1 ServerIron
SI
S2 port 10000 S3
Step 3 S2 dynamically assigns port 10000 to the service (NETPERF application) and forwards it back to Client1 Subsequent connections (seconday connections) marked with port 10000 will be forwarded by the SLB switch to S2 ensuring that the NETPERF session completes succesfully.
Sticky VIPs
The "track source-ip" command entered under a VIP acts like enabling stickiness for all protocols defined under that VIP. This means that all requests from the same source-ip to all destination ports defined in the VIP will be load balanced to the same real server. NOTE: This is not a commonly used feature. You can also use "sticky" for each port you define under the VIP.
Unlimited VIPs
If your real Web servers have many IP addresses, you can easily create a separate VIP for each real IP address without individually configuring each VIP. To do so, configure a host range. A host range is a block of contiguous IP addresses. To configure a host range, you add a VIP and specify how many hosts are in the range. The ServerIron automatically configures a separate VIP for each host in the range. When you bind the base VIP to the real servers, the ServerIron associates the VIP with the first real IP address on the server. Subsequent VIPs in the host range are associated with subsequent real IP addresses on the server. The association is based on the offset from the base VIP. When a client requests an address in the VIP range, the ServerIron automatically maps the VIP to a real IP address on a real server based on the address's offset from the base VIP address. For example, if you define a range using the base VIP 209.157.22.1 and a host range of 10, the ServerIron maps VIPs 209.157.22.1 209.157.22.10 to a range of ten addresses on each real server. If a client requests VIP 209.157.22.3 (two from the base VIP number), the ServerIron sends the request to an IP address that is two higher than the start of the corresponding range on a real server. You can configure up to 256 virtual servers, each with a host range of 256 addresses, for a total of up to 64,000 VIPs. NOTE: To use this feature, the IP address range on the real server must be contiguous. If the range contains gaps (addresses in use by other hosts), specify separate ranges on the virtual server to work around the gaps.
Geographically-Distributed Servers
The servers in your SLB configurations do not need to have Layer 2 connectivity to the ServerIron. In fact, they do not need to be in the same LAN or Intranet as the ServerIron at all. Using the NAT support described in
September 2008
3-7
Multinetting Using NAT on page 3-18, you can configure the ServerIron to use geographically-distributed servers. In a typical configuration, the ServerIron uses geographically-distributed servers as failovers if all the local servers become unavailable. When you configure a real server, you indicate whether the server is local or remote. If the server is remote, the ServerIron does not include the server in its predictor (load-balancing metric). The remote server can be the IP address of a real server or even a virtual IP address configured on another ServerIron. For information about the predictor, see Load-Balancing Predictor on page 3-2. Servers that are locally attached to the ServerIron (not separated by one or more router hops) are local servers. Servers that are one or more router hops away from the ServerIron are remote servers. NOTE: You can configure the ServerIron to include remote servers when load balancing traffic, instead of using the remote servers only as failovers. See Configuring Primary and Backup Servers on page 3-65.
Symmetric SLB
Symmetric Server Load Balancing (SLB) allows you to use multiple ServerIrons to simultaneously load balance VIP traffic and provide hot standbys for one anothers VIPs. In addition to their roles as mutual backups, each ServerIron actively provides Layer 4 SLB (and TCS, if configured) services. As a result, you get the fault protection of a hot standby configuration while doubling connection capacity. In a Symmetric SLB configuration, each VIP is actively served by only one of the ServerIrons. The other ServerIrons are standbys for that VIP, although they may each simultaneously be the active ServerIron for other VIPs. You determine which ServerIron is the active ServerIron for a VIP by assigning a priority to each VIP. The ServerIron that has the highest priority for a specific VIP is the active ServerIron for the VIP by default. The other ServerIrons have lower priorities for the VIP and are standbys for that VIP. Only if the ServerIron that has the highest priority for the VIP becomes unavailable does another ServerIron (with the next highest priority for the VIP) assume service for the VIP. To configure Symmetric SLB, you configure the same VIPs on multiple ServerIrons that have Layer 2 connectivity, then assign a different SLB priority to each VIP on each of the ServerIrons. For example, to configure two ServerIrons for SLB, configure the same VIPs on each of the ServerIrons. On one of the ServerIrons, assign half of the VIPs a priority of 1 (lowest) and assign the other VIPs a priority of 255 (highest). Assign the reverse priorities to the VIPs on the other ServerIron. A typical Symmetric SLB configuration uses a redundant set of real servers connected to each ServerIron. The VIPs and their contents are identical on each pair of servers. The only difference for each VIP is the priority you assign the VIP on a particular virtual server. You can configure a priority from 1 255 and you can use up to 255 ServerIrons in a Symmetric SLB configuration. NOTE: You need to enable VRRP or VRRP-E on ServerIrons that are in a Symmetric SLB configuration; otherwise, FTP, RTSP, and MMS protocols may not work. Also, configure the IP address of the real servers default gateway as the VRID of the VRRP or VRRP-E. Figure 3.3 shows an example of Symmetric SLB.
3-8
September 2008
Figure 3.3
VIP1 traffic
VIP2 traffic
Internet
Clients do not notice a change in service or availability. Remote Access Server Remote Access Server
X
SI SI
Real Server 1
Real Server 2
Real Server 3
Real Server 4
Link-Level Redundancy
Symmetric SLB includes link-level redundancy to provide fault tolerance against failed links. If a link from a ServerIron to the real servers fails, Symmetric SLB can use an alternate path through another ServerIron running Symmetric SLB to reach the real servers. Link-level redundancy requires no additional configuration. If the ServerIrons have Layer 2 connectivity and you configure Symmetric SLB priorities for the VIPs, then link-level redundancy is automatically enabled. See Symmetric SLB on page 7-16.
SwitchBack
Direct Server Return (SwitchBack) configures the ServerIron to instruct real servers to send client responses directly to the clients instead of sending the responses back through the ServerIron. As a result, the clients receive faster response time and the ServerIron is free to support even more sessions to serve more clients. (A connection is two sessions, one in each direction.) When configured for this feature, the ServerIron sends client requests addressed to a VIP to a load balanced real server, as in standard Server Load Balancing (SLB) configurations. However, to enhance server-to-client response time and to increase the overall connection capacity of the ServerIron, the software in a SwitchBack configuration formats the client request packets in such a away that the real servers respond directly to the clients, instead of sending the responses back through the ServerIron. Figure 3.4 shows an example of two ServerIrons deployed in a SLB SwitchBack configuration.
September 2008
3-9
Figure 3.4
Internet
SI-A
SI-B
You configure SwitchBack on an individual TCP/UDP port basis when you configure your virtual servers. The feature requires that you configure a loopback interface on each real server and give the loopback interface the IP address of the VIP. The ServerIron sends the client traffic to the real server without translating the destination address from the VIP into the real server's IP address. Thus, the real server receives the client traffic addressed to its loopback address and responds directly to the client. The SwitchBack feature can be used on a single ServerIron supporting a single server farm, but is also is quite powerful when used on multiple ServerIrons in combination with the Symmetric SLB feature (see Symmetric SLB on page 3-8). For a complete configuration example, see SwitchBack Configuration Example on page 3-148. For overview information, see SwitchBack Configuration Example on page 3-148.
3 - 10
September 2008
for each of the additional VIPs. The ServerIron collects and displays statistics and configuration information individually for each VIP, but sends all traffic to the same TCP/UDP port number on the real server. See Many-To-One TCP/UDP Port Binding on page 3-186 for an example application using this feature.
5.
Bind the the alias ports to the real servers on the virtual servers. ServerIron(config-vs-vs1)# bind http rs1 81 rs2 82
6.
Create a second virtual server with an HTTP port. ServerIron(config)# server virtual-name-or-ip vs2 ServerIron(config-vs-vs2)#port http
7.
Bind the the alias ports to the real servers on the virtual servers. ServerIron(config-vs-vs2)# bind http rs1 8081 real-port 81 rs2 8082 real-port 82 Syntax: bind <virtual-port> <real-server-name> <alias-port> [real-port <real-port-num>]
September 2008
3 - 11
Port Ranges
Beginning with ServerIron software release 11.0.00, port ranges can be defined under real servers or virtual servers. Port ranges can be used with bind statement under VIP. Additionally, you can define port profiles for a port range and specify characteristics such as tcp/udp, keepalive timers, retires for all ports inside port range. NOTE: Port-policy definition is not supported with port range. This is because all ports inside a port range must have same characteristics and these characteristics can be defined using port profile. The ServerIron processes client requests destined to ports inside a port range in the same manner as it processes connections to individual ports.
3 - 12
September 2008
Port ranges cannot be used with IPv6 services Some of the other features not supported with port range are: PBSLB, TCS, boolean health check, scripted health check, track-groups, track-ports, tcp offload & keepalive
September 2008
3 - 13
When defining port profile for a port range, note the following: A separate port profile for an individual port inside a port-range definition is not permitted. All ports inside a port-range must have same properties. In the case of overlapping port ranges that are used under different real servers, a port profile for only one of the port ranges is allowed. You cannot have conflicting properties for the same port under different port ranges.
Pending Start
Using a <start-index> variable begins display at the record specified where the first record has a value of 0. In the following example, the <start-index> value of 2 is used on the same port-range displayed in the previous example: HA1(config)#show port-range 2 Name Start pr98 9800 range4 7001 End Pending Start 9803 7050 Pending End RefCnt 4
3 - 14
September 2008
To display a list of port ranges with a name that starts with a specified prefix issue the following command: ServerIron(config)# show port-range starts-with pr Syntax: show port-range starts-with <prefix> ServerIron#show port-range starts with pr Name Start End pr2 8090 8139 pr3 8140 8149 pr98 9800 9803 The following table describes the information in the output:
Pending Start
Description Name of the port range First port in the port range Last port in the port range The port range has been changed but the apply port-range command has not been issued. This column shows the start of the new port range. The port range has been changed but the apply port-range command has not been issued. This column shows the end of the new port range. This is used by developers for debugging purposes.
Pending End
RefCnt
HTTP Redirect
The remote server support and NAT support described in previous sections allow you to configure geographicallydistributed servers that the ServerIron uses as failovers if the local servers are unavailable. A typical configuration with geographically-distributed servers uses source NAT to cause responses from the remote real server to go back to the ServerIron instead of directly to the client. This traffic pattern matches the standard traffic pattern among the ServerIron, the clients, and the real servers. However, if the links between a remote server and ServerIron are slow and would introduce unacceptable delays, you can enable HTTP redirect. HTTP redirect configures the ServerIron to send an HTTP redirect message to a client when the ServerIron is sending the client's request to a remote server. The HTTP redirect instructs the client to redirect its TCP connection from the VIP to the real IP address of the remote server. After a successful HTTP redirect, the client and remote server communicate directly, not through the ServerIron. NOTE: If a client creates a bookmark when communicating directly with a remote server, the bookmark points to the real IP address of the server instead of the VIP. If the client uses the bookmark later to re-access the server, the client bypasses the VIP.
September 2008
3 - 15
Client
ServerIron
R1
R2
Session Directory
When the new connection is made, the ServerIron load balances it to one of the bound terminal servers. R2 in the example above. On receiving the client logon, R2 checks with the session directory to see if the username exists in its database. Because this user had not previously established a session, the logon is established with R2. 3 - 16 2008 Foundry Networks, Inc. September 2008
R2 forwards a token to the user with the server IP address. The client now connects to the virtual server (VIP), and includes the token. The ServerIron inspects this token and then establishes a connection with the server that the token identifies. Figure 3.6 shows how Windows Terminal Server load balancing with persistence works in the case of a disconnected session.
Figure 3.6 Disconnected Session Scenario
Client
ServerIron
R1
R2
Session Directory
The ServerIron load balances the initial connection to one of its bound servers. When the user logs on, the terminal server that receives this request, checks with the session directory to see if there is an established session in its database. The session directory communicates the same information to the terminal server. Because the user has an established session with another server, the terminal server forwards a token to the user with the IP address of the server that it had disconnected from or had a failed session. The user now connects to the VIP and uses the token with the server IP to which it needs to be connected. After inspecting the token, the ServerIron directs the server to the IP in the token rather than load balancing the request. NOTE: This IP port should be one of the servers bound to the VIP. Otherwise, the Serveriron does not direct the request. NOTE: The IP address redirection feature on the terminal server session directory needs to be turned OFF for Windows Terminal Server to work. If IP address redirection is ON, the client tries to establish the session with the server directly after receiving the token. Only with Windows Terminal Server OFF, is a routing token for redirection used. The client connects to the VIP of SI and uses the token for redirection.
September 2008
3 - 17
For ServerIron->client packets: Destination Leave clients IP address unchanged. Source Translate real server IP address into VIP address.
The ServerIron always translates the MAC address in responses from a real server into the MAC address of the virtual IP address (VIP) before sending the response to the client. Thus, the client receives a response that contains the source IP address and MAC address of the VIP. This behavior assumes that the ServerIron and the real servers are all on the same sub-net and have direct Layer 2 connectivity. However, you are not limited to this topology. You can easily configure the ServerIron to operate in a multi-netted environment in which the ServerIron and the real servers are in different sub-nets. In addition to the IP management address, the ServerIron can have up to eight additional IP addresses for use with source NAT. When the network topology requires the ServerIron to translate a packets source IP address into one of the ServerIrons source IP addresses, the ServerIron can use one of the source IP addresses you
3 - 18
September 2008
configure. You can configure source IP addresses on a global basis (for the entire device). See the application examples in SLB Configuration Examples on page 3-185 for more information.
Destination Translate virtual IP address known by client into real server address. Source Translate real server IP address into virtual IP address known by client. In multi-netted environment: Destination Translate virtual IP address known by client into real server address. Source Translate client IP address into source IP address in the same sub-net as the real server if possible. (Source IP address is defined on the ServerIron.)
When sending client request to remote real server: Destination Translate virtual IP address known by client into real server address. Source Translate client IP address into source IP address defined on the ServerIron. This ensures that server response comes back to ServerIron instead of directly to client.
ServerIron->client
In multi-netted environment: Source Translate real server address into virtual IP address known by client. Destination Translate ServerIron source IP address back into client IP address.
When receiving response from remote server: Source Translate real server address into virtual IP address known by client. Destination Translate ServerIron source IP address into client IP address.
Configuring SLB
A basic SLB configuration consists of a single ServerIron and multiple real servers with identical content. To configure basic SLB, perform the following tasks: Define the real servers on the ServerIron. See Defining the Real Servers and Adding the Application Ports on page 3-21.
September 2008
3 - 19
Define a virtual server. See Defining a Virtual Server (VIP) on page 3-22. Bind the real servers to the VIP. See Binding Virtual and Real Servers on page 3-22
Figure 3.7 shows an example of a basic SLB configuration. This example uses multiple Web servers to handle remote Web requests received on the Web site. The Web site URL is assigned to the switch as the focal point for all inquiries as a virtual server address. The virtual server will then forward requests to each of the four Web servers as specified by the predictor (load balancing metric). The sections following the example show how to configure the ServerIron in the example using the CLI.
Figure 3.7 Basic SLB configuration
Client
SI
RS1 Primary for HTTP, FTP Backup for DNS RS2 Primary for DNS Backup for HTTP, FTP
Real and virtual server assignments Port 80 Real IP 207.95.55.21 (Web1) 207.95.55.22 (Web2) 207.95.55.23 (Web3) 207.95.55.24 (Web4) Port 80 80 80 80
Configuration Guidelines
The following configuration guidelines should be observed when configuring SLB on a switch: Each virtual server name and IP address must be unique. Each virtual server can have multiple TCP/UDP ports assigned. Each real server name and IP address must be unique. Each real server can have multiple TCP/UDP ports assigned. Each real server TCP/UDP port can be bound only to one virtual TCP/UDP port. One virtual TCP/UDP port can be bound to one or more real TCP/UDP ports.
3 - 20
September 2008
NOTE: If you need to map a real server port to multiple VIP ports, you can use the many-to-one TCP/UDP port binding feature. See Many-To-One TCP/UDP Port Binding on page 3-186. The selection of a real server among many is managed by the selected predictor (load balancing metric). Binding must be done to establish a relationship between virtual and real servers.
September 2008
3 - 21
ServerIron(config)#server real rs1 1.2.3.4 ServerIron(config-rs-rs1)#clone-server rs2 5.6.7.8 The first command changes the CLI to the configuration level for the real server you want to copy. The second command creates a clone of real server rs1. The clone is named "rs2" and has IP address 5.6.7.8. Syntax: [no] clone-server <name> <ip-addr> The <name> parameter specifies the name of the clone. The <ip-addr> parameter specifies the IP address of the clone.
NOTE: To delete a server clone, you must manually edit the startup-config file to remove the command. The "no" option is not supported for this command.
Syntax: [no] port <tcp/udp-port> After you have defined the virtual server, you can add configuration statements or delete the server by referring to the servers IP address or name, by entering commands such as the following: ServerIron(config)#server virtual-name-or-ip www.altergo.com 207.95.55.1 ServerIron(config-vs-www.alterego.com)#port http ServerIron(config-vs-www.alterego.com)#exit ServerIron(config)#server virtual-name-or-ip 207.95.55.1 ServerIron(config-vs-www.alterego.com)#exit ServerIron(config)#server virtual-name-or-ip www.altergo.com ServerIron(config-vs-www.alterego.com)#exit ServerIron(config)#no server virtual-name-or-ip 207.95.55.1
3 - 22
September 2008
NOTE: For clarity, the bindings in the example are shown as four separate entries. You can enter all the binding information as one command: bind http Web1 http Web2 http Web3 http Web4 http
Deleting a VIP
It is critical that you follow the steps below prior to deleting a VIP that is in production or is handling live traffic: 1. Configure the following command at the global configuration mode. ServerIron(config)# server no-graceful-shutdown Syntax: [no] server no-graceful-shutdown 2. Disable the real server ports that are associated with this virtual server port. ServerIron(config)# server real rs1 ServerIron(config-real-rs1)# port http disable ServerIron(config-real-rs1)#exit Syntax: [no] server real <real-server-name> Syntax: [no] port <port> disable 3. Keep checking the current connection count against the real server until the connection count falls to zero. ServerIron# show server real rs1 Syntax: show server real <real-server-name> 4. If the current connection value does not drop to zero after some time has passed, then unbind the real server port from under the VIP. ServerIron(config)# server virtual vs1 ServerIron(config-virtual-vs1)#no bind http rs1 http ServerIron(config-real-rs1)#exit Syntax: no bind <virtual-port> <real-server-name> <real-server-port> 5. Double check to make sure that real server is unbound from the virtual server. Syntax: show server bind If the real server is not unbound properly, then check the connection count under the BP console and try clearing the server sessions. ServerIron# rconsole 1 1 ServerIron1/1# show server real rs1 ServerIron1/1#rconsole-exit ServerIron# rconsole 1 2 ServerIron1/2# show server real rs1 ServerIron1/1#rconsole-exit ServerIron# rconsole 1 3 ServerIron1/3# show server real rs1 ServerIron1/1#rconsole-exit Syntax: rconsole <slot#> <BP#> Syntax: show server real <real-server-name> Syntax: rconsole-exit If there are existing connections or the port is still in AWU or AWM state, then clear the server sessions using following command. Syntax: clear server all-session <real-server-name> <real-port> September 2008 2008 Foundry Networks, Inc. 3 - 23
6.
After the connection count drops to zero or the unbinding is successful, delete the VIP. ServerIron(config)#no server virtual vs1 Syntax: no server virtual <virtual-server-name>
7.
If real servers are not required, then delete those also. ServerIron(config)#no server real rs1 Syntax: no server real <real-server-name>
If you any current connection or current session cannot be disabled and the port is in "AWU" or "AWM", then issue a clear server all-session <real server name> <port> command.
When you enable fast-path processing, the ServerIron does not process every TCP or UDP packet in a given session in detail. Instead, the ServerIron uses information gathered during setup of the session to forward packets in the session. NOTE: SLB optimization is useful if simple SLB (stateful or stateless) is the primary or sole application on the device. If you use the ServerIron for other features such as GSLB or FWLB, SLB optimization is not useful. NOTE: Starting with release 08.1.00S, stateful and stateless SLB traffic are optimized by default.
Configuration Considerations
You can use only one type of optimization at a time. You cannot use stateful and stateless optimization at the same time. Optimization applies only to SLB TCP or UDP traffic that is initiated by clients. Other types of traffic are not optimized. Optimization does not apply to fragmented IP packets. In the current release, the port name or number on the VIP must be same as the one on the real server bound to the VIP. Port translation is not supported. FTP traffic is not supported. Source NAT (source-nat command) is not supported. Host ranges (host-range command) are not supported. The show server stateless command does not display hits.
3 - 24
September 2008
Many-to-one TCP/UDP port binding (no port <tcp/udp-port> translate command) is not supported.
NOTE: Traffic for an SLB configuration that does not meet these criteria is still forwarded using normal processing, but fast-path processing is not used. For stateless SLB, optimization is supported only for the following TCP or UDP ports that are well-known to the ServerIron: 7 (echo) 9 (discard) 21 (ftp) 22 (ssh) 23 (telnet) 25 (smtp) 37 (time) 49 (tacacs) 53 (dns) 67 (bootps) 68 (bootpc) 69 (tftp) 80 (http) 109 (pop2) 110 (110) 119 (nntp) 123 (ntp) 137 (netbios-ns) 138 (netbios-dgm) 143 (imap4) 161 (snmp) 162 (snmp-trap) 179 (bgp) 195 (dnsix) 389 (ldap) 434 (mobile-ip) 443 (ssl) 517 (talk) 520 (rip) 554 (rtsp) 1755 (mms) 1812 (radius) 1645 (radius-old)
September 2008
3 - 25
3 - 26
September 2008
Starting in Release 09.00.1S, you can direct traffic to real servers in proportion to their weights, by entering the following command: ServerIron(config)#server enhanced-weighted Syntax: [no] server enhanced-weighted To configure the enhanced weighted predictor, perform the following tasks: 1. 2. 3. Assign weights to the real servers. Enable the weighted predictor either globally or for a virtual server. Enable the enhanced weighted predictor.
Syntax: [no] weight <least-connections-weight> [<response-time-weight>] The weight command assigns a performance weight to each server or firewall. Servers or firewalls with a larger or higher weight assigned receive a larger percentage of connections. For FWLB, the weight feature is supported only for stateful FWLB. FWLB in software releases 07.2.x and 08.x is always stateful. FWLB in releases 07.1.x and 07.3.x can be stateful or stateless, depending upon your configuration. The <least-connections-weight> parameter specifies the real servers weight relative to other real servers in terms of the number of connections on the server. More precisely, this weight is based on the number of session table entries the ServerIron has for TCP or UDP sessions with the real server. You can specify a value from 0 65000. The default is 1. This parameter is required. However, if you want to use a weight value only for the Server Response Time but not for the number of connections, specify 0 for this parameter. The <response-time-weight> parameter specifies the real servers weight relative to other real servers in terms of the servers response time to client requests sent to the server. You can specify a value from 0 65000. The default is 0 (disabled). This weight is applicable only when the server response time load-balancing method is enabled. If you enter a value for <response-time-weight>, the ServerIron adds the two weight values together when selecting a real server. If you specify equal values for each parameter, the ServerIron treats the weights equally. The number of connections on the server is just as relevant as the servers response time. However, if you set one parameter to a higher value than the other, the ServerIron places more emphasis (weight) on the parameter with the higher value. For example, if you specify a higher server response time weight than the weight for the number of connections, the ServerIron pays more attention to the servers response time than to the number of connections it currently has when considering the real server for a new connection. The <response-time-weight> parameter is not valid for FWLB. Default value: 0 for SLB; 1 for FWLB NOTE: FWLB. The <response-time-weight> parameter is valid for real servers in SLB configurations but is not valid for
September 2008
3 - 27
Table 3.4: Real Server A weight = 1 Connections 0 0 0 0 0 0 1 1 1 1 1 1 Server Loada 0/1=0 0/1=0 0/1=0 0/1=0 0/1=0 0/1=0 1/1=1 1/1=1 1/1=1 1/1=1 1/1=1 1/1=1
SLB with the weighted predictor Real Server C weight = 3 Server Load 0/2=0 0/2=0 0/2=0 0/2=0 1/2=0 2/2=1 2/2=1 2/2=1 2/2=1 2/2=1 3/2=1 4/2=2 Connections 0 1 2 3 3 3 3 4 5 6 6 6 Server Load 0/3=0 1/3=0 2/3=0 3/3=1 3/3=1 3/3=1 3/3=1 4/3=1 5/3=1 6/3=2 6/3=2 6/3=2
3 - 28
September 2008
Table 3.4: Real Server A weight = 1 Connections 2 2 2 Server Loada 2/1=2 2/1=2 2/1=2
SLB with the weighted predictor Real Server C weight = 3 Server Load 4/2=2 4/2=2 4/2=2 Connections 6 7 8 Server Load 6/3=2 7/3=2 8/3=2
a.For the weighted predictor, the server load is calculated as connections divided by server weight = server load. Fractional remainders are rounded down. If there is a tie, the server with the highest weight receives the connection When the enhanced weighted predictor is configured, connections are assigned as indicated in the following table.
Table 3.5: Real Server A weight = 1 Connections 0 0 0 1 1 1 1 1 1 2 2 2 2 2 2 Server Loada 0x6/1=0 0x6/1=0 0x6/1=0 1x6/1=6 1x6/1=6 1x6/1=6 1x6/1=6 1x6/1=6 1x6/1=6 2 x 6 / 1 = 12 2 x 6 / 1 = 12 2 x 6 / 1 = 12 2 x 6 / 1 = 12 2 x 6 / 1 = 12 2 x 6 / 1 = 12
SLB with the Enhanced Weighted predictor Real Server B weight = 2 Connections 0 0 1 1 1 2 2 2 3 3 3 4 4 4 5 Server Load 0x6/2=0 0x6/2=0 1x6/2=3 1x6/2=3 1x6/2=3 2x6/2=6 2x6/2=6 2x6/2=6 3x6/2=9 3x6/2=9 3x6/2=9 4 x 6 / 2 = 12 4 x 6 / 2 = 12 4 x 6 / 2 = 12 5 x 6 / 2 = 15 Real Server C weight = 3 Connections 0 1 1 1 2 2 3 4 4 4 5 5 6 7 7 Server Load 0x6/3=0 1x6/3=2 1x6/3=2 1x6/3=2 2x6/3=4 2x6/3=4 3x6/3=6 4x6/3=8 4x6/3=8 4x6/3=8 5 x 6 / 3 = 10 5 x 6 / 3 = 10 6 x 6 / 3 = 12 7 x 6 / 3 = 14 7 x 6 / 3 = 14
a.For the enhanced weighted predictor, the server load is calculated as connections x [combined weights / server weight] = server load. Fractional remainders are rounded down. If there is a tie, the server with the highest weight receives the connection.
September 2008
3 - 29
SNMP versions 1 and 2 use community strings to restrict SNMP access. The administrator must configure an SNMP community string to match with those configured in all the real servers. ServerIron(config-rs-rs1)#snmp-request community public Syntax: snmp-request community public <port> <port> snmp-request host UDP port (Default: port 161)
You can configure the frequency of the periodic SNMP queries using the following command: ServerIron(config)#server snmp-poll 5 Syntax: server snmp-poll <num> <num>Decimal value in seconds (Default: 3 sec)
Configuration Example
ServerIron(config)#server snmp-poll 5 ServerIron(config)#server real rs1 10.1.1.1 snmp-request community public port 161 snmp-request oid 1 1.3.6.1.2.1.25.3.3.1.2.1 snmp-request oid 2 1.3.6.1.2.1.1.3.0 port http port http keepalive port http url "HEAD /"
Dynamic-Weighted Direct
To configure a dynamic-weighted reverse predictor, use the following comand: ServerIron(config-vs-vs1)#predictor dynamic-weighted direct oid 1 Syntax: predictor dynamic-weighted {direct oid <ID>
3 - 30
September 2008
Configuration Example
server virtual-name-or-ip vs1 10.1.1.151 predictor dynamic-weighted direct oid 1 port http bind http rs1 http rs2 http rs3 http
Dynamic-Weighted Reverse
To configure a dynamic-weighted reverse predictor, use the following comand: ServerIron(config-vs-vs1)#predictor dynamic-weighted reverse oid 1 max 50 Syntax: predictor dynamic-weighted reverse oid <ID> [max <value>] DECIMAL Max value - reverse weight = direct weight
Deletion of UDP Data Session Along With TCP Control Session For RTSP
Release 10.0.00a adds this feature. This TrafficWorks software release enables the ServerIron to track both control and data sessions for RTSP even if they are carried over separate transport layer protocols. At the time of deletion of a TCP based RTSP control session, the ServerIron also delete UDP based RTSP data session.
September 2008
3 - 31
By default, a real server does not have a warning threshold or a shutdown threshold. For each threshold, you can specify a threshold value from 0 (disabled) 65535 milliseconds (65 seconds). You can configure one or both thresholds globally or on an individual real server basis. The thresholds configured on an individual real server override the globally configured thresholds. After bringing down the application port, the ServerIron periodically attempts to reach the port and brings the port back up once the port responds. For information, see Application Port States on page 5-15. NOTE: This feature is supported only on ServerIron Chassis devices. NOTE: This feature requires the Layer 4 and Layer 7 health checks to enabled. If the health checks are not enabled, the ServerIron does not apply the response thresholds you configure. NOTE: This feature applies only to TCP ports.
3 - 32
September 2008
Log servers: IP 10.10.10.20, Port 514 Dynamic Log Buffer (50 entries): 00d00h13m06s:I:running-config was changed from console 00d00h08m35s:N:L4 server 10.10.10.20 r20 port 80 is up 00d00h08m34s:N:L4 server 10.10.10.20 r20 port 80 is down 00d00h08m34s:W:Port 80 on server r20: 10.10.10.20: Avg response time 27 exceeded lower threshold 00d00h08m34s:W:Port 80 on server r20: 10.10.10.20: Avg response time 27 exceeded upper threshold; Bringing down the port... ServerIron# show logging Syslog logging: enabled (0 messages dropped, 0 flushes, 5 overruns) Buffer logging: level ACDMEINW, 50 messages logged level code: A=alert C=critical D=debugging M=emergency E=error I=informational N=notification W=warning Log servers: IP 10.10.10.20, Port 514 Dynamic Log Buffer (50 entries): 00d00h13m06s:I:running-config was changed from console 00d00h08m35s:N:L4 server 10.10.10.20 r20 port 80 is up 00d00h08m34s:N:L4 server 10.10.10.20 r20 port 80 is down 00d00h08m34s:W:Port 80 on server r20: 10.10.10.20: Avg response time 27 exceeded lower threshold 00d00h08m34s:W:Port 80 on server r20: 10.10.10.20: Avg response time 27 exceeded upper threshold; Bringing down the port... The first message shown in bold type is a warning message. The last message shown in bold type is a shutdown message. Syntax: show logging
September 2008
3 - 33
Generally, an application is unavailable if all the real servers that have the application are unavailable or the application is not configured on the VIP requested by the client. To configure the ServerIron to send a TCP RST to a client, enter the following command: ServerIron(config)# server reset-message Syntax: [no] server reset-message NOTE: The server reset message overrides the ICMP Destination Unreachable message. If the configuration contains both, the ServerIron sends a TCP RST instead of an ICMP message for TCP requests. For UDP requests, the device still sends ICMP messages. TCP RST does not apply to UDP. For information on how to globally configure the ServerIron to send an ICMP Destination Unreachable message to a client, see Sending ICMP Port Unreachable or Destination Unreachable Messages on page 3-33. NOTE: The server no-reset-on-max-conn command overrides the server reset-message command. For more information, see Disabling TCP RST Message on Maximum Connections on page 3-35.
Disabling TCP RST Message When a Real Server Goes Down During an Open Session
NOTE: This feature is supported on ServerIron Chassis devices running switch software version 07.2.26A or later. By default, if a real server goes down during an open TCP session with a client, the ServerIron sends a TCP RST message to the client to terminate the session normally. When the real server comes back up, clients can establish a new sessions with the server. You can globally disable the TCP RST message from being sent under these circumstances. When you disable the TCP RST message, the client can resume the interrupted session when the real server comes back up.
3 - 34
September 2008
NOTE: Disabling the TCP RST messages affects only the message sent to a client when a real server goes down during a clients session with the server. TCP RST messages sent under other circumstances are not affected. To globally disable the TCP RST message from being sent, enter the following command: ServerIron(config)#server no-reset-for-established-session Syntax: [no] server no-reset-for-established-session By default, sending TCP RST messages is enabled.
See Web Hosting with ServerIron and Real Servers in Different Subnets on page 3-194 for an example of the type of configuration in which you need to use this feature. NOTE: Depending on the configuration, you might also need to enable source NAT. See Web Hosting with ServerIron and Real Servers in Different Subnets on page 3-194. See Multinetting Using NAT on page 3-18 for general information about the NAT operations performed by the ServerIron. The ServerIron supports a maximum of 64,000 simultaneous connections on each source IP address. This maximum value is based on the architectural limits of IP itself. As a result, if you add only one source IP address,
September 2008
3 - 35
the ServerIron can support up to 64,000 simultaneous connections to the real servers. If you configure 64 source IP addresses, the ServerIron can support more simultaneous connections. ServerIron(config)#server source-ip 192.168.1.5 255.255.255.0 192.168.1.1 Syntax: [no] server source-ip <ip-addr> <network-mask> <default-gateway> The <default-gateway> parameter is required. By specifying "0.0.0.0" as a gateway, the system is going to use the ip default-gateway setting for the default gateway. The gateway function will not actually be disabled for the interface. You can configure source IP addresses to enable the ServerIron to communicate with routers and real servers in different subnets. For example, Figure 3.8 shows an example of a ServerIron that uses both public and private source NAT addresses. NOTE: You can define a total of 64 source-ip and source-nat-ip addresses on a ServerIron running switch code. The source-ip command is not required on ServerIrons running router code.
Figure 3.8
Internet
SI
-management IP address 192.168.1.69 -VIP 192.168.1.70 source IP address 192.168.1.5 - source IP address 10.10.10.5 - source IP address 10.10.20.5 - source NAT enabled Real server R2 10.10.20.2
The ServerIron in this example is configured with three source IP addresses. Two of the addresses are in the subnets of the real servers and the third address is in the same subnet as the ServerIron management address. The software considers any address that is not within the following address ranges to be a public address. These address ranges are defined as private address ranges in RFC 1918. 10.0.0.0 10.255.255.255 172.16.0.0 172.31.255.255 192.168.0.0 192.168.255.255
You can also use the server source-ip command under a real server to designate the source IP address for Source NAT. For example, to specify that traffic from remote real server R1 use 193.77.7.7 as its source IP address, enter the following commands: ServerIron(config)#server remote R1 193.77.7.2 ServerIron(config-rs-R1)#source-ip 193.77.7.7
3 - 36
September 2008
If the <ip-addr> parameter is not already configured as a source IP address on the ServerIron (with the server source-ip command), an error message is displayed.
September 2008
3 - 37
NOTE: If source-ip and source-nat-ip are configured for the same subnet, then the source-nat-ip is given a higher priority. In the router case, the interface IPs are programmed as source-ips on the BP. The IP that matches the default gateway is given preference in the router case. As a result, if you configure the source-nat-ip in a subnet different than the gateway remote servers that ared defined on the Serveriron, then this source-nat-ip must not be used. You should take this into account during network design. For example, if you want to keep using the same IP 4.4.4.101 as source-ip, but change old source-ip feature to new source-ip port-alloc-per-real. You need to perform the following steps in order: 1. 2. 3. Bring traffic that hit 4.4.4.101 to zero. No server source-ip 4.4.4.101 255.255.255.0.0.0.0.0 Server source-ip 4.4.4.101 255.255.255.0.0.0.0.0 per-alloc-per-real
Configuration
To enable this feature, use the "port-alloc-per-real" keyword along with server source-ip or server source-nat-ip commands. Enabling Port Allocation Per Real Server for Source IP Enabling Port Allocation Per Real Server for Source NAT IP
3 - 38
September 2008
EXAMPLE: ServerIron 4502/1#sh source-ip 4.4.4.101 all Source IP information ********************* Source IP: 4.4.4.101 flt: Yes standby: No intf ip: No Real server: real-rs-8.10 (8.8.8.10) MMS: h: 0 t: 0 m: 23b4fb3c T: 642 f: 642 RTSP: h: 0 t: 0 m: 23b51b54 T: 384 f: 384 NORM: h: 0 t: 0 m: 23b34b24 T: 9216 f: 9216 Real server: real-rs-8.11 (8.8.8.11) MMS: h: 0 t: 0 m: 23b53b6c T: 642 f: 642 RTSP: h: 0 t: 0 m: 23b55b84 T: 384 f: 384 NORM: h: 0 t: 0 m: 280c1d08 T: 9216 f: 9216 Real server: real-rs-8.12 (8.8.8.12) MMS: h: 0 t: 0 m: 23b58114 T: 642 f: 642 RTSP: h: 0 t: 0 m: 23b5a12c T: 384 f: 384 NORM: h: 0 t: 0 m: 280dcd20 T: 9216 f: 9216
NOTE: If show source-ip displays that the IP is a per-real-srcip, then you should use the show source-ip <source-ip><real-server IP> to view the port allocation and usage information since the ports allocation will be from the real server pool.
September 2008
3 - 39
Total
Src IP mem alloc per real info: Index = 0 Global index = 0 Src IP = 1.1.1.79
In the above example, 1.1.1.42 is the client and 1.1.1.99 is the VIP address. The IP 1.1.15 is the real server and 1.1.1.79 is the source-nat-ip.
3 - 40
September 2008
NOTE: In the reverse session, the port 10242 has been allocated from the pool of real server 1.1.1.15. You can verify this by using the show source-ip command as follows: ServerIron4/1#sh source-ip 1.1.1.79 1.1.1.15 Source IP information ********************* Source IP: 1.1.1.79 Real server: rest (1.1.1.15) flt: Yes standby: No intf ip: No port-range: 1 for ssl: No per-real-srcip: Yes MMS: h: 0 t: 0 m: 23b4eb3c T: 1922 f: 1922 RTSP: h: 0 t: 0 m: 23b50b54 T: 1024 f: 1024 NORM: h: 3 t: 2 m: 23b33b24 T: 27648 f: 27647
Output shows that of a total of 27648 ports, one port has been allocated and 27467 are still available.
source-ip-debug
NOTE: This command should only be used for debugging purposes as enabling it could impact performance. You can configure the following command to enable debugging for source IP. ServerIron(config)# source-ip-debug Syntax: [no] source-ip-debug
September 2008
3 - 41
it is not easy to predict the source port numbers the real server will use. You can ensure that the ServerIron translates the source address of the traffic by binding the real server to a VIP using the default port. For example, if you configure VIP1 and bind it to real server RS1 using the default port, the ServerIron translates the source IP address in all TCP and UDP traffic initiated by RS1 from the real servers IP address into the VIP address. Even when Reverse NAT is enabled, the ServerIron does not translate the source address for traffic that the real server initiates over ports that are not bound to a VIP. If you bind a real server to more than one VIP, the ServerIron will use the address of the VIP that is bound to the server using the default port. For example, if you bind a real server to VIP1 using TCP port 80 and bind the same server to VIP2 using the default port, the ServerIron always uses VIP2 for Reverse NAT. NOTE: Reverse NAT does not affect reply traffic from the server. The feature applies only to traffic initiated by the server. In addition, the feature applies only to traffic on the TCP and UDP ports that are used to bind the real server to a VIP configured on the ServerIron. If the real server and VIP are bound using the default port, Reverse NAT applies to all TCP and UDP traffic initiated by the server. The server reverse-nat command is disabled by default. ServerIron(config)#server real R1 10.10.10.1 ServerIron(config-rs-RS1)#port http ServerIron(config-rs-RS1)#exit ServerIron(config)#server virtual-name-or-ip VIP1 192.168.1.10 ServerIron(config-vs-VIP1)#bind http RS1 http ServerIron(config-rs-RS1)#exit ServerIron(config)#server virtual-name-or-ip VIP2 192.168.1.69 ServerIron(config-vs-VIP1)#bind default RS1 default ServerIron(config)#server reverse-nat The commands in this example create real server R1 and VIPs VIP1 and VIP2. VIP1 is bound to RS1 using TCP port 80 (HTTP). VIP2 is bound to RS1 using the default port. When RS1 initiates TCP or UDP traffic, the ServerIron translates the source IP address from 10.10.10.1 to 192.168.1.69. The ServerIron uses VIP2s IP address instead of VIP1s IP address for Reverse NAT because VIP2 is bound using the default port. Syntax: server reverse-nat
3 - 42
September 2008
On the ServerIron, when a connection is closed, the corresponding sessions are not immediately deleted. The sessions are put in a deletion queue and deleted later at MSL time (default is 8 seconds). Statistics on the closed connections are not adjusted until the the sessions are actually deleted from the deletion queue.
Enabling Force-Delete
SLB and TCS allow the graceful shutdown of servers and services. By default, when a service is disabled or deleted, the ServerIron does not send new connections to the real servers for that service. However, the ServerIron does allow existing connections to complete normally, however long that may take. You can force the existing SLB connections to be terminated within two minutes, by using the server force-delete command. If you disable or delete a service, do not enter an additional command to reverse the command you used to disable or delete the service, while the server is in graceful shutdown. NOTE: See Real Server Shutdown on page 3-130 for important information about shutting down services or servers. Suppose you have unbound the Telnet service on real server 15, but you do not want to wait until the service comes down naturally. You can force server load-balancing connections to be terminated, by entering the following command: ServerIron(config)# server force-delete Syntax: server force-delete To display active sessions for a specific server, enter show server real server <number> and a display as seen below will appear. Notice that the display below shows the Telnet connection on server 15 as awaiting unbinding. Without server force-delete, this feature will stay in this state until the session ends naturally. Because the binding is awaiting deletion, it will also still be seen as an active binding, if you enter the show server bind command, such as the following: ServerIron(config-vs-building)#show server bind Virtual Server Name: building, IP: 207.95.5.130 http -------> s21: 207.95.18.21, http s15: 207.95.18.15, http s50: 207.95.18.50, http ftp -------> s50: 207.95.18.50, ftp s21: 207.95.18.21, ftp s15: 207.95.18.15, ftp telnet -------> s15: 207.95.18.15, telnet s21: 207.95.18.21, telnet s50: 207.95.18.50, telnet
September 2008
3 - 43
Once force delete is enabled, the unbinding will occur within two minutes and the show session real server s15 command will show that connection as unbound, as seen below: ServerIron(config)#show session real s15 Real Servers Info Server State - 1:enabled, 2:failed, 3:test, 4:suspect, 5:grace_dn, 6:active Name: s15 IP: 207.95.18.15 State: 6 Wt: 1 Max-conn: 1000000 Port State CurConn TotConns Rx-pkts Tx-pkts Rx-octet Tx-octet Reas http active 0 1711509 0 1206 0 82402 0 ftp active 0 0 0 0 0 0 0 telnet unbnd 0 2 406 385 24700 23112 0 default unbnd 0 0 0 0 0 0 0 Server Total 0 1711511 406 1591 24700 105514 0
NOTE: The binding for the real server will also be eliminated from the show server bind display.
3 - 44
September 2008
By default, when the ServerIron receives a new request associated with a sticky port in the aw_unbnd state, the ServerIron establishes the session on another real server, not the real server from which you are unbinding the port. You can configure the ServerIron to accept new sessions for the same real server for a sticky port, even under the following conditions: The real server port is in the aw_unbnd state. The real server port is in the aw_del state. The real server port is disabled.
To do so, enter the following command: ServerIron(config)#server allow-sticky Syntax: [no] server allow-sticky [refresh-age] The refresh-age option resets the age of a sticky session on the port whenever a new connection associated with the sticky port is established. This parameter ensures that the session stays up indefinitely until it is no longer needed. By default, the ServerIron does not reset the age of the session when new connections are established. Instead, the session times out after the sticky age expires. If you use refresh-age, the ServerIron resets the age of the session to the value of the sticky age. For example, if the sticky age is five minutes (the default), when the ServerIron establishes a new session on the sticky port, the ServerIron resets the age time for the session to five minutes. Each time the ServerIron receives another connection request associated with the sticky session, the ServerIron resets the session age again.
September 2008
3 - 45
To set the amount of time a session table entry stays in the delete queue following a RST from the server, enter a command such as the following: ServerIron(config)#server msl 2 Syntax: server msl <seconds> In software release 07.2.26 and later (for ServerIron devices only), the <seconds> parameter can be from 0 180 seconds. The default is 8 seconds. In software release 07.2.25 (for ServerIron devices only), the <seconds> parameter can be from 1 40 seconds. The default is 8 seconds. To disable TCP fast aging and use the 1 2 minute aging time from previous releases, enter the following command: ServerIron(config)#server no-tcp-fast-age-on-server-reset Syntax: [no] server no-tcp-fast-age-on-server-reset
Disabling VIPs
Starting in Release 08.1.00R, you can globally or individually disable VIPs. To globally disable all virtual servers, enter the following command: ServerIron(config)#server disable-vip Use the no parameter to globally re-enable virtual servers after disabling them. Syntax: [no] server disable-vip To disable an individual virtual server, enter commands such as the following: ServerIron(config)#server virtual-name-or-ip www.foo.com ServerIron(config-vs-www.foo.com)#disable Use the no parameter to re-enable a virtual server. Syntax: [no] disable
3 - 46
September 2008
Starting with Release 09.1.00, you can specify a dedicated link (port and VLAN ID) for symmetric packets such as, session synchronization packets and VIP sym-priority packets. When you enable this feature and the dedicated link goes down, the ServerIron will automatically detect this and revert back to the dynamic detection of communication links. To enable this feature, enter a command such as the following: ServerIron(config)# server symmetric-port ethernet 1/2 vlan-id 101 Syntax: [no] server symmetric-port <slot num/port num> <vlan ID>
Enabling No-Graceful-Shutdown
When no-graceful-shutdown is enabled, the delete operation of a VIP/real server/port will immediately delete/ unbind all existing sessions related to the real server/port. The same applies to unbinding a virtual port from a real port. The delete/unbind operation takes effect immediately, if no-graceful-shutdown is enabled. To enable no-graceful-shutdown, enter the following command: SLB-ServerIron(config)#server no-graceful-shutdown Syntax: [no] server no-graceful-shutdown The default behavior (no-graceful-shutdown is not enabled) is to wait for all existing sessions related to the real server/port to finish before the deleting or unbinding.
September 2008
3 - 47
Optionally, you can force all existing connections to be reset instead of waiting for them to terminate normally. When you force the connections to be reset, the ServerIron immediately resets a connection when it receives client data for the connection. To change a real servers IP address, enter commands such as the following: ServerIron(config)# server real rs1 ServerIron(config-rs-rs1)# ip-address 5.6.7.8 Syntax: [no] ip-address <ip-addr> [force-shutdown] The <ip-addr> parameter specifies the real servers new IP address. The force-shutdown parameter immediately resets a clients connection to the IP address when the ServerIron receives TCP data from the client. By default, the ServerIron allows existing connections to terminate normally following the address change.
Adding a Description
You can add a description to a real server, virtual server, firewall, or cache. The description appears in the output of show commands and in the running-config and startup-config files. To add a description, enter commands such as the following: ServerIron(config)#server real RS20 1.2.3.4 ServerIron(config-rs-RS20)#description "Real Server # 20" Syntax: [no] description <text>"
NOTE: To use a remote server for regular load balancing, see Configuring Primary and Backup Servers on page 3-65.
3 - 48
September 2008
This command is used in conjunction with the Server Load Balancing feature on the ServerIron switch. See Real Server Ports on page 3-62.
You can explicitly designate a server to be a primary or backup server, regardless of the command you used to add it. Thus, a primary or backup server can be locally attached or attached through a router. In addition, this feature implements the primary and backup configuration on an individual VIP basis. You designate each backup server by changing the real server configurations. You do not need to designate the primary servers. You enable the feature in individual VIPs for individual application ports. Figure 3.9 shows an SLB configuration that uses locally-attached and remotely-attached servers. The configuration also uses some of the servers as the primary load-balancing servers while using the other servers only as backups. Notice that one of the locally-attached servers is a backup server while one of the remotelyattached servers is a primary load-balancing server.
Figure 3.9 Servers configured as primaries and backups
Client Servers R1, R2, and R4 are used for load balancing. Servers R3 and R5 are backups only.
SI
R1 Primary R2 Primary Locally-attached servers. Added using the server real-name command Remotely-attached servers. Added using the server remote-name command R3 Backup R4 Primary R5 Backup
By default, when this feature is enabled on a VIP and all the primary servers are unavailable, a VIP begins using the backup servers until a primary server becomes available again. Once a primary server is available, the VIP uses the primary server instead. Optionally, you can configure a VIP to continue to use the backup servers even after the primary servers become available again. To configure primary and backup servers, perform the following tasks: 1. Edit the configuration of each backup real server to designate the server as a backup. NOTE: You do not need to designate the primary servers. The ServerIron assumes that all servers you do not designate as backup servers are primary servers. 2. Enable use of the primary and backup servers in individual VIPs on individual application ports. Only the VIPs and application ports for which you enable the feature use it. The other application ports within the VIP, and the other VIPs, use the locally-attached servers (configured using the server real-name-or-ip command) 2008 Foundry Networks, Inc. 3 - 49
September 2008
as their primary servers and the remotely-attached servers (configured using the server remote-name command) as their backup servers. Optionally, configure the individual applications on the VIPs to continue using the backup servers following a failover, instead of returning to the primary servers.
Configuration Example
The example configures load-balancing shown in Figure 3.9 on page 3-49. To configure the real servers, enter commands such as the following: ServerIron(config)# server real R1 10.10.10.10 ServerIron(config-rs-R1)# port http ServerIron(config-rs-R1)# exit ServerIron(config)# server real R2 10.10.10.20 ServerIron(config-rs-R2)# port http ServerIron(config-rs-R2)# exit ServerIron(config)# server real R3 10.10.10.30 ServerIron(config-rs-R3)# backup ServerIron(config-rs-R3)# port http ServerIron(config-rs-R3)# exit ServerIron(config)# server remote-name R4 198.10.10.40 ServerIron(config-rs-R4)# port http ServerIron(config-rs-R4)# exit ServerIron(config)# server remote-name R5 198.10.10.50 ServerIron(config-rs-R5)# backup ServerIron(config-rs-R5)# port http Notice that the backup command is used with servers R3 and R5. To configure the VIP, enter commands such as the following:
3 - 50
September 2008
ServerIron(config-rs-R5)# server virtual-name-or-ip VIP1 198.10.10.100 ServerIron(config-vs-VIP1)# port http lb-pri-servers ServerIron(config-vs-VIP1)# bind http R1 http R2 http R3 http R4 http R5 http
SI
RS1 Primary for HTTP, FTP Backup for DNS RS2 Primary for DNS Backup for HTTP, FTP
In this example, real servers RS1 and RS2 are bound to a VIP. Each real server has three ports defined: HTTP, FTP, and DNS. RS1 is the primary server for HTTP and FTP, and the backup for DNS. RS2 is the primary server for DNS, and the backup for HTTP and FTP. An HTTP or FTP request will not be sent to RS2 unless the HTTP or FTP service on RS1 is down, and a DNS request will not be sent to RS1 unless the DNS service on RS2 is down. To configure the VIP and the real servers in Figure 3.10, enter commands such as the following: ServerIron(config)# server ServerIron(config-vs-vs1)# ServerIron(config-vs-vs1)# ServerIron(config-vs-vs1)# ServerIron(config-vs-vs1)# ServerIron(config-vs-vs1)# ServerIron(config-vs-vs1)# ServerIron(config-vs-vs1)# ServerIron(config-vs-vs1)# ServerIron(config-vs-vs1)# ServerIron(config)# server ServerIron(config-rs-rs1)# ServerIron(config-rs-rs1)# ServerIron(config-rs-rs1)# ServerIron(config-rs-rs1)# ServerIron(config)# server ServerIron(config-rs-rs2)# ServerIron(config-rs-rs2)# ServerIron(config-rs-rs2)# ServerIron(config-rs-rs2)# virtual-name-or-ip vs1 10.10.10.10 port http bind http rs1 http rs2 http port http lb-primary-servers port ftp bind ftp rs1 ftp rs2 ftp port ftp lb-primary-servers port dns bind dns rs1 dns rs2 dns port dns lb-primary-servers real rs1 10.10.10.1 port http port ftp port dns backup exit real rs2 10.10.10.2 port http backup port ftp backup port dns exit
September 2008
3 - 51
3 - 52
September 2008
Additionally, you can map a host range of VIP addresses to a host range of IP addresses on multiple real servers. For example:
With host ranges, the mapping between the host range on the virtual server and the host range on the real server(s) had to be sequential and contiguous. With the host-range map feature, addresses in the host range on the real server(s) do not need to be contiguous. The host-range map feature allows you to select the addresses in a real servers host range that can be mapped to addresses in the virtual servers host range. For example, using this feature, you can establish the following
September 2008
3 - 53
mapping between a host range of VIP addresses on a virtual server and a host range of IP addresses on three real servers.
Table 3.6: Virtual Server VIP addresses 192.168.9.11 192.168.9.12 192.168.9.13 192.168.9.14
VIP-to-IP address mapping using the host-range map feature Offset from VIP base address 1 2 3 4 10.10.10.72 10.10.10.73 10.10.10.54 Real Server 3 IP addresses Real Server 2 IP addresses 10.10.10.51 10.10.10.52 10.10.10.32 10.10.10.33 10.10.10.34 Real Server 1 IP addresses
In this example, real server 1 can use addresses in its host range that are offset by 2, 3, and 4 from its base IP address to map to VIP addresses that are offset by 2, 3, and 4 from the virtual servers base VIP address. However, the IP address in real server 1s host range that is offset by 1 from its base IP address would not be mapped to the VIP address that is offset by 1 from the virtual servers base VIP address. You can use the host-range map feature with up to 32 real servers and host ranges of up to 255 addresses. To use the host-range map feature to establish a mapping structure like the one shown in Table 3.6, perform the following tasks: 1. 2. 3. Assign a unique bind-ID to each real server bound to the virtual server. Each real server must have its own bind-ID. Define a host-range map, which associates each offset in a virtual servers host range with one or more bindIDs. Apply the host-range map to the virtual server.
3 - 54
September 2008
The host-range <number-of-addresses> command specifies the number of IP addresses that will be included in the host range for the real server. For example, since real server rs1 has a base IP address of 10.10.10.30, the host-range 5 command causes addresses 10.10.10.30 through 10.10.10.34 to be included in the host range. You use the host range map to select individual addresses within the range and omit the addresses you want to omit. The bind-id <number> command assigns a bind-ID to each real server to be included in a host-range map. When you configure a host range map, you refer to the real servers by their bind-IDs. Each real server in a host range map must have a unique bind-ID.
Determining a host-range map Bind to Bind ID = 1 Binary Representation 010 X X X 111 101 011 Hex Number
2 7 5 3
The first line of the table indicates that VIP offset 1 applies only to the real server with bind-ID = 2. Only real server 2 will map the IP address in its host range that is offset by 1 to the IP address that is offset by one from the VIPs base IP address. The binary representation of this is 010, which means not bind-ID = 3, bind-ID = 2, not bind-ID = 1". The hex representation of 010 is 2. You enter this hex number as part of the definition of the hostrange map. Using the information in Table 3.7, you would define the host-range map for the configuration in Table 3.6 on page 3-54 as follows: ServerIron(config)# vip-host-range-map 1 ServerIron(config-vip-host-range-1)# vip-offset ServerIron(config-vip-host-range-1)# vip-offset ServerIron(config-vip-host-range-1)# vip-offset ServerIron(config-vip-host-range-1)# vip-offset ServerIron(config-vip-host-range-1)# exit Syntax: [no] vip-host-range-map <map-number> Syntax: [no] vip-offset <vip-offset-number> <hex-number> The default behavior (without a host-range map definition) is to bind each VIP address offset from the virtual servers base address to the comparable offset address on each of the real servers. In the sample configuration, the host-range map definition for VIP offset 2 specifies that addresses from all three real servers be included in the bindings. Since this is the default behavior, the vip-offset 2 7 command in the host-range map definition can be omitted. 1 2 3 4 2 7 5 3
September 2008
3 - 55
Up to one million total sessions are supported on the ServerIron. This is also the default maximum connection value for real servers. To modify the maximum connections supported for a specific real server, enter commands such as the following: ServerIron(config)#server real Web1 ServerIron(config-rs-Web1)#max-conn 145000 ServerIron(config-rs-Web4)#end ServerIron#write mem Syntax: [no] max-conn <1-1000000> Starting with Release 09.0.00S, you can limit the maximum number of connections for individual application ports on a real server. For example, to limit the number of FTP connections on real server Web1 to 10, enter the following commands: ServerIron(config)#server real Web1 ServerIron(config-rs-Web1)#port ftp max-conn 10 Syntax: [no] port <port> max-conn <number> NOTE: For ftp (Port 21), the number of current connections is equal to the number of control connections, plus any data connections opened during the session. For example, logging on to an FTP site (the control connection) and transferring a file from the FTP site equal two connections. Therefore, although you have only one control connection, additional operations you perform while you are logged on could consume all the FTP connections allowed. NOTE: If you use the max-conn command for a firewall, the command specifies the maximum permissible number of connections that can be initiated from this ServerIron's direction on the firewall paths. The max-conn command does not limit the total number of connections that can exist on the ServerIron, which includes connections that come from the ServerIrons at the other ends of the firewall paths. For FWLB, the command to restrict the total number of connections that can exist on the ServerIron is fw-exceed-max-drop.
September 2008
3 - 57
In this example, the command limits max-conn to 66000, 66000, 68000 connections on BP1, BP2 and BP3 respectively. NOTE: If you do not issue the max-conn command, then the max-conn-weight command limits the connection count to 330000, 330000, 340000 connections on BP1, BP2 and BP3 respectively, considering the default maxconn limit of 1M connection per real server.
3 - 58
September 2008
threshold, the software generates a Syslog message and an SNMP trap. Shutdown If an applications average response time is longer than the number of milliseconds of the shutdown threshold, the software generates a Syslog message and an SNMP trap and also shuts down the application port on the real server. Other application ports on the real server are not affected.
By default, a real server does not have a warning threshold or a shutdown threshold. For each threshold, you can specify a threshold value from 0 (disabled) 65535 milliseconds (65 seconds). You can configure one or both thresholds globally or on an individual real server basis. The thresholds configured on an individual real server override the globally configured thresholds. After bringing down the application port, the ServerIron periodically attempts to reach the port and brings the port back up once the port responds. For information, see Application Port States on page 5-15. NOTE: This feature requires the Layer 4 and Layer 7 health checks to enabled. If the health checks are not enabled, the ServerIron does not apply the response thresholds you configure. NOTE: This feature applies only to TCP ports. To configure warning and shutdown thresholds for an individual server, enter a command such as the following: ServerIron(config-rs-R1)# response-time 50 75 This command sets the warning threshold to 50 milliseconds and the shutdown threshold to 75 milliseconds for the real server. Syntax: [no] response-time <warning-threshold> [<shutdown-threshold>] The parameters are the same as the ones for the server response-time command. NOTE: The threshold values you configure on an individual real server override the globally configured thresholds. To globally set warning and shutdown thresholds for all real servers, see Configuring Warning and Shutdown Thresholds for All Real Servers on page 3-32.
3 - 60
September 2008
ServerIron(config-vs-www.alterego.com)# predictor weighted ServerIron(config-vs-www.alterego.com)# server real Web1 207.95.55.21 ServerIron(config-vs-www.alterego.com)# exit ServerIron(config)# server real Web1 ServerIron(config-rs-Web1)# weight 10 Syntax: weight <least-connections-weight> [<response-time-weight>] The <least-connections-weight> parameter specifies the real servers weight relative to other real servers in terms of the number of connections on the server. More precisely, this weight is based on the number of session table entries the ServerIron has for TCP or UDP sessions with the real server. You can specify a value from 0 65000. The default is 1. This parameter is required. However, if you want to use a weight value only for the Server Response Time but not for the number of connections, specify 0 for this parameter. The <response-time-weight> parameter specifies the real servers weight relative to other real servers in terms of the servers response time to client requests sent to the server. You can specify a value from 0 65000. The default is 0 (disabled). This weight is applicable only when the server response time load-balancing method is enabled. See Setting a Real Servers Weight Based on Response Time on page 3-61. If you enter a value for <response-time-weight>, the ServerIron adds the two weight values together when selecting a real server. If you specify equal values for each parameter, the ServerIron treats the weights equally. The number of connections on the server is just as relevant as the servers response time. However, if you set one parameter to a higher value than the other, the ServerIron places more emphasis (weight) on the parameter with the higher value. For example, if you specify a higher server response time weight than the weight for the number of connections, the ServerIron pays more attention to the servers response time than to the number of connections it currently has when considering the real server for a new connection.
September 2008
3 - 61
3 - 62
September 2008
ServerIron(config-port-http)# To disable all real and virtual HTTP ports: ServerIron(config)# server port 80 ServerIron(config-port-http)# disable ServerIron(config-port-http)# Syntax: disable [real | virtual]
To configure the ServerIron to stop sending requests to a real server for an application that is down on the server, enter the following command at the configuration level for the ports profile: ServerIron(config-port-80)# reset-port-on-reset Syntax: [no] reset-port-on-reset
September 2008
3 - 63
The ServerIron increments the connection counter for real server connections only after the ServerIron selects a server for the connection. If the ServerIron cannot serve a client request because a real server, cache, or firewall already has the maximum number of connections for the current second for the requested port, the ServerIron tries another server. If there are no servers available, the ServerIron sends a TCP RST to the client. If you configure a limit for TCP or UDP and also for an individual application port, the ServerIron uses the lower limit. For example, if you limit new TCP connections to a real server to 1000 per second and also limit new HTTP connections to 600 per second, the ServerIron limits connections to TCP port HTTP to 600 per second. NOTE: The ServerIron counts only the new connections that remain in effect at the end of the one second interval. If a connection is opened and terminated within the interval, the ServerIron does not include the connection in the total for the server. NOTE: The connection limit you specify is enforced on an individual BP basis. Thus, each BP allows up to the number of connections you specify. For example, if you specify a maximum TCP connection rate of 800 connections per second, each BP allows up to 800 TCP connections per second, for a total of 2400 TCP connections per second. To limit the number of new TCP and UDP connections a real server can receive each second, enter commands such as the following: ServerIron(config)# server real RS1 1.2.3.4 ServerIron(config-rs-RS1)# max-tcp-conn-rate 1000 ServerIron(config-rs-RS1)# max-udp-conn-rate 800 The first command limits new TCP connections to the real server to 1000 per second. The second command limits the rate of new UDP connections to the real server to 800 per second. Syntax: max-tcp-conn-rate <num> Syntax: max-udp-conn-rate <num>
3 - 64
September 2008
The <num> parameter specifies the maximum number of connections per second. There is no default. To limit the rate of new connections for a specific application port, enter commands such as the following: ServerIron(config-rs-RS1)# port http ServerIron(config-rs-RS1)# port http max-tcp-conn-rate 600 These commands add port HTTP (80) to the real server and limit the rate of new connections to the port to 600. Syntax: port <TCP/UDP-portnum> max-tcp-conn-rate <num> Syntax: port <TCP/UDP-portnum> max-udp-conn-rate <num> The port <TCP/UDP-portnum> parameter specifies the application port. The <num> parameter specifies the maximum number of connections per second.
VIP Settings
For basic Virtual IP server (VIP) configuration, you need to specify a name and the virtual servers IP address (the VIP), add the application ports that you want to load balance, then bind the VIP to the real servers based on the application ports. The following sections describe more advanced virtual server options.
September 2008
3 - 65
NOTE: This section does not apply to software Release 07.1.x. To configure primary and backup servers: 1. Edit the configuration of each backup real server to designate the server as a backup. See Configuring Primary and Backup Servers on page 3-49. NOTE: You do not need to designate the primary servers. The ServerIron assumes that all servers you do not designate as backup serves are primary servers. 2. Enable use of the primary and backup servers in individual VIPs on individual application ports. Only the VIPs and application ports for which you enable the feature use it. The other application ports within the VIP, and the other VIPs, use the locally-attached servers as their primary servers and the remotely-attached servers as their backup servers. Optionally, configure the individual applications on the VIPs to continue using the backup servers following a failover, instead of returning to the primary servers.
3 - 66
September 2008
To enable HTTP redirect on a virtual server, enter commands such as the following: ServerIron(config)# server virtual-name-or-ip VIP1 209.157.22.88 ServerIron(config-vs-VIP1)#port http ServerIron(config-vs-VIP1)#bind http r1 80 r2 80 r3 80 ServerIron(config-vs-VIP1)#httpredirect Syntax: [no] httpredirect
September 2008
3 - 67
NOTE: If a client requests one of the ports that follows the primary port before requesting the primary port itself, the ServerIron does not make the connection sticky. Only after the client requests the primary port does the ServerIron make subsequent requests from the client for that port or ports that track the primary port sticky. NOTE: For servers that use passive FTP, configure the FTP ports to be both sticky and concurrent. For a configuration example and more information, see TCP/UDP Application Groups on page 3-192. To configure a TCP/UDP application group, enter the following commands: ServerIron(config)# server virtual-name-or-ip v1 209.157.22.1 ServerIron(config-vs-v1)# port 80 sticky ServerIron(config-vs-v1)# port 23 sticky ServerIron(config-vs-v1)# port 69 sticky ServerIron(config-vs-v1)# track 80 23 69 ServerIron(config-vs-v1)# bind 80 r1 80 r2 80 ServerIron(config-vs-v1)# bind 23 r1 23 r2 23 ServerIron(config-vs-v1)# bind 69 r1 69 r2 69 These commands configure HTTP (port 80), Telnet (port 23), and TFTP (port 69) to be sticky. Syntax: [no] track <primary-port> <TCP/UDP-port> [<TCP/UDP-port> [<TCP/UDP-port> [<TCP/UDP-port>]]]
For a configuration example and more information, see TCP/UDP Application Groups on page 3-192. Note that if any service port is down for a real server, any track port groups on that real server are not considered for load balancing. NOTE: You must configure all the track port groups to be sticky and bind them to all real servers involved. To configure a track port group, use either of the following methods. The following commands illustrate the track group function: ServerIron(config)# server virtual-name-or-ip v1 209.157.22.1 ServerIron(config-vs-v1)# port 80 sticky ServerIron(config-vs-v1)# port 69 sticky ServerIron(config-vs-v1)# port 23 sticky ServerIron(config-vs-v1)# track-group 80 69 23 ServerIron(config-vs-v1)# bind 80 r1 80 r2 80 ServerIron(config-vs-v1)# bind 23 r1 23 r2 23 ServerIron(config-vs-v1)# bind 69 r1 69 r2 69 ServerIron(config-vs-v1)# exit Syntax: [no] track-group <TCP/UDP-port>... In this example, the track-group command groups the HTTP port (80), Telnet port (23), and TFTP port (69) together. Whenever a client attempts to connect to a port within the group, the ServerIron ensures all ports in the group are active before granting the connection.
3 - 68
September 2008
The sticky parameter makes the TCP/UDP ports sticky. The sticky parameter must be set for all ports in the group. After the ServerIron sends a client to a real server for any of these three ports, subsequent requests from that client for the HTTP, TFTP, or Telnet port go to the same real server. Up to eight ports can be grouped together using the track group function. A port can be part of only one group. The track-group and track commands for a port are mutually exclusive.
Sample Configuration
server real rs1 10.1.1.1 port http port 8081 port 8082 hc-track-group http 8081 8082 Here is the output of the show command for this feature: ServerIron#show hc-track-group Real Server track-group rs1 80 21 53 ServerIron# state ACTIVE
September 2008
3 - 69
On ServerIron, when a port is defined under VIP, both UDP and TCP traffic with the port number are enabled and passed through to the real server. This is not desirable in some cases. As an enhancement, the user is to be allowed to define a TCP-only or UDP-only port so that only TCP or UDP traffic with the specified port number can pass through. This document is the feature specification for this enhancement. TCP-only or UDP-only traffic control has been supported internally on ServerIron, but no CLI is available for the user to enable it. As the enhancement, following commands are to be provided to the user to enable/disable TCP-only or UDP-only traffic control for a port defined under VIP: Syntax: [no] port <port> tcp-only Syntax: [no] port <port> udp-only The command is available under VIP configuration mode. When either TCP-only or UDP-only is configured, only TCP traffic or UDP traffic can pass through as configured; otherwise both TCP traffic and UDP traffic can pass through as before. TCP-only and UDP-only are exclusive, that means when TCP-only is configured, TCP-only and UDP-only cannot be configured for a port at the same time. UDP-only will be automatically disabled if TCP-only is configured, and vice verse.
NOTE: The ServerIron always redirects new connections to real servers on which the requested application ports are available. The command in this section applies only to connections that are already established when the application fails. To configure the ServerIron to stop sending requests for an established connection to a real server for an application that is down on the server, enter the following command at the configuration level for the VIP: ServerIron(config-vs-VIP1)# port 80 reset-on-port-fail This command configures the ServerIron to stop sending traffic on existing HTTP connections to a real server bound to VIP1 if the HTTP application has failed on the server. The ServerIron instead terminates the connection (if UDP) or resets the connection (if TCP). Syntax: [no] port <tcp/udp-portnum> reset-port-on-fail
NOTE: Fast aging is the default behavior for the well-known DNS and RADIUS ports. To change DNS or RADIUS to use the UDP age timer instead, see Enabling Normal UDP Aging for DNS and RADIUS on page 371. When this feature is configured, if the ServerIron detects a server response to a client request, and the response is not fragmented, the session table entry is deleted immediately. If the response is fragmented, the ServerIron waits for the last fragment to arrive, forwards it to the client, and then sends the session to the delete queue. The session stays in the delete queue for 8 seconds by default before being deleted. You can change the amount of time the session stays in the delete queue to between 1 40 seconds. To activate fast aging for UDP sessions for port 1234, enter commands such as the following: ServerIron(config)# server virtual-name-or-ip vs1 192.168.1.2 ServerIron(config-vs-vs1)# port 1234 udp-fast-age Syntax: port <UDP-portnum> udp-fast-age To set the amount of time sessions for ports configured with the udp-fast-age command stay in the delete queue before being deleted: ServerIron(config)# server msl 2 Syntax: server msl <secs> The <secs> parameter can be from 1 40 seconds.
September 2008
3 - 71
ServerIron(config)# server virtual-name-or-ip v1 ServerIron(config-vs-v1)# tcp-age 20 Syntax: [no] tcp-age <minutes> To set the UDP age for virtual server v1 to 26 minutes, enter the following commands: ServerIron(config)# server virtual-name-or-ip v1 ServerIron(config-vs-v1)# udp-age 26 Syntax: [no] udp-age <minutes> To set the TCP age for the HTTP port on virtual server v1 to 10 minutes, enter the following commands: ServerIron(config)# server virtual-name-or-ip v1 ServerIron(config-vs-v1)# port http tcp-age 10 Syntax: [no] port <port> tcp-age <minutes> To set the UDP age for the SNMP port on virtual server v1 to 26 minutes, enter the following commands: ServerIron(config)# server virtual-name-or-ip v1 ServerIron(config-vs-v1)# port snmp udp-age 26 Syntax: [no] port <port> udp-age <minutes> You can set the TCP or UDP age from 2 60 minutes. The default TCP age is 30 minutes. The default UDP age is five minutes. More specific settings override more general settings; that is, a TCP or UDP age setting for the HTTP port will override a TCP or UDP age setting for the virtual server, which will override the global TCP or UDP age (set with the server tcp-age or server udp-age commands).
The current implementation of the backup server requires that all non-backup servers fail prior to directing requests to backup servers. This may not allow for maintaining the same level of performance in the server farm. The ability to maintain same performance level for a given service is critical for many customers. Per Server Based Real Server Backup allows the backup servers to be associated with the specified primary servers. When a primary server fails, its backup server starts processing the traffic no matter what state the other primary servers are in. This feature works with the current real server back mechanism, by providing additional control of the backup server selection.
3 - 72
September 2008
The Back Port has the Precedence over the Back Server
When both the port and the server backup are configured, the port configuration takes precedence over the server configuration. For instance, the following is configured: The server C is the backup of the server A. The port 8080 of the server C is the backup of the port 8080 of the server B.
Then, the port 8080 of the server C becomes the backup of the port 8080 of the server B, and it's not the backup of the port 8080 of the server A.
September 2008
3 - 73
Server Port Backup Association on page 3-74 Display the Backup Bindings on page 3-74
3 - 74
September 2008
Syntax: show server backup-server-port-binding EXAMPLE: ServerIron(config)# server real-name R1 10.10.10.10 ServerIron(config-rs-R1)# port http ServerIron(config-rs-R1)# exit ServerIron(config)# server real-name R2 10.10.10.20 ServerIron(config-rs-R2)# backup R1 ServerIron(config-rs-R2)# port http ServerIron(config-rs-R2)# port http backup R1 http ServerIron(config-rs-R2)# exit ServerIron(config)#server show backup-server-port-binding Server/Port State - 0: disabled, 1:enabled, 2:failed, 3:test, 4:suspect, 5:grace_dn, 6:active Real Server rs3:(state 6) Backup Server : rs2(state 6) Port 80(state 6) <---------- Port rs2:80(state 6)
September 2008
3 - 75
3 - 76
September 2008
NOTE: You can remove the multiplier by using sticky-age-multiplier 1 or no sticky-age-multiplier <number> When a sticky-age-multiplier is configured for a virtual server, the actual sticky age of any sticky session of the server will be the product of the configured or default sticky-age and this multiplier. For example, if the sticky age is configured to be 20 minutes, and the sticky-age-multiplier to be 40, then the actual sticky age of the sticky sessions for the server will be 20x40= 800 minutes. However, even though the sticky-ages are multiplied, the show session command will still only show ordinary age of the sticky sessions. The difference is that the age is incremented in a slower pace when multiplier is applied. That is, if the sticky-age-multiplier is configured to be 40, the age counter in the session table is incremented once in 40 minutes instead of 1 minute.
September 2008
3 - 77
S = Smooth factor, which is configurable and can be from 1 99. The default is 90. A large value gives the previous response time more weight than the new response time. A small value gives the new response time more weight than the previous response time. For example, if a given real servers previous response time value was 2 milliseconds, and a new measurement also results in 2 milliseconds, the calculated server response time using the default smooth factor is as follows: R = ((90 * 2) + ((100 - 90) * 2) / 100 R = 180 + 20 / 100 R = 200 / 100 R=2 If the real servers response time slows due to processing for additional connections, the slower response time affects the Server Response Time calculation for the server. For example, if the next server response time sample is 5 milliseconds instead of 2, the Server Response Time calculation is as follows: R = ((90 * 2) + ((100 - 90) * 5) / 100 R = 180 + 50 / 100 R = 230 / 100 R = 2.3 Since the real servers response time has slowed by two and a half times, the servers response time calculation biases the ServerIron away from selecting that server for new connections. You can affect the degree of difference in subsequent response time weights by changing the smooth factor (S). For example, if you change the smooth factor from 90 (the default) to 50, the calculations shown above have the following results: Here is the calculation when the previous and new response times are 2 milliseconds: R = ((50 * 2) + ((100 - 50) * 2) / 100 R = 100 + 100 / 100 R = 200 / 100 R=2 Here is the calculation if the servers next response time is 5 milliseconds. R = ((50 * 2) + ((100 - 50) * 5) / 100 R = 100 + 250 / 100 R = 350 / 100 R = 3.5 Notice that the differences between the first and second samples are much greater when the smooth factor is 50 than when the smooth factor is 90. A large value gives the previous response time more weight than the new response time. A small value gives the new response time more weight than the previous response time. You can change the smooth factor on an individual virtual server basis and on an individual application port basis. If you change the smooth factor for a virtual server, the change affects all Server Response Time calculations for the real servers bound to the virtual server. If you change the smooth factor for an application port, the change affects Server Response Time calculations only for port bindings that use that application port.
To change the smooth factor for a virtual server, enter a command such as the following at the configuration level for the virtual server: ServerIron(config-vs-Joes_Garage)# port 80 smooth-factor 50 Syntax: [no] smooth-factor <num>
3 - 78
September 2008
The <num> parameter specifies the smooth factor value the server response time calculation uses. You can specify a number from 1 99. The default is 90.
September 2008
3 - 79
Syntax: [no] port <tcp/udp-port> sticky-acl <num> NOTE: This feature is different from the sticky feature, which you can associate with ports on the virtual server level. The sticky attribute ensures that subsequent packets from the same client during the same TCP session go to the same real server. In this case, the ServerIron knows the packets are from the same client based on the source IP address. When a proxy is used, subsequent packets from the same client can have different IP addresses. For standard IP ACL configuration information, see the Configuring Standard ACLs section in the Using Access Control Lists (ACLs) chapter of the Foundry Switch and Router Installation and Basic Configuration Guide.
ServerIron(config-vs-v1)#server virt VIP2 10.10.1.122 ServerIron(config-vs-v2)#port http ServerIron(config-vs-v2)#bind http r1 8080 ServerIron(config-vs-v2)#no port http translate
IP Load Balancing
Background
In previous releases, the ServerIron supports load balancing of only TCP or UDP traffic. Any other IP traffic needing to be load balanced requires special intelligence and handling of that protocol. For example, IPSec load
September 2008
3 - 81
balancing requires understanding of the IPSec and IKE protocols. There has been no generic mechanism to load balance all IP traffic. NOTE: TCP and UDP also require the binding of ports, which is eliminated when using IP Load Balancing.
Overview
Starting in 09.1.01S and 09.3.00S, IP Load Balancing (LB) implements a generic mechanism that load balances all IP traffic, irrespective of the transport protocol. This feature inspects only the IP header and is completely transparent to upper layer protocols. IP LB is designed to be a stateless solution. That is, it does not track traffic flows and has no intelligence about connection establishment/termination. Enable this feature at the virtual server configuration level. A virtual server is bound to a set of real servers for IP LB, and all IP traffic destined to the virtual server IP address will be load balanced across the real servers. The configuration or binding of virtual ports to real ports has no meaning in the context of IP LB, and all binding is at a server level (as opposed to the traditional binding of ports).
Hashing Mechanism
The load balancing scheme is based on a hash of the source IP address. Each virtual server is associated with a hash table (size 256) for IP LB. To begin with, the hash table is empty, and any client request will go through the server selection process (the only supported load balancing metric for IP LB is round-robin). After a server is selected, a reference to the server is placed in the hash bucket corresponding to the client IP address. All subsequent requests from that source IP address (or any other source IP hashing to the same hash bucket) will be directed to this real server, as long as the server is "healthy". In this way, the hash table is populated and is ensured that all packets originating from a specific client are load balanced to the same real server. Client persistence is implicit for IP LB. Since this feature is completely hash based, it is essential that the state of the hash table always be consistent with the state of the real servers associated with the virtual server. For example, a hash bucket should not be pointing to a real server that is down due to health check. For this purpose, the ServerIron identifies and handles the following cases: Server deletion/unbindingWhen a real server is deleted or unbound from a virtual server, all references from the virtual server hash table to that real server are deleted. Server down due to health checkWhen a client-request hashes to a real server that is down, the system chooses a new real server and updates the hash bucket to point to the newly selected server. This process is done "on demand." The ServerIron does not explicitly detect the "server down" case and clean up the hash table references. Adding a new serverWhen a new server is bound to the virtual server, the new server must be accommodated in the hash table. However, it is possible for all hash buckets to be filled up already with existing servers that are serviceable, resulting in the newly added real server to never be selected for load balancing. To address this issue, the ServerIron clears the entire hash table and starts afresh when a server is detected as "up" due to health check.This behavior applies to a new server being added, or an existing server going down and coming back up again.
Feature Interoperability
3 - 82
September 2008
Since IP LB is a stateless feature, it cannot operate in conjunction with any other Layer 4 features supported by the ServerIron (such as syn proxy, ACLs, Transaction Rate Limiting, and so on). The reason is all other ServerIron features are stateful and act on flows. Specifications of IP LB: The feature cannot handle complex protocols, such as FTP/streaming media when performing IP LB. If the application or the transport layer protocol incorporates IP address information in the headers/payload, IP load balancing will not translate those headers.
High Availability
IP LB supports all high availability mechanisms: hot standby, symmetric, and sym-active. The way these mechanisms work remains the same as in previous releases, and IP LB does not mandate any change to these features. For maintaining persistence across a fail over, the IP LB hash table is synchronized to the peer ServerIron. This sync is done only for hot standby and symmetric SLB setup, not for sym-active configuration. The reason is for sym-active, both the SIs can be taking traffic for the same virtual IP, and synchronizing the hash table to each device means overriding each device's hashing decision.
IP: 4.4.4.202
September 2008
3 - 83
Virtual server: vip3 rs3: 4.4.4.102 (Enabled) rs4: 4.4.4.103 (Enabled) rs11: 4.4.4.111 (Enabled) rs12: 4.4.4.112 (Enabled) rs13: 4.4.4.113 (Enabled) rs14: 4.4.4.114 (Enabled) rs15: 4.4.4.115 (Enabled) rs10: 4.4.4.110 (Enabled)
Status: enabled
IP: 3.3.3.200
Syntax: show server ip-load-balancing bind <vserver-name> The <vserver-name> parameter is the name of a virtual server. To display hash distribution statistics, enter the following command: SLB-ServerIron1/1#show server ip-load-balancing hash-distribution IP Load balancing hash distribution: Virtual Server <vip1> Bucket: Server Hit Bucket: Server Hit Assigned = 0 Virtual Server <vip3> Bucket: Server 109: rs13 111: rs15 113: rs11 115: rs13 117: rs15 119: rs11 121: rs13 ... Assigned = 51
Hit Bucket: Server 49194 110: rs14 49194 112: rs10 49194 114: rs12 49194 116: rs14 49194 118: rs10 49194 120: rs12 49194 122: rs14
Syntax: show server ip-load-balancing hash-distribution <vserver-name> The <vserver-name> parameter is the name of a virtual server.
3 - 84
September 2008
To bind one real server port to multiple VIPs (vs1 and vs2), enter commands such as the following: server real rs port 8080 port 8081 <---- alias port server virtual-name-or-ip vs1 port http bind http rs 8080 server virtual-name-or-ip vs2 port http port http real-port 8080 <---- use real port 8080 to do port translation bind http rs 8081 <--- bind to alias port
To bind one real server port to multiple virtual ports of one VIP, enter commands such as the following: server real rs port 8080 port 8081 <------ alias port server virtual-name-or-ip vs port http bind http rs 8080 port 81 port 81 real-port 8080 <---- use real port 8080 to do port translation bind 81 rs 8081 <---- bind to alias port
September 2008
3 - 85
The show cam layer4/7 command has been enhanced to show the new user type: Real server port: ServerIron#sh cam layer4/7 detail slb User Type: Real server port Entry Type: Real server port Match Srcip: 10.32.5.111 (0x0a20056f) Mask: 0xffffffff Srcport : 5050 Mask: 0xffff 16594 - (DestIP & 0xF): 0 to 1 FID: dd03 BP: 3/1 16596 - (DestIP & 0xF): 2 FID: dd02 BP: 3/1 16598 - (DestIP & 0xF): 3 FID: dd06 BP: 3/2 16598 - (DestIP & 0xF): 3 FID: dd06 BP: 3/2 16602 - (DestIP & 0xF): 6 to 7 FID: dd0b BP: 3/3 16604 - (DestIP & 0xF): 8 FID: dd0a BP: 3/3 16606 - (DestIP & 0xF): 9 FID: dd02 BP: 3/1 16608 - (DestIP & 0xF): a to b FID: dd03 BP: 3/1 16610 - (DestIP & 0xF): c FID: dd07 BP: 3/2 16612 - (DestIP & 0xF): d FID: dd06 BP: 3/2 16614 - (DestIP & 0xF): e FID: dd0b BP: 3/3 16616 - (DestIP & 0xF): f FID: dd0a BP: 3/3
SSL Accelerators
The ServerIron features enhanced support for SSL accelerators by allowing the ServerIron to send return traffic from a real server back to the SSL accelerator from which it was sent. Normally, when the ServerIron supports SLB for some services and TCS for others, the cache server uses the original clients IP address as the source IP address for SLB traffic sent from the cache server to the ServerIron. When the ServerIron sends return traffic from the real server back to the client, it goes directly to the original client (bypassing the cache server). However, some configurations (such as those using an SSL accelerator as a cache server) may require that traffic from a real server first go back to the cache server before going to the original client. Using a technique called VIP spoofing, the ServerIron, when it receives traffic from a real server on a specified port, forwards it not to the original client, but to the cache server where the SLB traffic was initiated. The following diagram illustrates a configuration that uses VIP spoofing to direct SLB traffic from a real server to the SSL accelerator that originated the traffic.
Figure 3.11 Using VIP spoofing with an SSL accelerator
1 8
SI
2
4 5
Real Server
Client
SSL Accelerator
3 - 86
September 2008
In this configuration, SSL traffic travels from the client to the real server as follows: 1. 2. 3. 4. 5. 6. The client sends an SSL packet to a ServerIron VIP on port 443. The ServerIron directs the packet to the SSL accelerator on port 443 The SSL accelerator sends the packet to the ServerIron on port 80. The ServerIron directs the packet to the real server on port 80. The real server sends a packet to the ServerIron on port 80. The ServerIron sends packet to the SSL accelerator on port 80. Normally, the ServerIron would send the packet directly back to the original client on port 80. However, with the VIP spoofing feature enabled, the ServerIron instead sends the packet to the cache server that initiated the traffic (in this case the SSL accelerator). 7. 8. The SSL accelerator sends the packet back to the ServerIron on port 443. The ServerIron sends the packet to the client on port 443.
To implement a configuration like the one in Figure 3.11, enter the following commands.
SLB Configuration
You can configure the ServerIron so that the clients request to the VIP is translated to the real IP address of the cache server (that is, the SSL Accelerator) and then sent there. In this case, the port ssl cache-enable command is not used in the VIP's configuration. Instead, the cache server is bound to the SSL port on the VIP. In the example above, VIP vip1 would have the following configuration: ServerIron(config)# server virtual-name-or-ip vip1 10.10.1.100 ServerIron(config-vs-vip1)# port http ServerIron(config-vs-vip1)# port http spoofing ServerIron(config-vs-vip1)# port ssl ServerIron(config-vs-vip1)# port ssl sticky ServerIron(config-vs-vip1)# bind ssl cs1 ssl ServerIron(config-vs-vip1)# bind http rs1 http ServerIron(config-vs-vip1)# exit Syntax: port http spoofing
TCS Configuration
ServerIron(config)# server cache-name cs1 10.10.1.10 ServerIron(config-rs-cs1)# port ssl ServerIron(config-rs-cs1)# port ssl no-health-check ServerIron(config-rs-cs1)# port http ServerIron(config-rs-cs1)# port http no-health-check ServerIron(config-rs-cs1)# port http url "HEAD /" ServerIron(config-rs-cs1)# exit ServerIron(config)# server real rs1 10.10.1.40 ServerIron(config-rs-rs1)# port http ServerIron(config-rs-rs1)# port http url "HEAD /" ServerIron(config-rs-rs1)# exit ServerIron(config)# server virtual-name-or-ip vip1 10.10.1.100 ServerIron(config-vs-vip1)# port http ServerIron(config-vs-vip1)# port http spoofing ServerIron(config-vs-vip1)# port ssl ServerIron(config-vs-vip1)# port ssl sticky ServerIron(config-vs-vip1)# port ssl cache-enable ServerIron(config-vs-vip1)# bind http rs1 http ServerIron(config-vs-vip1)# exit ServerIron(config)# server cache-group 1
September 2008
3 - 87
ServerIron(config-tc-1)# cache-name cs1 ServerIron(config-tc-1)# exit ServerIron(config)# ip address 10.10.1.1 255.255.255.0 ServerIron(config)# ip default-gateway 10.10.1.3 ServerIron(config)# ip policy 1 cache tcp 0 global ServerIron(config)# ip policy 2 cache tcp ssl global
Configuration Example
Figure 3.12 Group Sticky Sample Topology
Client 1
Client 2
SI
! server virtual vip1 40.40.1.10 predictor round-robin port http sticky port http group-sticky bind http rs1 http rs2 http web1 http web2 http bind http web3 http !
rs1
rs2 ...
web1
web2
web3 ...
group-id 1 1
group-id 2 2
Figure 3.12 shows two server groups: group-id 1 1 and group-id 2 2. The configured VIP is serving the clients and load balancing traffic across the servers in their respective groups.
3 - 88
September 2008
When a client first enters the system, the ServerIron inspects the defined groups, predictors, and chooses a server within a group to create a sticky session. When a new connection comes in from the same client and group sticky is configured, the ServerIron will find all the servers belonging to the group and will load balance among the servers. Perform the following steps: 1. Set up the real servers and group IDs. The rs1 and rs2 are in group 1. The devices Web1, Web2, and Web3 are in group 2: server real rs1 20.20.1.40 port http port http url "HEAD /" port http group-id 1 1 server real rs2 20.20.1.41 port http port http url "HEAD /" port http group-id 1 1 server real Web1 20.20.1.42 port http port http url "HEAD /" port http group-id 2 2 server real Web2 20.20.1.43 port http port http url "HEAD /" port http group-id 2 2 server real Web3 20.20.1.44 port http port http url "HEAD /" port http group-id 2 2 2. On the VIP, ensure the minimum required commands for Group Sticky are present: port <type> group-sticky and port <type> sticky. If stickiness is not configured, load balancing among the group will not work: ServerIron(config-vs-v1)#server virtual-name-or-ip vip1 40.40.1.10 ServerIron(config-vs-vip1)#predictor round-robin ServerIron(config-vs-vip1)#port http sticky !(or port http client-subnet-sticky) ServerIron(config-vs-vip1)#port http group-sticky ServerIron(config-vs-vip1)#bind http rs1 http rs2 http Web1 http Web2 http ServerIron(config-vs-vip1)#bind http Web3 http Once a group sticky session is created, all subsequent traffic will be load balanced across the group. The first incoming sticky session will go to a real server in group 1. All subsequent connections will also go to group 1. If multiple clients are in the same subnet, then use the port http client-subnet-sticky command instead of port http sticky. The group-sticky behavior will apply itself to the client-subnet-sticky. NOTE: When a real servers port is part of two groups, the group-sticky feature takes the first listed group ID only, if the first connection is load balanced to this server. 3. Identify what server the sticky session is pointed to. In the example below, the sticky session was originated from the client 30.30.1.1 to the VIP 40.40.1.10 using real server rs1. All the traffic to/from the client is being
September 2008
3 - 89
load balanced across the group (group-id 1 1) to which the real server rs1 belongs. Enter the show session all 0 command such as the following: 92R-M6-A2/1#sh sess all 0 Session Info: Flags - 0:UDP, 1:TCP, 2:IP, 3:INT, 4:INVD, H: sessInHash, N: sessInNextEntry Index Src-IP ===== ====== 0 30.30.1.1 Dst-IP ====== 40.40.1.10 S-port D-port Age Next Serv Flags ====== ====== === ==== ==== ========= 0 80 59 000000 rs1 SLB3 H
NOTE: In most cases, an "S-port" of value "0" indicates a sticky session. Regardless of the source port (S-port) of the connection, the sticky session will stick to Src-IP 30.30.1.1, Dst-IP 40.40.1.10, and D-port 80 in the example. To clear a sticky session, use the clear server session command.
server). If multiple real servers are bound to a VIP, then requests from the same client may be serviced by different real servers over a period of time. However for transaction-oriented systems, a client may need to be serviced by the same real server each time the client makes a request, irrespective of whether the requests were made within seconds of each other or over an extended period of time. Using the sticky feature, the current maximum persistence possible for Stateful SLB is 20 hours. This setting may not be sufficient for systems that always need the client to be directed to the same real server, unless an event such as real server failure necessitates reassignment of the client to a different server.
September 2008
3 - 91
SLB-ServerIron(config)#server virtual-name-or-ip vs1 SLB-ServerIron(config-vs-vs1)#port http persist-hash clear-on-change SLB-ServerIron(config-vs-vs1)#end When clear-on-change is set for persistent hashing, the entire persistent hash table is cleared whenever a new server comes up. For example, the persistent hash table for a virtual server port is shown below:
Figure 3.13 Hash Table Before rs3 Comes Up
Persistent hash table virtual server vs1 port http Hash 0 Hash 1 Hash 2 Hash 3 Hash 4 Hash 5 Hash 6 ........... Hash 255 none rs2 rs2 rs1 rs1 rs2 rs1 none
Assume the administrator now binds port HTTP of a new real server rs3 to port HTTP of virtual server vs1. When real server rs3 comes up, the entire persistent hash table is cleared:
Figure 3.14
Persistent hash table virtual server vs1 port http Hash 0 Hash 1 Hash 2 Hash 3 Hash 4 Hash 5 Hash 6 ........... Hash 255 none none none none none none none none
3 - 92
real server only if there are no empty persistent hash entries (for example, the default persist hash reassign threshold is 0 percent). To specify the threshold, enter commands such as the following: SLB-ServerIron#con t SLB-ServerIron(config)#server persist-hash-threshold 5 Syntax: [no] server persist-hash-threshold <percent-value> The <percent-value> is any value from 0 to 99. With the reassign mechanism, if multiple servers come up simultaneously and need reassignment because the number of empty hash table entries is below the reassign threshold, then the ServerIron will clear the persistent hashing table. Reassign duration If the number of empty persistent hash entries is below the reassign threshold, the ServerIron reassigns some of the persistent hash entries over a period of time to the new real server. This duration of time is known as the persist hash reassign duration. To specify the reassign duration, enter commands such as the following: SLB-ServerIron#con t SLB-ServerIron(config)#server persist-hash-reassign-duration 5 This global command is applied to all configured VIP ports that are persist-hash enabled. The ServerIron will complete the reassignment within 2 minutes by default. Syntax: [no] server persist-hash-reassign-duration <value> The <value> is the time duration from 2 to 30 minutes
The ServerIron will stop reassigning persistent hash entries to the new real server when either of the following occurs: The system has finished reassigning X persistent hash entries to the new real server (occurs in the amount of time specified by the persist-hash-reassign-duration) The number of persistent hash entries assigned to the new real server is equal to the lowest number of persistent hash entries assigned to any of the existing real servers, whichever happens earlier.
September 2008
3 - 93
Figure 3.15
Persistent hash table virtual server vs1 port http Hash 0 Hash 1 ........... Hash 47 Hash 48 Hash 49 Hash 50 Hash 51 Hash 52 Hash 53 Hash 54 Hash 55 Hash 56 ........... Hash 255 none none rs1 rs1 rs1 rs1 rs1 rs1 rs1 rs1 rs2 rs2 none
Persistent hash entries have been assigned as follows. Entries 47 to 54 have been assigned to real server rs1. Entries 55 and 56 have been assigned to rs2. All other entries are empty (no real server has been assigned to them). In this example, the administrator configures a reassign-threshold of 99 percent. That is, whenever the number of empty hash entries falls below 99 percent, the ServerIron will reassign the persistent hash table entries whenever a new real server comes up. The reassign-duration is the default value (2 minutes). Next, the administrator binds port HTTP of a new real server rs3 to port HTTP of virtual server vs1. When real server rs3 comes up, the ServerIron calculates the number of active real server ports. In this example, the number is 3 (rs1, rs2 and rs3). The system then calculates the number of empty hash table entries. In this example, the number is 246. Since less than 99 percent of the hash table entries are empty, the ServerIron will attempt to reassign some of the persistent hash entries to the new real server rs3. The ServerIron now calculates entries per server X as follows: X = total assigned hash table entries/number of active real servers = 10/3 = 3 The ServerIron now attempts to reassign 3 persistent hash entries to the new real server over 2 minutes. The system will stop after it has reassigned 2 entries of real server rs1 to new real server rs3. The reason is once rs3 is assigned 2 persistent hash entries, the value is equal to the number of entries assigned to existing real server rs2. The persistent hash table after the reassignment appears as follows:
3 - 94
September 2008
Figure 3.16
Persistent hash table virtual server vs1 port http Hash 0 Hash 1 ........... Hash 47 Hash 48 Hash 49 Hash 50 Hash 51 Hash 52 Hash 53 Hash 54 Hash 55 Hash 56 ........... Hash 255 none none rs3 rs3 rs1 rs1 rs1 rs1 rs1 rs1 rs2 rs2 none
Persistent hash table virtual server vs1 port http Hash 0 Hash 1 Hash 2 ........... Hash 255 rs1 rs2 rs1 none
Real server rs1 has been assigned to persistent hash table entries corresponding to hash value 0 and hash value 2. Real server rs2 has been assigned to the entry corresponding to hash value 1. Now assume all other hash table entries have not been assigned to any real servers.
September 2008
3 - 95
If port HTTP of real server rs1 fails, then the ServerIron will clear assignment of rs1 to the persistent hash entries in the above table. Once this is done, the persistent hash table will be as follows:
Figure 3.18 Hash Table After Server Failure
Persistent hash table virtual server vs1 port http Hash 0 Hash 1 Hash 2 ........... Hash 255 none rs2 none none
The ServerIron will not immediately assign a new server to the cleared hash table entries. The ServerIron will select and assign a real server for these entries using the SLB predictor the next time a client hashes to these hash table entries. In the previous example, assume a client now makes an HTTP request for virtual server vs1. Assume also the clients IP address hashes to a value of 2. The ServerIron checks the hash table entry corresponding to hash value 2 in the above persistent hash table. Since no real server is associated with the hash entry, the ServerIron selects a new real server, such as rs2, using the SLB predictor and then assigns it to the hash table entry. This and subsequent requests from the client will then be serviced by rs2.
Figure 3.19 Using rs2 to Service Requests
Persistent hash table virtual server vs1 port http Hash 0 Hash 1 Hash 2 ........... Hash 255 none rs2 rs2 none
Hit
Hit
3 - 96
September 2008
If you do not specify a virtual server name, then all the persistent hash tables for all virtual server ports for all virtual servers will be displayed.
Description Name of the virtual server. Virtual server port. Hash value for hash table entry. Real server assigned to the hash table entry. Number of times the client IP has hashed to this entry and been serviced by the associated real server. Is is possible for multiple clients to hash to the same hash entry (bucket).
September 2008
3 - 97
To verify the assignment, enter the following command: 4/1 #show server persist-hash Virtual port Persist Hash Buckets: Virtual Server <http-vs> Port <80>: Bucket: Server Hit Bucket: Server 36: http-rs1 Syntax: show server persist-hash 0
Hit
If a real server is manually assigned to a hash entry, the hit count will not be incremented for the assignment. Additionally, if you manually assign a real server for a hash table entry for which another real server is currently assigned, the new real server will replace the old real server for the hash entry as follows: 4/1# show server manual-persist-assign-hash 1.1.1.33 http-vs 80 http-rs2 80 Hash bucket for Client IP 1.1.1.33 = 36 Replacing current server http-rs1 allocated for hash 36 with server http-rs2 Server http-rs2 allocation to bucket 36 of specified virtual server for port 80 completed!
Routers receiving client traffic for the VIP select the best route to the VIP. As a result, clients enjoy fast response time regardless of their location because their gateway routers use the best path to the VIP. RHI also prevents client traffic from being routed to a VIP that is unavailable. VIP Route health injection advertises the host route to the VIP instead of a network route to the VIP's subnet. This approach ensures that the clients' gateway routers receive a route to the IP address only if that VIP is available.
3 - 98
September 2008
NOTE: Disabling the real ports of all real servers using server disable-all-real causes the respective virtual port's RHI state to become "Not Healthy", and the VIP host route will not be advertised. See show server virtualname-or-ip. In contrast, when you disable the virtual port of virtual server, the RHI state of a virtual port will not become "Not Healthy", and the ServerIron will keep advertising the VIP host route.
Configuration Considerations
Before you enable RHI, consider the following three issues: Static route redistribution It is required to redistribute the host route for the VIP into OSPF. To enable redistribution of static routes, enter commands such as the following:
ServerIronA(config)# router ospf ServerIronA(config-ospf-router)# area 0 ServerIronA(config-ospf-router)# redistribution static Syntax: [no] redistribution static Virtual server constraints Only a single virtual server with VIP RHI enabled should be associated with the subnet for an interface. For example, if you enable VIP RHI for a virtual server 1.1.1.101 and the associated interface has an IP address 1.1.1.106/24, do not enable VIP RHI on any other virtual server in the subnet prefix 1.1.1.0/24. User should not configure two VIPs in the same subnet prefix with VIP RHI enabled for these two virtual servers. Disabling network route advertisement for an interface associated with VIP RHI The ip dontadvertise command configures the ServerIron to block advertisement of the network on the interface. If you do not block advertisement of the network, the ServerIron will advertise a route to the network containing the VIP even if the VIP itself is unavailable. After you enter the ip dont-advertise command, the ServerIron advertises only a host route to the VIP address. Thus, if the VIP is not healthy, the ServerIron will remove the static host route for the VIP address and also not advertise a network route for the network containing the VIP address. ServerIronA(config)# interface ethernet 4/15 ServerIronA(config-if-4/15)# ip address 10.1.1.99 255.255.255.0
September 2008
3 - 99
ServerIronA(config-if-4/15)# ip dont-advertise 10.1.1.99 255.255.255.0 ServerIronA(config-if-4/15)# exit Syntax: ip dont-advertise <ip-addr> <mask> I <ip-addr>/<mask-bits>
To define the percentage of bound real server ports that must be healthy to consider a VIP port healthy, enter commands such as the following: ServerIronA#con t ServerIronA(config)# server rhi-active-bindings-threshold 20 Syntax: [no] server rhi-active-bindings-threshold <percent> A valid range for <percent> is 1-100. If the <percent> parameter is not set, the percentage is 0. In this case, the default method will be used to determine the health of the VIP port. For example, a VIP port will be considered healthy as long as there is at least one healthy real server port bound to it. As another example, consider a virtual server 1.1.1.101 with port http configured. This port http of the virtual server is bound to port http of real server 1.1.1.15 and port http of real server 1.1.1.44. If you have not configured any active bindings threshold percentage, then port http of VIP 1.1.1.101 will be considered healthy as long as at least one of the two bound real server ports is healthy.
3 - 100
September 2008
If you configure an active bindings threshold percentage of 100, then this setting requires all bound real server ports for the VIP port to be healthy, in order to consider the VIP port as healthy. If real server port http for real server 1.1.1.15 goes down, then VIP port http is no longer considered healthy because only 50% of the bound real server ports are healthy. The configuration in this example requires 100% of the bound real server ports to be up in order to consider the VIP port as healthy.
To specify that a VIP should be considered healthy if at least one VIP port is healthy, enter commands such as the following: ServerIronA#con t ServerIronA(config)# server rhi-one-vip-port-up Syntax: server rhi-one-vip-port-up
If this command is not configured, a VIP will be considered healthy only if all VIP ports are healthy. NOTE: If a VIP port is not bound to any real server ports, it will not be used for deciding the health of the VIP. If a VIP port is bound but you do not want to use it to determine the health of the VIP as described above, then configure the following for the VIP port: ServerIronA#con t ServerIronA(config)#server virtual-name-or-ip dns-p1 ServerIronA(config-vs-dns-p1)#port ftp rhi-dont-use-port Syntax: [no] port <port> rhi-dont-use-port As another example, assume port http and port ftp have been configured for virtual server vs1. You then bind port ftp of real server rs1 and port ftp of real server rs2 to port ftp of virtual server vs1. Similarly, you bind port http of real server rs1 and port http of real server rs2 to port http of virtual server vs1. If you need to base the health of the VIP vs1 only on the health of the VIP port http, then you can configure the following for the port ftp: ServerIronA#con t ServerIronA(config)#server virtual-name-or-ip vs1 ServerIronA(config-vs-dns-p1)#port ftp rhi-dont-use-port As a result, only the health of port http of virtual server vs1 will be used to determine the health of virtual server vs1 and consequently to determine if the VIP route for vs1 should be injected or withdrawn.
To change the VIP RHI route mask length for a specific virtual server, enter a command such as the following: ServerIron(config)#server virt virt-2 ServerIron(config-vs-virt-2)#vip-route-subnet-mask-length 28
September 2008
3 - 101
Syntax: [no] vip-route-subnet-mask-length <length> The <length> parameter specifies the subnet mask length of VIP RHI injected route for this virtual server. NOTE: The VIP-RHI mask length must be longer than the interface subnet mask length, and it must not overlap with other local hosts or servers.
Optionally, one can enable ServerIron to inject VIP route inside routing process regardless of its VIP ownership status. Enter the following command if you want to enable both SrverIrons to inject VIP route regardless of its ownership. ServerIron(config)#server rhi-inject-always Syntax: [no] server rhi-inject-always
PeakConn -------0
Bind count for virtual port = 1 Active count for virtual port = 1 RHI state for virtual port = Healthy Use port for RHI VIP health = YES Binding Information: ===================== http -------> http-ns: 1.1.1.15,
http (Active)
Bound Port Information: ======================== State(St) - ACT:active, ENB:enabled, FAL:failed, TST:test, DIS:disabled, UNK:unknown, UNB:unbind, AWU:await-unbind, AWD:await-delete Port ---St -Ms CurConn TotConn -- ------- ------Rx-pkts ------Tx-pkts ------Rx-octet -------Tx-octet -------Reas ----
3 - 102
September 2008
Field Descriptions for show server virtual-name-or-ip <name> <port> Description Number of real server ports bound to this VIP port Number of healthy real server ports bound to this VIP port This field can have one of the following three values: Healthy Not healthy Not bound
Bind count for virtual port Active count for virtual port RHI state for virtual port
If a VIP port is not bound to any real server ports, then its health is not used in the determination of the health of the VIP. Use port for RHI VIP health Health of this VIP will be used in the determination of the VIP health or not (related to command port <port> rhi-dont-use-port).
To display the RHI information for a VIP, enter the following command: SLB-ServerIron#show server virtual-name-or-ip Virtual Servers Info Name: dns-p1 Pred: least-conn VIP RHI: Enabled Port ---State ----State: Enabled ACL-Id: 0 VIP RHI state: healthy Sticky -----NO NO Concur -----NO NO Proxy ----NO NO DSR --NO NO IF UP IP:1.1.1.101: TotalConn: 0 1
CurConn ------0 0
TotConn ------0 0
PeakConn -------0 0
Description Indicates if VIP RHI is enabled for the VIP Indicates the health of the VIP. This can have one of the following two values: healthy Not healthy
September 2008
3 - 103
The following snap shot of show ip route was taken from a ServerIron with VIP RHI enabled: 93R-M6-JC#sh ip rou Total number of IP routes: 11 Start index: 1 B:BGP D:Connected R:RIP S:Static O:OSPF *:Candidate default Destination NetMask Gateway Port Cost 1 20.20.1.0 255.255.255.0 0.0.0.0 v2 1 2 30.30.0.0 255.255.0.0 40.40.1.101 v1 2 3 40.40.1.0 255.255.255.0 0.0.0.0 v1 1 4 50.50.1.0 255.255.255.0 0.0.0.0 v4 1 5 60.60.1.0 255.255.255.0 0.0.0.0 v3 1 6 60.60.1.10 255.255.255.255 60.60.1.10 v3 1 7 70.70.1.0 255.255.255.0 0.0.0.0 3/12 1 8 70.70.1.10 255.255.255.255 70.70.1.10 3/12 1 9 80.80.1.0 255.255.255.0 20.20.1.101 v2 2 10 90.90.1.0 255.255.255.0 0.0.0.0 3/12 1 11 90.90.1.10 255.255.255.255 90.90.1.10 3/12 1
Tip: Some administrators may view this approach as a contradiction to the basic definition of a route type. The route type of a network that is owned by an ServerIron (router) is usually shown as "D:connected" and a manually added static route type is to be shown as "S:Static".
Configuration Examples
Basic Configuration
Consider the example where VIP 10.1.1.10 is configured on three SIs A, B and C. The following is the step-by-step VIP RHI configuration for ServerIron A. 1. Ensure a routing protocol is running, such as OSPF: ServerIronA(config)# vlan 9 ServerIronA(config-vlan-9)# untagged ethernet 4/1 to 4/5 ServerIronA(config-vlan-9)# router-interface ve 9 ServerIronA(config-vlan-9)# exit ServerIronA(config)# router ospf ServerIronA(config-ospf-router)# area 0 ServerIronA(config-ospf-router)# redistribution static ServerIronA(config-ospf-router)# exit ServerIronA(config)# interface ve 9 ServerIronA(config-ve-9)# ip address 186.211.21.11 255.255.255.0 ServerIronA(config-ve-9)# ip ospf area 0 ServerIronA(config-ve-9)# exit 2. Configure the interface associated with the VIP: ServerIronA(config)# interface ethernet 4/15 ServerIronA(config-if-4/15)# ip address 10.1.1.99 255.255.255.0 ServerIronA(config-if-4/15)# ip dont-advertise 10.1.1.99 255.255.255.0 ServerIronA(config-if-4/15)# exit 3. Enable the real servers and ports: ServerIronA#con t ServerIronA(config)#server real rs1 10.1.1.20 ServerIronA(config-rs-rs1)#port http ServerIronA(config-rs-rs1)#exit
3 - 104
September 2008
ServerIronA(config)#server real rs2 10.1.1.30 ServerIronA(config-rs-rs2)#port http ServerIronA(config-rs-rs2)#exit 4. Set the VIP, bind VIP ports to real server ports, and enable VIP RHI: ServerIronA(config)#server virtual-name-or-ip vip-si-A 10.1.1.10 ServerIronA(config-vs-vip-si-A)#port http ServerIronA(config-vs-vip-si-A)#bind http rs1 http rs2 http ServerIron(config-vs-vip-si-A)#advertise-vip-route ServerIron(config-vs-vip-si-A)#exit The configuration is similar for ServerIron B and C (with relevant interface IP addresses).
Router #3
Client #1
Client #2
C
OSPF or BGP
Router #1
Ve3: 60.60.1.120 /24 Ve4: 50.50.1.120 /24 Don't advertise subnets Ve3: 60.60.1.120 /24 Ve4: 50.50.1.120 /24 Don't advertise subnets
Router #2
Ve1: 140.140.1.120 / 24 OSPF or RIP V2
S Site #1 ServerIron L2 S S
Wr1 to Wr10 Servers: 50.50.1.40 - 50.50.1.49 Ve2: 20.20.1.120 /24 OSPF or RIP V2 or Static Routes
S L2 S
Wr1 to Wr10 Servers: 50.50.1.40 - 50.50.1.49 Ve2: 120.120.1.120 /24 OSPF or RIP V2 or Static Routes
Site #2 ServerIron
PC
S
RS1 & RS2 Servers: 20.20.1.40 & 20.20.1.41
Internal Router#1
Internal Router#2
Virtual Servers for which VIP RHI is enabled: VIP60: 60.60.1.10 (Web1 to web10) & Prefix: /30 VIP50: 50.50.1.10 (Wr1 to wr10) & Prefix: /30 VIP70: 70.70.1.10 (test) & Prefix: /30 VIP90: 90.90.1.10 (Rem1 & Rem2) & Prefix: /28
Site 1 Configuration
ver 09.3.00b265TD4 ! module 1 bi-0-port-wsm2-management-module module 2 bi-jc-8-port-gig-module module 3 bi-jc-16-port-gig-copper-module module 4 bi-jc-16-port-gig-copper-module September 2008 2008 Foundry Networks, Inc. 3 - 105
! global-protocol-vlan ! ! server predictor round-robin server global-advertise-vip-route server global-vip-route-mask-length 30 server rhi-active-bindings-threshold 80 server port 21 tcp server port 80 tcp server port 53 udp server port 161 udp server port 25 tcp server port 443 tcp server port 8601 tcp ! ! server real rs1 20.20.1.40 port http port http url "HEAD /" port ftp port smtp port dns port dns zone "satish.com" port snmp port mms port rtsp ! server real rs2 20.20.1.41 port http port http url "HEAD /" port ftp port smtp port dns port dns zone "satish.com" port snmp port mms port rtsp ! server remote-name test 30.30.1.40 source-nat port http port http url "HEAD /" port ftp port smtp port dns port dns zone "satish.com" port snmp port mms port rtsp ! 3 - 106 2008 Foundry Networks, Inc. September 2008
server real Web1 60.60.1.40 port 8601 ! server real Web2 60.60.1.41 port 8601 ! server real Web3 60.60.1.42 port 8601 ! server real Web4 60.60.1.43 port 8601 ! server real Web5 60.60.1.44 port 8601 ! server real Web6 60.60.1.45 port 8601 ! server real Web7 60.60.1.46 port 8601 ! server real Web8 60.60.1.47 port 8601 ! server real Web9 60.60.1.48 port 8601 ! server real Web10 60.60.1.49 port 8601 ! server real wr1 50.50.1.40 port http port http url "HEAD /" ! server real wr2 50.50.1.41 port http port http url "HEAD /" ! server real wr3 50.50.1.42 port http port http url "HEAD /" ! server real wr4 50.50.1.43 port http port http url "HEAD /" ! server real wr5 50.50.1.44 port http port http url "HEAD /" ! server real wr6 50.50.1.45 port http port http url "HEAD /" ! server real wr7 50.50.1.46 port http port http url "HEAD /" ! server real wr8 50.50.1.47 September 2008 2008 Foundry Networks, Inc. 3 - 107
port http port http url "HEAD /" ! server real wr9 50.50.1.48 port http port http url "HEAD /" ! server real wr10 50.50.1.49 port http port http url "HEAD /" ! server remote-name rem1 80.80.1.40 port 8601 port ftp port smtp port ssl port dns port dns zone "satish.com" port snmp port mms port rtsp ! server remote-name rem2 80.80.1.41 port 8601 port ftp port smtp port ssl port dns port dns zone "satish.com" port snmp port mms port rtsp ! ! server virtual-name-or-ip vip60 60.60.1.10 port http bind http Web1 8601 Web2 8601 Web3 8601 Web4 8601 bind http Web5 8601 Web6 8601 Web7 8601 Web8 8601 bind http Web9 8601 Web10 8601 ! server virtual-name-or-ip vip50 50.50.1.10 port http bind http wr1 http wr2 http wr3 http wr4 http bind http wr5 http wr6 http wr7 http wr8 http bind http wr9 http wr10 http ! server virtual-name-or-ip vip70 70.70.1.10 port http port smtp port ftp port dns port snmp port mms port rtsp bind http test http bind smtp test smtp bind ftp test ftp bind dns test dns bind snmp test snmp 3 - 108 2008 Foundry Networks, Inc. September 2008
bind mms test mms bind rtsp test rtsp ! server virtual-name-or-ip vip90 90.90.1.10 vip-route-subnet-mask-length 28 port dns port snmp port http port ftp bind dns rem1 dns rem2 dns bind snmp rem1 snmp rem2 snmp bind http rem1 8601 rem2 8601 bind ftp rem1 ftp rem2 ftp ! server virtual-name-or-ip vip20 20.20.1.10 disable-advertise-vip-route port http port dns port snmp port ftp bind http rs1 http rs2 http bind dns rs1 dns rs2 dns bind snmp rs1 snmp rs2 snmp bind ftp rs1 ftp rs2 ftp ! ! vlan 1 name DEFAULT-VLAN by port ! vlan 10 by port untagged ethe 2/1 to 2/4 router-interface ve 1 ! vlan 20 by port untagged ethe 4/1 to 4/16 router-interface ve 2 ! vlan 30 by port tagged ethe 2/5 untagged ethe 2/8 router-interface ve 3 ! vlan 40 by port tagged ethe 2/5 untagged ethe 2/6 to 2/7 router-interface ve 4 ! ! hostname Site1-SI logging buffered 1000 mirror ethernet 4/12 ! server session-debug 100000 auto-cam-repaint pram-write-retry ! router ospf area 0 metric-type type1 redistribution connected September 2008 2008 Foundry Networks, Inc. 3 - 109
redistribution static ! interface loopback 1 ip address 100.100.100.100 255.255.255.255 ip ospf area 0 ! interface ethernet 2/1 mon ethe 4/12 input mon ethe 4/12 output ! interface ethernet 2/2 mon ethe 4/12 input mon ethe 4/12 output ! interface ethernet 2/5 mon ethe 4/12 input mon ethe 4/12 output ! interface ethernet 3/12 ip address 70.70.1.120 255.255.255.0 ip dont-advertise 70.70.1.120 255.255.255.0 ip address 90.90.1.120 255.255.255.0 ip dont-advertise 90.90.1.120 255.255.255.0 ! interface ethernet 4/1 mon ethe 4/12 input mon ethe 4/12 output ! interface ethernet 4/2 mon ethe 4/12 input mon ethe 4/12 output ! interface ethernet 4/16 mon ethe 4/12 input mon ethe 4/12 output ! interface ve 1 ip address 40.40.1.120 255.255.255.0 ip address 40.40.1.121 255.255.255.0 secondary ip ospf area 0 ! interface ve 2 ip address 20.20.1.120 255.255.255.0 ip address 20.20.1.121 255.255.255.0 secondary ip ospf area 0 ! interface ve 3 ip address 60.60.1.120 255.255.255.0 ip dont-advertise 60.60.1.120 255.255.255.0 ip address 60.60.1.121 255.255.255.0 secondary ip dont-advertise 60.60.1.121 255.255.255.0 ! interface ve 4 ip address 50.50.1.120 255.255.255.0 ip dont-advertise 50.50.1.120 255.255.255.0 ip address 50.50.1.121 255.255.255.0 secondary ip dont-advertise 50.50.1.121 255.255.255.0 ! ! 3 - 110 2008 Foundry Networks, Inc. September 2008
end
Site 2 Configuration
ver 09.3.00b265TD4 module 1 bi-0-port-wsm2-management-module module 2 bi-jc-8-port-gig-module module 3 bi-jc-16-port-gig-copper-module module 4 bi-jc-16-port-gig-copper-module ! global-protocol-vlan ! ! server predictor round-robin server global-advertise-vip-route server global-vip-route-mask-length 30 server rhi-active-bindings-threshold 80 server port 21 tcp server port 80 tcp server port 53 udp server port 161 udp server port 25 tcp server port 443 tcp server port 8601 tcp ! ! ! server real rs1 120.120.1.40 port http port http url "HEAD /" port ftp port smtp port dns port dns zone "satish.com" port snmp port mms port rtsp ! server real rs2 120.120.1.41 port http port http url "HEAD /" port ftp port smtp port dns
September 2008
3 - 111
! server remote-name test 130.130.1.40 source-nat port http port http url "HEAD /" port ftp port smtp port dns port dns zone "satish.com" port snmp port mms port rtsp ! server real Web1 60.60.1.40 port 8601 ! server real Web2 60.60.1.41 port 8601 ! server real Web3 60.60.1.42 port 8601 ! server real Web4 60.60.1.43 port 8601 ! server real Web5 60.60.1.44 port 8601 ! server real Web6 60.60.1.45 port 8601 ! server real Web7 60.60.1.46 port 8601 ! server real Web8 60.60.1.47 port 8601 ! server real Web9 60.60.1.48 port 8601 ! server real Web10 60.60.1.49 port 8601 ! server real wr1 50.50.1.40 port http port http url "HEAD /" ! server real wr2 50.50.1.41 port http port http url "HEAD /" ! server real wr3 50.50.1.42 port http port http url "HEAD /" ! 3 - 112 2008 Foundry Networks, Inc. September 2008
server real wr4 50.50.1.43 port http port http url "HEAD /" ! server real wr5 50.50.1.44 port http port http url "HEAD /" ! server real wr6 50.50.1.45 port http port http url "HEAD /" ! server real wr7 50.50.1.46 port http port http url "HEAD /" ! server real wr8 50.50.1.47 port http port http url "HEAD /" ! server real wr9 50.50.1.48 port http port http url "HEAD /" ! server real wr10 50.50.1.49 port http port http url "HEAD /" ! server remote-name rem1 180.180.1.40 port 8601 port ftp port smtp port ssl port dns port dns zone "satish.com" port snmp port mms port rtsp ! server remote-name rem2 180.180.1.41 port 8601 port ftp port smtp port ssl port dns port dns zone "satish.com" port snmp port mms port rtsp ! ! server virtual-name-or-ip vip60 60.60.1.10 port http bind http Web1 8601 Web2 8601 Web3 8601 Web4 8601 bind http Web5 8601 Web6 8601 Web7 8601 Web8 8601 bind http Web9 8601 Web10 8601 ! server virtual-name-or-ip vip50 50.50.1.10 port http September 2008 2008 Foundry Networks, Inc. 3 - 113
bind http wr1 http wr2 http wr3 http wr4 http bind http wr5 http wr6 http wr7 http wr8 http bind http wr9 http wr10 http ! server virtual-name-or-ip vip70 70.70.1.10 port http port smtp port ftp port dns port snmp port mms port rtsp bind http test http bind smtp test smtp bind ftp test ftp bind dns test dns bind snmp test snmp bind mms test mms bind rtsp test rtsp ! server virtual-name-or-ip vip90 90.90.1.10 vip-route-subnet-mask-length 28 port dns port snmp port http port ftp bind dns rem1 dns rem2 dns bind snmp rem1 snmp rem2 snmp bind http rem1 8601 rem2 8601 bind ftp rem1 ftp rem2 ftp ! server virtual-name-or-ip vip120 120.120.1.10 disable-advertise-vip-route port http port dns port snmp port ftp bind http rs1 http rs2 http bind dns rs1 dns rs2 dns bind snmp rs1 snmp rs2 snmp bind ftp rs1 ftp rs2 ftp ! ! vlan 1 name DEFAULT-VLAN by port ! vlan 10 by port untagged ethe 2/1 to 2/4 router-interface ve 1 ! vlan 20 by port untagged ethe 4/1 to 4/16 router-interface ve 2 ! vlan 30 by port tagged ethe 2/5 untagged ethe 2/8 router-interface ve 3 ! vlan 40 by port 3 - 114 2008 Foundry Networks, Inc. September 2008
tagged ethe 2/5 untagged ethe 2/6 to 2/7 router-interface ve 4 ! ! hostname Site2-SI logging buffered 1000 mirror ethernet 4/12 ! server session-debug 100000 auto-cam-repaint pram-write-retry ! router ospf area 0 metric-type type1 redistribution connected redistribution static ! interface loopback 1 ip address 100.100.100.101 255.255.255.255 ip ospf area 0 ! interface ethernet 2/1 mon ethe 4/12 input mon ethe 4/12 output ! interface ethernet 2/2 mon ethe 4/12 input mon ethe 4/12 output ! interface ethernet 2/5 mon ethe 4/12 input mon ethe 4/12 output ! interface ethernet 3/12 ip address 70.70.1.120 255.255.255.0 ip dont-advertise 70.70.1.120 255.255.255.0 ip address 90.90.1.120 255.255.255.0 ip dont-advertise 90.90.1.120 255.255.255.0 ! interface ethernet 4/1 mon ethe 4/12 input mon ethe 4/12 output ! interface ethernet 4/2 mon ethe 4/12 input mon ethe 4/12 output ! interface ethernet 4/16 mon ethe 4/12 input mon ethe 4/12 output ! interface ve 1 ip address 140.140.1.120 255.255.255.0 ip address 140.140.1.121 255.255.255.0 secondary ip ospf area 0 ! interface ve 2 September 2008 2008 Foundry Networks, Inc. 3 - 115
ip address 120.120.1.120 255.255.255.0 ip address 120.120.1.121 255.255.255.0 secondary ip ospf area 0 ! interface ve 3 ip address 60.60.1.120 255.255.255.0 ip dont-advertise 60.60.1.120 255.255.255.0 ip address 60.60.1.121 255.255.255.0 secondary ip dont-advertise 60.60.1.121 255.255.255.0 ! interface ve 4 ip address 50.50.1.120 255.255.255.0 ip dont-advertise 50.50.1.120 255.255.255.0 ip address 50.50.1.121 255.255.255.0 secondary ip dont-advertise 50.50.1.121 255.255.255.0 ! end
Router #3
Client #1
Client #2
C
OSPF or BGP
Router #1
Ve3: 60.60.1.120 /24 Ve4: 50.50.1.120 /24 Don't advertise subnets Ve3: 60.60.1.120 /24 Ve4: 50.50.1.120 /24 Don't advertise subnets
Router #2
Ve1: 140.140.1.120 / 24 OSPF or RIP V2
S L2 S
Wr1 to Wr10 Servers: 50.50.1.40 - 50.50.1.49
S L2 S
Wr1 to Wr10 Servers: 50.50.1.40 - 50.50.1.49 Ve2: 120.120.1.120 /24 OSPF or RIP V2 or Static Routes
PC
S
RS1 & RS2 Servers: 20.20.1.40 & 20.20.1.41
S
Ve2: 20.20.1.120 /24 OSPF or RIP V2 or Static Routes
Internal Router#1
Internal Router#2
Virtual Servers for which VIP RHI is enabled: VIP60: 60.60.1.10 (Web1 to web10) & Prefix: /30 VIP50: 50.50.1.10 (Wr1 to wr10) & Prefix: /30 VIP70: 70.70.1.10 (test) & Prefix: /30 VIP90: 90.90.1.10 (Rem1 & Rem2) & Prefix: /28
Site 1 Configuration
The following configuration is only for virtual server vip60 (60.60.1.10). !
3 - 116
September 2008
ver 09.3.00b269TD4 ! module 1 bi-0-port-wsm2-management-module module 2 bi-jc-8-port-gig-module module 3 bi-jc-16-port-gig-copper-module module 4 bi-jc-16-port-gig-copper-module ! global-protocol-vlan ! ! server predictor round-robin server global-advertise-vip-route server global-vip-route-mask-length 30 server rhi-active-bindings-threshold 80 server port 21 tcp server port 80 tcp server port 53 udp server port 161 udp server port 25 tcp server port 443 tcp server port 8601 tcp ! ! server real rs1 20.20.1.40 port http port http url "HEAD /" port ftp port smtp port dns port dns zone "satish.com" port snmp port mms port rtsp ! server real rs2 20.20.1.41 port http port http url "HEAD /" port ftp port smtp port dns port dns zone "satish.com" port snmp port mms port rtsp ! September 2008 2008 Foundry Networks, Inc. 3 - 117
server remote-name test 30.30.1.40 source-nat port http port http url "HEAD /" port ftp port smtp port dns port dns zone "satish.com" port snmp port mms port rtsp ! server real Web1 60.60.1.40 port 8601 ! server real Web2 60.60.1.41 port 8601 ! server real Web3 60.60.1.42 port 8601 ! server real Web4 60.60.1.43 port 8601 ! server real Web5 60.60.1.44 port 8601 ! server real Web6 60.60.1.45 port 8601 ! server real Web7 60.60.1.46 port 8601 ! server real Web8 60.60.1.47 port 8601 ! server real Web9 60.60.1.48 port 8601 ! server real Web10 60.60.1.49 port 8601 ! server real wr1 50.50.1.40 port http port http url "HEAD /" ! server real wr2 50.50.1.41 port http port http url "HEAD /" ! server real wr3 50.50.1.42 port http port http url "HEAD /" ! server real wr4 50.50.1.43 port http port http url "HEAD /" ! server real wr5 50.50.1.44 3 - 118 2008 Foundry Networks, Inc. September 2008
port http port http url "HEAD /" ! server real wr6 50.50.1.45 port http port http url "HEAD /" ! server real wr7 50.50.1.46 port http port http url "HEAD /" ! server real wr8 50.50.1.47 port http port http url "HEAD /" ! server real wr9 50.50.1.48 port http port http url "HEAD /" ! server real wr10 50.50.1.49 port http port http url "HEAD /" ! server remote-name rem1 80.80.1.40 port 8601 port ftp port smtp port ssl port dns port dns zone "satish.com" port snmp port mms port rtsp ! server remote-name rem2 80.80.1.41 port 8601 port ftp port smtp port ssl port dns port dns zone "satish.com" port snmp port mms port rtsp ! ! server virtual-name-or-ip vip60 60.60.1.10 port http bind http Web1 8601 Web2 8601 Web3 8601 Web4 8601 bind http Web5 8601 Web6 8601 Web7 8601 Web8 8601 bind http Web9 8601 Web10 8601 ! server virtual-name-or-ip vip50 50.50.1.10 port http bind http wr1 http wr2 http wr3 http wr4 http bind http wr5 http wr6 http wr7 http wr8 http bind http wr9 http wr10 http ! server virtual-name-or-ip vip70 70.70.1.10 September 2008 2008 Foundry Networks, Inc. 3 - 119
port port port port port port port bind bind bind bind bind bind bind
http smtp ftp dns snmp mms rtsp http test http smtp test smtp ftp test ftp dns test dns snmp test snmp mms test mms rtsp test rtsp
! server virtual-name-or-ip vip90 90.90.1.10 vip-route-subnet-mask-length 28 port dns port snmp port http port ftp bind dns rem1 dns rem2 dns bind snmp rem1 snmp rem2 snmp bind http rem1 8601 rem2 8601 bind ftp rem1 ftp rem2 ftp ! server virtual-name-or-ip vip20 20.20.1.10 disable-advertise-vip-route port http port dns port snmp port ftp bind http rs1 http rs2 http bind dns rs1 dns rs2 dns bind snmp rs1 snmp rs2 snmp bind ftp rs1 ftp rs2 ftp ! vlan 1 name DEFAULT-VLAN by port ! vlan 10 by port untagged ethe 2/1 to 2/4 router-interface ve 1 ! vlan 20 by port untagged ethe 4/1 to 4/16 router-interface ve 2 ! vlan 30 by port tagged ethe 2/5 untagged ethe 2/8 router-interface ve 3 ! vlan 40 by port tagged ethe 2/5 untagged ethe 2/6 to 2/7 router-interface ve 4 ! ! hostname Site1-SI 3 - 120 2008 Foundry Networks, Inc. September 2008
logging buffered 1000 mirror ethernet 4/12 ! server session-debug 100000 auto-cam-repaint pram-write-retry ! router ospf area 0 metric-type type1 redistribution connected redistribution static ! interface loopback 1 ip address 100.100.100.100 255.255.255.255 ip ospf area 0 ! interface ethernet 2/1 mon ethe 4/12 input mon ethe 4/12 output ! interface ethernet 2/2 mon ethe 4/12 input mon ethe 4/12 output ! interface ethernet 2/5 mon ethe 4/12 input mon ethe 4/12 output ! interface ethernet 3/12 ip address 70.70.1.120 255.255.255.0 ip dont-advertise 70.70.1.120 255.255.255.0 ip address 90.90.1.120 255.255.255.0 ip dont-advertise 90.90.1.120 255.255.255.0 ! interface ethernet 4/1 mon ethe 4/12 input mon ethe 4/12 output ! interface ethernet 4/2 mon ethe 4/12 input mon ethe 4/12 output ! interface ethernet 4/16 mon ethe 4/12 input mon ethe 4/12 output ! interface ve 1 ip address 40.40.1.120 255.255.255.0 ip address 40.40.1.121 255.255.255.0 secondary ip ospf area 0 ! interface ve 2 ip address 20.20.1.120 255.255.255.0 ip address 20.20.1.121 255.255.255.0 secondary ip ospf area 0 ! interface ve 3 ip address 60.60.1.120 255.255.255.0 September 2008 2008 Foundry Networks, Inc. 3 - 121
ip dont-advertise 60.60.1.120 255.255.255.0 ip address 60.60.1.121 255.255.255.0 secondary ip dont-advertise 60.60.1.121 255.255.255.0 ! interface ve 4 ip address 50.50.1.120 255.255.255.0 ip dont-advertise 50.50.1.120 255.255.255.0 ip address 50.50.1.121 255.255.255.0 secondary ip dont-advertise 50.50.1.121 255.255.255.0 ! end
Site 2 Configuration
! ver 09.3.00b269TD4 ! module 1 bi-0-port-wsm2-management-module module 2 bi-jc-8-port-gig-module module 3 bi-jc-16-port-gig-copper-module module 4 bi-jc-16-port-gig-copper-module ! global-protocol-vlan ! ! healthck Site1-chk icmp dest-ip 40.40.1.120 healthck Site1-NOT boolean not Site1-chk healthck Web1-8601-chk tcp dest-ip 60.60.1.40 port 8601 protocol http protocol http url "HEAD /" interval 20 retries 4 l7-check healthck Web2-8601-chk tcp dest-ip 60.60.1.41 port 8601 protocol http protocol http url "HEAD /" interval 20 retries 4 l7-check healthck Web3-8601-chk tcp dest-ip 60.60.1.42 port 8601 protocol http protocol http url "HEAD /" interval 20 retries 4 l7-check healthck Web4-8601-chk tcp
3 - 122
September 2008
dest-ip 60.60.1.43 port 8601 protocol http protocol http url "HEAD /" interval 20 retries 4 l7-check healthck Web5-8601-chk tcp dest-ip 60.60.1.44 port 8601 protocol http protocol http url "HEAD /" interval 20 retries 4 l7-check healthck Web6-8601-chk tcp dest-ip 60.60.1.45 port 8601 protocol http protocol http url "HEAD /" interval 20 retries 4 l7-check healthck Web7-8601-chk tcp dest-ip 60.60.1.46 port 8601 protocol http protocol http url "HEAD /" interval 20 retries 4 l7-check healthck Web8-8601-chk tcp dest-ip 60.60.1.47 port 8601 protocol http protocol http url "HEAD /" interval 20 retries 4 l7-check healthck Web9-8601-chk tcp dest-ip 60.60.1.48 port 8601 protocol http protocol http url "HEAD /" interval 20 retries 4 l7-check healthck Web10-8601-chk tcp dest-ip 60.60.1.49 port 8601 protocol http protocol http url "HEAD /" interval 20 September 2008 2008 Foundry Networks, Inc. 3 - 123
retries 4 l7-check healthck Web1-chk boolean and Site1-NOT Web1-8601-chk healthck Web2-chk boolean and Site1-NOT Web2-8601-chk healthck Web3-chk boolean and Site1-NOT Web3-8601-chk healthck Web4-chk boolean and Site1-NOT Web4-8601-chk healthck Web5-chk boolean and Site1-NOT Web5-8601-chk healthck Web6-chk boolean and Site1-NOT Web6-8601-chk healthck Web7-chk boolean and Site1-NOT Web7-8601-chk healthck Web8-chk boolean and Site1-NOT Web8-8601-chk healthck Web9-chk boolean and Site1-NOT Web9-8601-chk healthck Web10-chk boolean and Site1-NOT Web10-8601-chk ! server predictor round-robin server global-advertise-vip-route server global-vip-route-mask-length 30 server rhi-active-bindings-threshold 80 server port 21 tcp server port 80 tcp server port 53 udp server port 161 udp server port 25 tcp server port 443 tcp server port 8601 tcp ! ! server real rs1 120.120.1.40 port http port http url "HEAD /" port ftp port smtp 3 - 124 2008 Foundry Networks, Inc. September 2008
! server real rs2 120.120.1.41 port http port http url "HEAD /" port ftp port smtp port dns port dns zone "satish.com" port snmp port mms port rtsp ! server remote-name test 130.130.1.40 source-nat port http port http url "HEAD /" port ftp port smtp port dns port dns zone "satish.com" port snmp port mms port rtsp ! server real Web1 60.60.1.40 port 8601 port 8601 healthck Web1-chk ! server real Web2 60.60.1.41 port 8601 port 8601 healthck Web2-chk ! server real Web3 60.60.1.42 port 8601 port 8601 healthck Web3-chk ! server real Web4 60.60.1.43 port 8601 port 8601 healthck Web4-chk ! server real Web5 60.60.1.44 port 8601 port 8601 healthck Web5-chk ! server real Web6 60.60.1.45 port 8601 port 8601 healthck Web6-chk ! server real Web7 60.60.1.46 port 8601 port 8601 healthck Web7-chk ! server real Web8 60.60.1.47 port 8601 September 2008 2008 Foundry Networks, Inc. 3 - 125
port 8601 healthck Web8-chk ! server real Web9 60.60.1.48 port 8601 port 8601 healthck Web9-chk ! server real Web10 60.60.1.49 port 8601 port 8601 healthck Web10-chk ! server real wr1 50.50.1.40 port http port http url "HEAD /" ! server real wr2 50.50.1.41 port http port http url "HEAD /" ! server real wr3 50.50.1.42 port http port http url "HEAD /" ! server real wr4 50.50.1.43 port http port http url "HEAD /" ! server real wr5 50.50.1.44 port http port http url "HEAD /" ! server real wr6 50.50.1.45 port http port http url "HEAD /" ! server real wr7 50.50.1.46 port http port http url "HEAD /" ! server real wr8 50.50.1.47 port http port http url "HEAD /" ! server real wr9 50.50.1.48 port http port http url "HEAD /" ! server real wr10 50.50.1.49 port http port http url "HEAD /" ! server remote-name rem1 180.180.1.40 port 8601 port ftp port smtp port ssl port dns port dns zone "satish.com" port snmp port mms 3 - 126 2008 Foundry Networks, Inc. September 2008
port rtsp ! server remote-name rem2 180.180.1.41 port 8601 port ftp port smtp port ssl port dns port dns zone "satish.com" port snmp port mms port rtsp ! ! server virtual-name-or-ip vip60 60.60.1.10 port http bind http Web1 8601 Web2 8601 Web3 8601 Web4 8601 bind http Web5 8601 Web6 8601 Web7 8601 Web8 8601 bind http Web9 8601 Web10 8601 ! server virtual-name-or-ip vip50 50.50.1.10 port http bind http wr1 http wr2 http wr3 http wr4 http bind http wr5 http wr6 http wr7 http wr8 http bind http wr9 http wr10 http ! server virtual-name-or-ip vip70 70.70.1.10 port http port smtp port ftp port dns port snmp port mms port rtsp bind http test http bind smtp test smtp bind ftp test ftp bind dns test dns bind snmp test snmp bind mms test mms bind rtsp test rtsp ! server virtual-name-or-ip vip90 90.90.1.10 vip-route-subnet-mask-length 28 port dns port snmp port http port ftp bind dns rem1 dns rem2 dns bind snmp rem1 snmp rem2 snmp bind http rem1 8601 rem2 8601 bind ftp rem1 ftp rem2 ftp ! server virtual-name-or-ip vip120 120.120.1.10 disable-advertise-vip-route port http port dns port snmp port ftp September 2008 2008 Foundry Networks, Inc. 3 - 127
http rs1 http rs2 http dns rs1 dns rs2 dns snmp rs1 snmp rs2 snmp ftp rs1 ftp rs2 ftp
! ! vlan 1 name DEFAULT-VLAN by port ! vlan 10 by port untagged ethe 2/1 to 2/4 router-interface ve 1 ! vlan 20 by port untagged ethe 4/1 to 4/16 router-interface ve 2 ! vlan 30 by port tagged ethe 2/5 untagged ethe 2/8 router-interface ve 3 ! vlan 40 by port tagged ethe 2/5 untagged ethe 2/6 to 2/7 router-interface ve 4 ! ! hostname Site2-SI logging buffered 1000 mirror ethernet 4/12 ! server session-debug 100000 auto-cam-repaint pram-write-retry ! router ospf area 0 metric-type type1 redistribution connected redistribution static ! interface loopback 1 ip address 100.100.100.101 255.255.255.255 ip ospf area 0 ! interface ethernet 2/1 mon ethe 4/12 input mon ethe 4/12 output ! interface ethernet 2/2 mon ethe 4/12 input mon ethe 4/12 output ! interface ethernet 2/5 mon ethe 4/12 input mon ethe 4/12 output ! interface ethernet 3/12 ip address 70.70.1.120 255.255.255.0 3 - 128 2008 Foundry Networks, Inc. September 2008
ip dont-advertise 70.70.1.120 255.255.255.0 ip address 90.90.1.120 255.255.255.0 ip dont-advertise 90.90.1.120 255.255.255.0 ! interface ethernet 4/1 mon ethe 4/12 input mon ethe 4/12 output ! interface ethernet 4/2 mon ethe 4/12 input mon ethe 4/12 output ! interface ethernet 4/16 mon ethe 4/12 input mon ethe 4/12 output ! interface ve 1 ip address 140.140.1.120 255.255.255.0 ip address 140.140.1.121 255.255.255.0 secondary ip ospf area 0 ! interface ve 2 ip address 120.120.1.120 255.255.255.0 ip address 120.120.1.121 255.255.255.0 secondary ip ospf area 0 ! interface ve 3 ip address 60.60.1.120 255.255.255.0 ip dont-advertise 60.60.1.120 255.255.255.0 ip address 60.60.1.121 255.255.255.0 secondary ip dont-advertise 60.60.1.121 255.255.255.0 ! interface ve 4 ip address 50.50.1.120 255.255.255.0 ip dont-advertise 50.50.1.120 255.255.255.0 ip address 50.50.1.121 255.255.255.0 secondary ip dont-advertise 50.50.1.121 255.255.255.0 ! end
Usage Guidelines
In software releases prior to release 11.0.00, the ServerIron supported a maximum of 4096 ports. This limit has been increased to 8192 beginning with release 11.0.00. NOTE: The ServerIron system may not be able to perform Layer 7 or Layer 4 health checks for these many ports though. It will stop processing health checks once its exceeds its system capacity. If this occurs, you must explicitly disable health checks for several ports. 2) The following table shows the minimum, maximum and default number of supported real servers, virtual servers and ports on the ServerIron system.
September 2008
3 - 129
Table 3.11:
Port Type
Default
NOTE: The implicit default port under virtual and real servers are included in the port count. In releases prior to 11.0.00, ServerIron supports a maximum of 8KB GET requests while performing Layer 7 switching. Beginning with release 11.0.00, ServerIron supports GET requests up to 20KB.
The ServerIron allows existing connections to end normally or, if you have enabled the force shutdown option, the ServerIron ends all connections within two minutes. If you use this method, to re-add the real server to the ServerIron, you must redefine the real server, then rebind the real server to the appropriate VIP(s). Shut down the real server itself, rather than change definitions on the ServerIron. When the real server stops responding to health checks, the ServerIron removes the server from the SLB. This option is simple because it does not require any configuration changes on the ServerIron. However, this option immediately disconnects all users, whereas the above options allow the server or service to gracefully shut down (unless you use the force shutdown option).
3 - 130
September 2008
Policy-Based SLB
NOTE: PBSLB time-of-day takes time as 16:35:30, but in the config it is shown as 16:35:00. ServerIron is setting seconds part to zero. Policy-Based Server Load Balancing (PBSLB) is the ServerIrons ability to direct requests to a server group, based on the source IP address of the request. When policy-based SLB is enabled for a port on a virtual server, the ServerIron examines the source IP address of each new connection sent to the VIP on the port. The ServerIron looks up the source IP address of the request in an internal policy list. The policy list is a table that associates IP addresses with real server groups. If an entry for the IP address is found in the policy list, then the ServerIron forwards the request to the associated real server group. If no entry for the IP address is found, the ServerIron directs the request to a server group specified as the "default" server group. Figure 3.22 shows a sample policy-based SLB configuration.
Figure 3.22 Policy-based SLB configuration
Server Group ID=1
Real Server rs1 207.95.7.1 HTTP requests from address 10.10.10.10 are sent here. 10.10.10.10 20.20.20.20 30.30.30.30 Real Server rs2 207.95.7.2
Internet
SI
SLB Policy: 10.10.10.1 Group 1 20.20.0.0/16 Group 2 Default Group 3
Real Server rs4 207.95.7.4 All other HTTP requests made to the VIP are sent here. Real Server rs5 207.95.7.5
The policy list contains two entries: one associating IP address 10.10.10.1 with real server group 1, and another associating network address 20.20.0.0/16 with real server group 2. In addition, real server group 3 is specified as the default server group. In this example, policy-based SLB works as follows: When a request from address 10.10.10.1 is received on the VIP, the ServerIron forwards the request to one of the load-balanced servers in real server group 1. When a request from network 20.20.0.0/16 is received, it is forwarded to the real server in group 2. When a request from a different address is received, since it does not have an entry in the policy list, it is forwarded to one of the load-balanced real servers in the default server group, which is specified as group 3.
September 2008
3 - 131
Since policy-based SLB is enabled on a per-VIP basis, some VIPs configured on the ServerIron can have policy-based SLB enabled, while others do not. Policy-based SLB can exist on a standalone device or in high-availability configurations, such as activestandby, symmetric, and active-active configurations. Policy-based SLB can coexist with other ServerIron features, including FWLB, NAT, and TCS. Policy-based SLB cannot coexist on the same VIP with Layer 7 switching features, including URL switching and cookie switching.
3 - 132
September 2008
For example, to specify 40,000 as the maximum number of entries for policy-based SLB, enter the following command: ServerIron(config)# server pbslb max-entries 40000 Syntax: [no] server pbslb max-entries <value> On ServerIron Chassis devices managed by the Web Switching Management Module (WSM), the maximum number of entries is 500,000. On devices managed by the Web Switching Management Module-II (WSM-II), the the maximum number of entries is 5,000,000. After you enter this command and save the configuration, you must reload the software for the new maximum limit to take effect.
September 2008
3 - 133
3 - 134
September 2008
A real server group can contain one or more real servers. If there is more than one real server in a server group, requests are load balanced across all the servers in the group. To assign real servers to server groups, you establish the IP address of each real server and specify the server group(s) to which it belongs. For example, to configure real server rs1 in Figure 3.22 on page 3-131, enter commands such as the following: ServerIron(config)# server real-name rs1 207.95.7.1 ServerIron(config-rs-rs1)# port http group-id 1 1 ServerIron(config-rs-rs1)# exit Syntax: server real <real-server-name> <ip-addr> Syntax: port http group-id <server-group-id-pairs> In this example, the server real command defines a real server called rs1 with an IP address of 207.95.7.1. The port http group-id command indicates the server group(s) to which the real server belongs. The server group is expressed as a pair of numbers, indicating a range of real server group IDs. The first number is the lowest-numbered server group ID, and the second is the highest-numbered server group ID. For example, if a real server belongs only to the server group with ID = 1, the last two numbers in the port http group-id command would be 1 1. (Note the space between the two numbers.) If a real server belongs to server groups 1 10, the last two numbers in the command would be 1 10. Valid numbers for server group IDs are 0 1023. To include a real server in groups that are not consecutively numbered, you can enter up to four server group ID pairs. For example, to include a real server in groups 1 5 and 11 15, you would enter the following command: ServerIron(config-rs-rs1)# port http group-id 1 5 11 15 You can also specify the server group ID pairs on separate lines; for example: ServerIron(config-rs-rs1)# port http group-id 1 5 ServerIron(config-rs-rs1)# port http group-id 11 15 The configuration for the remaining real servers in Figure 3.22 on page 3-131 is shown below. These commands place real server rs2 in server group ID = 1 (along with real server rs1), real server rs3 in server group ID = 2, and real servers rs4 and rs5 in server group ID = 3. ServerIron(config)# server ServerIron(config-rs-rs2)# ServerIron(config-rs-rs2)# ServerIron(config)# server ServerIron(config-rs-rs3)# ServerIron(config-rs-rs3)# ServerIron(config)# server ServerIron(config-rs-rs4)# ServerIron(config-rs-rs4)# ServerIron(config)# server ServerIron(config-rs-rs5)# ServerIron(config-rs-rs5)# real port exit real port exit real port exit real port exit rs2 207.95.7.2 http group-id 1 1 rs3 207.95.7.3 http group-id 2 2 rs4 207.95.7.4 http group-id 3 3 rs5 207.95.7.5 http group-id 3 3
September 2008
3 - 135
In previous software releases, when a PBSLB server group configuration changes, the client sessions with that group remain open. For example, if a client has sessions associated with Group A and Group As configuration changes moving the clients to Group B, the sessions with Group A are still open. Beginning with this release, the old sessions can be deleted and a new connection can be set up with a new group whenever a PBSLB server groups configuration changes. To enable this feature, enter the following command. SLB-ServerIron# configure terminal SLB-ServerIron(config)# server pbslb scan-session-table-after-config-change Syntax: [no] server pbslb scan-session-table-after-config-change Use the no form of the command to disable this feature. The feature is disabled by default.
NOTE: This enhancement applies only when the maximum number of PBSLB entries has not been increased over the supported numbers (using the server pbslb max-entries command). In this case, to send traffic for the port on the VIP to the default server group instead of blocking it, enter the following command: ServerIron(config)#server pbslb send-to-default-group-during-download Syntax: [no] server pbslb send-to-default-group-during-download
3 - 136
September 2008
NOTE: You would configure this command only if you have increased the maximum number of PBSLB entries over the default number.
Packet Trace
To perform a packet trace and print the messages to the console, enter the following command: SLB-telnet@ServerIron#ptrace term debug output is now sent to this terminal Syntax: ptrace term SLB-telnet@ServerIron#conf t SLB-telnet@ServerIron(config)#server pbslb tftp 10.1.1.1 pbslb/pbslb2M.txt 1 Download of pbslb config from TFTP server is initiated. .SLB-telnet@ServerIron(config)#............................................. ...............................Download of pbslb config from TFTP server is done. TFTP file size = 27718556, Entry count = 1000000, Parse error = 0, Table full error 1000000 Resetting pbslb trie Processing PBSLB entries .......................................PBSLB processing done BP sync msg = 200, BP Sync fail = 0 Duplicates = 0, Alloc err = 0, Full err = 0, Unknown err = 0
Error Messages
The number of messages that it took for the MP to synch the downloaded pbslb table to the BP (The download itself is staggered, so it is done in multiple passes). The number of messages (mentioned above) that failed successful transmission. In the event of a failure, the message is sent again. If BP sync fails, the MP will try to push down the PBSLB table to the BPs again after 100 ms. This process continues until the BP synch is completely successful. On the BP, the PBSLB trie is not populated until the download is totally successful.
BP Sync fail
Alloc err
The number of times the ServerIron was unsuccessful in allocating memory for the PBSLB trie. The device tries to allocate the entire trie at once, so if there is an error, this counter can only show a value of 1. The number of times the ServerIron could not add a new PBSLB entry to the trie because the trie is already full. This value should indicate the number by which the downloaded pbslb trie size exceeds the value that the ServerIron supports. When the PBSLB list is downloaded, it is first populated into a flat table that does not have any heirarchy. After populating this table, the MP will construct the DP trie to actually store the PBSLB entries for later lookups. Even when the MP synchs the PBSLB info to the BPs, it is the flat table that is pushed down and not the DP trie. Full error refers to those error cases where new entries cannot be added to the DP trie because the trie is already full. Table full error refers to those error cases where no more entries can be added to the flat table because the flat table is filled up.
Full err
September 2008
3 - 137
Error Messages
Is used to catch miscallaneous unexpected errors. For example, if the download buffer of the PBSLB table from MP to BP is corrupted. Another example is when we try to add an entry to the trie and the entry cannot be added due to an unexpected error.
3 - 138
If the default-group-id is configured, load balance traffic among default-group servers as per predictor. If all the servers of default-group are in failed state or max-conn limit is reached on all servers, load balance traffic among "failsafe" group servers. (If any customer complains about this behavior, we will treat it as bug). If all the servers of failsafe group are in failed state or max-conn limit is reached, deny the traffic.
Show Commmands
show pbslb failsafe To show how many requests are forworded by failsafe feature, enter a command such as the following: ServerIronI# show pblsb failsafe Syntax: show pbslb failsafe clear pbslb failsafe To clear PBSLB fail-safe counter, enter a command such as the following: ServerIron# clear pbslb failsafe
September 2008
3 - 139
Example
In Figure 3.23, one virtual server is associated with two real servers. When the virtual server receives a service request from a client, the virtual server sends the request to the real server with the least bandwidth utilization.
3 - 140
September 2008
Figure 3.23
ServerIron 400
evitcA rwP
Real Server 2
If the bandwidth metric is enabled globally or locally for a virtual server, then the ServerIron collects bandwidth usage data for each real server that is mapped to that virtual server. The bandwidth usage for a real server is measured in bytes. Each bandwidth usage count maintained for the real server corresponds to the bytes between the ServerIron and the real server in a 100 ms interval. Each virtual server is associated with a bandwidth sampling window size that specifies how many 100 ms bandwidth usage counts will be maintained for each real server. This size is used to calculate bandwidth usage of a real server. Figure 3.24 shows Virtual Server 1 with a bandwidth sampling window size of four. Therefore, ServerIron maintains the four most recent bandwidth usage counts for the two real servers that are associated with Virtual Server 1. Each count contains the bandwidth usage on the real server during a 100 ms interval. Using the specified algorithm, the counts are aggregated to determine the bandwidth usage on a real server
Figure 3.24 Bandwidth Sampling Window Set to 4 for Virtual Server 1
Virtual Server 1 Time 0 ms 100 ms 200 ms Real Server 1
0 20 0 0 0 0 0 0
Real Server 2
0 15 0 0 0 0 0 0
20
75
15
25
One of the following algorithms can be used to decide which real server has the most available bandwidth: Sum If the Sum algorithm is used, the ServerIron calculates the bandwidth usage on a real server by adding up the byte counts in all intervals in the bandwidth sampling window.
Sum Algorithm
Figure 3.25
20 Virtual Server 1
ServerIron 400
evitcA rwP
15
20
Real Server 1
15
25
15
10 Real Server 2
In Figure 3.25, the bandwidth sampling window for Virtual Server 1 is set to 4, so the four most recent bandwidth usage counts will be maintained for Real Server 1 and Real Server 2. If the sum algorithm is used, September 2008 2008 Foundry Networks, Inc. 3 - 141
then the number of bytes in the four 100 ms intervals for a real server are added to calculate bandwidth usage: Real server 1: 20 + 15 + 0 + 20 = 55 bytes Real server 2: 15 + 25 + 15 + 10 = 65 bytes Real Server 1 processed less bytes than Real Server 2; therefore, Real Server 1 has more available bandwidth than Real Server 2. The request is sent to Real Server 1. This algorithm is the default algorithm used by the bandwidth metric predictor. Weighted Server Sum If the weighted server sum algorithm is configured, weights can be assigned to the real servers. For each real server, the ServerIron takes the total number of bytes in each 100 ms interval in the bandwidth sampling window. Then it divides the total bytes by the weight of the real server. The service request is directed to the real server with the least bandwidth usage.
Weighted Server Sum
Figure 3.26
20 Virtual Server 1
ServerIron 400
evitcA rwP
15
20
15
25
15
In Figure 3.26, Real Server 1 has a weight of 1, while Real Server 2 has a weight of 4. If the weighed server sum algorithm is used, bandwidth usage is calculated as follows: Real Server 1: (20 + 15 + 0 + 20) divided by 1 = 55 bytes Real Server 2: (15 + 25 + 15 + 10) divided by 4 = 16.25 bytes Real Server 2 has less bandwidth usage than Real Server 1; therefore, the service request is directed to Real Server 2. Weighted Interval Sum In the weighted interval sum algorithm, a weight in percent is specified for the most recent interval, based on the weight assigned to the virtual server. The total bandwidth usage is calculated by multiplying this weight with the most recent bandwidth usage count. Then add up the remaining usage counts in the bandwidth sampling window and multiply that by 100% minus the configured weight for an interval. The totals are added together to calculate bandwidth usage.
Weighted interval Sum
Figure 3.27
20 Virtual Server 1
ServerIron 400
evitcA rwP
15
20
Real Server 1
15
25
15
10 Real Server 2
In Figure 3.27, the most current interval weight is configured at 80%. Bandwidth usage is calculated as follows: Real Server 1: (20 x 80%) + [ (15 + 0 + 20) x (100% 80%) ] = 23 bytes Real Server 2: (15 x 80%) + [ (25 + 15 + 10) x (100% 80%) ] = 22 bytes The results of the calculations show that Real Server 2 uses less bandwidth than Real Server 1; therefore, the service request will be sent to Real Server 2. 3 - 142 2008 Foundry Networks, Inc. September 2008
September 2008
3 - 143
Once the weighted-server sum algorithm is enabled, assign a weight to the real server. This weight is assigned at the real server level. Enter a command such as the following: ServerIron(config)# server real rs1 ServerIron(config-rs-rs1)# bw-weight 4 Syntax: [no] bw-weight <weight> Enter a number from 1 5 for <weight>. The default is 1.
Total
In the example above, information for the bandwidth on the ServerIron are highlighted in bold font. Syntax: show server real dns-ns Information specific to bandwidth usage on a ServerIron shows the following: Local BP BW(bits:last sec) Shows the number of bits processed by the real server during the last one second on the ServerIron. Local BP BW(bits:curr min) Shows the number of bits during the current minute processed by the real server on the ServerIron. This count shows the local real-time bandwidth usage for the real server. 2008 Foundry Networks, Inc. September 2008
3 - 144
Local BP BW(bits:last min) Shows the number of bits processed by the real server during the last one minute on the ServerIron.
Table 3.13: This Field... Server IP address Number of intervals Bind count Interval size Start of list ... end of list
Displays... IP address of the real server Number of 100 ms byte counts (bandwidth usage counts) maintained for the real server. Number of virtual servers to which the ports of a real server are bound The size of an interval, which is always 100 ms Each entry represents a count. A count represents the bandwidth usage in bytes for a duration shown in the Interval size field and is an aggregate of the bytes reported by all the ServerIron for that interval . For example, in the example above, there are ten bandwidth usage counts for Real Server dns-ns. Each count reflects the bandwidth usage of the real server during a 100 ms interval. The text "write next here" means that this is the most recent interval; that is, the most recent bandwidth usage count will be written in this space.
September 2008
3 - 145
having all of the traffic use the default route. To do this, you can configure ACLs and route maps and apply them either globally or to individual interfaces. In the following example, clients belonging to two different sub-nets 33.33.33.0/24 and 10.10.1.0/24 are accessing VIPs 33.33.33.111 and 10.10.1.111, respectively. The next-hop routers for these clients are 33.33.33.1 and 10.10.1.1. To load balance the return traffic to the clients, you can configure the following ACLs and route map: ServerIron(config)# access-list 101 permit ip 33.33.33.0 0.0.0.255 any ServerIron(config)# access-list 102 permit ip 10.10.1.0 0.0.0.255 any ServerIron(config)# route-map test-route permit 101 ServerIron(config-route-map test-route)# match ip address 101 ServerIron(config-route-map test-route)# set ip next-hop 33.33.33.2 ServerIron(config-route-map test-route)# exit ServerIron(config)# route-map test-route permit 102 ServerIron(config-route-map test-route)# match ip address 102 ServerIron(config-route-map test-route)# set ip next-hop 10.10.1.2 ServerIron(config-route-map test-route)# exit ServerIron(config)# ip policy route-map test-route See "Policy-Based Routing (PBR)" in the Foundry Enterprise Configuration and Management Guide for more information on configuring PBR.
DSR
Direct Server Return (DSR) enables the return traffic to not be processed by the ServerIron. Instead, the real server directly sends the return traffic to the client. In this case, the ServerIron changes the way it sends health checks to the application so that the health checks do not rely on the return traffic. There are many DSR applications. You can use DSR on a single ServerIron or apply it to a High Availability (HA) scenario (Hot Standby SLB, Symmetric SLB, and Sym-Active SLB). SwitchBack configurations enhance server response time and increase capacity on the ServerIron, by allowing server responses to bypass the ServerIron on the way to clients and at the same time increasing the number of simultaneous connections the ServerIron can support. When DSR is used in the configuration, the return traffic gets directed over a more efficient path.
Figure 3.28 DSR
Client
Client requests
SI-A
SI-B
Server sends return traffic directly to the client
Server
3 - 146
September 2008
DSR configurations can enhance server response time and increase capacity on the ServerIron, by allowing server responses to bypass the ServerIron on the way to clients and at the same time increasing the number of simultaneous connections the ServerIron can support. Some ServerIron implementations are in topologies where both directions of load-balancing traffic, the client-toserver and server-to-client traffic, flow through the ServerIron. In this type of configuration, the ServerIron uses two sessions for each connection. One session is for the client-server traffic and the other session is for the server-client traffic. Typically, the client-server traffic uses less bandwidth than the server-client traffic. The client-server traffic usually consists of the initial GET requests to the VIP and TCP ACKs when the client receives a response from the server. The remaining traffic consists of the requested Web pages sent to the client by the server. The SwitchBack feature places the real server directly in contact with the client, so that server-client traffic does not pass through the ServerIron but instead goes directly from the server to the client. By placing the client directly in contact with the real server, SwitchBack enhances overall performance and throughput, and thus enhances the service experienced by the client. A ServerIron configured for Server Load Balancing acts as a dispatcher, sending client requests for a VIP directly to the real server, which responds directly to the client. The ServerIron does not translate the destination IP address in the clients request from the VIP into the real servers IP address as in other SLB configurations. Instead, the ServerIron leaves the destination IP address unchanged. NOTE: You cannot have a router hop between the ServerIrons. They must have Layer 2 connectivity. The SwitchBack feature applies to individual TCP/UDP ports. To configure the ServerIron for SwitchBack, you enable the feature for individual TCP/UDP ports when configuring the virtual server. For example, when you enable TCP port 80 (HTTP) on a virtual server, you can add the dsr parameter to enable SwitchBack for that port. Traffic for other ports still returns through the ServerIron. The ServerIron does not translate the destination IP address in client requests for the port with SwitchBack enabled. However, the ServerIron does still translate the destination IP address in the clients request to the real servers IP address for other ports. To configure the real servers for SwitchBack, configure a loopback interface on each real server and assign the VIP addresses to the loopback interface. The loopback interface enables the real server to respond to client requests directed at the VIPs, while at the same time keeping the real server hidden. The loopback interface responds to unicast traffic directed to it, but does not respond to ARP requests. The ServerIron responds to pings and ARPs for the VIPs. Thus, an attempt to obtain the real servers MAC address by ARPing a VIP does not succeed. See Configuring the Loopback Address on a Real Server on page 3-152.
the ServerIron concludes that the application or the entire server is down and stops sending client requests to that server. When you enable an application port for DSR, the ServerIron can still perform heath checks on the application by sending the health checks to the loopback address you configure on the real server: ServerIron(config)# server virtual-name-or-ip v1 209.157.22.1 ServerIron(config-vs-v1)# port 80 dsr Syntax: [no] port <tcp/udp-port> dsr You can use Layer 4 and Layer 7 health checks in your SwitchBack configuration: The ServerIron addresses Layer 3 (IP ping) health checks to the real server IP address, and addresses Layer 4 health checks to the real server IP address and the TCP or UDP protocol on the server. The ServerIron addresses Layer 7 health checks to the real server MAC address and to the loopback address that matches the VIP address.
The configuration procedures for the health checks are the same as for other types of SLB. See Health Checks on page 5-1.
3 - 148
September 2008
Because multiple VIPs are mapping to the same ports on the same real servers, TCP/UDP port binding is used. Thus, port 180 on VIP2 on ServerIron A and on VIP1 on ServerIron B is a logical port that is bound to port 80 on the real servers. For more information, see Many-To-One TCP/UDP Port Binding on page 3-10.
ServerIron
Domain Name
Priority
Real IP Address
www.abc.com
VIP1: 209.157.22.100
254
80
80 180
www.def.com
VIP2: 209.157.22.101
80
180 180
www.abc.com
VIP1: 209.157.22.100
80
180 80
www.def.com
VIP2: 209.157.22.101
254
80
80
September 2008
3 - 149
Figure 3.29
Internet
SI-A
SI-B
To implement the configuration shown in Figure 3.29, configure ServerIrons A and B. Note the dsr parameter on the port commands that add the HTTP port (TCP port 80) to the VIPs. To enable SwitchBack for additional TCP/UDP ports, you use the dsr parameter for each port when you add the port to a VIP. NOTE: Be sure you configure all the real servers on both ServerIrons, and bind the VIPs on each ServerIron to all the real servers. NOTE: Foundry recommends that you specify 2 (instead of 1) as a low priority or 254 (instead of 255) as a high priority. This way, you can easily force failover of the high priority ServerIron to the low priority ServerIron by changing the priority on just one of the ServerIrons. For example, you can force a failover by changing the priority on the high priority ServerIron from 254 to 1. Since the priority on the low priority ServerIron is 2, the low priority ServerIron takes over for the VIP. Likewise, you can force the low priority ServerIron to take over by changing its priority to 255, since the priority on the high priority ServerIron is only 254.
Configuring ServerIron A
Notice that all four real servers must be configured, and bound to the VIPs, on both ServerIrons. Notice also that two HTTP ports are added to each real server. This type of configuration requires that you use the TCP/UDP port binding feature to bind the ports on the two real servers to the same port on the virtual server. For information, see Many-To-One TCP/UDP Port Binding on page 3-10. To configure the real servers, enter the following commands: ServerIronA(config)# server real-name Real_Server_1 10.0.0.1
3 - 150
September 2008
ServerIronA(config-rs-Real_Server_1)# ServerIronA(config-rs-Real_Server_1)# ServerIronA(config-rs-Real_Server_1)# ServerIronA(config)# server real-name ServerIronA(config-rs-Real_Server_2)# ServerIronA(config-rs-Real_Server_2)# ServerIronA(config-rs-Real_Server_2)# ServerIronA(config)# server real-name ServerIronA(config-rs-Real_Server_3)# ServerIronA(config-rs-Real_Server_3)# ServerIronA(config-rs-Real_Server_3)# ServerIronA(config)# server real-name ServerIronA(config-rs-Real_Server_4)# ServerIronA(config-rs-Real_Server_4)# ServerIronA(config-rs-Real_Server_4)#
port http port 180 exit Real_Server_2 10.0.0.2 port http port 180 exit Real_Server_3 10.0.1.1 port http port 180 exit Real_Server_4 10.0.1.2 port http port 180 exit
To configure the VIPs, enter the following commands: ServerIronA(config)# server virtual-name-or-ip VIP1 209.157.22.100 ServerIronA(config-vs-VIP1)# port http dsr ServerIronA(config-vs-VIP1)# bind http Real_Server_1 http Real_Server_2 http Real_Server_3 http Real_Server_4 http ServerIronA(config-vs-VIP1)# sym-priority 254 ServerIronA(config-vs-VIP1)# exit ServerIronA(config)# server virtual-name-or-ip VIP2 209.157.22.101 ServerIronA(config-vs-VIP2)# port http dsr ServerIronA(config-vs-VIP2)# bind http Real_Server_1 180 Real_Server_2 180 Real_Server_3 180 Real_Server_4 180 ServerIronA(config-vs-VIP2)# no http port translate ServerIronA(config-vs-VIP2)# sym-priority 2 ServerIronA(config-vs-VIP2)# exit ServerIronA(config)# write memory
Configuring ServerIron B
To configure the real servers, enter the following commands: ServerIronB(config)# server real-name ServerIronB(config-rs-Real_Server_1)# ServerIronB(config-rs-Real_Server_1)# ServerIronB(config-rs-Real_Server_1)# ServerIronB(config)# server real-name ServerIronB(config-rs-Real_Server_2)# ServerIronB(config-rs-Real_Server_2)# ServerIronB(config-rs-Real_Server_2)# ServerIronB(config)# server real-name ServerIronB(config-rs-Real_Server_3)# ServerIronB(config-rs-Real_Server_3)# ServerIronB(config-rs-Real_Server_3)# ServerIronB(config)# server real-name ServerIronB(config-rs-Real_Server_4)# ServerIronB(config-rs-Real_Server_4)# ServerIronB(config-rs-Real_Server_4)# Real_Server_1 port http port 180 exit Real_Server_2 port http port 180 exit Real_Server_3 port http port 180 exit Real_Server_4 port http port 180 exit 10.0.0.1
10.0.0.2
10.0.1.1
10.0.1.2
To configure the VIPs, enter the following commands: ServerIronB(config)# server virtual-name-or-ip VIP1 209.157.22.100 ServerIronB(config-vs-VIP1)# port http dsr ServerIronB(config-vs-VIP1)# bind http Real_Server_1 180 Real_Server_2 180 Real_Server_3 180 Real_Server_4 180
September 2008
3 - 151
ServerIronB(config-vs-VIP1)# no http port translate ServerIronB(config-vs-VIP1)# sym-priority 2 ServerIronB(config-vs-VIP1)# exit ServerIronB(config)# server virtual-name-or-ip VIP2 209.157.22.101 ServerIronB(config-vs-VIP2)# port http dsr ServerIronB(config-vs-VIP2)# bind http Real_Server_1 http Real_Server_2 http Real_Server_3 http Real_Server_4 http ServerIronB(config-vs-VIP2)# sym-priority 254 ServerIronB(config-vs-VIP2)# exit ServerIronB(config)# write memory
Solaris
To configure a loopback address on Solaris, enter the following command: ifconfig lo0:1 <vip-addr> netmask <net-mask> up You might need to plumb the interface first. In this case, enter the following commands: ifconfig lo0:1 plumb ifconfig lo0:1 <vip-addr> netmask <net-mask> up NOTE: This command applies to the current running configuration only. To make the address permanent so that it is reconfigured following a reboot or power cycle, create the file /etc/hostname.lo0:1. NOTE: For Hewlett-Packard (HP) version 11.x, use the May 2000 or later patch.
Linux
To configure a loopback interface on Linux, enter a command such as the following: ifconfig lo:0 <vip-addr> netmask <net-mask> up NOTE: This command applies to the current running configuration only. To make the address permanent so that it is reconfigured following a reboot or power cycle, go to /etc/sysconfig/network-scripts and make a file called ifcfg-lo:0 using ifcfg-lo as a template.
NT
To configure a loopback interface on NT, you need to configure a new network adapter. Use the following procedure. This procedure applies to the following products: Microsoft Windows 2000 Professional Microsoft Windows 2000 Server Microsoft Windows 2000 Advanced Server Microsoft Windows 2000 Datacenter Server
3 - 152
September 2008
NOTE: When you add a loopback interface to NT, NT sometimes creates a route that has the same address as the loopback interface. You need to delete this route. In come cases, the procedure for deleting the route can include deleting the correct route to the servers default gateway. When this is the case, you need to add this route back to NT.
Manual Installation
1. 2. 3. 4. 5. 6. 7. 8. Click Start, point to Settings, click Control Panel, and then double-click Add/Remove Hardware. Click Add/Troubleshoot a device, and then click Next. Click Add a new device, and then click Next. Click No, I want to select the hardware from a list, and then click Next. Click Network adapters, and then click Next. In the Manufacturers box, click Microsoft. In the Network Adapter box, click Microsoft Loopback Adapter, and then click Next. Click Finish.
After the adapter is installed successfully, you can configure its options manually, as with any other adapter. NOTE: If the TCP/IP properties are configured to use DHCP (the default), the adapter will eventually use an autonet address (169.254.x.x/16) because it is not actually connected to any physical media.
Unattended Installation
Modify the Unattend.txt file using the following example as a guide to install the Microsoft Loopback adapter: [NetAdapters] Adapter01=Params.Adapter01 [Params.Adapter01] InfID="*msloop" ; Microsoft Loopback Adapter ConnectionName = "MS Loopback Adapter" [NetProtocols] MS_TCPIP=Params.MS_TCPIP ; TCP/IP parameters ; Use parameter values specific to your network [Params.MS_TCPIP] AdapterSections=params.TCPIP.Adapter01 DNS=yes DNSSuffixSearchOrder=mycorp.com EnableLMHosts=No ; Adapter Specific TCP/IP parameters ; Use parameter values specific to your network [params.TCPIP.Adapter01] SpecificTo=Adapter01 DNSDomain=mycorp.com DNSServerSearchOrder=192.168.5.251 WINS=no DHCP=no IPAddress=192.168.5.10 SubnetMask=255.255.255.0 DefaultGateway=192.168.5.254
September 2008
3 - 153
2.
Delete the route that has the same address as the loopback interface. C:\>route delete 192.168.200.0 mask 255.255.255.0 192.168.200.106
3.
Display the route table again to verify that the unwanted route is gone. C:\>route print Active Routes: Network Address 0.0.0.0 127.0.0.0 192.168.200.0 192.168.200.106 192.168.200.251 192.168.200.255 224.0.0.0 224.0.0.0 255.255.255.255 Netmask 0.0.0.0 255.0.0.0 255.255.255.0 255.255.255.255 255.255.255.255 255.255.255.255 224.0.0.0 224.0.0.0 255.255.255.255 Gateway Address 192.168.204.254 127.0.0.1 192.168.200.251 127.0.0.1 127.0.0.1 192.168.200.251 192.168.200.106 192.168.200.251 192.168.200.251 Interface 192.168.200.251 127.0.0.1 192.168.200.251 127.0.0.1 127.0.0.1 192.168.200.251 192.168.200.106 192.168.200.251 192.168.200.251 Metric 1 1 1 1 1 1 1 1 1
Long Method
3 - 154
September 2008
The long method, like the short method, requires you to delete the route that NT creates when you add the loopback interface. However, what makes this method is long is that in some cases, when the route table has more than one route in the network that contains the loopback interface, the route delete command deletes the wrong route. In this case, you need to enter the command again to delete the route that has the loopback address, then re-add the other route. 1. Enter the route print command to display the servers route table. In this example, the loopback interface has address 192.168.200.106. Notice that the route table also contains another route (192.168.200.250) in the same network. The 192.168.200.250 route is the gateway route and needs to stay in the route table. C:\users\default>route print Active Routes: Network Address 0.0.0.0 127.0.0.0 192.168.200.0 192.168.200.0 192.168.200.106 192.168.200.250 192.168.200.255 224.0.0.0 224.0.0.0 255.255.255.255 Netmask 0.0.0.0 255.0.0.0 255.255.255.0 255.255.255.0 255.255.255.255 255.255.255.255 255.255.255.255 224.0.0.0 224.0.0.0 255.255.255.255 Gateway Address 192.168.200.254 127.0.0.1 192.168.200.250 192.168.200.106 127.0.0.1 127.0.0.1 192.168.200.106 192.168.200.250 192.168.200.106 192.168.200.106 Interface 192.168.200.250 127.0.0.1 192.168.200.250 192.168.200.106 127.0.0.1 127.0.0.1 192.168.200.106 192.168.200.250 192.168.200.106 192.168.200.106 Metric 1 1 1 1 1 1 1 1 1 1
2. 3.
Enter the route delete command to delete the unwanted 192.168.200.106 route. C:\users\default>route delete 192.168.200.0 mask 255.255.255.0 192.168.200.106 Display the route table again to verify the results. In this example, NT deletes the first 192.168.200.x route in the table instead of deleting the route you want to delete. If this occurs when you are performing this procedure, go to Step 4. Otherwise, you are through with this procedure. C:\users\default>route print Active Routes: Network Address 0.0.0.0 127.0.0.0 192.168.200.0 192.168.200.106 192.168.200.250 192.168.200.255 224.0.0.0 224.0.0.0 255.255.255.255 Netmask 0.0.0.0 255.0.0.0 255.255.255.0 255.255.255.255 255.255.255.255 255.255.255.255 224.0.0.0 224.0.0.0 255.255.255.255 Gateway Address 192.168.200.254 127.0.0.1 192.168.200.106 127.0.0.1 127.0.0.1 192.168.200.106 192.168.200.250 192.168.200.106 192.168.200.106 Interface 192.168.200.250 127.0.0.1 192.168.200.106 127.0.0.1 127.0.0.1 192.168.200.106 192.168.200.250 192.168.200.106 192.168.200.106 Metric 1 1 1 1 1 1 1 1 1
4.
Enter the route delete command again to delete the unwanted route. C:\users\default>route delete 192.168.200.0 mask 255.255.255.0 192.168.200.106
September 2008
3 - 155
5.
Display the route table again to verify the results. In this example, none of the 192.168.200.x routes remain in the table. C:\users\default>route print Active Routes: Network Address 0.0.0.0 127.0.0.0 192.168.200.106 192.168.200.250 192.168.200.255 224.0.0.0 224.0.0.0 255.255.255.255 Netmask 0.0.0.0 255.0.0.0 255.255.255.255 255.255.255.255 255.255.255.255 224.0.0.0 224.0.0.0 255.255.255.255 Gateway Address 192.168.200.254 127.0.0.1 127.0.0.1 127.0.0.1 192.168.200.106 192.168.200.250 192.168.200.106 192.168.200.106 Interface 192.168.200.250 127.0.0.1 127.0.0.1 127.0.0.1 192.168.200.106 192.168.200.250 192.168.200.106 192.168.200.106 Metric 1 1 1 1 1 1 1 1
6. 7.
Enter the route add command to re-add the gateway route. C:\users\default>route add 192.168.200.0 mask 255.255.255.0 192.168.200.250 Display the route table again to verify that the table contains the gateway route but does not contain a route with the loopback address. C:\users\default>route print Active Routes: Network Address 0.0.0.0 127.0.0.0 192.168.200.0 192.168.200.106 192.168.200.250 192.168.200.255 224.0.0.0 224.0.0.0 255.255.255.255 Netmask 0.0.0.0 255.0.0.0 255.255.255.0 255.255.255.255 255.255.255.255 255.255.255.255 224.0.0.0 224.0.0.0 255.255.255.255 Gateway Address 192.168.200.254 127.0.0.1 192.168.200.250 127.0.0.1 127.0.0.1 192.168.200.106 192.168.200.250 192.168.200.106 192.168.200.106 Interface 192.168.200.250 127.0.0.1 192.168.200.250 127.0.0.1 127.0.0.1 192.168.200.106 192.168.200.250 192.168.200.106 192.168.200.106 Metric 1 1 1 1 1 1 1 1 1
The show server global command gives the output of the show server backup or the show server symmetric command, depending on which high availability method is in use, plus some additional configuration information that would have to be shared between a pair of ServerIrons in a high availability environment.
3 - 156
September 2008
The following is a sample for a ServerIron using Sym-active SLB: ServerIron#show server Server Symmetric port = 2/7 Group_id = 1 Candidate cnt = 1 Port No-rx 2/7 0 Server Load Balancing - global parameters Predictor = round-robin Force-deletion = 0 Reassign-threshold = 20 Reassign-limit = 3 TCP-age = 30 UDP-age = 5 Sticky-age = 5 TCP-syn-limit = 65535 msl = 8 TCP-total conn = 0 Unsuccessful conn = 0 NO-RESET-on-max-conn = Disabled Ping-interval = 2 Ping-retries = 4 Session ID age = 30
September 2008
3 - 157
Bind info Virtual server: v Status: enabled IP: 192.168.199.99 telnet -------> a: 192.168.99.11, telnet (remote) (Active) b: 192.168.99.12, telnet (remote) (Failed) http -------> a: 192.168.99.11, http (remote) (Active) b: 192.168.99.12, http (remote) (Failed) Client->Server = 0 Server->Client = Drops = 0 Aged = Fw_drops = 0 Rev_drops = FIN_or_RST = 0 old-conn = Disable_drop = 0 Exceed_drop = Stale_drop = 0 Unsuccessful = SYN def/proxy RST = 0 Server Resets = Out of Memory = 0 Out of Memory = last conn rate = 0 max conn rate = last TCP attack rate = 0 max TCP attack rate = fast vport found = 4 fast vport n found = Fwd to non-static FI = 0 Dup stale SYN = ServerIron#show server Server Symmetric port = 2/7 Group_id = 1 Candidate cnt = 1 Port No-rx 2/7 0 Server Load Balancing - global parameters Predictor = round-robin Force-deletion = 0 Reassign-threshold = 20 Reassign-limit = 3 TCP-age = 30 UDP-age = 5 Sticky-age = 5 TCP-syn-limit = 65535 msl = 8 TCP-total conn = 0 Unsuccessful conn = 0 NO-RESET-on-max-conn = Disabled Ping-interval = 2 Ping-retries = 4 Session ID age = 30 Bind info Virtual server: v Status: enabled IP: 192.168.199.99 telnet -------> a: 192.168.99.11, telnet (remote) (Active) b: 192.168.99.12, telnet (remote) (Failed) http -------> a: 192.168.99.11, http (remote) (Active) b: 192.168.99.12, http (remote) (Failed)
0 0 0 0 0 0 0 0 0 0 11 0
3 - 158
September 2008
Client->Server = 0 Server->Client = Drops = 0 Aged = Fw_drops = 0 Rev_drops = FIN_or_RST = 0 old-conn = Disable_drop = 0 Exceed_drop = Stale_drop = 0 Unsuccessful = SYN def/proxy RST = 0 Server Resets = Out of Memory = 0 Out of Memory = last conn rate = 0 max conn rate = last TCP attack rate = 0 max TCP attack rate = fast vport found = 4 fast vport n found = Fwd to non-static FI = 0 Dup stale SYN = TCP forward FIN = 0 TCP reverse FIN = Fast path FWD FIN = 0 Fast path REV FIN = Fast path SLB SYN = 0 Dup SYN after FIN = Duplicate SYN = 0 Duplicate sessions = TCP ttl FIN recvd = 0 TCP ttl reset recvd = Sessions in DEL_Q = 0 Sess force deleted = Fwd sess not found = 0 sess already in delQ = Sess rmvd from delQ = 0 New sess sync sent = 0 New sess sync recvd = TCP SYN received = 0 TCP SYN dropped = TCP SYN to MP = 0 TCP SYN ACK to MP = TCP SYN ACK received = 0 TCP SYN ACK dropped = TCP pkt received = 0 TCP pkt dropped = TCP pkt to MP = 0 PBSLB tftp status = Avail. Sessions on MP = 999993 Total Sessions on MP = slot-1 cpu-1 Avail. Session = 1999992 Total Sessions = 2000000 slot-1 cpu-2 Avail. Session = 1999992 Total Sessions = 2000000 slot-1 cpu-3 Avail. Session = 1999992 Total Sessions = 2000000 Total C->S Conn = 0 Total S->C Conn = 0 Total Reassign = 0 Unsuccessful Conn = 0 Server State - 0: disabled, 1:enabled, 2:failed, 3:test, 4:suspect, 5:grace_dn, 6:active Real Server State CurrConn TotConn TotRevConn CurrSess PeakConn a 6 0 0 0 0 0 b 1 0 0 0 0 0 last conn rate = 0 max conn rate = last TCP attack rate = 0 max TCP attack rate = SYN def RST = 0 SYN flood = ServerIron#
0 0 0
September 2008
3 - 159
You also can display this information separately. See Displaying SSLB Information on page 7-27. Server Symmetric port Group_id Candidate cnt Port Priority No-rx The ServerIron port number on which the ServerIron perceives other ServerIrons running Symmetric SLB. The Symmetric SLB group ID. The group ID is always 1 in the current release. The number of ports on which the ServerIron perceives a partner ServerIron running Symmetric SLB. The TCP/UDP port for which Symmetric SLB is enabled. The priority for the VIP. Information Foundry technical support can use to help resolve Symmetric SLB configuration issues.
3 - 160
September 2008
The load balancing metric in effect on the ServerIron. The predictor can be one of the following: least-conn (least connections) least-sess (least sessions) response-time (server response time) Note: This value also applies to the combined method of least connections and server response time weights. round-robin (round robin) weighted (weighted percentage) least-local-conn (least local connections) least-local-sess (least local sessions)
The default is least-conn. You can assign these metrics on a global basis and an individual virtual server basis. For more information or to globally change the predictor, see Globally Changing the Load-Balancing Method on page 3-26. To locally change the predictor for a virtual server, see Changing the Load Balancing Method on a Virtual Server on page 3-67. Force-deletion The state of the force shutdown option. This option immediately shuts down a server or service instead of waiting for existing connections to end before shutting the server or service down. The state can be one of the following: Reassign-threshold 0 Disabled 1 Enabled
The number of contiguous inbound TCP-SYN packets sent to the server that the server has not responded to. The TCP SYN-ACK counter increments only when acknowledgments are not received. Each time an expected TCP SYN-ACK is received, the counter is cleared. The default reassign threshold is 21 unacknowledged TCP SYNACKs. The value can be from 6 254. To change the reassign threshold, see Reassign Threshold on page 5-30 Note: You can modify this parameter to help minimize vulnerability to TCP SYN attacks.
Reassign-limit
The number of missed TCP SYN packets the ServerIron will accept before moving an inbound connection attempt to another server.
September 2008
3 - 161
Layer 3 Health Check Parameters Ping-interval How often the ServerIron sends a Layer 3 IP ping to test the basic health and reachability of the real servers. When enabled, this parameter specifies the interval for the pings. To change the interval, see Modifying the Ping Interval and Ping Retries on page 5-19. How many times the ServerIron resends a ping to a real server that is not responding. The default is 4 and can be from 2 10. To change this parameter, see Modifying the Ping Interval and Ping Retries on page 5-19. If the server still does not respond after the last retry, the ServerIron marks the server FAILED and removes it from the load balancing rotation. Global TCP/UDP Parameters TCP-age The number of minutes the ServerIron allows a TCP connection to remain unused before closing the connection. The default is 30 minutes. To change this parameter, see Configuring TCP Age on page 5-65. The value shown here is the global value. You can override this value for an individual TCP/UDP port by modifying its port profile. See Overriding the Global TCP or UDP Age on page 5-28. UDP-age The number of minutes the ServerIron allows a UDP connection to remain unused before closing the connection. The default is 5 minutes. To change this parameter, see Configuring UDP Age on page 5-65. The value shown here is the global value. You can override this value for an individual TCP/UDP port by modifying its port profile. See Overriding the Global TCP or UDP Age on page 5-28. Sticky-age TCP-syn-limit The number of minutes a sticky server connection can remain inactive before aging out. The default is 5 minutes. The maximum number of TCP SYN connections per second the ServerIron is allowed to send to the real server. The default is 65535 connections. You can guard against TCP SYN attacks by changing this parameter to a lower value. See Limiting the Maximum Number of TCP SYN Requests on page 3-31. TCP Connections Counters TCP-total conn Unsuccessful conn The total number of TCP connections the ServerIron is currently managing. The number of client requests for a TCP port that the ServerIron could not fulfill because the server was busy or down, or the port was not configured on the server.
Ping-retries
3 - 162
September 2008
The state of the ICMP message feature. The state can be one of the following: Disabled The ServerIron does not send ICMP Destination Unreachable messages to a client that requests an HTTP port that is on a busy or down server or that is not configured on the server. This is the default. Enabled The ServerIron does send ICMP Destination Unreachable messages to clients when the requested HTTP port is not available or not configured.
To change the state of this feature, see Sending ICMP Port Unreachable or Destination Unreachable Messages on page 3-33.
Reas ---0 0 0 0
Total
SLB-ServerIron#
information for remaining real servers omitted for brevity... Syntax: show server real
September 2008
3 - 163
Table 3.15: This Field... Server State Codes Server State General Server Parameters Name IP
Displays...
The possible values for the server state. The state of each real server is shown by the State field. See below.
The name of the real server. This is the name you assigned to the server when you configured it on the ServerIron. The IP address of the real server. If you configured a host range of VIPs on the server, the number following the IP address (after the colon) is the number of hosts on the server. In the example shown above, the VIP address is 209.157.23.60 and the address has been configured with a host range of four hosts. For more information, see Web Hosting with Unlimited Virtual IP Addresses on page 3-189.
State
The state of the real server, based on Layer 3 health checks. The state can be one of the following states, also listed next to "Server State" at the top of the show server real display: 1 Enabled 2 Failed 3 Test 4 Suspect 5 Graceful shutdown 6 Active
Note: The value in this field is based on the results of Layer 3 health checks, if enabled. The real server state can also be seen in the State column in the show server session display. To display the server state based on Layer 3 health checks, see the State field in the show server session display. (See You can also display port-binding information by entering the show server session command: on page 3-176.) Wt The weight assigned to this server. The weight applies only if the predictor (load balancing method) is weighted. See Changing the Load Balancing Method on a Virtual Server on page 3-67. The maximum number of client connections that the ServerIron will manage for the server. A connection consists of two sessions, the client-to-server session and the server-to-client session. By default, the ServerIron allows up to 500,000 connections (one million sessions) on a server. If you need to lower the maximum number of connections the ServerIron will manage, see Configuring the Maximum Number of Active Sessions on page 5-63.
Max-conn
3 - 164
September 2008
Real Server Information (Continued) Displays... The configured and operational states of the source NAT feature. The two states are separated by a colon ( : ). The configured state is shown first, followed by the operational state. Each state can have one of the following values: 0 Disabled 1 Enabled
Dest-nat
The configured and operational states of the destination NAT feature. The two states are separated by a colon ( : ). The configured state is shown first, followed by the operational state. Each state can have one of the following values: 0 Disabled 1 Enabled
Remote server
Indicates whether the server is configured on the ServerIron as a remote server or a local server. The ServerIron uses remote servers as failovers if all the local servers are down. This field can have one of the following values: No The server is not a remote server. Yes The server is a remote server.
For more information about remote servers, see Web Hosting with Geographically-Distributed Servers on page 3-196. Dynamic TCP/UDP Port Statistics The following fields apply to all the TCP/UDP ports on the real servers. Note: For DNS, HTTP, and RADIUS ports, the server-specific health check information for the port is listed under the ports statistics. For information about the health check parameters, see Changing HTTP Keepalive Method, Value, and Status Codes on page 5-34. A statistic used by Foundry technical support.
September 2008
3 - 165
Real Server Information (Continued) Displays... The TCP/UDP port name or number. This field can have one of the following values: default dns the well-known name for port 53 ftp the well-known name for port 21. (ports 20 and 21 both are FTP ports but on the ServerIron, the name ftp corresponds to port 21.) http the well-known name for port 80 imap4 the well-known name for port 143 ldap the well-known name for port 389 nntp the well-known name for port 119 ntp the well-known name for port 123 pop2 the well-known name for port 109 pop3 the well-known name for port 110 radius the well-known name for udp port 1812 smtp the well-known name for port 25 snmp the well-known name for port 161 ssl the well-known name for port 443 telnet the well-known name for port 23 tftp the well-known name for port 69 <number> the port number, if the port is not one of those listed above
State
The state of the port. The state can be one of the following: enabled failed test suspect graceful shutdown active unbnd
Note: If the state is unbnd, you have not bound the port to a virtual server port.
3 - 166
September 2008
Real Server Information (Continued) Displays... The master port state. This field applies only to track ports and to ports to which you have bound other TCP/UDP ports in many-to-one configurations. For track ports, the state of the master port. When a port is configured to track a master port, the ServerIron sends a clients request for the tracking port to the same real server as the master port. See Configuring a Track Port Group on page 3-68 and TCP/UDP Application Groups on page 3-192. In the example show real server output shown above, assume that port 500 is tracked by port 600. If port 500s state changes, port 600s state also changes to match. For many-to-one TCP/UDP port binding, the state of the port that is translated in the port binding between the real server and the virtual server. The ports that are not translated follow the state of the port that is translated. See Many-To-One TCP/UDP Port Binding on page 3-186. In the example show real server output shown above, assume that port 70 is untranslated and follows the state of port http. If port https state changes, port 70s state also changes to match.
This field can have one of the following values for the types of ports listed above: 1 Enabled 2 Failed 3 Test 4 Suspect 5 Graceful shutdown 6 Active
For all other types of ports, the value is always 0. CurConn The number of client connections currently on the server. A connection consists of two sessions, the client-to-server session and the server-to-client session. The number of client connections on the server since the ServerIron was last booted. A connection consists of two sessions, the client-toserver session and the server-to-client session. The number of packets the ServerIron has received from the server. The number of packets the ServerIron has sent to the server. The number of octets (bytes) the ServerIron has received from the server. The number of octets (bytes) the ServerIron has sent to the server.
TotConns
September 2008
3 - 167
Real Server Information (Continued) Displays... The number of times the ServerIron has reassigned the connection to another server in the rotation because the server that is in use has not responded to two contiguous TCP SYNs from the client. When this occurs, the ServerIron directs the client to another server upon receiving the third SYN from the client. Note: Windows 98 sends two TCP SYNs for each connection attempt. Note: This statistic does not apply to SwitchBack (Direct Server Return).
Server Name: v100 IP : 209.157.23.100 : 4 Status: enabled Predictor: least-conn TotConn: 4233 Dynamic: No HTTP redirect: disabled Sym: group = 1 state = 5 priority = 2 keep = 0 Activates = 4, Inactive= 3 Port State Sticky Concur CurConn TotConn radius-oenabled NO NO 0 0 http enabled NO NO 0 4233 ftp enabled NO NO 0 0 telnet enabled NO NO 0 0 ssl enabled YES NO 0 0 smtp enabled NO NO 0 0 nntp enabled NO NO 0 0 ntp enabled NO NO 0 0 dns enabled NO NO 0 0 pop2 enabled NO NO 0 0 pop3 enabled NO NO 0 0 tftp enabled NO NO 0 0 imap4 enabled NO NO 0 0 snmp enabled NO NO 0 0 ldap enabled NO NO 0 0 default enabled NO NO 0 0 information for remaining virtual servers omitted for brevity... Syntax: show server virtual-name-or-ip This display shows the following information.
PeakConn 0 39 0 0 0 0 0 0 0 0 0 0 0 0 0 0
Displays...
3 - 168
September 2008
Virtual Server Information (Continued) Displays... The name of the virtual server. This is the name you assigned to the server when you configured it on the ServerIron. The IP address of the virtual server. If you configured a host range of VIPs on the server, the number following the IP address (after the colon) is the number of hosts on the server. In the example above, the VIP has a host range of 4 addresses.
Status
The status of the virtual server. The status can be one of the following: enabled disabled
Predictor
The load balancing predictor the ServerIron uses to balance traffic among the real servers bound to this virtual server. The predictor can be one of the following: least-conn (least connections) least-sess (least sessions) response-time (server response time) Note: This value also applies to the combined method of least connections and server response time weights. round-robin (round robin) weighted (weighted percentage) least-local-conn (least local connections) least-local-sess (least local sessions)
You can assign these metrics on a global basis and an individual virtual server basis. For more information or to globally change the predictor, see Globally Changing the Load-Balancing Method on page 3-26. To locally change the predictor for a virtual server, see Changing the Load Balancing Method on a Virtual Server on page 3-67. TotConn The number of client connections on the server since the ServerIron was last booted or restarted. A connection consists of two sessions, the client-to-server session and the server-to-client session. A statistic used by Foundry technical support.
Dynamic
September 2008
3 - 169
Virtual Server Information (Continued) Displays... The state of the HTTP redirect feature. This feature enables the ServerIron to send an HTTP redirect message to the client if all the real servers are down and the ServerIron is therefore sending client requests to a remote server. The HTTP redirect message instructs the client to redirect its HTTP connection directly to the remote server, bypassing the ServerIron. The state can be one of the following: disabled enabled
For more information, see Using HTTP Redirect with GeographicallyDistributed Servers on page 3-199. Sym Information for Symmetric SLB. The following information is displayed: group The Symmetric SLB group number. state State 3 means the VIP is inactive. State 5 means the VIP is active. priority The Symmetric SLB priority configured on the ServerIron. keep The number of times an SSLB backup has failed to communicate with the active ServerIron. By default, the counter is incremented by 1 every 400 milliseconds the backup ServerIron is late responding to the active ServerIrons keepalive message. The counter is reset to 0 each time the backup ServerIron replies to a keepalive message. If the counter goes higher than the maximum number allowed (20 by default, thus 8 seconds), the standby ServerIron takes over as the new active ServerIron. Normally, this field almost always contains 0. Note: This field is applicable only on the active ServerIron. dyn priority/factor The current dynamically set priority and the decrement value. In this example, an application has failed a health check, so the dynamic priority is 20 instead of 30. The decrement value is 10. If the priority and dyn priority values match, then all the VIPs applications that are configured for SSLB are responding to their health checks. Activates The number of times this ServerIron has become the active ServerIron. Inactive The number of times this ServerIron has changed from being the active ServerIron. Best-standby-mac The MAC address of the backup ServerIron with the second-highest priority. This ServerIron will become the active ServerIron if a failover occurs.
For more information about Symmetric SLB, see Symmetric SLB on page 7-16.
3 - 170
September 2008
TCP/UDP Port Information and Statistics Port The TCP/UDP port name or number. This field can have one of the following values: default dns the well-known name for port 53 ftp the well-known name for port 21. (ports 20 and 21 both are FTP ports but on the ServerIron, the name ftp corresponds to port 21.) http the well-known name for port 80 imap4 the well-known name for port 143 ldap the well-known name for port 389 nntp the well-known name for port 119 ntp the well-known name for port 123 pop2 the well-known name for port 109 pop3 the well-known name for port 110 radius the well-known name for udp port 1812 radiuso UDP port 1645, which is used in some older RADIUS implementations instead of port 1812 smtp the well-known name for port 25 snmp the well-known name for port 161 ssl the well-known name for port 443 telnet the well-known name for port 23 tftp the well-known name for port 69 <number> the port number, if the port is not one of those listed above
State
The state of the port. The state can be one of the following: enabled failed test suspect graceful shutdown active unbnd
Note: If the status is unbnd, you have not bound the port to a real server port.
September 2008
3 - 171
Virtual Server Information (Continued) Displays... Whether the port is sticky. When a port is sticky, the ServerIron uses the same real server for multiple requests from the same client for the port. For non-sticky ports, the ServerIron load balances the requests and thus does not necessarily send them all to the same real server. This parameter can have one of the following values: NO YES
For more information, see TCP/UDP Application Groups on page 3192. Concur Whether the port is configured for concurrent connections. A port configured to allow concurrent connections can have more than connection open to the same client at the same time. For more information, see TCP/UDP Application Groups on page 3192. CurConn The number of client connections currently on the server. A connection consists of two sessions, the client-to-server session and the server-to-client session. The number of client connections on the server since the ServerIron was booted. A connection consists of two sessions, the client-toserver session and the server-to-client session. The highest number of connections the VIP has had at the same time.
TotConn
PeakConn
3 - 172
September 2008
The additional information is shown in bold type. ServerIron# show server virtual-name-or-ip dns-p1 http Name: dns-p1 Pred: least-conn Port ---http State ----enabled Sticky -----NO State: Enabled ACL-Id: 0 Concur -----NO Proxy ----NO DSR --NO CurConn ------0 IP:1.1.1.101: TotalConn: 0 TotConn ------688 1
PeakConn -------0
Bound Port Information: ======================== Port State Ms CurConn TotConn Rx-pkts --------- ------- ------- ------dns-ns: 1.1.1.15 http active 0 dns-fs: 1.1.1.16 rtsp failed 0
Tx-pkts -------
Rx-octet --------
Tx-octet --------
Reas ----
688
2060
2748
431614
173798
Syntax: show server virtual-name-or-ip [<virtual-server-name> [<tcp/udp-port>]] This display shows the following information for bound ports.
The virtual server port. The name and IP address of the real server to which the port is bound.
September 2008
3 - 173
Virtual Server Bound Port Information (Continued) Displays... The state of the application port on the real server. The state can be one of the following: Enabled Failed Test Suspect Graceful shutdown Active
For information about these states, see the "Application Port States" section in the "Configuring Port and Health Check Parameters" chapter of the ServerIron. Bound Port Information Note: This information is the same as the application information displayed by the show server real command. Port State Ms The real server port. The state of the application port on the real server. See the description for "<port> (<state>)" above. The master port state. This field applies only to track ports and to ports to which you have bound other TCP/UDP ports in many-to-one configurations. For track ports, the state of the master port. For many-to-one TCP/UDP port binding, the state of the port that is translated in the port binding between the real server and the virtual server.
This field can have one of the following values for the types of ports listed above: 1 Enabled 2 Failed 3 Test 4 Suspect 5 Graceful shutdown 6 Active
For all other types of ports, the value is always 0. CurConn The number of client connections currently on the server. A connection consists of two sessions, the client-to-server session and the server-to-client session. The number of client connections on the server since the ServerIron was last booted. A connection consists of two sessions, the client-toserver session and the server-to-client session.
TotConn
3 - 174
September 2008
Virtual Server Bound Port Information (Continued) Displays... The number of packets the ServerIron has received from the server. The number of packets the ServerIron has sent to the server. The number of octets (bytes) the ServerIron has received from the server. The number of octets (bytes) the ServerIron has sent to the server. The number of times the ServerIron has reassigned the connection to another server in the rotation because the server that is in use has not responded to two contiguous TCP SYNs from the client. When this occurs, the ServerIron directs the client to another server upon receiving the third SYN from the client. Note: Windows 98 sends two TCP SYNs for each connection attempt. Note: This statistic does not apply to SwitchBack (Direct Server Return).
Port http: Failed Name: MyServer03 IP:192.168.160.93 State: Enabled Port 8083: Failed Port http: Failed Syntax: show server port failed
= =
1999998 200001
Total Sessions
2000000
Total C->S Conn = 0 Total S->C Conn = 0 Total Reassign = 0 Unsuccessful Conn = 0 Server State - 0: diasbled, 1:enabled, 2:failed, 3:test, 4:suspect, 5:grace_dn, 6:active Real Server rs1 St CurrConn 1 0/0/0 TotConn 0 TotRevConn CurrSess 0 0 PeakConn 0
3 - 176
September 2008
The number of sessions that are still available for use. By default, the ServerIron is configured to allow the maximum number of sessions it can support. However, if you need to decrease the number of sessions supported, see Configuring the Maximum Number of Active Sessions on page 5-63. The number of sessions that are currently in use. The number of connections initiated by clients. The number of connections initiated by servers. Generally, this value is 0 unless the client is using FTP or another application that causes the server to initiate connections. The number of unacknowledged TCP SYN-ACKs on all the real servers combined. When a server reaches the maximum number of unacknowledged TCP SYN-ACKs allowed by the ServerIron (the reassign threshold), the ServerIron marks that server FAILED and removes it from the load balancing rotation. The TCP SYN-ACK counter increments only when acknowledgments are not received. Each time an expected TCP SYN-ACK is received from a real server, the counter is cleared for that server, thus reducing the total count. For more information, see Reassign Threshold on page 5-30. Note: This statistic does not apply to SwitchBack (Direct Server Return).
Total Reassign
The number of connection attempts by clients or servers that were unsuccessful. If the fast-age threshold is configured, the total number of sessions that were aged out because the number of free sessions dropped below the fast-age threshold, as well as the number of these sessions that were aged out in the last 60 seconds. If the random threshold is configured, the total number of sessions that were aged out at random because the number of free sessions dropped below the random threshold, as well as the number of sessions that were aged out randomly in the last 60 seconds. See Configuring Fast Session Aging on page 5-63 for more information on the fast-age and random thresholds.
Random-aged : total
Statistics for Individual Real Servers Server State Real Server The possible values for the server state. The state of each real server is shown by the State field. See below. The name of the real server. This is the name you gave the server when you configured it.
September 2008
3 - 177
Field Descriptions for show server session (Continued) Description The state of the real server. The state can be one of the states listed by "Server State" at the top of the display. Note: The value in this field is based on the results of Layer 3 health checks. To display the server state based on Layer 4 or Layer 7 health checks, see the State field in the show server real display. (See Displaying Real Server Configuration Statistics on page 3-163.)
CurConn
The number of client connections currently on the server. A connection consists of two sessions, the client-to-server session and the server-to-client session. The number of client connections on the server since the ServerIron was last booted or restarted. A connection consists of two sessions, the client-to-server session and the server-to-client session. The total number of connections initiated by the server to a client. The number of sessions currently open on the ServerIron. The highest number of simultaneous connections the ServerIron has managed since it was last booted or restarted.
TotConn
3 - 178
September 2008
Use clear server traffic to clear traffic statistics for real and virtual servers. SLB-chassis#rconsole 1 1 SLB-chassis1/1#show server traffic Client->Server = 0 Server->Client Drops = 0 Aged Fw_drops = 0 Rev_drops FIN_or_RST = 0 old-conn Disable_drop = 0 Exceed_drop Stale_drop = 0 Unsuccessful SYN def/proxy RST = 0 Server Resets Out of Memory = 0 Out of Memory last conn rate = 0 max conn rate last TCP attack rate = 0 max TCP attack rate fast vport found = 0 fast vport n found Fwd to non-static FI = 0 Dup stale SYN TCP forward FIN Fast path FWD FIN Fast path SLB SYN Duplicate SYN TCP ttl FIN recvd Sessions in DEL_Q Fwd sess not found Sess rmvd from delQ Fragment buf full er New sess sync sent L4 msg sent foundry packet sent TCP SYN received TCP SYN to MP TCP SYN ACK received TCP pkt received TCP pkt to MP = = = = = = = = = = = = = = = = =
= = = = = = = = = = = =
0 0 0 0 0 0 0 0 0 0 0 0
0 TCP reverse FIN = 0 0 Fast path REV FIN = 0 0 Dup SYN after FIN = 0 0 Duplicate sessions = 0 0 TCP ttl reset recvd = 0 0 Sess force deleted = 0 0 sess already in delQ = 0 0 0 Incoming TCP cksum e = 0 0 New sess sync recvd = 0 0 L4 msg recvd = 0 0 ipc packet sent = 8 0 TCP SYN dropped = 0 0 TCP SYN ACK to MP = 0 0 TCP SYN ACK dropped = 0 0 TCP pkt dropped = 0 0 PBSLB tftp status = In progres
Field Descriptions for show server traffic Description Number of packets sent from clients to servers. Number of packets sent from servers to clients. Number of packets dropped by the ServerIron. This statistic includes the following: TCP Resets Resets sent by the ServerIron Forward Resets Resets from the client Unsuccessful requests Requests sent to a TCP or UDP port that is not bound to the requests destination VIP
September 2008
3 - 179
Field Descriptions for show server traffic (Continued) Description Number of TCP and UDP sessions that the ServerIron closed because the aged out. A session ages out when the age timer configured on the ServerIron expires. For more information, see Configuring TCP Age on page 5-65 and Configuring UDP Age on page 5-65. Number of client-to-server packets the ServerIron has dropped. If this statistic is high, there might not be a session entry. This can occur under the following circumstances: If the session is terminated normally but the client sends another RESET. If Denial of Service (DoS) protection is configured and has been activated. If the maximum number of sessions has been reached. If all the real servers are down.
Fw_drops
Rev_drops
Number of server-to-client packets the ServerIron has dropped. If this statistic is high, there might not be a session entry. This can occur for the same reasons as listed for the Fw_drops field. Number of FINs or RSTs passing through (forward and reverse) a non-optimized path (no FPGA processing) inside the ServerIron. All traffic is optimized (FPGA processed) by default except FTP control, streaming protocol control, and DNS traffic.
FIN_or_RST
old-conn fast vport found Duplicate SYN Number of successful virtual-port searches using an improved (faster) method. When the ServerIron receives a SYN packet for a session that is already listed in the session table (show server sessions), the ServerIron has received a Duplicate SYN. The counter is then incremented by 1. Total (ttl) number of resets received in both the forward and reverse direction. This counter applies to both optimized (FPGA assisted) and non optimized traffic paths. Number of packets the ServerIron dropped because they were sent by a client to a VIP port that is bound to a real server port that is currently disabled. Number of packets dropped by the ServerIron because the TCP SYN limit on the real servers had been reached. The TCP SYN limit is a configurable parameter that allows you to protect servers against TCP SYN attacks by limiting the number of TCP SYN requests the ServerIron can send to the server each second. For more information, see Configuring the Maximum Number of Active Sessions on page 5-63. Stale_drop Number of TCP SYN packets the ServerIron dropped because they matched a stale session entry.
Disable_drop
Exceed_drop
3 - 180
September 2008
Field Descriptions for show server traffic (Continued) Description Number of packets that were dropped for one of the following reasons: A deny filter configured on the ServerIron matched the packet, causing the ServerIron to drop the packet. A client requested a TCP/UDP port that is not bound on the VIP.
Rate of TCP traffic per second. This counter includes all TCP traffic, including TCP SYN DoS attacks. This field displays in releases 09.0.00S and later. Peak rate of TCP traffic (per second) encountered on this device. This field displays in releases 09.0.00S and later. Rate of TCP Dos attacks per second. This rate is delayed by 1 to 2 minutes. This field displays in releases 09.0.00S and later. Peak rate of TCP DoS attacks (per second) encountered on this device. This rate is delayed by 1 to 2 minutes. This field displays in releases 09.0.00S and later.
max conn rate last TCP attack rate max TCP attack rate
September 2008
3 - 181
NOTE: The state can be either UP or SUSPECT, depending on the state of the real server ports that are bound to track-group ports. Track-group state is never in a DOWN state. The show track-group-state output above is based upon the following configuration: server real r1 10.10.1.101 port http port http url "HEAD /" port ftp port 3030 ! server real r2 10.10.1.102 port http port http url "HEAD /" port ssl ! server real r3 10.10.1.103 port ssl port http port http url "HEAD /" ! server virtual-name-or-ip v1 10.10.1.151 port http sticky port ftp sticky port 30303 sticky port 3030 sticky track-group http 21 bind http r1 http bind ftp r1 ftp bind 3030 r1 3030 ! server virtual-name-or-ip v2 10.10.1.153 port ssl sticky port http sticky track-group ssl 80 bind ssl r2 ssl bind http r2 http ! server virtual-name-or-ip v3 10.10.1.154 port ssl sticky port http sticky track-group http 443 bind ssl r3 ssl bind http r3 http !
"<cmd to show>"the actual command display to be shown repeatedly. The double quotes allow the command to accomodate white space. <interval>the interval for repeated displays (range from 1 to 60 seconds).
To stop the repeat-show command in the current session, use the following command (on MP only): ServerIron# stop-repeat-show Syntax: stop-repeat-show NOTE: The stop-repeat-show command stops all the repeat show commands issued in the session. The repeat-show commands are very similar to the traceroute and stop-traceroute commands. When you end a Telnet session, this command cleans up the Telnet session and issues the stop-repeat-show command.
September 2008
3 - 183
When you delete a real server, the ServerIron attempts to clear all the session entries for that real server from the session table. The ServerIron requires all the sessions to be cleared from the table before performing these operations. If you use the force shutdown option (server force-delete command), the ServerIron ends the sessions within one minute. Otherwise, the ServerIron allows active sessions to end normally before removing them. When you enter the command to delete a real server (no server real <name>), the ServerIron changes the servers state to "await_delete". The real server remains in this state until all its sessions are cleared from the session table. Occasionally, the ServerIron cannot clear all of a deleted real servers sessions from the table. When this occurs, to safely delete the real server from the ServerIron, we recommend the following procedure: 1 2 3 4 Under the real server, disable the application ports. Check to see the current connections and session comes down to zero (in show server real output). Under VIP, unbind the real server. Delete the real server.
To complete deletion of the server in this case, enter the clear server session <name> command after entering the no server real <name> command. EXAMPLE: ServerIron(config)# no server real rs1 ServerIron(config)# show server real rs1 Real Servers Info Name : rs1 IP:1.2.3.4 Range:1 State:await_delete Least-con Wt:0 Resp-time Wt:0 Port ---8080 default State ----unbnd unbnd Ms -0 0 CurConn ------0 0 TotConn ------0 0 Rx-pkts ------0 0
Tx-pkts ------0 0
Rx-octet -------0 0 0
Tx-octet -------0 0 0
Reas ---0 0 0
The no server real command deletes real server "rs1". The show server real command displays the states of the real servers. Notice that rs1 is still listed as a valid real server, and has the state "await_delete". If the no server real command does not list the deleted server, the server has been completely deleted. If the server continues to be listed with the "await_delete" state after several minutes, enter the clear server session command to finish deleting the server. The clear server session command deletes the remaining sessions for rs1, after which the ServerIron can finish deleting the server. You can enter this command immediately after entering the no server real command. You do not need to wait for any sessions to end normally.
3 - 184
September 2008
Web Hosting with One Virtual Server Mapped to Multiple Real Servers
Suppose a company establishes a Web site with a URL of www.alterego.com. The company system administrator configures the networks so that the SLB switch forwards Web requests among four independent servers, as shown in Figure 3.30.
Figure 3.30 Real and virtual server assignments in a backbone ServerIron network
www.alterego.com
SI
Web requests forwarded among multiple servers unseen by end users
Virtual IP 207.95.55.1
TCP Port 80
TCP Port 80 80 80 80
Web Hosting with Multiple Virtual Servers Mapped to One Real Server
Suppose an ISP administrator wants to use one real server to accommodate three premium users, all of which are Web sites. Each of these premium users is assigned its own Web site URL: www.fox.com www.horse.com www.tiger.com
As shown in Figure 3.31, the SLB switch forwards requests received for each of the three Web sites to the real server(s) assigned to handle the traffic.
September 2008
3 - 185
Figure 3.31
End user sends query to www.fox.com End user sends query to www.horse.com End user sends query to www.tiger.com
ServerIron
SI
Requests for: www.fox.com www.horse.com www.tiger.com are forwarded to one physical (real) server that hosts multiple web sites (virtual) server
Web Sites hosted (virtual addresses) www.fox.com 206.84.4.100 www.horse.com 206.84.4.101 www.tiger.com 206.84.4.102
3 - 186
September 2008
Figure 3.32
Remote Access Server (RAS) Each real server uses only one TCP port for both virtual IP addresses. An alias is configured on the ServerIron for VIPss TCP port
Two virtual servers configured to each map to the same real servers: VIP1, 209.157.22.88, TCP port 80 VIP2, 209.157.22.99, alias TCP port 180
SI
Web requests forwarded among multiple servers unseen by end users
TCP Port 80 80
Configuration Rules
Use the following rules when configuring the ServerIron to bind more than one virtual server to the same real server using the same application port: You must configure both the real port and the alias port on the real server(s). For example, if you need to create alias port 180 so that you can bind two virtual servers to the same real server and application port (80) on a real server, you must configure port 80 and port 180 on the real server. Otherwise, you will not be able to completely bind all the virtual servers to the real server. In the example below, the following real server configurations are incomplete because neither of the real servers has both the untranslated and alias ports configured: ServerIron(config)# server real-name r1 10.0.1.5 ServerIron(config-rs-r1)# port http ServerIron(config-rs-r1)# exit ServerIron(config)# server real-name r2 10.0.2.200 ServerIron(config-rs-r2)# port 180 ServerIron(config-rs-r2)# exit You cannot bind to both the untranslated port and the alias port in the same bind statement. In the example below, the following bind statement is invalid:
ServerIron(config-vs-VIP1)# port http ServerIron(config-vs-VIP1)# bind http r1 http r2 180 Here is a more detailed explanation: When you configure SLB, one of the tasks you perform is to bind the TCP or UDP application ports on the virtual server to their counterparts on the real server. For example, if clients will be sending requests to port 80 (HTTP) on virtual server www.mysite.com, but your real servers expect the HTTP connections to arrive on port 8080 of real server R1, then you must bind port 80 on the virtual server to port 8080 on the real server.
September 2008
3 - 187
One of the requirements is that a real server can be bound to only one virtual server using the same TCP or UDP application port. Thus, once you bind a real server port to a virtual server port, you cannot bind the same real server port to a different virtual server port. Normally, the ServerIron translates the IP address and application port of the virtual server requested by the client into the real server IP address and application port that you bind to the virtual server. However, when you disable port translation, the ServerIron does not perform the translation for the application port. Instead, the ServerIron translates the destination IP address in the clients request to the IP address of a real server, but leaves the application port in the clients request untranslated.
Configuration Example
To implement the configuration shown in Figure 3.32, enter commands such as the following: ServerIron(config)# server real-name r1 10.0.1.5 ServerIron(config-rs-r1)# port http ServerIron(config-rs-r1)# port 180 ServerIron(config-rs-r1)# exit ServerIron(config)# server real-name r2 10.0.2.200 ServerIron(config-rs-r2)# port http ServerIron(config-rs-r2)# port 180 ServerIron(config-rs-r2)# exit ServerIron(config)# server virtual-name-or-ip VIP1 209.157.22.88 ServerIron(config-vs-VIP1)# port http ServerIron(config-vs-VIP1)# bind http r1 http r2 http ServerIron(config-vs-VIP1)# exit ServerIron(config)# server virtual-name-or-ip VIP2 209.157.22.99 ServerIron(config-vs-VIP2)# port http ServerIron(config-vs-VIP2)# no port http translate ServerIron(config-vs-VIP2)# bind http r1 180 r2 180 The well-known port (80) is used for VIP1, but an alias (180) is used for VIP2. The real servers actually use port 80 for traffic to both virtual IP addresses. However, the alias port enables the ISP to distinguish among the two IP addresses and their traffic when they display SLB information on the ServerIron. The no port http translate command is required. This command enables the ServerIron to send traffic from multiple VIPs to the same real TCP/UDP port on the real server (in this example, http (port 80)). If you leave this command out, the ServerIron does not use port 180 as an alias but instead sends the VIP traffic to TCP/UDP port 180 on the real server rather than 80. NOTE: Since the untranslated port is logically bound to the translated port and both ports are bound to the same port on the real server, state information for the untranslated port is based on the translated ports state. In this example, state information for port 180 is based on the state for port 80. The state is shown in the Ms (Master port state) field of the display produced by the show server real command. See Displaying Real Server Configuration Statistics on page 3-163. NOTE: You can configure the ServerIron to perform health checks on each VIP independently. See Health Check of Multiple Web Sites on the Same Real Server on page 5-48.
3 - 188
September 2008
To display statistics for the separate real IP addresses, enter the following command at any command prompt: ServerIron(config)# show server real Server State - 1:enabled, 2:failed, 3:test, 4:suspect, 5:grace_dn, 6:active Name: r1 IP: 10.0.1.5 : 1 State: 3 Wt: 1 Max-conn: 1 000000 Src-nat (cfg:op) = 0: 0 Dest-nat-(cfg:op) = 0: 0 Port State Ms CurConn TotConns Rx-pkts Tx-pkts Rx-octet Tx-octet Reas 180 enabled 2 0 0 0 0 0 0 0 http enabled 0 0 0 0 0 0 0 0 Keepalive: Disabled, status code(s) default (200-299, 401) HTTP URL: "HEAD /" defaulunbnd 0 0 0 0 0 0 0 0 Server Total 0 0 : 0 0 1 State: 3 0: 0 Wt: 1 0 0 0
IP: 10.0.2.200
Max-conn: 1
0: 0 Dest-nat-(cfg:op) =
Port State Ms CurConn TotConns Rx-pkts Tx-pkts Rx-octet Tx-octet Reas http enabled 2 0 0 0 0 0 0 0 Keepalive: Disabled, status code(s) default (200-299, 401) HTTP URL: "HEAD /" defaulunbnd 0 0 0 0 0 0 0 0 Server Total 0 0 0 0 0 0 0
The lines highlighted in bold indicate the separate HTTP port numbers. The two HTTP lines for real server 1 (r1) indicate that an alias is in use. The first line lists the alias port number and the second line lists the actual port number used by the real server. Even though the same port number is used on the real server, the ServerIron display distinguishes the traffic for the two virtual IP addresses. NOTE: The state of the alias HTTP port is always the same as the state of the actual HTTP port used in the packets the ServerIron sends to the real server. The state is shown in the Ms (Master port state) column in the show server real display. SeeDisplaying Real Server Configuration Statistics on page 3-163.
Each subscribers account is on the same IP address. A Web user who accesses the server by entering the IP address gains access to the ISPs main page, but then must navigate to the individual subscribers directory. For home subscribers, this method of Web hosting is perfectly satisfactory. However, business subscribers sometimes prefer to have unique domain names. ISPs that provide separate IP addresses and domain names to their subscribers often do so by configuring multiple IP addresses on their real servers. The real servers have Network Interface Cards (NICs) that support multiple IP addresses. To provide load balancing and redundancy, ISPs sometimes configure multiple real servers with the same contents, but of course with different IP addresses. The ISP configures a unique virtual IP address September 2008 2008 Foundry Networks, Inc. 3 - 189
(VIP) for each subscriber and uses the ServerIron to map the VIP to real IP addresses on each real server for the subscribers Web site. In this type of application, individually configuring a VIP for each subscriber can require a lot of typing. However, the ServerIron makes configuring multiple VIPs easy by allowing you to configure a range of VIPs. When you configure a range, you create a VIP with the lowest address in the range, then specify how many consecutive addresses are in the range. When the ServerIron translates a VIP address configured as part of a host range into its corresponding real IP address on a real server, the ServerIron uses the VIPs offset from the base address to determine the correct real address. For example, suppose an ISP has two real servers with the following IP address ranges: 10.0.1.6 10.0.1.25 10.0.2.101 10.0.2.120
Instead of configuring 20 individual VIPs for these addresses, the ISP administrator can configure one VIP and a host range. In this example, the administrator configures the VIP 209.157.22.6 and adds a host range of 20 addresses to the VIP.
Figure 3.33 Host range feature used to easily configure a consecutive range of VIPs
Real Web Server 1
Domain names and actual IP addresses:
SI
Web requests forwarded among multiple servers unseen by end users
One virtual server configured to support 20 virtual IP addresses. ServerIron uses NAT to translate packet addresses and forward them to a real server. Domain names and virtual IP addresses: 209.157.22.6, www.another-online-retailer.com 209.157.22.7, www.car-and-boat-showcase.com 209.157.22.8, www.things-to-buy.com . . 209.157.22.25, www.knick-knacks-R-us.com
TCP Port 80 80 80 80
Real IP S1: 10.0.1.6 S2: 10.0.2.101 S1: 10.0.1.7 S2: 10.0.2.102 S1: 10.0.1.8 S2: 10.0.2.103 S1: 10.0.1.25 S2: 10.0.2.120
TCP Port 80 80 80 80
In the example in Figure 3.33, when the ServerIron receives a request for VIP 209.157.22.6, the ServerIron uses the predictor (balancing method) you configured to select one of the real servers, then selects the appropriate IP address on the server. In this case, since 209.157.22.6 is the first address in the VIP range, the ServerIron sends the request to 10.0.1.6 on real server 1 or 10.0.2.101 on real server 2.
3 - 190
September 2008
NOTE: To use this feature, make sure the real server has an unbroken range of consecutive IP addresses. Otherwise, you can define separate VIPs and host ranges for each range of unbroken addresses, or you can define a host-range map (see Configuring Host-Range Maps on page 3-53). Also, when you configure a real server, specify the first address in the host range on that server as that servers IP address. Suppose the ServerIron receives a request for 209.157.22.8. The ServerIron selects a real server, then applies the offset from the base VIP address to determine the corresponding real server address. In this example, 209.157.22.8 is two addresses higher than the base VIP address. Therefore, when the ServerIron sends the request to a real server, the ServerIron sends the request to a real IP address that is two addresses higher than the base address on the real server. The ServerIron knows to apply the offset because the administrator specified a host range when configuring the virtual server and real servers. The IP address you specify when you configure the real server is the first address in the range. NOTE: When health checks are enabled for the ports on the VIPs in a host range, the ServerIron checks the health of the applications on the base IP address only. The ServerIron assumes that the health of an application is the same for all the VIPs within the host range. To configure the ServerIron or switch for this application, enter the following commands: ServerIron(config)# server real-name r1 10.0.0.1 ServerIron(config-rs-r1)# host-range 20 ServerIron(config-rs-r1)# port http ServerIron(config-rs-r1)# exit These commands configure information for the first real server. The host-range command specifies the range of IP addresses the virtual server will represent for the real server. (You do not need to specify the beginning and ending points in the range, just the number of hosts in the range. The IP address you specify for the real server is automatically the first IP address in the range.) NOTE: You can specify up to the number of hosts that are available in the sub-net starting with the offset address. For example, if you are configuring a host range on a Class C sub-net and the starting address is 1, then the host range can be up to 255. If the starting address is 100, you can specify up to 155. The port http command enables the HTTP port. To configure information for the second real server, enter the following commands: ServerIron(config)# server real-name r2 10.0.2.101 ServerIron(config-rs-r2)# port http ServerIron(config-rs-r2)# host-range 20 ServerIron(config-rs-r2)# exit After you enter information for the real servers, you are ready to create the virtual server. To create the virtual server, enter the following commands: ServerIron(config)# server virtual-name-or-ip v1 209.157.22.6 ServerIron(config-vs-v1)# host-range 20 ServerIron(config-vs-v1)# port http ServerIron(config-vs-v1)# bind http r1 http r2 http ServerIron(config-vs-v1)# exit The bind commands associate the http port on each real server with the http port on the virtual server. NOTE: You also can enter the port number. If you enter the port name, the software uses the well-known number for the port (in this case 80).
September 2008
3 - 191
SI
Virtual HTTP Server Addresses www.support.com 200.22.5.25 www.sales.com 200.22.5.35 www.marketing.com 200.22.7.45
S1
S2
S3
S4
TCP Port 80 80 80 80
Port 80 80 80 80
3 - 192
September 2008
require the ability to open concurrent connections on the client with different TCP/UDP ports dynamically assigned by the real server. In all of these cases, the predictor (load-balancing metric) does not ensure that the client returns to the same real server. To accommodate these types of applications, you can configure ports on a virtual server to have the following attributes: Sticky connections When you add a TCP/UDP port to a virtual server, if you specify that the port is sticky, a client request for that port always goes to the same real server unless the sticky age timer has expired. The sticky age timer ages out inactive sticky server connections. Possible values are from 2 60 minutes. The default is 5 minutes. See Setting the Sticky Age on page 3-44 for information. TCP/UDP application groups (using the track port function) A primary TCP/UDP port is grouped with up to four additional TCP/UDP ports. After the ServerIron sends a client request for the primary port to a real server, subsequent requests from the client for ports grouped with the primary port go to the same real server. TCP/UDP application groups (using the track group function) Up to eight TCP/UDP ports are grouped together. After the ServerIron sends a client request for any of the grouped ports to a real server, subsequent requests from the client for ports in the group go to the same real server. NOTE: You must configure all the ports in a TCP/UDP application group to be sticky. Concurrent connections The real server can open additional ("concurrent") TCP/UDP sessions with the client using arbitrary TCP/UDP port numbers. NOTE: Although the concurrent connections attribute is similar to application groups, application groups apply to specific TCP/UDP ports that you configure on the virtual server. Concurrent connections enable the real server to arbitrarily determine the TCP/UDP ports and assign them to the client. NOTE: For servers that use passive FTP, configure the FTP ports to be both sticky and concurrent. Figure 3.35 shows an example of servers configured with sticky ports and an application group. In this example, the content on each real server is identical. However, some applications on the server require that clients use the same server for subsequent requests to application. The virtual server is configured to make the ports sticky and to group the TFTP and Telnet ports under the HTTP port.
Figure 3.35 Sticky ports and application group (using the track-port function) used to group TCP/UDP applications
Internet
Local Real Web Server 1 10.0.1.5
SI
Applications replicated on both real servers: Primary port, HTTP (port 80) Ports grouped with primary: TFTP (port 69) Telnet (port 23)
To implement an application group for this example, enter the following commands: ServerIron(config)# server real-name r1 10.0.1.5 ServerIron(config-rs-r1)# port http ServerIron(config-rs-r1)# port tftp ServerIron(config-rs-r1)# port telnet ServerIron(config-rs-r1)# exit
September 2008
3 - 193
ServerIron(config)# server real-name r2 10.0.2.200 ServerIron(config-rs-r2)# port http ServerIron(config-rs-r2)# port tftp ServerIron(config-rs-r2)# port telnet ServerIron(config-rs-r2)# exit After you enter information for the real servers, you are ready to create the virtual server. To create the virtual server, enter the following commands: ServerIron(config)# server virtual-name-or-ip v1 209.157.22.1 ServerIron(config-vs-v1)# port 80 sticky ServerIron(config-vs-v1)# port 69 sticky ServerIron(config-vs-v1)# port 23 sticky ServerIron(config-vs-v1)# track 80 69 23 ServerIron(config-vs-v1)# bind 80 r1 80 r2 80 ServerIron(config-vs-v1)# bind 23 r1 23 r2 23 ServerIron(config-vs-v1)# bind 69 r1 69 r2 69 ServerIron(config-vs-v1)# exit The commands above illustrate the track port function. The sticky parameter makes the TCP/UDP ports sticky. The track command groups the Telnet port (23) and the TFTP port (69) under the HTTP port (80); the HTTP port is established as the primary port. After the ServerIron sends a client to a real server for the HTTP port, subsequent requests from that client for the HTTP, TFTP, or Telnet port go to the same real server. Up to four ports can be grouped with the primary port. NOTE: Since ports 23 and 69 track port 80, state information for the tracking ports (23 and 69 in this example) are based on the tracked ports state (port 80 in this example). The state is shown in the Ms (Master port state) field of the display produced by the show server real command. See Displaying Real Server Configuration Statistics on page 3-163. The track group function works similarly to the track port function. With the track port function, the client uses the same server for applications associated with the grouped ports, as long as the primary port is active. In contrast, with the track group function, the client uses the same server for applications associated with the grouped ports, as long as all the ports in the group are active. After the ServerIron sends a client to a real server for any of the grouped ports, subsequent requests from that client for any of the grouped ports go to the same real server. The following commands illustrate the track group function: ServerIron(config)# server virtual-name-or-ip v1 209.157.22.1 ServerIron(config-vs-v1)# port 80 sticky ServerIron(config-vs-v1)# port 69 sticky ServerIron(config-vs-v1)# port 23 sticky ServerIron(config-vs-v1)# track-group 80 69 23 ServerIron(config-vs-v1)# bind 80 r1 80 r2 80 ServerIron(config-vs-v1)# bind 23 r1 23 r2 23 ServerIron(config-vs-v1)# bind 69 r1 69 r2 69 ServerIron(config-vs-v1)# exit In this example, the track-group command groups the HTTP port (80), Telnet port (23), and TFTP port (69) together. Whenever a client attempts to connect to a port within the group, the ServerIron ensures all ports in the group are active before granting the connection. The sticky parameter makes the TCP/UDP ports sticky. The sticky parameter must be set for all ports in the group. After the ServerIron sends a client to a real server for any of these three ports, subsequent requests from that client for the HTTP, TFTP, or Telnet port go to the same real server. Up to eight ports can be grouped together using the track group function. A port can be part of only one group. The track-group and track commands for a port are mutually exclusive.
3 - 194
September 2008
nets
The ServerIron allows you to easily deploy its services in a multinetted environment, without the overhead of configuring routing protocols. Normally, the ServerIron requires only one IP address, which you use for management access to the device. However, when the ServerIron and real servers are on different sub-nets, you need one of the following: Multiple sub-nets configured on the router Source NAT enabled and source IP addresses (up to eight) configured on the ServerIron
Figure 3.36 shows an example of a multinetted environment, in which the ServerIron is on one sub-net but the real servers are on another sub-net. The ServerIron is on sub-net 141.149.65.x and the real servers are on sub-net 10.10.10.x.
Figure 3.36 ServerIron and real servers in multinetted environment Router configured to route between sub-nets
Router 141.149.65.1
SI
-management IP address 141.149.65.10 -VIP 141.149.65.2 - source IP address 10.10.10.5 - source IP address 10.10.10.6 - source IP address 10.10.10.7 - source IP address 10.10.10.8 - source NAT enabled
rs2 10.10.10.3
In this example, the ServerIron and the real servers are on different sub-nets, but can communicate because the router is configured with interfaces in both sub-nets. Traffic from the ServerIron to the real servers goes to the router, which routes the traffic to the real servers sub-net. (The traffic passes back through the ServerIron to reach the real servers, but still must be routed by the router.) Traffic from the real servers to the ServerIron passes through the ServerIron to the router. The ServerIron acts like a Layer 2 bridge in this case and thus passes the traffic to the router. The router then routes the traffic to the ServerIrons sub-net. If you have network topology similar to the example in Figure 3.36, but you do not want to configure the router with multiple sub-nets, you can instead enable source NAT and configure a source IP address on the ServerIron. The source IP address allows the ServerIron to be in multiple sub-nets, in addition to the sub-net of the ServerIrons management IP address. Source NAT enables the ServerIron to perform IP address translation on the source address in packets addressed to the real servers. When source NAT is enabled, the ServerIron changes the source address in the IP packets addressed to the real server to the source IP address configured on the ServerIron. Figure shows an example of the topology shown in Figure 3.36, but in this case the ServerIron is configured for multiple sub-nets instead of the router.
September 2008
3 - 195
Figure 3.37
ServerIron and real servers in multinetted environment ServerIron configured for source NAT
Router 141.149.65.1
SI
-management IP address 141.149.65.10 -VIP 141.149.65.2 - source IP address 10.10.10.5 - source IP address 10.10.10.6 - source IP address 10.10.10.7 - source IP address 10.10.10.8 - source NAT enabled
rs2 10.10.10.3
In this example, the ServerIron is configured with source IP addresses in the real servers sub-net and source NAT is enabled. The configuration requires five CLI commands. No reconfiguration of the router is required. The ServerIron supports a maximum of 64,000 simultaneous connections on each source IP address. This maximum value is based on the architectural limits of IP itself. As a result, if you add only one source IP address, the ServerIron can support up to a maximum of 64,000 simultaneous connections to the real servers. You can configure up to eight source IP addresses, for even more simultaneous connections to the real servers. To implement the configuration shown in Figure , enter commands such as the following: ServerIron(config)# server source-ip 10.10.10.5 255.255.255.0 0.0.0.0 ServerIron(config)# server source-ip 10.10.10.6 255.255.255.0 0.0.0.0 ServerIron(config)# server source-ip 10.10.10.7 255.255.255.0 0.0.0.0 ServerIron(config)# server source-ip 10.10.10.8 255.255.255.0 0.0.0.0 ServerIron(config)# server source-nat ServerIron(config)# server real-name R1 10.10.10.2 ServerIron(config-rs-r1)# port http ServerIron(config-rs-r1)# exit ServerIron(config)# server real-name R2 10.10.10.3 ServerIron(config-rs-r2)# port http ServerIron(config-rs-r2)# exit ServerIron(config)# server virtual-name-or-ip VIP 209.157.22.88 ServerIron(config-vs-VIP1)# port http ServerIron(config-vs-VIP1)# bind http R1 http R2 http ServerIron(config-vs-VIP1)# exit NOTE: If a real server is not reachable from the ServerIron at Layer 2 (does not respond to ARP requests), and if the router connecting the ServerIron to the real server is not running proxy ARP, use the following command instead: server remote-name <name> <ip-addr> This command adds the server as a remote server. See Web Hosting with Geographically-Distributed Servers for information. Alternatively, enable proxy ARP on the router connecting the ServerIron to the real server.
3 - 196
September 2008
When you configure remote servers in addition to local servers, the ServerIron does not include the remote servers in the predictor (load balancing method). Thus, the remote servers are not used unless all local servers are unavailable. NOTE: If you want remote servers to be included in the predictor (load balancing method), configure all the real servers, including the local ones, as remote real servers. Figure 3.38 shows an ISP that wants to use load sharing between two local real servers but use remote servers as failovers if both the local real servers are unavailable. The local servers are load balanced by the ServerIron with IP management address 141.149.65.10. The remote servers are load balanced by the ServerIron with IP management address 150.60.60.6. In this example, a VIP on the ServerIron 2 (150.60.60.26) is configured on the ServerIron 1 (141.149.65.10) as a remote server. The remote server can also be a real servers IP address.
Figure 3.38 Geographically-distributed servers
Router 2 150.60.60.1 management IP address 150.60.60.6 VIP 150.60.60.26
SI-2
Internet
SI-1
rs1 10.10.10.2
- management IP address 141.149.65.10 - VIP1 141.149.65.2 - source IP address 141.149.65.4 - source IP address 141.149.65.5 - source IP address 141.149.65.6 - source IP address 141.149.65.7 - source NAT enabled
rs2 10.10.10.3
When you configure a ServerIron to fail over to a remote server or to a VIP on another ServerIron, the remote server or VIP typically is on a different sub-net. In this case, the ServerIron must perform some additional address translation to ensure that the traffic from the remote server to the client passes back through the ServerIron that originally serviced the request. When the ServerIron sends a client request to a local server, it does not change the source IP address of the clients request. However, the ServerIron does change the destination IP address from the VIP requested by the client to the IP address of a real server. When the real server replies to the request, the servers reply is addressed to the client. The ServerIron changes the source IP address of the servers reply to the VIP, then forwards the reply to the client. When the client receives the reply, the reply appears to have come from the VIP. For the configuration shown in Figure 3.38, you need to enable source NAT. When the ServerIron sends a client request to a real server, the ServerIron does not do source NAT by default. The ServerIron simply performs a destination NAT, changing the VIP address to a real server address. When the real server replies, the ServerIron reverses the destination NAT so that the client sees a reply from the VIP. Real server responses must flow through the ServerIron that performed the original destination NAT so that the NAT can be reversed. Otherwise, the client sees a response from the wrong IP address and either resets the TCP connection or ignores the response. September 2008 2008 Foundry Networks, Inc. 3 - 197
If you use remote servers in a remote sub-net, you must enable source NAT to force traffic to return to the ServerIron that performed the original destination NAT. The source IP addresses used for source NAT must be in the original ServerIrons broadcast domain. The remote real server replies are addressed to the original ServerIron, not to the clients address. The original ServerIron can then properly reverse the destination NAT. In Figure 3.38, client requests initially are addressed to VIP1 on ServerIron 1, 141.149.65.2. If the local real servers are healthy, ServerIron 1 distributes traffic to them using destination NAT in the normal way. However, if all the local real servers become unavailable, ServerIron 1 sends traffic to VIP2 on ServerIron 2. ServerIron 1 sends the traffic by using destination NAT in the usual way, translating VIP1s address into VIP2s address. The client's packet is forwarded to the ServerIron's default gateway. By default, if source NAT is not enabled, this is all that happens. If source NAT is disabled, ServerIron 2 performs a second destination NAT, replacing VIP2s address with R3 or R4s address, depending on which real server is next in the rotation. For this example, assume that ServerIron 2 sends the client request to R3. When R3 replies, the destination address is the clients address and R3s address is replaced by VIP2s address. R3s default gateway forwards this packet directly to the client. ServerIron 1 never sees the packet and never has a chance to reverse the original destination NAT. The client sees a response from 150.60.60.26, rather than 141.149.65.2. The client therefore either resets the TCP connection or simply ignores the response. To avoid this problem, enable source NAT on ServerIron 1 for VIP2, the remote server. In the example in Figure 3.38, ServerIron 1 has four addresses to use with source NAT: 141.149.65.4 141.149.65.5 141.149.65.6 141.149.65.7
When ServerIron 1 sends a packet to VIP2, ServerIron 1 also performs a source NAT using one of these four addresses. The remote servers reply to an address on ServerIron 1 rather than to the clients address. Traffic returns to ServerIron 1 where the original destination NAT is reversed. The client sees a response from VIP1, the same address to which the client sent its request. All of this is transparent to the client, who simply sends a request to a published IP address and receives a response from that address. NOTE: You can enable source NAT globally or an a real server basis (local or remote). If you enable source NAT globally, the ServerIron translates the source address of all client requests. If you enable source NAT locally, on individual real servers, the ServerIron translates the source IP address only for client requests directed to those servers. For example, if you enable source NAT only on the remote servers, the ServerIron translates the source IP addresses only in client requests that the ServerIron directs to the remote servers. Here are the commands for implementing the configuration shown in Figure 3.38. This configuration and all the other configuration information shown here is from the perspective of ServerIron 1. You of course also can configure the remote ServerIron to use a VIP on the local ServerIron as a remote failover. ServerIron-1(config)# server real-name R1 10.10.10.2 ServerIron-1(config-rs-R1)# port http ServerIron-1(config-rs-R1)# exit ServerIron-1(config)# server real-name R2 10.10.10.3 ServerIron-1(config-rs-R2)# port http ServerIron-1(config-rs-R2)# exit The commands shown above configure the local servers. The following commands configure the remote server and enable source NAT for the server. In this example, the remote server is VIP2 configured on ServerIron 2. It is also valid to configure real servers R3 and R4 as the remote servers instead. However, by configuring VIP2 as the remote server, you simplify configuration and also take advantage of the SLB services of ServerIron 2. This example assumes that real servers R3 and R4 and VIP2 are configured on ServerIron 2. ServerIron-1(config)# server remote-name VIP2 150.60.60.26 ServerIron-1(config-rs-VIP2)# source-nat
3 - 198
September 2008
ServerIron-1(config-rs-VIP2)# port http ServerIron-1(config-rs-VIP2)# exit The following commands configure VIP1 on ServerIron 1: ServerIron-1(config)# server virtual-name-or-ip VIP1 141.149.65.2 ServerIron-1(config-vs-VIP1)# port http ServerIron-1(config-vs-VIP1)# bind http R1 http R2 http VIP2 http ServerIron-1(config-vs-VIP1)# exit The following source-ip commands configure source IP addresses to allow the ServerIron to send a client request to a remote server, receive the response, and then send the response to the client. Notice that the source IP addresses added to the ServerIron are not in the sub-net of the remote ServerIron. They are in the sub-net that connects the ServerIrons local router to the Internet. The purpose of the source IP addresses in this configuration is to ensure that the responses from remote servers come back to the ServerIron instead of going directly to the clients, so that the ServerIron can properly change the source addresses of the responses back to the VIP requested by the clients. ServerIron-1(config)# server source-ip 141.149.65.4 255.255.255.0 0.0.0.0 ServerIron-1(config)# server source-ip 141.149.65.5 255.255.255.0 0.0.0.0 ServerIron-1(config)# server source-ip 141.149.65.6 255.255.255.0 0.0.0.0 ServerIron-1(config)# server source-ip 141.149.65.7 255.255.255.0 0.0.0.0 You can implement this type of configuration using just one source IP address. However, an architectural limitation in IP allows a maximum of 64,000 simultaneous connections on an IP address. As a result, to maximize the number of simultaneous connections the ServerIron can have to the remote VIP, add the maximum number of source IP addresses (eight).
September 2008
3 - 199
Figure 3.39
Wide Area Network Remote Access Server (RAS) The ServerIron sends an HTTP redirect to the client so that the client expects a TCP SYN ACK directly from the remote server instead of the local VIP.
SI
To implement HTTP redirect for the VIP shown in Figure 3.39, enter commands such as the following: ServerIron(config)# server real-name r1 10.0.1.5 ServerIron(config-rs-r1)# port http ServerIron(config-rs-r1)# exit ServerIron(config)# server real-name r2 10.0.2.200 ServerIron(config-rs-r2)# port http ServerIron(config-rs-r2)# exit ServerIron(config)# server remote-name r3 192.157.22.244 ServerIron(config-rs-r3)# source-nat ServerIron(config-rs-r3)# port http ServerIron(config-rs-r3)# exit ServerIron(config)# server virtual-name-or-ip VIP 209.157.22.88 ServerIron(config-vs-VIP1)# port http ServerIron(config-vs-VIP1)# bind http r1 80 r2 80 r3 80 ServerIron(config-vs-VIP1)# httpredirect ServerIron(config-vs-VIP1)# exit The command that enables HTTP redirect is shown in bold.
The ServerIron uses the TCS hash mechanism when selecting a cache server and uses the SLB load balancing method (the predictor) when selecting a real server.
3 - 200
September 2008
Basic Example
Figure 3.40 shows an example of a simple Reverse Proxy SLB configuration. Cache servers and real servers are located close to the Web content, as opposed to being close to the client (or the clients ISP), which is usually the case. Because the cache servers are located close to the content, this type of configuration is sometimes called reverse caching or reverse proxy. The ServerIron is a proxy acting on behalf of the client, but the proxy is located with the Web content, rather than with the clients ISP.
Figure 3.40 Basic Reverse Proxy SLB Configuration
Client requests for VIP 209.157.22.26 first go to a cache server. Internet -If the cache has the page, the Ser erIron sends the page v to the client. Remote Access Server (RAS) -If the cache does not have the page the ServerIron sends the , request to a real ser er. v
SI
rs3 10.0.1.6
rs1 10.0.1.4
rs2 10.0.1.5
In this example, the ServerIron is configured to send client requests for VIP 209.157.22.26 to a cache server (C1 or C2). If the cache server does not have the requested content, the ServerIron does not send the request to the Internet, as it does in a standard TCS configuration. Instead, the ServerIron sends the request to a load balanced real server. The commands for implementing the configuration are as follows. The following commands globally enable TCS and configure the cache servers: ServerIron(config)#ip policy 1 cache tcp 80 global ServerIron(config)#server cache-name C1 10.0.1.2 ServerIron(config)#server cache-name C2 10.0.1.3 ServerIron(config)#server cache-group 1 ServerIron(config-tc-1)#cache-name C1 ServerIron(config-tc-1)#cache-name C2 ServerIron(config-tc-1)#exit The following commands configure the real servers: Notice that port 80 (HTTP) is added to each server. ServerIron(config)#server real-name R1 10.0.1.4 ServerIron(config-rs-R1)# port 80 ServerIron(config-rs-R1)# exit ServerIron(config)#server real-name R2 10.0.1.5 ServerIron(config-rs-R2)# port 80 ServerIron(config-rs-R2)# exit ServerIron(config)#server real-name R3 10.0.1.6 ServerIron(config-rs-R3)#port 80 September 2008 2008 Foundry Networks, Inc. 3 - 201
ServerIron(config-rs-R3)#exit The following commands configure the VIP and save the configuration to the ServerIrons startup-config file on the flash memory: ServerIron(config)#server virtual-name-or-ip VIP1 209.157.22.26 ServerIron(config-vs-VIP1)#port 80 ServerIron(config-vs-VIP1)#bind 80 R1 80 R2 80 R3 80 ServerIron(config-vs-VIP1)#cache-enable ServerIron(config)#write memory The cache-enable command enables the Reverse Proxy SLB feature. You must use this command to use Reverse Proxy SLB. Otherwise, the ServerIron will use the standard TCS behavior, and send client requests to the Internet if the cache server does not have the requested content. The cache-enable command configures the ServerIron to send requests that the cache servers cannot fulfill to the real servers instead of to the Internet.
E-Commerce Example
You can use Reverse Proxy SLB in an E-Commerce environment to offer information that is located on a corporate intranet to the general public without compromising network security. Figure 3.41 shows an example of a Reverse Proxy SLB configuration. Notice that this configuration uses multiple ServerIrons. One of the ServerIrons is configured for TCS and Reverse Proxy SLB while the other two are configured for SLB.
Figure 3.41 Reverse Proxy SLB configuration in E-Commerce site
Internet
WAN Router
SI
192.1.1.4 Proxy firewall with NAT 10.10.3.254
VIP 10.10.2.20
SI-A
SI-B
VIP 10.10.3.21
3 - 202
September 2008
In this example, the cache servers are located in the demilitarized zone (DMZ). The DMZ is the part of the company's network that is outside the company firewalls but still on the private side of the company's router connection to the Internet. When a client request comes in from the Internet addressed to VIP 192.1.1.1 on a ServerIron with Reverse Proxy SLB enabled, the ServerIron redirects the request to a cache server. If the cache server has the requested content, the cache server responds directly to the client (through the ServerIron). If the cache server does not have the requested content, the cache server redirects the request to the ServerIron. Normally, a ServerIron configured for TCS redirects a cache request to the Internet. However, since Reverse Proxy SLB is enabled, the ServerIron instead sends the request to a load balanced real server. In this example, the real servers are firewalls acting as proxy servers. The TCS ServerIron is configured with two real servers. Each of them is actually a firewall. Each of the firewalls is configured to perform NAT to translate packets addressed to its interface with the ServerIron into the VIP configured on the SLB ServerIron connected to it. Thus, if the TCS ServerIron sends a client request to firewall interface 192.1.1.5 (configured on the TCS ServerIron as a real server), the firewall translates the packets destination address into VIP 10.10.2.20. NOTE: This example assumes that the firewalls are properly configured to perform the address translations needed for this configuration. The ServerIron to which the firewall (proxy server) sends the client request sends the request to a real server, then sends the response back to the firewall, which again performs NAT and sends the response to the cache server. The cache server then sends the requested content to the client. From the clients perspective, the response arrives from IP address 192.1.1.1. This is true whether the content was on the cache server when the client requested it or the cache server needed to obtain the content from a real server before providing it to the client.
September 2008
3 - 203
NOTE: Some streaming media types can use ports other than their well-known port. However, the ServerIron generally supports only the well-known port. For example, QuickTime can use port 7070, in addition to the more common 554. The ServerIron currently supports streaming media load balancing for QuickTime only on port 554.
3 - 204
September 2008
Figure 3.42 shows a sample configuration where requests for three kinds of streaming media files are load balanced across three real servers.
Figure 3.42 Streaming Media SLB Configuration
SI
Requests for: MS-media files at 192.162.1.50 Real Audio files at 192.162.1.51 QuickTime files at 192.162.1.52 Real Media files at 192.162.1.53 are load balanced across 3 real servers
Virtual IP 192.162.1.50
Predictor weighted
Real IP rs1: 10.10.10.1 rs2: 10.10.10.2 rs3: 10.10.10.3 rs1: 10.10.10.1 rs2: 10.10.10.2 rs3: 10.10.10.3 rs1: 10.10.10.1 rs2: 10.10.10.2 rs3: 10.10.10.3
192.162.1.51
least-conn
7070
7070
192.162.1.52
round-robin
554
554
In this configuration, all the streaming media content is located on the three real servers. Requests for MS-media files on VIP 192.162.1.50 are load balanced across the real servers using the weighted predictor; requests for Real Audio files on VIP 192.162.1.51 are load balanced using the least connections predictor; and requests for QuickTime files on VIP 192.162.1.52 are load balanced using the round-robin predictor. The following commands configure the real servers in Figure 3.42: ServerIron(config)#server real-name rs1 10.10.10.1 ServerIron(config-rs-rs1)#port rtsp ServerIron(config-rs-rs1)#port pnm ServerIron(config-rs-rs1)#port mms ServerIron(config-rs-rs1)#exit ServerIron(config)#server real-name rs2 10.10.10.2 ServerIron(config-rs-rs2)#port rtsp September 2008 2008 Foundry Networks, Inc. 3 - 205
ServerIron(config-rs-rs2)#port pnm ServerIron(config-rs-rs2)#port mms ServerIron(config-rs-rs2)#exit ServerIron(config)#server real-name rs3 10.10.10.3 ServerIron(config-rs-rs3)#port rtsp ServerIron(config-rs-rs3)#port pnm ServerIron(config-rs-rs3)#port mms ServerIron(config-rs-rs3)#exit The following commands bind the real servers to the virtual servers in Figure 3.42: ServerIron(config)#server virtual-name-or-ip MSmedia1755 192.162.1.50 ServerIron(config-vs-MSmedia1755)#predictor weighted ServerIron(config-vs-MSmedia1755)#port mms ServerIron(config-vs-MSmedia1755)#bind mms rs1 mms rs2 mms rs3 mms ServerIron(config-vs-MSmedia1755)#exit ServerIron(config)#server virtual-name-or-ip real7070 192.162.1.51 ServerIron(config-vs-real7070)#predictor least-conn ServerIron(config-vs-real7070)#port pnm ServerIron(config-vs-real7070)#bind pnm rs1 pnm rs2 pnm rs3 pnm ServerIron(config-vs-real7070)#exit ServerIron(config)#server virtual-name-or-ip quicktime554 192.162.1.52 ServerIron(config-vs-quicktime554)#predictor round-robin ServerIron(config-vs-quicktime554)#port rtsp ServerIron(config-vs-quicktime554)#bind rtsp rs1 rtsp rs2 rtsp rs3 rtsp ServerIron(config-vs-quicktime554)#exit NOTE: The ServerIron supports configurations that use port 80 for streaming media. However, a Layer 7 health check may fail because a status code of 404 can be returned in response to GET or HEAD requests. To work around this, you must configure the health check so that 404 is an acceptable status code. To do this, use the command port http status-code 200 404 in the real server configuration.
Layer 3 SLB
TrafficWorks release 8.0 introduced Layer 3 support for ServerIron Chassis devices. The following sections illustrate Layer 3 SLB support in these configurations: Basic SLB with One VLAN and One Virtual Routing Interface on page 3-206 Basic SLB with Multiple Subnets and Multiple Virtual Routing Interfaces on page 3-209
Basic SLB with One VLAN and One Virtual Routing Interface
NOTE: This configuration is supported on ServerIron Chassis devices running software release 8.0 or later. Figure 3.43 illustrates an SLB configuration with one VLAN and one virtual routing interface.
3 - 206
September 2008
Figure 3.43
Basic SLB Configuration with One VLAN and One Virtual Routing Interface
Client Systems Remote Servers 10.2.24.26, 27 HTTP, SSL, FTP, DNS Gateway: 10.2.24.1 rs26 rs27
10.2.24.1/24
Router
Port e1 206.65.1.1
OSPF AREA 0
SLB VIPs: HTTP 206.65.1.100 SSL: 206.65.1.100 FTP: 206.65.1.101 MMS: 206.65.1.102 DNS: 206.65.1.103
ServerIron 400
Port 4/5
ve 1: 164.128.1.254/24
Layer 2 Switch Real Servers 68.1.1.23, 24, 25 HTTP, SSL, FTP, DNS, MMS Gateway: 68.1.1.254 rs23 rs24 rs25
The following commands configure a virtual routing interface on VLAN 1 (the default VLAN), then configure IP addresses on the virtual routing interface. ServerIron(config)#vlan 1 name DEFAULT-VLAN by port ServerIron(config-vlan-1)#router-interface ve 1 ServerIron(config-vlan-1)#exit ServerIron(config)#interface ve 1 ServerIron(config-ve-1)#ip address 68.1.1.254 255.255.255.0 ServerIron(config-ve-1)#ip address 164.128.1.254 255.255.255.0 ServerIron(config-ve-1)#ip address 206.65.1.254 255.255.255.0 ServerIron(config-ve-1)#ip ospf area 0 ServerIron(config-ve-1)#exit ServerIron(config)#ip l4-policy 1 cache tcp 0 global ServerIron(config)#ip l4-policy 2 cache udp 0 global The following list of commands configures OSPF and enables redistribution of static and connected routes into OSPF: ServerIron(config)#router ospf ServerIron(config-ospf-router)#area 0 ServerIron(config-ospf-router)#redistribution connected ServerIron(config-ospf-router)#redistribution static ServerIron(config-ospf-router)#exit The following commands configure the real servers in Figure 3.43: ServerIron(config)#server real rs23 68.1.1.23 ServerIron(config-rs-rs23)#port dns ServerIron(config-rs-rs23)#port mms ServerIron(config-rs-rs23)#port ftp ServerIron(config-rs-rs23)#port ssl ServerIron(config-rs-rs23)#port http ServerIron(config-rs-rs23)#port http url "HEAD /"
September 2008
3 - 207
ServerIron(config-rs-rs23)#exit ServerIron(config)#server real rs24 68.1.1.24 ServerIron(config-rs-rs24)#port dns ServerIron(config-rs-rs24)#port mms ServerIron(config-rs-rs24)#port ftp ServerIron(config-rs-rs24)#port ssl ServerIron(config-rs-rs24)#port http ServerIron(config-rs-rs24)#port http url "HEAD /" ServerIron(config-rs-rs24)#exit ServerIron(config)#server real rs25 68.1.1.25 ServerIron(config-rs-rs25)#port dns ServerIron(config-rs-rs25)#port mms ServerIron(config-rs-rs25)#port ftp ServerIron(config-rs-rs25)#port ssl ServerIron(config-rs-rs25)#port http ServerIron(config-rs-rs25)#port http url "HEAD /" ServerIron(config-rs-rs25)#exit The following commands configure the remote servers in Figure 3.43: ServerIron(config)#server remote-name rs26 10.2.24.26 ServerIron(config-rs-rs26)#source-nat ServerIron(config-rs-rs26)#port dns ServerIron(config-rs-rs26)#port ftp ServerIron(config-rs-rs26)#port ssl ServerIron(config-rs-rs26)#port http ServerIron(config-rs-rs26)#port http url "HEAD /" ServerIron(config-rs-rs26)#exit ServerIron(config)#server remote-name rs27 10.2.24.27 ServerIron(config-rs-rs27)#source-nat ServerIron(config-rs-rs27)#port dns ServerIron(config-rs-rs27)#port ftp ServerIron(config-rs-rs27)#port ssl ServerIron(config-rs-rs27)#port http ServerIron(config-rs-rs27)#port http url "HEAD /" ServerIron(config-rs-rs27)#exit The following commands configure the virtual servers in Figure 3.43: ServerIron(config)#server virtual-name-or-ip www 206.65.1.100 ServerIron(config-vs-www)#port ssl sticky ServerIron(config-vs-www)#port http ServerIron(config-vs-www)#bind ssl rs25 ssl rs24 ssl rs23 ssl ServerIron(config-vs-www)#bind ssl rs27 ssl rs26 ssl ServerIron(config-vs-www)#bind http rs25 http rs24 http rs23 http ServerIron(config-vs-www)#bind http rs27 http rs26 http ServerIron(config-vs-www)#exit ServerIron(config)#server virtual-name-or-ip ftp 206.65.1.101 ServerIron(config-vs-ftp)#port ftp ServerIron(config-vs-ftp)#bind ftp rs25 ftp rs24 ftp rs23 ftp ServerIron(config-vs-ftp)#bind ftp rs27 ftp rs26 ftp ServerIron(config-vs-ftp)#exit ServerIron(config)#server virtual-name-or-ip mms 206.65.1.102 ServerIron(config-vs-mms)#port mms ServerIron(config-vs-mms)#bind mms rs25 mms rs24 mms rs23 mms ServerIron(config-vs-mms)#exit ServerIron(config)#server virtual-name-or-ip dns 206.65.1.103 ServerIron(config-vs-dns)#port dns ServerIron(config-vs-dns)#bind dns rs25 dns rs24 dns rs23 dns
3 - 208
September 2008
Basic SLB with Multiple Subnets and Multiple Virtual Routing Interfaces
NOTE: This configuration is supported on ServerIron Chassis devices running software release 8.0 or later. Figure 3.44 illustrates an SLB configuration with three VLANs and three virtual routing interfaces.
Figure 3.44 Basic SLB configuration with three VLANs and three virtual routing interfaces
rs26
rs27
Client Systems
10.2.24.1/24
Router Port e1 206.65.1.1 OSPF AREA 0 Client Systems 164.128.1.0/24 Network Gateway: 164.128.1.254
VLAN 1 Default
SLB VIPs: HTTP 206.65.1.100 SSL: 206.65.1.100 FTP: 206.65.1.101 MMS: 206.65.1.102 DNS: 206.65.1.103
ServerIron 400
Port 4/5
VLAN 4 IP Subnet Based ve 4: 164.128.1.254/24
Port 3/7
VLAN 2 Port Based ve 2: 68.1.1.254/24
Layer 2 Switch
Real Servers 68.1.1.23, 24, 25 HTTP, SSL, FTP, DNS, MMS Gateway: 68.1.1.254 rs23 rs24 rs25
The following commands configure virtual routing interfaces on VLAN 1 (the default VLAN), VLAN 2, and VLAN 4 and configure IP addresses on the virtual routing interfaces. ServerIron(config)#vlan 1 name DEFAULT-VLAN by port ServerIron(config-vlan-1)#router-interface ve 1 ServerIron(config-vlan-1)#exit ServerIron(config)#interface ve 1 ServerIron(config-ve-1)#ip address 206.65.1.254 255.255.255.0 ServerIron(config-ve-1)#ip ospf area 0 ServerIron(config-ve-1)#exit ServerIron(config)#ip l4-policy 1 cache tcp 0 global ServerIron(config)#ip l4-policy 2 cache udp 0 global ServerIron(config)#vlan 2 by port ServerIron(config-vlan-2)#untagged ethe 3/7 to 3/12 ethe 4/3 to 4/4 ServerIron(config-vlan-2)#router-interface ve 2 ServerIron(config-vlan-2)#exit ServerIron(config)#interface ve 2 ServerIron(config-ve-2)#ip address 68.1.1.254 255.255.255.0 ServerIron(config-ve-2)#ip ospf area 0 ServerIron(config-ve-2)#exit ServerIron(config)#vlan 4 by port September 2008 2008 Foundry Networks, Inc. 3 - 209
ServerIron(config-vlan-4)#untagged ethe 3/13 to 3/24 ethe 4/5 to 4/8 ServerIron(config-vlan-4)#ip-subnet 164.128.1.0 255.255.255.0 name PrivateNet ServerIron(config-vlan-4)#static ethe 3/13 to 3/24 ethe 4/5 to 4/8 ServerIron(config-vlan-4)#router-interface ve 4 ServerIron(config-vlan-4)#exit ServerIron(config)#interface ve 4 ServerIron(config-ve-4)#ip address 164.128.1.254 255.255.255.0 ServerIron(config-ve-4)#ip ospf area 0 ServerIron(config-ve-4)#exit The following list of commands configures OSPF and enables redistribution of static as well as connected routes into OSPF: ServerIron(config)#router ospf ServerIron(config-ospf-router)#area 0 ServerIron(config-ospf-router)#redistribution connected ServerIron(config-ospf-router)#redistribution static ServerIron(config-ospf-router)#exit The following commands configure the real servers in Figure 3.44: ServerIron(config)#server real rs23 68.1.1.23 ServerIron(config-rs-rs23)#port dns ServerIron(config-rs-rs23)#port mms ServerIron(config-rs-rs23)#port ftp ServerIron(config-rs-rs23)#port ssl ServerIron(config-rs-rs23)#port http ServerIron(config-rs-rs23)#port http url "HEAD /" ServerIron(config-rs-rs23)#exit ServerIron(config)#server real rs24 68.1.1.24 ServerIron(config-rs-rs24)#port dns ServerIron(config-rs-rs24)#port mms ServerIron(config-rs-rs24)#port ftp ServerIron(config-rs-rs24)#port ssl ServerIron(config-rs-rs24)#port http ServerIron(config-rs-rs24)#port http url "HEAD /" ServerIron(config-rs-rs24)#exit ServerIron(config)#server real rs25 68.1.1.25 ServerIron(config-rs-rs25)#port dns ServerIron(config-rs-rs25)#port mms ServerIron(config-rs-rs25)#port ftp ServerIron(config-rs-rs25)#port ssl ServerIron(config-rs-rs25)#port http ServerIron(config-rs-rs25)#port http url "HEAD /" ServerIron(config-rs-rs25)#exit The following commands configure the remote servers in Figure 3.44: ServerIron(config)#server remote-name rs26 10.2.24.26 ServerIron(config-rs-rs26)#source-nat ServerIron(config-rs-rs26)#port dns ServerIron(config-rs-rs26)#port ftp ServerIron(config-rs-rs26)#port ssl ServerIron(config-rs-rs26)#port http ServerIron(config-rs-rs26)#port http url "HEAD /" ServerIron(config-rs-rs26)#exit ServerIron(config)#server remote-name rs27 10.2.24.27 ServerIron(config-rs-rs27)#source-nat ServerIron(config-rs-rs27)#port dns ServerIron(config-rs-rs27)#port ftp ServerIron(config-rs-rs27)#port ssl ServerIron(config-rs-rs27)#port http
3 - 210
September 2008
ServerIron(config-rs-rs27)#port http url "HEAD /" ServerIron(config-rs-rs27)#exit The following commands configure the virtual servers in Figure 3.44: ServerIron(config)#server virtual-name-or-ip www 206.65.1.100 ServerIron(config-vs-www)#port ssl sticky ServerIron(config-vs-www)#port http ServerIron(config-vs-www)#bind ssl rs25 ssl rs24 ssl rs23 ssl ServerIron(config-vs-www)#bind ssl rs27 ssl rs26 ssl ServerIron(config-vs-www)#bind http rs25 http rs24 http rs23 http ServerIron(config-vs-www)#bind http rs27 http rs26 http ServerIron(config-vs-www)#exit ServerIron(config)#server virtual-name-or-ip ftp 206.65.1.101 ServerIron(config-vs-ftp)#port ftp ServerIron(config-vs-ftp)#bind ftp rs25 ftp rs24 ftp rs23 ftp ServerIron(config-vs-ftp)#bind ftp rs27 ftp rs26 ftp ServerIron(config-vs-ftp)#exit ServerIron(config)#server virtual-name-or-ip mms 206.65.1.102 ServerIron(config-vs-mms)#port mms ServerIron(config-vs-mms)#bind mms rs25 mms rs24 mms rs23 mms ServerIron(config-vs-mms)#exit ServerIron(config)#server virtual-name-or-ip dns 206.65.1.103 ServerIron(config-vs-dns)#port dns ServerIron(config-vs-dns)#bind dns rs25 dns rs24 dns rs23 dns
September 2008
3 - 211
NOTE: In some network configurations where many-to-one address translation is required, NAT transparency may be required. NAT transparency basically encapsulates IKE and ESP packets into another transport protocol such as UDP so that address-translating devices know how to correctly handle the address translation. Release 08.1.00S does not support UDP or TCP encapsulation for IPsec. You can configure a single ServerIron to load balance traffic for multiple VPN devices or use a pair of ServerIrons in an Active-Standby or Active-Active configuration to provide redundancy and improved performance when load balancing multiple VPN devices. See Sym-Active in an IPsec/IKE Load Balancing Configuration on page 7-42 for an example. Figure 3.45 shows an example of a basic IPsec/IKE load balancing configuration. In this example, a single ServerIron is configured to load balance VPN traffic across two VPN devices. A Layer 2 switch on the other side of the VPN devices connects the VPN devices to content servers. When a client sends a request to the VPN IP address, the ServerIron forwards the request to one of the VPN devices. The VPN device authenticates the request and either denies the request or forwards the request to a content server. When the ServerIron receives return traffic from a VPN device, the ServerIron forwards the return traffic to the client.
Figure 3.45 Basic IPsec and VPN Load Balancing
Router to Clients
ServerIron
VPN1
VPN2
Layer 2 Switch
3 - 212
September 2008
Configuration Example
Here are the CLI commands to implement the configuration shown in Figure 3.45 on page 3-212. The following commands change the CLI to global CONFIG level, add the management IP address, and identify the default gateway. ServerIron> enable ServerIron# configure terminal ServerIron(config)# ip address 192.168.1.1 255.255.255.0 ServerIron(config)# ip default-gateway 192.168.1.254 The following commands add the real server definitions for the VPN devices: ServerIron(config)# server real-name VPN1 192.168.1.10 ServerIron(config-rs-VPN1)# port 500 ServerIron(config-rs-VPN1)# exit ServerIron(config)# server real-name VPN2 192.168.1.11 ServerIron(config-rs-VPN2)# port 500 ServerIron(config-rs-VPN2)# exit The following commands configure the virtual server definition for the VPN address. ServerIron(config)# server virtual-name-or-ip VPNaddr 192.168.1.100 ServerIron(config-vs-VPNaddr)# sw-l4-vpn-tunnel ServerIron(config-vs-VPNaddr)# port 500 ServerIron(config-vs-VPNaddr)# bind 500 vpn1 500 vpn2 500
September 2008
3 - 213
ServerIron(config-vs-VPNaddr)# exit The following commands enable Layer 4 switching for TCP traffic and save the configuration changes to the startup-config file. ServerIron(config)# ip l4-policy 1 cache tcp 0 global ServerIron(config)# write memory
SI A Configuration
To add real server rs3, with four application ports, enter commands such as the following: ServerIronA(config)# server real rs3 10.10.20.103 ServerIronA(config-rs-rs3)# port http ServerIronA(config-rs-rs3)# port ftp ServerIronA(config-rs-rs3)# port dns ServerIronA(config-rs-rs3)# port rtsp ServerIronA(config-rs-rs3)# exit To enable session synchronization on the four application ports, enter commands such as the following: ServerIronA(config)# server port 80 ServerIronA(config-port-http)# session-sync ServerIronA(config-port-http)# exit ServerIronA(config)# server port 21 ServerIronA(config-port-ftp)# session-sync ServerIronA(config-port-ftp)# exit ServerIronA(config)# server port 53 ServerIronA(config-port-dns)# session-sync ServerIronA(config-port-dns)# exit ServerIronA(config)# server port 554 ServerIronA(config-port-rtsp)# session-sync ServerIronA(config-port-rtsp)# exit To create virtual server vs1 and bind the application ports on rs3 to the virtual server, enter commands such as the following: ServerIronA(config)# server virtual-name-or-ip vs1 10.10.20.100 ServerIronA(config-vs-vs1) #port http ServerIronA(config-vs-vs1)# port ftp ServerIronA(config-vs-vs1)# port dns ServerIronA(config-vs-vs1)# port rtsp ServerIronA(config-vs-vs1)# bind 80 rs3 80 ServerIronA(config-vs-vs1)# bind 21 rs3 21 ServerIronA(config-vs-vs1)# bind 53 rs3 53 ServerIronA(config-vs-vs1)# bind 554 rs3 554 To configure a Symmetric SLB (SSLB) priority and enable the active-active mode for SSLB, enter commands such as the following: ServerIronA(config-vs-vs1)# sym-priority 254 ServerIronA(config-vs-vs1)# sym-active To configure policies that enable SLB, enter commands such as the following: ServerIronA(config)# ip l4-policy 1 cache tcp 0 global ServerIronA(config)# ip l4-policy 2 cache udp 0 global
3 - 214
September 2008
The following command, entered at the VRID configuration level for VRID 1 on virtual routing interface 1, sets the backup priority to 200, which is higher than the default priority (100). By setting this ServerIrons VRRP-E backup priority to a higher value than the other ServerIrons VRRP-E backup priority, you can ensure that the same ServerIron will be the active ServerIron for the VIP and the VRRP-E address. Make sure the ServerIron that has the higher SSLB priority also has the higher VRRP-E priority. Otherwise, after a VRRP-E failover, it is possible for a ServerIron to become the VRRP-E master without the VIP also failing over to the ServerIron. In this case, one ServerIron is the master for the VRID while the other ServerIron is the master for the VIP. ServerIronA(config-ve-1-vrid1)# backup priority 200 Make sure the ServerIron that has the higher SSLB priority also has the higher VRRP-E priority. To set the backup priority for VRID 2 to 200, enter the following command at the VRID configuration level for VRID 2 on virtual routing interface 2: ServerIronA(config-ve-2-vrid2)# backup priority 200
SI B Configuration
The following commands add the SLB information for ServerIron B. Notice that the information is the same except for the SSLB priority, which is set to 100. The VRRP-E backup priority is not changed and remains set at the default (100). ServerIronB(config)# server real rs3 10.10.20.103 ServerIronB(config-rs-rs3)# port http ServerIronB(config-rs-rs3)# port ftp ServerIronB(config-rs-rs3)# port dns ServerIronB(config-rs-rs3)# port rtsp ServerIronB(config-rs-rs3)# exit ServerIronB(config)# server port 80 ServerIronB(config-port-http)# session-sync ServerIronB(config-port-http)# exit ServerIronB(config)# server port 21 ServerIronB(config-port-ftp)# session-sync ServerIronB(config-port-ftp)# exit ServerIronB(config)# server port 53 ServerIronB(config-port-dns)# session-sync ServerIronB(config-port-dns)# exit ServerIronB(config)# server port 554 ServerIronB(config-port-rtsp)# session-sync ServerIronB(config-port-rtsp)# exit ServerIronB(config)# server virtual-name-or-ip vs1 10.10.20.100 ServerIronB(config-vs-vs1) #port http ServerIronB(config-vs-vs1)# port ftp ServerIronB(config-vs-vs1)# port dns ServerIronB(config-vs-vs1)# port rtsp ServerIronB(config-vs-vs1)# bind 80 rs3 80 ServerIronB(config-vs-vs1)# bind 21 rs3 21 ServerIronB(config-vs-vs1)# bind 53 rs3 53 ServerIronB(config-vs-vs1)# bind 554 rs3 554 ServerIronB(config-vs-vs1)# sym-priority 100 ServerIronB(config-vs-vs1)# sym-active ServerIronB(config)# ip l4-policy 1 cache tcp 0 global ServerIronB(config)# ip l4-policy 2 cache udp 0 global
server opt-enable-route-recalculation
For optimized SLB, the ServerIron does not calculate a reverse route for every packet in a flow. In this scenario, the ServerIron uses the route that it learns in the first reverse packet, such as SYN-ACK packet. However, this calculation might not be desirable in a environment where a route can be dynamically changed, such as a case September 2008 2008 Foundry Networks, Inc. 3 - 215
with upstream firewall fail-over, where the new firewall has the same IP address but a different MAC address. To cover these cases, the server opt-enable-route-recalculation command, forces the ServerIron to dynamically calculate the reverse route. NOTE: This command should only be used when there is a need to recalculate reverse route. Most cases don't require this.
Limitations
Source-Port Based BP Distribution has the following limitations: This feature does not allow IP Fragmentation. This feature only works with Layer 4 SLB configurations. It does not work with Layer 7 switching. This feature is only available on Jetcore I/0 modules and 10G blades with an FPGA version greater than or equal to 51. This feature does not support combinations such as SLB + IP NAT and SLB + TRL. This feature does not work with sticky features such as source sticky, sticky concurrent, track port, and track group. This feature does not work with protocols that negotiate dynamic ports such as FTP, RTSP, MMS, and TFTP.
3 - 216
September 2008
0 1 0 1 0 1 0 1 0 1 0 1 0 1 0 1
0 1 0 1 0 1 0 1 0 1 0 1 0 1 0 1
0 0 0 1 0 0 0 0 1 1 1 1 0 1 0 1
a. BP#1 refers to BP1 on active M6/M7. b.BP#1 and BP#2 refer to BP1 and BP2 on M6/M7 respectively. c.BP#1, BP#2 and BP#3 refer to BP1, BP2 & BP3 on M6/M7 respectively. For 1-BP M6/M7, source port hashing results in 100% of the traffic going to the single BP in the system. For a 2-BP M6/M7, source port hashing results in 50% of traffic to each of the BPs. For a 3-BP M6/M7, source port hashing results in BP1 receiving 37.5% of the traffic, and BP2 and BP3 each receive 31.25% of the traffic. This assumes that the traffic is received from contiguous source ports. On the reverse direction, traffic is hashed based on destination ports. Note that there are 4 more bits of destination port used in the hashing but that will not affect the distribution. This is the exact scheme we use in source IP hashing.
September 2008
3 - 217
0 1 0 1 0 1 0 1 0 1 0 1 0 1 0 1
0 1 0 1 0 1 0 1 0 1 0 1 0 1 0 1
0 0 1 1 0 0 0 0 1 1 0 0 0 1 0 1
a. BP#1 refers to BP1 on active M6/M7. b.BP#1 and BP#2 refer to BP1 and BP2 on M6/M7 respectively. c.BP#1, BP#2 and BP#3 refer to BP1, BP2 & BP3 on M6/M7 respectively. For 1-BP M6/M7, source port hashing results in 50% of the traffic going to the BP on the active module and 50% of the traffic going to the BP on the secondary module. For 2-BP M6/M7, source port hashing results in 25% of the traffic going to each of the 2 BPs on the active module and each of the 2 BPs on the secondary module. For a 3-BP M6/M7, source port hashing results in 18.75% of the traffic going to each BP of the active management module. On the secondary management module, BP1 receives 18.75% of the traffic, while BP2 and BP3 receive 12.5% of the traffic. This assumes that the traffic is received from contiguous source ports.
3 - 218
September 2008
September 2008
3 - 219
Define IP Routes
ServerIron(config)# ip route 0.0.0.0 0.0.0.0 40.40.40.5 ServerIron(config)# ipv6 route 700::/64 400::212:f2ff:fea8:1400 ServerIron(config)# exit
3 - 220
September 2008
ServerIron(config-vip-group-[1])# vip 31.31.31.250 ServerIron(config-vip-group-[1])# exit ServerIron(config-ve-10)# ipv6 vrrp-extended vrid 1 ServerIron(config-ve-10-vrid-1)# backup ServerIron(config-ve-10-vrid-1)# ip address fe80::35 ServerIron(config-ve-10-vrid-1)# track-port e 3/1 priority 15 ServerIron(config-ve-10-vrid-1)# enable ServerIron(config-ve-10-vrid-1)# exit ServerIron(config-ve-10)# exit ServerIron(config-if-3/1)# ipv6 vrrp-extended vrid 4 ServerIron(config-if-3/1-vrid-5)# backup ServerIron(config-if-3/1-vrid-5)# ip address fe80::36 ServerIron(config-if-3/1-vrid-5)# vip-group 1 ServerIron(config-if-3/1-vrid-5)# enable ServerIron(config-if-3/1-vrid-5)# exit ServerIron(config-if-3/1)# exit ServerIron(config-ve-10)# ip vrrp-extended vrid 3 ServerIron(config-ve-10-vrid-3)# backup ServerIron(config-ve-10-vrid-3)# ip-address 31.31.31.3 ServerIron(config-ve-10-vrid-3)# track-port e 3/1 priority 15 ServerIron(config-ve-10-vrid-3)# enable ServerIron(config-ve-10-vrid-3)# exit ServerIron(config-if-3/1)# ip vrrp-extended vrid 5 ServerIron(config-if-3/1-vrid-5)# backup ServerIron(config-if-3/1-vrid-5)# ip-address 40.40.40.3 ServerIron(config-if-3/1-vrid-5)# enable ServerIron(config-if-3/1-vrid-5)# exit
Miscellaneous
ServerIron(config)# ServerIron(config)# ServerIron(config)# ServerIron(config)# ServerIron(config)# ServerIron(config)# aaa authentication web-server default local no enable aaa console exit telnet server username admin password ..... snmp-server
September 2008
3 - 221
3 - 222
September 2008
This chapter describes Server Load Balancing configuration options that are stateless. Stateless SLB does not use session table entries for the TCP and UDP sessions between the ServerIron and clients or real servers. These configuration options are useful if you want to deploy multiple ServerIrons to provide service for the same VIPs or applications but the network topology cannot ensure that server responses will pass back through the ServerIron. NOTE: The Direct Server Return (DSR) feature allows you to deploy a single ServerIron in a network where the server responses do not pass back through the ServerIron. Compare the configuration example for SwitchBack with the examples in this chapter to determine which type of configuration is applicable to your network. See DSR on page 3-146. NOTE: ServerIron does not support Stateless SLB with aliased ports, such as shown in the following configuration: server virtual-name-or-ip v3 10.176.7.23 port dns port dns stateless bind dns rs1 7777 real-port dns
September 2008
4-1
NOTE: The SwitchBack feature also allows server responses to take paths that do not pass back through the ServerIron. However, SwitchBack still uses session table resources because the ServerIron creates a session table entry for the connection from the client to the real server. NOTE: ServerIron software currently supports stateless TCP/UDP only for stateless application protocols such as HTTP (TCP port 80).
If client 209.161.1.88s Web browser sent the request from TCP port 8080, and the ServerIrons hash calculation resulted in selection of real server 10.10.10.2, the packet would have the following address values: Source IP: 209.161.1.88 Source application port: 8080 Destination IP: real servers IP 10.10.10.2 Destination application port: 80
Since the clients request contains the clients IP address and application port, the real server can send the packet back to the client by any valid routing path. The request does not need to pass back through the ServerIron that forwarded the request. In fact, the ServerIron that forwards the requests to the transparent VIP does not create session table entries for the requests. Since the ServerIron does not maintain state information for the requests for the stateless application port, the ServerIron does not care whether the server response for a stateless port passes back through the ServerIron on the way to the client. For a normally configured VIP, the servers response passes back though the ServerIron. For a transparent VIP, the response does not necessarily pass back through the ServerIron. NOTE: Since the ServerIron does not create session table entries for requests to the stateless application port, you cannot use ServerIron features that use information in the session table. For example, you cannot use source NAT, port translation, and so on.
4-2
September 2008
ServerIron(config)#server real R1 10.10.10.1 ServerIron(config-rs-R1)#port http ServerIron(config-rs-R1)#exit ServerIron(config)#server real R2 10.10.11.1 ServerIron(config-rs-R2)#port http ServerIron(config-rs-R2)#exit ServerIron(config)#server virtual-name-or-ip StatelessHTTP 192.168.4.69 ServerIron(config-vs-StatelessHTTP)#port http stateless ServerIron(config-vs-StatelessHTTP)#bind http R1 http ServerIron(config-vs-StatelessHTTP)#bind http R2 http Syntax: [no] port <tcp/udp-portnum> stateless The <tcp/udp-portnum> parameter specifies the application port you want to make stateless.
September 2008
4-3
The no-hash parameter disables the SLB hashing mechanism for the port (and protocol, if specified). When hashing is disabled, the ServerIron uses the round-robin load balancing method to select a real server for each request.
Internet
ASBR
ServerIron A
ASBR
ASBR
ServerIron B
ASBR
SI
ABR ABR
SI
ABR
Internal Router
Internal Router
Internal Router
R1 10.10.10.2
R2 10.10.10.3
R3 10.10.11.2
R4 10.10.11.3
R5 10.10.12.2
R6 10.10.12.3
R7 192.168.4.69
R8 192.168.4.70
In this example, a link failure has caused 10.10.12.1 to be unavailable. Since transparent VIP uses hashing to select a server, ServerIrons A and B might continue to send requests to 10.10.12.1 until they learn that the site is unavailable. Due to network conditions, ServerIron B learns about the site going down before ServerIron A. As a
4-4
September 2008
result, ServerIron A continues to send requests to the down site whereas ServerIron B is already sending the requests to other sites. Stateless health checking prevents ServerIrons in this type of configuration from having conflicting server health information. To implement stateless health checking, configure a group that contains the management IP addresses of all the ServerIrons configured for transparent VIP. Then assign each of the ServerIrons in the group a stateless health checking priority. The ServerIron with the highest priority becomes the master for server health information. If the master becomes unavailable, the available ServerIron with the highest priority becomes the new master.
2.
The <num> parameter specifies the stateless health check group ID. You can specify a number from 1 16. There is no default. The <ip-addr>...parameter specifies a list of ServerIron management IP addresses. You can specify up to four addresses with the command. Separate each address with a space. You can configure up to 16 ServerIron management IP addresses. To do so, enter the command four times and specify different addresses each time. NOTE: Make sure you add the management IP address for each of the other ServerIrons in the group. Do not include the ServerIrons own management address in the list.
September 2008
4-5
NOTE: If you do not set the stateless health check priority on a ServerIron, that ServerIron does not participate in stateless health checking. If you set the same priority on all the ServerIrons, their priorities are based on their management IP addresses instead. In this case, a higher management IP address has more priority than a lower management IP address.
4-6
September 2008
This chapter describes the Health Check features in the ServerIron. It contains the following major sections: Health Checks Overview on page 5-1 Server and Application Port States on page 5-14 Best Path to a Remote Server on page 5-17 Layer 3 Health Check on page 5-18 Layer 4 Health Check on page 5-20 Health Checks for Firewall Paths on page 5-21 Port Profiles and Attributes on page 5-22 Reassign Threshold on page 5-30 SSL Health Checks on page 5-32 Layer 7 Health Checks on page 5-33 Health Check of Multiple Web Sites on the Same Real Server on page 5-48 Boolean Health-Check Policies on page 5-49 Displaying Syslog Entries on page 5-62 Session Table Parameters on page 5-62 Slow-Start Mechanism on page 5-67 LDAP Over SSL on page 5-75 09.2.00 Scripted Health Check Enhancement for Boolean on page 5-76 FIN Close for Server Health Check on page 5-78
5-1
Later, when you bind the real server to a Virtual IP (VIP) server, the ServerIron sends a Layer 4 or Layer 7 health check to bring up the port you used for the binding. For example, if you bind a real server to a virtual server using port HTTP, the ServerIron sends an HTTP Layer 7 health check to bring up the HTTP port on the real server. The ServerIron performs the health checks described above by default. In addition, you can enable periodic Layer 4 or Layer 7 keepalive health checks for individual application ports. Following successful bringup of an application port when you bind a real server to a virtual server, the ServerIron repeats the Layer 4 or Layer 7 keepalive health check to continually verify the health of the port.
Application Ports
The ServerIron selects a Layer 4 or Layer 7 health check based on whether the application port is known to the ServerIron. A Layer 4 health check is a TCP or UDP request and is not related to a specific application. A Layer 7 health check is an application-aware health check designed for the specific application. The following application ports are known to the ServerIron. The ServerIron performs Layer 7 health checks for these ports. For other ports, the ServerIron performs a Layer 4 TCP or UDP health check instead: TCP Ports 5-2 FTP (port 21). Ports 20 and 21 both are FTP ports but on the ServerIron, the name FTP corresponds to port 21. HTTP (port 80) IMAP4 (port 143) LDAP (port 389) MMS (port 1755) NNTP (port 119) PNM (port 7070) POP3 (port 110) RTSP (port 554) 2008 Foundry Networks, Inc. September 18, 2008
Health Checks
UDP Ports DNS (port 53) RADIUS (port 1812 RADIUS-OLD (port 1645), which is used in some older RADIUS implementations instead of port 1812 NOTE: You can add either port 1812 or port 1645 to a given real or virtual server, but you cannot add both ports to the same server. The keepalive health checks are disabled by default. To enable a keepalive health check for an application port, configure a port profile for the port (which automatically enables the keepalive globally for the port) or enable the keepalive on individual real servers that use the port.
The following Layer 3 health check types are supported: ARP Request IP Ping
ARP Request
A standard IP ARP request for the servers MAC address, which the ServerIron adds to its ARP table.
Perform:
When you configure a real server
IP Ping
A standard ICMP-based IP ping.
Performed
When you configure a real server If the ARP entry ages out If the time between the last packet sent to the server and the last packet received from the server increases
5-3
Table 5.1: Summary of L3 Health Checks Type ARP request IP ping When Performed When you configure a real server When you configure a real server If the ARP entry ages out If the time between the last packet sent to the server and the last packet received from the server increases Description A standard IP ARP request for the servers MAC address, which the ServerIron adds to its ARP table. A standard ICMP-based IP ping.
5-4
Health Checks
UDP health check The ServerIron sends a UDP packet with garbage (meaningless) data to the UDP port: If the server responds with an ICMP Port Unreachable message, the ServerIron concludes that the port is not alive. If the server does not respond at all, the ServerIron assumes that the port is alive and received the garbage data. Since UDP is a connectionless protocol, the ServerIron and other clients do not expect replies to data sent to a UDP port. Thus, lack of a response indicates a healthy port.
NOTE: The ServerIron assumes that a port is a UDP port unless you configure the port as a TCP port. To configure a port as a TCP port, add a port profile for the port and specify the port type TCP. See Port Profiles and Attributes on page 5-22. After the ServerIron sends an initial packet (TCP or UDP) to the server to bring the port up, the ServerIron waits one second and then checks for a response from the server. If no response is received during that time, the ServerIron will send another packet. The time at which the ServerIron sends the second packet depends on the number of ports being brought up at that time. The ServerIron will send the second packet after it has sent initial packets to all the other ports being brought up at that time. By default, the ServerIron does not repeat the Layer 4 health check after bringing up the port when you bind the real server to the virtual server. However, you can enable a periodic keepalive health check for the port. To configure the keepalive health check globally, configure a port profile for the port. You also can enable or disable the keepalive health check on individual real servers. The following Layer 4 health check types are supported: TCP UDP
TCP
The ServerIron attempts to engage in a normal three-way TCP handshake with the port on the real server: The ServerIron sends a TCP SYN packet to the port on the real server. The ServerIron expects the real server to respond with a SYN ACK. If the ServerIron receives the SYN ACK, the ServerIron sends a TCP RESET, satisfied that the TCP port is alive.
Performed
When you bind a TCP application port on a real server to a TCP application port on a virtual server At regular intervals, if keepalive is enabled for the port and the port does not have a Layer 7 health check
5-5
UDP
The ServerIron sends a UDP packet with garbage (meaningless) data to the UDP port. If the server responds with an ICMP Port Unreachable message, the ServerIron concludes that the port is not alive. If the server does not respond at all, the ServerIron assumes that the port is alive and received the garbage data. Since UDP is a connectionless protocol, the ServerIron and other clients do not expect replies to data sent to a UDP port. Thus, lack of a response is a good outcome.
Performed
When you bind a UDP application port on a real server to a UDP application port on a virtual server At regular intervals, if keepalive is enabled for the port and the port does not have a Layer 7 health check
Table 5.2: Summary of L4 Health Checks Type TCP When Performed When you bind a TCP application port on a real server to a TCP application port on a virtual server At regular intervals, if keepalive is enabled for the port and the port does not have a Layer 7 health check Description The ServerIron attempts to engage in a normal threeway TCP handshake with the port on the real server: The ServerIron sends a TCP SYN packet to the port on the real server. The ServerIron expects the real server to respond with a SYN ACK. If the ServerIron receives the SYN ACK, the ServerIron sends a TCP RESET, satisfied that the TCP port is alive.
UDP
When you bind a UDP application port on a real server to a UDP application port on a virtual server At regular intervals, if keepalive is enabled for the port and the port does not have a Layer 7 health check
The ServerIron sends a UDP packet with garbage (meaningless) data to the UDP port. If the server responds with an ICMP Port Unreachable message, the ServerIron concludes that the port is not alive. If the server does not respond at all, the ServerIron assumes that the port is alive and received the garbage data. Since UDP is a connectionless protocol, the ServerIron and other clients do not expect replies to data sent to a UDP port. Thus, lack of a response is a good outcome.
5-6
Health Checks
You can enable a Layer 7 health check globally by configuring a port profile or locally by enabling the health check on an individual real server. In addition, you can customize some types of Layer 7 health checks for individual real servers. For example, you can specify a URL that the ServerIron should request on a specific real server when sending the Layer 7 HTTP health check to that server. The following Layer 7 health check types are supported: DNS on page 5-7 FTP on page 5-8 HTTP (Status Code) on page 5-8 HTTP (Content Verification) on page 5-9 Scripted (Content Verification for Unknown Ports) on page 5-9 IMAP4 on page 5-10 LDAP on page 5-10 MMS on page 5-10 NNTP on page 5-11 PNM on page 5-11 POP3 on page 5-11 RADIUS on page 5-12 RTSP on page 5-12 SMTP on page 5-12 SSL (Complete) on page 5-13 SSL (Simple) on page 5-13 Telnet on page 5-13
DNS
The ServerIron performs one or both of the following types of DNS health checks: Address-based The ServerIron sends an address request for a specific domain name. If the server successfully responds with the IP address for the domain name, the server passes the health check. Zone-based The ServerIron sends a Source-of-Authority (SOA) request for a specific zone name. If the server is authoritative for the zone and successfully responds to the SOA request, the server passes the health check.
NOTE: If you configure both types of DNS health check for a server, the server must successfully respond to both health checks to remain in the server rotation. You enable each type of DNS health check on a global basis and configure them on an individual server basis. If the server replies with the requested IP address or zone name, the ServerIron considers the server port to be and marks it ACTIVE. If the server does not reply with the requested IP address or zone name, the ServerIron retries the health check up to the number of times configured (the default is two retries). If the server still does not send the requested information, the ServerIron marks the DNS port on the server FAILED and removes the server from the rotation for DNS services.
5-7
NOTE: By default, the health check is non-recursive. If the real server (DNS server) does not successfully reply to the health check, then the DNS port fails the health check. You can enable the real server to perform a recursive lookup for the IP address or zone requested by the health check. In this case, if the real server does not have the requested address or zone, the server can pass the request on to a DNS server with higher authority. See Enabling Recursive DNS Health Checks on page 5-29.
Performed
Immediately following a successful Layer 4 UDP health check At regular intervals, if keepalive is enabled for the port
Configuration
To perform a health check on a DNS port, use a configuration such as the following: EXAMPLE ServerIron(config-port-dns)#sh run | b 53 server port 53 udp keepalive 15 3 tcp keepalive disable server real rs1 2.2.2.200 port dns port dns keepalive port dns addr_query "www.foundry.com" server virtual-name-or-ip test 2.2.2.222 sticky-age 60 port dns port dns stateless no-hash bind dns linux dns rs1 dns ! end
FTP
The ServerIron waits for a message from the server. If the server sends a greeting message with status code 220, the ServerIron resets the connection and marks the port ACTIVE. If the server does not send a greeting message with status code 220, the ServerIron retries the health check up to the number of times configured (the default is two retries). If the server still does not send the expected message, the ServerIron marks the server port FAILED and removes the server from the load-balancing rotation for FTP service.
Performed
Immediately following a successful Layer 4 TCP health check At regular intervals, if keepalive is enabled for the port
5-8
Health Checks
The GET or HEAD request specifies a page (identified by the URL, Universal Resource Locator) on the server. By default, the ServerIron sends a HEAD request for the default page, 1.0. If the server responds with an acceptable status code, the ServerIron resets the connection and marks the port ACTIVE. For SLB, the default acceptable status codes for the check are 200 299 and 401. For TCS, the default acceptable status codes are 100 499. If the server responds with a different status code, the ServerIron marks the HTTP port FAILED. If the server does not respond, the ServerIron retries the health check up to the number of times configured (the default is two retries). If the server still does not respond, the ServerIron marks the server port FAILED and removes the server from the load-balancing rotation for HTTP service.
NOTE: You can change the status code range for individual servers. If you do so, the defaults are removed and only the status code ranges you specify cause the server to pass the health check.
Performed
Immediately following a successful Layer 4 TCP health check At regular intervals, if keepalive is enabled for the port
See Configuring HTTP Content Matching Lists on page 5-35 for information on specifying a page to check and setting up lists of selection criteria
Performed
Immediately following a successful Layer 4 TCP health check At regular intervals, if keepalive is enabled for the port
5-9
FAILED. If the text in the response meets none of the selection criteria, then the ServerIron marks the port either ACTIVE or FAILED according to a user-defined setting. If no response is received within the configured interval (the default is five seconds), the ServerIron sends a RST and retries the health check. After the configured number of retries (the default is two retries), if the server still does not respond, the ServerIron marks the server port FAILED.
See Configuring Scripted Health Checks on page 5-38 for more information.
Performed
Immediately following a successful Layer 4 TCP health check At regular intervals, if keepalive is enabled for the port
IMAP4
The ServerIron waits for a message from the IMAP4 server. If the server sends a greeting message that starts with * OK, The ServerIron sends a Logout command to the IMAP4 port on the real server, then resets the connection and marks the port ACTIVE. If the server does not send a greeting message that starts with * OK, the ServerIron retries the health check up to the number of times configured (the default is two retries). If the server still does not send the expected message, the ServerIron marks the server port FAILED and removes the server from the load-balancing rotation for IMAP4 service.
Performed
Immediately following a successful Layer 4 TCP health check At regular intervals, if keepalive is enabled for the port
LDAP
The ServerIron sends a bind request to the LDAP server and waits for a reply. The bind request includes a configurable version number. The version number can be 2 or 3. The default is 3. If the server sends a bind reply with result code 0 (no error), the ServerIron resets the connection and marks the port ACTIVE. If the server does not send a bind reply by the time the LDAP keepalive retries expires, the ServerIron retries the health check up to the number of times configured (the default is two retries). If the server still does not respond, the ServerIron marks the server port FAILED and removes the server from the load-balancing rotation for LDAP service.
Performed
Immediately following a successful Layer 4 TCP health check At regular intervals, if keepalive is enabled for the port
MMS
The ServerIron sends an intentionally invalid request to the server. If the server replies with a packet containing the value "MMS", the ServerIron marks the port ACTIVE. If the server does not reply with a packet containing the value "MMS", the ServerIron retries the health check up to the number of times configured (the default is two retries). If the server still does not respond, the ServerIron marks the server port FAILED and removes the server from the load-balancing rotation for MMS service.
5 - 10
Health Checks
NOTE: You can view the ServerIrons invalid request in the MMS server log. The log entry has error code 400.
Performed
Immediately following a successful Layer 4 TCP health check At regular intervals, if keepalive is enabled for the port
NNTP
The ServerIron waits for a message from the NNTP server. If the server sends a greeting message with status code 200 or 201, the ServerIron sends a Quit command to the NNTP port on the real server, then resets the connection by sending a quit and a RESET, one immediately after the other, and marks the port ACTIVE. If the server does not send a greeting message with status code 200 or 201, the ServerIron retries the health check up to the number of times configured (the default is two retries). If the server still does not send the expected message, the ServerIron marks the server port FAILED and removes the server from the loadbalancing rotation for NNTP service.
Performed
Immediately following a successful Layer 4 TCP health check At regular intervals, if keepalive is enabled for the port
PNM
The ServerIron sends a PNM file request that does not have a file name. If the server sends a reply containing the value "PNA", the ServerIron marks the port ACTIVE. If the server does not send a reply containing the value "PNA", the ServerIron retries the health check up to the number of times configured (the default is two retries). If the server still does not send the expected message, the ServerIron marks the server port FAILED and removes the server from the load-balancing rotation for PNM service.
Performed
Immediately following a successful Layer 4 TCP health check At regular intervals, if keepalive is enabled for the port
POP3
The ServerIron waits for a message from the POP3 server. If the server sends a greeting message that starts with + OK, the ServerIron sends a Quit command to the POP3 port on the real server, then resets the connection by sending a quit and a RESET, one immediately after the other, and marks the port ACTIVE If the server does not send a greeting message that starts with + OK, the ServerIron retries the health check up to the number of times configured (the default is two retries). If the server still does not send the expected message, the ServerIron marks the server port FAILED and removes the server from the load-balancing rotation for POP3 service.
Performed
Immediately following a successful Layer 4 TCP health check At regular intervals, if keepalive is enabled for the port
5 - 11
RADIUS
The ServerIron sends an authentication request with a user name, password, and key to the RADIUS server. The account information does not need to be valid for the server to pass the health check. In fact, to prevent someone from learning account information by observing the ServerIrons RADIUS health check, Foundry Networks recommends you use invalid information. If the server replies with the result code ACCEPT or REJECT, the ServerIron considers the port to be ok and marks it ACTIVE. If the server does not reply or the server Sends an ICMP Destination Unreachable message, the ServerIron retries the health check up to the number of times configured (the default is two retries). If the server still does not reply with ACCEPT or REJECT, the ServerIron marks the RADIUS port FAILED and removes the server from the rotation for RADIUS services. NOTE: You can configure a check either for the well-known RADIUS port number 1812 or 1645. You cannot configure a health check for both of these ports on the same server.
Performed
Immediately following a successful Layer 4 UDP health check At regular intervals, if keepalive is enabled for the port
RTSP
The ServerIron sends a standard RTSP option packet, using sequence number 1. If the server responds with an acceptable status code, the ServerIron resets the connection and marks the port ACTIVE. For SLB, the default acceptable status codes for the check are 200 299 and 401. If the server responds with a different status code, the ServerIron marks the port FAILED. If the server does not respond, the ServerIron retries the health check up to the number of times configured (the default is two retries). If the server still does not respond, the ServerIron marks the server port FAILED and removes the server from the load-balancing rotation for RTSP service.
Performed
Immediately following a successful Layer 4 TCP health check At regular intervals, if keepalive is enabled for the port
SMTP
The ServerIron waits for a message from the SMTP server. If the server sends a greeting message with status code 220, the ServerIron sends a Quit command to the SMTP port on the real server, then resets the connection by sending a quit and a RESET, one immediately after the other, and marks the port ACTIVE. If the server does not send a greeting message with status code 220, the ServerIron retries the health check up to the number of times configured (the default is two retries). If the server still does not send the expected message, the ServerIron marks the server port FAILED and removes the server from the load-balancing rotation for SMTP service.
Performed
Immediately following a successful Layer 4 TCP health check At regular intervals, if keepalive is enabled for the port
5 - 12
Health Checks
SSL (Complete)
The ServerIron initiates an SSL connection with the server on TCP port 443, a secure link is negotiated, and encrypted data is transferred across it. After the SSL connection is established, the ServerIron sends the SSL server an HTTP GET or HEAD request. The GET or HEAD request specifies a page containing the URL of a page on the server. By default, the ServerIron sends a HEAD request for the default page, 1.0, although this can be changed with the port ssl url command. If the server responds with an acceptable status code, the ServerIron resets the connection and marks the port ACTIVE. If the server does not respond, the ServerIron retries the health check up to the number of times configured (the default is two retries). If the server still does not respond, the ServerIron marks the server port FAILED and removes the server from the load-balancing rotation for SSL service.
Performed
Immediately following a successful Layer 4 TCP health check At regular intervals, if keepalive is enabled for the port
SSL (Simple)
The ServerIron sends an SSL client hello with the SSL SID set to 0: If the server responds, then the ServerIron resets the connection and marks the port ACTIVE. If the server does not respond, the ServerIron retries the health check up to the number of times configured (the default is two retries). If the server still does not respond, the ServerIron marks the server port FAILED and removes the server from the load-balancing rotation for SSL service.
Performed
Immediately following a successful Layer 4 TCP health check At regular intervals, if keepalive is enabled for the port
Telnet
The ServerIron waits for a message from the Telnet server. If the server sends a command string that starts with the IAC escape characters (FF), the ServerIron resets the connection and marks the port ACTIVE. If the server does not send a command that starts with the IAC escape character, the ServerIron retries the health check up to the number of times configured (the default is two retries). If the server still does not send the expected escape character, the ServerIron marks the server port FAILED and removes the server from the load-balancing rotation for Telnet service.
Performed
Immediately following a successful Layer 4 TCP health check At regular intervals, if keepalive is enabled for the port
5 - 13
FastCache
In typical TCS configurations, the ServerIron uses cache responses that flow back through the ServerIron as a means to determine the health of the cache server. When the ServerIron receives cache responses to client requests sent to the cache by the ServerIron, the ServerIron knows that the cache server is healthy. However, if the cache server does not respond to client requests, the ServerIron does not receive the responses from the cache server. Therefore, the ServerIron determines that the cache server is down and stops sending client requests to the cache server. Some configurations might require responses from a cache server to select a path that does not return through the ServerIron. For example, if a cache server supports only one default path and that path is to a gateway router, not to the ServerIron, the cache server might send responses to the clients through the default gateway instead of through the ServerIron. In this case, the ServerIron assumes that the cache server has stopped responding even though the cache server is still working normally. You can override health checking on an individual server basis by enabling FastCache. This feature allows the ServerIron to continue using a cache server even if the server does not send responses to client requests back through the ServerIron. When you enable FastCache on a cache server, the ServerIron continues to send client requests to the cache server even if the server does not respond through the ServerIron.
5 - 14
Health Checks
Table 5.3: Server States State ENB:enabled FAL:failed TST:testing Description There is no link to the real server. The real server is configured on the ServerIron but is not physically connected to the ServerIron. The real server has failed to respond to repeated Layer 3 health checks (IP pings). Typically, a real server changes to the FAILED state from the SUSPECT state. A real server will go to "Testing" if it is reachable at Layer 2 but not at Layer 3. When you first add a real server, the ServerIronXL will first try to ARP it. While it is ARPing, the server state will read "State: Enabled". After the real server replies to the ARP, the ServerIronXL will normally send one ICMP echo request. After it gets the ARP reply and before it gets the ICMP echo reply, the ServerIronXL will show the real server state as Testing. If you have a firewall application on the real server so that it responds to ARP queries but not to ICMP pings, then the real server will show as "Testing" forever. Use the show server real command to display detailed state information. The show server bind command is more concise, though it focuses on port status. SUS:suspect The ServerIron associates a time stamp with each packet sent to and received from the real servers. If the time gap between the last packet received from the server and the last packet sent to the server grows to 3 or 4 seconds, the ServerIron sends a ping (Layer 3 health check) to the server. If the server doesnt respond within the ping interval (a configurable parameter), the ServerIron changes the state to SUSPECT and resends the ping, up to the number of retries specified by the ping retries parameter (also configurable). If the server still doesnt respond after all the retries, the state changes to FAILED. If the server does respond, the state changes to ACTIVE. The server gracefully shut down. See server force-delete. A real server will go to active as long as it is reachable at Layer 2 and 3, regardless of whether or not its ports are bound to anything, regardless of whether or not its ports pass tests. After receiving that first ping reply, normally the ServerIronXL switches to periodic ARPs. If you enable server l3-health-check globally, then the ServerIronXL switches to using periodic pings instead. The real server still shows the state active. If you enter the no server l3-health-check command globally, then the ServerIronXL will switch back to ARP. After that first ping succeeds, if you do not have L3 health checks enabled, you can add an ICMP blocking ACL on the real server, and the system will still display "Active". If you re-add server l3-health-check, then the real server state will change from Active to Suspect and then Failed. This behavior is all done before any ports have been bound to a virtual server. All these states on a real server have nothing to do with L4/L7. UNB:unbind AWU:awaitunbind AWD: awaitshutdown Used for ports which have not been bound to a virtual server. Both can occur when you're trying to unbind or delete ports. You might not even see them in anything but a live environment. After you remove real servers from a virtual server or delete virtual servers or unbind ports, normally the ServerIron or stackable waits until connections in progress finish their business.
GDN:grace-dn ACT:active
5 - 15
Table 5.4: Application Port States State ENABLED FAILED Description There is no link to the server. The server is configured on the ServerIron but is not connected to the ServerIron. (This is the same as the ENABLED server state.) The application has failed to respond to repeated Layer 4 or (if applicable) Layer 7 health checks. Typically, an application changes to the FAILED state from the SUSPECT state. Note that if a application does not pass the Layer 4 health check, the ServerIron does not waste resources on the Layer 7 health check, since the application clearly is not available. When an application enters the FAILED state, the state of the real server itself moves to the TEST state while the ServerIron continually tries to reach the failed application. The server is still reachable at Layer 3, but the application has failed to respond to its Layer 4 (or if applicable, Layer 7) health check. The ServerIron associates a time stamp with each packet sent to and received from the real servers. If the time gap between the last packet received from the server and the last packet sent to the server grows to 3 or 4 seconds, the ServerIron sends a Layer 4 health check to the service. (If applicable, and if the server passes the Layer 4 health check, the ServerIron then sends a Layer 7 health check to the application.) If the application doesnt respond within a specified interval, the ServerIron changes the state to SUSPECT and resends the Layer 4 (and if applicable, Layer 7) health check up to a specific number of retries. If the application still doesnt respond after all the retries, the state changes to FAILED and the server state changes to TEST. If the application does respond, the application state changes to ACTIVE. The forced-shutdown option has been used to gracefully shut the server down. The application has passed its Layer 4 (and if applicable, Layer 7) health check. The application is configured on the real server but is not yet bound to a virtual server.
TEST SUSPECT
5 - 16
Health Checks
information for remaining real servers omitted for brevity... Syntax: show server real The state information shown by this display is highlighted in bold type in the example above. The state of the server itself is listed first, then the states of each of the application ports configured on the server are displayed. In this example, the server itself is enabled. The HTTP port also is enabled, but the default port (a port the ServerIron automatically configures on all the real and virtual servers) is unbound. These states are typical of a ServerIron that is configured for deployment but has not been connected to the real servers. The information under the row for the HTTP application shows settings for the Layer 7 health checks for the port. For information about HTTP health checks and other configurable Layer 7 health check parameters, see Layer 7 Health Checks on page 5-33.
PeakConn 39 0
5 - 17
Figure 5.1
Router R1
Link Activi ty
Router R2
Power
2. Default gateway forwards health check to next hop toward remote server.
Remote Server
In this example, the ServerIron sends the health check through its default gateway. The default gateway sends the health check back to the ServerIron, since Router R1s route to the remote server lists the ServerIron as the next hop. Despite the unnecessary trip through the default gateway, the health check still reaches the remote server. However, if you want to eliminate unnecessary hops, you can enable the ServerIron to learn the MAC address from which the remote servers health check reply is received, and send subsequent health checks directly through that MAC address. Figure 5.2 shows the simplified health check process.
Figure 5.2 Health Check of Remote Server Learned MAC Address is Used
1. ServerIron learns the MAC address of Router R2 when the health check reply is received.
R2
ServerIrons default gateway
SI
R1
Remote Server 2. ServerIron sends subsequent health checks through the learned MAC address.
To enable the ServerIron to use learned MAC addresses for sending health checks to remote servers, enter the following command: ServerIron(config-rs-remote1)#use-learned-mac-address Syntax: [no] use-learned-mac-address NOTE: This command does not apply to local servers. Since local servers are attached at Layer 2, the ServerIron does not need to use a gateway or otherwise route the health check to the server.
5 - 18
Health Checks
To globally disable Layer 3 health check for all remote real servers or of IPs learned through GSLB , enter the following command: ServerIron(config)#server no-remote-l3-check Syntax: [no] server no-remote-l3-check NOTE: The server no-remote-l3-check command also disables Layer3 health checks of IPs learned through GSLB. To disable the Layer 3 health check on an individual real server, enter the following command: ServerIron(config-rs-R1)#no-l3-check Syntax: [no] no-l3-check This command applies to local real servers and remote real servers.
Performing Layer 4 UDP Keepalive Health Checks for the DNS Port
You can configure the ServerIron to perform Layer 4 UDP keepalive health checks for the DNS port (port 53). To do this globally for the DNS port on all real servers, enter the following commands: ServerIron(config)#server port dns ServerIron(config-port-dns)# udp l4-check-only To do this for the DNS port on real server r1, enter commands such as the following: ServerIron(config)#server real r1 1.1.1.1 ServerIron(config-rs-r1)#port dns l4-check-only Syntax: port dns l4-check-only The port dns l4-check-only command configures the ServerIron to use Layer 4 UDP keepalive health checks for the DNS port, instead of Layer 7 DNS health checks. This command applies to keepalive health checks only, not to the health check performed when the DNS port is brought up. When the DNS port on a real server is brought up, by default the ServerIron performs a Layer 4 TCP health check. You can configure the ServerIron to perform a Layer 4 UDP health check when the DNS port is brought up by adding the no tcp keepalive enable command to the DNS port profile. For example: 5 - 20 2008 Foundry Networks, Inc. September 18, 2008
Health Checks
You can change the maximum number of retries to a value from 3 31 (ServerIron Chassis devices) or 8 31 (all other ServerIron models). To change the maximum number of FWLB path health check attempts, enter a command such as the following at the firewall level of the CLI: ServerIron(config-tc-2)# fw-health-check icmp 20 Syntax: [no] fw-health-check icmp <num> The <num> parameter specifies the maximum number of retries and can be a number from 3 31 (ServerIron Chassis devices) or 8 31 (all other ServerIron models). The default is 3 for ServerIron Chassis devices and 8 for all other ServerIron models.
NOTE: You must configure the same Layer 4 health check parameters on all the ServerIrons in the FWLB configuration. Otherwise, the paths will fail the health checks. To configure a Layer 4 health check for firewall paths, enter a command such as the following at the firewall group configuration level: ServerIron(config-tc-2)# fw-health-check udp September 18, 2008 2008 Foundry Networks, Inc. 5 - 21
The command in this example enables Layer 4 health checks on UDP port 7777. This ServerIron sends firewall path health checks to UDP port 7777 and listens for health checks on UDP port 7777. Syntax: [no] fw-health-check udp | tcp [<tcp/udp-portnum> <num>] The <tcp/udp-portnum> parameter specifies the TCP or UDP port and can be a number in one of the following ranges: For TCP, from 1 65535 For UDP, from 1 1032 or 2033 65535 NOTE: Do not use a number from 1033 2032 for UDP. Port numbers in this range are not supported for FWLB UDP health checks. The <num> parameter specifies the maximum number of retries and can be a number from 8 31. The default is 3.
Table 5.5: Keepalive Health Check States State Global (entire ServerIron) Disabled Disabled Local (specific real server) Disabled Enabled Health check is disabled Health check is enabled Effect
5 - 22
Health Checks
Table 5.5: Keepalive Health Check States (Continued) State Global (entire ServerIron) Enabled Enabled Local (specific real server) Disabled Enabled Health check is enabled Health check is enabled Effect
As shown in this table, once a keepalive health check is enabled, to disable it you must do so both globally and locally. If you want to enable keepalive health checks only on specific real servers (locally), you can easily do so by making sure the health checks are disabled globally, then enabling them on individual real servers. To enable or disable a keepalive health check globally, use one of the following methods. To enable or disable a keepalive health check locally, see Enabling Layer 7 Health Check on page 5-33. NOTE: DNS, HTTP, and RADIUS health checks use additional parameters, which you can configure using separate commands. See Changing HTTP Keepalive Method, Value, and Status Codes on page 5-34, Configuring DNS Health Check Method and Values on page 5-45, or Configuring RADIUS Health Check Values on page 5-46. NOTE: When health checks are enabled for the ports on the VIPs in a host range, the ServerIron checks the health of the applications on the base IP address only. The ServerIron assumes that the health of an application is the same for all the VIPs within the host range. For information about host ranges, see Web Hosting with Unlimited Virtual IP Addresses on page 3-189.
5 - 23
Table 5.6: Port Profile Attributes Attribute Port type (TCP or UDP) Description This attribute applies only to ports for which the ServerIron does not already know the type. For example, if a real server uses port 8080 for HTTP (a TCP port), you can globally identify 8080 as a TCP port. The ServerIron assumes that ports for which it does not know the type are UDP ports. See Adding a Port and Specifying Its Type on page 5-23. NOTE: To display a list of the ports for the ServerIron already knows the type, enter the server port ? command at the global CONFIG level. Keepalive interval and retries The number of seconds between health checks and the number of times the ServerIron re-attempts a health check to which the server does not respond. See Changing a Ports Keepalive Parameters on page 5-23. Keepalive state Whether the ServerIrons health check for the port is enabled or disabled. Recurring Layer 4 and Layer 7 health checks are disabled by default. When you configure a port profile, the software automatically globally enables the health check for the application. You also can explicitly disable or re-enable the keepalive health check at this level. NOTE: If you are configuring a port profile for a port that is known to the ServerIron, the keepalive parameters affect Layer 7 health checks. For other ports, the keepalive parameters affect Layer 4 health checks. Keepalive port By default, the ServerIron bases the health of an application port on the port itself. You can specify a different application port for the health check. In this case, the ServerIron bases the health of an application port on the health of the other port you specify. See Basing a Ports Health on the Health of Another Port on page 5-30. NOTE: You cannot base the health of a port well-known to the ServerIron on the health of another port, whether the port is well-known or not wellknown. Source of health for alias port By default, the ServerIron performs independent health checks on an alias port and its master port. You can configure the ServerIron to base the health of an alias port on the state of its master port. See Basing an Alias Ports Health on the Health of its Master Port on page 527.
5 - 24
Health Checks
Table 5.6: Port Profile Attributes (Continued) Attribute TCP or UDP age Description The number of minutes a TCP or UDP session table entry can remain inactive before the ServerIron times out the entry. This parameter is set globally for all TCP or UDP ports but you can override the global setting for an individual port by changing that ports profile. See Overriding the Global TCP or UDP Age on page 5-28 You can specify a TCP age from 2 60 minutes and a multiplier from 2 20. Thus, the maximum configurable TCP age for an individual port is 1200 minutes (20 hours). NOTE: You cannot specify a multiplier when configuring the global TCP age. NOTE: Since UDP is a connectionless protocol, the ServerIron does not remove a UDP session from its session table until the session times out. TCP is a connection-based protocol. Thus, for TCP sessions, the ServerIron removes the session as soon as the client or server closes the session. NOTE: For DNS and RADIUS UDP load balancing, the age value does not follow the normal configuration and default value unless udp-normal-age is configured on the port. The default UDP age will always be 2 minutes unless udp-normal-age is configured. NOTE: The ServerIron immediately deletes a UDP DNS or RADIUS session table entry when the ServerIron receives a reply for the application from a real server. If desired, you can configure the ServerIron to age these ports like other UDP ports, using the UDP age timer. See Enabling Normal UDP Aging for DNS and RADIUS on page 3-71. Session synchronization In Symmetric SLB configurations, this attribute provides failover for individual sessions on the application port. Normally, existing sessions are not carried over from one ServerIron to another during failover. See Enabling Session Synchronization on page 5-29. Connection logging You can enable logging for session table entries created for this port. See Syslog for Session Table Entries on page 5-66. Slow start Configures the ServerIron to control the rate of new connections to the application port to allow the server to ramp up. See Port Slow-Start Mechanism on page 5-70. Smooth factor If you plan to use server response time as a load-balancing method, you can adjust the amount of preference the ServerIron gives the most recent response time compared to the previous response time. See Changing the Smooth Factor on an Application Port on page 5-29.
5 - 25
Table 5.6: Port Profile Attributes (Continued) Attribute Recursive DNS health checks Description By default, a Layer 7 health check for a DNS port sends the query only to the real server (DNS server). If the DNS server does not reply with the IP address or zone name requested by the health check, the port fails the health check. You can enable the real server to perform a recursive lookup for the IP address or zone requested by the health check of the well-known DNS port (53). See Enabling Recursive DNS Health Checks on page 5-29. You also can change port attributes locally, on the Real Server and Virtual Server configuration levels. Port profiles simplify configuration by enabling you to characterize a port globally. For example, if many of your real servers use TCP port 80 (the well-known number for HTTP) and you want to change the keepalive interval for the port, you can do so globally. You do not need to change the value multiple times on each real server. The ServerIron knows the port types of a some well-known port numbers. If you are using a port number for which the ServerIron does not know the port type, you can specify whether the port is TCP or UDP and configure its keepalive values globally. You do not need to define the port on every server. NOTE: Unless a port is known to the ServerIron to be a TCP port, the ServerIron assumes the port is UDP. If you are using a port number that is not known to the ServerIron and the port type is TCP, you must specify this either globally (using a port profile) or locally (when configuring the individual real servers and virtual servers). Otherwise, the ServerIron will use a UDP health check to test the port and the port will fail the health check. NOTE: If you bind an application port on a real server to the same port on a virtual server, the port on the real server inherits the attributes of the port on the virtual server.
5 - 26
Health Checks
ServerIron(config)#show server real rs1 detail Real Servers Info Name : rs1 Mac-addr: 0003.47bf.bad2 IP:192.168.6.91 Range:1 State:Active Max-conn:1000000 Least-con Wt:0 Resp-time Wt:0 Src-nat (cfg:op):(off:off) Dest-nat (cfg:op):(off:off) Remote server : No Dynamic : No Server-resets:0 Mem:server: 02057999 Mem:mac: 02037cb0 Port ---telnet State ----Ms CurConn TotConn Rx-pkts -- ------- ------- ------Tx-pkts ------Rx-octet -------0 Tx-octet -------0 Reas ---0
active 0 0 0 0 0 max_conn = 1000000 sessions = 0 Keepalive(G/L:Off/Off):Off tcp-age: 40 8083 active 0 0 0 0 0 max_conn = 1000000 sessions = 0 Keepalive(G/L:On/Off):On tcp-age: 40 8082 active 0 0 0 0 0 max_conn = 1000000 sessions = 0 Keepalive(G/L:On/Off):On tcp-age: 35 * 4 8081 active 0 1 1 10 19 max_conn = 1000000 sessions = 2 Keepalive(G/L:On/Off):On tcp-age: 53 http failed 0 0 0 0 0 max_conn = 1 sessions = 0 Keepalive(G/L:On/Off):On Status Code(s): default (200-299, 401) HTTP URL: "HEAD /" tcp-age: 60 * 2 default unbnd 0 0 0 0 0 max_conn = 0 sessions = 0 Server Total 1 1 10 19
2280
4380
2280
4380
LDAP port 389 MMS port 1755 NNTP port 119 PNM port 7070 POP3 port 110 RTSP port 554 SMTP port 25 SSL port 443 TELNET port 23
You cannot base an alias ports health on the health of a UDP port or a port that is not well-known to the ServerIron. NOTE: The health checks for the alias ports must be enabled. Otherwise, the ServerIron will not check the master ports state, and the alias port will not go down when the master port goes down. To configure an alias ports health to be based on its master ports health, edit the alias ports profile by entering commands such as the following: ServerIron(config)#server port 8080 ServerIron(config-port-8080)#tcp keepalive use-master-state Syntax: [no] tcp keepalive use-master-state The command is entered at the port profile level.
Health Checks
5 - 29
NOTE: You can enable this feature only on the well-known DNS port (53).
To base a ports health on the health of another port, enter a command such as the following: ServerIron(config-port-1234)# tcp keepalive port 80 Syntax: tcp | udp keepalive port <TCP/UDP-portnum> The command in this example configures the ServerIron to base the health of port 1234 on the health of port 80 (HTTP). If the health of port 80 changes, the ServerIron applies the change to port 1234. NOTE: You cannot base the health of a port well-known to the ServerIron on the health of another port, whether the port is well-known or not well-known.
Reassign Threshold
The reassign threshold specifies the number of contiguous inbound TCP-SYN packets a real server can fail to respond to before the ServerIron changes the application state to FAILED and the server state to TEST. The default reassign threshold is 21. The server and application states are described in Server and Application Port States on page 5-14. If the field reaches the reassign threshold, the ServerIron marks the application failed. The value of an applications Reas field is reset to 0 when the ServerIron receives a TCP SYN ACK from the application. No other type of traffic can clear this field. 5 - 30 2008 Foundry Networks, Inc. September 18, 2008
Health Checks
If a real server seems to be triggering the reassign threshold too frequently, you can increase the reassign threshold. The default is 21 and the range of values is 6 254. This is a global parameter. See Reassign Threshold on page 5-30. In addition to the circumstances described in Server and Application Port States on page 5-14, a real servers state also can be affected by the reassign threshold. The reassign threshold specifies how many consecutive TCP SYN requests a real server can fail to respond to before the ServerIron changes the application state to FAILED and the server state to test. The default reassign threshold is 20. The value of an applications Reas field is reset to 0 when the ServerIron receives a TCP SYN ACK from the application. No other type of traffic can clear this field. NOTE: It is possible to take a service down without triggering the reassign threshold. For example, in a lab environment where the server is not receiving TCP SYNs, the service might be down but since the ServerIron is not sending new requests to the server, the server does not fail to respond to enough consecutive TCP SYNs to meet the reassign threshold. As a result, the ServerIron indicates the server and the service are ACTIVE when in fact they are offline. NOTE: The reassign threshold counter is not incremented in SwitchBack (Direct Server Return) configurations. NOTE: The reassign threshold does not apply to servers in SwitchBack (Direct Server Return) configurations. In a SwitchBack configuration, traffic from the real server does not pass back through the ServerIron. As a result, the ServerIron cannot monitor the TCP SYN ACKs from the server. See DSR on page 3-146. NOTE: The ServerIron does not try to reassign the clients request to another server if you configure the application port to be sticky. The sticky option configures the ServerIron to override load-balancing and send all client requests for the application to the same server during a given session. NOTE: If a real server seems to be triggering the reassign threshold too frequently, you can increase the reassign threshold. This is a global parameter. To modify the SYN-ACK threshold to 215, enter a command such as the following: ServerIron(config)#server reassign-threshold 215 Syntax: server reassign-threshold <threshold value> In releases prior to 6.8.00, the range of values for <threshold value> is 6 254 and the default reassign threshold is 21. In releases 6.8.00 and later, the range of values for <threshold value> is 6 4000 and the default reassign threshold is 20. NOTE: Starting with release 09.0.00S, the SYN-ACK threshold is OFF by default. In releases prior to 09.0.00S, the SYN-ACK threshold is ON by default.
5 - 31
NOTE: The reassignment count applies to the total number of contiguous (back-to-back) unanswered SYNs from all clients who have sent SYNs to the server. To revent state flapping caused by the reassignment counter, enter the following command: ServerIron(config)#server no-reassign-count When you enter this command, the ServerIron will stop incrementing the reassignment counters for real server applications. Syntax: [no] server no-reassign-count NOTE: Starting with release 09.0.00S, "server no-reassign-count" is enabled by default. In releases prior to 09.0.00S, "server no-reassign-count" is disabled by default..
This change was made so that ports could be brought up more quickly. You can optionally change the default behavior so that a port is not marked ACTIVE until it passes both the Layer 4 and (if one is enabled) Layer 7 health checks. In other words, you can optionally use the health-checking procedure that existed in releases prior to 07.1.05. To enable the health-checking procedure that existed in releases prior to 7.1.05, enter the following command: ServerIron(config)#server no-fast-bringup Syntax: [no] server no-fast-bringup
5 - 32
Health Checks
To use the complete SSL health check, enter the following command (notice the no): ServerIron(config)#no server use-simple-ssl-health-check Syntax: [no] server use-simple-ssl-health-check
Error Messages
The following error messages are related to SSL health check, after receiving SSL data while it cannot find the key to decrypt the data. The key is missing possibly due to a time out. ssl_receive_data but tcb->ssl is null SSL cleanup: can't find key ??? SSL interface: ssl_read_data return error !!! ssl_receive_data but tcb->ssl is null SSL cleanup: can't find key ??? SSL interface: ssl_read_data return error !!! ssl_receive_data but tcb->ssl is null SSL cleanup: can't find key ??? SSL interface: ssl_read_data return error !!! The ServerIron normally stops processing the rest of the data and releases the SSL control block data structure. However when the ServerIron does not do that, the ServerIron finds the SSL data structure is null and prints these messages.
NOTE: The ServerIron uses its own management IP address or a source IP address configured on the ServerIron as the source IP address in the health check packets (as opposed to a virtual IP address). If the real servers are in the same subnet as the ServerIron, then the health checks can use the ServerIrons management IP address. Otherwise, the health checks use a source IP address. See Web Hosting with ServerIron and Real Servers in Different Subnets on page 3-194.
5 - 33
Syntax: [no] port <port> keepalive If you use the "no" parameter in front of the command, you are locally disabling the health check. The health checks are locally disabled by default. The <port> parameter can have one of the following values: dns (port 53) ftp (port 21). Ports 20 and 21 both are FTP ports but in the ServerIron, the name ftp corresponds to port 21. http (port 80) imap4 (port 143) ldap (port 389) nntp (port 119) ntp (port 123) pop2 (port 109) pop3 (port 110) radius (UDP port 1812) radius-old (UDP port 1645, which is used in some older RADIUS implementations instead of port 1812) smtp (port 25) snmp (port 161) ssl (port 443) telnet (port 23) tftp (port 69) <number> NOTE: Specify the port number if the port is not one of the well-known names listed above.
The default URL page for HTTP keepalive requests used in HTTP health checks is HEAD /1.0. You can change the URL that the ServerIron requests on a real server basis. NOTE: For HTTP content verification health checks, you may want to change the default URL page for HTTP keepalive requests URL page, since a request for HEAD /1.0 would not return a response containing HTML for content verification. You can specify a GET request for a page containing text that can be searched and verified. See Configuring HTTP Content Matching Lists on page 5-35 for more information. To configure the HTTP keepalive request to send a GET request for sales.html, enter the following commands: ServerIron(config)#server real zip 207.96.3.251 ServerIron(config-rs-zip)#port http url "GET /sales.html" ServerIron(config-rs-zip)#exit ServerIron(config)#server virtual-name-or-ip shoosh 207.96.4.250
5 - 34
Health Checks
ServerIron(config-vs-shoosh)#port http ServerIron(config-vs-shoosh)#bind http zip http ServerIron(config-vs-shoosh)#exit Syntax: port http url [GET | HEAD] [/]<URL-page-name> GET or HEAD is an optional parameter that specifies the request type. By default, HTTP keepalive uses HEAD to retrieve the URL page. You can override the default and configure the ServerIron to use GET to retrieve the URL page. The slash ( / ) is an optional parameter. If you do not set the GET or HEAD parameter, and the slash is not in the configured URL page, then ServerIron automatically inserts a slash before retrieving the URL page. To change the HTTP status codes that the ServerIron considers normal (not indicative of a failure of the HTTP service), enter the following command. ServerIron(config-rs-zip)#port http status-code 200 201 300 302 Syntax: port http status-code <range> [<range>[<range>[<range>]]] The command in this example specifies two ranges (200 201 and 300 302). You can specify up to four ranges (total of eight values). To specify a single message code for a range, enter the code twice. For example to specify 200 only, enter the following command: port http status-code 200 200. NOTE: When you change the status code ranges, the defaults are removed. As a result, you must specify all the valid ranges, even if a range also is within the default ranges. For example, if you still want codes 200 299 to be valid, you must specify them. For the defaults, see 3.8 HTTP Status Codes on page 6-35.
The first command sets the name of the matching list and enters the HTTP matching list CLI level. The first down statement looks for the text 404 in the HTML file sent from the real server in response to an HTTP keepalive request; the second down statement looks for the text File Not Found. If either of these text strings are found in the HTML file, the ServerIron marks port 80 (HTTP) on the real server FAILED. If neither of the text strings are found, the ServerIron marks the port ACTIVE. Syntax: http match-list <matching-list-name> Syntax: down I up simple <text> [log] The down simple and up simple statements specify the selection criteria in the matching list. NOTE: There is a limit of 200 selection criteria statements for all HTTP matching lists. That is, the total number of up and down statements in all HTTP matching lists on the ServerIron must not exceed 200. When an HTML file meets more than one set of selection criteria in a matching list, the ServerIron takes one of the following actions: If the strings that meet the selection criteria are different, the ServerIron takes action based on the string that comes first in the file. For example: ServerIron(config)#http match-list m2 ServerIron(config-http-ml-m2)#down simple "monkey" ServerIron(config-http-ml-m2)#up simple "elephant" ServerIron(config-http-ml-m2)#exit The selection criteria in the matching list above would cause the ServerIron to mark the port FAILED if the text "monkey" is found and ACTIVE if the text "elephant" is found. If the HTML file has the text "monkey" at the beginning and "elephant" at the end, the ServerIron would mark port 80 on the real server FAILED, because "monkey" occurs first in the file. If a string that meets the selection criteria is a subset of another, the longer string takes precedence, regardless of where it occurs in the file. For example: ServerIron(config)#http match-list m3 ServerIron(config-http-ml-m3)#down simple "elephant" ServerIron(config-http-ml-m3)#up simple "elephantine" ServerIron(config-http-ml-m3)#exit In this example, ServerIron would mark the port FAILED if the text elephant is found and ACTIVE if the text elephantine is found. If the HTML file has the text elephant at the beginning and elephantine at the end, the ServerIron would mark port 80 on the real server ACTIVE, because elephantine is longer than elephant. The following is an example of a matching list that uses compound selection criteria, in which the beginning and ending parts of selection criteria are specified: ServerIron(config)#http match-list m4 ServerIron(config-http-ml-m4)#up compound "monkey see" "monkey do" log ServerIron(config-http-ml-m4)#down compound "500" "Internal Server Error" log ServerIron(config-http-ml-m4)#down compound "503" "Service Unavailable" log ServerIron(config-http-ml-m4)#default down ServerIron(config-http-ml-m4)#exit In this example, the default down command causes port 80 on the real server to be marked FAILED if none of the selection criteria are found in the HTTP response message. Syntax: down | up compound <start> <end> [log] Syntax: default down | up In this matching list, the up and down commands include the compound parameter, which allows you to specify beginning and ending parts of a set of selection criteria. Text that begins with the first part and ends with the second part meets the selection criteria.
5 - 36
Health Checks
In this example, the up command specifies that if the HTML file sent from the real server in response to an HTTP keepalive request contains a text string that begins with the text monkey see and ends with the text monkey do, port 80 on the real server is marked ACTIVE. The down commands specify that if the HTML file contains a text string that begins with 500 and ends with Internal Server Error or begins with 503 and ends with Service Unavailable, the port is marked FAILED. The default command specifies what happens if none of the HTML text in the HTTP response message meets the selection criteria. You can specify either up or down; the default is up. If the real server responds to the health check with a RST, the port is marked ACTIVE or FAILED depending on what was specified in the default statement in the matching list. The log parameter causes the following Warning message to be logged when the selection criteria is met: 00d00h00m00s:W:HTTP match-list <matching-list> with compound pattern1 <start> and pattern2 <end> Alert: bring server down and Extract message: <text-between-start-and-end-pattern> In the example, at the successful completion of an HTTP content verification health check, the following message would be logged; that is, if the HTML file sent from the real server in response to an HTTP keepalive request contains a text string that begins with the text monkey see and ends with the text monkey do: ServerIron#show logging Syslog logging: enabled (0 messages dropped, 0 Buffer logging: level ACDMEINW, 1 messages level code: A=alert C=critical D=debugging I=informational N=notification flushes, 0 overruns) logged M=emergency E=error W=warning
Dynamic Log Buffer (50 entries): 02d04h47m12s:W:HTTP match-list m4 with compound pattern1 "monkey see" and pattern2 "monkey do" Alert: bring server up and Extract message: This web page is configured correctly
5 - 37
The port http url command sets the method used for HTTP keepalive requests and the URL of the page to be retrieved. This command is used in HTTP content verification health checks because the default method and URL page for HTTP keepalive requests used in HTTP health checks, HEAD /1.0, does not return an HTML file that the ServerIron can search and verify. You can instead specify the GET method, which does return an HTML file that can be examined using the matching list.
5 - 38
Health Checks
ServerIron(config)#http match-list m1 ServerIron(config-http-m1-m1)#up simple "FTP service" ServerIron(config-http-m1-m1)#default down ServerIron(config-http-ml-m1)#exit In this example, the default down command causes the port on the real server to be marked FAILED if the selection criteria is not found in the response from the server. For information on the command syntax, see Configuring HTTP Content Matching Lists on page 5-35.
5 - 39
Syntax: [no] l7-check Note that the dest-ip <ip-addr> command must be the first command entered for a health-check policy. If this is not the first command entered for the policy, an error message is displayed. If the <matching-list-name> does not refer to an existing matching list, the policy is evaluated to false. The l7-check command is required to ensure that the ServerIron performs a Layer 7 health check. If this command is omitted, the ServerIron performs only a Layer 4 health check, and not the scripted health check.
5 - 40
Health Checks
port 1111 content-check-carray send 0xe1,0xe2,0xe3,0xe4 port 1111 keepalive http match-list m1 default down up simple 0xca,0xcb,0xcd,0xce NOTE: Sending of binary data after 3-way handhsake is not mandatory.
5 - 41
Previously, ServerIron allowed the use of Layer 7 health check parameters for known ports, such as HTTP, LDAP, SMTP, IMP4, POP3, NNTP, Telnet, and FTP, to check the health of unknown ports. For example, a configuration such as the following may be entered: ServerIron(config)# server port 999 ServerIron(config-port-999)#tcp keepalive protocol smtp In this release, health checks for SSL, RTSP, MMS, PNM, LDAPS have been added to check the health of unknown ports, using the server port-policy command. The configuration of server port policies consists of two parts: Configuring a Port Policy Binding the Policy
5 - 42
Health Checks
6.
(Optional) Specify the protocol value. ServerIron(config-port-policy-name)#protocol http url www.mycompanynet.com Syntax: protocol <protocol-options> Enter one of the following for <protocol-options>, specifying the values for the required parameters: http status-code <min> <max> http url <url> http content-match <match-list> dns addr-query <value> dns zone <value> radius key <radius-key> radius password <value> radius nas-ip <ip-address> radius nas-port <value>
7.
(Optional) Enable the Layer 4 check feature in the policy. ServerIron(config-port-policy-name)#l4-check Syntax: ServerIron(config-port-policy-name)# l4-check By default, Layer 7 health check is enabled; however, Layer 4 health check is not. You must enable Layer health check if you want to use that feature.
5 - 43
In Example 1, Port 1234 on Real Server 1 will be marked as up if the Layer 7 health check on Port 8080 on the server with the IP address of 10.10.1.101 passes. EXAMPLE 2: ServerIron(config)#server port-policy p2 ServerIron(config-port-policy-name)#protocol http ServerIron(config-port-policy-name)#l4-check ServerIron(config-port-policy-name)#exit ServerIron(config)#server real r2 10.10.1.102 ServerIron(config-rs-r1)#port 1234 use-port-policy p2 In the example above, a port has not been configured for "policy p2"; therefore, the ServerIron will use the port to which the policy is bound. Port 1234 of real server r2 will be marked as "UP" if the health check to port 1234 on the 10.10.1.101 Server passes the Layer 4 health-check. EXAMPLE 3: In the following example, Port Policy pp1 is configured with a keepalive interval of 5 seconds, while Port Policy pp2 has a keepalive interval of 30 seconds. Port Policy pp1 is bound to Real Server rs1 port 8080 and Real Server rs2 port 9090; therefore, these two ports have a 5 second keepalive interval. Port Policy pp2 is bound to Real Server rs3 port 8080 and Real Server rs4 port 9090. These two ports have a keepalive interval of 30 seconds. ServerIron(config)#server port-policy pp1 ServerIron(config-port-policy-pp1)#keepalive-interval 5 ServerIron(config-port-policy-pp1)#protocol http ServerIron(config-port-policy-pp1)#protocol http url "GET /abc.html" ServerIron(config-port-policy-pp1)#retries 3 ServerIron(config-port-policy-pp1)#exit ServerIron(config)#server port-policy pp2 ServerIron(config-port-policy-pp2)#keepalive-interval 30 ServerIron(config-port-policy-pp2)#protocol http ServerIron(config-port-policy-pp2)#protocol http url "GET /xyz.html" ServerIron(config-port-policy-pp2)#retries 2 ServerIron(config-port-policy-pp2)#exit ServerIron(config)#server real rs1 ServerIron(config-rs-r1)#port 8080 ServerIron(config-rs-r1)#port 8080 use-port-policy pp1 ServerIron(config-rs-r1)#exit ServerIron(config)#server real rs2 ServerIron(config-rs-r2)#port 9090 ServerIron(config-rs-r2)#port 9090 use-port-policy pp1 ServerIron(config-rs-r2)#exit ServerIron(config)#server#real rs3 ServerIron(config-rs-r3)#port 8080 ServerIron(config-rs-r3)#port 8080 use-port-policy pp2 ServerIron(config-rs-r3)#exit ServerIron(config)#server real rs4 ServerIron(config-rs-r4)#port 9090 ServerIron(config-rs-r4)#port 9090 use-port-policy pp2 ServerIron(config-rs-r4)#exit ServerIron(config)#
5 - 44
Health Checks
ServerIron(config)#server port-policy pp1 ServerIron(config-port-policy-pp1)#keepalive-interval 5 Syntax: [no] keepalive-interval <seconds> Enter 1 - 120 for seconds. EXAMPLE In the following example, real server rs1 port 8080 and real server rs2 port 9090 will have a keepalive interval of 5 seconds. Also, real server rs1 port 8080 and real server rs4 port 9080 will have a keepalive interval of 30 seconds. ServerIron(config)#server port-policy pp1 ServerIron(config-port-policy-pp1)#keepalive-interval 5 ServerIron(config-port-policy-pp1)#protocol http ServerIron(config-port-policy-pp1)#protocol http url "GET /abc.html" ServerIron(config-port-policy-pp1)#retries 3 ServerIron(config-port-policy-pp1)#exit ServerIron(config)#server port-policy pp2 ServerIron(config-port-policy-pp2)#keepalive-interval 30 ServerIron(config-port-policy-pp2)protocol http ServerIron(config-port-policy-pp2)protocol http url "GET /xyz.html" ServerIron(config-port-policy-pp2)retries 2 ServerIron(config-port-policy-pp2)exit After configuring the policy, bind it to a real server port. (See Binding the Policy on page 5-43 for details.) For example: ServerIron(config)#server real ServerIron(config-rs-rs1)#port ServerIron(config-rs-rs1)#port ServerIron(config-rs-rs1)#port ServerIron(config-rs-rs1)#exit ServerIron(config)#server real ServerIron(config-rs-rs2)#port ServerIron(config-rs-rs2)#port ServerIron(config-rs-rs2)#port ServerIron(config-rs-rs2)#exit ServerIron(config)#server real ServerIron(config-rs-rs3)#port ServerIron(config-rs-rs3)#port ServerIron(config-rs-rs3)#port ServerIron(config-rs-rs3)#exit ServerIron(config)#server real ServerIron(config-rs-rs4)#port ServerIron(config-rs-rs4)#port ServerIron(config-rs-rs4)#port rs1 8080 8080 keepalive 8080 use-port-policy pp1
5 - 45
Address-based The ServerIron sends an address request for a specific domain name. If the server successfully responds with the IP address for the domain name, the server passes the health check. Zone-based The ServerIron sends a Source-of-Authority (SOA) request for a specific zone name. If the server is authoritative for the zone and successfully responds to the SOA request, the server passes the health check.
To configure the domain name for address-based DNS health checking, enter the following command: ServerIron(config-rs-zip)#port dns addr_query "evil.mojo.com" Syntax: [no] port dns addr_query "<name>" To configure the zone name for zone-based DNS health checking, enter the following command: ServerIron(config-rs-zip)#port dns zone mojo.com Syntax: [no] port dns zone <zone-name>
5 - 46
Health Checks
The health check mechanisms for these ports are described in Health Checks Overview on page 5-1. To configure an unknown TCP port to use the Layer 7 health check for one of the applications listed above, enter commands such as the following: ServerIron(config)#server port 999 ServerIron(config-port-999)#tcp keepalive protocol smtp These commands configure port profile parameters for port 999. The second command in the example makes the port a TCP port and assigns the SMTP Layer 7 health check to the port. Syntax: [no] server port <TCP-portnum> Syntax: [no] tcp keepalive protocol <TCP-port> The protocol <TCP-port> parameter specifies the type of Layer 7 health you want to use for the port. You can specify one of the following: ftp or 21 imap4 or 143 ldap or 389 pop3 or 110 smtp or 25 telnet or 23
5 - 47
To configure an unknown port to use a Layer 7 health check, enter commands such as the following: ServerIron(config)# server port 999 ServerIron(config-port-999)# udp keepalive protocol dns Syntax: server port <UDP-portnum> Syntax: udp keepalive protocol <UDP-portnum> The protocol <UDP-port> parameter specifies the type of Layer 7 health you want to use for the port. You can specify dns or 53.
5 - 48
Health Checks
ServerIron(config)#server virtual-name-or-ip v2 192.168.1.161 ServerIron(config-vs-v2)#port http ServerIron(config-vs-v2)#no port http translate ServerIron(config-vs-v2)#bind http rs32 81 ServerIron(config-vs-v2)#exit ServerIron(config)#server real rs32 64.1.1.32 ServerIron(config-rs-rs32)#port http ServerIron(config-rs-rs32)#port http keepalive ServerIron(config-rs-rs32)#port http url "HEAD /" ServerIron(config-rs-rs32)#port 81 ServerIron(config-rs-rs32)#port 81 keepalive ServerIron(config-rs-rs32)#port 81 url "GET /81keepalive.htm" ServerIron(config-rs-rs32)#exit In this configuration, two VIPs are bound to a single real server. VIP v2 uses port 81 as an alias for port 80; information the ServerIron receives about port 81 is attributed to VIP v2. If VIP v1 is taken down for maintenance, the Layer 7 health check done for port 80 fails, and the ServerIron marks the HTTP port FAILED. However, health checks continue to be performed for port 81. Port 81 (and thus VIP v2) will continue to be reported active as long as it passes its health check.
Health-Check State
When you attach a health-check policy to a real servers application port, the ServerIron uses the health-check policy for periodic health checks and also for the next initial bringup of the server. When a health-check policy is attached, the ServerIron no longer uses the default health check methods for initial bringup and periodic health checks.
1.Real servers include those added using the server real-name command and those added using the server remote-name command. Generally, both types of servers are referred to as real servers. An application port is a port that uses the TCP or UDP protocol. You associate health-check policies with TCP or UDP ports on the real servers (not with physical ports on the servers). September 18, 2008 2008 Foundry Networks, Inc. 5 - 49
For the ServerIron to use a health-check policy, you must enable health checking (keepalive) at either the port profile level or the real server level for the server port. Otherwise, the state of the policy is FALSE and the state of the server port remains the state that it was before you attached the policy. NOTE: Use the show healthck command to display the policy state. Use the show server real-name <name> command to show the real server port state. If health checking for a server port is disabled at the port profile level and also at the real server level, the ServerIron will continue to use the state that is based on the health check during the initial server bringup. The ServerIron will not be able to update the ports state if the state changes. To enable health checking at the port profile level, enter commands such as the following: ServerIron(config)#server port 80 ServerIron(config-port-80)#tcp keepalive enable The commands enable health checking for TCP port 80. For a UDP port, enter commands such as the following: ServerIron(config)#server port 53 ServerIron(config-port-53)# udp keepalive enable To enable health checking at the real server level, enter commands such as the following: ServerIron(config)#server real-name R1 10.10.10.10 ServerIron(config-rs-R1)#port 80 keepalive You can enable health checking at the port profile level, at the real server level, or both. Health checking must be enabled on at least one of these levels for the ServerIron to use the health-check policy you attach to the port.
Health-Check Policy
Health-check policies consist of element-action expressions and logical expressions. An Element-action expression consists of the IP address of the server, the Layer 4 protocol (TCP or UDP), and the application port on the server. For some applications, the element-action expression can also include Layer 7 application-specific health check information. A Logical expression is a set of element-action expressions joined by the Boolean operators OR, AND or NOT. To create a health-check policy that is successful if at least one of the applications passes its health check, use OR. To configure a health-check policy that is successful only if the ServerIron receives a successful reply from all servers and application ports in the policy, use the operator AND. To configure a health-check policy that is successful if none of the elements responds to the health check, use the operator NOT.
You can use the same element-action expressions in multiple logical expressions if desired. You can configure up to 254 health-check policies. To use a health-check policy: 1. 2. 3. Configure the element-action expressions. Configure the health-check policy using element-action expressions and logical expressions joined by the operators AND or OR or NOT. Attach logical expressions to application ports on specific real servers. A health check policy does not take effect until you attach it to an application port on a server.
5 - 50
Health Checks
NOTE: A health-check policy does not take effect (begin sending health check packets) until you attach the policy to an application port on a real server.
5 - 51
These commands configure an element-action expression for unknown port 8080 and associate the default health check parameters for port 80 with the unknown port. To customize the Layer 7 health check parameters for a port, add the information with the protocol command, as in the following example: ServerIron(config)#healthck check1 tcp ServerIron(config-hc-check1)#dest-ip 10.10.10.50 ServerIron(config-hc-check1)#port 8080 ServerIron(config-hc-check1)#protocol http url "GET/sales.html" The protocol command in this example changes the Layer 7 health check parameters for this HTTP port to a GET request for a page named "sales.html". Syntax: [no] healthck <string> tcp | udp This command begins configuration of the element-action expression. The <string> parameter specifies the name for the expression and can be up to 20 characters long. The tcp | udp parameter specifies whether you are configuring an expression for a TCP application port or a UDP application port. There is no default. Syntax: [no] dest-ip <ip-addr> This command specifies the IP address of the real server. Syntax: [no] port <tcp/udp-port> This command specifies the application port number. NOTE: If you do not specify the server IP address and the application port, the ServerIron will list the status of the health check as FALSE (failed). You can specify any valid number, or one of the following port names well-known to the ServerIron: dns port 53 ftp port 21. (Ports 20 and 21 both are FTP ports but in the ServerIron, the name ftp corresponds to port 21.) http port 80 imap4 port 143 ldap port 389 nntp port 119 ntp port 123 pop2 port 109 pop3 port 110 radius port 1812 radius-old the ServerIron name for UDP port 1645, which is used in some older RADIUS implementations instead of port 1812 smtp port 25 snmp port 161 ssl port 443 telnet port 23 tftp port 69
5 - 52
Health Checks
NOTE: If you enter the no port <tcp/udp-port> command to remove the port, the ServerIron also removes the protocol <tcp/udp-port> command (see below) if the port is well-known to the ServerIron. This is because the ServerIron automatically uses the protocol that matches the well-known port. Otherwise, the ServerIron does not remove the protocol. You must remove it separately. Syntax: [no] protocol <tcp/udp-port> This command specifies a port whose health-check mechanism you want to use for the port specified by the port command. You need to use this command only if the port specified by the port command is not one of the ports listed above but the port is the same type as one of the ports listed above. For example, use this command if you want to use the DNS health-check mechanism for a port other than 53. NOTE: You must specify the port using the port command before you enter the protocol command. If the port command specified a port that is well-known to the ServerIron, the ServerIron automatically uses the protocol that matches the port; you do not need to specify it and cannot change it. NOTE: If you remove the Layer 7 health check information (using a no protocol command), the application will fail the health check. If you want the ServerIron to use a Layer 4 health check instead, enter the l4-check command to change the health-check type to Layer 4. If the port is not well-known to the ServerIron and you do not specify a protocol for the Layer 7 health check, but Layer 7 health checking is enabled for the port, the port will fail the health check. See "Changing the Health-Check Type" below. For some ports, you also can customize the Layer 7 information sent with the health check. Here is the syntax. Syntax: [no] protocol http | 80 [url [GET | HEAD] [/]<URL-page-name> | port http status_code <range> [<range>[<range>[<range>]]] | content-match <matching-list-name>] This command changes one of the following HTTP health-check parameters. To change more than one of these parameters, enter a separate protocol http or protocol 80 command for each parameter. url [GET | HEAD] [/]<URL-page-name> This parameter specifies whether the HTTP health check performs a GET request or a HEAD request. For GET requests, you can specify the page that is requested. By default, a GET request asks for page 1.0. port http status_code <range> [<range>[<range>[<range>]]] This parameter changes the HTTP status codes that the ServerIron will accept as valid responses. Each <range> specifies the low number and high number in a range of status codes. You can specify up to four ranges (total of eight values). To specify a single message code for a range, enter the code twice. For example to specify 200 only, enter the following command: port http status_code 200 200. For SLB, the default status code range is 200 299. If the servers reply to the health check contains a status code within this range, the ServerIron considers the HTTP application to be healthy. content-match <matching-list-name> This parameter attaches a match list for an HTTP content verification health check to the real server. An HTTP content verification health check is a type of Layer 7 health check in which the ServerIron examines text in an HTML file sent by a real server in response to an HTTP keepalive request. The ServerIron searches the text in the HTML file for user-specified selection criteria and determines whether the HTTP port on the real server is alive based on what it finds. The selection criteria used in HTTP content verification is contained in a matching list that is attached to one or more real servers. The following is an example of the commands used to set up a matching list. For information on how to configure the match lists, see Configuring HTTP Content Matching Lists on page 5-35.
Syntax: [no] protocol dns | 53 [addr_query "<name>" | zone <zone-name>] This command changes one of the following DNS health-check parameters. To change more than one of these parameters, enter a separate protocol dns or protocol 53 command for each parameter.
5 - 53
addr_query "<name>" This parameter specifies a domain name to be requested from the real server by the ServerIron. If the server successfully responds with the IP address for the domain name, the server passes the health check. There is no default. zone <zone-name> This parameter specifies a DNS zone name. The ServerIron sends a Source-ofAuthority (SOA) request for the zone name. If the server is authoritative for the zone and successfully responds to the SOA request, the server passes the health check. There is no default.
NOTE: If you do not configure one of these parameters, the DNS port will fail the health check. Syntax: [no] protocol radius | 1812 [username <string>] | [password <string>] | [key <string>] This command changes one of the following RADIUS health-check parameters. The health check requests values that are configured on the RADIOS server. To change more than one of these parameters, enter a separate protocol radius or protocol 1812 command for each parameter. username <string> This parameter specifies an authentication username on the server. password <string> This parameter specifies an authentication password on the server. key <string> This parameter specifies an authentication key on the server.
Syntax: [no] protocol ldap | 389 [<num>] This command changes the LDAP version. The health check sent by the ServerIron differs depending on the version. You can specify 2 or 3. The default is 3.
5 - 54
Health Checks
NOTE: The number of retries is the total number of attempts the ServerIron will make. Thus, if you use the default interval and retries values, the ServerIron will send up to three health-check packets, at 5-second intervals. If a server does not respond within 15 seconds of the time the ServerIron sent the first health-check packet, the server fails the health check and the ServerIron concludes that the server is not available. To change the interval for a health check, enter a command such as the following at the configuration level for the element-action expression that contains the health check: ServerIron(config-hc-check1)#interval 30 Syntax: [no] interval <secs> You can specify from 2 120 seconds. The default is 5 seconds. To change the number of retries for a health check, enter a command such as the following at the configuration level for the element-action expression that contains the health check: ServerIron(config-hc-check1)#retries 4 Syntax: [no] retries <num> You can specify from 1 5 retries. The default is 3 retries. NOTE: You also can globally change the interval and retries for a an application port by editing its port profile. See Configuring a Port Profile on page 5-22.
The port is not well-known to the ServerIron but you used the protocol command to specify the protocol of one of the well-known ports. By specifying the protocol, you configure the ServerIron to use the protocols Layer 7 health-check method for the port.
If the TCP port is not one of the ports above or you did not specify a Layer 7 health-check method (using the protocol command), the ServerIron uses the Layer 4 health check for TCP.
5 - 55
NOTE: Changing the health-check type for UDP application ports has no effect. If the application port is RADIUS (1812) or DNS (53) or uses the health-check method of one of these ports, the ServerIron uses a Layer 7 health check. Otherwise, the ServerIron uses the Layer 4 health check for UDP. The Layer 7 health-check methods differ depending on the application: TCP The ServerIron attempts to engage in a normal three-way TCP handshake with the port on the real server: The ServerIron sends a TCP SYN packet to the port on the real server. The ServerIron expects the real server to respond with a SYN ACK. If the ServerIron receives the SYN ACK, the ServerIron sends a TCP RESET, satisfied that the TCP port is alive.
UDP The ServerIron sends a UDP packet with garbage (meaningless) data to the UDP port. If the server responds with an ICMP Port Unreachable message, the ServerIron concludes that the port is not alive. If the server does not respond at all, the ServerIron assumes that the port is alive and received the garbage data. Since UDP is a connectionless protocol, the ServerIron and other clients do not expect replies to data sent to a UDP port. Thus, lack of a response is a good outcome.
ServerIron(config-hc-check1)#l4-check The command in this example configures the ServerIron to use the Layer 4 health check for the application port in the element-action expression. Since the application port in this element-action expression is HTTP, the ServerIron will use the Layer 4 health check for TCP. Syntax: [no] l4-check | l7-check
5 - 56
Health Checks
You can use a health-check policy as an element-action expression in another policy. To configure a health-check policy, enter commands such as the following: ServerIron(config)#healthck "httpsrvr" boolean ServerIron(config-hc-httpsrvr)#and "check1" "check2" These commands configure a health-check policy that uses the element-action expressions "check1" and "check2". Since the AND operator is used, the real servers in both "check1" and "check2" must reply successfully for the health check to be successful. If only one of the servers replies, the health check is unsuccessful and the ServerIron stops using all the server application ports in the health-check policy "httpsrvr". Syntax: [no] healthck "<policy-name>" boolean Syntax: and | or "<element-name>" "<element-name>" The <policy-name> parameter specifies the name of the health-check policy. The name can be up to 20 characters long. The name cannot contain blanks. The and | or | not parameter specifies a logical operator in the health-check policy. You can enter two elementaction expressions along with the logical operator and or or or not. If you specify and, the policy evaluates to true only if all elements (IP addresses) respond to the health check. If you specify or, the policy is true if at least one of the elements responds to the health check. If you specify not, the policy is true if none of the elements responds to the health check.
If you are configuring a boolean UDP health check policy a link, define the static next hop MAC address along with a VLAN ID for on that link; otherwise, the ServerIron cannot learn the next-hop-mac-address of that link. Enter commands such as the following to define a static next-hop-mac-address and a vlan-id: ServerIron(config-link-link3)#next-hop-mac-address 00e0.5208.dd8e vlan-id 40 The address 00e0.5208.dd8e is the MAC address of Link3's access router interface. Vlan-id 40 is the ServerIrons interface that is used to connect Link3's access router is in vlan 40 Syntax: next-hop-mac-address <mac-address> vlan-id <vlan#>
5 - 57
ServerIron(config-hc-nested2)#healthck checkall boolean ServerIron(config-hc-checkall)#or nested1 nested2 In this example, the OR logical operator is used in all the policies. Thus, the "checkall" health check is successful if at least one of the four servers responds. To create more restrictive policies, you can use the AND logical operator. For example, if the AND operator is used in this configuration instead of OR, the health check is successful only if all four servers respond. You also can combine policies that use AND with policies that use OR in nested health-check policies.
5 - 58
Health Checks
Table 5.7: Health-Check Policy Status This Field... Total nodes Max nodes Name Value Displays... The number of health-check policies in the configuration. The number includes attached and unattached policies. The maximum number of health-check policies you can configure. The element-action expression or policy name. The current value of the policy. The value can be one of the following: TRUE The most recent health check performed using this policy was successful. The ServerIron received a valid reply to the health check. FALSE The most recent health check performed using this policy was unsuccessful. N/B The health check is not bound to any VIP and thus is not in use. N/A (Not Attached) The policy is not attached to a real server. NOTE: If the policy is disabled, the value is always TRUE. This is because the ServerIron assumes a server is healthy unless its health check is enabled and the server has not responded appropriately to the health check. Enable The state of the policy, which can be one of the following: Type YES The policy is enabled. NO The policy is disabled. na (not applicable) This field does not apply to the policy. This value indicates that the policy is not attached to a real server.
The element-action expression or policy type. For Layer 3 health checks, this information consists of ICMP and the IP address tested by the health check. Values can be one of the following: tcp An element-action expression for a TCP application port. udp An element-action expression for a UDP application port. and A policy containing element-action expressions joined by AND. or A policy containing element-action expressions joined by OR.
Dest-IP
For element-action expressions, the IP address of the real server. For policies, this field shows the element-action expressions in the policy. The value " - " indicates that the IP address has not been specified.
Port Proto
For element-action expressions, the application port. This field does not apply to policies. For element-action expressions, the health-check method to be used for the port. Note: If the value is " - ", the protocol has not been specified and the port is not well-known to the ServerIron.
5 - 59
Table 5.7: Health-Check Policy Status (Continued) This Field... Layer Displays... The type of health check, which can be one of the following: l4-chk Layer 4 TCP or UDP health check. l7-chk Layer 7 application-specific health check.
Table 5.8: Health-Check Policy Statistics This Field... Sent Received Displays... The number of health-check packets sent by bound health-check policies. The number of replies received. A received reply results in a true condition. Note: Since the ServerIron retries a health check if a reply is not received, a higher sent count than receive count does not necessarily indicate a problem. Invalid Replies The number of replies that were received that had an invalid ID. The ServerIron is sometimes able to resolve an invalid ID. If the ServerIron cannot resolve the invalid ID, the device drops the reply and increments the Dropped Replies counter. The number of replies that the ServerIron dropped.
Dropped Replies
5 - 60
Health Checks
5 - 61
Overview of Server Port Bringup on page 5-62 Command Line Interface on page 5-62
5 - 62
Health Checks
A connection consists of two sessions, a send session and a receive session. For example, a TCP connection between a client and a server consists of two sessions, a client-to-server session and a server-to-client session. NOTE: "Stateless" features such as stateless application ports and stateless health checks do not use session table entries. This section describes how to configure the following session table parameters: Maximum number of sessions Maximum age of TCP session entries Maximum age of UDP session entries Clock scale for TCP and UDP session age timers Logging of session table entries
For this change to take effect, you must save the change to the startup-config file, then reload the software using the following commands: ServerIron(config)#write memory ServerIron(config)#end ServerIron#reload
In the example, if the fast-age threshold is reached, sessions as old as or older than a specified amount of time (for example, 5 minutes) are aged out until the number of available sessions climbs above 150,000. If the random
5 - 63
threshold is reached, sessions are aged out at random until the number of available sessions climbs above 150,000. NOTE: The default maximum number of sessions for each BP on ServerIron Chassis devices is 2,000,000; you can change this with the server session-wsm-limit command. Fast session aging is disabled by default. To configure fast session aging, enter a command such as the following: ServerIron(config)#server session-max-idle 5 30 10 Syntax: [no] session-max-idle <max-idle-time> [<fast-age-threshold> <random-threshold>] The <max-idle-time> specifies the number of minutes allowed for idle sessions when <fast-age-threshold> is configured. When <fast-age-threshold> is reached, sessions that are the same as and older than the threshold are aged out until the number of free sessions exceeds <fast-age-threshold>. The <max-idle-time> can be from 1 30 minutes. The default is 0 minutes (disabled). To enable fast session aging, you must specify a value for <max-idle-time> greater than 0. When the number of available sessions drops below the <fast-age-threshold>, sessions older than <max-idletime> are aged out until the number of free sessions exceeds the threshold. The <fast-age-threshold> is expressed as a percentage of the maximum number of sessions available on the ServerIron. The <fast-agethreshold> can be from 10 70 percent. The default is 33 percent. When the number of available sessions drops below the <random-threshold>, sessions are aged out randomly, without regard to session age, until the number of free sessions exceeds the threshold. The <random-threshold> is expressed as a percentage of the maximum number of sessions available on the ServerIron. The <randomthreshold> can be from 1 30 percent. The default is 0 percent (disabled). NOTE: Even though the <max-idle-time> value is not used with the random-age threshold, you must still specify a value for <max-idle-time> when configuring the random threshold, since specifying a value for <max-idle-time> enables the fast session aging feature.
Syntax: show server sessions If the fast-age threshold is configured, the command displays the total number of sessions that were aged out because the number of free sessions dropped below the fast-age threshold, as well as the number of these sessions that were aged out in the last 60 seconds.
5 - 64
Health Checks
If the random threshold is configured, the command also displays the total number of sessions that were aged out at random because the number of free sessions dropped below the random threshold, as well as the number of sessions that were aged out randomly in the last 60 seconds.
5 - 65
The ServerIron immediately deletes a UDP DNS or RADIUS session table entry when it receives a reply for the application from a real server. You can configure the ServerIron to age these ports like other UDP ports, using the UDP age timer. See Enabling Normal UDP Aging for DNS and RADIUS on page 3-71. For DNS and RADIUS UDP load balancing, the age value does not follow the normal configuration and default value unless udp-normal-age is configured on the port, under the virtual server port definition, port dns udpnormal-age. (See Enabling Normal UDP Aging for DNS and RADIUS on page 3-71.) The default UDP age will always be 2 minutes unless udp-normal-age is configured.
To adjust the clock scale for configurations that require TCP or UDP timeouts longer than the maximum configurable value (60 minutes), enter a command such as the following: ServerIron(config)#server clock-scale 2 When you set the clock scale to 2, the TCP and UDP age timer values are multiplied by 2. Thus, a TCP age of 60 would then be equivalent to 120 minutes instead of 60 minutes. Syntax: [no] server clock-scale <multiplier> The <multiplier> can be a value from 1 20. The default is 1.
You can enable TCP/UDP logging on a global basis for all TCP and UDP ports or for individual TCP or UDP ports. When you enable TCP/UDP logging, you can specify whether all new session table entries generate log messages or only the entries that are used for Source NAT. In addition, you can enable logging for URL or Cookie information. The URL logging option applies only when URL switching is enabled. The Cookie logging option applies only when Cookie switching is enabled. Here is an example of a Syslog message for a session: src-ip = 192.168.002.032 src-port = 00197 dst-ip = 192.168.002.012 dst-port = 00080 protocol = TCP time =0000078656 Url = abcdefghijklmnop Cookie = qrstuvwxyz Internet
5 - 66
Health Checks
The "Internet" parameter at the end of the message applies only to TCS, and indicates that the ServerIron sent the client request to the Internet instead of to a cache server. The time value in this example is in the format for devices on which the system time add date have not been set. For information, see the ServerIron. NOTE: The feature description and command syntax use the terms session and connection. A connection consists of multiple sessions, for the send and receive directions. NOTE: Since the log messages are generated when the software creates a session table entry, features that do not use session table entries do not result in log messages. For example, if you configure a TCP or UDP port to be stateless, the ServerIron does not create session table entries for the port and therefore does not generate log messages for the port.
Slow-Start Mechanism
When the ServerIron begins sending client requests to a real server that has recently gone online, it allows the server to ramp up by using the slow-start mechanism. The slow-start mechanism allows a server (or a port on the server) to handle a limited number of connections at first and then gradually handle an increasing number of connections until the maximum is reached. The ServerIron uses two kinds of slow-start mechanisms:
5 - 67
The non-configurable server slow-start mechanism applies to a real server that has just gone online The configurable port slow-start mechanism applies to individual TCP application ports that have just been activated on a real server
Overview
The ServerIron uses the server slow-start mechanism to adjust the maximum number of connections that can be established for a real server that has just gone online. The ServerIron begins with a connection limit that is lower than the maximum configured value (which is one million by default) and gradually increases this connection limit until the maximum configured value is reached. The server slow-start mechanism is especially useful when least connections is the distribution predictor. Without the server slow-start mechanism, a server that is just brought online could receive all the new connections in a flurry, which could bring the server down. Many servers cannot handle more than 2,000 new connections per second. NOTE: The server slow-start mechanism is always applied to all real servers when they are brought online. Unlike the slow-start mechanism for individual ports, described in the next section, the server slow-start mechanism is not configurable. The two graphs in Figure 5.3 illustrate how the server slow-start mechanism ramps up the connections for a real server during the 30-second slow-start period. The graph on the left shows the rate at which the number of connections increases over the slow-start period. The graph on the right shows how the maximum number of connections the ServerIron allows for the real server increases over the slow-start period.
5 - 68
Health Checks
Figure 5.3
1,000,000
50
500
40
400
30
300
20
200
10
100
10
20
30
10
20
30
The graph on the left shows the rate at which the ServerIron allows connections for a given real server, as follows: From the time the real server is brought online until 10 seconds afterwards, the ServerIron allows the real server up to 10 new connections every second. From 10 seconds to 30 seconds, the ServerIron allows up to 20 new connections every second. After 30 seconds, the connection flow control delivered by the slow-start mechanism ends, and the ServerIron allows up to the maximum number of connections to the server. The maximum number of allowed connections for a real server is set by the max-conn command; this is one million connections by default.
The graph on the right shows how the maximum number of connections allowed for the real server increases over the 30-second slow-start period. The following table lists the maximum number of connections a real server can have during each second of the slow-start period.
Max. Connections 10 20 30
5 - 69
Max. Connections 280 300 320 340 360 380 400 420 440 460 480 500
When the slow-start period ends after 30 seconds, the maximum number of connections a real server can have is determined by the max-conn setting for the real server; this is one million connections by default. NOTE: When you disable and re-enable a real server, the ServerIron will go through the slow-start mechanism for the server if it is not disabled. When you disable and re-enable a real-server port, the ServerIron does not go through the port level slow-start mechanism.
5 - 70
Health Checks
Figure 5.4
Rate at which the ServerIron allows connections for a port on a real server
Total number of connections allowed for the port on the real server
1,000,000
100
2,500
90
80
70
60
1,500
50
40
1,000
10
The graph on the left shows the rate at which the ServerIron allows connections for a given port on a real server, as follows: From the time the port is activated until 10 seconds afterwards, the ServerIron allows the port up to 10 new connections every second. From 10 seconds to 20 seconds, the ServerIron allows up to 20 new connections every second. From 20 seconds to 30 seconds, the ServerIron allows up to 30 new connections every second. From 30 seconds to 40 seconds, the ServerIron allows up to 40 new connections every second. From 40 seconds to 50 seconds, the ServerIron allows up to 50 new connections every second. From 50 seconds to 60 seconds, the ServerIron allows up to 100 new connections every second. After 60 seconds, the connection flow control delivered by the slow-start mechanism ends, and the ServerIron allows up to the maximum number of connections for the port on the server. The maximum number of allowed connections for a real server is set by the max-conn command; this is one million connections by default.
The graph on the right shows how the maximum number of connections allowed for the port on the real server increases over the slow-start period. The following table lists the maximum number of connections a port can have at 10-second intervals.
5 - 71
When the slow-start period ends after 60 seconds, the maximum number of connections a port on a real server can have is determined by the max-conn setting for the real server; this is one million connections by default.
5 - 72
Health Checks
the slow-start period. In this example, <interval1> is 30 seconds, and <interval2> is 30 seconds, so the slow-start period is 60 seconds. The <max-connections> parameter sets a ceiling for the number of concurrent connections allowed for the port during the time the server is active. This can be a number from 1 1000000. No more than this number of connections can be established for the port on the real server where this slow-start mechanism is applied.
5 - 73
Figure 5.5
1,000,000
100
900
90
80
50
40
300
30
Rate 2
20
Rate 1
10
10
20
30
40
50
60
10
20
30
40
50
60
Interval 1
Interval 2
The graph on the left shows the rate at which the ServerIron allows HTTP connections for real server rs1, as follows: From the time port 80 (HTTP) on real server rs1 is activated, until 30 seconds afterwards (until the end of interval 1), the ServerIron allows the real server up to 10 (rate 1) new HTTP connections every second. From 30 seconds to 60 seconds (until the end of interval 2), the ServerIron allows up to 20 (rate 2) new HTTP connections every second. After 60 seconds (interval 1 plus interval 2), the slow-start period ends, and the ServerIron allows up to the maximum number of connections for the server set by the <max-connections> parameter in the slow start list.
The graph on the right shows how the maximum number of possible HTTP connections for real server rs1 increases over the slow-start period: Ten seconds after going online, the maximum number of HTTP connections real server rs1 can have is 300: a maximum of 10 (rate 1) new HTTP connections per second for 30 (interval 1) seconds equals 300 total HTTP connections for real server rs1. After 30 seconds, the maximum number of HTTP connections for real server rs1 increases by 20 (rate 2) connections per second, until 600 HTTP connections (the ceiling specified by the <max-connections> parameter in the slow-start list) is reached. This ceiling of concurrent 600 HTTP connections applies for the entire time the server is active; the ServerIron allows the server no more than this number of concurrent HTTP connections. 2008 Foundry Networks, Inc. September 18, 2008
5 - 74
Health Checks
5 - 75
request to the LDAPS server and waits for a reply. The bind request includes a configurable version number, either 2 or 3 (by default, version 3). If the LDAPS server sends a bind reply with a result code of 0 (no error), the ServerIron resets the connection and marks the port ACTIVE. If the LDAPS server does not send a bind reply by the time the LDAPS keepalive interval expires, the ServerIron retries the health check up to the number of times configured (by default, two retries). If the LDAPS server still does not respond, the ServerIron marks the server port FAILED and removes the LDAPS server from the load-balancing rotation for LDAPS service.
You can configure standard (non-Boolean) LDAPS health checks, as well as Boolean LDAPS health checks. Health checking commands available for other TCP ports are also available for the LDAPS port.
Enhancement Description
When configured to send a string to the server, the ServerIron will establish a TCP connection and immediately send the configured string to the server. The device then waits for the server to send ASCII text and then brings up/down the server port based on the configured match-list policy. New content-check options have also been added to the existing port <port-name> command:
5 - 76
Health Checks
Syntax: [no] port <port-name> content-check <match-list-name> Syntax: [no] port <port-name> content-check send "<string>" Previous to Release 09.2.00, content checking was supported only for unknown ports (decimal notation). Starting in 09.2.00, it is also supported for well-known ports (HTTP, SMTP, and so on). Specifying the <match-list-name> parameter for a content-check is also supported for both known and unknown ports.
Configuration Example
The following commands configure ServerIron to send a SYN packet to server 10.10.1.31, unknown port 1234. On receiving a SYN-ACK from the server, the ServerIron is to send a TCP packet with the data "how are you". The ServerIron will then wait for a response from the server. In the data of the TCP packets sent by the server, the ServerIron will look for the pattern good. If found, ServerIron marks the boolean policy as TRUE, else would mark it as FALSE. ServerIron(config)#healthck service-test tcp ServerIron(config-hc-service-test)#dest-ip 10.10.1.31 ServerIron(config-hc-service-test)#port 1234 ServerIron(config-hc-service-test)#port 1234 content-check m1 ServerIron(config-hc-service-test)#port 1234 content-check send "how are you" ServerIron(config-hc-service-test)#l7-check ServerIron(config-hc-service-test)#exit ServerIron(config)#http match-list m1 ServerIron(config-http-ml-m1)#up simple good ServerIron(config-http-ml-m1)#default down The l7-check command (Layer 7 check) is required for the ServerIron to send the script. The default is l4-check. When l7-check is configured, the ServerIron, after establishing the TCP connection, attempts to test if the Layer 7 application on the server port is functioning properly. If the port is HTTP for example, the ServerIron sends a URL get request and checks the reply packet for a standard HTTP status code. For example, the ServerIron would send "GET /service-test HTTP/1.1\r\nHost:www.foundrynet.com\r\n\r\n", and a response would be expected from the HTTP server. If the check passes, a value of "TRUE" is displayed. If the check does not pass, a value of "FALSE" is displayed. A value of "N/A" means the boolean check has not yet been attached to a port: To verify whether the check is working, enter the following command: SLB-ServerIron(config-hc-service-test)#show healthck Total nodes: 1; Max nodes: 128 Name Value Enable Type Dest-IP Port ProtoLayer -------------------------------------------------------------------------service-test TRUE YES tcp 10.10.1.31 1234 l7-chk
To debug HTTP, use the following command in global configuration mode: Syntax: server debug http keepalive 2
5 - 77
NOTE: To debug HTTP as mentioned, you must have a server that will respond to the health checks before any debugging is displayed.
5 - 78
Layer 7 (L7) switching allows the ServerIron to make forwarding decisions about HTTP traffic using information in a URL, cookie, or SSL session ID. This chapter describes the Layer 7 Switching features in ServerIron. It contains the following major sections: SECTION 1: Advanced Layer 7 Switching Features on page 6-1 SECTION 2: Legacy Layer 7 Switching Features on page 6-46 SECTION 3: Advanced L7 and Legacy L7 "Common Features" on page 6-82 SECTION 4: HTTP 1.1 Support for Advanced and Legacy L7 Switching on page 6-87 You cannot use FWLB and the features described in this chapter on the same ServerIron.
NOTE:
NOTE: Fast session synch is not supported in Layer 7 or tcp-offload configurations. NOTE: You can define up to 256 policies and 512 rules system wide.
6-1
NOTE: You cannot enable URL switching and L7 content switching simultaneously on the same virtual server. NOTE: You can define up to 256 CSW policies and up to 512 CSW rules. To configure L7 content switching, you define content switching rules and policies. A rule specifies the content that the ServerIron looks for in the incoming traffic, and a policy associates rules with one or more actions that specify how the ServerIron handles traffic matching the rule. The following sections explain how to configure L7 content switching on a ServerIron Chassis device, and how to display information about a L7 content switching configuration.
NOTE: You cannot enable URL switching and L7 content switching on the same virtual server.
6-2
tag in an incoming packet. See 1.2.5 XML Tag Rules on page 6-5. In addition, you can combine rules with logical operators AND, OR, and NOT to create nested rules. See 1.2.6 Configuring the Nested Rules on page 6-6.
Table 6.1: URL rules for L7 content switching URL Rule Name URL Exists Description Syntax Example
Matches if a URL string exists in the incoming packet. Matches if the URL string begins with the specified prefix. Matches if the URL string ends with the specified suffix.
URL Prefix
[no] csw-rule <rule-name> url prefix csw-rule r1 url prefix "/home" <value> [no] csw-rule <rule-name> url suffix csw-rule r1 url suffix ".gif" <value>
URL Suffix
6-3
Table 6.1: URL rules for L7 content switching URL Rule Name Description Syntax Example
URL Pattern Matches if the specified pattern exists anywhere within the URL string.
URL Equals Matches if the URL [no] csw-rule <rule-name> url string is equal to the equals <value> specified value. URL Search Matches if the URL [no] csw-rule <rule-name> url string contains any search <value> one of up to five specified values. This type of rule can be used with the persist action.
r1 r1 r1 r1 r1
Table 6.2: HTTP header rules for L7 content switching HTTP Header Rule Name Header Exists Description Syntax Example
Matches if the specified HTTP header field exists in the incoming packet.
[no] csw-rule <rule-name> csw-rule r1 header "host" exists header <header-name> exists
Header Prefix
Matches if the [no] csw-rule <rule-name> csw-rule r1 header "host" prefix "www" value in the header <header-name> specified HTTP prefix <value> header field begins with the specified prefix. Matches if the value in the specified HTTP header field ends with the specified suffix. [no] csw-rule <rule-name> csw-rule r1 header "host" suffix "com" header <header-name> suffix <value>
Header Suffix
6-4
Table 6.2: HTTP header rules for L7 content switching HTTP Header Rule Name Description Syntax Example
Header Pattern Matches if the [no] csw-rule <rule-name> csw-rule r1 header "cookie" pattern specified pattern header <header-name> "Serverid" exists anywhere pattern <value> within the specified HTTP header field. Header Equals Matches if the contents of the specified HTTP header field are equal to the specified value. [no] csw-rule <rule-name> csw-rule r1 header "host" equals header <header-name> "www.yahoo.com" equals <value>
Header Search Matches if the [no] csw-rule <rule-name> specified HTTP header <header-name> header field search <value> contains any one of up to five specified values. This type of rule can be used with the persist action.
search search
Table 6.3: XML tag rules for L7 content switching XML Tag Rule Name XML Tag Exists Description Syntax Example
Matches if the [no] csw-rule <rule-name> xml- csw-rule r1 xml-tag "name" exists tag <tag-name> exists specified XML tag exists in the incoming packet. Matches if the value in the specified XML tag begins with the specified prefix. [no] csw-rule <rule-name> xml- csw-rule r1 xml-tag "name" prefix "ge" tag <tag-name> prefix <value>
6-5
Table 6.3: XML tag rules for L7 content switching XML Tag Rule Name XML Tag Suffix Description Syntax Example
Matches if the value in the specified XML tag ends with the specified suffix.
[no] csw-rule <rule-name> xml- csw-rule r1 xml-tag "name" suffix "ge" tag <tag-name> suffix <value>
Matches if the [no] csw-rule <rule-name> xml- csw-rule r1 xml-tag "name" pattern specified pattern tag <tag-name> pattern <value> "org" exists anywhere within the specified XML tag. Matches if the [no] csw-rule <rule-name> xml- csw-rule r1 xml-tag "name" equals contents of the tag <tag-name> equals <value> "george" specified XML tag are equal to the specified value. Matches if the [no] csw-rule <rule-name> xmlspecified XML tag <tag-name> search <value> tag contains any one of up to five specified values. This type of rule can be used with the persist action. csw-rule r1 xml-tag "name" search "geo" csw-rule r1 xml-tag "name" search "edw"
6-6
A nested rule cannot be specified within the <expression> of another nested rule. The <expression> must refer to more than one rule, unless the ! (logical NOT) operator is used.
If you specify a server group ID, you can optionally specify a cookie name. When you specify a cookie name, the ServerIron performs cookie switching on packets matching the rule, which ensures that packets matching the rule go to the same real server within the server group. See "Configuring Cookie Switching" in the ServerIron for more information.
6-7
ServerID=1
The number corresponds to one of 256 internal hashing buckets on the ServerIron
10
...
255
4 5
Using its load balancing metric, the ServerIron allocates a real server to the hashing bucket The ServerIron sends the HTTP request to the real server allocated to the persist strings hashing bucket
rs3
You can configure the ServerIron to hash the persist string to a server group ID instead of to a hashing bucket, or as an alternative to the hashing persist methods, you can configure the ServerIron to translate the persist string to a server ID, server group ID, server name, or alias name.
6-8
For a given rule, you can configure a primary persist action and a secondary persist action. If the primary persist action does not return a valid persist string, or if the server indicated by the primary persist string is not available, the ServerIron uses the secondary persist action to direct packets to a server. The following commands configure a rule and policy that use the persist action: ServerIron(config)#csw-rule r1 header host exists ServerIron(config)#csw-policy p1 ServerIron(config-csw-p1)#match r1 persist offset 0 length 0 In the example, the csw-rule command creates a rule that matches if an incoming packet contains an HTTP host header field. The csw-policy command creates a policy called p1. The match p1 persist command associates the rule with the persist action. As a result, if an incoming packet has an HTTP host header field, the contents of the host header field are used as the persist string. The ServerIron uses the persist string along with the default hashing-bucket persist method to calculate the real server to which to send the packet. Syntax: [no] match <rule-name> persist offset <offset> length <length> [[<persist-method>] [secondary]] or Syntax: [no] match <rule-name> persist offset <offset> terminator <string> [[<persist-method>] [secondary]] The <offset> specifies the offset in bytes from the beginning of the content matched by the <rule-name> to be used as the persist string. If you specify 0 as the <offset>, the persist string begins at the start of the matched content. The <length> specifies the length in bytes of the persist string. If you specify 0 as the <length>, the persist string ends at the end of the matched content. The terminator <string> specifies the string with which the persist string ends. The <persist-method> specifies the persist method to be used. You can specify one of the following: hash-to-bucket Hashes the persist string to a hashing bucket, as illustrated in Figure 6.1. This is the default. hash-to-group-id Hashes the persist string to a server group ID, instead of to a hashing bucket. group-or-server-id Translates the persist string to the ID of a real server or server group. server-name Translates the persist string to the name of a real server. alias-name Translates the persist string to the name of an alias. The secondary keyword indicates that this is a secondary persist action for the rule. If the primary persist action does not return a valid persist string, or if the server indicated by the primary persist string is not available, the ServerIron uses the secondary persist action to direct packets to a server.
<source-ipaddr> <source-port> <protocol> Rule matched, <action-message> Such as the following: 192.168.9.210 80 HTTP Rule matched, Forward To cause the ServerIron to write a message to Syslog when rule r1 is matched, enter a command such as the following: ServerIron(config-csw-policy1)#match r1 log Additionally, you can change the format of the Syslog message using the following tokens: $SIP Source IP address $DIP Destination IP address $SPT Source port $DPT Destination port $HST Host name $URL URL $RUL Rule name $ACT Action $CNT Matched content, such as the matched method, URL, version, or HTTP header
For example, the following command specifies an alternate format for the Syslog message: ServerIron(config-csw-policy1)#match r1 log "$SIP:$SPT->$DIP:$DPT,ru $RUL hit $ACT" In this example, when a packet matches rule r1, a message such as the following is written to Syslog: 192.168.9.210:80->10.10.10.10:80, ru r1 hit forward
For example, the following command causes the ServerIron to insert the cookie indicated by the port http cookiename command into the HTTP response when rule r1 is matched. ServerIron(config-csw-policy1)#match r1 rewrite insert-cookie Syntax: [no] match <rule-name> rewrite insert-cookie 6 - 10 2008 Foundry Networks, Inc. September 18, 2008
6 - 11
ServerIron(config-vs-vip1)# port http csw-policy "p1" ServerIron(config-vs-vip1)# port http csw ServerIron(config-vs-vip1)# bind http dns-rs-105 http These commands create a rule that searches for the cookie Server ID= within the cookie header of an incoming packet. NOTE: Under the VIP, you need to configure the same cookie name that is defined in rule r1. If the ServerID cookie is found in the request and there is only one cookie in the header, then the cookie header is damaged. if there are multiple cookies in the header, then only the matched cookie is damaged and the request is directed to the server or server group that was indicated by the value of the ServerID cookie. If no match is found under the p1 policy, the default action is taken. In this configure means forward traffic to one of group 1 server and insert cookie in respond.
6 - 12
C CSW Topology
Figure 6.2 shows a simple CSW network topology.
Figure 6.2 CSW Network Topology
For the CSW configuration shown in Figure 6.2 the following rules apply: The ServerIron receives incoming traffic on HTTP port, VIP 1.1.1.100. ServerIron is configured with content switching (CSW) rules and policies. Policy 1 is defined to rewrite URL content and forward request to the Web server 1. If a CSW rule is matched, the ServerIron rewrites the HTTP request and forwards it to Web Server 1 with server ID 1025 and IP address 1.1.1.1. If no CSW rule is matched, the ServerIron takes the default action, sending the HTTP request to Web Server 2 with server ID 1026 and IP address 1.1.1.2.
6 - 13
NOTE: For more information about offsets, see F. Explanation of Offsets on page 6-25. 9. Specify default action for client requests that do not match any other rules. Send such requests to Web server with ID 1026.
6 - 14
6 - 15
Delete Matched-String
To configure a request to delete a matched string in a CSW rule, follow these steps: 1. Define a CSW rule to search for a sub-string in a URL. ServerIron(config)#csw-rule r11 url pattern "-sample" Syntax: csw-rule <rule-name> url pattern <url-content> 2. Define a CSW policy. ServerIron(config)#csw-policy mypolicy
6 - 16
Syntax: csw-policy <policy-name> 3. Specify a primary action to foward a request to a server with an ID of 1025 when rule r11 is matched. ServerIron(config-csw-mypolicy)#match r11 forward 1025 Syntax: match <rule-name> forward <server-id> 4. Specify a dependent action to delete the sub-string -sample when it is found in the URL. ServerIron(config-csw-mypolicy)#match r11 rewrite request-delete matched-string Syntax: match <rule-name> rewrite request-delete matched-string 5. Specify a dependent log action. ServerIron(config-csw-mypolicy)#match r11 log Syntax: match <rule-name> log 6. Specify a default action. ServerIron(config-csw-mypolicy)#default forward 1026 Syntax: default forward <server-id> NOTE: The following section assumes you have already completed the previous configuration. If the ServerIron were to receive a request for URL /abc/xyz-sample/index.html, it would take the following actions: Delete sub-string "-sample" in the URL, which becomes /abc/xyz/index.html. Forward the request to Web Server 1. Log primary Forward action to the log server.
In this case, "-sample" is the deleted string that CSW rule r11 matches. The request is forwarded to the server with server ID 1025, which is defined by primary CSW action match r11 forward 1025. The highlighted URLs in the following two HTTP request messages show the difference between the original request and the rewritten request. If there is no sub-string "-sample" in the URL of the HTTP request, rule r11 is not hit, the request is sent to the server with server ID of 1026, which is defined by the default rule default forward 1026. EXAMPLE: Original HTTP Request GET /abc/xyz-sample/index.html HTTP/1.1\r\n Host: www.foo.com\r\n User-Agent: Mozilla/5.0 Netscape/7.02\r\n Accept-Charset: ISO-8859-1\r\n Cookie: name=foundrynet; userid=12345\r\n \r\n EXAMPLE: Rewritten HTTP Request GET /abc/xyz/index.html HTTP/1.1\r\n Host: www.foo.com\r\n User-Agent: Mozilla/5.0 Netscape/7.02\r\n Accept-Charset: ISO-8859-1\r\n Cookie: name=foundrynet; userid=12345\r\n \r\n
6 - 17
1.
Define a CSW rule to search for a prefix "/abc" in url. ServerIron(config)#csw-rule r12a url prefix "/abc" Syntax: csw-rule <rule-name> url prefix <prefix-content>
2.
3.
Specify a primary action. ServerIron(config-csw-mypolicy)#match r12a forward 1025 Syntax: match <rule-name> forward <server-id>
4.
Specify a dependent rewrite action. ServerIron(config-csw-mypolicy)#match r12a rewrite request-delete offset 4 2 Syntax: match <rule-name> rewrite request-delete offset <offset> <length>
NOTE: The following section assumes you have already completed the previous configuration. The URL prefix "/abc" is matched, offset 0 is at the second "/", which is right after the matched prefix "/abc" in the URL, which is defined in CSW "r12a"; so offset 4 is number "1" which is 4 byte away after the letter "c". The result is that 2 byte "12" is deleted in URL. EXAMPLE: Original HTTP Request GET /abc/xyz12/index.html HTTP/1.1\r\n Host: www.foo.com\r\n User-Agent: Mozilla/5.0 Netscape/7.02\r\n Accept-Charset: ISO-8859-1\r\n Cookie: name=foundrynet; userid=12345\r\n \r\n EXAMPLE: Rewritten HTTP Request GET /abc/xyz/index.html HTTP/1.1\r\n Host: www.foo.com\r\n User-Agent: Mozilla/5.0 Netscape/7.02\r\n Accept-Charset: ISO-8859-1\r\n Cookie: name=foundrynet; userid=12345\r\n \r\n
6 - 18
3.
Specify a primary action. ServerIron(config-csw-mypolicy)#match r12b forward 1025 Syntax: match <rule-name> forward <server-id>
4.
Specify a dependent rewrite action. ServerIron(config-csw-mypolicy)#match r12b rewrite request-delete neg-offset 11 6 Syntax: match <rule-name> rewrite request-delete neg-offset <offset> <length>
NOTE: The following section assumes you have configured the scenario above. When ".html" is matched, offset 0 is white space after letter "l", letter "l" is neg-offset 1, letter "m" is neg-offset 2, letter "t" is neg-offset 3 and so on; neg-offset 11 is "_". Count 6 byte from left to right starting with "_", you can see "_index" is to be deleted. EXAMPLE: Original HTTP Request GET /abc/xyz/defult_index.html HTTP/1.1\r\n Host: www.foo.com\r\n User-Agent: Mozilla/5.0 Netscape/7.02\r\n Accept-Charset: ISO-8859-1\r\n Cookie: name=foundrynet; userid=12345\r\n \r\n EXAMPLE: Rewritten HTTP Request GET /abc/xyz/default.html HTTP/1.1\r\n Host: www.foo.com\r\n User-Agent: Mozilla/5.0 Netscape/7.02\r\n Accept-Charset: ISO-8859-1\r\n Cookie: name=foundrynet; userid=12345\r\n \r\n
Delete String
NOTE: For more information about offsets, see F. Explanation of Offsets on page 6-25. To configure a request to delete a sub-string in a CSW rule, follow these steps: 1. Define a CSW rule. ServerIron(config)#csw-rule r13 url exists Syntax: csw-rule <rule-name> url exists 2. Define a CSW policy. ServerIron(config)#csw-policy mypolicy Syntax: csw-policy <policy-name> 3. Specify a primary action. ServerIron(config-csw-mypolicy)#match r13 forward 1025 Syntax: match <rule-name> forward <server-id> 4. Specify a dependent rewrite action. ServerIron(config-csw-mypolicy)#match r13 rewrite request-delete string "123" Syntax: match <rule-name> rewrite request-delete string <string-content>
6 - 19
NOTE: The following section assumes you have already completed the previous configuration. The url exist matches any url. If it exists in the request, search for "123" in url. if found, only delete "123"; if no "123" is found in the url, the original url is sent to the server. EXAMPLE: Original HTTP request: GET /abc/xyz123/index.html HTTP/1.1\r\n Host: www.foo.com\r\n User-Agent: Netscape/7.02\r\n Accept-Charset: ISO-8859-1\r\n Cookie: name=foundrynet; userid=12345\r\n \r\n EXAMPLE: Rewritten HTTP request: GET /abc/xyz/index.html HTTP/1.1\r\n Host: www.foo.com\r\n User-Agent: Netscape/7.02\r\n Accept-Charset: ISO-8859-1\r\n Cookie: name=foundrynet; userid=12345\r\n \r\n
6 - 20
Offset 0 is at the second "/", which is right after matched prefix "/abc", which is defined in CSW "r21". The result is that string "/hello-world" is inserted at the default offset 0, which is after letter "c". The original URL becomes "/abc/ hello-world/xyz/index.html". The highlighted URLs in the following two HTTP request messages show the difference between the original request and the one after being rewritten. EXAMPLE: Original HTTP request: GET /abc/xyz/index.html HTTP/1.1\r\n Host: www.foo.com\r\n User-Agent: Mozilla/5.0 Netscape/7.02\r\n Accept-Charset: ISO-8859-1\r\n Cookie: name=foundrynet; userid=12345\r\n \r\n EXAMPLE: Rewritten HTTP request: GET /abc/hello-world/xyz/index.html HTTP/1.1\r\n Host: www.foo.com\r\n User-Agent: Mozilla/5.0 Netscape/7.02\r\n Accept-Charset: ISO-8859-1\r\n Cookie: name=foundrynet; userid=12345\r\n \r\n
6 - 21
EXAMPLE: Original HTTP request: GET /abc/xyz/index.html HTTP/1.1\r\n Host: www.fool.com\r\n User-Agent: Mozilla/5.0 Netscape/7.02\r\n Accept-Charset: ISO-8859-1\r\n Cookie: name=foundrynet; userid=12345\r\n \r\n EXAMPLE: Rewritten HTTP request: GET /hello-world/abc/xyz/index.html HTTP/1.1\r\n Host: www.foo.com\r\n User-Agent: Mozilla/5.0 Netscape/7.02\r\n Accept-Charset: ISO-8859-1\r\n Cookie: name=foundrynet; userid=12345\r\n \r\n NOTE: When inserting a string in an HTTP request, make sure the negative offset is correctly specified. Incorrectly specifying the negative offset (out of range) may result in an improper HTTP request..
NOTE: The following section assumes you have already completed the previous configuration. The url exist matches the entire url. So the matched string is whole url "/abc/xyz/index.html". It is replaced by new string "/newabc/newxyz/newindex.html".
6 - 22
EXAMPLE: Original HTTP request: GET /abc/xyz/index.html HTTP/1.1\r\n Host: www.fool.com\r\n User-Agent: Mozilla/5.0 Netscape/7.02\r\n Accept-Charset: ISO-8859-1\r\n Cookie: name=foundrynet; userid=12345\r\n \r\n EXAMPLE: Rewritten HTTP request: GET /newabc/newxyz/newindex.html HTTP/1.1\r\n Host: www.fool.com\r\n User-Agent: Mozilla/5.0 Netscape/7.02\r\n Accept-Charset: ISO-8859-1\r\n Cookie: name=foundrynet; userid=12345\r\n \r\n
NOTE: The following section assumes you have already completed the previous configuration. Because url contains pattern "abc", rule r32 will be hit, then search for string "xyz" also found, so "xyz" will be replaced with string "1234". The following two HTTP request messages show the difference between the original request and the one after being rewritten. EXAMPLE: Original HTTP Request GET /abc/xyz/index.html HTTP/1.1\r\n Host: www.fool.com\r\n User-Agent: Netscape/7.02\r\n Accept-Charset: ISO-8859-1\r\n Cookie: name=foundrynet; userid=12345\r\n
6 - 23
\r\n EXAMPLE: Rewritten HTTP Request GET /abc/1234/index.html HTTP/1.1\r\n Host: www.fool.com\r\n User-Agent: Netscape/7.02\r\n Accept-Charset: ISO-8859-1\r\n Cookie: name=foundrynet; userid=12345\r\n \r\n
rewrite request-delete
Use the rewrite request-delete option in the CSW policy configuration mode to delete content. Syntax: match <rule-name> rewrite request-delete {matched-string | neg-offset <offset> <length> | offset <offset> <length> | string <ASCII string>} matched-stringSpecifies the matched-string option for the request to delete a string defined by a rule. neg-offsetSpecifies the negative-offset option for the delete request. <offset>Value of the deletion offset. <length>Value of the length of content to be deleted.
offsetSpecifies the positive-offset option for the delete request. <offset>Value of the deletion offset. <length>Value of the length of content to be deleted.
stringSpecifies the string option for the delete request. <ASCII string>Value of the string to be deleted.
rewrite request-insert
Use the rewrite request-insert option in the CSW policy configuration mode to insert content. Syntax: match <rule-name> rewrite request-insert {[<ASCii-string> [neg-offset <DECIMAL> | offset <DECIMAL>]] | client-ip | header} <ASCII-string>Value of the string for the offset options in the insert request. neg-offsetSpecifies the negative offset option for the insert request. <DECIMAL>Value of the negative offset. offsetSpecifies the positive offset option for the insert request. <DECIMAL>Value of the positive offset.
6 - 24
client-ipSpecifies client-ip option for the insert request. NOTE: The value of the client-ip must be defined under the VIP command.
headerSpecifies header option for the insert request. NOTE: The value of the header must be defined under the VIP command.
rewrite request-replace
Use this option in the CSW policy configuration mode to replace content. Syntax: match <rule-name> rewrite request-replace {matched-string <ASCII string> | string <ASCII string> <ASCII string>} matched-stringSpecifies the matched-string option for the request to replace a string defined by a rule. <ASCII string> Value of string existing string.
stringSpecifies the string option for the replace request. <ASCII string>Value of the existing string. <ASCII string>Value of the new string.
F. Explanation of Offsets
NOTE: The offset or neg-offset keyword indicates that insertion or deletion starts after or before the offset of the interested content defined in the matched CSW rule. In this example, the ServerIron receives the following message: GET /abc/xyz/index.html HTTP/1.1\r\n Host: www.foo.com\r\n User-Agent: Mozilla/5.0 Netscape/7.02\r\n Accept-Charset: ISO-8859-1\r\n Cookie: name=foundrynet; userid=12345\r\n \r\n The following examples show how the offsets work for various rules:
Prefix Matching
csw-rule ruleA url prefix /abc/x Offset 0 points to "y", which is the next byte after "/abc/x" in the URL.
Suffix Matching
csw-rule ruleB header Host suffix com Offset 0 points to "\r", which is the next byte after "com" in the value of "Host" header "www.foo.com".
Pattern Matching
csw-rule ruleC header Host pattern foo
6 - 25
Offset 0 points to "c", which is the next byte after "foo." in the value of "Host" header "www.foo.com".
Exist Matching
csw-rule ruleD1 url exist Offset 0 points to white space at end of letter "l", which is right after the last byte of URL "/abc/xyz/index.html".
Equal Matching
csw-rule ruleE header "Host" equal "www.foo.com" Offset 0 points to "\r", which is the next byte after "www.foo.com" in the value of "Host" header, "www.foo.com".
9 4
5 0
Content Rewritings Done in HTTP Requests: Cookie Deleted: 0 Cookie Destroyed: 1 Header Insertion: 2 Client IP Insertion: 2 Content Rewritings Done in HTTP Responses: Cookie Inserted: 1 Header Insertion: 0 Total Memory Already Consumed: 64 KB. Syntax: show l7-rewrite-info Table 6.4 defines the fields shown in the screen display.
0 0 0 0
0 0
Table 6.4: L7 Rewrite Information This Field HTTP Content Rewrites Total Allocated Total Freed Displays Shows the memory slots used to perform HTTP content rewrites. The total number of allocation times of memory slots used to perform content rewrites. The total number of freed times of memory slots used for content rewrites.
6 - 26
Table 6.4: L7 Rewrite Information (Continued) This Field Used Now Allocation Failures Content Rewritings Done in HTTP Requests Cookie Deleted Cookie Deletion Err Cookie Destroyed Cookie Destroy Err Header Insertion Header Insertion Err Client IP Insertion Client IP Insertion Err Content Rewritings Done in HTTP Responses Cookie Inserted Cookie Insertion Err Header Insertion Header Insertion Err Total Memory Already Consumed Displays The number of memory slots that are currently used to perform content rewrites. The number of failures that occurred while allocating memory for content rewrites. This section displays information related to cookie deletions, header insertions, and client IP insertions. The total number of cookies deleted in HTTP requests. The number of errors that occurred when deleting cookies in HTTP requests. The number of cookies destroyed during HTTP requests. The number of errors that occurred while destroying cookies in HTTP requests. The total number of headers inserted in HTTP requests. The number of errors that occurred when inserting headers in HTTP requests. The total number of client IP headers inserted in HTTP requests. The number of errors that occurred when inserting client IP headers in HTTP requests. This section contains information about cookie and header insertions. The total number of cookies inserted in HTTP responses. The number of errors that occurred when inserting cookies in HTTP responses. The total number of headers inserted in HTTP responses. The number of errors that occurred when inserting headers in HTTP responses. The total amount of memory allocated for HTTP content rewrites.
Usage Guidelines
When you define an offset or negative offset value to insert or delete a string, the value is not allowed to go beyond the URL value defined by the associated CSW rule. If it does exceed the boundry of the URL value, the ServerIron adjusts it to align with the beginning or the end of the URL. Similarly, the deletion action is not allowed to delete content beyond the URL value defined by its associated CSW rule. If the string to be deleted does exceed the start or end of the boundary of the URL or header value content, ServerIron limits the string to be deleted to the part within the boundary. Syntax: match <rule-name> rewrite request-insert <string> [offset | neg-offset <offset>] <rule-name> defines the name of CSW rule. <string> defines the string to be inserted. <offset> defines the distance of bytes from the offset 0. By default, offset 0 is right after the interested string
6 - 27
defined by matched CSW rule. Key word offset or neg-offsetindicates that the insertion offset starting after or before the offset 0.
6 - 28
For <url> <new-port>, enter the new URL and port number to which the request will be redirected.
To redirect an HTTP request with redirect code 301, entre the following command: ServerIron(config)#csw-policy p1 ServerIron(config-csw-p1)#match r1 redirect "fdry.com" HTTP 301
6 - 29
Table 6.5: Output from the show csw-hdr-info command This Field... Unknown header list Name Hdr Tab Ind Ref Co Unknown header count: Known header list Name The name of each known header field encountered. The name of each unknown header field encountered. The offset in the header table. The reference count of the number of rules using this header. The number of unknown headers encountered. Displays...
6 - 30
Table 6.5: Output from the show csw-hdr-info command (Continued) This Field... Hdr Tab Ind Known header count: XML tag list Name Hdr Tab Ind Ref Co XML tag count: The name of each XML tag encountered. The offset in the XML tag table. The reference count of the number of XML rules using this header. The number of XML tags encountered. Displays... The offset in the header table. The number of unknown headers encountered.
Rules Deleted: 0
Rule Name |Rule Type |Data |Data |Data |Ref C|Prot --------------------------------------------------------------------------ban1 |xml-tag |banner1 |equals |1 |0 |http ban2 |xml-tag |banner1 |equals |2 |0 |http ban3 |xml-tag |banner1 |equals |3 |0 |http banner1 |xml-tag |banner1 |exists | |1 |http volume3 |xml-tag |volume |equals |Volume III|1 |http volumex |xml-tag |volume |equals |xyz |1 |http volxyz |xml-tag |volume |suffix |xyz |1 |http
Syntax: show csw-rule [<rule-name>] The following table describes the information displayed by the show csw-rule command.
Table 6.6: Output from the show csw-rule command This Field... Rule Count Rules Allocated Rules Deleted Rule Name Rule Type Data fields Ref C Prot Displays... The number of L7 content switching rules configured on the device. The total number of rules allocated. The total number of rules deleted since the ServerIron was started. The name of each rule. The type of rule: HTTP method, HTTP version HTTP header, URL, or XML tag. The specification for the rule; that is, the content that the rule matches. The number of nested rules and policies using this rule. The protocol of the packets matched by the rule.
6 - 31
To display detailed information for a specified rule, enter a command such as the following: ServerIron#show csw-rule volume1 detail Rule Name :volume1 Rule Type :xml-tag Header :volume Operator :equals Value :Volume I Ref cnt Sub Rule cnt Sub Rules :1 :1 :volume1
Before Minterm Reduction Min term mask :0x00000002 Min terms :1 After Minterm Reduction Min term cnt :1 Minterms :volume1 Hdr/Meth Ind :8
Syntax: show csw-rule <rule-name> detail The following table describes the information displayed by the show csw-rule detail command.
Table 6.7: Output from the show csw-rule detail command This Field... Rule Name Rule Type Header Operator Value Ref cnt Sub Rule cnt Sub Rules Displays... The name of the rule. The type of rule: HTTP method, HTTP version HTTP header, URL, or XML tag. The HTTP header matched by the rule. The operator used to match the content: exists, prefix, suffix, pattern, equals, or search The content matched by the rule. The number of nested rules and policies using this rule. If this is a nested rule, the number of rules referring to this one. If this is a nested rule, a list of the rules that refer to this rule.
Before Minterm Reduction Min term mask Min terms Number of minterms for the expression. List of minterms.
After Minterm Reduction Min term cnt Minterms Number of minterms for the expression. List of minterms.
6 - 32
Table 6.7: Output from the show csw-rule detail command (Continued) This Field... Hdr/Meth Ind Displays... Index into the header in the method table.
Flag description: A: insert-cookie B: delete-cookie C: destroy-cookie D: req-ins-hdr E: req-ins-client-ip F: resp-ins-hdr L: log Rule Name |Act|Data1 |Data2 |Data3 |Flags |Hit Cnt -----------------------------------------------------------------------------url1024 |fwd|1024 | |N/A |_______ |2 url1025 |fwd|1025 | |N/A |_______ |3 default |fwd|1 | |N/A |_______ |10 -------------------------------------------------------------------------------
Table 6.8: Output from the show csw-policy command This Field... Policy Name Reference Count Rule Name Act Data fields Flags Hit Cnt Displays... The name of the policy. Number of VIPs using this policy. The rules configured under the policy The action specified for each rule. The specification for the rule; that is, the content that the rule matches. Information about the content-rewrite actions for the rule, if configured. The number of times a rule matched.
6 - 33
To display detailed information about a policy, enter a command such as the following: ServerIron#show csw-policy server-sw detail Policy Name :server-sw Reference Count :1 Action code description: fwd: forward rst: reset-client rdr: redirect err: reply-error
Flag description: A: insert-cookie B: delete-cookie C: destroy-cookie D: req-ins-hdr E: req-ins-client-ip F: resp-ins-hdr L: log Rule Name |Act|Offse|Data1 | Data2|Data3 |Flags |Hit Cnt --------------------------------------------------------------url1024 |fwd|0 |1024 | |N/A |_______ |0 url1025 |fwd|1 |1025 | |N/A |_______ |0 default |fwd|0 |1 | |N/A |_______ |0 --------------------------------------------------------------Total Rule Count Simple Rule Count Minterm Count Database Count XML Tag Count Parse Mask Parse Tags Vip Bindings :2 :2 :2 :2 :0 :0x00020000 :url :193.168.28.150 [80]
Syntax: show csw-policy <policy-name> detail In addition to the information shown in Table 6.8, the show csw-policy detail command displays the following information:
Table 6.9: Output from the show csw-policy detail command This Field... Offse Total Rule Count Simple Rule Count Minterm Count Database Count XML Tag Count Parse Mask Parse Tags Vip Bindings Displays... The offset into the minterm table. The total number of rules in the policy. The total number of simple (not nested) rules used in the policy. The number of minterms. The number of search databases. The number of XML tags used in the policy. Mask to indicate the parsing information. The header or XML tags to be parsed. The list of VIPs and port numbers using this policy.
6 - 34
NOTE: You can change the status code ranges. See Changing HTTP Keepalive Method, Value, and Status Codes on page 5-34.
Table 6.10 on page 6-35 lists the standard HTTP status codes.
Table 6.10: HTTP Status Codes Code Meaning ServerIron marks HTTP FAILED TCS 100 199 100 101 200 299 200 201 202 203 204 205 206 Informational Continue Switching protocols (not used yet, but defined) Success OK Created Accepted Non-Authoritative information No Content Reset content Partial content x x x x SLB
6 - 35
Table 6.10: HTTP Status Codes Code Meaning ServerIron marks HTTP FAILED TCS 300 399 300 301 302 303 304 305 400 499 400 401 402 403 404 405 406 407 408 409 410 411 412 413 414 415 500 599 500 501 502 503 504 Redirection Multiple choices Moved Permanently Moved Temporarily See Other Not Modified Use Proxy Client Error Bad Request Unauthorized Payment Required Forbidden Not Found Method not allowed Not Acceptable Proxy Authentication Required Request timeout Conflict Gone Length Required Precondition Failed Request entity too large Request URI too large Unsupported media type Server Error Internal Server Error Not Implemented Bad Gateway Service Unavailable Gateway time-out x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x SLB
6 - 36
Table 6.10: HTTP Status Codes Code Meaning ServerIron marks HTTP FAILED TCS 505 HTTP version not supported - or extension-code x SLB x
Router Client
SI
Internal Network
1.
Client sends request to: https://www.abc.com/index.html
2.
After SSL Offload, ServerIron sends real server: http://www.abc.com/index.html Real Servers
3.
ServerIron sends the same content to client 302 - Redirect http://www.abc.com/login.asp
4.
Real server sends redirect using http as it is not aware of SSL - Offload 302 - Redirect: http://www.abc.com/login.asp
Starting with release 10.1.00, the ServerIron can be programmed to modify such responses and replace "http://" with "https://". This feature can be applied selectively based on response code and the embedded URL. For example, the ServerIron can be programmed to replace only response codes 301 and 302, and only for URLs matching "http://www.abc.com".
In general, this feature is used to modify the redirect URL's in response codes 301 and 302. However, it is not limited to modifying redirects and in theory can be configured to modify any other part of the HTTP-header in any other response code.
6 - 37
6 - 38
EXAMPLE: In this configuration, Serveriron rewrites the HTTP response. Whenever response code 301 or 302 appears in the header, together with a redirect URL http://www.abc.com (signified by the Location header), ServerIron replaces the URL with https://www.abc.com. In other words, "Location: http://www.abc.com" becomes "Location: https:// www.abc.com". csw-rule r1 response-status-code 301 302 csw-rule r11 response-header "Location" pattern "http://www.abc.com" csw-policy "p1" type response-rewrite match "r1" response-header-rewrite match "r11" rewrite response-header-replace "https://www.abc.com/" offset 0 length 19 server real rs1 100.1.1.101 port http port http url "HEAD /"
Step 1: Create a CSW Rule identifying requests whose responses have to be modified
In this step, the requests are identified and responses to the requests are eligible for response modifications. To specify all requests with responses that need to be modified, use the following command: ServerIron(config)# csw-rule r2 url exists Syntax: csw-rule r2 url exists
6 - 39
Show Commands
To show statistics of this feature, enter a command such as the following on the BP console: 2/1# show csw-policy p1 Syntax: show csw-policy <policy-name> To show internal debug counters, enter a command such as the following on the BP console: 2/1# show appfw debug Syntax: show appfw debug
Debug Commands
To turn on debug info for a specific client, enter a command such as the following on the BP console: 2/1# debug appfw-fsm 100.1.1.1 Syntax: debug appfw-fsm <client-ip-address> 6 - 40 2008 Foundry Networks, Inc. September 18, 2008
To turn on debug info for a specific URL, enter a command such as the following on the BP console: 2/1# debug appfw-fsm url index.html Syntax: debug appfw-fsm url <string-to-match>
6 - 41
Configuration Example
This configuration replaces all references to http://www.abc.com with https://www.abc.com in all response data. In other words, the data "href='http://www.abc.com/index.html" becomes "href=https://www.abc.com/index.html". csw-rule r2 url exists csw-rule r21 response-body pattern http://www.abc.com/ csw-policy "p1" type response-rewrite match "r2" response-body-rewrite match "r21" rewrite response-body-replace "https://www.abc.com/" offset 0 length 19 server real rs1 100.1.1.101 port http port http url "HEAD /" server real rs2 100.1.1.102 port http port http url "HEAD /" server virtual-name-or-ip v1 100.1.1.10 port ssl port ssl response-rewrite-policy p1 bind ssl rs1 http rs2 http
6 - 42
Syntax: default rewrite insert-cookie [<cookie-name> [<domain> [<path> [<age]]]] <cookie-name>: specify the name of the cookie to be inserted; <path>: specify the attribute path for the cookie to be inserted. If <path> is not configured or it is configured to be "*", "/" will be defined for the cookie path; <domain>: specify the attribute domain for the cookie to be inserted. If <domain> is not configured or it is configured to be "*", the default domain for the cookie inserted in the HTTP response will be the same as the one in the previous request; <age>: specify how many minutes the browser takes to expire the cookie to be inserted. If <age> is not configured, the cookie will be expired once the browser is closed. If <age> is configured to be 0, the browser will age out the cookie immediately.
NOTE: <cookie-name> is required; while <path>, <domain>, and <age> are optional.
Specifications
The CLI command on ServerIron has a general limitation on the total length of each command; while this command is comprised of many keywords or values. This will bring the limitation that the attributes of <path>, <domain> can be too long. The following is the internal system limitations for some attributes introduced by this command, <cookie-name>: maximum length is 80 bytes; <path>: maximum length is 255 bytes; <domain>: maximum length is 80 bytes; <age>: integer between 0 and 0x1FFFFFFF;
Configuration Guidelines
Cookie insertion is typically configured together with cookie switching. If a specific cookie with valid value is found and the associated action can be taken, ServerIron will take the action based on the cookie value; otherwise, it follows other matched rule, which possibly a cookie insertion is triggered. The following are the steps to configure the cookie insertion with cookie switching, Configure CSW rules and policy Bind the CSW policy to a VIP Enable CSW on the VIP
Example
ServerIron does cookie switching based on the cookie value of "ServerID" or "biz" defined in either rule1 or rule2. If both rule1 and rule2 are not hit but rule3 is hit, it will forward the request to server group 10 and insert a cookie with name "biz", with path being "business". If no rule is hit, ServerIron will take the default action. It will forward the request to server group 1 and insert a cookie with name "ServerID", which expires in 60 minutes,. csw-rule rule1 header "Cookie" search "ServerID=" csw-rule rule2 header "Cookie" search "biz="
6 - 43
csw-rule rule3 url prefix "/business" csw-policy policy1 match rule1 persist offset 0 length 0 group-or-server-id match rule2 persist offset 0 length 0 group-or-server-id match rule3 forward 10 match rule3 rewrite insert-cookie "biz" "*" "/business" default forward 1 default rewrite insert-cookie "ServerID" "*" "*" age 60 server virtual-name-or-ip test 2.2.2.222 port default disable port http port http csw-policy "policy1" port http csw port http keep-alive bind http rs1http server real rs1 1.1.1.1 port http port http url "HEAD /" port http server-id 1100 port http group-id 1 1 port 8080 port 8080 server-id 1208 port 8080 group-id 10 10 server virtual-name-or-ip test 2.2.2.2 port default disable port http port http csw-policy "policy1" port http csw port http keep-alive bind http rs1http rs1 8080 NOTE: Make sure that the system time is configured when you configure cookie age.
Configuring Server and Server Port Persistence with CSW Nested Rules
This document describes the support of CSW rewrite/persist on nested rule and persist on real server port. Currently, CSW support rewrite or persist action on simple rule. The rewrite or persist action on nested rule is not supported because the place of rewrite or persist action can not be decided on nested rule. This new feature adds a new CLI to specify a base rule within nested one that rewrite or persist action can be based on.
6 - 44
Also, the current CSW supports the persistence on the group or server id. The support of the persistence on the real server port gives the customer more granular control. This feature is to be used with the persistence on the group or server id. This is useful when the customer has multiple ports configured on the same group or server, and wants to direct the request to the particular port instead of load balancing among all the ports. Persist or rewrite action can be performed when a nested rule matched, the location of persistence or rewrite string is determined by a master rule within the nested rule.
Usage Example
The customer needs the following request: Two real servers, 192.168.1.100 and 192.168.1.101. Each server has the different application listening on different ports: 10500 and 10520. Each server is configured to different group, 30 and 31. The request with 'pweb' and 'jsession=<groupid>' embedded in the URL is directed to the specified group
6 - 45
ServerIron(config)#server real-name-or-ip rs1 ServerIron(config-rs-rs1)#port 10500 group-id ServerIron(config-rs-rs1)#port 10520 group-id ServerIron(config-rs-rs1)#exit ServerIron(config)#server real-name-or-ip rs2 ServerIron(config-rs-rs2)#port 10500 group-id ServerIron(config-rs-rs2)#port 10520 group-id ServerIron(config-rs-rs2)#exit
192.168.1.100 20 20 30 30 21 21 30 30 192.168.1.101 20 20 31 31 21 21 31 31
The CSW rule: ServerIron(config)#csw-rule r1 url pattern "pweb" ServerIron(config)#csw-rule r2 url pattern "jsession=" ServerIron(config)#csw-rule n1 nested-rule "r1&&r2" master-rule r2 The CSW policy: ServerIron(config)#csw-policy p1 ServerIron(config-csw-p1)# match n1 persist offset 0 length 2 group-or-server-id real-port 10500 The virtual server: ServerIron(config)#server virtual-name-or-ip vip1 10.10.10.100 ServerIron(config-vs-vip1)#bind http rs1 10500 rs1 10520 ServerIron(config-vs-vip1)#bind http rs2 10500 rs2 10520 ServerIron(config-vs-vip1)#port http csw-policy p1 The result: If the request has the string "pweb" and also string "/jsession=30" embedded in the url, Then the rule n1 will be matched and SI will choose to connect to the rs1 (group 30) and the port 10500 If the port 10500 on rs1 is not available, the client request fails over to the port 10500 on rs2.
6 - 46
The network location of the resource is specified in the Host header field in an HTTP request message. For example: Host: www.foundrynet.com The ServerIron can examine both the URL string and Host header field when determining where to send the HTTP request. See RFC 1945 or RFC 2616 for more information on HTTP request messages. The selection criteria in a policy can be a string of characters starting from the beginning of the URL string, end of the URL string, or within any part of the URL string. For example, selection criteria can be a URL string that starts with the text /home. When an HTTP request that has a URL string beginning with the text /home comes into the ServerIron, the policy can direct that request to the server group containing the web content for the sites /home directory (or to another URL switching policy for additional matching). Unlike standard server load balancing, which requires that the same content be on all load-balanced real servers, URL switching allows you to place different web content on different servers. For example, you can place image files on one group of servers and CGI applications on another group. Information in the URL string determines to which server group HTTP requests are sent. To set up URL switching, do the following tasks: 1. 2. 3. Configuring the URL switching policies Configuring the real servers Setting up the virtual server
The ServerIron has URL switching policies in place, which direct HTTP requests based on the following: HTTP requests containing URL strings that start with the text "/home" are sent to server group ID = 1. HTTP requests containing URL strings that end with the text "gif" are sent to server group ID = 2. HTTP requests containing URL strings that have the text "/cgi-bin/" anywhere within are sent to server group ID = 3. If a URL string does not start with the text "/home", end with the text "gif", or contain the text "/cgi-bin/", the HTTP request is sent to server group ID = 1.
6 - 47
Figure 6.4
HTTP requests for URL strings that begin with /home are sent here If the URL string does not end with gif or contain the text /cgi-bin/, the HTTP request is also sent here.
Internet
Link Activity
HTTP requests for URL strings that contain /cgi-bin/ are sent here
6 - 48
NOTE: The URL switching policy p2 in the default command applies to releases before 09.1.00. Starting with Release 09.1.00, you must specify a real server group ID in the default command. Syntax: url-map <policy-name> The <policy-name> parameter assigns a name to the URL switching policy and enters the URL switching policy CONFIG level. Syntax: method prefix | suffix | pattern The method command specifies the matching method that the policy uses on the selection criteria: The prefix method compares the selection criteria to the beginning of the URL string. The suffix method compares the selection criteria to the end of the URL string. The pattern method looks for the selection criteria anywhere within the URL string.
Syntax: match "<selection-criteria>" <server-group-id> | <policy-name> NOTE: Starting with Release 09.1.00, the <policy-name> parameter is not supported. A URL switching policy can contain multiple match commands, each with a different selection criteria. The selection criteria can be up to 80 characters in length. The <server-group-id> parameter specifies the real server group to which the HTTP request is sent, when the URL string matches the selection criteria. For releases prior to 09.1.00, when the URL string matches the selection criteria, you can optionally match the URL string against another policy as specified in the <policy-name> parameter. Starting with release 08.1.00R, the "/home" selection criteria matches URL strings with encoded characters, such as "/h%6fme" or "/%5eome". In previous releases, if the ServerIron encountered encoded characters in the URL string, it went to the next rule. NOTE: If you are using the prefix and pattern matching methods, you can use an asterisk (*) as a wildcard character to specify one or more characters at the end of a URL string, in addition to using text as selection criteria For example, using "/ho*" as the selection criteria matches "/home", /hotels, and /home/main/index.html, as well as "/%5eome", and "/h%6fme". See the definition of policyA on page 6-53 for an example of this If you use the suffix matching method, you cannot use an asterisk (*) as a wildcard character. The asterisk wildcard character is valid for the prefix and pattern matching methods only. For releases before 09.1.00, you can also specify a URL switching policy name instead of a real server group ID. In this case, if part of the URL string matches the selection criteria, the remaining text of the URL string (that is, the text that was not matched by the selection criteria) is evaluated by the specified policy. See the definition of policyA on page 6-53 for an example of this. Syntax: default <server-group-id> | <policy-name> NOTE: Starting with Release 09.1.00, the <policy-name> parameter is not supported. The default command specifies what happens when the URL string does not meet the selection criteria. The <server-group-id> parameter specifies the real server group to which the HTTP request is sent, when the URL string does not match any of the selection criteria in the URL switching policys match command. For releases prior to 09.1.00, you can specify, as with the match command, either a real server group or another URL switching policy. The following commands define URL switching policy p2 for the example in Figure 6.4.
6 - 49
ServerIron(config)#url-map p2 ServerIron(config-url-p2)#method suffix ServerIron(config-url-p2)#match "gif" 2 ServerIron(config-url-p2)#default p3 ServerIron(config-url-p2)#exit URL switching policy p2 uses the suffix matching method. This means that the last part of the URL string is compared to the selection criteria. The match command defines the selection criteria as the text "gif". Thus, any URL string ending with "gif" meets the selection criteria. The second part of the match command causes HTTP requests for URL strings that end in "gif" to be sent to the real server group whose ID = 2. If the URL string does not end with "gif", the default command causes the URL string to be evaluated by URL switching policy p3. NOTE: The URL switching policy p3 applies in the default command to releases before 09.1.00. Starting with Release 09.1.00, you must specify a real server group ID in the default command. NOTE: As the diagram in Figure 6.4 illustrates, there is only one real server in server group ID = 2. Even so, the match command must refer to a server group, rather than an actual real server. Server groups can consist of one or more real servers. The following commands define URL switching policy p3 for the example in Figure 6.4: ServerIron(config)#url-map p3 ServerIron(config-url-p3)#method pattern ServerIron(config-url-p3)#match "/cgi-bin/" 3 ServerIron(config-url-p3)#default 1 ServerIron(config-url-p3)#exit URL switching policy p3 uses the pattern matching method. The match command looks for the selection criteria anywhere within the URL string. In this example, if the text "/cgi-bin/" appears anywhere in the URL string, the HTTP request is sent to the real server group whose ID = 3. If "/cgi-bin/" does not appear in the URL string, the default command sends the HTTP request to the real server group whose ID = 1.
To include a real server in groups that are not consecutively numbered, you can enter up to four server group ID pairs. For example, to include a real server in groups 1 5 and 11 15, enter the following command: ServerIron(config-rs-rs1)#port http group-id 1 5 11 15 You can also specify the server group ID pairs on separate lines, by entering commands such as the following: ServerIron(config-rs-rs1)#port http group-id 1 5 ServerIron(config-rs-rs1)#port http group-id 11 15 To configure the remaining real servers in Figure 6.4, enter commands such as the following: ServerIron(config)#server real-name rs2 207.95.7.2 ServerIron(config-rs-rs2)#port http group-id 1 1 ServerIron(config-rs-rs2)#exit ServerIron(config)#server real rs3 207.95.7.3 ServerIron(config-rs-rs3)#port http group-id 2 2 ServerIron(config-rs-rs3)#exit ServerIron(config)#server real rs4 207.95.7.4 ServerIron(config-rs-rs4)#port http group-id 3 3 ServerIron(config-rs-rs4)#exit ServerIron(config)#server real rs5 207.95.7.5 ServerIron(config-rs-rs5)#port http group-id 3 3 ServerIron(config-rs-rs5)#exit ServerIron(config)#server real rs6 207.95.7.6 ServerIron(config-rs-rs6)#port http group-id 3 3 ServerIron(config-rs-rs6)#exit These commands place real server rs2 in server group ID = 1 (along with real server rs1), real server rs3 in server group ID = 2, and real servers rs4, rs5, and rs6 in server group ID = 3.
6 - 51
The server virtual-name-or-ip command defines a virtual server that has a name and an IP address, and enters the virtual server CONFIG level. Syntax: port http The port http command adds port 80 (HTTP) to the VIP. Syntax: port http url-map <policy-name> The <policy-name> parameter assigns a URL switching policy to the VIP. If you use multiple URL switching policies, you must link them together. For example, policy p1 may send text to policy p2, which, in turn, may send text to policy p3 Thus, the three policies are linked together. Up to 100 URL switching policies can be linked. Syntax: port http url-switch The port http url-switch command activates URL switching for the VIP. Syntax: bind http <real-server-name> http The <real-server-name> parameter specifies the real server whose HTTP services are to be bound to the VIP.
In this configuration, two web sites, www.mysite.com and www.myothersite.com, share the same virtual IP address. HTTP requests for either of these web sites are sent to one of five server groups, depending on the content of the URL string. Requests for www.mysite.com that have URL strings beginning with the text "/h" are sent to server group ID = 10 Requests for Real media files at www.mysite.com are sent to either server group ID = 30 (for high availability files) or server group ID = 40 (for all other Real media files) All other HTTP requests for www.mysite.com are sent to server group ID = 20 All HTTP requests for www.myothersite.com are sent to server group ID = 50 Requests sent to the VIP, but not to either www.mysite.com or www.myothersite.com are sent to server group ID = 10
6 - 52
Figure 6.5
URL Switching Example with Two Web Sites and One VIP
HTTP requests for www.mysite.com are sent to one of these server groups HTTP requests for URL strings that begin with /h* are sent here
Internet
If the URL string does not start with /h* or does not request a Real media file, the HTTP request is sent to this server group
Link Activity
Power
HTTP requests for high-availablility Real media files are sent to this server group
All other requests for Real media files are sent to this server group
HTTP requests for www.myothersite.com are sent to this server group. This server group contains all the web content for www.myothersite.com
NOTE: For clarity, the individual real servers are not depicted in the illustration. The setup procedure for the real servers is the same as the one described in Configuring the Real Servers on page 6-50. The following sections explain how to set up this configuration.
After you set up the virtual server, as described in the next section, policyA and policyB will encounter HTTP requests for www.mysite.com and requests directed to neither www.mysite.com nor myothersite.com. PolicyZ will encounter only HTTP requests for www.myothersite.com. The following commands define policyA: ServerIron(config)#url-map policyA ServerIron(config-url-policyA)#method prefix ServerIron(config-url-policyA)#match /h* 10 ServerIron(config-url-policyA)#match "/real/" policyB ServerIron(config-url-policyA)#default 20 ServerIron(config-url-policyA)#exit The method prefix command causes the policy to examine the first part of the URL string. The match /h* 10 command looks for URL strings that start with the text "/h"; for example, /home/main/index.html or /hardware/images/toolbar.gif. These HTTP requests are sent to server group ID = 10.
6 - 53
The match "/real/" policyB command causes URL strings that start with "/real/" to be evaluated by policyB. Note that rather than sending the entire URL string, policyA sends to policyB only the text that was not matched by the selection criteria. For example, consider a URL string of "/real/high-avail/video1.ram". The first part of the string matches the selection criteria. The remaining text, "high-avail/video1.ram", is passed to policyB for evaluation. NOTE: If the matching method in the policy is pattern, the entire contents of the string are passed to the policy, rather than just part of the string. The default command sends HTTP requests that do not meet the selection criteria in either of the match commands to server group ID = 20. The following commands define policyB: ServerIron(config)#url-map policyB ServerIron(config-url-policyB)#method prefix ServerIron(config-url-policyB)#match "high-avail/" 30 ServerIron(config-url-policyB)#default 40 ServerIron(config-url-policyB)#exit As with policyA, the method prefix command causes the policy to examine the first part of the URL string that is passed to it. The match "high-avail/" 30 command looks for the text "high-avail/" at the beginning of the string passed to it. In this configuration, policyA sends text to policyB. (Up to 100 URL switching policies can be linked in this way.) Thus, for a URL string of "/real/high-avail/video1.ram", policyA would match the text "/real/" and pass "high-avail/ video1.ram" to policyB. The text "high-avail/" would then be the first part of the string received by policyB, and would meet the selection criteria in policyBs match command. The second part of policyBs match command sends HTTP requests meeting the selection criteria to server group ID = 30. The default command sends HTTP requests that do not meet the selection criteria in the match command to server group ID = 40. This means that an HTTP request containing a URL string that starts with "/real" (but not "/real/high-avail") would go to server group ID = 40. The following commands define policyZ: ServerIron(config)#url-map policyZ ServerIron(config-url-policyZ)#default 50 ServerIron(config-url-policyZ)#exit This policy simply sends all HTTP requests it encounters to server group ID = 50. In the sample configuration in Figure 6.5 on page 6-53 all the web content for www.myothersite.com resides on the real servers in server group ID = 50.
6 - 54
ServerIron(config-vs-sharedVIP)#port http ServerIron(config-vs-sharedVIP)#port http ServerIron(config-vs-sharedVIP)#port http ServerIron(config-vs-sharedVIP)#port http ServerIron(config-vs-sharedVIP)#bind http ServerIron(config-vs-sharedVIP)#exit Syntax: port http url-host-id <host> <policy-name>
url-host-id www.mysite.com policyA url-host-id www.myothersite.com policyZ url-map policyA url-switch real-server1 http (other real servers...)
The port http url-host-id www.mysite.com policyA command causes HTTP requests for www.mysite.com to be evaluated by policyA. The port http url-host-id www.myothersite.com policyZ command causes HTTP requests for www.myothersite.com to be evaluated by policyZ. If a request is for neither www.mysite.com nor www.myothersite.com, then the request is evaluated by policyA. In this example, the port http url-map policyA command functions similarly to the default command in a URL switching policy, sending requests that dont meet the other selection criteria to a "catch-all" policy.
Sample URLs
Using the configuration in Figure 6.5 on page 6-53, URL switching policies would direct HTTP requests as follows: www.mysite.com/home/index.html The port http url-host-id command in the virtual server configuration directs HTTP requests for www.mysite.com to policyA. A match command in policyA specifies that URLs that begin with "/h" go to server group 10. www.mysite.com/marketing Since the requested host is www.mysite.com, the HTTP request is evaluated by policyA. The URL string / marketing does not match any of the selection criteria in policyAs match commands. The default command sends the request to server group 20. www.mysite.com/real/high-avail/bigvideo.ram Since the requested host is www.mysite.com, the HTTP request is evaluated by policyA. A match command in policyA specifies that URL strings that begin with "/real/" be evaluated by policyB. The text "high-avail/bigvideo.ram" is passed to policyB. A match command in policyB specifies that strings that begin with "high-avail/" go to server group 30. www.mysite.com/real/oldstuff/clinton.ram Since the requested host is www.mysite.com, the HTTP request is evaluated by policyA. A match command in policyA specifies that URL strings that begin with "/real/" be evaluated by policyB. The text "oldstuff/clinton.ram" is September 18, 2008 2008 Foundry Networks, Inc. 6 - 55
passed to policyB. Since the text "oldstuff/clinton.ram" does not match the selection criteria in policyBs match command, the default command sends the request to server group 40. www.myothersite.com/home.html The port http url-host-id command in the virtual server configuration directs HTTP requests for www.myothersite.com to policyZ. The default command in policyZ sends all HTTP requests to server group 50. 209.157.22.241/home.html In this case, the IP address of the VIP is being requested, rather than a specific host. The port http url-map command in the virtual server configuration directs HTTP requests for neither www.mysite.com nor www.myothersite.com to policyA. A match command in policyA specifies that URLs that begin with "/h" go to server group 10.
Internet
Link Activity
In this configuration, three domains, www.user1.com, www.user2.com, and www.user3.com share virtual IP address 192.168.1.123. HTTP requests sent to www.user1.com go to port 80 on one of the load-balanced real servers in server group ID=60. Requests for www.user2.com go to port 8080, and requests for www.user3.com go to port 8081. Requests coming into the VIP that are addressed to none of these three domains are sent to port 80 on the real server in server group ID=70. The following sections explain how to set up this configuration.
ServerIron(config-url-urlmap2)#default 60 ServerIron(config-url-urlmap2)#exit ServerIron(config)#url-map urlmap3 ServerIron(config-url-urlmap3)#tcp-port 8081 ServerIron(config-url-urlmap3)#default 60 ServerIron(config-url-urlmap3)#exit ServerIron(config)#url-map urlmap4 ServerIron(config-url-urlmap4)#default 70 ServerIron(config-url-urlmap4)#exit In the URL switching policies above, the tcp-port commands specify the TCP port where HTTP requests evaluated by the policy are sent. The default commands specify the server group to which the HTTP requests are sent. HTTP requests that are evaluated by policy urlmap1 are sent to TCP port 80 on one of the load-balanced real servers in server group ID = 60. Requests evaluated by policy urlmap2 are sent to TCP port 8080 on a server in server group ID = 60. And requests evaluated by policy urlmap3 are sent to TCP port 8081 on a server in server group ID = 60. If an HTTP request is evaluated by policy urlmap4, it is sent to TCP port 80 (the default port) on the server in server group ID = 70. Syntax: tcp-port <port-number>
6 - 57
6 - 58
Client
Internet
2
Remote Access Router
The next time Client requests resource from Server, the HTTP request has a cookie with ServerID = 1
Link Activity
In the diagram: 1. The client requests a resource from the server. Using its load-balancing metric, the ServerIron sends the HTTP request to one of the servers bound to the VIP.
6 - 59
2.
The server responds to the request. The server's HTTP response contains a Set-Cookie header that includes a NAME=VALUE pair relevant to cookie switching. The NAME part is a user-defined token (for example, ServerID) that identifies the cookie; the VALUE part refers to the ID of either a server group consisting of one or more load-balanced real servers, or a specific real server. The NAME=VALUE pair in the Set-Cookie header is stored on the client. The next time the client requests a resource from the server, the HTTP request contains a Cookie header that includes the NAME=VALUE pair. The ServerIron examines the Cookie header in the HTTP request, looking for the name of the cookie; that is, the NAME part of the NAME=VALUE pair. If the cookie is found, the ServerIron directs the HTTP request to the server or server group whose ID is specified in the VALUE part of the NAME=VALUE pair.
3. 4. 5. 6.
Cookie switching provides a function similar to the "sticky" port feature in Server Load Balancing. Both features cause sequential HTTP requests from a client to go to the same server (or in the case of cookie switching, to a load-balanced server group). The difference is in how sessions are handled: In Server Load Balancing, when you configure port 80 (HTTP) on a virtual server to be sticky, HTTP requests from a client always go to the same real server until the session times out (that is, the sticky age timer expires). When the session times out, the ServerIron uses a load balancing metric to select a new real server to handle requests from the client. If a users transaction is not complete when the session times out, it may be load-balanced to a new server, and the user may have to log in again. Cookie switching, in contrast, works independently of session. HTTP requests from a client always go to the server (that is, the real server or a server group) specified in the cookie, regardless of the interval between requests. Requests are never load balanced to a different server.
To set up cookie switching, do the following tasks: 1. 2. 3. Configuring the servers Configuring the server to send a Set-Cookie header that contains a NAME=VALUE pair relevant to cookie switching Enabling cookie switching on the virtual server
Figure 6.7 on page 6-59 shows a configuration with one real server and one server group consisting of two real servers. The following commands configure those two real servers in the server group: ServerIron(config)#server real-name ServerIron(config-rs-rs1)#port http ServerIron(config-rs-rs1)#exit ServerIron(config)#server real-name ServerIron(config-rs-rs2)#port http ServerIron(config-rs-rs2)#exit rs1 192.168.1.1 group-id 1 1 rs2 192.168.1.2 group-id 1 1
Syntax: server real-name <real-server-name> <ip-addr> Syntax: port http group-id <server-group-id-pairs> The port http group-id commands indicate the server group to which the real servers belong. The server group is expressed as a pair of numbers, indicating a range of real server group IDs. The first number is the lowestnumbered server group ID, and the second is the highest-numbered server group ID. In this example, both real servers belong only to the server group with ID = 1, so the last two numbers in the port http group-id commands are 1 1 (note the space between the two numbers). Valid numbers for server group IDs are 0 1023. See Configuring the Real Servers on page 6-50 for more information on setting up server groups. 6 - 60 2008 Foundry Networks, Inc. September 18, 2008
To direct HTTP requests to a specific real server, you can either configure a real server to be the only member of a server group, or you can assign an ID to a real server. If you assign an ID to a real server, the ServerIron directs HTTP requests that contain the servers ID value in the Cookie header to that real server. For example, the following commands assign a server ID to real server rs100 in Figure 6.7: ServerIron(config)#server real-name rs100 192.168.1.100 ServerIron(config-rs-rs100)#port http server-id 1024 ServerIron(config-rs-rs100)#exit The port http server-id command sets the server ID for the real server at 1024. HTTP requests coming into the ServerIron that have a cookie value that refers to this server ID are always sent to this real server. Syntax: port http server-id <server-id> Valid numbers for server IDs are 1024 2047.
VALUE refers to the ID of a server group (0 1023) or a real server (1024 2047). See 2.1.2.1 Configuring the Real Servers on page 6-60 for information on setting up IDs for real servers and server groups. NOTE: The exact procedure for configuring a server to send a Set-Cookie header depends on your server configuration and is not discussed here. However, the following is an example of a JavaScript command to create a cookie whose NAME is ServerID and VALUE is 1: SetCookie("ServerID","1") Consult RFC 2109 or your JavaScript documentation for more information on the Set-Cookie header. To configure cookie insertion to work with cookie switching, do the following tasks: 1. 2. 3. 4. 5. 6. 7. 8. 9. Configuring the servers Enabling cookie switching on the virtual server Enabling cookie insertion Setting the cookie domain (optional) Setting the cookie path (optional) Setting the cookie age (optional) Enabling cookie deletion (optional) Enabling cookie damage (optional) Allocating additional memory to cookie handling (optional)
You can also display information about the cookies inserted by the ServerIron.
The following commands configure two real servers in a server group: ServerIron(config)#server real-name ServerIron(config-rs-rs1)#port http ServerIron(config-rs-rs1)#exit ServerIron(config)#server real-name ServerIron(config-rs-rs2)#port http ServerIron(config-rs-rs2)#exit rs1 192.168.1.1 group-id 1 1 rs2 192.168.1.2 group-id 1 1
Syntax: [no] server real-name <real-server-name> <ip-addr> Syntax: [no] port http group-id <server-group-id-pairs> The port http group-id commands indicate the server group to which the real servers belong. The server group is expressed as a pair of numbers, indicating a range of real server group IDs. The first number is the lowestnumbered server group ID, and the second is the highest-numbered server group ID. In this example, both real servers belong only to the server group with ID = 1, so the last two numbers in the port http group-id commands are 1 1 (note the space between the two numbers). Valid numbers for server group IDs are 0 1023. To direct HTTP requests to a specific real server, you can either configure a real server be the only member of a server group, or you can assign an ID to a real server. If you assign an ID to a real server, the ServerIron directs HTTP requests that contain the servers ID value in the Cookie header to that real server. For example, the following commands assign a server ID to real server rs100: ServerIron(config)#server real-name rs100 192.168.1.100
6 - 62
ServerIron(config-rs-rs100)#port http server-id 1024 ServerIron(config-rs-rs100)#exit The port http server-id command sets the server ID for the real server at 1024. HTTP requests coming into the ServerIron that have a cookie value that refers to this server ID are always sent to this real server. Syntax: [no] port http server-id <server-id> Valid numbers for server IDs are 1024 2047.
When any of these events occur, the ServerIron directs the HTTP request to a server or server group using its load balancing metric. When the ServerIron receives the HTTP response back from the server, the ServerIron inserts a Set-Cookie header with a value indicating the selected server or server group, then forwards the HTTP response to the client. For example, if you specified the cookie name "ServerID" in the port http cookie-name command, the following header is inserted into the HTTP response sent to the client: Set-Cookie: ServerID=<id>; path=/\r\n <id> is the ID of the destination real server or server group where subsequent HTTP requests from the client are directed.
By default, the ServerIron does not specify values for the Domain or Expire attributes in the header, so the client will use the cookie only for the domain specified in the HTTP request, and the cookie will expire when the clients
6 - 63
browser is closed. See 2.3.1.4 Setting the Cookie Domain on page 6-64 and 2.3.1.6 Setting the Cookie Age on page 6-65 for information on changing the default settings. Note that if you change the cookie name in the port http cookie-name command after the ServerIron has sent a Set-Cookie header to the client, persistence with the client may be lost, since the old cookie name will be in the next HTTP request sent by the client. The ServerIron may direct the request to a different server or server group. You can enable cookie insertion either on a specific port on a specific virtual server, or globally on all virtual ports on the ServerIron. To enable cookie insertion on port 80 (HTTP) on virtual server cookieVIP, enter commands such as the following: ServerIron(config)#server virtual-name-or-ip cookieVIP 192.168.1.241 ServerIron(config-vs-cookieVIP)#port http insert-cookie Syntax: [no] port <port> insert-cookie To enable cookie insertion globally on all ports, enter the following command: ServerIron(config)#server insert-cookie Syntax: [no] server insert-cookie
6 - 64
6 - 65
6 - 66
Syntax: show policy-map [<policy-map-name>] This display shows the following information about a URL switching policy.
Table 6.11: URL Switching Policy Information This Field... Current Policy Created Deleted Name Valid Tree root Method Key Type Displays... The number of URL switching policies in effect on the ServerIron The total number of URL switching policies that have been created The number of URL switching policies that have been deleted The name of the URL switching policy Whether the internal structure of the policy is valid Whether the policies that are linked to by this policy have been allocated The matching method in effect for this policy either prefix, suffix, or pattern Either "default" or the selection criteria in effect for this policy What happens when the selection criteria is met. This can one of the following: Data Map Policy: The URL string is sent to another URL switching policy for additional matching Group ID: The HTTP request is sent to a server group
6 - 67
34 0
34 0
Total Memory Already Consumed: 1600 KB. Total Memory Can Be Reached: 25600 KB. Syntax: show cookie-info To display cookie handling information just for BP 1 in slot 2, enter the following commands: ServerIron#rconsole 2 1 ServerIron2/1# show cookie-info Cookie: Total Inserted: Total Deleted: Total Destroyed: Content Rewrites: Total Allocated: Used Now: 3 9 5 Total Insertion Error: Total Deletion Error: Total Destroy Error: 0 0 0
34 0
34 0
Total Memory Already Consumed: 1600 KB. Total Memory Can Be Reached: 25600 KB. Syntax: rconsole <slotnum> <cpunum> Syntax: show cookie-info This command displays the following information.
Table 6.12: Output from the show cookie-info command This Field... Cookie: Total Inserted: Total Insertion Error: Displays... Information about the number of cookies inserted, deleted, or destroyed. The number of cookies inserted by the ServerIron into HTTP responses. The number of errors encountered while attempting to insert a cookie into a HTTP responses.
6 - 68
Table 6.12: Output from the show cookie-info command (Continued) This Field... Total Deleted: Total Deletion Error: Total Destroyed: Total Destroy Error: Content Rewrites: Total Allocated: Total Freed: Used Now: Allocation Failures: Total Memory Already Consumed: Total Memory Can Be Reached: Displays... The number of ServerIron-set cookies deleted from HTTP requests. The number of errors encountered while attempting to delete a cookie from an HTTP request. The number of ServerIron-set cookies that the ServerIron has damaged in HTTP requests. The number of errors encountered while attempting to damage a cookies in HTTP requests. Information about the total number of cookie insertion, deletion, damage, or other content rewriting operations. The number of memory slots that have been allocated to rewrite HTTP messages. The number of memory slots that have been freed following an HTTP content rewriting operation. The number of memory slots currently used for HTTP content rewriting operations. The number of errors encountered when allocating memory slots to HTTP content rewriting operations. The amount of memory currently allocated to HTTP content rewriting operations. The maximum amount of memory that can be allocated to HTTP content rewriting operations.
6 - 69
Figure 6.8
ServerIron first matches URL string against URL switching policies and determines to which server group the packet should be directed. ServerIron then looks at the Cookie header for a NAME=VALUE pair relevant to cookie switching.
If the VALUE part of the NAME=VALUE pair in the cookie refers to the ID of a server within the server group, the packet is directed to that server. Otherwise, the packet is directed to one of the servers in the appropriate server group.
3
Internet
Server returns requested resource in HTTP response, along with a Set-Cookie header that refers to the ID of the responding server (for example, ServerID = 1025) Server Group ID=1
Client
The next time Client requests resource from Server, the HTTP request has a cookie that refers to a specific server (for example, ServerID = 1025)
Link Activity
In the diagram: 1. 2. 3. The client requests a resource (for example /images/foundry.gif) from the server. The ServerIron first matches the URL string against URL switching policies and determines to which server group the HTTP request should be directed. After selecting a server group for the request, the ServerIron looks at the Cookie header for a NAME=VALUE pair relevant to cookie switching (for example, ServerID=1025). 4. If such a NAME=VALUE pair is found, the ServerIron directs the request to the specific real server whose ID corresponds to the VALUE part of the NAME=VALUE pair. If no NAME=VALUE pair is found, the request is directed to one of the load-balanced real servers in the server group determined in Step 2.
When the server responds to the request, the HTTP response message contains a Set-Cookie header that includes a NAME=VALUE pair relevant to cookie switching. The NAME part is a user-defined token (for example, ServerID) that identifies the cookie; the VALUE part refers to the ID of the specific real server that responded to the request. The NAME=VALUE pair in the Set-Cookie header is stored on the client. The next time the client requests a resource from the server, the HTTP request contains a Cookie header that includes the NAME=VALUE pair. Using the procedure in Steps 2 3, the ServerIron directs the HTTP request to the real server whose ID corresponds to the VALUE part of the NAME=VALUE pair.
5. 6. 7.
The illustration above shows a configuration where the GIF images are stored on servers in server group ID = 1, and all other files are stored on servers in server group ID = 2. When a client sends an HTTP request that contains the URL string /images/foundry.gif, the request would be handled as follows: The first time the client requests this resource, the ServerIron uses a URL switching policy to determine the server to which to direct the request. The URL switching policy has selection criteria that specifies HTTP requests containing URL strings ending with gif are to be sent to one of the load-balanced real servers in
6 - 70
server group ID = 1 Since the HTTP request has no NAME=VALUE pair relevant to Cookie switching, the ServerIron forwards the request to one of the servers in the server group (rather than a specific real server); for example, real server rs2. The HTTP response sent back by the real server includes a Set-Cookie header that contains a NAME=VALUE pair that refers to the server ID. In the configuration above, real server rs2 would send back a Set-Cookie header with a NAME=VALUE pair of ServerID=1025. This NAME=VALUE pair is stored on the client. The next time the client requests this resource, the Cookie header in the HTTP request contains this NAME=VALUE pair. The ServerIron uses a URL switching policy to determine the server to which to direct the request, then directs the HTTP request to the server indicated by the VALUE part of the NAME=VALUE pair. In the configuration above, an HTTP request that has a Cookie header containing ServerID=1025 would be directed to the real server with the ID of 1025; that is, real server rs2.
To set up concurrent URL and cookie switching, do the following tasks: 1. 2. 3. 4. Configuring the URL switching policies Configuring server groups and server IDs Configuring the servers to send a Set-Cookie header that contains a NAME=VALUE pair relevant to cookie switching. Enabling concurrent URL and cookie switching on the virtual server
6 - 71
6 - 72
SetCookie("ServerID","1025") Consult RFC 2109 or your JavaScript documentation for more information on the Set-Cookie header.
In the example, the cookie name is ServerID. When the ServerIron encounters an HTTP request sent to this VIP, the URL string in the request is matched against the selection criteria in URL switching policy gifPolicy, and the ServerIron determines to which server group the request should be sent. The ServerIron then looks in the Cookie header for a cookie with ServerID as the NAME part of the NAME=VALUE pair. If the cookie is found, the request is directed to the real server whose ID is specified in the VALUE part of the NAME=VALUE pair. If the cookie is not found, the request is directed to the server group determined by the URL switching policy. Syntax: port http url-map <policy-name> Syntax: port http cookie-name <name> Syntax: port http url-cookie-switching The port http url-map command specifies the URL switching policy to be active for this VIP. The port http cookie-name command specifies the name of the cookie to be used in cookie switching. This must be the same as the NAME token you configured your server to include in responses to HTTP requests. The port http url-cookie-switching command enables concurrent URL and cookie switching on the virtual server.
6 - 73
To configure the ServerIron to insert a header into the HTTP responses it sends from the virtual server, enter the following commands: ServerIron(config)#server virtual-name-or-ip mysite 192.168.9.51 ServerIron(config-vs-mysite)#port http response-insert "FDRY-SI: proto=HTTP+MMS" In this example, the ServerIron inserts the following header into the HTTP responses it sends from the virtual server: FDRY-SI: proto=HTTP+MMS\r\n This is an example of a customized header. The ServerIron can insert both standard and customized HTTP headers into HTTP requests or responses. Syntax: port <virtual-port> response-insert <header>
6 - 74
port http url-switch port http request-insert client-ip bind http www65 http To disable the Layer 4 health check for an individual application on an individual firewall, enter a command such as the following at the firewall configuration level of the CLI: ServerIron(config-rs-FW1)#port http no-health-check The command in this example disables Layer 4 health checks for port HTTP on firewall FW1. When you add an application port to a firewall definition, the ServerIron automatically enables the Layer 4 health check for that port. You must disable the Layer 4 health check if the firewall is unable to act as a proxy for the application and respond to the health check. If the firewall does not respond to the health check, the ServerIron assumes that the port is unavailable and stops sending traffic for the port to the firewall.
6 - 75
Cookie hashing causes HTTP requests that contain the same cookie header always to go to the same real server. Selective cookie hashing looks for user-specified cookies in the cookie header. HTTP requests that contain the same values in the user-specified cookies always go to the same real server. URL string hashing causes HTTP requests that contain the same URL string always to go to the same real server. URL segment hashing maps a segment of a URL string to a server group. HTTP requests that contain this same URL segment always go to the same server group. Unlike cookie hashing or URL string hashing, URL segment hashing sends HTTP requests to a load-balanced server group, rather than to an actual real server.
The number corresponds to one of 256 internal hashing buckets on the ServerIron
10
...
255
4 5
Using its load balancing metric, the ServerIron allocates a real server to the hashing bucket The ServerIron sends the HTTP request to the real server allocated to the cookies hashing bucket
rs3
Flow description in the diagram: 1. 2. 3. 4. The ServerIron examines the cookie header in an HTTP request sent to the virtual server. The ServerIron assigns a number between 0 255 to the contents of the cookie header. This number corresponds to a hashing bucket on the ServerIron. Using its load balancing metric, the ServerIron allocates one of the real servers bound to the virtual server to the hashing bucket. Possible load balancing metrics are least connections, weighted percentage, and round robin. By default, the least connections metric is applied globally to all virtual servers. If you define a metric specifically for this virtual server, that metric takes precedence over the globally defined metric. The ServerIron directs the HTTP request to the real server assigned to the cookies hashing bucket. All future HTTP requests that have the same cookie header are sent to the same real server. This means that in the example in Figure 6.9 on page 6-76, HTTP requests that have a cookie header
5.
6 - 76
consisting of the text Cookie: Version=1; Customer=S_MacGOWAN; Product=bottle are always sent to real server rs3. The following commands enable cookie hashing on a virtual server: ServerIron(config)#server virtual-name-or-ip cookieHash 209.157.22.241 ServerIron(config-vs-cookieHash)#port http ServerIron(config-vs-cookieHash)#port http cookie-hashing ServerIron(config-vs-cookieHash)#bind http rs1 http ServerIron(config-vs-cookieHash)#bind http rs2 http ServerIron(config-vs-cookieHash)#bind http rs3 http Syntax: port http cookie-hashing The port http cookie-hashing command enables cookie hashing on the virtual server. Note that you cannot have cookie hashing and cookie switching enabled on the same virtual server. The bind http commands bind the real servers to the VIP. The ServerIron allocates these real servers to its hashing buckets.
6 - 77
Figure 6.10
The ServerIron examines user-specified cookies in the Cookie header in an HTTP request
The ServerIron logically reduces the values in the selected cookies to a number between 0 255
The number corresponds to one of 256 internal hashing buckets on the ServerIron
10
...
255
4 5
Using its load balancing metric, the ServerIron allocates a real server to the hashing bucket The ServerIron sends the HTTP request to the real server allocated to the cookies hashing bucket
rs2
The following commands enable selective cookie hashing on a virtual server: ServerIron(config)#server virtual-name-or-ip cookieHash 192.168.1.123 ServerIron(config-vs-cookieHash)#port http ServerIron(config-vs-cookieHash)#port http cookie-hash-name Category ServerIron(config-vs-cookieHash)#port http cookie-hash-name Type ServerIron(config-vs-cookieHash)#port http cookie-hashing ServerIron(config-vs-cookieHash)#bind http rs1 http ServerIron(config-vs-cookieHash)#bind http rs2 http ServerIron(config-vs-cookieHash)#bind http rs3 http Syntax: port http cookie-hash-name <cookie-name> The port http cookie-hash-name commands specify the names of the cookies to be used in selective cookie hashing. This is the NAME part of a cookies NAME=VALUE pair. You can specify up to five cookie names. If one or more of the selected cookie names are found in a cookie header, the ServerIron performs hashing based on their values. In the sample configuration above, one of the following can take place: If a cookie header has both of the selected cookies, hashing is performed based on the values in the two cookies. All requests that contain the same two NAME=VALUE pairs are always sent to the same real server. If a cookie header has only one of the selected cookies (for example "Category", but not "Type"), hashing is performed based on the value in the single cookie. All requests that contain the same NAME=VALUE pair are always sent to the same real server. If neither of the selected cookies are found in the cookie header, the ServerIron load balances the requests using the predictor (load-balancing metric).
6 - 78
Figure 6.11
/doc/ServerIron/1199/web-switching/hhh.html
The ServerIron logically reduces the URL string to a number between 0 255
The number corresponds to one of 256 internal hashing buckets on the ServerIron
10
...
255
4 5
Using its load balancing metric, the ServerIron allocates a real server to the hashing bucket The ServerIron sends the HTTP request to the real server allocated to the URLs hashing bucket
rs9
In this diagram: 1. 2. 3. 4. The ServerIron examines the URL string in an HTTP request sent to the VIP. The ServerIron assigns a number between 0 255 to the contents of the URL string. This number corresponds to a hashing bucket on the ServerIron. Using its load balancing metric, the ServerIron allocates one of the real servers bound to the virtual server to the hashing bucket. Possible load balancing metrics are least connections, weighted percentage, and round robin. By default, the least connections metric is applied globally to all virtual servers. If you define a metric specifically for this virtual server, that metric takes precedence over the globally defined metric. The ServerIron directs the HTTP request to the real server matching the URLs hashing bucket. All future HTTP requests that have the same URL string are sent to the same real server. In the example in Figure 6.11, HTTP requests that have a URL string consisting of the text /doc/1199/webswitching/hhh.html are always sent to real server rs9. The following commands enable URL string hashing on a virtual server: ServerIron(config)#server virtual-name-or-ip URLstringHash 209.157.22.241 ServerIron(config-vs-URLstringHash)#port http ServerIron(config-vs-URLstringHash)#port http hash-url-string ServerIron(config-vs-URLstringHash)#bind http rs7 http ServerIron(config-vs-URLstringHash)#bind http rs8 http ServerIron(config-vs-URLstringHash)#bind http rs9 http Syntax: port http hash-url-string The port http hash-url-string command enables URL string hashing on the virtual server. The bind http commands bind the real servers to the VIP. The ServerIron allocates these real servers to its hashing buckets.
5.
6 - 79
If the user-defined token is found in the URL string, the ServerIron uses the segment of the URL string immediately following the token to map HTTP requests to a server group. If the token is not found in the URL string, the ServerIron uses the segment at the beginning of the URL string to map HTTP requests to a server group.
Figure 6.12 illustrates how the ServerIron selects a server group when the user-defined token is part of the URL string.
Figure 6.12 Using URL Segment Hashing to Direct HTTP Requests to a Server Group (Token Found)
Token
ServerIron examines URL string in HTTP request, looks for user-specified token value
/homepages/myname/mypages/index.html
The ServerIron logically reduces the part of the URL string immediately following the token to a number between 0 1023
3 4
The ServerIron sends the HTTP request to the server group whose ID matches the number
Server Group ID = 3
In this diagram: 1. 2. The ServerIron searches the URL string in an HTTP request for a user-defined token. In the example above, the token is homepages. You can define multiple tokens that apply to this VIP. The ServerIron assigns a number between 0 1023 to the segment of the URL string that immediately follows the token. In the example above, the segment of the URL string that immediately follows the token is myname. This number corresponds to the ID of a server group. The ServerIron directs the HTTP request to the server group whose ID matches this number. All future HTTP requests that have a URL string containing the token followed by the segment are sent to the same server group. This means that in the example in Figure 6.12, HTTP requests that have /homepages/myname anywhere within the URL string are always sent to one of the load-balanced real servers in server group ID = 3. If the user-defined token(s) are not found in the URL string, the ServerIron uses the first part of the URL string to map HTTP requests to a real server. Figure 6.13 illustrates how this works.
3. 4.
6 - 80
Figure 6.13
Using URL Segment Hashing to Direct HTTP Requests to a Server Group (Token(s) not Found)
If the user-defined token is not found, the ServerIron looks at the first part of the URL string.
/mystuff/mypages/index.html
The ServerIron logically reduces the first part of the URL string to a number between 0 1023
3 4
The ServerIron sends the HTTP request to the server group whose ID matches the number
Server Group ID = 4
When none of the user-defined tokens appear in the URL string, the ServerIron uses the first part of the URL string to map HTTP requests to a server group. In the example above, the first part of the URL string is mystuff. All HTTP requests that have a URL string that begins with the segment mystuff would be sent to one of the loadbalanced real servers in server group ID = 4.
6 - 81
of Hits
To display information about hash bucket assignments and the number of hits each bucket has received, enter the following command: ServerIron#show server hash Virtual port Hash Buckets: Virtual Server <x>: Bucket: Server 1: s3 4: s2 8: s3 10: s2 12: s3 15: s2 18: s2 21: s2 23: s2 Syntax: show server hash This command displays hash bucket assignment and number of hits only on master ServerIron in sym-active cookie hashing configuration. NOTE: In an active-active SSLB configuration that uses cookie hashing, the show server hash command displays information about hashing bucket assignments and number of hits only on the master ServerIron.
Hit 2 2 4 1 2 1 3 2 3
Server s2 s2 s2 s2 s2 s3 s2 s3 25: s2
Hit 3 1 1 1 2 1 1 2 2
6 - 82
balancing metric to select to which of the other real servers it directs the request. If there are no other real servers bound to the VIP besides the ones in the server group, then the request is dropped. You can change the default behavior so that instead of being sent to a real server bound to the VIP, the requests are dropped. To do this, enter commands such as the following on each real server in the server group: ServerIron(config)#server real-name server1 207.95.7.1 ServerIron(config-rs-server1)#exceed-max-drop In this example, if server1 reaches its maximum connections threshold, and all the real servers in the server group to which server1 belongs also reach their maximum connections thresholds, HTTP requests that would normally go to server1s server group are dropped. Syntax: [no] exceed-max-drop
6 - 83
The default TCP window size is 8000 bytes. Setting the TCP window size to 1460 bytes causes a client to send only one packet before waiting for the ServerIron to send an ACK, assuming a Maximum Segment Size (MSS) of 1460 bytes. This setting applies only to SYN ACK and ACK packets sent from the ServerIron to the client. The ServerIron does not modify the TCP window size for traffic sent from real servers to clients by way of the ServerIron.
Syntax: show server proxy This display shows the following information.
Table 6.13: L7 Switching Statistics This Field... Slot alloc Curr free slot Slot freed Slot alloc fail Pkt freed Displays... Number of proxies allocated Number of proxies possible Number of proxies finished Number of proxy allocation failures Number of packets stored by proxy
6 - 84
Table 6.13: L7 Switching Statistics (Continued) This Field... Max slot alloc Pkt freed Fwd Stored pkt Session T/O Sess T/O pkt free Session del Sess del pkt free DB cleanup cnt DB cleanup pkt free Serv RST to SYN Send RST to C URL not in 1st pkt URL not complete Cookie not in 1st pk Cookie not complete Sess T/O rev Sess 0 Sess T/O Sess diff Dup SYN Sess diff Curr slot used Curr pkt stored Displays... Maximum number of concurrent proxies Number of packets freed by proxy Number of stored packets sent to server Number of session timeouts Number of stored packets freed due to session timeout Number of sessions freed by proxy Number of stored packets deleted when session was freed Proxy cleanup count Number of stored packets freed during proxy cleanup Number of times the server sent RST to TCP SYN Number of times the ServerIron sent RST to client Number of times the URL string was not in the first packet Number of times the URL string was not complete Number of times the Cookie header was not in the first packet Number of times the Cookie header was not complete Number of session timeouts with no reverse session Number of session timeouts, internal proxy error Number of duplicate SYNs received, internal proxy error Number of existing proxies Current number of packets stored by proxy
Table 6.10 on page 6-35 lists the standard HTTP status codes.
6 - 85
Table 6.14: HTTP Status Codes Code Meaning ServerIron marks HTTP FAILED TCS 100 199 100 101 200 299 200 201 202 203 204 205 206 300 399 300 301 302 303 304 305 400 499 400 401 402 403 404 405 406 407 408 409 Informational Continue Switching protocols (not used yet, but defined) Success OK Created Accepted Non-Authoritative information No Content Reset content Partial content Redirection Multiple choices Moved Permanently Moved Temporarily See Other Not Modified Use Proxy Client Error Bad Request Unauthorized Payment Required Forbidden Not Found Method not allowed Not Acceptable Proxy Authentication Required Request timeout Conflict x x x x x x x x x x x x x x x x x x x x SLB
6 - 86
Table 6.14: HTTP Status Codes (Continued) Code Meaning ServerIron marks HTTP FAILED TCS 410 411 412 413 414 415 500 599 500 501 502 503 504 505 Gone Length Required Precondition Failed Request entity too large Request URI too large Unsupported media type Server Error Internal Server Error Not Implemented Bad Gateway Service Unavailable Gateway time-out HTTP version not supported - or extension-code x x x x x x x x x x x x SLB x x x x x x
4.2 Preventing the ServerIron from Downgrading the HTTP Version to 1.0
When the ServerIron receives an HTTP request from a client, it uses its L7 switching configuration to determine to which real server it should send the request. The ServerIron then establishes a TCP connection with the selected real server and sends it the request. If the request sent from the client to the ServerIron uses HTTP version 1.1, the ServerIron downgrades the HTTP version to 1.0 when it sends the request to the real server. If you want to use HTTP 1.1 for the connection between the ServerIron and the real servers, you can prevent the ServerIron from downgrading the HTTP version to 1.0 by entering the following commands: ServerIron(config)#server virtual-name-or-ip noDowngrade 192.168.1.234
6 - 87
ServerIron(config-vs-noDowngrade)#port http no-http-downgrade ServerIron(config-vs-noDowngrade)#exit Syntax: port http no-http-downgrade In HTTP version 1.0 (RFC 1945), a client can send only one request per TCP connection; in HTTP version 1.1 (RFC 2616) a client can send multiple requests per TCP connection. If the ServerIron sends requests to a real server using HTTP 1.1, all the requests in the TCP connection are sent to the same real server that the ServerIron selected using the first request, regardless of the contents of the URL string or Cookie header in the subsequent requests.
6 - 88
HTTP header hashing Content switching Cookie insertion, deletion or damage; HTTP header insertion.
The keepalive mode requires that a Layer 7 switching feature must be configured before you can enable the keepalive mode. Additionally, this feature supports source NAT.
6 - 89
Beginning with release 11.0.00, ServerIron can be configured to handle the first request of a pipelined request correctly and optionally send reset to the subsequent requests. This will help prevent performance degradation. Reset can be enabled in keepalive mode or TCP offload mode. This feature works only when Content Switching is enabled on a virtual server port. if pipelined HTTP requests are sent in one connection, ServerIron will make the switching decision based on the first request and will forward only the first request to the real server. When the real server sends a complete response to the first request, the ServerIron will forward the response to the client. After the client acknowledges the complete response, one of the following occurs: For HTTP traffic, the ServerIron closes the connection by sending a RST to the client For SSL-terminate or SSL-proxy, the ServerIron closes the connection by sending a FIN to the client.
NOTE: Also, resetting the HTTP connection can be done in the keepalive mode or the TCP offload mode. To reset pipelined HTTP request in the keepalive mode, first make sure Content Switching is enabled on a virtual server port that will be used for the pipeline reset request. Then, enter commands such as the following: ServerIron(config)# server virtual-name-or-ip VS1 10.10.10.10 ServerIron(config-vs-VS1)# port http ServerIron(config-vs-VS1)# port http keep-alive reset-pipeline-request Syntax: Syntax:[no] port [portid] keep-alive [reset-pipeline-request] To reset pipelined HTTP request in the TCP offload mode, enter commands such as the following: ServerIron(config)# server virtual-name-or-ip VS1 10.10.10.10 ServerIron(config-vs-VS1)# port http ServerIron(config-vs-VS1)# port http tcp-offload reset-pipeline-request Syntax: [no] port <port> tcp-offload [age <minutes>] [reset-pipeline-request] or Syntax: [no] port <port> tcp-offload [reset-pipeline-request]
6 - 90
Displaying More Characters for Server Field on Show Server All Command Output
NOTE: Software release 10.1.00 adds this feature to ServerIron. The show sessions all command output (command is issued at BP console) displays only 6 characters for server or cache name. If the customer plans on using long names with common characters in the beginning then it would not be possible to distinguish between servers. In the example below, the cache appliances are named NetCache01, NetCache02, NetCache03, NetCache04 and NetCache05 SSH@SI1/1#show sessions all * * * * * 0 Session Info: Flags - 0:UDP, 1:TCP, 2:IP, 3:INT, 4:INVD, H: sessInHash, N: sessInNextEntry Index ==== 0 1 2 3 4 5 6 7 8 9 10 Src-IP Dst-IP S-port D-port Age Next Serv Flags ====== ====== ===== ===== === ==== ==== ======= 82.114.160.33 201.7.184.3 20477 80 43 000000 NetCac TCS1 H 201.7.184.5 83.132.68.226 80 2044 32 06555a NetCac TCS1 H 83.132.68.226 201.7.184.5 2044 80 32 000000 NetCac TCS1 H 201.7.184.5 210.213.94.26 80 4131 32 06548c NetCac TCS1 H 210.213.94.26 201.7.184.5 4131 80 32 000000 NetCac TCS1 H 201.7.184.5 203.106.143.57 80 1546 60 065310 NetCac TCS1 H 203.106.143.57 201.7.184.5 1546 80 33 000000 NetCac TCS1 H 201.7.184.5 68.142.212.210 80 45429 60 065590 NetCac TCS1 H 68.142.212.210 201.7.184.5 45429 80 60 000000 NetCac TCS1 H 201.7.184.5 80.126.212.201 80 62705 32 0655a2 NetCac TCS1 H 80.126.212.201 201.7.184.5 62705 80 32 000000 NetCac TCS1 H
This enhancement provides user a configurable option to display long server names by masking other columns such as "Next" column. The display width for "serv" column can be increased from 6 characters to 12-14 characters.
6 - 91
Total C->S Conn = 0 Total S->C Conn = 0 Total Reassign = 0 Unsuccessful Conn = 0 Server State - 1:enabled, 2:failed, 3:test, 4:suspect, 5:grace_dn, 6:active Real Server MyServer01 MyServer02 MyServer03 St CltConn:Cur/Tot SerConn:Cur/Tot CurrTrans IdleSerCon 1 11/46 3/5 2 1 1 0/0 0/0 0 0 1 0/0 0/0 0 0 TotTrans 147 0 0
Table 6.15: Fields in the show server session keep-alive display This Field... CltConn:Cur/Tot: SerConn:Cur/Tot: Displays... Number of current and total client-side connections on this BP. Number of current and total server-side connections on this BP. When persistent connection is enabled, the number of current and total server-side connections is typically much less than the current and total client-side connections, because a server-side connection can be reused by requests from any client-side connection. Number of busy server side connections that are in the process of serving HTTP transactions. The difference between number of current client-side connections and CurrTrans indicates the number of current idle client-side connections. Number of idle server-side connections that are available to be reused by new requests made to the same server. The sum of CurrTrans and IdleSerCon is equal to the number of current server-side connections. TotTrans: Total number of HTTP transactions that have been successfully completed for the server. Since a persistent connection allows multiple HTTP transactions to be done, TotTrans may typically have a much higher value than the total number of both client-side and server-side connections.
CurrTrans:
IdleSerCon:
TotTrans
In the example above, MyServer01 on WSM CPU ServerIron4/1 has 11 concurrent client-side connections and 3 concurrent server-side connections to the Real Server MyServer01. Two of the three server-side connections are processing different HTTP transactions and the third one is idle. In addition, clients made a total of 46 connections to the ServerIron; while the ServerIron just needs to create a total of 5 server-side reusable keep-alive connections to MyServer01 to serve all the requests sent on the 46 client-side connections. In those 46 client-side connections and 5 server-side connections, 147 HTTP transactions have been completed. Syntax: show server session keep-alive NOTE: This command only works on ServerIron.
6 - 92
Configuration Example
Figure 6.14 illustrates how the initial SSLHP messages exchanged between a client and server, client_hello and server_hello, establish an SSL Session ID.
6 - 93
Figure 6.14
Server
server_hello Confirms security parameters If session_id was zero, server sends a new value for session_id, establishing a new session If session_id from client was non-zero, server sends back same session_id if possible. (Otherwise server sends back new session_id) If the server sends back same session_id, the SSL session is resumed
If the value in the session_id field that the client sends to the server is non-zero, the ServerIron can connect the client to the server that originally sent the Session ID value. Figure 6.15 illustrates how this function, called SSL Session ID switching, works. NOTE: SSL Session ID switching is supported for SSL v3.0 and higher only. In SSL versions prior to 3.0, the session ID was established later in the handshaking process, after the client and server had started exchanging encrypted data. If the session ID is encrypted, the ServerIron cannot make forwarding decisions based on this information.
Figure 6.15 How the ServerIron uses an SSL Session ID to Select a Real Server
Client
Internet
2 3
Link Activity Console Power Link Activity
When client wants to resume session, it sends a client_hello message containing the session_id it received from the server
ServerIron stores session_id value in an internal database that maps session_id values to real servers
Real server rs10 responds with server_hello message containing non-zero session_id
ServerIron looks up session_id value in its internal database, sees that this session_id value maps to real server rs10
In this diagram: 1. The first time a client attempts to establish an SSL connection to the server, there is no history of a previous SSL session, so the session_id field in the client_hello message it sends to the server is empty.
6 - 94
2.
The server (in this example, real server rs10) sees that the session_id field in the client_hello message is empty, indicating the client wants to establish a new SSL session. The server responds to the client with a server_hello message that contains a session_id field with a non-zero value. The ServerIron examines the value in the session_id field sent by the server. The ServerIron adds this value to an internal database, associating it with the real server that sent it. This association between the session_id value and the real server resides in the ServerIrons database for a user-specified amount of time (default 30 minutes), after which it is aged out. In this example, the ServerIron would map the value in the session_id field to real server rs10. When the client resumes the SSL connection to the server, it sends a client_hello message containing the session_id value sent by the server. The ServerIron examines the value in the session_id field sent by the client and looks it up in its internal database. If the value in the session_id field maps to a real server, the ServerIron initiates a TCP connection to the server and passes the client_hello message to it. The ServerIron forwards subsequent packets between the client and server with modifications to the IP and TCP header for sequence number, acknowledgment number, and checksum adjustment.
3.
4. 5. 6.
6 - 95
6 - 96
This chapter describes the High Availability feature in ServerIron. NOTE: In high availability configurations, with Foundry hardware based SSL acceleration in either SSL Termination or SSL Proxy mode, synchronization of proxied or terminated SSL sessions is not supported. NOTE: WSM6-1 and WSM6-2 are different hardware modules. WSM6-1 has 1BP and WSM6-2 has 2BP. A module with a higher number of BPs cannot sync its traffic to another module that has a lower number of BPs. High Availability (HA) for Server Load Balancing (SLB) consists of three ServerIron services: Hot Standby SLB - One ServerIron is always active while the other ServerIron is always standby. Supported on both chassis and XL systems. On chassis systems, hot standby is supported only in Switch (S) code, not Router (R) code. See Hot Standby SLB on page 7-1. Symmetric SLB - Also called active-standby VIP. Both ServerIrons can receive SLB traffic, but only the active VIP handles the L4-7 SLB, while the standby VIP functions as a standby. The VIP with the highest configured sym-priority handles the flow. Available on both chassis and XL systems, Symmetric SLB is supported in both Switch (S) code and Router (R) code. See Symmetric SLB on page 7-16. Sym-Active SLB - True active-active. Both ServerIrons can receive SLB traffic, and both are active for the same VIP. Configuring sym-active and sym-priority on the VIP enables a device to process traffic. SymActive is supported only on chassis systems (not XL) in both Switch (S) code and Router (R) code. See SymActive SLB on page 7-34.
With Direct Server Return (DSR), return traffic is not processed by the ServerIron. Instead, the real server sends return traffic directly to the client. You can apply DSR to each of the HA scenarios (Hot Standby SLB, Symmetric SLB, and Sym-Active SLB). NOTE: When a device is active, it responds to ARPs and processes all traffic for the VIP. When a device is acting as standby, it performs no processing functions for the specified VIP (other than session syncing with the active device, if enabled).
September 2008
7-1
There are two versions of Hot Standby SLB: Standard Hot Standby - The ServerIrons management IP, VIPs, and real servers are all in the same subnet. Source-IP/src-standby-ip Hot Standby - The ServerIrons management IP and VIPs are in one subnet. Real servers are in a different subnet. Additional commands are required for this version.
For Hot Standby SLB, one ServerIron is always active while the other ServerIron is always standby (idle). Hot Standby allows you to configure two ServerIrons to serve as a redundant pair (primary and secondary). If the active ServerIron fails, the idle standby ServerIron assumes the active duties and becomes the new active device. Hot Standby is the only HA service counting the number of available router-ports and server ports for failover behavior. The ServerIron with the highest number of active ports is declared the active device. In addition to portcount loss, a system reload or crash triggers a failover.
Client
ve interface
SI-A
Active
Session sync
SI-B
Standby
L2S
Real servers
When ServerIron A comes up in a Hot Standby configuration, it comes up in Standby state. When it sends Hello messages and sees that no other ServerIron is responding to those Hello messages, ServerIron A assumes the active state. When ServerIron-B comes up, it also goes through Hello-message processing. When ServerIron B sends Hello messages, ServerIron A responds to ServerIron B with ServerIron A's Active Status. ServerIron B assumes Standby status. ServerIron A in Active State performs the following 4 stages of synchronization: Port map synchronization MAC table synchronization Server information synchronization
7-2
September 2008
High Availability
Session synchronization
Once the entire synchronization process is complete, ServerIron B calculates to see if ServerIron A has a higher router-port + server-port count or if ServerIron B itself has the highest count. If ServerIron A and ServerIron B tie, then ServerIron B continues in Standby state. If ServerIron A has a lesser count of router-port + server-port, ServerIron B forces ServerIron A to go to Standby State, and ServerIron B assumes Active state. From now on, ServerIron A will be in Active State and ServerIron B will be Standby State until some event forces a change in their status. Events leading to change can include: An increase or decrease in the count of router-port + server-ports Failure of one BP forcing all 3BPs to fail A reload
While standby ServerIron B is idle, it continuously listens to Active ServerIron A for fail-over preparation. ServerIron A synchronizes its session table on all 3 BPs to match the same 3 BPs on Standby ServerIron B. This action occurs the moment a session is created on Active ServerIron A. Synchronization of a session involves sesssion creation, session deletion, and age updates. No CLI commands are required to invoke session synchronization from Active ServerIron A to Standby ServerIron B. ServerIron A and ServerIron B perform L2/L3/ L4/L7 healthchecks independently. To avoid a loop, ServerIron B becomes a dumb device in Standby. All it does is receive session-sync messages from Active, perform health checks, and process Hello messages. ServerIron B is completely isolated and does not process any SLB traffic. If ServerIron A fails, ServerIron B becomes Active and immediately takes over the processing of SLB traffic. Since the sessions were already synchronized from ServerIron A when it was Active, failover is transparent to users. Despite the stability of this solution, having an inactive device (ServerIron B) with all its VIPs in standby state may be viewed as a limitation. For this reason, Foundry created a new HA feature called Symmetric SLB (see page 716).
September 2008
7-3
Figure 7.2
Client
ve interface
SI-A
Active
Session sync
SI-B
Standby
L2S
Real servers
Follow these steps to enable the minimum required configuration shown in Figure 7.2. Client connections and server connections must be on the same interfaces on both ServerIrons. 1. On ServerIron A, place the untagged hot standby port (sync-link) in its own port-specific VLAN and disable STP: ServerIron-A(config)#vlan 2 by port ServerIron-A(config-vlan-2)#untagged ethe 2/1 ServerIron-A(config-vlan-2)#no spanning-tree Placing the hot standby port in its own VLAN prevents unneccessary traffic from going over the directly connected backup link. With Hot Standby, you cannot have spanning-tree configured anywhere on any link connected between the two ServerIrons. By default, spanning tree is usually enabled on switches but disabled on routers. 2. To avoid system conflicts, globally disable spanning-tree on VLAN 1: ServerIron-A(config)#vlan 1 name DEFAULT-VLAN by port ServerIron-A(config-vlan-1)#no spanning-tree
7-4
September 2008
High Availability
3.
Configure the server backup port, shared chassis-MAC address between the ServerIrons, and any connected router-ports:
! server backup ethe 2/1 00e0.5201.0c72 vlan-id 2 server router-ports ethernet 2/3 server router-ports ethernet 2/4 !
Must be same on both SIs. Came from one of the SIs. See show chassis.
The server backup ethernet command must be configured exactly the same on both ServerIrons. It has three parameters: Syntax: server backup ethernet <portnum> <mac-addr> <vlan-id> The <portnum> parameter specifies where the syn-link is connected, which is the port that connects this ServerIron switch to the other one. In the example, 2/1 is the port number. The <mac-addr> parameter specifies the chassis-MAC address of one of the ServerIrons. Be sure to use a chassis MAC from one of the two devices, not the MAC of one of the backup ports. Use show chassis to locate the chassis MAC. If both devices already have the same chassis MAC (a manufacturing blooper), then one of them must change.
SLB-chassis#show chassis power supply 1 not present power supply 2 ok power supply 1 to 2 from left to right fan 1 (left side panel, back fan) ok fan 2 (left side panel, front fan) ok fan 3 (rear/back panel, left fan) ok fan 4 (rear/back panel, right fan) ok Current temperature : 32.0 C degrees Warning level : 55 C degrees, shutdown level : 66 C degrees Boot Prom MAC: 00e0.5201.0c72
Chassis MAC
The <vlan-id> parameter specifies a VLAN you want to use for active-standby synchronization traffic. In this example, the sync-link Hot Standby port is in VLAN 2. The server router-ports command enables the ServerIron to count the number of upstream (or downstream) router ports connected to the switch. Both ServerIrons must use the same router-ports numbers, such as 2/ 3 in this example. The reason is the standby ServerIron is a dummy device that learns nothing, such as MACs, on its own. 4. Save the configuration: ServerIron-SLB-A #wr mem .Write startup-config in progress. .Write startup-config done. ServerIron-SLB-A# reload NOTE: Be sure to reload the software after configuring or changing the server backup port number. If you change the port number of the backup while the ServerIron is load balancing, clients will not be able to ping the VIP.
September 2008
7-5
5.
Configure the second ServerIron (ServerIron-B). On this system, port 2/1 is the hot standby port. Using the same port numbers and MAC address is a requirement. Notice the chassis-MAC address on each ServerIron matches: ServerIron-B# server backup ethe 2/1 00e0.5201.0c72 vlan-id 2 ServerIron-B# server router-ports ethernet 2/3 ServerIron-B# server router-ports ethernet 2/4 ServerIron-B(config)# vlan 1 name DEFAULT-VLAN by port ServerIron-B(config-vlan-1)# no spanning-tree ServerIron-B(config-vlan-1)# vlan 2 by port ServerIron-B(config-vlan-2)# untagged ethe 2/1 ServerIron-B(config-vlan-2)# no spanning-tree ServerIron-B#wr mem .Write startup-config in progress. .Write startup-config done. ServerIron-SLB-B#reload NOTE: If you plan to configure real servers to use a source IP address configured on the ServerIron as a default gateway, use the source-standby-address or source-nat-address command rather than the source-ip or source-nat command.
6.
Use show server backup and show log to obtain a clear picture of the ServerIrons status in the Hot Standby configuration:
The following screen shots display the different stages of reload and show how a ServerIron comes up in a Hot Standby configuration.
SLB-SI-A#show server backup Sync-link port on this SI Server Backup port = 2/2 Switch state = Standby SLB state = 1 Starts the SLB sync. Five stages: 0>1>2>3>4>0 Peer sync state = 0 0 means the MAC shown below is not valid SLB Partner MAC valid= 0 Peer SI's chassis MAC SLB Partner MAC = 0000.0000.0000 SLB Partner VLAN ID = 2 VLAN used to perform the heartbeat between boxes SLB Partner port cnt = 0 Applicable only for XL, chassis = 255 SLB Backup preference = 0 minutes SLB Backup timer = 1000 milliseconds Transitions, activates = 0,standby = 0 Pdus sent = 0, Pdus recv = 0 Null Pdus sent = 0, Mac pdu sent = 0 No pdus = 0, no port maps = 0 Routers ports = 0, Server ports = 0 Partner Routers ports = 0, Partner Server ports= 0
7-6
September 2008
High Availability
SLB-SI-A#sh serv backup Server Backup port = 2/2 Switch state = Active Assumes Active since no peer was detected by sending null pdus SLB state = 0 State returns to 0 Peer sync state = 0 SLB Partner MAC valid= 0 Still didn't find a peer SI, so this entry is all zeros SLB Partner MAC = 0000.0000.0000 SLB Partner VLAN ID = 2 SLB Partner port cnt = 255 SLB Backup preference = 0 minutes SLB Backup timer = 1000 milliseconds Transitions, activates = 0,standby = 0 Pdus sent = 0, Pdus recv = 0 Null Pdus sent = 215, Mac pdu sent = 0 No pdus = 0, no port maps = 0 Routers ports = 1, Server ports = 1 Becomes 1 Partner Routers ports = 0, Partner Server ports= 0
September 2008
7-7
SLB-SI-A#sh serv backup Server Backup port = 2/2 Switch state = Standby SLB state = 0 Peer sync state = 0 Goes from 0>1>2>3>4>0 SLB Partner MAC valid= 0 Peer SI-B's chassis MAC SLB Partner MAC = 0001.2345.6789 when SLB state goes to 0 SLB Partner VLAN ID = 2 SLB Partner port cnt = 255 SLB Backup preference = 0 minutes SLB Backup timer = 1000 milliseconds Transitions, activates = 0,standby = Pdus sent = 0, Pdus recv = Null Pdus sent = 244, Mac pdu sent = No pdus = 1, no port maps = Routers ports = 1, Server ports = Partner Routers ports = 0, Partner Server ports=
.
Table 7.1: Field Descriptions for show server backup Field Switch state Description Indicates whether this ServerIron is the active ServerIron or the standby. The state can be one of the following: Active Standby
7-8
September 2008
High Availability
Table 7.1: Field Descriptions for show server backup (Continued) Field SLB state Description When a ServerIron comes up in the hot standby configuration (supported using switch images only), it requests information from the peer ServerIron. In particular it requests the following: Port map information MAC information Server mapping information Session information (Fail-over session sync)
After this processing is completed, the ServerIron goes to the "SLB synchronization complete" state. The "SLB State" field in the show server backup command denotes which of the above states the ServerIron is in: SLB_SYNC_COMPLETE state (Value = 0). All synchronization requests from the local ServerIron have been sent to the peer ServerIron. This process is now complete (value = 0). SLB_SYNC_REQ_MAP state (Value = 1). Denotes the local ServerIron is requesting the peer ServerIron for port map information. SLB_SYNC_REQ_MAC state (Value = 2). Denotes the local ServerIron is requesting the peer ServerIron for MAC information. SLB_SYNC_REQ_SERVERS state (Value = 3). Denotes the local ServerIron is requesting the peer ServerIron for Server mapping. SLB_SYNC_REQ_L4 state (Value = 4). Denotes the local ServerIron is requesting the peer ServerIron for session synchronization (fail-over session sync).
Indicates whether the SLB partner MAC address listed in the SLB Partner MAC field is valid. The value can be one of the following: 0 invalid 1 valid
The chassis MAC address on the other ServerIron, thus indicating Layer 2 connectivity between the ServerIrons. If this field contains all zeros, double-check the connection between the ServerIrons and verify that both ServerIrons are powered on. Also verify that Spanning Tree is disabled on both ServerIrons. Spanning Tree interferes with Hot Standby. The number of physical ports on the other ServerIron. The number of times this ServerIron has changed from standby to active. The number of times this ServerIron has changed from active to standby. The number of Layer 4 synchronization packets this ServerIron has sent to the other ServerIron. The number of MAC-layer synchronization packets this ServerIron has sent to the other ServerIron. The number of missed Layer 4 or MAC-layer PDUs.
SLB Partner port cnt Transitions, activates Transitions, standby Pdus sent Mac pdu sent No pdus
September 2008
7-9
Table 7.1: Field Descriptions for show server backup (Continued) Field no port maps Description The number of missed port map PDUs. Port map PDUs are used by the ServerIron to discover information about the maps on the other ServerIron.
Client
! server source-standby-ip 172.20.1.252/24 172.20.1.254 server source-ip 172.20.1.250/24 172.20.1.254 ! ! server virtual vs1 11.1.1.1 ... ve2 interface !
172.20.1.254
SI-A
SI-B
! server source-standby-ip 172.20.1.252/24 172.20.1.254 server source-ip 172.20.1.251/24 172.20.1.254 ! ! server virtual vs1 11.1.1.1 ... !
L2S
7 - 10
September 2008
High Availability
SI-A
! server server server ! ! server ... !
SI-B
L2S
virtual vs1 11.1.1.1
September 2008
7 - 11
! server source-nat server source-nat-ip 172.20.1.250 255.255.255.0 172.20.1.254 port-range 2 ! ! server virtual vs1 11.1.1.1 ... !
SI-A
SI-B
! server source-nat server source-nat-ip 172.20.1.250 255.255.255.0 172.20.1.254 port-range 1 ! ! server virtual vs1 11.1.1.1 ... !
L2S
7 - 12
September 2008
High Availability
September 2008
7 - 13
To enable this feature, enter the following command: ServerIron(config)#server backup-vip-cnt Syntax: [no] server backup-vip-count
7 - 14
September 2008
High Availability
To configure the ServerIron in the middle to forward the synching messages, enter the following command on the ServerIron connecting the active and the backup ServerIrons: ServerIron(config)#server fwd-l4-sync Syntax: server fwd-l4-sync
September 2008
7 - 15
Symmetric SLB
Symmetric SLB (SSLB) is active-standby VIP. Both ServerIrons handle traffic, but the active VIP handles the L4-7 and the standby VIP serves only as a standby. Each ServerIron is the active ServerIron for a specific set of VIPs, while the other ServerIron is the backup for the same set of VIPs. In SSLB, you determine which ServerIrons are active and backup for a VIP by associating a sym-priority with the VIP. You assign a different priority to the same VIP on each ServerIron. The ServerIron on which the VIP has the highest priority is the active ServerIron for that VIP and the others are standbys. When all ServerIrons and associated links are available, the ServerIron with the highest priority for the VIP services the VIP. SSLB does not require any changes to the Spanning Tree configuration in the network. Regardless of whether the network is using Spanning Tree, SSLB provides redundancy for the VIPs and allows all the ServerIrons configured for SSLB to actively perform Server Load Balancing. In addition, you do not need to dedicate ServerIron links to SSLB. SSLB works within the networks topology. NOTE: You cannot have a router hop between the ServerIrons. They must have Layer 2 connectivity. Additionally, you cannot use Hot Standby and SSLB features on the same ServerIron. NOTE: If a ServerIron is running software with a router image and the ServerIrons are in an Active-Active configurations, you need to enable VRRP or VRRP-E on these ServerIrons; otherwise, FTP, RTSP, and MMS protocols may not work. Also, configure the IP address of the real servers default gateway IP address in VRRP-E configuration and the "owner" IP address in VRRP configuration. NOTE: System limitation. The ServerIron does not support symmetric SLB with shared source NAT IPs. The reason is because the VIP and the source IP may not be active on the same ServerIron, and as a result, the ServerIron will not know how to forward return traffic. Configure sym-active as a workaround.
7 - 16
September 2008
High Availability
Figure 7.4
L2S
ISP1 ISP2 VRRP1
VRRP2
SI-A
SI-B
server virtual vip1 1.1.1.1 sym-priority 10 . . server virtual vip2 1.1.1.2 sym-priority 20 . . server virtual vip3 1.1.1.3 sym-priority 30
L2S
server virtual vip1 1.1.1.1 sym-priority 5 . . server virtual vip2 1.1.1.2 sym-priority 25
Real server
In the previous diagram, two upstream routers are connected to two different ISPs. This setup allows clients to access the ServerIrons from different directions. Clients coming from ISP1 want an active VIP1 (on ServerIron-A). The same VIP1 accessed by ISP2 is on standby (on ServerIron-B). On a per ServerIron basis, some VIPs are active while others are on standby. In contrast, all VIPs per ServerIron are either active or standby in a Hot Standby scenario. To configure Symmetric SLB, configure the sym-priority <value> command on each active and standby VIP. The higher the <value>, the higher the preference (priority). The range is from 0 255. You also can configure the priority to dynamically adjust to changes in the health of applications on the VIP. In the diagram, ServerIron-As VIP1 has a priority of 10. ServerIron-Bs VIP1 has a priority of 5. Therefore, ServerIron-A is active. When traffic comes to VIP1, ServerIron-A creates the session. When VIP1 on ServerIron-A goes down, VIP1 on ServerIron-B becomes active. Only the active VIP owner responds to ARP, traffic, session synching, and so on. The Symmetric solution provides granular control of the VIPs. Enabled by default, any L2 link can be used for automatic session synchronization between the ServerIrons. Unlike Hot Standby, the ServerIrons need not be directly connected. To specify a specific port (optional), use the session-sync server subcommand on both devices. See Configuring VLAN Option for Active-Active Links on page 7-28.
September 2008
7 - 17
NOTE: To correctly handle the return traffic in this scenario, you should apply Source-NAT or DSR to a Symmetric SLB configuration. Enable one or the other (not both) for a real server. For Source-NAT, take note of the IronCore vs JetCore WSP CPU load distribution differences. The load is distributed to the CPUs based on the source IP. On IronCore hardware, Source-NAT requires three source IPs (one for each CPU). JetCore hardware does not have this issue. Following is another common Symmetric topology, where the real servers are directly connected to the ServerIrons.
Figure 7.5 Common Symmetric Configuration
Client
L2S
ISP1 ISP2 VRRP1
VRRP2
SI-A
rs1 rs2 rs3
SI-B
rs4 rs5 rs6
NOTE: To see the session sync, go to the BP and issue show session all 0.
Failover Conditions
Both ServerIrons are active with SSLB. Therefore, failover depends on which device has ownership of the VIP. If a link is broken, both ServerIrons are still active. The only time a VIP can failover is during a reload or system crash. Use show log and show server virtual-name-or-ip to gather failover information. The show server virtualname-or-ip command displays state information (5 = active, 3 = standby, 2 = inactive, 1 = inactive).
High Availability
Router to Clients
SI
SI
Layer 2 Switch
VPN1
VPN2
Layer 2 Switch
Here are the CLI commands to implement the configuration shown in Figure 7.6 on page 7-19. Notice that the VPN configuration commands on both ServerIrons are identical. The only information unique to each ServerIron is the management IP address.
Active ServerIron
The following commands change the CLI to global CONFIG level, add the management IP address, and identify the default gateway.
September 2008
7 - 19
ServerIron> enable ServerIron# configure terminal ServerIron(config)# ip address 192.168.1.1 255.255.255.0 ServerIron(config)# ip default-gateway 192.168.1.254 The following commands add the real server definitions for the VPN devices: ServerIron(config)# server real-name VPN1 192.168.1.10 ServerIron(config-rs-VPN1)# port 500 ServerIron(config-rs-VPN1)# exit ServerIron(config)# server real-name VPN2 192.168.1.11 ServerIron(config-rs-VPN2)# port 500 ServerIron(config-rs-VPN2)# exit The following commands configure the virtual server definition for the VPN address. ServerIron(config)# server virtual-name-or-ip VPNaddr 192.168.1.100 ServerIron(config-vs-VPNaddr)# sw-l4-vpn-tunnel ServerIron(config-vs-VPNaddr)# port 500 ServerIron(config-vs-VPNaddr)# bind 500 vpn1 500 vpn2 500 ServerIron(config-vs-VPNaddr)# exit The following commands configure the hot-standby information. Since the backup link between the ServerIrons should be in its own port-based VLAN, the vlan command creates a new port-based VLAN and changes the CLI to the configuration level for the VLAN. The untag ethernet command adds the port that is connected to the other ServerIron as an untagged port. The no spanning-tree command disables STP in the VLAN. ServerIron(config)# vlan 2 ServerIron(config-vlan-2)# untag ethernet 2/1 ServerIron(config-vlan-2)# no spanning-tree ServerIron(config-vlan-2)# exit The following commands enable Layer 4 switching for TCP traffic and save the configuration changes to the startup-config file. ServerIron(config)# ip policy 1 cache tcp 0 global ServerIron(config)# write memory The following commands reload the software. This is required to place the backup configuration into effect. ServerIron(config)# end ServerIron# reload
Standby ServerIron
Here are the commands for configuring the standby ServerIron. The only difference between these commands and the commands for the active ServerIron is the management IP address. For simplicity, the same port number is used on each ServerIron for the backup port. If you use different backup port numbers, the backup port numbers also will differ between the two configurations. ServerIron> enable ServerIron# configure terminal ServerIron(config)# ip address 192.168.1.2 255.255.255.0 ServerIron(config)# ip default-gateway 192.168.1.254 ServerIron(config)# server real-name VPN1 192.168.1.10 ServerIron(config-rs-VPN1)# port 500 ServerIron(config-rs-VPN1)# exit ServerIron(config)# server real-name VPN2 192.168.1.11 ServerIron(config-rs-VPN2)# port 500 ServerIron(config-rs-VPN2)# exit ServerIron(config)# server virtual-name-or-ip VPNaddr 192.168.1.100 ServerIron(config-vs-VPNaddr)# sw-l4-vpn-tunnel ServerIron(config-vs-VPNaddr)# port 500 ServerIron(config-vs-VPNaddr)# bind 500 vpn1 500 vpn2 500 ServerIron(config-vs-VPNaddr)# exit ServerIron(config)# vlan 2 7 - 20 2008 Foundry Networks, Inc. September 2008
High Availability
ServerIron(config-vlan-2)# untag ethernet 2/1 ServerIron(config-vlan-2)# no spanning-tree ServerIron(config-vlan-2)# exit ServerIron(config)# ip policy 1 cache tcp 0 global ServerIron(config)# write memory ServerIron(config)# end ServerIron# reload
September 2008
7 - 21
Configuring the Interval and Wait Time for SSLB Discovery Packets
A ServerIron in an SSLB configuration uses discovery packets to request SSLB information from the other ServerIrons. SSLB discovery packets are proprietary Layer 2 broadcast packets and are sent on all ports in all port-based VLANs. Use the server sym-pdu-rate command to change the interval and wait time for SSLB discovery packets. By default, a ServerIron in an SSLB configuration sends discovery packets at 200-millisecond intervals while the default wait time interval is twice the send interval at 400-millisecond. The ServerIron will wait up to 20 equivalent intervals to receive a discovery packet from another ServerIron. If the ServerIron does not receive a discovery packet from the other ServerIron within 20 intervals, the ServerIron concludes that its partner ServerIron is unavailable and assumes control of the VIPs being managed by that ServerIron. For example, if the interval for sending SSLB discovery packets is 200 milliseconds (the default), the ServerIron will wait 20 X 400 milliseconds (eight seconds) to receive a discovery packet from another ServerIron. You can change the send interval multiplier and the wait time multiplier. The send interval is equal to 200 milliseconds multiplied by the send interval multiplier. The default send interval multiplier is 1, so the default send interval is 200 milliseconds. You can specify a multiplier from 1 60. The total wait time interval is equal to 400 milliseconds multiplied by the wait time multiplier. The default wait time multiplier is 20; therefore, the default wait time is eight seconds (20 x 400 milliseconds).
The SSLB timer affects the rate at which the ServerIron sends SSLB protocol packets to its SSLB partners. The timer does not affect client or server traffic to or from a VIP. All the ServerIrons in your configuration must use the same SSLB send interval and wait time. If you change the interval and wait time on one ServerIron, make the same change on all the other ServerIrons in the SSLB configuration. To configure the interval and wait time for SSLB discovery packets, enter a command such as the following: ServerIron(config)#server sym-pdu-rate 2 30 This command does the following: Changes the default send interval (200 ms) and wait interval (400 ms) by a factor of 2 Increases the wait time multiplier from the default 20 to 30.
In effect, this command: Changes the interval at which the ServerIron sends SSLB discovery packets to once every 400 milliseconds Changes the wait interval for discovery packet to once every 800 milliseconds Changes the maximum amount of time the ServerIron will wait for an SSLB discovery packet from another ServerIron to 24 seconds (30 x 2 x 400 milliseconds).
Syntax: [no] server sym-pdu-rate <send-wait-multiplier> <wait-time-multiplier> The <send-wait-multiplier> parameter specifies the multiplier for the SSLB send and wait interval. You can specify a multiplier from 1 60. The default is 1. The <wait-time-multiplier> parameter specifies how many multiples of the wait interval the ServerIron will wait for an SSLB discovery packet. You can specify a multiplier from 1 60. The default is 20.
High Availability
SSLB to continue trying to use a real server farm that is no longer responding, instead of failing over to the other ServerIron to load balance requests for the VIP and application. You can configure a decrement value for the SSLB priority. If an application on a VIP that is enabled for SSLB fails a health check, the ServerIron decrements the VIPs SSLB priority by the amount you specify for the decrement. If the priority value becomes lower than the VIPs priority on the other ServerIron, the software fails the VIP over to the other ServerIron. NOTE: When you configure a decrement value, the value takes effect only if all the applications ports on the real servers fail their health checks. Thus, if the application is still available on at least one of the real servers bound to the VIP, the software does not decrement the priority. NOTE: When you configure the decrement value, do not specify a value that will make the VIPs priority 0. For example, if the VIPs SSLB priority is 10, do not specify 10 as the decrement value. Specify a lower number. Priority value 0 disables SSLB, in which case the VIP becomes active on both ServerIrons. Figure 7.7 shows an example of an SSLB configuration that uses the default priority handling (not the dynamic priority handling).
Figure 7.7 SSLB without dynamic priority
Without dynamic SSLB priority, VIP1 fails over to ServerIron B only if the entire VIP or the ServerIron becomes unavailable. If a single application on VIP1 becomes unavailable, ServerIron A remains the active ServerIron for the VIP .
Internet
Router
Router
ServerIron B
SI
SI
Real Server 1
Real Server 2
Real Server 3
Real Server 4
Using the default priority handling, the software fails over a VIP to the other ServerIron only of the entire VIP or the ServerIron itself becomes unavailable. If an application on the VIP becomes unavailable on all the real servers bound to the VIP, but the VIP itself is still available, the software continues using the same ServerIron for the VIP. As a result, clients are unable to access the unavailable application even if the application is available through the other ServerIron. Figure 7.8 shows an example of a configuration that uses dynamic SSLB priority.
September 2008
7 - 23
Figure 7.8
Without dynamic SSLB priority, VIP1 fails over to ServerIron B only if the entire VIP or the ServerIron becomes unavailable. If a single application on VIP1 becomes unavailable, ServerIron A remains the active ServerIron for the VIP .
Internet
Router
Router
ServerIron A VIP1, priority 30 = Active Decrement value = 9 VIP2, priority 20 = Standby Decrement value = 9
SI
SI
ServerIron B VIP1, priority 30 = Standby Decrement value = 9 VIP2, priority 20 = Active Decrement value = 9
Real Server 1
Real Server 2
Real Server 3
Real Server 4
In this configuration, a ServerIron fails over a VIP to the other ServerIron if more than one application on the VIP becomes unavailable. If one application becomes unavailable, the software reduces the VIPs priority by 9 (the decrement value), in this case to 21. At this point, the ServerIron that is active by default for the VIP still has the higher priority, so failover does not occur. However, if a second application becomes unavailable, then the priority becomes 12, which is less than the priority for the VIP on the other ServerIron (20). When an application becomes available again (and passes a health check), the ServerIron increments the VIPs priority by the decrement amount, thus replacing the priority amount that the software removed when the application failed. If the increment makes the VIPs priority higher than the priority on the other ServerIron, the software fails back over to the ServerIron that originally had the higher priority for the VIP. If more than one ServerIron has the highest priority for a VIP, the ServerIron that has the highest value for the lowest four bytes of its base MAC address becomes the active ServerIron for the VIP. NOTE: If all the applications that are configured for SSLB on the VIP become unavailable, the software sets the SSLB priority for that VIP to 1 (the lowest value). The following commands configure the SSLB priority parameters for the configuration in Figure 7.8.
Commands on ServerIron A
ServerIronA(config-vs-VIP1)# sym-priority 30 ServerIronA(config-vs-VIP1)# dyn-sym-pri-factor 9
Commands on ServerIron B
ServerIronB(config-vs-VIP1)# sym-priority 20 ServerIronB(config-vs-VIP1)# dyn-sym-pri-factor 9 The dyn-sym-pri-factor commands in this example configure the decrement value to 9. Each time an application on the VIP fails a health check (fails on all the real servers bound to the VIP), the ServerIron decrements the VIPs SSLB priority by 9. If the priority reaches a value that is lower than the VIPs priority on the other ServerIron, the software fails over active load balancing for the VIP to the other ServerIron. In this example, failover of the VIP from ServerIron A to ServerIron B occurs if two applications are unavailable (have failed their health checks). 7 - 24 2008 Foundry Networks, Inc. September 2008
High Availability
Syntax: [no] dyn-sym-pri-factor <num> The <num> parameter can be a value from 0 255 and specifies the amount by which you want the ServerIron to decrement a VIPs priority when an application on the VIP fails a health check. There is no default. If you specify a value, then the software performs dynamic SSLB priority for the VIP. To remove a configured decrement, issue dyn-sym-pri-factor 0. The no form of the command does not disable the command. NOTE: Make sure you specify priority and decrement values that provide the level of sensitivity you want. For example, if you want the software to fail over load balancing of a VIP if even a single application fails a health check, then configure the values so that the difference between the two priorities (sym-priority command) is less than the decrement value (dyn-sym-pri-factor command). NOTE: Do not specify a value that will make the VIPs priority 0. For example, if the VIPs SSLB priority is 10, do not specify 10 as the decrement value. Specify a lower number. Priority value 0 disables SSLB, in which case the VIP becomes active on both ServerIrons.
20/ 10
September 2008
7 - 25
This example shows the configuration and priority information for VIP1 in Figure 7.8. The priority information is shown by the fields in bold type. These fields show the following information.
Table 7.2: Virtual Server Information for SSLB This Field... Sym Displays... Information for SSLB. The following information is displayed: group The SSLB group number. state The state, which should be 5 for the active ServerIron and 3 for other ServerIrons. priority The SSLB priority configured on the ServerIron. keep The number of times an SSLB backup has failed to communicate with the active ServerIron. By default, the counter is incremented by 1 every 400 milliseconds the backup ServerIron is late responding to the active ServerIrons keepalive message. The counter is reset to 0 each time the backup ServerIron replies to a keepalive message. If the counter goes higher than the maximum number allowed (20 by default, thus 8 seconds), the standby ServerIron takes over as the new active ServerIron. Normally, this field almost always contains 0. Note: This field is applicable only on the active ServerIron. dyn priority/factor The current dynamically set priority and the decrement value. In this example, an application has failed a health check, so the dynamic priority is 20 instead of 30. The decrement value is 10. If the priority and dyn priority values match, then all the VIPs applications that are configured for SSLB are responding to their health checks. Activates The number of times this ServerIron has become the active ServerIron. Inactive The number of times this ServerIron has changed from being the active ServerIron. Best-standby-mac The MAC address of the backup ServerIron with the second-highest priority. This ServerIron will become the active ServerIron if a failover occurs.
High Availability
You can minimize interruption to sessions created on the standby ServerIron by configuring each ServerIron to delay reactivation following its recovery after a failover. By delaying reactivation of a recovered ServerIron, you provide time for sessions created by the standby ServerIron to terminate normally. To configure delay reactivation, enter the following command: ServerIron(config)#server delay-symmetric Syntax: [no] server delay-symmetric [<mins>] The <mins> parameter specifies the number of minutes you want the recovered ServerIron to wait before becoming active again. You can specify from 2 120 minutes. The default is 60 minutes. You must enter the same command using the same number of minutes on both ServerIrons in the configuration.
Table 7.3: SSLB Display Information This Field... Server Symmetric port Group_id Candidate cnt Port No-rx Displays... The ServerIron port number on which the ServerIron perceives other ServerIrons running SSLB. The SSLB group ID. The group ID is always 1. The number of ports on which the ServerIron perceives a partner ServerIron running SSLB. The port connected to the other ServerIron. Information Foundry technical support can use to help resolve SSLB configuration issues.
September 2008
7 - 27
2.
7 - 28
September 2008
High Availability
Active-active SYN-Guard and NAT configurations use the server active-active-port ethernet <portnum> command to identify the port that connects the ServerIron to its active-active partner. The port you specify must be in its own port-based VLAN. To use a tagged port, specify the VLAN ID for the active-active link when you specify the port. When you specify the VLAN ID, the ServerIron forwards active-active traffic on the specified VLAN only. The traffic is not sent to the other VLANs of which the port is a member. To configures the active-active link, enter the command such as the following: ServerIronB(config)# server active-active-port ethernet 3/5 200 This command configures the active-active link on port 3/5 on VLAN 200 only. The active-active traffic is not forwarded to the other VLANs that port 3/5 is in. Syntax: [no] server active-active-port ethernet <portnum> [<vlan-id>]
September 2008
7 - 29
Fast session synchronization is enabled by default. There are no CLI commands to enable or disable this feature. However, if VRRP is configured on your ServerIrons you need to configure a primary and secondary IP address on the VRRP interface of the VRID owner. The secondary IP address must be associated with the VRID.
e 2/4
e 3/2
Router1
e 1/6
Primary IP: 192.53.5.1 Secondary IP: 192.53.5.2 VRID 1 IP address: 192.53.5.2 Priority: 255
e 1/5
NOTE: Associating the secondary IP with the VRID and other configuration mentioned above is a requirement only for VRRP. There is no such requirement for VRRP-E in order to support fast session synchronization feature. The configuration examples below show how to configure the VRRP owner and backup with the primary and secondary IP addresses.
Configuring a Backup
Router2(config)# router vrrp Router2(config)# inter e 1/5 Router2(config-if-1/5)# ip address 192.53.5.3/24 Router2(config-if-1/5)# ip vrrp vrid 1 Router2(config-if-1/5-vrid-1)# backup Router2(config-if-1/5-vrid-1)# ip-address 192.53.5.2 Router2(config-if-1/5-vrid-1)# activate
7 - 30
September 2008
High Availability
NOTE: You can provide more redundancy to the ServerIrons by also configuring a second VRID with Router 2 as the Owner and on Router 1 as the Backup. This type of configuration is sometimes called Multigroup VRRP. In order to support fast session synchronization feature in this type of configuration, you would also need a secondary IP address on Router 2 and the second VRID needs to be associated with this secondary IP address on Router 2.
September 2008
7 - 31
within the trunk link failed. This enhancement allows the administrator to trigger failover even after the failure of one of the ports within the trunk link. This release adds the following command under an interface and the ip vrrp-extended vrid <vrid-num> command: "track-trunk-port ethernet <slot/port>"
This command is for VRRP-E only. It can only be configured for a primary trunk when VRRP-E is enabled. You must: Add "track-port" before you add "track-trunk-port" for the same trunk. Add "no track-trunk-port" before you add "no track-port" for the same trunk.
The decreased track-priority for a trunk can be calculated as the following: Assume <track-priority> is the track-priority configured in "track-port" or default track-priority value. If all trunk ports are up, the track-priority decreased is 0. If no trunk ports are up, the track-priority decreased is <track-priority> of the trunk. Otherwise, it must be calculated as the following: "track-priority> * (<num-config-ports> - <num-active-ports>)/ <num-config-ports>"
Sample Configuration
ServerIron#sh run trunk server ethe trunk server ethe trunk switch ethe ServerIron#sh run 7 - 32 | i 4/1 4/5 4/9 int trunk to 4/4 to 4/6 to 4/10 ve 1 2008 Foundry Networks, Inc. September 2008
High Availability
!Building configuration... !Current configuration : 346 bytes interface ve 1 ip address 2.2.2.21 255.255.255.0 ip vrrp-extended vrid 1 backup priority 200 track-priority 100 advertise backup ip-address 2.2.2.30 vip-group 1 track-port e 4/1 priority 80 track-trunk-port e 4/1 track-port e 4/5 track-trunk-port e 4/5 track-port e 4/9 track-trunk-port e 4/9 enable ! To remove track-port, track-trunk-port needs to be removed first ServerIron(config-vif-1-vrid-1)#no track-port e 4/9 Must disable track-trunk-port before track-port ServerIron(config-vif-1-vrid-1)# NOTE: To remove trunk, track-trunk-port needs to be removed first ServerIron(config-vif-1-vrid-1)#no trunk swi e 4/9 to 4/10 Need to remove track-port in vrrp(e) configuration first! To configure this feature, follow these steps: 1. This command can ONLY be configured for trunk primary. ServerIron(config-vif-13-vrid-1)#track-trunk-port ethernet 4/34 Error - track trunk port must be the trunk primary. ServerIron(config-vif-13-vrid-1)# 2. Add "track-port" before adding "track-trunk-port" for the same trunk. ServerIron(config-vif-13-vrid-1)#track-trunk-port ethernet 4/33 Must track-port this trunk before track-trunk-port the same trunk ServerIron(config-vif-13-vrid-1)# 3. Add "no track-trunk-port" before adding "no track-port" for the same trunk. ServerIron(config-vif-13-vrid-1)#no track-port e 4/33 Must disable track-trunk-port before track-port ServerIron(config-vif-13-vrid-1)#
Sample Configuration
In the following configurion, both SI-A and SI-B have a trunk with a FastIron switch. The trunk has two ports (e4/ 33-34) and the primary trunk is e4/33. VRRP-E vrid 1 is configured in interface e4/17.
SI-A
trunk switch ethe 4/33 to 4/34 !
September 2008
7 - 33
vlan 2 by port untagged ethe 4/17 router-interface ve 13 ! router vrrp-extended ! interface ve 13 ip access-group 130 in ip address 10.13.30.170 255.255.255.0 ip vrrp-extended vrid 1 backup priority 106 track-priority 21 ip-address 10.13.30.254 track-port e 4/33 track-trunk-port e 4/33 enable !
SI-B
trunk switch ethe 4/33 to 4/34 ! vlan 2 by port untagged ethe 4/17 router-interface ve 13 ! router vrrp-extended ! interface ve 13 ip access-group 130 in ip address 10.13.30.171 255.255.255.0 ip vrrp-extended vrid 1 backup priority 100 track-priority 20 ip-address 10.13.30.254 track-port e 4/33 track-trunk-port e 4/33 enable !
Sym-Active SLB
Sym-Active SLB is true active-active. Both ServerIrons handle traffic (active-active), and both ServerIrons are active for the same VIP on both ServerIrons. NOTE: Sym-Active SLB is supported only on ServerIron Chassis devices.
7 - 34
September 2008
High Availability
Figure 7.9
Client
SI-A
SI-B
Server 200 sym-priority 190 60% CPU symmetric 10% CPU 35% CPU sym-active 35% CPU When sym-active is enabled on both ServerIrons, both boxes handle traffic equally for each VIP. A box with symactive configured is enabled to process and forward traffic to/from the client, regardless of an assigned lower VIP priority.
Layer 3 Sym-Active
Layer 3 support for ServerIron Chassis devices is provided. The following is an example configuration of symmetric SLB with one subnet and one virtual routing interface. NOTE: This configuration is supported on ServerIron Chassis device.
September 2008
7 - 35
Figure 7.10
Layer 2 Switch
VLAN1, Port Based, VE 1, IP addr 172.1.1.3 VRRPE VRID 3, VRIP 172.1.1.1, Backup pri 100 VRRPE VRID 4, VRIP 172.1.1.2, Backup pri 100
OSPF Area 0
Port e1
VLAN1, Port Based, VE 1, IP addr 172.1.1.4 VRRPE VRID 3, VRIP 172.1.1.1, Backup pri 100 VRRPE VRID 4, VRIP 172.1.1.2, Backup pri 100
Port e1 VLAN1, Port Based, VE 1, 10.2.24.2 SSLB VIP: HTTP: 10.2.24.100 SSL: 10.2.24.101 FTP: 10.2.24.102 MMS: 10.2.24.103 DNS: 10.2.24.105 VLAN1, Port Based, VE 1, Port 3/1 10.2.24.251
Port 3/1
SI
Port 3/2 ServerIron 254
SI
ServerIron 253 Port 3/2
VLAN1, Port Based, VE1, IP addr 100.1.1.251 VRRPE VRID 5, VRIP 100.1.1.254, Backup pri 100 VRRPE VRID 6, VRIP 100.1.1.253, Backup pri 100
Layer 2 Switch
Layer 2 Switch
Real Servers 100.1.1.29, 30, 31 HTTP, SSL, FTP, DNS, RTSP, MMS Gateway: 100.1.1.254
Real Servers 100.1.1.129, 130, 131 HTTP, SSL, FTP, DNS, RTSP, MMS Gateway: 100.1.1.253
rs29
rs30
rs31
rs29.1
rs30.1
rs31.1
NOTE: To allow failover and session synchronization in an Sym-Active configuration to work properly, there must be a Layer 2 connection between the two ServerIrons. This connection is required so that Layer 2 broadcasts, including ARP to the VIP from the ServerIron with lower symmetric priority, can be exchanged between the two ServerIrons. In configurations with multiple VLANs, the Layer 2 link must be on the subnet where the VIPs are configured.
7 - 36
September 2008
High Availability
ServerIron(config-ve-1-vrid-4)# ip-address 172.1.1.2 ServerIron(config-ve-1-vrid-4)# track-port e 1 ServerIron(config-ve-1-vrid-4)# track-port e 2 ServerIron(config-ve-1-vrid-4)# enable ServerIron(config-ve-1)# exit ServerIron(config)# vlan 2 by port ServerIron(config-vlan-2)# untagged ethe 23 ServerIron(config-vlan-2)# exit ServerIron(config)# ip route 0.0.0.0 0.0.0.0 10.2.24.254 ServerIron(config)# router vrrp ServerIron(config)# route-only ServerIron(config)# router ospf ServerIron(config-ospf-router)# area 0 ServerIron(config-ospf-router)# redistribution connected ServerIron(config-ospf-router)# redistribution static ServerIron(config-ospf-router)# exit
ServerIron(config-port-21)# session-sync ServerIron(config-port-21)# exit ServerIron(config)# server port 1755 ServerIron(config-port-1755)# session-sync ServerIron(config-port-1755)# tcp ServerIron(config-port-1755)# udp ServerIron(config-port-1755)# exit ServerIron(config)# server port 53 ServerIron(config-port-53)# session-sync ServerIron(config-port-53)# exit ServerIron(config)# server port 443 ServerIron(config-port-443)# session-sync ServerIron(config-port-443)# tcp ServerIron(config-port-443)# exit ServerIron(config)# server router-ports ethernet 3/1 ServerIron(config)# server real rs29 100.1.1.29 ServerIron(config-rs-rs29)# port ssl ServerIron(config-rs-rs29)# port mms ServerIron(config-rs-rs29)# port http ServerIron(config-rs-rs29)# port http url "HEAD /" ServerIron(config-rs-rs29)# port ftp ServerIron(config-rs-rs29)# port dns ServerIron(config-rs-rs29)# exit ServerIron(config)# server real rs30 100.1.1.30 ServerIron(config-rs-rs30)# port ssl ServerIron(config-rs-rs30)# port mms ServerIron(config-rs-rs30)# port http ServerIron(config-rs-rs30)# port http url "HEAD /" ServerIron(config-rs-rs30)# port ftp ServerIron(config-rs-rs30)# port dns ServerIron(config-rs-rs30)# exit ServerIron(config)# server real rs31 100.1.1.31 ServerIron(config-rs-rs31)# port ssl ServerIron(config-rs-rs31)# port mms ServerIron(config-rs-rs31)# port http ServerIron(config-rs-rs31)# port http url "HEAD /" ServerIron(config-rs-rs31)# port ftp ServerIron(config-rs-rs31)# port dns ServerIron(config-rs-rs31)# exit ServerIron(config)# server real rs29.1 100.1.1.129 ServerIron(config-rs-rs29.1)# port dns ServerIron(config-rs-rs29.1)# port ftp ServerIron(config-rs-rs29.1)# port http ServerIron(config-rs-rs29.1)# port http url "HEAD /" ServerIron(config-rs-rs29.1)# port mms ServerIron(config-rs-rs29.1)# port ssl ServerIron(config-rs-rs29.1)# exit ServerIron(config)# server real rs30.1 100.1.1.130 ServerIron(config-rs-rs30.1)# port dns ServerIron(config-rs-rs30.1)# port ftp ServerIron(config-rs-rs30.1)# port http ServerIron(config-rs-rs30.1)# port http url "HEAD /" ServerIron(config-rs-rs30.1)# port mms ServerIron(config-rs-rs30.1)# port ssl ServerIron(config-rs-rs30.1)# exit ServerIron(config)# server real rs31.1 100.1.1.131 ServerIron(config-rs-rs31.1)# port dns ServerIron(config-rs-rs31.1)# port ftp ServerIron(config-rs-rs31.1)# port http 7 - 38 2008 Foundry Networks, Inc. September 2008
High Availability
ServerIron(config-rs-rs31.1)# port http url "HEAD /" ServerIron(config-rs-rs31.1)# port mms ServerIron(config-rs-rs31.1)# port ssl ServerIron(config-rs-rs31.1)# exit ServerIron(config)# server virtual-name-or-ip www 10.2.24.100 ServerIron(config-vs-www)# sym-priority 254 ServerIron(config-vs-www)# sym-active ServerIron(config-vs-www)# predictor round-robin ServerIron(config-vs-www)# port http ServerIron(config-vs-www)# bind http rs31.1 http rs30.1 http rs29.1 http rs30 http ServerIron(config-vs-www)# bind http rs31 http rs29 http ServerIron(config-vs-www)# exit ServerIron(config)# server virtual-name-or-ip ftp 10.2.24.102 ServerIron(config-vs-ftp)# sym-priority 254 ServerIron(config-vs-ftp)# sym-active ServerIron(config-vs-ftp)# port ftp ServerIron(config-vs-ftp)# bind ftp rs31.1 ftp rs30.1 ftp rs29.1 ftp rs29 ftp ServerIron(config-vs-ftp)# bind ftp rs30 ftp rs31 ftp ServerIron(config-vs-ftp)# exit ServerIron(config)# server virtual-name-or-ip mms 10.2.24.103 ServerIron(config-vs-mms)# sym-priority 254 ServerIron(config-vs-mms)# sym-active ServerIron(config-vs-mms)# port mms ServerIron(config-vs-mms)# bind mms rs31.1 mms rs30.1 mms rs29.1 mms rs29 mms ServerIron(config-vs-mms)# bind mms rs30 mms rs31 mms ServerIron(config-vs-mms)# exit ServerIron(config)# server virtual-name-or-ip dns 10.2.24.105 ServerIron(config-vs-dns)# sym-priority 254 ServerIron(config-vs-dns)# sym-active ServerIron(config-vs-dns)# port dns ServerIron(config-vs-dns)# bind dns rs31.1 dns rs30.1 dns rs29.1 dns rs29 dns ServerIron(config-vs-dns)# bind dns rs30 dns rs31 dns ServerIron(config-vs-dns)# exit ServerIron(config)# server virtual-name-or-ip ssl 10.2.24.101 ServerIron(config-vs-ssl)# sym-priority 254 ServerIron(config-vs-ssl)# sym-active ServerIron(config-vs-ssl)# port ssl sticky ServerIron(config-vs-ssl)# bind ssl rs31.1 ssl rs30.1 ssl rs29.1 ssl rs31 ssl ServerIron(config-vs-ssl)# bind ssl rs30 ssl rs29 ssl ServerIron(config-vs-ssl)# exit
September 2008
7 - 39
ServerIron(config-ve-1)# ip vrrp-extended vrid 4 ServerIron(config-ve-1-vrid-4)# backup ServerIron(config-ve-1-vrid-4)# ip-address 172.1.1.2 ServerIron(config-ve-1-vrid-4)# track-port e 1 ServerIron(config-ve-1-vrid-4)# track-port e 2 ServerIron(config-ve-1-vrid-4)# enable ServerIron(config-ve-1)# exit ServerIron(config)# ip route 0.0.0.0 0.0.0.0 10.2.24.253 ServerIron(config)# router vrrp ServerIron(config)# route-only ServerIron(config)# router ospf ServerIron(config-ospf-router)# area 0 ServerIron(config-ospf-router)# redistribution connected ServerIron(config-ospf-router)# redistribution static ServerIron(config-ospf-router)# exit
High Availability
ServerIron(config-port-21)# exit ServerIron(config)# server port 1755 ServerIron(config-port-1755)# session-sync ServerIron(config-port-1755)# tcp ServerIron(config-port-1755)# udp ServerIron(config-port-1755)# exit ServerIron(config)# server port 53 ServerIron(config-port-53)# session-sync ServerIron(config-port-53)# exit ServerIron(config)# server port 443 ServerIron(config-port-443)# session-sync ServerIron(config-port-443)# tcp ServerIron(config-port-443)# exit ServerIron(config)# server router-ports ethernet 3/1 ServerIron(config)# server real rs29 100.1.1.29 ServerIron(config-rs-rs29)# port ssl ServerIron(config-rs-rs29)# port mms ServerIron(config-rs-rs29)# port http ServerIron(config-rs-rs29)# port http url "HEAD /" ServerIron(config-rs-rs29)# port ftp ServerIron(config-rs-rs29)# port dns ServerIron(config-rs-rs29)# exit ServerIron(config)# server real rs30 100.1.1.30 ServerIron(config-rs-rs30)# port ssl ServerIron(config-rs-rs30)# port mms ServerIron(config-rs-rs30)# port http ServerIron(config-rs-rs30)# port http url "HEAD /" ServerIron(config-rs-rs30)# port ftp ServerIron(config-rs-rs30)# port dns ServerIron(config-rs-rs30)# exit ServerIron(config)# server real rs31 100.1.1.31 ServerIron(config-rs-rs31)# port ssl ServerIron(config-rs-rs31)# port mms ServerIron(config-rs-rs31)# port http ServerIron(config-rs-rs31)# port http url "HEAD /" ServerIron(config-rs-rs31)# port ftp ServerIron(config-rs-rs31)# port dns ServerIron(config-rs-rs31)# exit ServerIron(config)# server real rs29.1 100.1.1.129 ServerIron(config-rs-rs29.1)# port dns ServerIron(config-rs-rs29.1)# port ftp ServerIron(config-rs-rs29.1)# port http ServerIron(config-rs-rs29.1)# port http url "HEAD /" ServerIron(config-rs-rs29.1)# port mms ServerIron(config-rs-rs29.1)# port ssl ServerIron(config-rs-rs29.1)# exit ServerIron(config)# server real rs30.1 100.1.1.130 ServerIron(config-rs-rs30.1)# port dns ServerIron(config-rs-rs30.1)# port ftp ServerIron(config-rs-rs30.1)# port http ServerIron(config-rs-rs30.1)# port http url "HEAD /" ServerIron(config-rs-rs30.1)# port mms ServerIron(config-rs-rs30.1)# port ssl ServerIron(config-rs-rs30.1)# exit ServerIron(config)# server real rs31.1 100.1.1.131 ServerIron(config-rs-rs31.1)# port dns ServerIron(config-rs-rs31.1)# port ftp ServerIron(config-rs-rs31.1)# port http ServerIron(config-rs-rs31.1)# port http url "HEAD /" September 2008 2008 Foundry Networks, Inc. 7 - 41
ServerIron(config-rs-rs31.1)# port mms ServerIron(config-rs-rs31.1)# port ssl ServerIron(config-rs-rs31.1)# exit ServerIron(config)# server virtual-name-or-ip www 10.2.24.100 ServerIron(config-vs-www)# sym-priority 100 ServerIron(config-vs-www)# sym-active ServerIron(config-vs-www)# predictor round-robin ServerIron(config-vs-www)# port http ServerIron(config-vs-www)# bind http rs31.1 http rs30.1 http rs29.1 http rs30 http ServerIron(config-vs-www)# bind http rs31 http rs29 http ServerIron(config-vs-www)# exit ServerIron(config)# server virtual-name-or-ip ftp 10.2.24.102 ServerIron(config-vs-ftp)# sym-priority 100 ServerIron(config-vs-ftp)# sym-active ServerIron(config-vs-ftp)# port ftp ServerIron(config-vs-ftp)# bind ftp rs31.1 ftp rs30.1 ftp rs29.1 ftp rs29 ftp ServerIron(config-vs-ftp)# bind ftp rs30 ftp rs31 ftp ServerIron(config-vs-ftp)# exit ServerIron(config)# server virtual-name-or-ip mms 10.2.24.103 ServerIron(config-vs-mms)# sym-priority 100 ServerIron(config-vs-mms)# sym-active ServerIron(config-vs-mms)# port mms ServerIron(config-vs-mms)# bind mms rs31.1 mms rs30.1 mms rs29.1 mms rs29 mms ServerIron(config-vs-mms)# bind mms rs30 mms rs31 mms ServerIron(config-vs-mms)# exit ServerIron(config)# server virtual-name-or-ip dns 10.2.24.105 ServerIron(config-vs-dns)# sym-priority 100 ServerIron(config-vs-dns)# sym-active ServerIron(config-vs-dns)# port dns ServerIron(config-vs-dns)# bind dns rs31.1 dns rs30.1 dns rs29.1 dns rs29 dns ServerIron(config-vs-dns)# bind dns rs30 dns rs31 dns ServerIron(config-vs-dns)# exit ServerIron(config)# server virtual-name-or-ip ssl 10.2.24.101 ServerIron(config-vs-ssl)# sym-priority 100 ServerIron(config-vs-ssl)# sym-active ServerIron(config-vs-ssl)# port ssl sticky ServerIron(config-vs-ssl)# bind ssl rs31.1 ssl rs30.1 ssl rs29.1 ssl rs31 ssl ServerIron(config-vs-ssl)# bind ssl rs30 ssl rs29 ssl ServerIron(config-vs-ssl)# exit
7 - 42
September 2008
High Availability
Figure 7.11
Router to Clients
SI
Layer 2 Switch
SI
VPN1
VPN2
Layer 2 Switch
Here are the CLI commands to implement the active-active configuration shown in Figure 7.11.
ServerIron A
The following commands change the CLI to global CONFIG level, add the management IP address, and identify the default gateway. ServerIron> enable ServerIron# configure terminal ServerIron(config)# ip address 192.168.1.1 255.255.255.0 ServerIron(config)# ip default-gateway 192.168.1.254 The following commands enable session synchronization port 500. This is required both to ensure continued service following a failover and to enable each ServerIron to send server replies back to the clients, regardless of which ServerIron load balanced the request. ServerIron(config)# server port 500 ServerIron(config-port-500)# session-sync ServerIron(config-port-500)# exit The following commands add the real server definitions for the VPN devices:
September 2008
7 - 43
ServerIron(config)# server real-name VPN1 192.168.1.10 ServerIron(config-rs-VPN1)# port 500 ServerIron(config-rs-VPN1)# exit ServerIron(config)# server real-name VPN2 192.168.1.11 ServerIron(config-rs-VPN2)# port 500 ServerIron(config-rs-VPN2)# exit The following commands configure the virtual server definition for the VPN address. ServerIron(config)# server virtual-name-or-ip VPNaddr 192.168.1.100 ServerIron(config-vs-VPNaddr)# sw-l4-vpn-tunnel ServerIron(config-vs-VPNaddr)# sym-priority 254 ServerIron(config-vs-VPNaddr)# sym-active ServerIron(config-vs-VPNaddr)# port 500 ServerIron(config-vs-VPNaddr)# bind 500 vpn1 500 vpn2 500 ServerIron(config-vs-VPNaddr)# exit The following commands enable Layer 4 switching for TCP traffic and save the configuration changes to the startup-config file. ServerIron(config)# ip policy 1 cache tcp 0 global ServerIron(config)# write memory
ServerIron B
Here are the commands for configuring ServerIron B in Figure 7.11 on page 7-43. ServerIron> enable ServerIron# configure terminal ServerIron(config)# ip address 192.168.1.2 255.255.255.0 ServerIron(config)# ip default-gateway 192.168.1.254 ServerIron(config)# server port 500 ServerIron(config-port-500)# session-sync ServerIron(config-port-500)# exit ServerIron(config)# server real-name VPN1 192.168.1.10 ServerIron(config-rs-VPN1)# port 500 ServerIron(config-rs-VPN1)# exit ServerIron(config)# server real-name VPN2 192.168.1.11 ServerIron(config-rs-VPN2)# port 500 ServerIron(config-rs-VPN2)# exit ServerIron(config)# server virtual-name-or-ip VPNaddr 192.168.1.100 ServerIron(config-vs-VPNaddr)# sw-l4-vpn-tunnel ServerIron(config-vs-VPNaddr)# sym-priority 2 ServerIron(config-vs-VPNaddr)# sym-active ServerIron(config-vs-VPNaddr)# port 500 ServerIron(config-vs-VPNaddr)# bind 500 vpn1 500 vpn2 500 ServerIron(config-vs-VPNaddr)# exit ServerIron(config)# ip policy 1 cache tcp 0 global ServerIron(config)# write memory ServerIron(config)# end ServerIron# reload
7 - 44
September 2008
High Availability
You can configure up to eight hot-standby pairs within a single broadcast domain in a hot-standby topology. To do this, configure a backup group ID on each of the ServerIrons. Both ServerIrons in a given pair have the same ID. The ID uniquely identifies the pair. When you configure a backup group ID, both ServerIrons in a hot-standby pair use the ID when exchanging backup information. If a ServerIron receives a backup information packet but the packet's backup group ID does not match the ServerIron's backup group ID, the ServerIron will not process this packet for hot standby. If the broadcast domain contains multiple hot-standby pairs, you must configure backup group IDs on all pairs. If the broadcast domain contains only one hot-standby pair, you do not need to configure a backup group ID.
Configuring a Backup-Group ID
Use the [no] server backup-group <id> command to configure a backup-group ID. Enter the same ID on both ServerIrons in a hot-standby pair. Do not enter the same ID on a ServerIron that is not one of the ServerIrons in the hot-standby pair. The default value is 0. This feature is turned on by default. To configure a backup-group ID, enter the following command: ServerIron(config)# server backup-group 1 Syntax: [no] server backup-group <id> The <id> parameter specifies the backup-group ID and can be a number from 0 to 7. Use the show server backup command in a hot standby topology to display the backup ID information. If there is a group-ID mismatch, both ServerIrons will become active (instead of one standby and one active).
Symmetric Topology
Symmetric SLB increases performance and simplifies a redundant topology. It provides these benefits by allowing you to implement redundancy on an individual VIP basis. Unlike a conventional hot-standby configuration, you can actively use all the ServerIrons in a Symmetric SLB configuration simultaneously. You can configure up to seven symmetric SLB pairs within a single broadcast domain in a symmetric topology. To do this, configure a symmetric group ID on each of the ServerIrons. Both ServerIrons in a given pair must have the same ID. The ID uniquely identifies the pair. When you configure a symmetric group ID, both ServerIrons in a symmetric SLB pair use the ID when exchanging symmetric protocol information. If a ServerIron receives a symmetric protocol information packet but the packet's symmetric group ID does not match the ServerIron's symmetric group ID, the ServerIron discards the packet. If the broadcast domain contains multiple symmetric pairs, you must configure symmetric group IDs on all pairs. If the broadcast domain contains only one symmetric pair, you do not need to configure a symmetric group ID.
September 2008
7 - 45
7 - 46
September 2008