LACP load balance question

Torsten Jahnke
Level 1

I have 3 public DNS servers and I want to provide them as an HA service. The question now is how I can establish this without a physical load balancer. My idea is to use LACP to get this working.

Goal:

The 3 servers should be connected to the switch where an LACP bundle is configured, and when I need to shut down one of the servers for maintenance the service is still available without any interruption. The public IP address will be assigned to the LACP bundle.

Is this possible with LACP, and which configuration is recommended for doing this? Does anyone have a better recommendation?

Thanks a lot!

Torsten Jahnke
founder and inventor of keweonDNS
6 Replies

Giuseppe Larosa
Hall of Fame

Hello Torsten,

The LACP protocol manages a bundle of member interfaces, sending and receiving LACP messages on each member link to ensure that the other side is alive, that the system-id of the remote end links is the same on all links, and that the group number is the same.

It provides consistency checks to avoid errors in cabling and it can check the health of each member link.

LACP by itself does not provide load balancing features or algorithms.

The load balancing method configured at global level applies to all bundles defined on the switch (this is true for conventional IOS or IOS XE switches).

Now, performing load balancing towards three DNS servers relying on the EtherChannel load balancing algorithm looks difficult.

In fact, what is on the remote side of the LACP bundle you are configuring?

You cannot connect the three servers' NICs because they will have different LACP system-ids; if there is another switch in the path the LACP bundle is able to come up, but then the load balancing decision would be made by this other switch (if possible).

 

If you have a multilayer switch like C6500 or C6800 (or newer C9300, C9400, C9500) you can use destination based NAT to create a "poor man" load balancer.

You will have a public VIP address and then you will convert DNS requests made to the VIP to one of the three real servers defined in a NAT pool with option rotary.

It is a "poor man" solution because the NAT will happen regardless of the state of each real server (it is not able to verify / probe the DNS service on each real server).

If your switch does not support NAT, considering that DNS traffic should not be so high in volume, the server load balancing destination NAT can be performed by a software based router like an ISR 4431.

See the following link:

 

https://www.cisco.com/c/en/us/support/docs/ip/network-address-translation-nat/200608-Server-Load-Balancing-Using-Dynamic-NAT.html

 

Hope to help

Giuseppe
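As an added example (not from the thread or from Cisco's document), this is what the destination-NAT "poor man" load balancer described above looks like in IOS syntax. All addresses, interface names and the pool name are constructed; the VIP is assumed to be routed by the carrier to the router's outside interface.

```text
! Constructed example: public VIP 203.0.113.53, real DNS servers 10.10.53.11-13
! Interface facing the carrier (the VIP is reached through it)
interface GigabitEthernet0/0/0
 ip address 203.0.113.1 255.255.255.0
 ip nat outside
!
! Interface facing the three DNS servers
interface GigabitEthernet0/0/1
 ip address 10.10.53.1 255.255.255.0
 ip nat inside
!
! Rotary pool: new sessions to the VIP are handed to the real servers in turn
ip nat pool DNS-REALS 10.10.53.11 10.10.53.13 netmask 255.255.255.0 type rotary
!
! Translate only traffic whose destination is the VIP
access-list 10 permit host 203.0.113.53
ip nat inside destination list 10 pool DNS-REALS
!
! DNS sessions are short-lived UDP; age translations out quickly
ip nat translation dns-timeout 30
!
! Check with: show ip nat translations / show ip nat statistics
```

Because the router does not probe the real servers, a server must be taken out of the pool (or its interface shut) before it is rebooted, or one third of the queries will keep landing on it.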

 

Thanks a lot for this answer.

NAT might be an option because the DNS servers will become a high load system. At the moment I have around 15 million users on my DNS servers, but I have no chance to do a reboot or something like this. All systems are currently working as PoC/PoT and my users know this, but in the long term this is a no go.

I still need a different idea for solving this.

What about the idea to use 3 switches and connect each server to one of them? All switches will be connected to one VLAN.

 

The connection is made this way:
Carrier Public IP -> Switch -> DNS Server

 

Thanks a lot!

Torsten Jahnke
founder and inventor of keweonDNS

Hello Torsten,

 

>> NAT might be an option because the DNS servers will become a high load system. At the moment I have around 15 million users on my DNS servers, but I have no chance to do a reboot or something like this. All systems are currently working as PoC/PoT and my users know this, but in the long term this is a no go.

 

With 15 million users a full load balancer is the best choice from a technical point of view.

I understand it may be expensive, but it is the only solution that will work in the long run.

You say that you cannot reboot a single server now, and this can be an issue.

 

Can you explain what you mean by PoC/PoT?

My understanding is that your servers are now three independent servers, each of them with its own public IP address.

This should be the reason why you cannot reboot a single server.

 

>> What about the idea to use 3 switches and connect each server to one of them? All switches will be connected to one VLAN.

>> The connection is made this way:
Carrier Public IP -> Switch -> DNS Server

 

This allows you to create three separate failure domains (if a switch fails only one server is impacted), but it does not help in creating a load balancer solution.

 

Hope to help

Giuseppe

 

 

I have invented an AI and a DNS solution which protects your system in a never-before-seen way.
Long story short, all poisonous online threats will be moved to a blacklist filtering system, and at the moment I protect against various threats. At the moment I filter 26 different categories and I'm heavily financially limited.

The idea behind this is very simple: scan the entire internet for various threats, find them, filter them out and copy all this crap into a database to blacklist.

This will protect against data sniffing, data stealing and online threats such as ransomware, viruses and other things. I invented everything in 2003 and I have been online since 2011. No client or installation is required, and that's the reason why it's running on DNS. It's working on ANY operating system.
The technology behind all of this is heavily complicated, but at the end there are just DNS servers. Not a proxy or something like this. Just native DNS, to be GDPR/DSGVO 100% compliant.
At the moment I'm running different DNS, DoH and DoT servers to prove that it is possible to protect against all of this. It's a lot more than a stupid RPZ list, and my actual database contains 59 million unique entries. When I have the final AI and the money for this, then I expect around 700 million blacklist entries. That's the entire PoC/PoT (proof of concept and proof of technology), and at the moment I'm searching for an investor for this. There will be much more behind all of this, but this is a different story.


The only problem I have is to get the DNS servers either clustered or something else. The DoH and DoT servers are already solved and redundant.
I have really no idea how to get the "normal" DNS via port 53 clustered or HA without a load balancer. That's a problem which I can't get solved at the moment. I really don't know how to do it without a load balancer, but I want to have it solved without a load balancer. There is a way, but I can't see it at the moment ;)

Thanks a lot!

Torsten Jahnke
founder and inventor of keweonDNS

Hello Torsten,

thanks for your interesting explanation.

You would need at least a device capable of NAT to create a "poor man" load balancer.

If high volume is expected you should look at an ASR 1001; you may find a used one at a reasonable price (now there is the ASR 1001-X, which is newer).

 

Hope to help

Giuseppe

 

 

Wow... thanks a lot!!

If this thing does the job it will save a lot of money ;)

 

A million thanks again!!

Thanks a lot!

Torsten Jahnke
founder and inventor of keweonDNS