Load Balancing Concepts

Section 1

©A10 Networks, Inc.


Section objectives
Understand main load balancing goals and concepts
Configure ACOS L4 SLB Virtual Server
Configure two common L4 SLB Virtual Server options (Source IP Persistence + NAT)



Load balancing goals
Share load among multiple servers (load balancing)

Provide high availability of services



Topology: L3 (routed) mode w/o SNAT (p. 1 of 2)

[Diagram: client 200.0.0.1; SLB with VIP = 100.0.0.10 on 100.0.0.0/24; servers 100.0.1.[100-200] on 100.0.1.0/24]

Request
Client to SLB: Source IP 200.0.0.1, Dest IP 100.0.0.10
SLB to server: Source IP 200.0.0.1, Dest IP 100.0.1.100

Reply
Server to SLB: Source IP 100.0.1.100, Dest IP 200.0.0.1
SLB to client: Source IP 100.0.0.10, Dest IP 200.0.0.1


Topology: L3 (routed) mode w/o SNAT (p. 2 of 2)

Benefits:
No change required on clients or servers
Provides additional layer of security

Points to keep in mind:
Configure SLB as default gateway on servers


Topology: L3 (routed) mode with SNAT (p. 1 of 2)

[Diagram: client 200.0.0.1; SLB with VIP = 100.0.0.10 on 100.0.0.0/24 and SNAT = 100.0.1.50; servers 100.0.1.[100-200] on 100.0.1.0/24]

Request
Client to SLB: Source IP 200.0.0.1, Dest IP 100.0.0.10
SLB to server: Source IP 100.0.1.50, Dest IP 100.0.1.100

Reply
Server to SLB: Source IP 100.0.1.100, Dest IP 100.0.1.50
SLB to client: Source IP 100.0.0.10, Dest IP 200.0.0.1


Topology: L3 (routed) mode with SNAT (p. 2 of 2)

Benefits:
No change required on clients or servers
Easy to test

Points to keep in mind:
Servers lose Client IP visibility (can be partly remedied by IP header insertion in HTTP)
Requires Source NAT on SLB


Topology: One-armed L2 (switched) mode (p. 1 of 2)

[Diagram: client 200.0.0.1; SLB with VIP = 100.0.0.10 and SNAT = 100.0.0.50 on 100.0.0.0/24; servers 100.0.0.[100-200] on 100.0.0.0/24]

Request
Client to SLB: Source IP 200.0.0.1, Dest IP 100.0.0.10
SLB to server: Source IP 100.0.0.50, Dest IP 100.0.0.100

Reply
Server to SLB: Source IP 100.0.0.100, Dest IP 100.0.0.50
SLB to client: Source IP 100.0.0.10, Dest IP 200.0.0.1


Topology: One-armed L2 (switched) mode (p. 2 of 2)

Benefits:
No change required on clients or servers
Easy to test
Clients can be in servers’ subnet

Points to keep in mind:
Servers lose Client IP visibility (can be partly remedied by IP header insertion in HTTP (X-ClientIP (customizable)))
Requires Source NAT on SLB
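
The header insertion named on the two SNAT slides only restores client visibility safely if a real server accepts X-ClientIP from the SLB's source-NAT address and from nowhere else. The following is an added example of that server-side check, not A10 code: the trusted address 100.0.0.50 is taken from the one-armed slide, while the function name and the sample requests are constructed for illustration.

```python
import ipaddress

# Assumption: the only peer allowed to assert a client address is the SLB's
# source-NAT address from the one-armed slide.
TRUSTED_SNAT = {ipaddress.ip_address("100.0.0.50")}
HEADER = "x-clientip"  # header name from the slide; customizable on the SLB

def effective_client_ip(peer_ip, headers):
    """Return (address, origin) a real server should log for one request.

    headers is a list of (name, value) pairs so duplicates stay visible.
    """
    peer = ipaddress.ip_address(peer_ip)
    if peer not in TRUSTED_SNAT:
        # Not via the SLB (one-armed mode allows clients in the server subnet):
        # any X-ClientIP here was written by the client itself, so ignore it.
        return str(peer), "peer"
    values = [v.strip() for k, v in headers if k.lower() == HEADER]
    if len(values) != 1:
        # Missing or repeated header: ambiguous, keep the SNAT address.
        return str(peer), "peer"
    try:
        return str(ipaddress.ip_address(values[0])), "header"
    except ValueError:
        return str(peer), "peer"   # value is not an IP address at all

# Constructed sample requests: (TCP peer, HTTP headers)
SAMPLES = [
    ("100.0.0.50", [("Host", "www"), ("X-ClientIP", "200.0.0.1")]),
    ("100.0.0.77", [("X-ClientIP", "10.9.9.9")]),
    ("100.0.0.50", [("X-ClientIP", "10.9.9.9"), ("X-ClientIP", "200.0.0.1")]),
    ("100.0.0.50", [("X-ClientIP", "200.0.0.1, 10.9.9.9")]),
]

def run_samples():
    return [effective_client_ip(peer, hdrs) for peer, hdrs in SAMPLES]

if __name__ == "__main__":
    for result in run_samples():
        print(result)
```

Only the first sample yields the header value; the other three fall back to the TCP peer address, which is what access logs and IP-based rules on the server should then record.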


Topology: DSR mode (p. 1 of 2)

[Diagram: client 200.0.0.1; SLB with VIP = 100.0.0.10 on 100.0.0.0/24; servers 100.0.0.[100-200] on 100.0.0.0/24, each with Loopback IP = VIP = 100.0.0.10]

Request
Client to SLB: Source IP 200.0.0.1, Dest IP 100.0.0.10
SLB to server: Source IP 200.0.0.1, Dest IP 100.0.0.10 (Source MAC = SLB MAC, Dest MAC = Server MAC)

Reply
Server to client: Source IP 100.0.0.10, Dest IP 200.0.0.1


Topology: DSR mode (p. 2 of 2)

Benefits:
Highly scalable (SLB processes only incoming traffic)

Points to keep in mind:
Can’t use any ACOS layer 7 features (aFleX can still be applied at virtual port level)
Configure VIP IP as loopback on servers


Server Load Balancing (SLB)
ACOS SLB configuration has three core elements:
Servers, Service Groups, Virtual Servers (VIPs)

[Diagram: VIP; Service Group - Web; two Servers, each with Web, DNS and SMTP]


SLB: Server
Minimum configuration
Name
IP address (can use DNS name)
Ports

Server configuration
CLI: ACOS(config)# slb server <name> […]

Server status and statistics
CLI: ACOS# show slb server […]


SLB: Service Group
Minimum configuration
Name
Type (TCP/UDP)
LB Algorithm
At least one Server/Port


Load balancing algorithms
Service group – load-balancing algorithms
Round-Robin
Least Connection
Service Least Connection
Weighted Round Robin
Weighted Least Connection
Service Weighted Least Connection
Fastest Response time
Least Request
Round Robin Strict
Stateless (4 options using various hashed combinations of source/destination IPs and ports)



Health Monitor
Service availability is checked using health monitors
Health monitors can be applied to:
Server
Server:Port
Service Group

Health monitors can test server availability
On layer 3: ping (icmp)
On layer 4: tcp, udp
On layer 7 (application): http, https, ftp, smtp, pop3, snmp, dns, radius, ldap, rtsp, sip, ntp
Via manually created scripts

Multiple L3/L4/L7 tests can also be combined in a Boolean expression (and/or/not)


Applying health monitor
Physical server health monitor
If HM fails, that server is considered down and service groups configured with that specific server stop using it for load balancing
Note: Default Server health monitor is icmp.

Physical server port health monitoring
If HM fails, that server port is considered down and service groups configured with that specific server:port stop using it for load balancing
Note: Default TCP Server Port Health Monitor is tcp handshake

Service group health monitor
If HM fails for a specific member, the service group stops using this member for load balancing
Note: By default there is no health monitor configured on Service Group


Source IP persistence
When to use Source IP persistence
Source IP persistence must be used when clients must have their future connections/traffic
terminated on the same server



Source IP persistence template
Create Source IP Persistence Template
A2(config)#slb template persist source-ip <template name>

Template options include:
Match Type:
  Port (persistence per VIP:Port -- default)
  Server (persistence per VIP)
  Service-Group (persistence per URL or Host)
Timeout: How long inactive entries are saved (default = 5 minutes)
Don't Honor Conn Rules: Ignore connection limits defined on Servers and Server Ports and connect new clients' connections to the Server (default = disabled)
Netmask: Granularity of Client IP address hashing (default = 255.255.255.255 for most granularity)

Assign the Source IP Persistence Template to the Virtual Server Port
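
How the Match Type, Timeout and Netmask options interact is easiest to see in a small model. This is an added example, not ACOS code: the class and function names are constructed, the server addresses are borrowed from the routed topology slides, and only the Port and Server match types are modelled.

```python
import ipaddress
from itertools import cycle

class SourceIPPersistence:
    """Toy model of the template options on the slide (not ACOS code)."""

    def __init__(self, netmask="255.255.255.255", timeout_s=300, match_type="port"):
        self.netmask = netmask          # granularity of client grouping
        self.timeout_s = timeout_s      # idle time before an entry is dropped (5 min)
        self.match_type = match_type    # "port" = per VIP:Port, "server" = per VIP
        self.table = {}                 # key -> (server, last_seen)

    def _key(self, client_ip, vip, vport):
        net = ipaddress.ip_network(f"{client_ip}/{self.netmask}", strict=False)
        scope = (vip, vport) if self.match_type == "port" else (vip,)
        return (str(net.network_address), scope)

    def select(self, client_ip, vip, vport, pick, now):
        key = self._key(client_ip, vip, vport)
        entry = self.table.get(key)
        if entry and now - entry[1] <= self.timeout_s:
            server = entry[0]            # live entry: stay on the same server
        else:
            server = pick()              # none or expired: load-balance afresh
        self.table[key] = (server, now)  # activity refreshes the idle timer
        return server

def demo(netmask="255.255.255.255", match_type="port"):
    # Assumed server pool and a round-robin pick for new clients.
    pool = cycle(["100.0.1.100", "100.0.1.101", "100.0.1.102", "100.0.1.103"])
    pick = lambda: next(pool)
    p = SourceIPPersistence(netmask=netmask, match_type=match_type)
    vip = "100.0.0.10"
    return [
        p.select("200.0.0.1", vip, 80, pick, now=0),
        p.select("200.0.0.1", vip, 80, pick, now=200),   # same client, within timeout
        p.select("200.0.0.9", vip, 80, pick, now=210),   # neighbour in the same /24
        p.select("200.0.0.1", vip, 443, pick, now=220),  # same client, other vPort
        p.select("200.0.0.1", vip, 80, pick, now=600),   # idle for more than 300 s
    ]
```

With `netmask="255.255.255.0"` the neighbouring client lands on the first client's server, which shows how a coarse netmask pins a whole client network to one real server.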


NAT: SLB Source NAT template
Source NAT is required to ensure that server replies pass back through the ACOS device before being forwarded to clients
Create IP Source NAT Pool:
ip nat pool <Name of the template> <Start IP address> <End IP address> netmask /24
Start IP address: can be the AX interface IP*
End IP address: can be the same as Start IP
Note: If the "Start" and "End IP address" are the same, the AX will NAT with one unique IP address and can NAT up to 64k flows
Example: A1(config)#ip nat pool nat1 10.0.0.4 10.0.0.6 netmask /24
(optional) "vRID ID": Specify the vRID number to tie to the NAT Pool
(optional) "HA Group": Specify the HA group to tie to the NAT pool

Assign the SLB Source NAT Pool to the Virtual Server Port
* Known as "Smart NAT" or Automatic


Smart NAT (Automatic NAT)
The IP addresses that Smart NAT uses to create the mappings depend on whether VRRP-A
or HA is enabled and floating-IP addresses are configured
If VRRP-A or HA is configured, Smart NAT uses configured floating IP addresses as
NAT addresses
If neither VRRP-A nor HA is configured, Smart NAT uses primary IP address on the
ACOS interface connected to the real server
A virtual port can use both Smart NAT and configured NAT pool(s). By default, the
configured pool addresses are used first, but this can be modified using the “precedence”
command on the v-port:
source-nat auto precedence



NAT Pool Groups
Group containing multiple NAT Pools
Used when NAT Address space is non-contiguous
Can easily expand existing IP pool ranges
Create in GUI – config\NAT\Group, then apply to v-port with same GUI dropdown as pool
Create in CLI – A1(config)#ip nat pool-group <group name> <nat pool names>
Apply to v-port with same command used for NAT pools – A1(config-slb vserver-vport)#source-nat pool-group <group name>
Note: Pool Groups require HA/VRRP-A IDs (if configured)


SLB: Virtual Server (VIP) & Virtual Ports (vport)
VIP Minimum configuration
Name
IP address (accessed by end users)
Virtual Server Ports (usually)

vPort Minimum configuration
Type: (TCP/UDP/HTTP/HTTPS/Fast-HTTP/RTSP/FTP/MMS/SSL-Proxy/SMTP/SIP/SIP-TCP/SIP-TLS/Others)
Port number (or range)
Service Group (usually)
Pre-configured elements (nat pools, templates, aFleX scripts) are applied at the vport level creating the Virtual Service


CLI: Workflow
With CLI, build your configuration from bottom up
system
redundancy + clustering
servers
nat pools
templates
virtual server
virtual server port

Then apply pre-configured elements on virtual server port (vPort)


To use a programming analogy, configuration elements are like functions. Those functions have to be called from the vPort before they take effect.


GUI: Workflow
In GUI, you can build configuration from top down in one of two ways
Config > SLB > Service > Virtual Server (and then add vPort underneath)
Config > SLB > Service > Virtual Service (all from one place)
Necessary configuration elements’ names are created automatically. Your virtual service is translated at the CLI level into virtual server + virtual port.
ACOS#show run | sec slb
slb server _s_10.0.2.18 10.0.2.18
   port 80 tcp
slb server _s_10.0.2.19 10.0.2.19
   port 80 tcp
slb service-group http tcp
   member _s_10.0.2.18:80
   member _s_10.0.2.19:80
slb virtual-server _10.0.1.12_vserver 10.0.1.12
   port 80 http
      name vip1-http
      service-group http
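
The CLI workflow slide's rule that an element only takes effect once a vPort references it can be checked mechanically against `show run | sec slb` output. The following is an added example, not A10 code: it parses only the statements shown on this page, assumes the `name:port` member form of that output, and its function names are constructed.

```python
# Constructed input: copy of the "show run | sec slb" output on this page.
SAMPLE = """\
slb server _s_10.0.2.18 10.0.2.18
   port 80 tcp
slb server _s_10.0.2.19 10.0.2.19
   port 80 tcp
slb service-group http tcp
   member _s_10.0.2.18:80
   member _s_10.0.2.19:80
slb virtual-server _10.0.1.12_vserver 10.0.1.12
   port 80 http
      name vip1-http
      service-group http
"""

def parse_slb(text):
    """Parse only the statements shown on the page ('name:port' members assumed)."""
    servers, groups, vports, ctx, vport = {}, {}, [], ("", ""), None
    for tok in (ln.split() for ln in text.splitlines() if ln.strip()):
        if tok[0] == "slb":                      # top-level object opens a context
            ctx, vport = (tok[1], tok[2]), None
            if tok[1] == "server":
                servers[tok[2]] = set()
            elif tok[1] == "service-group":
                groups[tok[2]] = {"type": tok[3], "members": []}
        elif ctx[0] == "server" and tok[0] == "port":
            servers[ctx[1]].add((int(tok[1]), tok[2]))
        elif ctx[0] == "service-group" and tok[0] == "member":
            name, _, port = tok[1].rpartition(":")
            groups[ctx[1]]["members"].append((name, int(port)))
        elif ctx[0] == "virtual-server" and tok[0] == "port":
            vports.append(vport := {"vip": ctx[1], "port": int(tok[1]), "group": None})
        elif vport is not None and tok[0] == "service-group":
            vport["group"] = tok[1]              # the vPort "calls" the service group
    return servers, groups, vports

def audit(text):  # dangling references and service groups that no vPort calls
    servers, groups, vports = parse_slb(text)
    out = []
    for g, body in groups.items():
        for name, port in body["members"]:
            if (port, body["type"]) not in servers.get(name, set()):
                out.append(f"service-group {g}: member {name}:{port} is not a defined server port")
        if not any(v["group"] == g for v in vports):
            out.append(f"service-group {g}: not bound to any vport")
    for v in vports:
        if v["group"] not in groups:
            out.append(f"vport {v['vip']}:{v['port']}: service-group {v['group']} not defined")
    return out
```

`audit(SAMPLE)` returns an empty list for the GUI-generated configuration above; each returned string names one object to fix before the virtual service goes live.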


Lab Load Balancing Concepts
Configure Layer 4 SLB Virtual Server (VIP)
Physical servers
Service Group
Source NAT
Source IP Persistence
Virtual Server

Verify functionality



Section summary
In this section we discussed:
Load balancing’s main goals: server load sharing and high availability of services
Load balancer network integration modes: routed, one-arm, transparent, and DSR
Two common L4 SLB options and their ACOS configuration

We have configured the following:
ACOS Layer 4 SLB Virtual Server
Source IP Persistence
SLB Source NAT
