AOL Internal Data
a guest
Jun 25th, 2011
Introduction
Purpose and Objectives

The purpose of this document is to provide the AOL Network Engineering staff, management and any other pertinent persons a detailed review, analysis and recommended "best practices" document for the implementation of Layer 4 through 7 switching configurations. This is an evolving document, providing information from which an open forum of discussion can take place.
Scope

The scope of this document covers a review of SLB concepts, the Foundry ServerIron product line, general and advanced configuration parameters, health check operation and implementation, and a case study section for easy reference. This document focuses primarily on the operation and configuration of the Foundry Networks ServerIron, though the concepts of SLB covered within are not limited to the Foundry ServerIron product. 90% of the SLB-enabled services deployed within AOL are general in nature.
Server Load Balancing Review
Basic SLB Review
Server Load Balancing is a technique used by Layer 4 devices to "spread the load" of a particular service across many servers, also known as a server farm. These services can include, but are not limited to, Web, FTP, SSL, etc. The following drawing depicts a typical SLB topology deployed within AOL:
[drawing omitted]
Figure 1
The "clients" connect to the Virtual IP (VIP) that represents the service. The Layer 4 switch then distributes the connection on behalf of the client to one of the servers within the server farm servicing the particular service requested by the client. The Layer 4 switch performs many functions with respect to this, including client connection management, real server (the servers that make up the server farm) health monitoring, security, and even Layer 2 services, just to name a few. The configuration can get quite complex, depending on what services are being provided by the Layer 4 switch. It is important to note here that the "physical" topology is essentially the same as if only a Layer 2 switch were deployed.

SLB is classified as "switching" at OSI Layers 4 through 7. In Layer 4 SLB, the switch distributes client connections based on TCP or UDP information gleaned from the client request. With the upper layers, the switch is more "application aware"; the device examines the client request in more detail in an attempt to glean information from which a switching decision can be made. Layer 7 switching involves more processing overhead, but with some applications it can offer a more robust connectivity model for application switching decisions.
Advanced SLB Concepts
Layer 7 Switching
Layer 7 switching involves the switch making SLB decisions based on information gleaned from the client request at the application level. This includes the actual URL, cookies, and even SSL session IDs.

URL switching

The ServerIron has the ability to match a portion of (or the entire) URL in the client request and direct that request to a group of servers (or a specific server) based on what was gleaned from the request.

Cookie Switching

Similar to URL switching, the ServerIron looks into the HTTP request data to identify a cookie within the request. Cookies take the form of a "Name=Value" pair, and the request is directed to the group or specific real server based on that match.

SSL switching

SSL switching allows the ServerIron to direct a request from a client to the real server where an SSL session was initially established.

Caching

Proxy caching and transparent caching are the ability of the switch to identify, based on policies and other configuration parameters, client requests for services and direct them to a cache server farm.
The Foundry ServerIron SLB Products

The Foundry ServerIron comes in two flavors: the stackable and the chassis-based device.
ServerIron XL Stackable
The ServerIron XL is a stackable device with 24 10/100 ports combined with 2 dedicated uplink ports; the uplinks can be either 10/100 or Gigabit Ethernet. The device contains a 400 MHz PowerPC and 32 MB of RAM. This device will be referred to as the "XL" in the remainder of the document.

Big ServerIron Chassis
The Big ServerIron is an upgraded BigIron chassis device, with either an M3 or M4 management board. The upgrade consists of an EEPROM installation coupled with a code upgrade. This configuration will be referred to as the "BSI" for the remainder of the document.
ServerIron 400
The ServerIron 400/800 is a 4-slot or 8-slot chassis device with an M5 / WSM4 management module. The M5 has four processors: a "management" processor (MP) and three "barrel processors" (BP). The management processor handles basic system functions such as bootup / initialization, MAC / ARP table maintenance, and other system-wide functions. The barrel processors perform the actual SLB function for the slots that are mapped to them (slot mapping is discussed in section #). This device will be referred to as the SI400 for the remainder of the document.

Configuring the SI products consists of setting "general global" system parameters, "advanced global" parameters, and the "SLB"-specific parameters required for SLB functions, as well as interface-specific configuration information. They are consistent between the products, with a few noted exceptions. The configuration format can be illustrated as:

!
general and advanced global configuration
!
SLB-specific configuration (Real servers and Virtual Servers)
!
Interface configuration (Link parameters, Caching parameters)
!

Sections 3 through 6 provide detailed information concerning general configuration recommendations and practices.
General Global System Configuration Parameters

General system parameters consist of assigning the Layer 4 switch an IP address, IP default gateway, device hostname, DNS zone, SNMP parameters, syslog server details, and passwords. These are generic, and will be determined prior to or at system installation. Example configuration follows:

console timeout 10 (timeout for console connections, set to 10 minutes)
enable password-display (enables non-encrypted password display via sh run, sh config)
enable super-user-password 0 xxxxxx (sets enable password)
hostname serveriron (sets hostname)
ip address 1.1.1.6 255.255.255.0 (sets IP address of the switch)
ip default-gateway 1.1.1.254 (sets default gateway)
ip dns domain-name AOL.COM (sets domain name)
ip dns server-address 205.188.152.6 205.188.152.37 (sets DNS servers)
logging 205.188.151.2 (sets syslog hosts)
logging 172.31.15.13
logging 172.20.20.33
logging facility local5 (sets the syslog logging facility on log host)
snmp-server community 0 xxxxro 8 (sets the SNMP community string, along with the ACL required for snmp queries)
snmp-server contact NetOps (sets the snmp contact information)
snmp-server location cr5 22aa (sets the location)

It is recommended that the SNMP variable "location" be included for quick reference.

Note that with "enable password-display" set, the super-user password appears unencrypted in "sh run" and "sh config" output, so captured or pasted configurations must be handled as sensitive material.

Advanced Global System Configuration Parameters

The advanced global parameters consist of configuration statements that affect the overall operation of the device. These settings include Layer 2 and Layer 4 parameters, as well as system security settings.
MAC Aging

Background

There is no direct advantage to disabling MAC aging except under high traffic loads coupled with high-density server farms, where the MAC aging process disrupts traffic flow, which is obviously undesirable under those circumstances.

MAC Aging Recommendations

It is recommended that MAC aging be disabled where the environment is determined to be static, i.e. hosts are not moving from one physical port to another. To disable MAC aging, enter the following CLI command:

Serveriron(config)# mac-age 0

This is set on all platforms.
Hardware Aging

Background

A Foundry chassis device ages out Layer 2 CAM (Content Addressable Memory) entries once every 65 seconds after the flow has been established through the device. As is the case with MAC aging, this process is also disruptive to the flow (subsequent packets sent during the CAM "relearning" process are dropped). In the past this had a dramatic impact in areas of the network that experienced very high traffic rates.

Hardware Aging Recommendations

It is recommended that Layer 2 hardware aging be disabled across all chassis products, not just Layer 4 devices. To disable hardware aging, enter the following CLI command:

Serveriron(config)# l2-hw-age-dis

A complete description of Foundry CAM operation will be provided in future tech notes.
Spanning Tree

Unless explicitly required by the Layer 2 design / topology, spanning tree should be disabled. To disable spanning tree, enter the following command via the CLI:

Serveriron(config)# no spanning

IP Policy

To enable the SI400 management module barrel processors for SLB processing, the following global command must be set:

ServerIron(config)# ip l4-policy 1 cache tcp 0 global

This command initializes the barrel processors at startup. Note: this command also has the effect of forcing ALL of the traffic for a slot through the mapped barrel processor.
Server Router Ports

Server router ports are required on the uplink ports to the routers. This parameter indicates to the SI on which ports traffic flows between the clients and the real servers. To configure the server router ports, use the following CLI commands:

On the XL and BSI:
Serveriron(config)# server router-ports 25 26

On the SI400:
serveriron(config)# server router-ports ethernet 2/1
serveriron(config)# server router-ports ethernet 2/2

As indicated above, the configuration differs between the XL/BSI and the SI400: on the XL and BSI you can enter all of the "router" ports on one line, whereas a separate line entry is required for each port on the SI400. As above concerning the "ip policy" statement on the SI400,

Router Port Recommendations

The server-router port definitions are required for proper SLB operation.
TCP/UDP Age

The TCP-AGE / UDP-AGE parameter specifies how long an idle TCP or UDP connection remains in the session table. The default for TCP is 30 minutes, while for UDP it is 5 minutes. For TCP, the SI deletes a session entry immediately once the connection is closed. The connection is considered "closed" if the SI observes either the TCP FIN / FIN-ACK sequence or a RESET from either the client or the real server. For UDP, the session remains in the table for the duration of the configured UDP age timer.

Age Timer Recommendations

This setting is dependent on the application being serviced. For TCP, the timer should be set at 10 minutes, and adjusted as the application's operational requirements dictate. Ten minutes is suggested as a means of resource preservation on the ServerIron, and falls within the range of SST-based applications (SST is the proprietary AOL TCP/IP stack in use on many servers within AOL). A detailed discussion of SST is beyond the scope of this document. The UDP-AGE timer should remain at the default setting. To set the TCP or UDP age, use the following CLI commands:

Serveriron(config)# tcp-age [time] (default 30 minutes)
or
Serveriron(config)# udp-age [time] (default 5 minutes*)

Age Timer Caveats

TCP age is advertised as an "on the fly" setting; in code revision 7.1.18, and possibly others in the 7.1 train, it has been determined that a reboot of the device is required for the change to take effect. In 7.3.x and the SI400 code revisions, no reboot is required.

*The UDP-AGE timer applies to all UDP-based applications with the exception of DNS and RADIUS; the SI immediately ages out the session once it determines there has been a reply to a DNS or RADIUS query. This default can be overridden, but it is highly recommended that it remain at the default setting. If a change to the default behavior for DNS and RADIUS is deemed necessary, then careful consideration of system resources should be given. DNS and RADIUS queries and responses can, by the nature of the applications, arrive at very high rates; if the sessions on the SI are not aged out quickly enough, resource starvation can occur and performance can suffer dramatically.
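The following is an added illustration of the aging rules described in this section, written for this document rather than taken from Foundry code: a small session-table model in which TCP entries go immediately on FIN/FIN-ACK or RESET, UDP entries wait out the udp-age timer, and a reply from a DNS or RADIUS server port ages the entry out at once. The timer values are the ones stated above; the traffic trace, the session key layout and the set of ports treated as DNS/RADIUS are assumptions made for the example.

```python
from dataclasses import dataclass, field

# Timer values are the ones the page states; the traffic trace is constructed.
TCP_AGE_DEFAULT = 30 * 60       # tcp-age default, 30 minutes
UDP_AGE_DEFAULT = 5 * 60        # udp-age default, 5 minutes
TCP_AGE_RECOMMENDED = 10 * 60   # the page's recommended tcp-age

# Assumption: the DNS / RADIUS quick age-out is keyed on these server ports.
QUICK_AGE_UDP_PORTS = {53, 1812, 1813, 1645, 1646}


@dataclass
class Session:
    proto: str
    client: tuple
    server: tuple
    last_seen: int
    fin_seen: set = field(default_factory=set)


class SessionTable:
    """Minimal model of the SI session table's aging rules (not Foundry code)."""

    def __init__(self, tcp_age=TCP_AGE_DEFAULT, udp_age=UDP_AGE_DEFAULT,
                 quick_age_udp=True):
        self.tcp_age = tcp_age
        self.udp_age = udp_age
        self.quick_age_udp = quick_age_udp   # False models overriding the DNS/RADIUS default
        self.sessions = {}

    def observe(self, now, proto, client, server, direction="c2s", flags=()):
        """Record one packet; returns True if the session is still in the table."""
        key = (proto, client, server)
        s = self.sessions.get(key)
        if s is None:
            s = self.sessions[key] = Session(proto, client, server, now)
        s.last_seen = now
        if proto == "tcp":
            if "RST" in flags:                    # RESET from either side: delete now
                del self.sessions[key]
                return False
            if "FIN" in flags:
                s.fin_seen.add(direction)
                if s.fin_seen == {"c2s", "s2c"}:  # FIN / FIN-ACK sequence complete
                    del self.sessions[key]
                    return False
        elif (self.quick_age_udp and direction == "s2c"
              and server[1] in QUICK_AGE_UDP_PORTS):
            del self.sessions[key]                # DNS/RADIUS reply seen: age out at once
            return False
        return True

    def age(self, now):
        """Idle-timer sweep; returns the number of entries removed."""
        expired = [k for k, s in self.sessions.items()
                   if now - s.last_seen >= (self.tcp_age if s.proto == "tcp"
                                            else self.udp_age)]
        for k in expired:
            del self.sessions[k]
        return len(expired)


def run_scenario(tcp_age=TCP_AGE_RECOMMENDED):
    """Constructed trace: one web connection, one DNS query, one UDP flow to port 5000.
    Returns the table size after each step."""
    t = SessionTable(tcp_age=tcp_age)
    client = ("10.0.0.1", 40000)
    web, dns, app = ("1.1.1.10", 80), ("1.1.1.20", 53), ("1.1.1.30", 5000)
    sizes = []
    t.observe(0, "tcp", client, web, flags=("SYN",))
    sizes.append(len(t.sessions))                        # 1
    t.observe(0, "udp", client, dns)
    sizes.append(len(t.sessions))                        # 2
    t.observe(1, "udp", client, dns, direction="s2c")    # DNS reply
    sizes.append(len(t.sessions))                        # 1: DNS entry gone at once
    t.observe(2, "udp", client, app)
    sizes.append(len(t.sessions))                        # 2
    t.observe(60, "tcp", client, web, flags=("FIN",))
    sizes.append(len(t.sessions))                        # 2: half-closed, still tracked
    t.observe(61, "tcp", client, web, direction="s2c", flags=("FIN", "ACK"))
    sizes.append(len(t.sessions))                        # 1: TCP entry deleted
    t.age(2 + UDP_AGE_DEFAULT - 1)
    sizes.append(len(t.sessions))                        # 1: UDP flow one second short of udp-age
    t.age(2 + UDP_AGE_DEFAULT)
    sizes.append(len(t.sessions))                        # 0: UDP flow aged out
    return sizes


def idle_tcp_lifetime(tcp_age):
    """Seconds an idle TCP session (no FIN/RST ever seen) survives under tcp_age."""
    t = SessionTable(tcp_age=tcp_age)
    t.observe(0, "tcp", ("10.0.0.1", 40001), ("1.1.1.10", 80), flags=("SYN",))
    now = 0
    while t.sessions:
        now += 1
        t.age(now)
    return now
```

The two timers interact with the recommendation above in the obvious way: a connection that is closed cleanly costs nothing beyond the handshake, while a client that simply vanishes holds its entry for the full tcp-age, which is why lowering it from 30 to 10 minutes preserves session-table capacity.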
Load Balancing Predictor

The SI provides several methods for the SLB predictor (the mechanism which determines how the traffic is distributed amongst the configured real servers), including least connections, least sessions, round-robin, weighted, server response time, least local connections*, and least local sessions*. The predictor can be set globally or locally in the VIP configuration. Setting it locally on the VIP overrides the global setting.

Least Connections
The ServerIron sends the request to the real server that currently has the fewest active connections with clients.

Least Sessions
The ServerIron sends the request to the real server that currently has the fewest session table entries.

Round Robin
The ServerIron sends the request to each server in rotation, regardless of how many connections or sessions each server has.

Weighted
The ServerIron uses the weights you assign to the real servers to select a real server. The weights are based on the number of session table entries the ServerIron has for each server.

Response Time
The ServerIron selects the real server with the fastest response time.

Predictor Recommendations
In general, the predictor configured globally should be round-robin. There are times when this predictor will not provide the desired results; configuring the predictor on the virtual server overrides the global configuration. Round-robin is also required when port translation is configured.

The predictor can be configured both globally and local to the VIP; configuring it under the VIP definition overrides the global command. To configure the predictor globally, use the following command:

Serveriron(config)# server predictor round-robin
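As an added example (not Foundry code, and not part of the original document), the predictors listed above implemented side by side so their selection behaviour can be compared on the same pool. The `RealServer` counters, the `dispatch` helper and the rule used for the weighted predictor (lowest session count per unit of weight) are assumptions for the example; the page only says that the weights are applied against session-table entries.

```python
import itertools


class RealServer:
    """Per-server counters the predictors read (constructed, not ServerIron state)."""

    def __init__(self, name, weight=1, connections=0, sessions=0, response_time=0.0):
        self.name = name
        self.weight = weight                  # weighted predictor only
        self.connections = connections        # active client connections
        self.sessions = sessions              # session-table entries
        self.response_time = response_time    # seconds; response-time predictor only


class Predictor:
    """Picks the real server for a new client connection."""

    def __init__(self, servers, method="round-robin"):
        self.servers = list(servers)
        self.method = method
        self._rotation = itertools.cycle(self.servers)

    def select(self):
        m = self.method
        if m == "round-robin":
            # strict rotation, regardless of load on each server
            return next(self._rotation)
        if m == "least-conn":
            return min(self.servers, key=lambda s: s.connections)
        if m == "least-sessions":
            return min(self.servers, key=lambda s: s.sessions)
        if m == "weighted":
            # Assumption: the server with the fewest sessions per unit of weight wins,
            # so a weight-3 server takes about three times the sessions of a weight-1 one.
            return min(self.servers, key=lambda s: s.sessions / s.weight)
        if m == "response-time":
            return min(self.servers, key=lambda s: s.response_time)
        raise ValueError(f"unknown predictor {m!r}")


def dispatch(pred, n):
    """Send n new connections through the predictor; returns the chosen names in order."""
    chosen = []
    for _ in range(n):
        s = pred.select()
        s.connections += 1
        s.sessions += 1
        chosen.append(s.name)
    return chosen


def effective_predictor(global_method, vip_method=None):
    """A predictor configured under the virtual server overrides the global one."""
    return vip_method or global_method
```

Running `dispatch` with a pool whose counters start unequal shows why round-robin is the safe global default: it is the only method whose choice cannot be skewed by a server that answers quickly but is failing, whereas the load-sensitive methods will pile connections onto whichever server holds the fewest entries at that instant.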
  183.  
  184. Session Limits
  185.  
  186. The server session limit setting indicates to the SI how much memory resource to set aside for the session table. This should be set to 1 million on the XL and BSI, and 2 million on the SI400 device. If this setting, particularly on the stackable devices, is not configured appropriate to the load on the switch, then high CPU and ultimately poor performance can result. To avoid this potential issue, use the following commands:
  187.  
  188. XL / BSI / SI400
  189.  
  190. Serveriron(config)# server session-limit 1000000
  191.  
  192. SI400 specific
  193.  
  194. The above command as well as the following should be configured:
  195.  
  196. Serveriron(config)# server session-wsm-limit 2000000
  197. Stateless Sessions
  198.  
  199. The term ìstatelessî refers to the SI not maintaining an active session entry in memory for the client transaction. The obvious advantage here is resource usage- no memory is dedicated to maintaining information about the client to server transaction.
  200.  
  201. Stateless Recommendations
  202.  
  203. The use of stateless settings is currently being evaluated. At this time, it is recommended stateless not be used.
  204. Security
  205. Background
  206.  
  207. Foundry Layer 4 devices have network security mechanisms built into the code. These include SYN defense (SYN-DEF, SYN-Guard), TCP rate limiting, and many others. At this point, it is recommended only SYN-DEF be utilized until further testing/verification can be performed on other techniques.
  208. SYN-DEF
  209.  
  210. SYN-Def is a security mechanism that allows the ServerIron to provide syn-defense for the servers and segment it is deployed on. The operation of SYN-DEF differs depending on the product in use. On the XL and BSI devices, the mechanism monitors the three-way handshake between the client and the real server. Once the client has sent the initial SYN, it waits for the configured time specified and expects to see the final ACK from the client within this time frame. If it does not receive the ACK, it drops subsequent SYN requests from the client and clears the session. On the SI4000 device, as well as the stackable code revision 7.3 and above, ìenhanced SYN-DEFî is used. The mechanism will not only monitor the connection attempt, but it will complete the three-way handshake with the server on behalf of the client during the connection setup. This allows the connection on the server to be moved out of the connection queues and into the established queues. Again, the timer starts upon receipt of an initial SYN from a client. If the client fails to send the final ACK within the configured time frame, then the SI will send a TCP RESET to the real server (clearing the session on the server), and clear the session from itís session table. No RESET is sent to the client.
  211.  
  212. Enhanced SYN-DEF also has the ability to monitor ìpass-throughî TCP traffic (traffic passing through the SI, not directed to the SI itself).
  213.  
  214.  
  215. SYN-DEF Recommendations
  216.  
  217. SYN-DEF, as a feature, should be enabled. The recommended configured tolerances warrant further testing, but are directly tied to the traffic patterns through the device it is configured on. Watching the syn-def counters via ìshow server debugî CLI command provides insight into how SYN-DEF is operating, as well as any potential SYN attack that may be in progress. If the counter is tripping constantly, it may prove useful to apply a sniffer to the router interfaces to determine if legitimate traffic is being affected, and what adjustments if any are required. Itís recommended that a setting of 6 seconds be applied initially, and then adjusted (tuned per application requirements) from this point if necessary.
  218.  
  219. To enable syn-def, use the following CLI commands:
  220.  
  221. Serveriron(config)# server syn-def 6
  222. On the SI400 device, you must also configure syn-def at the interface level:
  223. Serveriron(config-if-3/1)# syn-def
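The difference between the two SYN-DEF modes described above is easiest to see as a state machine. The following model is an added example written for this document, not Foundry code: it tracks handshakes per (client, server) pair with the 6-second timeout recommended above, and records what the SI does when the final ACK never arrives. The event names, the `tripped` counter and the assumption that a classic-mode block on a client persists for the life of the object (the page gives no duration) are all constructions for the example.

```python
SYN_DEF_RECOMMENDED = 6   # seconds, the page's starting point for "server syn-def"


class SynDef:
    """SYN-DEF watchdog: classic (XL/BSI before 7.3) or enhanced (SI400, 7.3+).
    Times are integer seconds; clients and servers are constructed labels."""

    def __init__(self, timeout=SYN_DEF_RECOMMENDED, enhanced=True):
        self.timeout = timeout
        self.enhanced = enhanced
        self.pending = {}      # (client, server) -> time the client's SYN was seen
        self.blocked = set()   # classic mode: clients whose later SYNs are dropped
        self.actions = []      # trace of what the SI did
        self.tripped = 0       # stands in for the counter watched in "show server debug"

    def client_syn(self, now, client, server):
        """Client SYN toward a VIP. Returns False if SYN-DEF dropped it."""
        key = (client, server)
        if not self.enhanced and client in self.blocked:
            self.actions.append(("drop_syn", client))
            return False
        self.pending[key] = now               # timer starts on the initial SYN
        if self.enhanced:
            # Enhanced mode: the SI finishes the handshake with the real server on
            # the client's behalf, so the server holds an established connection.
            self.actions.append(("handshake_with_server", key))
        return True

    def client_ack(self, now, client, server):
        """Final ACK of the three-way handshake from the client."""
        key = (client, server)
        if self.pending.pop(key, None) is None:
            return False                      # nothing pending (expired or unknown)
        self.actions.append(("established", key))
        return True

    def tick(self, now):
        """Expire handshakes whose final ACK has not arrived within the timeout;
        returns how many were expired."""
        expired = [k for k, t0 in self.pending.items() if now - t0 >= self.timeout]
        for key in expired:
            del self.pending[key]
            self.tripped += 1
            client, server = key
            if self.enhanced:
                # Page: RESET to the real server to clear its connection, none to the client.
                self.actions.append(("rst_to_server", server))
            else:
                # Page: subsequent SYNs from this client are dropped. Assumption: the
                # block lasts for the life of this object; the page gives no duration.
                self.blocked.add(client)
            self.actions.append(("clear_session", key))
        return len(expired)

    def did(self, action):
        """True if the trace contains the named action."""
        return any(a[0] == action for a in self.actions)
```

The trace is what a sniffer on the router ports would confirm: in enhanced mode a spoofed-source flood produces RESETs toward the real servers and no packets back to the (nonexistent) clients, while a legitimate client that completes its handshake inside the window is never touched. A `tripped` value that climbs continuously is the signal, as the recommendations above note, to compare the counter against real client behaviour before raising the timeout.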
Access Control Lists

We have had persistent challenges in the past getting these to work properly, resulting in many different revisions of code that are "application" specific. To reduce the amount of potential issues and increase code revision manageability, it is highly recommended that Foundry Layer 4 devices not run ACLs.
Source NAT

Source NAT may be required in certain circumstances where the return traffic to the client does not pass back through the ServerIron. One example is when using remote (or backup) servers on an IP segment other than the one the SI is configured for (i.e. communication between the ServerIron and the real server must pass through a router). These instances are rare; this command is best used as a troubleshooting tool, and is described in section ().
Force Delete

The command "server force-delete" allows the SI to force connection closure when a server or a port on that real server is administratively taken out of rotation. This should be set on all SI platforms. To set force-delete, use the following CLI command:

Serveriron(config)# server force-delete
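The global recommendations in this section amount to a baseline that a running configuration either meets or does not. The script below is an added example written for this document (it is not a Foundry tool) that audits a "show running-config" capture against that baseline using only the command lines shown on this page, with the SI400-only lines (ip l4-policy, session-wsm-limit) and the chassis-only l2-hw-age-dis applied by platform. The two sample configurations are constructed, not captured from a real device, and the check for ACL lines assumes they begin with "access-list", which the page does not show.

```python
import re

# Baseline lines drawn from this page's recommendations. Each entry is a regex that
# must match one line of the running config, and the finding if it does not.
BASELINE_ALL = [
    (r"^mac-age 0$",                       "MAC aging not disabled (mac-age 0)"),
    (r"^no spanning$",                     "spanning tree not disabled (no spanning)"),
    (r"^server router-ports ",             "no server router-ports defined"),
    (r"^tcp-age 10$",                      "tcp-age not set to the recommended 10 minutes"),
    (r"^server predictor round-robin$",    "global predictor not round-robin"),
    (r"^server session-limit 1000000$",    "server session-limit not 1000000"),
    (r"^server syn-def \d+$",              "SYN-DEF not enabled (server syn-def <seconds>)"),
    (r"^server force-delete$",             "server force-delete not set"),
]
BASELINE_CHASSIS = [   # BSI and SI400
    (r"^l2-hw-age-dis$",                   "Layer 2 hardware aging not disabled (l2-hw-age-dis)"),
]
BASELINE_SI400 = [
    (r"^ip l4-policy 1 cache tcp 0 global$", "barrel processors not enabled (ip l4-policy)"),
    (r"^server session-wsm-limit 2000000$",  "server session-wsm-limit not 2000000"),
]


def audit(config_text, platform):
    """Check a ServerIron running-config (plain text) against the page's baseline.
    platform is 'XL', 'BSI' or 'SI400'. Returns a list of finding strings."""
    lines = [ln.strip() for ln in config_text.splitlines()
             if ln.strip() and not ln.lstrip().startswith("!")]
    checks = list(BASELINE_ALL)
    if platform in ("BSI", "SI400"):
        checks += BASELINE_CHASSIS
    if platform == "SI400":
        checks += BASELINE_SI400
    findings = [msg for pattern, msg in checks
                if not any(re.match(pattern, ln) for ln in lines)]
    for ln in lines:
        m = re.match(r"^server syn-def (\d+)$", ln)
        if m and int(m.group(1)) != 6:
            findings.append(f"server syn-def is {m.group(1)}; page suggests starting at 6")
        if ln == "enable password-display":
            findings.append("WARN: enable password-display puts passwords in cleartext "
                            "in show run / show config output")
        if ln == "server no-reassign-count":
            findings.append("WARN: reassign monitor disabled; troubleshooting use only")
        # Assumption: Foundry ACL lines begin with "access-list"; the page shows no ACL syntax.
        if re.match(r"^(ip )?access-list ", ln):
            findings.append("WARN: ACLs configured; page recommends none on Layer 4 devices")
    return findings


# Constructed configs, not captured from a real device.
CONFIG_BEFORE_XL = """\
!
hostname serveriron
enable password-display
server router-ports 25 26
server syn-def 20
!
"""

CONFIG_AFTER_SI400 = """\
!
hostname serveriron
mac-age 0
l2-hw-age-dis
no spanning
ip l4-policy 1 cache tcp 0 global
server router-ports ethernet 2/1
server router-ports ethernet 2/2
tcp-age 10
server predictor round-robin
server session-limit 1000000
server session-wsm-limit 2000000
server syn-def 6
server force-delete
!
"""
```

Run `audit(CONFIG_BEFORE_XL, "XL")` to see the gaps an un-tuned stackable typically has; the same function on `CONFIG_AFTER_SI400` with platform "SI400" returns no findings. Feeding it a capture taken over a serial console rather than a paste avoids the password-display exposure noted earlier.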

Health Checks

Layer 4 through 7 switching inherently implies and requires health check mechanisms to ensure client-perceived quality of service, server resource availability, and to some degree, maintenance. Various aspects of the AOL client, as well as many non-client* related services, depend very heavily on services provided by server farms front-ended by Layer 4 through 7 switching products, and the ServerIron health checks help ensure these services remain available.
What are health checks?

In essence, health checks refer to the ability of the Layer 4/7 application switch to determine server and resource availability. The application switch has to perform two tasks: first, it has to ensure that the configured servers are initially available for rotation into the server pool, and second, it must continuously monitor server and application status and availability. This is accomplished in various ways depending on the SI product in use.
ServerIron Health Check Operation

The Foundry Networks ServerIron products offer a robust scope of health check options, though some aspects of health check operation differ between the stackable and chassis-based products. The SI health check mechanisms can be considered to run in two modes: initialization and operational monitoring.
ServerIron Health Check Methods

ServerIron health checks take place at Layers 2 (link), 3 (IP), 4 (TCP/UDP) and the application layer (7).
Layer 2/3

Layer 2/3 health checks consist of the ServerIron ARPing for the real server IP address and sending IP ICMP echo requests (ping). When you add a real server to the configuration, the ServerIron ARPs for the MAC address of the real server. A successful ARP can be verified via either of the CLI commands "sh arp" or "sh server debug". The latter command provides a great deal of information about the real server and its attributes, including the real server state, real server port state, and number of active connections, just to name a few. It is recommended that the reader review the Foundry manuals online for more detail; it is an invaluable tool for troubleshooting purposes.
For this discussion, the server state is of interest. The state can be one of 6 values: ENABLED, FAILED, TEST, SUSPECT, GRACE_DN, and ACTIVE. The state is represented numerically in the CLI output; each state is listed below:

(1) ENABLED
The real server is configured, but the server has not responded to an ARP or ping (echo) request. Physical connections and IP address configuration (on the ServerIron and the real server) should be verified.

(2) FAILED
The real server has failed to respond to repeated pings.

(3) TEST
The real server is still reachable at Layer 3, but one or more of the application ports configured on the real server has failed to respond to health checks (either during initialization or configured periodic health checks). The SI will continue trying to reach the application indefinitely; the state remains TEST for as long as the server is reachable at Layer 3 but the SI cannot reach the application that is failing its health check.

(4) SUSPECT
The ServerIron associates a time stamp with each packet sent to and received from the real servers. If the time gap between the last packet received from the server and the last packet sent to the server grows to 3 or 4 seconds, the ServerIron sends a ping (Layer 3 health check) to the server. If the server does not respond within the ping interval (a configurable parameter), the ServerIron changes the state to SUSPECT and resends the ping, up to the number of retries specified by the ping retries parameter (also configurable). If the server still does not respond after all the retries, the state changes to FAILED. If the server does respond, the state changes to ACTIVE.

(5) GRACE_DN
The forced-shutdown (delete) option has been used to gracefully shut the server down.

(6) ACTIVE
The server has responded to the Layer 3 health check (IP ping). Also, all the services on the real server have passed their Layer 4 (and if applicable, Layer 7) health checks.
Layer 4
Layer 4 consists of TCP or UDP checks to the configured real server ports. For TCP, the SI sends the real server a TCP SYN on each configured port, expecting a SYN-ACK in response. If the SI sees the SYN-ACK from the real server, it responds with a TCP RESET to the real server and considers the port active. For UDP, the ServerIron sends "bogus" data to the real server on the configured UDP ports. Since UDP is a connectionless protocol, the ServerIron does not expect to see any response from the real server; an ICMP "port unreachable" message from the real server indicates to the SI that the configured port is not active and should be taken out of rotation.
Layer 7
Layer 7 health checks consist of the SI interacting with the actual application on the real server to determine operational status. Layer 7 health checks exist for "well-known" application ports; to the SI these include, but are not limited to, HTTP, SSL, FTP, DNS, and SMTP. By default, no Layer 7 health checks are performed by the SI. If required, they should be enabled via port profiles, or within the real server definition itself.
Real Server Initialization
Initialization takes place at Layer 2 (link), Layer 3 (IP), and Layer 4 (TCP/UDP). Upon adding the real server to the SI configuration, the device first ARPs for the IP address of the real server. After successfully completing the ARP process, it pings the real server to verify Layer 3 connectivity. Provided the real server has passed both the Layer 2 and Layer 3 checks, Layer 4 testing takes place after the logical ports (under the real server configuration) that the server will be servicing are configured. No Layer 7 health checks are performed at this time.
Real Server Operational Monitoring

Operational monitoring, depending on the device (XL/BSI vs. SI400) and the CLI configuration, consists of Layer 2/3, Layer 4 and Layer 7 checks. Both products continuously send ARP requests every twenty seconds for the real server to verify Layer 2/3 connectivity. Additionally, the SI400 sends ICMP pings to the real server every two seconds, whereas the stackable device does not.
By default, the SI does not perform "active" periodic monitoring of real server application status. Active health checks refer to the SI initiating and sending periodic checks to the configured server services to ensure service availability. Instead, the SI "passively" monitors the session between itself, the client and the real server. This process is referred to as the "reassign monitor", and its operation differs between the XL/BSI and the SI400-based products.
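The six server states, the initialization sequence and the periodic checks above fit together as one state machine per real server. The model below is an added example written for this document, not Foundry code: it walks a server through ARP, ping and the per-port Layer 4 probe, then through the ping-retry path to SUSPECT and FAILED, and through missed Layer 4 keepalives to TEST. The probe response labels, the `ping_retry` and `keepalive_retries` parameters and the rule that a port is marked down after `retries` consecutive missed keepalives are assumptions for the example; the numeric state values are the ones the page lists.

```python
ENABLED, FAILED, TEST, SUSPECT, GRACE_DN, ACTIVE = range(1, 7)   # page's numeric states
STATE_NAME = {ENABLED: "ENABLED", FAILED: "FAILED", TEST: "TEST",
              SUSPECT: "SUSPECT", GRACE_DN: "GRACE_DN", ACTIVE: "ACTIVE"}


def l4_probe_passed(proto, response):
    """Outcome of one Layer 4 probe as the page describes it: for TCP a SYN-ACK
    means the port is up (the SI then sends a RST); for UDP silence is fine and
    only an ICMP port-unreachable marks the port down. Responses are labels."""
    if proto == "tcp":
        return response == "SYN-ACK"
    return response != "ICMP-port-unreachable"


class RealServer:
    """Real server state as the SI tracks it (model, not Foundry code)."""

    def __init__(self, name, ports, ping_retry=1, keepalive_retries=2):
        self.name = name
        self.ports = {p: False for p in ports}      # port -> passed its L4 check
        self.state = ENABLED
        self.ping_retry = ping_retry                # "server ping-retry"
        self.keepalive_retries = keepalive_retries  # "tcp keepalive <interval> <retries>"
        self.missed_pings = 0
        self.missed_keepalives = {p: 0 for p in ports}

    def _port_state(self):
        return ACTIVE if all(self.ports.values()) else TEST

    def initialize(self, arp_ok, ping_ok, port_results):
        """Initialization: ARP, then ping, then one L4 probe per configured port.
        port_results maps port -> bool, e.g. from l4_probe_passed()."""
        if not (arp_ok and ping_ok):
            self.state = ENABLED            # no ARP / echo reply: stays ENABLED
            return self.state
        self.ports.update(port_results)
        self.state = self._port_state()     # ACTIVE only if every port passed, else TEST
        return self.state

    def ping_result(self, answered):
        """Periodic Layer 3 check. A miss moves the server to SUSPECT; ping_retry
        further misses move it to FAILED; an answer restores ACTIVE (or TEST)."""
        if self.state == GRACE_DN:
            return self.state
        if answered:
            self.missed_pings = 0
            self.state = self._port_state()
        else:
            self.missed_pings += 1
            self.state = FAILED if self.missed_pings > self.ping_retry else SUSPECT
        return self.state

    def keepalive_result(self, port, answered):
        """Periodic Layer 4 keepalive on one port (requires a port profile).
        Returns whether the port is still in rotation."""
        if answered:
            self.missed_keepalives[port] = 0
            self.ports[port] = True
        else:
            self.missed_keepalives[port] += 1
            if self.missed_keepalives[port] >= self.keepalive_retries:
                self.ports[port] = False    # port out of rotation; server drops to TEST
        if self.state in (ACTIVE, TEST):
            self.state = self._port_state()
        return self.ports[port]

    def force_delete(self):
        """Administrative removal with server force-delete configured."""
        self.state = GRACE_DN
        return self.state


def time_to_detect_port_down(interval, retries):
    """Seconds from the last answered keepalive until the port is marked down:
    the page's 30-second interval with 2 retries gives one minute."""
    return interval * retries
```

The `TEST` state is the one worth alarming on: the server answers pings, so nothing at Layer 3 looks wrong, yet the application port is out of rotation and will stay that way until a probe succeeds. `time_to_detect_port_down` makes the trade-off in the keepalive recommendation explicit: a shorter interval or fewer retries detects failure sooner at the cost of more probe traffic and more false positives on a busy server.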
  284. The Reassign Monitor
  285.  
  286. As stated above, depending on the SI product in use, the reassign monitor operation and the indications provided by the CLI differ greatly. The reassign monitor and itís operation is discussed below.
  287. XL/BSI Reassign Monitor Operation
  288.  
  289. On the XL and BSI, the device monitors the connection attempts between itself and the real server. When the SI attempts to pass a new client connection onto a real server, the device will wait for two consecutive SYNs from the client before the connection attempt is passed to the next real server in the rotation for that service. The reassigned servers reassign counter is increased by 3. If the reassign counter increments past the reassign threshold (default 20), then the real server port is marked failed, taken out of rotation, and the initialization process is repeated until that real server port passes the initialization process again. The reassign counter is decremented to zero after a TCP SYN-ACK is received from the real server.
  290. SI400 Reassign Monitor Operation
  291.  
  292. The reassign monitor on the SI400 operates quite differently than the stackable (prior to software revision 7.2.23, the reassign monitor was disabled by default). Instead of monitoring the connection state between itself and the real server, the SI400 monitors the connection between itself and the client device. This is accomplished by monitoring for the final ACK from the client in the TCP three way handshake. Another significant difference is that there is no actual ìreassignî (moving the connection attempt to another available real server) should a real server fail to accept the connection. Based on the application in use, the client will either times out, or the third consecutive connection attempt will be passed to the next active server in rotation.
  293. Periodic Healthchecks (keepalives)
  294.  
  295. Periodic keepalives, or ìactiveî monitoring of server port status is disabled by default. In order to enable periodic keepalives, you must configure a port profile for the port in use on the real server.
  296. Port Profiles
  297.  
  298. Port profiles allow the user to specify to the ServerIron various attributes of the application port in use. These attributes include what type of port (TCP or UDP for non well-known ports), keepalive interval and retries, and many other parameters. The ServerIron assumes that non well-known ports are UDP by default. The keepalive parameters ìintervalî and ìretriesî are analogous to OSPF HELLOs and the ìDEADî timers. One item to keep in mind is that when modifying keepalive parameters for the ports in use, the parameters modified apply to the Layer 7 checks for well-known ports unless Layer 7 checks are disabled. For non well-known ports, the parameters apply to only to Layer 4 checks.
  299. Health Checking Recommendations
  300. These recommendations should provide a stable and predictable environment which facilitates the highest amount of uptime and maintainability, as well as clear indications when things do go ìwrongî
  301. Layer 2/3 Healtchecks
  302. The ARP process described above in section () cannot be modified at this time. However, it doesnít appear there are any suitable reasons why constant ìpingsî every 2 seconds from the chassis device is required, and may in fact contribute to unnecessary traffic load on the segment and real servers.
  303.  
  304.  
  305.  
  306. Layer 3 Health Check Recommendations
  307.  
  308. It is recommended the layer 3 healthchecks be set to 1 every 15 seconds, with 1 retry. To do this, use the CLI commands below:
  309.  
  310. Serveriron(config)# server ping-interval 15
  311. Serveriron(config)# server ping-retry 1
  312.  
  313. These commands are available in software releases 7.3.x for the XL, and 7.2.23 and above for the chassis SI400.
  314. Reassign Monitor
  315. The reassign monitor is an excellent tool for troubleshooting and early warning when a particular host or segment is in trouble. Some reassigns are expected during normal operation, but shouldnít exceed 1 or 2 percent of the total client to server (Total C->S Conn) connections counter in the CLI command ìsh server sessionî. Unfortunately, these counters are cumulative, so the observation of reassigns should be via a snapshot of the device when trouble-shooting. It is recommended that the reassign counter threshold be set to 100; this provides ample room for reassign activity and the reassign counter to grow without unnecessarily tripping the threshold, which would result in erroneous syslog messages and the associated healthcheck mechanisms being instigated. To configure the reassign threshold, use the following commands:
  316.  
  317. ServerIron(config)# server reassign-threshold 100
  318.  
  319. It may be desirable, when troubleshooting reassign issues, to temporarily disable the reassign monitor. To do this, use the following CLI command:
  320.  
  321. ServerIron(config)# server no-reassign-count
  322.  
  323. NOTE: When using DSR mode, the reassign monitor is disabled, because the return traffic from the real server never passes through the ServerIron and an unanswered SYN cannot be detected.
  324. Periodic Healthchecks (keepalives)
  325.  
  326. It is recommended that periodic keepalives are enabled at layer 4 only; layer 7 healthchecks should be enabled only where the application requires them. Please consult the Foundry documentation for configuring layer 7 healthchecks. Keepalives should be enabled via port profiles. One keepalive every 30 seconds with a retry value of 2 should be sufficient in most cases; this gives one minute (two missed keepalives) before the SI recognizes that the port is down, and the reassign monitor covers client connectivity in the meantime. To set periodic keepalives at layer 4 only, configure a port profile such as the following:
  327.  
  328. ServerIron(config)# server port 8888
  329. ServerIron(config-port-8888)# tcp
  330. ServerIron(config-port-8888)# tcp keepalive 30 2
  331. ServerIron(config-port-8888)# tcp l4-check-only
  332.  
  333. This tells the ServerIron that port 8888 is TCP (non well-known ports are UDP by default), sets the keepalive interval to 30 seconds with 2 retries, and enables layer 4 checking only. The keepalive interval and retry settings may need to be adjusted to the application's expectations.
  334.  
  335. Caveats
  336.  
  337. When you configure a port profile for a "well known" port, the healthcheck settings refer to Layer 7 healthchecks by default. Set "tcp l4-check-only" for ALL ports unless Layer 7 healthchecks are desired.
  338. The following diagram illustrates the configured healthcheck operation:
  339.  
  340. [Figure: healthcheck operation diagram; not reproduced in this copy]
  341.  
  342. The black outline indicates the reassign monitor. The diagram depicts the healthcheck mechanisms and the resultant actions based on configuration.
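The keepalive and reassign behaviour described in this section (the port-profile interval and retries, the choice between Layer 4 and Layer 7 checks, and the reassign threshold) can be modelled to confirm the timing claims, for instance that a 30 second interval with 2 retries declares a port down one minute after its last good check. The following Python is an added example written for this page, not Foundry code; the well-known port list, the HTTP status rule and the probe outcomes are assumptions made for the example.

```python
# Added example, not Foundry code: a model of the keepalive ("interval" /
# "retries") and reassign-threshold behaviour described above, so the timing
# of the recommended settings can be checked without a switch. Probe outcomes
# are constructed; the status rule in l7_http_ok is an assumption of this
# example, not Foundry's documented Layer 7 check.
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Ports the ServerIron treats as "well known" and gives a Layer 7 check by
# default (assumed subset for the example).
WELL_KNOWN_L7 = {80: "http", 21: "ftp", 554: "rtsp"}


@dataclass
class PortProfile:
    """Mirror of 'server port N' / 'tcp' / 'tcp keepalive I R' / 'tcp l4-check-only'."""
    port: int
    tcp: bool = False            # non well-known ports default to UDP on the SI
    interval: int = 30           # seconds between keepalives
    retries: int = 2             # consecutive misses before the port is declared down
    l4_check_only: bool = False


def check_kind(profile: PortProfile) -> str:
    """Well-known ports get a Layer 7 check unless 'tcp l4-check-only' is set."""
    if profile.port in WELL_KNOWN_L7 and not profile.l4_check_only:
        return "l7"
    return "l4"


def l7_http_ok(response: bytes) -> bool:
    """Layer 7 HTTP check: parse the status line of the reply to 'HEAD /'.
    Assumption for this example: 2xx/3xx is healthy, anything else fails."""
    try:
        version, code, *_ = response.split(b"\r\n", 1)[0].split(b" ")
        return version.startswith(b"HTTP/") and 200 <= int(code) < 400
    except ValueError:
        return False


@dataclass
class RealPort:
    """Health state of one real server port, driven by periodic keepalives."""
    name: str
    profile: PortProfile
    failures: int = 0
    state: str = "active"
    down_at: Optional[int] = None

    def keepalive(self, now: int, healthy: bool) -> str:
        """Apply one keepalive result observed at time 'now' (seconds)."""
        if healthy:
            self.failures, self.state = 0, "active"
        else:
            self.failures += 1
            if self.failures >= self.profile.retries and self.state != "failed":
                self.state, self.down_at = "failed", now
        return self.state


def run_keepalives(rp: RealPort, outcomes: List[bool]) -> Tuple[str, Optional[int]]:
    """Send keepalives at the profile interval with constructed outcomes;
    return the final state and the time at which the port was declared down."""
    for i, ok in enumerate(outcomes):
        rp.keepalive(i * rp.profile.interval, ok)
    return rp.state, rp.down_at


@dataclass
class ReassignMonitor:
    """'server reassign-threshold N': count client SYNs the chosen real server
    did not answer. Disabled in DSR mode, where the SI never sees the reply."""
    threshold: int = 100
    dsr: bool = False
    total_cs_conn: int = 0
    reassigns: int = 0
    tripped: bool = False

    def observe(self, syn_answered: bool) -> None:
        self.total_cs_conn += 1
        if self.dsr or syn_answered:
            return
        self.reassigns += 1
        if self.reassigns >= self.threshold:
            self.tripped = True   # on the switch: syslog message and forced healthcheck

    def ratio(self) -> float:
        """Reassigns as a fraction of Total C->S Conn; above about 0.02 is suspect."""
        return self.reassigns / self.total_cs_conn if self.total_cs_conn else 0.0


if __name__ == "__main__":
    # Recommended profile: non well-known TCP port, 30 s interval, 2 retries, L4 only.
    rp = RealPort("real1", PortProfile(8888, tcp=True, l4_check_only=True))
    print(check_kind(rp.profile), run_keepalives(rp, [True, False, False]))  # l4 ('failed', 60)
```

The model keeps the two mechanisms separate on purpose: the keepalive state machine only sees its own probes, while the reassign monitor only sees client SYNs, which is why the document recommends a threshold high enough that normal reassign noise does not trip it and why the monitor is meaningless under DSR.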
  343. Server Load Balancing Configuration
  344.  
  345. By default, the ServerIron operates as a Layer 2 switch. To enable Layer 4/7 switching, various parameters must be set. These include defining the real and virtual servers, as well as any pertinent parameters for the functions the device will be performing.
  346. The IP Policy Command
  347.  
  348. The IP Policy command is required on the SI400; it enables the 3 barrel processors on the WSM4 / M5 management board for SLB operation. If it is not enabled, the management processor performs the SLB functions, with less than desirable performance.
  349.  
  350. To enable the barrel processors on the WSM4 / M5, use the following global command (the 07.2.25 example in Appendix A shows the form "ip policy 1 cache tcp 0 global"; use the syntax documented for the installed release):
  351.  
  352. ServerIron(config)# ip policy 1 tcp 0 global
  353. Basic Server Load Balancing
  354. Real Server Configuration Parameters
  355.  
  356. Below is a standard ìreal serverî configuration:
  357.  
  358. server real real1 1.1.1.10
  359. port http
  360. port http url "HEAD /"
  361.  
  362. The first line, "server real real1 1.1.1.10", identifies the server as a "real" server with the name real1 and IP address 1.1.1.10 (in non-DSR mode the real server must not share the VIP's address). The second line tells the ServerIron the layer 4 port on which this real server accepts connections. This value can be between the ranges of (gap in the original). Because HTTP is a "well known" service to the ServerIron, the third line is added automatically for Layer 7 healthcheck purposes. Other, non-standard real server options are discussed in the following sections.
  363. Virtual Server Configuration Parameters
  364.  
  365. The "virtual server", or VIP, is what the client sees as the host providing the requested service(s). The following depicts a "basic" virtual server configuration:
  366.  
  367. server virtual VIP 1.1.1.1 (Virtual Server Name and IP address)
  368. port http (Port serviced by the VIP)
  369. bind http real1 http real2 http real3 http (VIP port to real server port binding)
  370.  
  371. A more complex configuration may look as follows:
  372.  
  373. server virtual VIP 1.1.1.1 (Virtual Server Name and IP address)
  374. port ftp (Port serviced by the VIP)
  375. port ftp dsr (sets FTP to DSR mode)
  376. port ftp sticky (sets stickiness)
  377. port ftp concurrent (sets concurrent mode)
  378.  
  379. Load Balancing Predictor
  380.  
  381. The load balancing predictor was previously discussed in Section (). As stated, this can also be configured on a per-VIP basis. Configuring the predictor on the VIP will override the globally configured predictor settings.
  382.  
  383. Load Balancing Predictor Recommendations
  384. It is recommended that the initial predictor be set to Round-Robin. To set the predictor under the VIP, use the following commands:
  385.  
  386. ServerIron(config)# server virtual VIP 1.1.1.1
  387. ServerIron(config-vs-VIP)# predictor round-robin
  388. "Sticky" Ports
  389.  
  390. "Sticky" refers to the ServerIron sending subsequent requests from the same client for the same resource to the real server chosen for that client during the initial real server selection. A good example of when to use sticky ports is a shopping cart application (online shopping), where web pages are created dynamically by the real server based on user input. Streaming media applications and SSL are other cases that may require sticky ports. To set a virtual server application port as "sticky", use the following CLI commands:
  391.  
  392. ServerIron(config)# server virtual VIP 1.1.1.1
  393. ServerIron(config-vs-VIP)# port rtsp sticky
  394. "Concurrent" Ports
  395.  
  396. Concurrent allows a client to have multiple connections to the same real server on multiple application ports, as is the case with non-passive (active) FTP, where the control and data connections must reach the same real server. To configure concurrent ports, use the following CLI commands:
  397.  
  398. ServerIron(config)# server virtual VIP 1.1.1.1
  399. ServerIron(config-vs-VIP)# port rtsp concurrent
  400. Direct Server Return (DSR)
  401.  
  402. Direct Server Return, or "switchback", refers to the real server replying directly to the client, without the return packet flow traversing back through the switch.
  403. Non-DSR Review
  404. In non-DSR mode the ServerIron operates in "half-NAT" mode: it NATs the destination IP address from the VIP to the real server's IP address, and translates the source address of the reply back to the VIP. Two session entries are created in this case, one for the client-to-VIP connection and one for the ServerIron-to-real-server connection. Each session consumes approximately 32 bytes of memory.
  405. DSR Operation
  406. In DSR mode no NAT function is performed. Instead, a "loopback" interface carrying the same IP address as the ServerIron VIP is configured on each real server. Client traffic is passed to the real server without changing the destination IP address; the SI only rewrites the destination MAC address to that of the chosen real server. The real server accepts the frame at the link layer and passes the datagram up to the IP layer; because the destination IP address is locally configured, it accepts the datagram and hands the segment to the appropriate service. The reply travels from the real server straight to the client with the VIP as its source address. This lets the ServerIron create only one session entry, the client-to-VIP session, and it need not process the return traffic from the real server at all. There are two distinct benefits: since only one session entry is created, twice as many client sessions are possible, and overall throughput increases because of the lower CPU load.
  407. Another possible benefit is that using DSR with the SI400, we reduce the possibility of having recurring ìsession synchronizationî issues between the barrel processors.
  408. DSR / Non-DSR Recommendations
  409. It is recommended that DSR mode be used where possible. DSR may not be suitable when load balancing protocols that require a "back channel", for example some streaming media applications. DSR also depends on being able to configure a loopback address on the real server's operating system, which is not always possible (e.g., DEC). Because every real server then carries the VIP address, the loopback must be configured so that the real server does not answer ARP requests for the VIP; otherwise the real server competes with the ServerIron for the VIP and client traffic bypasses load balancing. The benefits of DSR are twofold, literally: twice the session capacity on the switch and twice the overall performance.
  410. DSR is enabled on a per port basis under the virtual server definition. To configure DSR, use the following cli commands:
  411. ServerIron(config)# server virtual VIP 1.1.1.1
  412. ServerIron(config-vs-VIP)# port http dsr
  413. *For FTP, particularly non-passive mode FTP, ìstickyî and ìconcurrentî must also be configured for the port when using DSR.
  414. Port Translation
  415. One-to-Many
  416. Port translation is used when the actual real server port does not match the port accepting connections on the VIP. The ServerIron "translates" the port numbers based on the binding from the VIP port number to the port on the real server. This is the default behavior, and is sometimes referred to as a "one to many" configuration.
  417. Many-to-One
  418. By default, the ServerIron will not allow many different ports on the VIP(s) to be bound to the same port on a real server. Disabling port translation on the VIPs, and leaving healthchecks off the "fake" real server ports, provides a work-around. The following illustrates this method:
  419.  
  420. server real real1 1.1.1.10
  421. port 567
  422. port 568
  423. port http
  424. !
  425. server real real2 1.1.1.11
  426. port 567
  427. port 568
  428. port http
  429. !
  430. server real real3 1.1.1.12
  431. port 567
  432. port 568
  433. port http
  434. !
  435. server real real4 1.1.1.13
  436. port 567
  437. port 568
  438. port http
  439. !
  440. server virtual VIP1 1.1.1.1
  441. port http
  442. no port http translate
  443. bind http real1 568 real2 568 real3 568 real4 568
  444. !
  445. server virtual VIP2 1.1.1.2
  446. port http
  447. no port http translate
  448. bind http real1 567 real2 567 real3 567 real4 567
  449.  
  450. The device will accept HTTP requests on both VIPs and distribute the connections, untranslated, to all four real servers on port 80; the real server ports 567 and 568 exist only to give each VIP a distinct binding and are never used on the wire.
  451.  
  452. *Note: Round Robin must be the predictor set.
  453.  
  454. DO NOT CONFIGURE HEALTHCHECKS ON THE "FAKE" REAL SERVER PORTS!
  455.  
  456. DSR mode cannot be used in conjunction with port translation.
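The rules stated in the Health Checking Recommendations and in the port translation and DSR sections above are mechanical enough to check before a configuration is pushed. The following lint pass is an added example for this page, not Foundry's code or tooling; the name-to-port map, the finding texts and the sample configuration are constructed for the example, and the parser understands only the commands used in this document.

```python
# Added example, not Foundry code: a lint pass over a ServerIron configuration
# that checks the rules stated above (l4-check-only on keepalive port profiles,
# reassign-threshold set, no DSR with port translation, sticky+concurrent for
# FTP under DSR, round-robin and no healthchecks on the "fake" ports of the
# many-to-one work-around). The sample config is constructed for the example.
from collections import defaultdict
from typing import Dict, List

WELL_KNOWN = {"http": 80, "ftp": 21, "rtsp": 554, "ssl": 443}  # assumed name-to-port map


def pnum(tok: str) -> int:
    return WELL_KNOWN[tok] if tok in WELL_KNOWN else int(tok)


def parse(config: str) -> Dict:
    """Build port-profile, real and virtual server tables. Sub-commands may be
    unindented (as in the appendix dumps), so context comes from the most recent
    'server port|real|virtual' line and is reset by any other command."""
    cfg = {"reassign_threshold": None, "profiles": {}, "reals": {}, "vips": {}}
    kind = obj = None
    for raw in config.splitlines():
        t = raw.split()
        if not t or t[0] == "!":
            continue
        if t[0] == "server":
            kind = t[1] if t[1] in ("port", "real", "virtual") else None
            if t[1] == "reassign-threshold":
                cfg["reassign_threshold"] = int(t[2])
            elif kind == "port":
                obj = cfg["profiles"].setdefault(pnum(t[2]), {"keepalive": None, "l4_only": False})
            elif kind == "real":
                obj = cfg["reals"].setdefault(t[2], {"ports": defaultdict(dict)})
            elif kind == "virtual":
                obj = cfg["vips"].setdefault(
                    t[2], {"ports": defaultdict(dict), "binds": defaultdict(list), "predictor": None})
        elif kind == "port" and t[0] == "tcp":
            if t[1:2] == ["keepalive"]:
                obj["keepalive"] = (int(t[2]), int(t[3]))
            elif t[1:2] == ["l4-check-only"]:
                obj["l4_only"] = True
        elif kind in ("real", "virtual") and t[0] == "port":
            flags = obj["ports"][pnum(t[1])]           # creates the port entry
            if len(t) > 2:
                flags[t[2]] = True                     # dsr, sticky, concurrent, keepalive, url ...
        elif kind == "virtual" and t[:2] == ["no", "port"] and t[3:4] == ["translate"]:
            obj["ports"][pnum(t[2])]["translate"] = False
        elif kind == "virtual" and t[0] == "predictor":
            obj["predictor"] = t[1]
        elif kind == "virtual" and t[0] == "bind":
            obj["binds"][pnum(t[1])] += [(t[i], pnum(t[i + 1])) for i in range(2, len(t) - 1, 2)]
        else:
            kind = None                                # some other top-level command
    return cfg


def lint(config: str) -> List[str]:
    cfg, out = parse(config), []
    if cfg["reassign_threshold"] is None:
        out.append("global: 'server reassign-threshold' not set (recommended 100)")
    for num, pr in cfg["profiles"].items():
        if pr["keepalive"] and not pr["l4_only"]:
            out.append(f"port profile {num}: keepalive without 'tcp l4-check-only'")
    for vname, v in cfg["vips"].items():
        for vp, flags in v["ports"].items():
            binds = v["binds"].get(vp, [])
            if flags.get("dsr") and any(rp != vp for _, rp in binds):
                out.append(f"{vname} port {vp}: dsr cannot be combined with port translation")
            if flags.get("dsr") and vp == 21 and not (flags.get("sticky") and flags.get("concurrent")):
                out.append(f"{vname} port {vp}: ftp under dsr needs sticky and concurrent")
            if flags.get("translate") is False:        # many-to-one work-around
                if v["predictor"] != "round-robin":
                    out.append(f"{vname} port {vp}: 'no port translate' requires predictor round-robin")
                for real, rp in binds:
                    on_real = cfg["reals"].get(real, {"ports": {}})["ports"].get(rp, {})
                    in_profile = (cfg["profiles"].get(rp) or {}).get("keepalive")
                    if on_real.get("keepalive") or in_profile:
                        out.append(f"{real} port {rp}: healthcheck configured on a fake port")
    return out


# Constructed sample with one violation of each rule.
SAMPLE_BAD = """\
server port 80
tcp
tcp keepalive 30 2
!
server real web1 1.1.1.10
port 567
port 567 keepalive
!
server virtual vip-a 1.1.1.1
port http
port http dsr
bind http web1 8080
!
server virtual vip-b 1.1.1.2
port http
no port http translate
bind http web1 567
!
server virtual vip-ftp 1.1.1.3
port ftp
port ftp dsr
bind ftp web1 ftp
"""
```

Run `lint()` over a `show running-config` capture; every finding maps to one of the rules in this document, and a clean configuration returns an empty list. The parser deliberately resets context on any unrecognised top-level command, so management or VLAN lines in a full dump do not get mistaken for SLB sub-commands.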
  457. Advanced Server Load Balancing
  458. Layer 7 Switching
  459. To be added in later revisions.
  460. Transparent Caching
  461. To be added in later revisions.
  462. Code Matrix
  463. The following are the recommended code revisions for Foundry Layer 4 switches:
  464.  
  465. Product    Code Revision    Patch
  466. SI         7.1.06           -
  467. SI/XL      7.3              05d*
  468. BSI        7.1              21b**
  469. SI400      7.2              26f***
  480.  
  481.  
  482. *Patch revision 05d: Fixes x.x.x.x
  483. **Patch revision 21b has the "dm flash" fix.
  484. ***Patch revision 26f fixes an ACL range issue.
  485.  
  486. Foundry release notes are in the customer technical support area on the Foundry website. Patch revision release notes can be obtained from the Foundry onsite support engineers.
  487. System Maintenance
  488. Software Maintenance
  489. Upgrading Code
  490.  
  491. To upgrade code on the XL and BSI devices, the new code is loaded into flash via TFTP and the device is subsequently rebooted. TFTP provides no authentication or integrity protection, so load images only from a controlled TFTP server and confirm the image name and revision against the release notes before rebooting. To upgrade code on the XL and BSI devices, use the following command:
  492.  
  493. ServerIron# copy tftp flash <tftp server IP> <image name> primary | secondary
  494.  
  495. For the SI400, two code images are required: one for the management processor and one for the barrel processors. IT IS REQUIRED THAT BOTH RUN THE SAME REVISION / PATCH LEVEL.
  496.  
  497. The barrel processors must be loaded first. To upgrade the code on the barrel processor, use the following command:
  498.  
  499. ServerIron# wsm copy tftp flash <tftp server IP> <image name> primary | secondary
  500.  
  501. To load the management processor, use the following command:
  502.  
  503. ServerIron# copy tftp flash <tftp server IP> <image name> primary | secondary
  504.  
  505. *NOTE If you are upgrading code, please refer to the release notes for that revision to check for boot code dependencies.
  506.  
  507. Hardware Maintenance / Caveats
  508. WSM4 / M5 Chassis Requirements
  509. The SI400 requires "-A" linecards. These include both the B8G-A (8 port Gigabit Ethernet module) and the B24E-A (24 port 10/100 Ethernet module). There is no restriction on the placement of the various modules within the device; however, for consistency it is recommended that the management board be placed in slot 1.
  510. A BigIron Chassis can be upgraded to an SI400 by replacing the Management board, but as stated above, the appropriate linecards are required.
  511. Upgrading a BigIron L2/L3 device for SLB/BSI Requirements
  512. An M3 or M4 management board with an EEPROM upgrade is required in order to run the BSI code.
  513. Operational Maintenance
  514. Removing A Real Server (or port) from rotation
  515. Temporarily removing a real server from rotation
  516. Disable the port on the real server (ServerIron(config-rs-real1)# disable port [port #]); with "server force-delete" configured, the existing sessions are cleared within two minutes.
  517.  
  518. Permanently removing a real server
  519. To permanently remove a real server (or port) from the configuration, perform the following steps:
  520.  
  521. Under the real server configuration, enter the following:
  522. ServerIron(config-rs-real1)# disable port [port #]
  523.  
  524. Under the virtual server configuration, enter the following:
  525. ServerIron(config-vs-VIP)# no bind [port #] [real-server] [port #]
  526. Summary
  527. This document hopes to take some of the cloudiness out of configuring a Foundry device for SLB. If there are any suggestions or recommendations, please contact Tony Cooper (tonycooper02@aol.com) or ...
  528.  
  529. Appendix A - Case Studies: Example Configurations and Caveats
  530. Basic SLB Configuration Examples
  531. Basic SLB (with Layer 7 healthchecks enabled)
  532. ver 07.2.25T22
  533. module 1 bi-0-port-wsm-management-module
  534. module 2 bi-8-port-gig-module
  535. module 3 bi-24-port-copper-module
  536. module 4 bi-24-port-copper-module
  537. !
  538. no global-stp
  539. !
  540. !
  541. server force-delete
  542. server reassign-threshold 250
  543. server tcp-age 6
  544. server syn-def 6
  545. server router-ports ethernet 2/1
  546. server router-ports ethernet 2/2
  547. !
  548. server real wads-d01b 205.188.165.65
  549. port http
  550. port http keepalive
  551. port http url "GET /admin/hello"
  552. !
  553. server real wads-d02b 205.188.165.66
  554. port http
  555. port http keepalive
  556. port http url "GET /admin/hello"
  557. !
  558. server real wads-d03b 205.188.165.67
  559. port http
  560. port http keepalive
  561. port http url "GET /admin/hello"
  562. !
  563. server real wads-d04b 205.188.165.68
  564. port http
  565. port http keepalive
  566. port http url "GET /admin/hello"
  567. !
  568. server real wads-d05b 205.188.165.69
  569. port http
  570. port http keepalive
  571. port http url "GET /admin/hello"
  572. !
  573. server real wads-d06b 205.188.165.70
  574. port http
  575. port http keepalive
  576. port http url "GET /admin/hello"
  577. !
  578. server real wads-d07b 205.188.165.71
  579. port http
  580. port http keepalive
  581. port http url "GET /admin/hello"
  582. !
  583. server real wads-d08b 205.188.165.72
  584. port http
  585. port http keepalive
  586. port http url "GET /admin/hello"
  587. !
  588. server real wads-d09b 205.188.165.73
  589. port http
  590. port http keepalive
  591. port http url "GET /admin/hello"
  592. !
  593. server real wads-d10b 205.188.165.74
  594. port http
  595. port http keepalive
  596. port http url "GET /admin/hello"
  597. !
  598. server real wads-d11b 205.188.165.75
  599. port http
  600. port http keepalive
  601. port http url "GET /admin/hello"
  602. !
  603. server real wads-d12b 205.188.165.76
  604. port http
  605. port http keepalive
  606. port http url "GET /admin/hello"
  607. !
  608. server real wads-d13b 205.188.165.77
  609. port http
  610. port http keepalive
  611. port http url "GET /admin/hello"
  612. !
  613. server real wads-d14b 205.188.165.78
  614. port http
  615. port http keepalive
  616. port http url "GET /admin/hello"
  617. !
  618. server real wads-d15b 205.188.165.79
  619. port http
  620. port http keepalive
  621. port http url "GET /admin/hello"
  622. !
  623. server real wads-d16b 205.188.165.80
  624. port http
  625. port http keepalive
  626. port http url "GET /admin/hello"
  627. !
  628. server real wads-d17b 205.188.165.81
  629. port http
  630. port http keepalive
  631. port http url "GET /admin/hello"
  632. !
  633. server real wads-d18b 205.188.165.82
  634. port http
  635. port http keepalive
  636. port http url "GET /admin/hello"
  637. !
  638. server real wads-d19b 205.188.165.83
  639. port http
  640. port http keepalive
  641. port http url "GET /admin/hello"
  642. !
  643. server real wads-d20b 205.188.165.84
  644. port http
  645. port http keepalive
  646. port http url "GET /admin/hello"
  647. !
  648. server real wads-d21b 205.188.165.85
  649. port http
  650. port http keepalive
  651. port http url "GET /admin/hello"
  652. !
  653. server real wads-d22b 205.188.165.86
  654. port http
  655. port http keepalive
  656. port http url "GET /admin/hello"
  657. !
  658. server real wads-d23b 205.188.165.87
  659. port http
  660. port http keepalive
  661. port http url "GET /admin/hello"
  662. !
  663. server real wads-d24b 205.188.165.88
  664. port http
  665. port http keepalive
  666. port http url "GET /admin/hello"
  667. !
  668. server real wads-d25b 205.188.165.89
  669. port http
  670. port http keepalive
  671. port http url "GET /admin/hello"
  672. !
  673. server real wads-d26b 205.188.165.90
  674. port http
  675. port http keepalive
  676. port http url "GET /admin/hello"
  677. !
  678. server real wads-d27b 205.188.165.91
  679. port http
  680. port http keepalive
  681. port http url "GET /admin/hello"
  682. !
  683. server real wads-d28b 205.188.165.92
  684. port http
  685. port http keepalive
  686. port http url "GET /admin/hello"
  687. !
  688. server real wads-d29b 205.188.165.93
  689. port http
  690. port http keepalive
  691. port http url "GET /admin/hello"
  692. !
  693. server real wads-d30b 205.188.165.94
  694. port http
  695. port http keepalive
  696. port http url "GET /admin/hello"
  697. !
  698. server real wads-d31b 205.188.165.95
  699. port http
  700. port http keepalive
  701. port http url "GET /admin/hello"
  702. !
  703. server real wads-d32b 205.188.165.96
  704. port http
  705. port http keepalive
  706. port http url "GET /admin/hello"
  707. !
  708. server real wads-d33b 205.188.165.97
  709. port http
  710. port http keepalive
  711. port http url "GET /admin/hello"
  712. !
  713. server real wads-d34b 205.188.165.98
  714. port http
  715. port http keepalive
  716. port http url "GET /admin/hello"
  717. !
  718. server real wads-d35b 205.188.165.99
  719. port http
  720. port http keepalive
  721. port http url "GET /admin/hello"
  722. !
  723. server real wads-d36b 205.188.165.100
  724. port http
  725. port http keepalive
  726. port http url "GET /admin/hello"
  727. !
  728. server real wads-d37b 205.188.165.101
  729. port http
  730. port http keepalive
  731. port http url "GET /admin/hello"
  732. !
  733. server real wads-d38b 205.188.165.102
  734. port http
  735. port http keepalive
  736. port http url "GET /admin/hello"
  737. !
  738. server real wads-d39b 205.188.165.103
  739. port http
  740. port http keepalive
  741. port http url "GET /admin/hello"
  742. !
  743. server real wads-d40b 205.188.165.104
  744. port http
  745. port http keepalive
  746. port http url "GET /admin/hello"
  747. !
  748. !
  749. server virtual ads.web.aol.com 205.188.165.121
  750. predictor round-robin
  751. port http
  752. bind http wads-d40b http wads-d39b http wads-d38b http wads-d37b http
  753. bind http wads-d36b http wads-d35b http wads-d34b http wads-d33b http
  754. bind http wads-d32b http wads-d31b http wads-d30b http wads-d29b http
  755. bind http wads-d28b http wads-d27b http wads-d26b http wads-d25b http
  756. bind http wads-d24b http wads-d23b http wads-d22b http wads-d21b http
  757. bind http wads-d20b http wads-d19b http wads-d18b http wads-d17b http
  758. bind http wads-d16b http wads-d15b http wads-d14b http wads-d13b http
  759. bind http wads-d12b http wads-d11b http wads-d10b http wads-d09b http
  760. bind http wads-d08b http wads-d07b http wads-d06b http wads-d05b http
  761. bind http wads-d04b http wads-d03b http wads-d02b http wads-d01b http
  762. !
  763. !
  764. no spanning-tree
  765. qd-100 160 31 31 31
  766. qd-1000 160 31 31 31
  767. l2-hw-age-dis
  768. system-max tcp-buffer 512
  769. !
  770. console timeout 10
  771. enable password-display
  772. enable super-user-password 0 articul8
  773. hostname wadse2-dr5-sw0
  774. ip address 205.188.165.122 255.255.255.192
  775. ip default-gateway 205.188.165.125
  776. ip dns domain-name AOL.COM
  777. ip dns server-address 205.188.152.6 205.188.152.37
  778. ip policy 1 cache tcp 0 global
  779. logging 205.188.151.2
  780. logging 172.31.15.13
  781. logging 172.20.20.33
  782. logging facility local5
  783. mac-age 0
  784. no flow-control
  785. telnet client 152.163.136.1
  786. telnet client 152.163.136.2
  787. telnet client 205.188.151.9
  788. telnet client 205.188.151.10
  789. telnet client 64.12.64.34
  790. telnet client 64.12.64.33
  791. telnet client 152.163.177.103
  792. telnet timeout 10
  793. snmp-server community 0 Just1SNmPcomuntyRO2bchangd2k+ ro 8
  794. snmp-server contact NetOps
  795. snmp-server location dr5 cz05
  796. clock summer-time
  797. clock timezone us Eastern
  798. sntp server 205.188.152.1
  799. sntp server 205.188.152.2
  800. no web-management
  801. interface e 2/1
  802. no flow-control
  803. !
  804. interface e 2/2
  805. no ... (concatenated)
  806. !
  807. access-list 8 permit 64.12.64.32 0.0.0.15
  808. access-list 8 permit 152.163.82.0 0.0.0.255
  809. access-list 8 permit 152.163.129.0 0.0.0.255
  810. access-list 8 permit 152.163.136.0 0.0.0.255
  811. access-list 8 permit 152.163.177.0 0.0.0.255
  812. access-list 8 permit 172.18.0.0 0.0.255.255
  813. access-list 8 permit 172.20.0.0 0.0.255.255
  814. access-list 8 permit 172.31.0.0 0.0.255.255
  815. access-list 8 permit 192.168.137.0 0.0.0.255
  816. access-list 8 permit 205.188.151.0 0.0.0.255
  817. access-list 8 permit 207.200.78.0 0.0.0.255
  818. access-list 8 permit host 206.222.240.77
  819. !
  820. !
  821. end
  822. Basic SLB with DSR Enabled
  823.  
  824. ver 07.1.18T12
  825. no global-stp
  826. !
  827. !
  828. server force-delete
  829. server reassign-threshold 250
  830. server syn-def 6
  831. server tcp-msl 6
  832. server sticky-age 30
  833. !
  834. server port 554
  835. tcp
  836. !
  837. !
  838. server real ondmdms1-r01 64.12.38.33
  839. port rtsp
  840. port http
  841. port http url "HEAD /"
  842. !
  843. server real ondmdms1-r02 64.12.38.34
  844. port rtsp
  845. port http
  846. port http url "HEAD /"
  847. !
  848. server real qtdownload1-sd01 64.12.38.35
  849. port rtsp
  850. port http
  851. port http url "HEAD /"
  852. !
  853. server real qtdownload1-sd02 64.12.38.36
  854. port rtsp
  855. port http
  856. port http url "HEAD /"
  857. !
  858. server real qtdownload1-sd03 64.12.38.37
  859. port rtsp
  860. port http
  861. port http url "HEAD /"
  862. !
  863. !
  864. server virtual ondmdms1-VIP 64.12.38.57
  865. predictor weighted
  866. port rtsp
  867. port rtsp dsr
  868. port http sticky
  869. port http dsr
  870. bind rtsp ondmdms1-r01 rtsp ondmdms1-r02 rtsp
  871. bind http ondmdms1-r01 http ondmdms1-r02 http
  872. !
  873. server virtual vip1-qt 64.12.38.56
  874. predictor round-robin
  875. port http
  876. port http dsr
  877. !
  878. server virtual darwin-vip1 64.12.38.55
  879. port rtsp sticky
  880. port rtsp dsr
  881. port http sticky
  882. port http dsr
  883. bind rtsp qtdownload1-sd01 rtsp qtdownload1-sd02 rtsp qtdownload1-sd03 rtsp
  884. bind http qtdownload1-sd01 http qtdownload1-sd03 http qtdownload1-sd02 http
  885. !
  886. vlan 1 name DEFAULT-VLAN by port
  887. no spanning-tree
  888. !
  889. console timeout 10
  890. enable password-display
  891. enable super-user-password 0 xxxxx
  892. hostname abasketms1-mr1-sw0
  893. ip address 64.12.38.58 255.255.255.224
  894. ip default-gateway 64.12.38.61
  895. ip dns domain-name AOL.COM
  896. ip dns server-address 64.12.66.5 64.12.66.36
  897. logging 172.20.20.33
  898. logging 172.20.20.33
  899. logging 152.163.177.103
  900. logging 205.188.151.2
  901. logging facility local5
  902. mac-age 0
  903. system-max tcp-buffer 512
  904. !
  905. telnet client 152.163.136.2
  906. telnet client 152.163.136.1
  907. telnet client 205.188.151.9
  908. telnet client 205.188.151.10
  909. telnet client 152.163.177.103
  910. telnet client 64.12.64.34
  911. telnet client 64.12.64.33
  912. telnet timeout 10
  913. snmp-server community 0 Just1SNmPcomuntyRO2bchangd2k+ ro 8
  914. snmp-server contact NetOps
  915. snmp-server location MR1 CH-138
  916. clock timezone us Eastern
  917. sntp server 64.12.66.33
  918. sntp server 64.12.66.2
  919. no web-management
  920. interface e 1
  921. speed-duplex 100-full
  922. no flow-control
  923. !
  924. interface e 2
  925. speed-duplex 100-full
  926. no flow-control
  927. !
  928. interface e 3
  929. speed ... (concatenated)
  930. !
  931. access-list 8 permit 64.12.64.32 0.0.0.15
  932. access-list 8 permit 152.163.82.0 0.0.0.255
  933. access-list 8 permit 152.163.129.0 0.0.0.255
  934. access-list 8 permit 152.163.136.0 0.0.0.255
  935. access-list 8 permit 152.163.177.0 0.0.0.255
  936. access-list 8 permit 172.18.0.0 0.0.255.255
  937. access-list 8 permit 172.20.0.0 0.0.255.255
  938. access-list 8 permit 172.31.0.0 0.0.255.255
  939. access-list 8 permit 192.168.137.0 0.0.0.255
  940. access-list 8 permit 205.188.151.0 0.0.0.255
  941. access-list 8 permit 207.200.78.0 0.0.0.255
  942. access-list 8 permit host 206.222.240.77
  943. !
  944. !
  945. end
  946. Advanced SLB Configuration Examples
  947. SLB with Cookie Switching Enabled
  948. server force-delete
  949. server session-limit 1000000
  950. server reassign-threshold 100
  951. server syn-def 6
  952.  
  953. server port 80
  954. tcp
  955.  
  956. server port 1030
  957. tcp
  958.  
  959. server port 1031
  960. tcp
  961.  
  962. server port 1032
  963. tcp
  964.  
  965. server port 1033
  966. tcp
  967.  
  968. server port 8001
  969. tcp
  970. server router-ports 25 26
  971. !
  972. !
  973. server real plogic-sd03 205.188.135.99
  974. port 1032
  975. port 1031
  976. port 1031 server-id 1027
  977. port 1030
  978. port 1030 server-id 1027
  979. port http
  980. port http url "HEAD /"
  981. port http l4-check-only
  982. port 1033
  983. port 8001
  984. port 8001 server-id 1027
  985. port 1040
  986. !
  987. server real plogic-sd04 205.188.135.100
  988. port 1032
  989. port 1031
  990. port 1031 server-id 1028
  991. port 1030
  992. port 1030 server-id 1028
  993. port http
  994. port http url "HEAD /"
  995. port http l4-check-only
  996. port http server-id 1028
  997. port 1033
  998. port 8001
  999. port 8001 server-id 1028
  1000. port 1040
  1001. !
  1002. server real plogic-sd05 205.188.135.101
  1003. port http
  1004. port http url "HEAD /"
  1005. port http l4-check-only
  1006. port http server-id 1029
  1007. port 1030
  1008. port 1030 server-id 1029
  1009. port 1031
  1010. port 1031 server-id 1029
  1011. port 1032
  1012. port 1033
  1013. port 8001
  1014. port 8001 server-id 1029
  1015. port 1040
  1016. !
  1017. server real plogic-sd01 205.188.135.97
  1018. port 1032
  1019. port 1031
  1020. port 1030
  1021. port http
  1022. port http url "HEAD /"
  1023. port http l4-check-only
  1024. port http server-id 1025
  1025. port 1033
  1026. port 1041
  1027. port 1043
  1028. port 1044
  1029. !
  1030. server real plogic-sd02 205.188.135.98
  1031. port 1032
  1032. port 1031
  1033. port 1030
  1034. port http
  1035. port http url "HEAD /"
  1036. port http l4-check-only
  1037. port http server-id 1026
  1038. port 1033
  1039. port 1041
  1040. port 1043
  1041. port 1044
  1042. !
  1043. server real plogic-sd06 205.188.135.102
  1044. port http
  1045. port http url "HEAD /"
  1046. port http l4-check-only
  1047. port http server-id 1030
  1048. !
  1049. server real plogic-sd07 205.188.135.103
  1050. port http
  1051. port http url "HEAD /"
  1052. port http l4-check-only
  1053. port http server-id 1031
  1054. port 1030
  1055. port 1030 server-id 1031
  1056. port 1031
  1057. port 1031 server-id 1031
  1058. port 1032
  1059. port 1032 server-id 1031
  1060. port 1033
  1061. port 1033 server-id 1031
  1062. port 8001
  1063. port 8001 server-id 1031
  1064. !
  1065. server real plogic-sd08 205.188.135.105
  1066. port http
  1067. port http url "HEAD /"
  1068. port http l4-check-only
  1069. port http server-id 1032
  1070. port 1030
  1071. port 1030 server-id 1032
  1072. port 1031
  1073. port 1031 server-id 1032
  1074. port 1032
  1075. port 1032 server-id 1032
  1076. port 1033
  1077. port 1033 server-id 1032
  1078. port 8001
  1079. port 8001 server-id 1032
  1080. !
  1081. server virtual aolsvc.decisionguides 205.188.135.118
  1082. predictor round-robin
  1083. port http sticky
  1084. port http cookie-name "pl_serverid"
  1085. port http cookie-switching
  1086. bind http plogic-sd03 http plogic-sd04 http plogic-sd05 http
  1087. !
server virtual cssvc.decisionguides 205.188.135.119
predictor round-robin
port http sticky
port http cookie-name "pl_serverid"
port http cookie-switching
bind http plogic-sd03 1030 plogic-sd04 1030 plogic-sd05 1030
!
server virtual webcenter.decisionguides 205.188.135.120
predictor round-robin
port http sticky
port http cookie-name "pl_serverid"
bind http plogic-sd03 1031 plogic-sd04 1031 plogic-sd05 1031
!
server virtual webcenter.netscape 205.188.135.121
predictor round-robin
port http sticky
port http cookie-name "pl_serverid"
port http cookie-switching
bind http plogic-sd03 1032 plogic-sd04 1032 plogic-sd05 1032
!
server virtual aolsvc.recipes.aol.com 205.188.135.114
predictor round-robin
port http
bind http plogic-sd01 http plogic-sd02 http
!
server virtual cssvc.recipes.compuserve.com 205.188.135.115
predictor round-robin
port http
bind http plogic-sd01 1030 plogic-sd02 1030
!
server virtual webcenter.recipes.aol.com 205.188.135.116
predictor round-robin
port http
bind http plogic-sd01 1031 plogic-sd02 1031
!
server virtual webcenter.recipes.netscape.com 205.188.135.117
predictor round-robin
port http
bind http plogic-sd01 1032 plogic-sd02 1032
!
server virtual cookinglight.recipes.aol.com 205.188.135.113
predictor round-robin
port http
bind http plogic-sd01 1033 plogic-sd02 1033
!
server virtual autotrader.decisionguides 205.188.135.112
predictor round-robin
port http sticky
port http cookie-name "pl_serverid"
port http cookie-switching
bind http plogic-sd03 1033 plogic-sd04 1033 plogic-sd05 1033
!
server virtual aolsvc.illnesses 205.188.135.109
predictor round-robin
port http
bind http plogic-sd01 1041 plogic-sd02 1041
!
server virtual webcenter.illnesses 205.188.135.110
predictor round-robin
port http
bind http plogic-sd01 1043 plogic-sd02 1043
!
server virtual cssvc.illnesses 205.188.135.111
predictor round-robin
port http
bind http plogic-sd01 1044 plogic-sd02 1044
!
server virtual decisionguides.websys.aol.com 205.188.135.106
predictor round-robin
port http sticky
port http cookie-name "pl_serverid"
port http cookie-switching
bind http plogic-sd03 8001 plogic-sd04 8001 plogic-sd05 8001
!
server virtual staging.websys.aol.com 205.188.135.107
predictor round-robin
port http sticky
port http cookie-name "pl_serverid"
port http cookie-switching
port 1030
port 1030 cookie-name "pl_serverid"
port 1030 cookie-switching
port 1032
port 1032 cookie-name "pl_serverid"
port 1032 cookie-switching
port 1033
port 1033 cookie-name "pl_serverid"
port 1033 cookie-switching
port 8001
port 8001 cookie-name "pl_serverid"
port 8001 cookie-switching
port 1031
port 1031 cookie-name "pl_serverid"
port 1031 cookie-switching
bind http plogic-sd07 http plogic-sd08 http
bind 1030 plogic-sd07 1030 plogic-sd08 1030
bind 1032 plogic-sd07 1032 plogic-sd08 1032
bind 1033 plogic-sd07 1033 plogic-sd08 1033
bind 8001 plogic-sd07 8001 plogic-sd08 8001
bind 1031 plogic-sd07 1031 plogic-sd08 1031
!
server virtual careerfinder.web.aol.com 205.188.135.108
predictor round-robin
port http sticky
port http cookie-name "pl_serverid"
port http cookie-switching
bind http plogic-sd03 1040 plogic-sd04 1040 plogic-sd05 1040
!
vlan 1 name DEFAULT-VLAN by port
no spanning-tree
!
console timeout 10
enable password-display
enable super-user-password 0 articul8
hostname plogic1-dr1-sw0
ip address 205.188.135.122 255.255.255.224
ip default-gateway 205.188.135.125
ip dns domain-name AOL.COM
ip dns server-address 205.188.152.6 205.188.152.37
logging 205.188.151.2
logging 172.31.15.13
logging 172.20.20.33
logging facility local5
mac-age 0
no flow-control
telnet client 152.163.136.1
telnet client 152.163.136.2
telnet client 205.188.151.9
telnet client 205.188.151.10
telnet client 64.12.64.34
telnet client 64.12.64.33
telnet client 152.163.177.103
telnet timeout 10
snmp-server community 0 Just1SNmPcomuntyRO2bchangd2k+ ro 8
snmp-server contact NetOps
snmp-server location AU36
clock summer-time
clock timezone us Eastern
sntp server 205.188.152.1
sntp server 205.188.152.2
no web-management
interface e 1
speed-duplex 100-full
no flow-control
!
interface e 2
speed… (concatenated)
!
access-list 8 permit 64.12.64.32 0.0.0.15
access-list 8 permit 152.163.82.0 0.0.0.255
access-list 8 permit 152.163.129.0 0.0.0.255
access-list 8 permit 152.163.136.0 0.0.0.255
access-list 8 permit 152.163.177.0 0.0.0.255
access-list 8 permit 172.18.0.0 0.0.255.255
access-list 8 permit 172.20.0.0 0.0.255.255
access-list 8 permit 172.31.0.0 0.0.255.255
access-list 8 permit 192.168.137.0 0.0.0.255
access-list 8 permit 205.188.151.0 0.0.0.255
access-list 8 permit 207.200.78.0 0.0.0.255
access-list 8 permit host 206.222.240.77
!
!
end
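The standard access list in the configuration above (access-list 8, repeated verbatim in the second case study) is what bounds the management plane of the switch; the trailing "8" on the snmp-server community line is taken here to reference that list. The following Python is an added example, not code from the document or from the ServerIron: it parses access-list lines of that shape, evaluates a source address against them with first-match, implicit-deny semantics, and totals how many addresses the list admits. The evaluation rules, the treatment of a bare address as a host entry, and the probe addresses are assumptions or constructed values.

```python
"""Evaluate a Foundry/Cisco-style standard access list against candidate
source addresses.  Added example: it models only what the access-list
lines in the configuration express, not the switch's own implementation."""
import ipaddress

# The access-list 8 block from the configuration above, embedded verbatim
# so this runs offline.
ACL_TEXT = """\
access-list 8 permit 64.12.64.32 0.0.0.15
access-list 8 permit 152.163.82.0 0.0.0.255
access-list 8 permit 152.163.129.0 0.0.0.255
access-list 8 permit 152.163.136.0 0.0.0.255
access-list 8 permit 152.163.177.0 0.0.0.255
access-list 8 permit 172.18.0.0 0.0.255.255
access-list 8 permit 172.20.0.0 0.0.255.255
access-list 8 permit 172.31.0.0 0.0.255.255
access-list 8 permit 192.168.137.0 0.0.0.255
access-list 8 permit 205.188.151.0 0.0.0.255
access-list 8 permit 207.200.78.0 0.0.0.255
access-list 8 permit host 206.222.240.77
"""


def _addr(s):
    return int(ipaddress.IPv4Address(s))


def parse_acl(text):
    """Return [(acl_id, action, network_int, wildcard_int)] in config order.

    A wildcard mask is the inverse of a netmask: a 1 bit means "don't care".
    'host X' and a bare 'X' (assumption: treated as a host) get wildcard 0.
    """
    rules = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] != "access-list":
            continue
        acl_id, action, rest = parts[1], parts[2], parts[3:]
        if rest[0] == "host":
            net, wild = _addr(rest[1]), 0
        elif len(rest) == 1:
            net, wild = _addr(rest[0]), 0
        else:
            net, wild = _addr(rest[0]), _addr(rest[1])
        rules.append((acl_id, action, net, wild))
    return rules


def acl_permits(rules, acl_id, src):
    """First matching entry wins; no match means the implicit deny."""
    s = _addr(src)
    for rid, action, net, wild in rules:
        if rid != acl_id:
            continue
        care = ~wild & 0xFFFFFFFF          # bits that must match exactly
        if (s & care) == (net & care):
            return action == "permit"
    return False


def acl_permit_count(rules, acl_id):
    """How many source addresses the list admits, ignoring overlaps
    (an entry with wildcard W covers W+1 addresses)."""
    return sum(wild + 1 for rid, action, _, wild in rules
               if rid == acl_id and action == "permit")


if __name__ == "__main__":
    rules = parse_acl(ACL_TEXT)
    # Constructed probe addresses, not values from the document.
    for probe in ("64.12.64.34", "64.12.64.48", "172.20.20.33", "8.8.8.8"):
        print(probe, "permit" if acl_permits(rules, "8", probe) else "deny")
    print("addresses admitted:", acl_permit_count(rules, "8"))
```

Run as a script, the count comes to 198,417 addresses, of which the three 172.x.0.0/16 entries account for 196,608; when reviewing such a list it is the wide wildcard entries, not the host entries, that decide how far a read-only community string actually reaches.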
SLB with URL Switching Enabled
ver 07.1.18T12
no global-stp
!
!
server force-delete
server syn-def 6
server tcp-msl 6
server router-ports 25 26
!
url-map "policya"
method pattern
default 3
match "MC_RSC=7" 2
match "MC_RSC=5" 1
!
!
server real mc-s01 64.12.144.1
max-conn 10000
port 12443
port http
port http url "HEAD /"
port ssl
port 1080
port 1443
port 2080
port 2443
port 3080
port 3443
port 4080
port 4443
port 5080
port 5443
port 6080
port 6443
port 7080
port 7443
port 8080
port 8443
port 9080
port 9443
port 10080
port 10443
!
server real mc-s03 64.12.144.2
max-conn 10000
port 12443
port http
port http url "HEAD /"
port ssl
port 1080
port 1443
port 6443
port 6080
port 4443
port 4080
port 3443
port 3080
port 2080
port 2443
port 5080
port 5443
port 7080
port 7443
port 8080
port 8443
port 9080
port 9443
port 10080
port 10443
!
server real mc-s05 64.12.144.17
max-conn 10000
port 13443
port 13080
port 14443
port 14080
port 10020
port 10010
port 12543
port 10050
port 10050 server-id 1025
port 10050 group-id 1 1 3 3
port 12443
port http
port http url "HEAD /"
port ssl
port 10080
port 11080
port 11443
port 12080
!
server real screen2-s03 64.12.144.4
port http disable
port http url "HEAD /"
port ssl
!
server real mc-s07 64.12.144.18
max-conn 10000
port 13443
port 13080
port 14443
port 14080
port 10020
port 10010
port 12543
port 10050
port 10050 server-id 1027
port 10050 group-id 2 2 3 3
port 12443
port http
port http url "HEAD /"
port ssl
port 10080
port 11080
port 12080
port 11443
!
server real screenname3 64.12.144.6
port http
port http url "HEAD /"
port ssl
!
server real screenname-03-br 64.12.144.16
port http
port http url "HEAD /"
port ssl
!
server virtual sandbox.screenname.aol.com 64.12.144.22
predictor round-robin
port http
port http url-map "policya"
port http cookie-name "MC_RSC"
port http url-cookie-switching
port ssl sticky
bind http mc-s07 10050 mc-s05 10050
bind ssl mc-s05 ssl mc-s07 ssl
!
server virtual my.screenname.aol.com 64.12.144.3
predictor round-robin
port ssl sticky
port http
bind ssl mc-s01 12443 mc-s03 12443
bind http mc-s01 10080 mc-s03 10080
!
server virtual sandboxt.screenname.aol.com 64.12.144.19
predictor round-robin
port http
port ssl sticky
bind http mc-s05 10010 mc-s07 10010
bind ssl mc-s05 10020 mc-s07 10020
!
server virtual aolcom.screenname.aol.com 64.12.144.23
predictor round-robin
port http
port ssl sticky
bind http mc-s05 14080 mc-s07 14080
bind ssl mc-s05 14443 mc-s07 14443
!
server virtual login.screenname.aol.com 64.12.144.24
predictor round-robin
port http
port ssl sticky
bind http mc-s05 13080 mc-s07 13080
bind ssl mc-s05 13443 mc-s07 13443
!
vlan 1 name DEFAULT-VLAN by port
no spanning-tree
!
console timeout 10
enable password-display
enable super-user-password 0 articul8
hostname snagreg-mr6-sw0
ip address 64.12.144.26 255.255.255.224
ip default-gateway 64.12.144.30
ip dns domain-name AOL.COM
ip dns server-address 64.12.66.5 64.12.66.36
logging 172.20.20.33
logging 152.163.177.103
logging 205.188.151.2
logging 172.31.15.13
logging 172.20.20.33
logging facility local5
mac-age 0
no flow-control
system-max tcp-buffer 512
!
telnet client 152.163.136.2
telnet client 152.163.136.1
telnet client 205.188.151.9
telnet client 205.188.151.10
telnet client 64.12.64.34
telnet client 64.12.64.33
telnet client 152.163.177.103
telnet timeout 10
snmp-server community 0 Just1SNmPcomuntyRO2bchangd2k+ ro 8
snmp-server contact NetOps
snmp-server location MR6 CQ-605
clock summer-time
clock timezone us Eastern
sntp server 64.12.66.2
no web-management
interface e 1
speed-duplex 100-full
no flow-control
!
interface e 2
speed… (concatenated)
!
access-list 8 permit 64.12.64.32 0.0.0.15
access-list 8 permit 152.163.82.0 0.0.0.255
access-list 8 permit 152.163.129.0 0.0.0.255
access-list 8 permit 152.163.136.0 0.0.0.255
access-list 8 permit 152.163.177.0 0.0.0.255
access-list 8 permit 172.18.0.0 0.0.255.255
access-list 8 permit 172.20.0.0 0.0.255.255
access-list 8 permit 172.31.0.0 0.0.255.255
access-list 8 permit 192.168.137.0 0.0.0.255
access-list 8 permit 205.188.151.0 0.0.0.255
access-list 8 permit 207.200.78.0 0.0.0.255
access-list 8 permit host 206.222.240.77
!
!
end
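Two selection mechanisms appear in the case studies above: the "pl_serverid" cookie-switching VIPs of the first configuration, and the "policya" URL map with "url-cookie-switching" on sandbox.screenname.aol.com in the second, whose reals carry "server-id" and "group-id" settings. The Python below is an added example, not ServerIron code, that models both in one place so the interaction is visible: the selection rules (cookie honoured only when it names a bound, healthy real; first URL pattern wins, else the default group; fall back to any healthy real when no real serves the chosen group) are assumptions about what the statements express, and the VIP built by sandbox_vip() is a constructed copy of the one above.

```python
"""Simplified model of how the VIPs above pick a real server: cookie
switching ("pl_serverid" VIPs) and URL-map group selection ("policya").
Added example, not ServerIron code; the rules here are assumptions about
what the configuration statements express."""
from dataclasses import dataclass
from itertools import cycle
from typing import List, Optional, Set, Tuple


@dataclass
class Real:
    name: str
    server_id: int        # value a persistence cookie carries ("server-id 1025")
    groups: Set[int]      # group-ids this real serves ("group-id 1 1 3 3")
    healthy: bool = True  # outcome of the "HEAD /" health check


@dataclass
class UrlMap:
    default_group: int                  # "default 3"
    matches: List[Tuple[str, int]]      # ("MC_RSC=7", 2), ... in config order


def parse_group_ranges(tokens: List[str]) -> Set[int]:
    """'1 1 3 3' -> {1, 3}; tokens are inclusive (low, high) pairs (assumption)."""
    nums = [int(t) for t in tokens]
    groups: Set[int] = set()
    for lo, hi in zip(nums[::2], nums[1::2]):
        groups.update(range(lo, hi + 1))
    return groups


def parse_cookies(header: str) -> dict:
    """Minimal Cookie header parser: 'a=1; b=2' -> {'a': '1', 'b': '2'}."""
    out = {}
    for part in header.split(";"):
        if "=" in part:
            k, v = part.strip().split("=", 1)
            out[k] = v
    return out


class Vip:
    def __init__(self, reals: List[Real], cookie_name: str,
                 url_map: Optional[UrlMap] = None):
        self.reals = reals
        self.cookie_name = cookie_name
        self.url_map = url_map
        self._rr = cycle(reals)          # "predictor round-robin"

    def _round_robin(self, candidates: List[Real]) -> Optional[Real]:
        for _ in range(len(self.reals)):
            r = next(self._rr)
            if r in candidates:
                return r
        return None

    def select(self, url: str, cookie_header: str = "") -> Optional[Real]:
        candidates = [r for r in self.reals if r.healthy]
        if not candidates:
            return None                   # every real failed its health check
        # 1. Cookie switching.  The cookie is client-controlled, so it is only
        #    honoured when it names a real that is bound here and healthy;
        #    anything else falls through to normal selection.
        val = parse_cookies(cookie_header).get(self.cookie_name)
        if val is not None and val.isdigit():
            for r in candidates:
                if r.server_id == int(val):
                    return r
        # 2. URL switching: first pattern found in the URL wins, else default.
        if self.url_map is not None:
            group = self.url_map.default_group
            for pattern, g in self.url_map.matches:
                if pattern in url:
                    group = g
                    break
            in_group = [r for r in candidates if group in r.groups]
            # Assumption: if no healthy real serves the group, use any healthy real.
            candidates = in_group or candidates
        return self._round_robin(candidates)


def sandbox_vip() -> Vip:
    """Constructed copy of the sandbox.screenname.aol.com VIP configured above."""
    reals = [Real("mc-s05", 1025, parse_group_ranges("1 1 3 3".split())),
             Real("mc-s07", 1027, parse_group_ranges("2 2 3 3".split()))]
    return Vip(reals, "MC_RSC", UrlMap(3, [("MC_RSC=7", 2), ("MC_RSC=5", 1)]))


if __name__ == "__main__":
    vip = sandbox_vip()
    print(vip.select("/login?MC_RSC=7").name)                 # mc-s07 (group 2)
    print(vip.select("/", cookie_header="MC_RSC=1025").name)  # mc-s05 (cookie)
```

The point a reviewer of such a configuration cares about is the validation step in the cookie path: a persistence cookie arrives from the client, so selection must only follow it to a real that is actually bound to the VIP and currently passing its health check, and silently fall back to the predictor otherwise. The model also shows why "group-id 1 1 3 3" and "group-id 2 2 3 3" are paired the way they are: group 3, the url-map default, is served by both reals, while groups 1 and 2 each pin traffic to a single real.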