topic Re: a few questions about CSS in Application Networking

a few questions about CSS

shibindong — Sat, 06 Dec 2008 02:20:27 GMT

router IP is 10.1.1.1

load balaner VIP is 10.1.1.10

2 syslog server need to be load balanced: 10.1.1.2 and 10.1.1.3, with default gateway: 10.1.1.1

when I use layer2 design on the load balancer, I need to configure "group" to make sure that return traffic from server still need to pass through LB.

it works well until we found out that all the traffic source record in Syslog server are :10.1.1.10, which is VIP on the LB, so that I change to layer3 approach on the LB:

on the server, default gateway changed to 10.1.1.11, which is layer 3 IP on the LB;

on the router, create 2 static host routes: 10.1.1.2 255.255.255.255 -> 10.1.1.11 and 10.1.1.3 255.255.255.255 -> 10.1.1.11

I still have a few questions:

1). shall I point the default gateway to 10.1.1.10 (VIP) or 10.1.1.11, which is configured on the LB circuitVLAN10?

2). in the LB, I configued:

service Server13

ip address 10.1.1.2

protocol udp

port 514

and I also specified the "protocol udp"and"port 514" in the service part:

owner L3_Owner

content L3_Rule_syslog

add service Server13

add service Server14

vip address 10.1.1.10

balance leastconn

protocol udp

port 514

advanced-balance sticky-srcip

active

do I need to specified that at 2 parts both? what is the difference?

3). when I shut down 1 server, I can see server down from "show keeplive", but it still direct traffic to the down server, I know I can fix this by restart the LB, is there any automatical way?

I have post the samiliar question before, so far i have not get any right answer yet, thanks in advance!

Re: a few questions about CSS

Gilles Dufour — Mon, 08 Dec 2008 09:26:54 GMT

1/ you should point to the redundant-interface ip address if you are in vip/interface redundancy mode.

You should point to interface ip if you are in box-to-box redundancy mode.

2/ you don't need to speficy protocol and port on the service if you want to reuse the same proto/port are the content rule.

3/ as long as the udp connection is open, even if the server goes down, we keep using the open connection.

You should maybe disable flow creation since syslog traffic is one-way anyway.

You then get a per-packet loadbalancing.

The command is "flow-state 514 udp flow-disable nat-disable"

Gilles.

Re: a few questions about CSS

shibindong — Tue, 09 Dec 2008 11:34:46 GMT

thanks!!! Gilles. I get great help from you!

regarding question 3, can I say it is because of UDP issue? If I change to TCP, the problem can be solved? by the way, what does command "flow-state 514 udp flow-disable nat-disable" mean for?

Re: a few questions about CSS

Gilles Dufour — Tue, 09 Dec 2008 17:28:17 GMT

For question #3, yes the problem is probably due to the nature of udp which is connection-less. So all packets from the same src to the same dst will be a single flow with no begining and no end.

Unless the flow times out (no traffic for a while) we keep using the same flow entry even if the server goes down.

For tcp, this would be different since the client would expect an ACK for each data sent and if no response, the client will open a new connection and be re-balanced to a new server.

The flow-state command let's you decide if you want a flow to be created or not.

With no flow entry, the CSS is forced to do a new loadbalancing decision for every packet.

This could be a problem if your traffic is too high.

Gilles.

Re: a few questions about CSS

shibindong — Wed, 10 Dec 2008 11:37:48 GMT

I am not quite clear about your explaination:

1) Can I understand that, the syslog (UDP) flow is always in the CSS, because of it is UDP traffic which is one-way and no begin and no end. can I set the flow-time out value to a samll value, so that flow can be deleted if the inactive time for syslog is larger than that?

2) what does per-packet mean? if the per-packet means:

ABCDEFGHI ->CSS -> A C E G I one server

-> B D F H another server

can server receive full version syslog?

3) I added this command you recommended in the CSS, and I suspend 1 server, I still can see the traffic go to the down server...