SHARE
TWEET

AOL Internal Data

a guest Jun 25th, 2011 14,961 Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. Introduction
  2. Purpose and Objectives
  3.  
  4. The purpose of this document is to provide the AOL Network Engineering Staff, Management and any other pertinent persons a detailed review, analysis and recommended ìbest practicesî document for the implementation of layer 4 through 7 switching configurations. This is an evolving document, providing information from which an open forum of discussion can take place.
  5. Scope
  6.  
  7. The scope of this document covers a review of SLB concepts, the Foundry ServerIron product line, general and advanced configuration parameters, health check operation and implementation, , and a case study section for easy reference. This document focuses primarily on the operation and configuration of the Foundry Networks ServerIron, though the concepts of SLB covered within are not limited to the Foundry ServerIron product. 90% of the SLB enabled services deployed within AOL is general in nature.
  8. Server Load Balancing Review
  9. Basic SLB Review
  10. Server Load Balancing is a technique used by Layer 4 devices to ìspread the loadî of a particular service across many servers, AKA a server farm. These services can include, but are not limited Web, FTP, SSL, etc. The following drawing depicts a typical SLB topology deployed within AOL:
  11. ?
  12. Figure 1
  13. The ìclientsî connect to the Virtual IP (VIP) that represents the service. The Layer 4 switch then distributes the connection on behalf of the client to one of the servers within the server farms servicing the particular service requested by the client. The Layer 4 switch performs many functions with respect to this, including client connection management, real server (the servers that make up the server farm) health monitoring, security, and even Layer 2 services just to name a few. The configuration can get quite complex, depending on what services are being provided by the Layer 4 switch. Itís important to note here that the ìphysicalî topology is essentially the same as if only a Layer 2 switch were deployed.
  14.  
  15. SLB is classified as ìswitchingî at the OSI Layers 4 through 7. In layer 4 SLB, the switch is distributing client connections based on either TCP or UDP information gleaned from the client request. With the upper layers, the switch is more ìapplication awareî; the device will examine the client request in more detail in an attempt to glean information from which a switching decision can be made. Layer 7 switching involves more processing overhead, but with some applications, can offer a more robust connectivity model for application switching decisions.
  16. Advanced SLB Concepts
  17. Layer 7 Switching
  18. Layer 7 switching involves the switch making SLB decisions based on information gleaned from the client request, at the application level. This includes the actual URL, cookies, and even SSL Ids.
  19.  
  20. URL switching
  21.  
  22.         The ServerIron has the ability to identify portions of (or match the entire) URL request from the client and direct that request to a group of  (or a specific server) based on what was gleaned from the request.
  23.  
  24. Cookie Switching
  25.  
  26.         Similar to URL switching, the ServerIron is looking into the URL data to identify a cookie within the request. Cookies take the form of a ìName=Valueî pair, and the request is directed to the group or specific real server based on that match.
  27.  
  28. SSL switching
  29.  
  30.         SSL switching allows the ServerIron to direct a request from a client to the real servers where an SSL session was initially established.
  31.  
  32. Caching
  33.  
  34. Proxy caching and transparent caching is the ability of the switch to identify based on policies and other configuration parameters client requests for services, and direct them to a cache server farm.
  35. The Foundry ServerIron SLB Products
  36.  
  37. The Foundry ServerIron comes in 2 flavors, the stackable and chassis-based device.
  38. ServerIron XL Stackable
  39. The ServerIron XL is a stackable device with 24 10/100 ports combined with 2 dedicated uplink ports; the uplinks can be either 10/100 or Gigabit Ethernet. The device contains a 400 Mhz Power PC and 32 Mbs of RAM. This device will be refered to as the ìXLî in the remainder of the document.
  40.  
  41. Big ServerIron Chassis
  42. The Big ServerIron is an upgraded BigIron chassis device, with either an M3 or M4 management board. The upgrade consists of an EEPROM installation coupled with a code upgrade. This configuration will be refered to as the ìBSIî for the remainder of the document.
  43. ServerIron 400
  44. The ServerIron 400/800 is a 4 slot and 8 slot chassis device with an M5 / WSM4 management module. The M5 has four processors, a ìmanagementî processor (MP), and three ìbarrel processorsî (BP). The management processor handles basic system functions such as bootup / initialization, MAC / ARP table maintenance, and other system-wide functions. The barrel processors perform the actual SLB function for the slots that are mapped to it (slot mapping is discussed in section #).. This device will be referred to as the SI400 for the remainder of the document.
  45.  
  46. Configuring the SI products consist of  setting  ìgeneral globalî system parameters, ìadvanced global parametersî, and the ìSLBî specific parameters required for SLB functions, as well as interface specific configuration information. They are consistent between the products, with a few noted exceptions. The configuration format can be illustrated as:
  47.  
  48. !
  49. general and advanced global configuration
  50. !
  51. SLB-specific configuration (Real servers and Virtual Servers)
  52. !
  53. Interface configuration (Link parameters, Caching parameters)
  54. !
  55.  
  56. Sections 3 through 6 provide detailed information concerning general configuration recommendations and practices.
  57. General Global System Configuration Parameters
  58.  
  59. General system parameters consist of assigning the Layer 4 switch an IP address, IP default gateway, device hostname, DNS zone, SNMP parameters, syslog server details, and passwords. These are generic, and will be determined prior to or at system installation. Example configuration follows:
  60.  
  61. console timeout 10 (timeout for console connections, set to 10 minutes)
  62. enable password-display (enables non-encrypted password display via sh run, sh config)
  63. enable super-user-password 0 xxxxxx (sets enable password)
  64. hostname serveriron (sets hostname)
  65. ip address 1.1.1.6 255.255.255.0 (sets IP address of the switch)
  66. ip default-gateway 1.1.1.254 (set default gateway)
  67. ip dns domain-name AOL.COM (sets domain name)
  68. ip dns server-address 205.188.152.6 205.188.152.37 (sets DNS servers)
  69. logging 205.188.151.2 (sets syslog hosts)
  70. logging 172.31.15.13
  71. logging 172.20.20.33
  72. logging facility local5 (sets the syslog logging facility on log host)
  73. snmp-server community 0 xxxxro 8 (sets the SNMP community string, along with the ACL required for snmp queries)
  74. snmp-server contact NetOps (sets the snmp contact information)
  75. snmp-server location cr5 22aa (sets the location)
  76.  
  77. It is recommended that the SNMP variable ìlocationî be included for quick reference.
  78.  
  79.  
  80.  
  81.  
  82. Advanced Global System Configuration Parameters
  83.  
  84. The advanced global parameters consists of configuration statements that affect the overall operation of the device. These settings include layer 2 and layer 4 parameters, as well as system security settings.
  85. Mac Aging
  86.  
  87. Background
  88.  
  89. There is no direct advantage to not having mac-aging turned on except under high traffic loads coupled with high density server farms; the mac-aging process will disrupt traffic flow, a process obviously undesirable under these circumstances.
  90.  
  91. MAC Aging Recommendations
  92.  
  93. It is recommended that we disable MAC aging where it is determined the environment is static; i.e. the hosts are not moving from one physical port to another. To configure MAC aging, enter the following CLI command:
  94.  
  95. Serveriron(config)# mac-age 0
  96.  
  97. This is set on all platforms.
  98. Hardware Aging
  99.  
  100. Background
  101.  
  102. A Foundry chassis device ages out Layer 2 CAM (Content Addressable Memory) entries once every 65 seconds after the flow has been established through the device. As is the case with MAC aging, this process is also disruptive to the flow (subsequent packets sent during the CAM ìrelearningî process are dropped). In the past this had a dramatic impact in areas of the network that experienced very high traffic rates.
  103.  
  104. Hardware Aging Recommendations
  105.  
  106. It is recommended we disable Layer 2 hardware aging across the all chassis products, not just Layer 4 devices. To disable hardware aging, enter the following CLI command:
  107.  
  108. Serveriron(config)# l2-hw-age-dis
  109.  
  110. There will be a complete description of Foundry CAM operation forthcoming in future tech notes.
  111. SpanningTree
  112.  
  113. Unless implicitly required by the Layer 2 design / topology, spanning tree should be disabled. To disable spanning tree, enter the following command via CLI:
  114.  
  115. Serveriron(config)# no spanning
  116.  
  117.  
  118. IP Policy
  119.  
  120. To enable the SI400 management module barrel processors for SLB processing, the following global command must be set:
  121.  
  122. ServerIron(config)# ip l4-policy 1 cache tcp 0 global
  123.  
  124. This command initializes the barrel processors at startup. Note: This command also has the effect of forcing ALL of the traffic for a slot through the mapped barrel processor.
  125. Server Router Ports
  126.  
  127. Server Router Ports are required on the uplink ports to the routers. This parameter indicates to the SI on which ports traffic flows between the client and real servers. To configure the server router ports, use the following CLI command:
  128.  
  129. On the XL and BSI:
  130. Serveriron(config)# server router-ports 25 26
  131.  
  132. On the SI400:
  133. serveriron(config)# server router-ports ethernet 2/1
  134. serveriron(config)# server router-ports ethernet 2/2
  135.  
  136. As indicated above, the configuration differs between the XL/BSI and SI400 device; on the XL and BSI, you can enter all the ìrouterî ports on one line; a separate line entry is required for each port on the SI400. As above concerning the ìip policyî statement on the SI400,
  137.  
  138. Router Port Recommendations
  139.  
  140. The server-router port definitions are required for proper SLB operation.
  141. TCP/UDP Age
  142.  
  143. The TCP/UDP-AGE parameter specifies how long an idle TCP or UDP connection remains in the session table. The default for TCP is 30 minutes, while UDP is 5 minutes. For TCP, the SI will delete immediately a TCP session entry once the connection is closed. The connection is considered ìclosedî if the SI observes either the TCP FIN / FIN-ACK sequence or a RESET from either the client or the real server. For UDP, the session remains in the table for the duration of the configured UDP age timer.
  144.  
  145. Age Timer Recommendations
  146.  
  147. This setting is dependent on the application being serviced. For TCP, the default timer should be set at 10 minutes, and adjusted as necessary depending on the application operational requirements dictate. Ten minutes is suggested as a means of resource preservation on the ServerIron, and falls within the range of SST based applications (SST is the proprietary AOL TCP/IP stack in use on many servers within AOL). A detailed discussion of SST is beyond the scope of this document. The UDP-AGE timer should remain at the default setting. To set the TCP or UDP age, use the following CLI commands:
  148.  
  149. Serveriron(config)# tcp-age [time] (default 30 minutes)
  150. Or
  151. Serveriron(config)# udp-age [time] (default 5 minutes*)
  152.  
  153. Age Timer Caveats
  154.  
  155. TCP age is advertised as an ìon the flyî setting; in code revisions 7.1.18 and possibly others with the 7.1 train, it has been determined that a reboot of the device is required. In 7.3.x and SI400 device code revisions, no reboot is required for this setting to take effect.
  156.  
  157. *The UDP-AGE timer applies to all UDP-based applications with the exception of DNS and RADIUS; the SI will immediately age out the session once it determines there has been a reply to a DNS or RADIUS query. This default can be overridden, but it is highly recommended it remain on the default setting. If a change to the default behavior for DNS and RADIUS is deemed necessary, then careful consideration of system resources should be given. DNS and RADIUS queries and responses (in respect to the nature of the application) can be very high rate- if the sessions on the SI are not aged out quickly enough, then resource starvation can occur, and performance can suffer dramatically.
  158. Load Balancing Predictor
  159.  
  160. The SI provides several methods for the SLB predictor (the mechanism which determines how the traffic is distributed amongst the configured real servers) including least connections, least sessions, round-robin, weighted, server response time, least local connections*, and least local sessions*. The predictor can be set globally or locally in the VIP configuration. Setting it locally on the VIP overrides the global setting.
  161.  
  162. Least Connections
  163. The ServerIron sends the request to the real server that currently has the fewest active connections with clients.
  164.  
  165. Least Sessions
  166. The ServerIron sends the request to the real server that currently has the fewest session table entries.
  167.  
  168. Round Robin
  169. The ServerIron sends the request to each server in rotation, regardless of how many connections or sessions each server has.
  170.  
  171. Weighted
  172. The ServerIron uses the weights you assign to the real servers to select a real server. The weights are based on the number of session table entries the ServerIron has for each server.
  173.  
  174. Response Time
  175. The ServerIron selects the real server with the fastest response time.
  176.  
  177. Predictor Recomendations
  178. In general, the load balancer predictor configured should be Round-Robin globally. There are times when this predictor will not provide the desired results; configuring the predictor on the Virtual Server will override the global configuration. Round-robin is also required when port translation is configured.
  179.  
  180. This can be configured both globally and local to the VIP; configuring under the VIP definition overrides the global command. To configure the predictor globally, use the following commands:
  181.  
  182. Serveriron(config)# server predictor round-robin
  183.  
  184. Session Limits
  185.  
  186. The server session limit setting indicates to the SI how much memory resource to set aside for the session table. This should be set to 1 million on the XL and BSI, and 2 million on the SI400 device. If this setting, particularly on the stackable devices, is not configured appropriate to the load on the switch, then high CPU and ultimately poor performance can result. To avoid this potential issue, use the following commands:
  187.  
  188. XL / BSI / SI400
  189.  
  190. Serveriron(config)# server session-limit 1000000
  191.  
  192. SI400 specific
  193.  
  194. The above command as well as the following should be configured:
  195.  
  196. Serveriron(config)# server session-wsm-limit 2000000
  197. Stateless Sessions
  198.  
  199. The term ìstatelessî refers to the SI not maintaining an active session entry in memory for the client transaction. The obvious advantage here is resource usage- no memory is dedicated to maintaining information about the client to server transaction.
  200.  
  201. Stateless Recommendations
  202.  
  203. The use of stateless settings is currently being evaluated. At this time, it is recommended stateless not be used.
  204. Security
  205. Background
  206.  
  207. Foundry Layer 4 devices have network security mechanisms built into the code. These include SYN defense (SYN-DEF, SYN-Guard), TCP rate limiting, and many others. At this point, it is recommended only SYN-DEF be utilized until further testing/verification can be performed on other techniques.
  208. SYN-DEF
  209.  
  210. SYN-Def is a security mechanism that allows the ServerIron to provide syn-defense for the servers and segment it is deployed on. The operation of SYN-DEF differs depending on the product in use. On the XL and BSI devices, the mechanism monitors the three-way handshake between the client and the real server. Once the client has sent the initial SYN, it waits for the configured time specified and expects to see the final ACK from the client within this time frame. If it does not receive the ACK, it drops subsequent SYN requests from the client and clears the session. On the SI4000 device, as well as the stackable code revision 7.3 and above, ìenhanced SYN-DEFî is used. The mechanism will not only monitor the connection attempt, but it will complete the three-way handshake with the server on behalf of the client during the connection setup. This allows the connection on the server to be moved out of the connection queues and into the established queues. Again, the timer starts upon receipt of an initial SYN from a client. If the client fails to send the final ACK within the configured time frame, then the SI will send a TCP RESET to the real server (clearing the session on the server), and clear the session from itís session table. No RESET is sent to the client.
  211.  
  212. Enhanced SYN-DEF also has the ability to monitor ìpass-throughî TCP traffic (traffic passing through the SI, not directed to the SI itself).
  213.  
  214.  
  215. SYN-DEF Recommendations
  216.  
  217. SYN-DEF, as a feature, should be enabled. The recommended configured tolerances warrant further testing, but are directly tied to the traffic patterns through the device it is configured on. Watching the syn-def counters via ìshow server debugî CLI command provides insight into how SYN-DEF is operating, as well as any potential SYN attack that may be in progress. If the counter is tripping constantly, it may prove useful to apply a sniffer to the router interfaces to determine if legitimate traffic is being affected, and what adjustments if any are required. Itís recommended that a setting of 6 seconds be applied initially, and then adjusted (tuned per application requirements) from this point if necessary.
  218.  
  219. To enable syn-def, use the following CLI commands:
  220.  
  221. Serveriron(config)# server syn-def 6
  222. On the SI400 device, you must also configure syn-def at the interface level:
  223. Serveriron(config-if-3/1)# syn-def
  224. Access Control Lists
  225.  
  226. Weíve had persistent challenges in the past getting these to work properly, resulting in many different revisions of code that are ìapplicationî specific. To reduce the amount of potential issues and increase code revision manageability, itís highly recommended Foundry Layer 4 devices not run ACLS.
  227. Source NAT
  228.  
  229. Source-NAT may be required in certain circumstances where the return traffic to the client does not pass back through the ServerIron. One example is when using remote (or backup) servers on a different IP segment other than the one the SI is configured for (i.e. communication between the ServerIron and real server must pass through a router). These instances are rarely used- this command is best used as a troubleshooting tool, and is described in section ().
  230. Force Delete
  231.  
  232. The command ìserver force-deleteî allows the SI to force connection closure when a server or port on that real server is administratively taken out of rotation. This should be set on all SI platforms. To set force-delete, use the following CLI command:
  233.  
  234. Serveriron(config)# server force-delete
  235.  
  236.  
  237.  
  238.  
  239.  
  240. Health Checks
  241.  
  242. Layer 4 through 7 switching inherently implies and requires health check mechanisms to ensure client perceived quality of service, server resource availability, and to some degree, maintenance. Various aspects of the AOL client, as well as many non-client* related services, depend very heavily on services provided by server farms front-ended by layer 4 through 7 switching products- and the ServerIron healthchecks help ensure these services remain available.
  243. What are health checks?
  244.  
  245. In essence, health checks refer to the ability of the Layer 4/7 application switch to determine server and resource availability. The application switch has to perform two tasks: first, it has to ensure that the configured servers are initially available for rotation into the server pool for service, and second, continued monitoring of server and application status and availability must be performed. This is accomplished in various ways depending on the SI product in use.
  246. ServerIron Health Check Operation
  247.  
  248. The Foundry Networks ServerIron  products offer a robust scope of health check options, though some aspects of healthcheck operation differs between the stackable and chassis based products. The SI healthcheck mechanisms can be considered to run in two modes: initialization and operational monitoring.
  249. ServerIron Healthcheck Methods
  250.  
  251. ServerIron Healthchecks take place at layers 2 (Link), 3 (IP), 4 (TCP/UDP) and the application layer (7).
  252. Layer 2/3
  253.  
  254. Layer 2/3 healthchecks consist of the ServerIron ARPing for the real server IP address and IP ICMP echo requests (ping). When you add a real server to the configuration, the ServerIron will ARP for the MAC address of the real server. A successful ARP can be verified via either the cli commands ìsh arpî or ìsh server debugî. The latter command provides a great deal of information about the real server and itís attributes, which includes the real server state, real server port state, number of active connections, just to name a few. It is recommended the reader review the Foundry manuals online for more detail- it is an invaluable tool for troubleshooting purposes.
  255. For this discussion, the server state is of interest. The state can be one of 6 values: Enabled, Failed, Test, Suspect, GRACE_DN, and Active. The state is represented numerically; each state is listed below:
  256.  
  257. (1) ENABLED
  258. The real server is configured, but the server has not responded to an ARP or ping (echo) request. Physical connections, IP address configuration (on the ServerIron and real server) should be verified.
  259.  
  260. (2) FAILED
  261. The real server has failed to respond to repeated pings.
  262.  
  263. (3) TEST
  264. The real server is still reachable at Layer 3, but one or more of the application ports configured on the real server has failed to respond to health checks (either during initialization or configured health checks). The SI will continue to try to the reach the application indefinitely. For example, if the server continues to be reachable at Layer 3 but the application check does not pass, the state will remain TEST so long as the SI cannot reach the application that is failing its health check.
  265.  
  266. (4) SUSPECT
  267. The ServerIron associates a time stamp with each packet sent to and received from the real servers. If the time gap between the last packet received from the server and the last packet sent to the server grows to 3 or 4 seconds, the ServerIron sends a ping (Layer 3 health check) to the server. If the server doesnít respond within the ping interval (a configurable parameter), the ServerIron changes the state to SUSPECT and resends the ping, up to the number of retries specified by the ping retries parameter (also configurable). If the server still doesnít respond after all the retries, the state changes to FAILED. If the server does respond, the state changes to ACTIVE.
  268.  
  269. (5) GRACE_DN
  270. The forced-shutdown(delete) option has been used to gracefully shut the server down.
  271.  
  272. (6) ACTIVE
  273. The server has responded to the Layer 3 health check (IP ping). Also, all the services on the real server have passed their Layer 4 (and if applicable, Layer 7) health checks.
  274. Layer 4
  275. Layer four consists of TCP or UDP checks to the configured real server ports. For TCP, the SI will send the real server a TCP SYN on itís configured ports, expecting a SYN-ACK in response. If the SI sees the SYN-ACK from the real server, then it will respond with a TCP RESET to the real server, and consider the port active. For UDP, the ServerIron sends to the real server ìbogusî data on the configured UDP ports. Since UDP is a connectionless protocol, the ServerIron does not expect to see any response from the real server. An ICMP ìport unreachableî message from the real server indicates to the SI the configured port is not active and should be brought out of rotation.
  276. Layer 7
  277. Layer 7 healthchecks consist of the SI interacting with the actual application on the real server to determine operational status. Layer 7 healthchecks are for ìwell knownî application ports; to the SI these include, but are not limited to, HTTP, SSL, FTP, DNS, and SMTP. By default, there are no Layer 7 healthchecks performed by the SI. If required, they should be enabled via port profiles, or within the real server definition itself.
  278. Real Server Initialization
  279. Initialization takes place at Layer 2 (link), Layer 3 (IP), and Layer 4 (TCP/UDP). Upon adding the real server to the SI configuration, the device will first ARP for the IP address of the real server. After successfully completing the ARP process, it will then ping the real server to verify Layer 3 connectivity. Provided the real server has passed both the layer 2 and layer 3 checks, layer 4 testing takes place after configuring the logical ports (under the real server configuration) that server will be servicing. No layer 7 health checks are performed at this time.
  280. Real Server Operational Monitoring
  281.  
  282. Operational monitoring, depending on the device (XL/BSI vs SI400) and CLI configuration, consists of layer 2/3, 4 and layer 7 checks. Both products will continuously send ARP requests every twenty seconds for the real server to verify layer 2/3 connectivity. Additionally, the SI400 will send ICMP pings to the real server every two seconds, whereas the stackable device does not.
  283. By default, the SI does not perform ìactiveî periodic monitoring of real server application status. Active health checks refer to the SI initiating and sending periodic checks to the configured server services to ensure service availability. Instead, the SI ìpassivelyî monitors the session between itself, the client and the real server. This process is referred to as the ìreassign monitorî, and its operation differs between the XL/BSI and the SI400 based products.
  284. The Reassign Monitor
  285.  
  286. As stated above, depending on the SI product in use, the reassign monitor operation and the indications provided by the CLI differ greatly. The reassign monitor and itís operation is discussed below.
  287. XL/BSI Reassign Monitor Operation
  288.  
  289. On the XL and BSI, the device monitors the connection attempts between itself and the real server. When the SI attempts to pass a new client connection onto a real server, the device will wait for two consecutive SYNs from the client before the connection attempt is passed to the next real server in the rotation for that service. The reassigned servers reassign counter is increased by 3. If the reassign counter increments past the reassign threshold (default 20), then the real server port is marked failed, taken out of rotation, and the initialization process is repeated until that real server port passes the initialization process again. The reassign counter is decremented to zero after a TCP SYN-ACK is received from the real server.
  290. SI400 Reassign Monitor Operation
  291.  
  292. The reassign monitor on the SI400 operates quite differently than the stackable (prior to software revision 7.2.23, the reassign monitor was disabled by default). Instead of monitoring the connection state between itself and the real server, the SI400 monitors the connection between itself and the client device. This is accomplished by monitoring for the final ACK from the client in the TCP three way handshake. Another significant difference is that there is no actual ìreassignî (moving the connection attempt to another available real server) should a real server fail to accept the connection. Based on the application in use, the client will either times out, or the third consecutive connection attempt will be passed to the next active server in rotation.
  293. Periodic Healthchecks (keepalives)
  294.  
  295. Periodic keepalives, or ìactiveî monitoring of server port status is disabled by default. In order to enable periodic keepalives, you must configure a port profile for the port in use on the real server.
  296. Port Profiles
  297.  
  298. Port profiles allow the user to specify to the ServerIron various attributes of the application port in use. These attributes include what type of port (TCP or UDP for non well-known ports), keepalive interval and retries, and many other parameters. The ServerIron assumes that non well-known ports are UDP by default. The keepalive parameters ìintervalî and ìretriesî are analogous to OSPF HELLOs and the ìDEADî timers. One item to keep in mind is that when modifying keepalive parameters for the ports in use, the parameters modified apply to the Layer 7 checks for well-known ports unless Layer 7 checks are disabled. For non well-known ports, the parameters apply to only to Layer 4 checks.
  299. Health Checking Recommendations
  300. These recommendations should provide a stable and predictable environment which facilitates the highest amount of uptime and maintainability, as well as clear indications when things do go ìwrongî
  301. Layer 2/3 Healtchecks
  302. The ARP process described above in section () cannot be modified at this time. However, it doesnít appear there are any suitable reasons why constant ìpingsî every 2 seconds from the chassis device is required, and may in fact contribute to unnecessary traffic load on the segment and real servers.
  303.  
  304.  
  305.  
  306. Layer 3 Health Check Recommendations
  307.  
  308. It is recommended the layer 3 healthchecks be set to 1 every 15 seconds, with 1 retry. To do this, use the CLI commands below:
  309.  
  310. Serveriron(config)# server ping-interval 15
  311. Serveriron(config)# server ping-retry 1
  312.  
  313. These commands are available in software releases 7.3.x for the XL, and 7.2.23 and above for the chassis SI400.
  314. Reassign Monitor
  315. The reassign monitor is an excellent tool for troubleshooting and early warning when a particular host or segment is in trouble. Some reassigns are expected during normal operation, but shouldnít exceed 1 or 2 percent of the total client to server (Total C->S Conn) connections counter in the CLI command ìsh server sessionî.  Unfortunately, these counters are cumulative, so the observation of reassigns should be via a snapshot of the device when trouble-shooting. It is recommended that the reassign counter threshold be set to 100; this provides ample room for reassign activity and the reassign counter to grow without unnecessarily tripping the threshold, which would result in erroneous syslog messages and the associated healthcheck mechanisms being instigated. To configure the reassign threshold, use the following commands:
  316.  
  317. Serveriron(config)# server reassign-threshold 100
  318.  
  319. It may be desirable when trouble-shooting reassign issues to temporarily disable the reassign monitor. To do this, use the following CLI command:
  320.  
  321. Serveriron(config)# server no-reassign-count
  322.  
  323. NOTE: When using DSR mode, the reassign monitor is disabled.
  324. Periodic Healthchecks (keepalives)
  325.  
  326. It is recommended that periodic keepalives are enabled at layer 4 only; layer 7 healthchecks should only be enabled as the application requires. Please consult the Foundry documentation for configuring layer 7 healthchecks. Keepalives should be enabled via port profiles. The settings of one keepalive every 30 seconds, with a retry of value 2 should be sufficient in most cases- this will provide a time of one minute before the SI recognizes the port is down. The reassign monitor will compensate for client connectivity otherwise. To set periodic keepalives at layer 4 only, configure a port profile such as the following:
  327.  
  328. Serveriron(config)# server port 8888
  329. Serveriron(config)# tcp
  330. Serveriron(config)# tcp keepalive 30 1
  331. Serveriron(config)# tcp l4-check-only
  332.  
  333. This identifies to the ServerIron port 8888 is TCP (non well-known ports are UDP by default), sets the keepalive interval to 30 seconds with 2 retries, and enables layer 4 only. The keepalive interval and retry settings may need to be adjusted based on application expectations.
  334.  
  335. Caveats
  336.  
  337. When you configure a port profile for a ìwell knownî port, the healthcheck settings refer to Layer 7 healthchecks by default. Set the ìtcp l4-check-onlyî for ALL ports unless Layer 7 healthchecks are desired.
  338. The following diagram illustrates the configured healthcheck operation:
  339.  
  340. ?
  341.  
  342. The black outline indicates the reassign monitor. The diagram depicts the healthcheck mechanisms and the resultant actions based on configuration.
  343. Server Load Balancing Configuration
  344.  
  345. By default, the ServerIron operates as a Layer 2 switch. To enable Layer4/7 switching, various parameters must be set. These include defining the real and virtual servers, as well as any pertinent parameters for the functions the device will be performing.
  346. The IP Policy Command
  347.  
  348. The IP Policy command is required on the SI400; this enables the 3 barrel processors on the WSM4 / M5 management board for operation. If this is not enabled, then the management processor will be performing the SLB functions- resulting in less than desirable performance.
  349.  
  350. To enable the barrel processors on the WSM4 / M5, use the following global command:
  351.  
  352. ServerIron(config)# ip policy 1 tcp 0 global
  353. Basic Server Load Balancing
  354. Real Server Configuration Parameters
  355.  
  356. Below is a standard ìreal serverî configuration:
  357.  
  358. server real real1 1.1.1.1
  359. port http
  360. port http url "HEAD /"
  361.  
  362. The first line, ìserver real real1 1.1.1.1î, identifies the server as a ìrealî server with the name real1 and IP address 1.1.1.1. The second line tells the ServerIron the layer 4 port this real server will be accepting connections on. This value can be between the ranges of Because HTTP is a ìwell knownî service to the ServerIron, the third line is added automatically for Layer 7 healthcheck purposes. Other real server options that are not standard are discussed in the following sections.
  363. Virtual Server Configuration Parameters
  364.  
  365. The ìvirtual serverî, or VIP, is what the client sees as the host providing the service(s) being requested. The following depicts a ìbasicî Virtual server configuration:
  366.  
  367. server virtual VIP 1.1.1.1 (Virtual Server Name and IP address)
  368. port http (Port serviced by the VIP)
  369. bind http real1 http real2 http real3 http (VIP port to real server port binding)
  370.  
  371. A more complex configuration may look as follows:
  372.  
  373. server virtual VIP 1.1.1.1 (Virtual Server Name and IP address)
  374. port ftp (Port serviced by the VIP)
  375. port ftp dsr (sets FTP to DSR mode)
  376. port ftp sticky (sets stickyness)
  377. port ftp concurrent (sets concurrent mode)
  378.  
  379. Load Balancing Predictor
  380.  
  381. The load balancing predictor was previously discussed in Section (). As stated, this can also be configured on a per-VIP basis. Configuring the predictor on the VIP will override the globally configured predictor settings.
  382.  
  383. Load Balancing Predictor Recommendations
  384.         It is recommended that the initial predictor be set to Round-Robin. To set the predictor under the vip, use the following commands:
  385.  
  386. serveriron(config)# server virtual VIP 1.1.1.1
  387. ServerIron(config-vir-VIP)# predictor round-robin
  388. ìStickyî Ports
  389.  
  390. ìStickyî refers to the ServerIron sending multiple requests for the same resource from a client to the same real server chosen during the real server selection process. A good example of when to use sticky ports would be shopping cart applications (online shopping), where web pages are created dynamically by the real server based on user input. Streaming media applications, SSL, are others that may require sticky ports. To set a real server application port as ìstickyî, use the following CLI commands:
  391.  
  392. serveriron(config)# server virtual VIP 1.1.1.1
  393. serveriron(config-virtual-VIP)# port rtsp sticky
  394. ìConcurrentî Ports
  395.  
  396. Concurrent allows a client to have multiple connections to the same real server on multiple application ports, as is the case with non-passive FTP. To configure concurrent ports, use the following CLI commands:
  397.  
  398. serveriron(config)# server virtual VIP 1.1.1.1
  399. serveriron(config-virtual-VIP)# port rtsp concurrent
  400. Direct Server Return (DSR)
  401.  
  402. Direct Server Return, or ìswitchbackî, refers to the real server communicating directly with the client without the need of the packet flow traversing back through the switch.
  403. Non-DSR Review
  404. In non-DSR, the ServerIron operates in ìhalf-NATî mode. This means the ServerIron will NAT the destination IP address from the VIP to the real server IP address. Two session entries are created in this instance- one for the client ñ to ñ VIP connection, and one for the ServerIron ñ to ñ real server connection. Each session consumes approximately 32 bytes of memory.
  405. DSR Operation
  406. In DSR mode, no NAT function is performed.  Instead, a ìloopbackî interface is configured on the real server with the same IP address of the ServerIron VIP. Client traffic is passed onto the real server without changing the destination IP address. Instead, the SI will set the destination MAC address to that of one of the real servers; the real server will accept the frame at the link level, and pass the datagram up to the IP layer. Since the destination IP address is locally configured, the real server will accept the datagram and pass the segment to the appropriate service. This allows the ServerIron to only create one session entry, the client ñ to ñ VIP session. The ServerIron basically ignores the return traffic from the real server, increasing overall throughput. The are two distinct benefits here- since only one session entry is created, twice the amount of client sessions are now possible and overall throughput increases due to decreased CPU load.
  407. Another possible benefit is that using DSR with the SI400, we reduce the possibility of having recurring ìsession synchronizationî issues between the barrel processors.
  408. DSR / Non-DSR Recommendations
  409. It is recommended that where possible, DSR mode is used. Instances where DSR may not be suitable is when providing load balancing for protocols that require a ìback channelî; for example, some streaming media applications. DSR mode also depends on the capability of configuring a loopback address on the real server operating system, which may not always be possible (i.e. DEC). The benefits of using DSR are twofold, literally. DSR provides for twice the session capacity on the switch and twice the overall performance.
  410. DSR is enabled on a per port basis under the virtual server definition. To configure DSR, use the following cli commands:
  411. Serveriron(config)# server virtual VIP 1.1.1.1
  412. Serveriron(config-virtual-VIP)# port http dsr
  413. *For FTP, particularly non-passive mode FTP, ìstickyî and ìconcurrentî must also be configured for the port when using DSR.
  414. Port Translation
  415. One-to-Many
  416. Port translation is used when the actual real server port does not match the port accepting connections on the VIP. The ServerIron ìtranslatesî the port numbers based on the binding from the VIP port number to the port on the real server. This is the default behavior, and is referred to sometimes as a ìone to manyî configuration.
  417. Many-to-One
  418. By default, the ServerIron will not allow many different ports on the VIP(s) to be bound to the same port on a real server. Disabling the port translation on the VIPs, as well as healthchecks on the ìfakeî ports provides a work-around. The following illustrates this method:
  419.  
  420. server real1 1.1.1.10
  421. port 567
  422. port 568
  423. port http
  424. !
  425. server real2 1.1.1.11
  426. port 567
  427. port 568
  428. port http
  429. !
  430. server real3 1.1.1.12
  431. port 567
  432. port 568
  433. port http
  434. !
  435. server real4 1.1.1.13
  436. port 567
  437. port 568
  438. port http
  439. !
  440. server virtual VIP1 1.1.1.1
  441. port http
  442. no port http translate
  443. bind http real1 568 real2 568 real3 568 real4 568
  444. !
  445. server virtual VIP2 1.1.1.2
  446. port http
  447. no port http translate
  448. bind http real1 567 real2 567 real3 567 real4 567
  449.  
  450. The device will accept HTTP requests on both VIPs, and distribute the connection untranslated to all three real servers on port 80.
  451.  
  452. *Note: Round Robin must be the predictor set.
  453.  
  454. DO NOT CONFIGURE HEALTHCHECKS ON THE ìFAKEî REAL SERVER PORTS!
  455.  
  456. DSR mode cannot be used in conjunction with port translation.
  457. Advanced Server Load Balancing
  458. Layer 7 Switching
  459. To be added in later revisions.
  460. Transparent Caching
  461. To be added in later revisions.
  462. Code Matrix
  463. The following is the recommended code revisions for Foundry Layer 4 switchs:
  464.  
  465. Product
  466. Code Revision
  467. Patch
  468. SI
  469. 7.1.06
  470.  
  471. SI/XL
  472. 7.3
  473. 05d*
  474. BSI
  475. 7.1
  476. 21b**
  477. SI400
  478. 7.2
  479. 26f***
  480.  
  481.  
  482. *Patch revision 05d: Fixes x.x.x.x
  483. **Patch revision 21b has ìdm flashî fix.
  484. ***Patch revision 26f fixes an ACL range issue.
  485.  
  486. Foundry release notes are in the customer technical support area on the Foundry website. Patch revision release notes can be obtained the Foundry onsite support engineers.
  487. System Maintenance
  488. Software Maintenance
  489. Upgrading Code
  490.  
  491. To upgrade code on the XL and BSI devices, the new code is loaded via TFTP into flash and subsequently rebooted. To upgrade code on the XL and BSI device, use the following command:
  492.  
  493. Serveriron# copy tftp flash (tftp server IP) (image name) primary / secondary
  494.  
  495. For the SI400, there are two code releases required- one for the management Processor, and one for the barrel processors. IT IS REQUIRED THAT BOTH RUN THE SAME REVISION / PATCH LEVEL.
  496.  
  497. The barrel processors must be loaded first. To upgrade the code on the barrel processor, use the following command:
  498.  
  499. Serveriron# wsm copy tftp flash (tftp server IP) (image name) primary / secondary
  500.  
  501. To load the management processor, use the following command:
  502.  
  503. Serveriron# copy tftp flash (tftp server IP) (image name) primary / secondary
  504.  
  505. *NOTE If you are upgrading code, please refer to the release notes for that revision to check for boot code dependencies.
  506.  
  507. Hardware Maintenance / Caveats
  508. WSM4 / M5 Chassis Requirements
  509. The SI400 requires ì-Aî lincards. These include both the B8G-A (8 port Gigabit Ethernet Module) and the B24E-A (24 port 10/100 Ethernet Module). There is no restriction on placement of the various modules within the device; however, it is recommended for consistency the Management board be placed into Slot 1.
  510. A BigIron Chassis can be upgraded to an SI400 by replacing the Management board, but as stated above, the appropriate linecards are required.
  511. Upgrading a BigIron L2/L3 device for SLB/BSI Requirements
  512. An M3 or M4 management board with an EEPROM upgrade is required in order to run the BSI code.
  513. Operational Maintenance
  514. Removing A Real Server (or port) from rotation
  515. Temporarily removing a real server from rotation
  516. Disable the port on the real (the force-delete setting forces session clearing within two minutes)
  517.  
  518. Permanently removing a real server
  519. To permanently remove a real server (or port) from the configuration, perform the following steps:
  520.  
  521. Under the real server configuration, enter the following:
  522. Serveriron(config-rs-1)# disable port [port #]
  523.  
  524. Under the virtual server configuration, enter the following:
  525. Serveriron(config-vir-1)# no bind [port #] [real-server] [port #]
  526. Summary
  527. This document hopes to take some of the cloudiness out of configuring a Foundry device for SLB. If there are any suggestions, recommendations please contact Tony Cooper (tonycooper02@aol.com) orÖ
  528.  
  529. Appendix A ñ Case Studys: Example Configurations and Caveats
  530. Basic SLB Configuration Examples
  531. Basic SLB (with Layer 7 healthchecks enabled)
  532. ver 07.2.25T22
  533. module 1 bi-0-port-wsm-management-module
  534. module 2 bi-8-port-gig-module
  535. module 3 bi-24-port-copper-module
  536. module 4 bi-24-port-copper-module
  537. !
  538. no global-stp
  539. !
  540. !
  541. server force-delete
  542. server reassign-threshold 250
  543. server tcp-age 6
  544. server syn-def 6
  545. server router-ports ethernet 2/1
  546. server router-ports ethernet 2/2
  547. !
  548. server real wads-d01b 205.188.165.65
  549.  port http
  550.  port http keepalive
  551.  port http url "GET /admin/hello"
  552. !
  553. server real wads-d02b 205.188.165.66
  554.  port http
  555.  port http keepalive
  556.  port http url "GET /admin/hello"
  557. !
  558. server real wads-d03b 205.188.165.67
  559.  port http
  560.  port http keepalive
  561.  port http url "GET /admin/hello"
  562. !
  563. server real wads-d04b 205.188.165.68
  564.  port http
  565.  port http keepalive
  566.  port http url "GET /admin/hello"
  567. !
  568. server real wads-d05b 205.188.165.69
  569.  port http
  570.  port http keepalive
  571.  port http url "GET /admin/hello"
  572. !
  573. server real wads-d06b 205.188.165.70
  574.  port http
  575.  port http keepalive
  576.  port http url "GET /admin/hello"
  577. !
  578. server real wads-d07b 205.188.165.71
  579.  port http
  580.  port http keepalive
  581.  port http url "GET /admin/hello"
  582. !
  583. server real wads-d08b 205.188.165.72
  584.  port http
  585.  port http keepalive
  586.  port http url "GET /admin/hello"
  587. !
  588. server real wads-d09b 205.188.165.73
  589.  port http
  590.  port http keepalive
  591.  port http url "GET /admin/hello"
  592. !
  593. server real wads-d10b 205.188.165.74
  594.  port http
  595.  port http keepalive
  596.  port http url "GET /admin/hello"
  597. !
  598. server real wads-d11b 205.188.165.75
  599.  port http
  600.  port http keepalive
  601.  port http url "GET /admin/hello"
  602. !
  603. server real wads-d12b 205.188.165.76
  604.  port http
  605.  port http keepalive
  606.  port http url "GET /admin/hello"
  607. !
  608. server real wads-d13b 205.188.165.77
  609.  port http
  610.  port http keepalive
  611.  port http url "GET /admin/hello"
  612. !
  613. server real wads-d14b 205.188.165.78
  614.  port http
  615.  port http keepalive
  616.  port http url "GET /admin/hello"
  617. !
  618. server real wads-d15b 205.188.165.79
  619.  port http
  620.  port http keepalive
  621.  port http url "GET /admin/hello"
  622. !
  623. server real wads-d16b 205.188.165.80
  624.  port http
  625.  port http keepalive
  626.  port http url "GET /admin/hello"
  627. !
  628. server real wads-d17b 205.188.165.81
  629.  port http
  630.  port http keepalive
  631.  port http url "GET /admin/hello"
  632. !
  633. server real wads-d18b 205.188.165.82
  634.  port http
  635.  port http keepalive
  636.  port http url "GET /admin/hello"
  637. !
  638. server real wads-d19b 205.188.165.83
  639.  port http
  640.  port http keepalive
  641.  port http url "GET /admin/hello"
  642. !
  643. server real wads-d20b 205.188.165.84
  644.  port http
  645.  port http keepalive
  646.  port http url "GET /admin/hello"
  647. !
  648. server real wads-d21b 205.188.165.85
  649.  port http
  650.  port http keepalive
  651.  port http url "GET /admin/hello"
  652. !
  653. server real wads-d22b 205.188.165.86
  654.  port http
  655.  port http keepalive
  656.  port http url "GET /admin/hello"
  657. !
  658. server real wads-d23b 205.188.165.87
  659.  port http
  660.  port http keepalive
  661.  port http url "GET /admin/hello"
  662. !
  663. server real wads-d24b 205.188.165.88
  664.  port http
  665.  port http keepalive
  666.  port http url "GET /admin/hello"
  667. !
  668. server real wads-d25b 205.188.165.89
  669.  port http
  670.  port http keepalive
  671.  port http url "GET /admin/hello"
  672. !
  673. server real wads-d26b 205.188.165.90
  674.  port http
  675.  port http keepalive
  676.  port http url "GET /admin/hello"
  677. !
  678. server real wads-d27b 205.188.165.91
  679.  port http
  680.  port http keepalive
  681.  port http url "GET /admin/hello"
  682. !
  683. server real wads-d28b 205.188.165.92
  684.  port http
  685.  port http keepalive
  686.  port http url "GET /admin/hello"
  687. !
  688. server real wads-d29b 205.188.165.93
  689.  port http
  690.  port http keepalive
  691.  port http url "GET /admin/hello"
  692. !
  693. server real wads-d30b 205.188.165.94
  694.  port http
  695.  port http keepalive
  696.  port http url "GET /admin/hello"
  697. !
  698. server real wads-d31b 205.188.165.95
  699.  port http
  700.  port http keepalive
  701.  port http url "GET /admin/hello"
  702. !
  703. server real wads-d32b 205.188.165.96
  704.  port http
  705.  port http keepalive
  706.  port http url "GET /admin/hello"
  707. !
  708. server real wads-d33b 205.188.165.97
  709.  port http
  710.  port http keepalive
  711.  port http url "GET /admin/hello"
  712. !
  713. server real wads-d34b 205.188.165.98
  714.  port http
  715.  port http keepalive
  716.  port http url "GET /admin/hello"
  717. !
  718. server real wads-d35b 205.188.165.99
  719.  port http
  720.  port http keepalive
  721.  port http url "GET /admin/hello"
  722. !
  723. server real wads-d36b 205.188.165.100
  724.  port http
  725.  port http keepalive
  726.  port http url "GET /admin/hello"
  727. !
  728. server real wads-d37b 205.188.165.101
  729.  port http
  730.  port http keepalive
  731.  port http url "GET /admin/hello"
  732. !
  733. server real wads-d38b 205.188.165.102
  734.  port http
  735.  port http keepalive
  736.  port http url "GET /admin/hello"
  737. !
  738. server real wads-d39b 205.188.165.103
  739.  port http
  740.  port http keepalive
  741.  port http url "GET /admin/hello"
  742. !
  743. server real wads-d40b 205.188.165.104
  744.  port http
  745.  port http keepalive
  746.  port http url "GET /admin/hello"
  747. !
  748. !
  749. server virtual ads.web.aol.com 205.188.165.121
  750.  predictor round-robin
  751.  port http
  752.  bind http wads-d40b http wads-d39b http wads-d38b http wads-d37b http
  753.  bind http wads-d36b http wads-d35b http wads-d34b http wads-d33b http
  754.  bind http wads-d32b http wads-d31b http wads-d30b http wads-d29b http
  755.  bind http wads-d28b http wads-d27b http wads-d26b http wads-d25b http
  756.  bind http wads-d24b http wads-d23b http wads-d22b http wads-d21b http
  757.  bind http wads-d20b http wads-d19b http wads-d18b http wads-d17b http
  758.  bind http wads-d16b http wads-d15b http wads-d14b http wads-d13b http
  759.  bind http wads-d12b http wads-d11b http wads-d10b http wads-d09b http
  760.  bind http wads-d08b http wads-d07b http wads-d06b http wads-d05b http
  761.  bind http wads-d04b http wads-d03b http wads-d02b http wads-d01b http
  762. !
  763. !
  764. no spanning-tree
  765. qd-100 160 31 31 31
  766. qd-1000 160 31 31 31
  767. l2-hw-age-dis
  768. system-max tcp-buffer 512
  769. !
  770. console timeout 10
  771. enable password-display
  772. enable super-user-password 0 articul8
  773. hostname wadse2-dr5-sw0
  774. ip address 205.188.165.122 255.255.255.192
  775. ip default-gateway 205.188.165.125
  776. ip dns domain-name AOL.COM
  777. ip dns server-address 205.188.152.6 205.188.152.37
  778. ip policy 1 cache tcp 0 global
  779. logging 205.188.151.2
  780. logging 172.31.15.13
  781. logging 172.20.20.33
  782. logging facility local5
  783. mac-age 0
  784. no flow-control
  785. telnet client 152.163.136.1
  786. telnet client 152.163.136.2
  787. telnet client 205.188.151.9
  788. telnet client 205.188.151.10
  789. telnet client 64.12.64.34
  790. telnet client 64.12.64.33
  791. telnet client 152.163.177.103
  792. telnet timeout 10
  793. snmp-server community 0 Just1SNmPcomuntyRO2bchangd2k+ ro 8
  794. snmp-server contact NetOps
  795. snmp-server location dr5 cz05
  796. clock summer-time
  797. clock timezone us Eastern
  798. sntp server 205.188.152.1
  799. sntp server 205.188.152.2
  800. no web-management
  801. interface e 2/1
  802.  no flow-control
  803. !
  804. interface e 2/2
  805. noÖ. (concantenated)
  806. !
  807. access-list 8 permit 64.12.64.32 0.0.0.15
  808. access-list 8 permit 152.163.82.0 0.0.0.255
  809. access-list 8 permit 152.163.129.0 0.0.0.255
  810. access-list 8 permit 152.163.136.0 0.0.0.255
  811. access-list 8 permit 152.163.177.0 0.0.0.255
  812. access-list 8 permit 172.18.0.0 0.0.255.255
  813. access-list 8 permit 172.20.0.0 0.0.255.255
  814. access-list 8 permit 172.31.0.0 0.0.255.255
  815. access-list 8 permit 192.168.137.0 0.0.0.255
  816. access-list 8 permit 205.188.151.0 0.0.0.255
  817. access-list 8 permit 207.200.78.0 0.0.0.255
  818. access-list 8 permit host 206.222.240.77
  819. !
  820. !
  821. end
  822. Basic SLB with DSR Enabled
  823.  
  824. ver 07.1.18T12
  825. no global-stp
  826. !
  827. !
  828. server force-delete
  829. server reassign-threshold 250
  830. server syn-def 6
  831. server tcp-msl 6
  832. server sticky-age 30
  833. !
  834. server port 554
  835.  tcp
  836. !
  837. !
  838. server real ondmdms1-r01 64.12.38.33
  839.  port rtsp
  840.  port http
  841.  port http url "HEAD /"
  842. !
  843. server real ondmdms1-r02 64.12.38.34
  844.  port rtsp
  845.  port http
  846.  port http url "HEAD /"
  847. !
  848. server real qtdownload1-sd01 64.12.38.35
  849.  port rtsp
  850.  port http
  851.  port http url "HEAD /"
  852. !
  853. server real qtdownload1-sd02 64.12.38.36
  854.  port rtsp
  855.  port http
  856.  port http url "HEAD /"
  857. !
  858. server real qtdownload1-sd03 64.12.38.37
  859.  port rtsp
  860.  port http
  861.  port http url "HEAD /"
  862. !
  863. !
  864. server virtual ondmdms1-VIP 64.12.38.57
  865.  predictor weighted
  866.  port rtsp
  867.  port rtsp dsr
  868.  port http sticky
  869.  port http dsr
  870.  bind rtsp ondmdms1-r01 rtsp ondmdms1-r02 rtsp
  871.  bind http ondmdms1-r01 http ondmdms1-r02 http
  872. !
  873. server virtual vip1-qt 64.12.38.56
  874.  predictor round-robin
  875.  port http
  876.  port http dsr
  877. !
  878. server virtual darwin-vip1 64.12.38.55
  879.  port rtsp sticky
  880.  port rtsp dsr
  881.  port http sticky
  882.  port http dsr
  883.  bind rtsp qtdownload1-sd01 rtsp qtdownload1-sd02 rtsp qtdownload1-sd03 rtsp
  884.  bind http qtdownload1-sd01 http qtdownload1-sd03 http qtdownload1-sd02 http
  885. !
  886. vlan 1 name DEFAULT-VLAN by port
  887.  no spanning-tree
  888. !
  889. console timeout 10
  890. enable password-display
  891. enable super-user-password 0 xxxxx
  892. hostname abasketms1-mr1-sw0
  893. ip address 64.12.38.58 255.255.255.224
  894. ip default-gateway 64.12.38.61
  895. ip dns domain-name AOL.COM
  896. ip dns server-address 64.12.66.5 64.12.66.36
  897. logging 172.20.20.33
  898. logging 172.20.20.33
  899. logging 152.163.177.103
  900. logging 205.188.151.2
  901. logging facility local5
  902. mac-age 0
  903. system-max tcp-buffer 512
  904. !
  905. telnet client 152.163.136.2
  906. telnet client 152.163.136.1
  907. telnet client 205.188.151.9
  908. telnet client 205.188.151.10
  909. telnet client 152.163.177.103
  910. telnet client 64.12.64.34
  911. telnet client 64.12.64.33
  912. telnet timeout 10
  913. snmp-server community 0 Just1SNmPcomuntyRO2bchangd2k+ ro 8
  914. snmp-server contact NetOps
  915. snmp-server location MR1 CH-138
  916. clock timezone us Eastern
  917. sntp server 64.12.66.33
  918. sntp server 64.12.66.2
  919. no web-management
  920. interface e 1
  921.  speed-duplex 100-full
  922.  no flow-control
  923. !
  924. interface e 2
  925.  speed-duplex 100-full
  926.  no flow-control
  927. !
  928. interface e 3
  929. speedÖ. (concatenated)
  930. !
  931. access-list 8 permit 64.12.64.32 0.0.0.15
  932. access-list 8 permit 152.163.82.0 0.0.0.255
  933. access-list 8 permit 152.163.129.0 0.0.0.255
  934. access-list 8 permit 152.163.136.0 0.0.0.255
  935. access-list 8 permit 152.163.177.0 0.0.0.255
  936. access-list 8 permit 172.18.0.0 0.0.255.255
  937. access-list 8 permit 172.20.0.0 0.0.255.255
  938. access-list 8 permit 172.31.0.0 0.0.255.255
  939. access-list 8 permit 192.168.137.0 0.0.0.255
  940. access-list 8 permit 205.188.151.0 0.0.0.255
  941. access-list 8 permit 207.200.78.0 0.0.0.255
  942. access-list 8 permit host 206.222.240.77
  943. !
  944. !
  945. end
  946. Advanced SLB Configuration Examples
  947. SLB with Cookie Switching Enabled
  948. server force-delete
  949. server session-limit 1000000
  950. server reassign-threshold 100
  951. server syn-def 6
  952.  
  953. server port 80
  954.  tcp
  955.  
  956. server port 1030
  957.  tcp
  958.  
  959. server port 1031
  960.  tcp
  961.  
  962. server port 1032
  963.  tcp
  964.  
  965. server port 1033
  966.  tcp
  967.  
  968. server port 8001
  969.  tcp
  970. server router-ports 25 26
  971. !
  972. !
  973. server real plogic-sd03 205.188.135.99
  974.  port 1032
  975.  port 1031
  976.  port 1031 server-id 1027
  977.  port 1030
  978.  port 1030 server-id 1027
  979.  port http
  980.  port http url "HEAD /"
  981.  port http l4-check-only
  982.  port 1033
  983.  port 8001
  984.  port 8001 server-id 1027
  985.  port 1040
  986. !
  987. server real plogic-sd04 205.188.135.100
  988.  port 1032
  989.  port 1031
  990.  port 1031 server-id 1028
  991.  port 1030
  992.  port 1030 server-id 1028
  993.  port http
  994.  port http url "HEAD /"
  995.  port http l4-check-only
  996.  port http server-id 1028
  997.  port 1033
  998.  port 8001
  999.  port 8001 server-id 1028
  1000.  port 1040
  1001. !
  1002. server real plogic-sd05 205.188.135.101
  1003.  port http
  1004.  port http url "HEAD /"
  1005.  port http l4-check-only
  1006.  port http server-id 1029
  1007.  port 1030
  1008.  port 1030 server-id 1029
  1009.  port 1031
  1010.  port 1031 server-id 1029
  1011.  port 1032
  1012.  port 1033
  1013.  port 8001
  1014.  port 8001 server-id 1029
  1015.  port 1040
  1016. !
  1017. server real plogic-sd01 205.188.135.97
  1018.  port 1032
  1019.  port 1031
  1020.  port 1030
  1021.  port http
  1022.  port http url "HEAD /"
  1023.  port http l4-check-only
  1024.  port http server-id 1025
  1025.  port 1033
  1026.  port 1041
  1027.  port 1043
  1028.  port 1044
  1029. !
  1030. server real plogic-sd02 205.188.135.98
  1031.  port 1032
  1032.  port 1031
  1033.  port 1030
  1034.  port http
  1035.  port http url "HEAD /"
  1036.  port http l4-check-only
  1037.  port http server-id 1026
  1038.  port 1033
  1039.  port 1041
  1040.  port 1043
  1041.  port 1044
  1042. !
  1043. server real plogic-sd06 205.188.135.102
  1044.  port http
  1045.  port http url "HEAD /"
  1046.  port http l4-check-only
  1047.  port http server-id 1030
  1048. !
  1049. server real plogic-sd07 205.188.135.103
  1050.  port http
  1051.  port http url "HEAD /"
  1052.  port http l4-check-only
  1053.  port http server-id 1031
  1054.  port 1030
  1055.  port 1030 server-id 1031
  1056.  port 1031
  1057.  port 1031 server-id 1031
  1058.  port 1032
  1059.  port 1032 server-id 1031
  1060.  port 1033
  1061.  port 1033 server-id 1031
  1062.  port 8001
  1063.  port 8001 server-id 1031
  1064. !
  1065. server real plogic-sd08 205.188.135.105
  1066.  port http
  1067.  port http url "HEAD /"
  1068.  port http l4-check-only
  1069.  port http server-id 1032
  1070.  port 1030
  1071.  port 1030 server-id 1032
  1072.  port 1031
  1073.  port 1031 server-id 1032
  1074.  port 1032
  1075.  port 1032 server-id 1032
  1076.  port 1033
  1077.  port 1033 server-id 1032
  1078.  port 8001
  1079.  port 8001 server-id 1032
  1080. !
  1081. server virtual aolsvc.decisionguides 205.188.135.118
  1082.  predictor round-robin
  1083.  port http sticky
  1084.  port http cookie-name "pl_serverid"
  1085.  port http cookie-switching
  1086.  bind http plogic-sd03 http plogic-sd04 http plogic-sd05 http
  1087. !
  1088. server virtual cssvc.decisionguides 205.188.135.119
  1089.  predictor round-robin
  1090.  port http sticky
  1091.  port http cookie-name "pl_serverid"
  1092.  port http cookie-switching
  1093.  bind http plogic-sd03 1030 plogic-sd04 1030 plogic-sd05 1030
  1094. !
  1095. server virtual webcenter.decisionguides 205.188.135.120
  1096.  predictor round-robin
  1097.  port http sticky
  1098.  port http cookie-name "pl_serverid"
  1099.  bind http plogic-sd03 1031 plogic-sd04 1031 plogic-sd05 1031
  1100. !
  1101. server virtual webcenter.netscape 205.188.135.121
  1102.  predictor round-robin
  1103.  port http sticky
  1104.  port http cookie-name "pl_serverid"
  1105.  port http cookie-switching
  1106.  bind http plogic-sd03 1032 plogic-sd04 1032 plogic-sd05 1032
  1107. !
  1108. server virtual aolsvc.recipes.aol.com 205.188.135.114
  1109.  predictor round-robin
  1110.  port http
  1111.  bind http plogic-sd01 http plogic-sd02 http
  1112. !
  1113. server virtual cssvc.recipes.compuserve.com 205.188.135.115
  1114.  predictor round-robin
  1115.  port http
  1116.  bind http plogic-sd01 1030 plogic-sd02 1030
  1117. !
  1118. server virtual webcenter.recipes.aol.com 205.188.135.116
  1119.  predictor round-robin
  1120.  port http
  1121.  bind http plogic-sd01 1031 plogic-sd02 1031
  1122. !
  1123. server virtual webcenter.recipes.netscape.com 205.188.135.117
  1124.  predictor round-robin
  1125.  port http
  1126.  bind http plogic-sd01 1032 plogic-sd02 1032
  1127. !
  1128. server virtual cookinglight.recipes.aol.com 205.188.135.113
  1129.  predictor round-robin
  1130.  port http
  1131.  bind http plogic-sd01 1033 plogic-sd02 1033
  1132. !
  1133. server virtual autotrader.decisionguides 205.188.135.112
  1134.  predictor round-robin
  1135.  port http sticky
  1136.  port http cookie-name "pl_serverid"
  1137.  port http cookie-switching
  1138.  bind http plogic-sd03 1033 plogic-sd04 1033 plogic-sd05 1033
  1139. !
  1140. server virtual aolsvc.illnesses 205.188.135.109
  1141.  predictor round-robin
  1142.  port http
  1143.  bind http plogic-sd01 1041 plogic-sd02 1041
  1144. !
  1145. server virtual webcenter.illnesses 205.188.135.110
  1146.  predictor round-robin
  1147.  port http
  1148.  bind http plogic-sd01 1043 plogic-sd02 1043
  1149. !
  1150. server virtual cssvc.illnesses 205.188.135.111
  1151.  predictor round-robin
  1152.  port http
  1153.  bind http plogic-sd01 1044 plogic-sd02 1044
  1154. !
  1155. server virtual decisionguides.websys.aol.com 205.188.135.106
  1156.  predictor round-robin
  1157.  port http sticky
  1158.  port http cookie-name "pl_serverid"
  1159.  port http cookie-switching
  1160.  bind http plogic-sd03 8001 plogic-sd04 8001 plogic-sd05 8001
  1161. !
  1162. server virtual staging.websys.aol.com 205.188.135.107
  1163.  predictor round-robin
  1164.  port http sticky
  1165.  port http cookie-name "pl_serverid"
  1166.  port http cookie-switching
  1167.  port 1030
  1168.  port 1030 cookie-name "pl_serverid"
  1169.  port 1030 cookie-switching
  1170.  port 1032
  1171.  port 1032 cookie-name "pl_serverid"
  1172.  port 1032 cookie-switching
  1173.  port 1033
  1174.  port 1033 cookie-name "pl_serverid"
  1175.  port 1033 cookie-switching
  1176.  port 8001
  1177.  port 8001 cookie-name "pl_serverid"
  1178.  port 8001 cookie-switching
  1179.  port 1031
  1180.  port 1031 cookie-name "pl_serverid"
  1181.  port 1031 cookie-switching
  1182.  bind http plogic-sd07 http plogic-sd08 http
  1183.  bind 1030 plogic-sd07 1030 plogic-sd08 1030
  1184.  bind 1032 plogic-sd07 1032 plogic-sd08 1032
  1185.  bind 1033 plogic-sd07 1033 plogic-sd08 1033
  1186.  bind 8001 plogic-sd07 8001 plogic-sd08 8001
  1187.  bind 1031 plogic-sd07 1031 plogic-sd08 1031
  1188. !
  1189. server virtual careerfinder.web.aol.com 205.188.135.108
  1190.  predictor round-robin
  1191.  port http sticky
  1192.  port http cookie-name "pl_serverid"
  1193.  port http cookie-switching
  1194.  bind http plogic-sd03 1040 plogic-sd04 1040 plogic-sd05 1040
  1195. !
  1196. vlan 1 name DEFAULT-VLAN by port
  1197.  no spanning-tree
  1198. !
  1199. console timeout 10
  1200. enable password-display
  1201. enable super-user-password 0 articul8
  1202. hostname plogic1-dr1-sw0
  1203. ip address 205.188.135.122 255.255.255.224
  1204. ip default-gateway 205.188.135.125
  1205. ip dns domain-name AOL.COM
  1206. ip dns server-address 205.188.152.6 205.188.152.37
  1207. logging 205.188.151.2
  1208. logging 172.31.15.13
  1209. logging 172.20.20.33
  1210. logging facility local5
  1211. mac-age 0
  1212. no flow-control
  1213. telnet client 152.163.136.1
  1214. telnet client 152.163.136.2
  1215. telnet client 205.188.151.9
  1216. telnet client 205.188.151.10
  1217. telnet client 64.12.64.34
  1218. telnet client 64.12.64.33
  1219. telnet client 152.163.177.103
  1220. telnet timeout 10
  1221. snmp-server community 0 Just1SNmPcomuntyRO2bchangd2k+ ro 8
  1222. snmp-server contact NetOps
  1223. snmp-server location AU36
  1224. clock summer-time
  1225. clock timezone us Eastern
  1226. sntp server 205.188.152.1
  1227. sntp server 205.188.152.2
  1228. no web-management
  1229. interface e 1
  1230.  speed-duplex 100-full
  1231.  no flow-control
  1232. !
  1233. interface e 2
  1234. speedÖ (concatenated)
  1235. !
  1236. access-list 8 permit 64.12.64.32 0.0.0.15
  1237. access-list 8 permit 152.163.82.0 0.0.0.255
  1238. access-list 8 permit 152.163.129.0 0.0.0.255
  1239. access-list 8 permit 152.163.136.0 0.0.0.255
  1240. access-list 8 permit 152.163.177.0 0.0.0.255
  1241. access-list 8 permit 172.18.0.0 0.0.255.255
  1242. access-list 8 permit 172.20.0.0 0.0.255.255
  1243. access-list 8 permit 172.31.0.0 0.0.255.255
  1244. access-list 8 permit 192.168.137.0 0.0.0.255
  1245. access-list 8 permit 205.188.151.0 0.0.0.255
  1246. access-list 8 permit 207.200.78.0 0.0.0.255
  1247. access-list 8 permit host 206.222.240.77
  1248. !
  1249. !
  1250. end
  1251. SLB with URL Switching Enabled
  1252. ver 07.1.18T12
  1253. no global-stp
  1254. !
  1255. !
  1256. server force-delete
  1257. server syn-def 6
  1258. server tcp-msl 6
  1259. server router-ports 25 26
  1260. !
  1261. url-map "policya"
  1262. method pattern
  1263. default 3
  1264. match "MC_RSC=7" 2
  1265. match "MC_RSC=5" 1
  1266. !
  1267. !
  1268. server real mc-s01 64.12.144.1
  1269.  max-conn 10000
  1270.  port 12443
  1271.  port http
  1272.  port http url "HEAD /"
  1273.  port ssl
  1274.  port 1080
  1275.  port 1443
  1276.  port 2080
  1277.  port 2443
  1278.  port 3080
  1279.  port 3443
  1280.  port 4080
  1281.  port 4443
  1282.  port 5080
  1283.  port 5443
  1284.  port 6080
  1285.  port 6443
  1286.  port 7080
  1287.  port 7443
  1288.  port 8080
  1289.  port 8443
  1290.  port 9080
  1291.  port 9443
  1292.  port 10080
  1293.  port 10443
  1294. !
  1295. server real mc-s03 64.12.144.2
  1296.  max-conn 10000
  1297.  port 12443
  1298.  port http
  1299.  port http url "HEAD /"
  1300.  port ssl
  1301.  port 1080
  1302.  port 1443
  1303.  port 6443
  1304.  port 6080
  1305.  port 4443
  1306.  port 4080
  1307.  port 3443
  1308.  port 3080
  1309.  port 2080
  1310.  port 2443
  1311.  port 5080
  1312.  port 5443
  1313.  port 7080
  1314.  port 7443
  1315.  port 8080
  1316.  port 8443
  1317.  port 9080
  1318.  port 9443
  1319.  port 10080
  1320.  port 10443
  1321. !
  1322. server real mc-s05 64.12.144.17
  1323.  max-conn 10000
  1324.  port 13443
  1325.  port 13080
  1326.  port 14443
  1327.  port 14080
  1328.  port 10020
  1329.  port 10010
  1330.  port 12543
  1331.  port 10050
  1332.  port 10050 server-id 1025
  1333.  port 10050 group-id  1 1 3 3
  1334.  port 12443
  1335.  port http
  1336.  port http url "HEAD /"
  1337.  port ssl
  1338.  port 10080
  1339.  port 11080
  1340.  port 11443
  1341.  port 12080
  1342. !
  1343. server real screen2-s03 64.12.144.4
  1344.  port http disable
  1345.  port http url "HEAD /"
  1346.  port ssl
  1347. !
  1348. server real mc-s07 64.12.144.18
  1349.  max-conn 10000
  1350.  port 13443
  1351.  port 13080
  1352.  port 14443
  1353.  port 14080
  1354.  port 10020
  1355.  port 10010
  1356.  port 12543
  1357.  port 10050
  1358.  port 10050 server-id 1027
  1359.  port 10050 group-id  2 2 3 3
  1360.  port 12443
  1361.  port http
  1362.  port http url "HEAD /"
  1363.  port ssl
  1364.  port 10080
  1365.  port 11080
  1366.  port 12080
  1367.  port 11443
  1368. !
  1369. server real screenname3 64.12.144.6
  1370.  port http
  1371.  port http url "HEAD /"
  1372.  port ssl
  1373. !
  1374. server real screenname-03-br 64.12.144.16
  1375.  port http
  1376.  port http url "HEAD /"
  1377.  port ssl
  1378. !
  1379. server virtual sandbox.screenname.aol.com 64.12.144.22
  1380.  predictor round-robin
  1381.  port http
  1382.  port http url-map "policya"
  1383.  port http cookie-name "MC_RSC"
  1384.  port http url-cookie-switching
  1385.  port ssl sticky
  1386.  bind http mc-s07 10050 mc-s05 10050
  1387.  bind ssl mc-s05 ssl mc-s07 ssl
  1388. !
  1389. server virtual my.screenname.aol.com 64.12.144.3
  1390.  predictor round-robin
  1391.  port ssl sticky
  1392.  port http
  1393.  bind ssl mc-s01 12443 mc-s03 12443
  1394.  bind http mc-s01 10080 mc-s03 10080
  1395. !
  1396. server virtual sandboxt.screenname.aol.com 64.12.144.19
  1397.  predictor round-robin
  1398.  port http
  1399.  port ssl sticky
  1400.  bind http mc-s05 10010 mc-s07 10010
  1401.  bind ssl mc-s05 10020 mc-s07 10020
  1402. !
  1403. server virtual aolcom.screenname.aol.com 64.12.144.23
  1404.  predictor round-robin
  1405.  port http
  1406.  port ssl sticky
  1407.  bind http mc-s05 14080 mc-s07 14080
  1408.  bind ssl mc-s05 14443 mc-s07 14443
  1409. !
  1410. server virtual login.screenname.aol.com 64.12.144.24
  1411.  predictor round-robin
  1412.  port http
  1413.  port ssl sticky
  1414.  bind http mc-s05 13080 mc-s07 13080
  1415.  bind ssl mc-s05 13443 mc-s07 13443
  1416. !
  1417. vlan 1 name DEFAULT-VLAN by port
  1418.  no spanning-tree
  1419. !
  1420. console timeout 10
  1421. enable password-display
  1422. enable super-user-password 0 articul8
  1423. hostname snagreg-mr6-sw0
  1424. ip address 64.12.144.26 255.255.255.224
  1425. ip default-gateway 64.12.144.30
  1426. ip dns domain-name AOL.COM
  1427. ip dns server-address 64.12.66.5 64.12.66.36
  1428. logging 172.20.20.33
  1429. logging 152.163.177.103
  1430. logging 205.188.151.2
  1431. logging 172.31.15.13
  1432. logging 172.20.20.33
  1433. logging facility local5
  1434. mac-age 0
  1435. no flow-control
  1436. system-max tcp-buffer 512
  1437. !
  1438. telnet client 152.163.136.2
  1439. telnet client 152.163.136.1
  1440. telnet client 205.188.151.9
  1441. telnet client 205.188.151.10
  1442. telnet client 64.12.64.34
  1443. telnet client 64.12.64.33
  1444. telnet client 152.163.177.103
  1445. telnet timeout 10
  1446. snmp-server community 0 Just1SNmPcomuntyRO2bchangd2k+ ro 8
  1447. snmp-server contact NetOps
  1448. snmp-server location MR6 CQ-605
  1449. clock summer-time
  1450. clock timezone us Eastern
  1451. sntp server 64.12.66.2
  1452. no web-management
  1453. interface e 1
  1454.  speed-duplex 100-full
  1455.  no flow-control
  1456. !
  1457. interface e 2
  1458. speedÖ(concatenated)
  1459. !
  1460. access-list 8 permit 64.12.64.32 0.0.0.15
  1461. access-list 8 permit 152.163.82.0 0.0.0.255
  1462. access-list 8 permit 152.163.129.0 0.0.0.255
  1463. access-list 8 permit 152.163.136.0 0.0.0.255
  1464. access-list 8 permit 152.163.177.0 0.0.0.255
  1465. access-list 8 permit 172.18.0.0 0.0.255.255
  1466. access-list 8 permit 172.20.0.0 0.0.255.255
  1467. access-list 8 permit 172.31.0.0 0.0.255.255
  1468. access-list 8 permit 192.168.137.0 0.0.0.255
  1469. access-list 8 permit 205.188.151.0 0.0.0.255
  1470. access-list 8 permit 207.200.78.0 0.0.0.255
  1471. access-list 8 permit host 206.222.240.77
  1472. !
  1473. !
  1474. end
RAW Paste Data
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy. OK, I Understand
 
Top