SLB Help Needed

Mar 17th, 2008

Hi, folks:

This is my situation and I am hoping some of you can help me.

I am at a client site and they are trying to get SLB to work.

Kevin Dorrell Tue, 03/18/2008 - 00:57

Victor,

I have not got much experience with SLB, but I did do an exercise on it recently, so I compared my config with yours. The most glaring difference is that in my config I have nat server in the ip slb serverfarm section.

Not much to go on, I'm afraid, but you could try it.

Kevin Dorrell

Luxembourg

lamav Tue, 03/18/2008 - 02:35

OK, Kevin. Thanks for caring enough to try to help me.

I do think that GLBP will not work with SLB and that HSRP should be configured instead. And of course, they need to configure the second switch for SLB!

I saw some questions on SLB within the last 2 weeks on here that generated a lot of responses, so I really thought I would get more feedback.

Kevin Dorrell Tue, 03/18/2008 - 03:04

Victor,

On the issue about HSRP and GLBP, I'm not sure why one would support SLB and not the other, unless of course you are going all the way and implementing stateful NAT. I have an idea that HSRP supports stateful NAT but GLBP does not. The question is, can you do stateful SLB (which after all is a type of NAT)? If so, that could be the constraint that rules out GLBP.

When you work it out, could you post back please - I would be interested to hear how the story ends.

Kevin Dorrell

Luxembourg

lamav Tue, 03/18/2008 - 03:09

Well, I think the load balancing feature of GLBP interferes with the proper operation of SLB. That is why I think it won't work.

I am not doing any NATing. It's a pretty simple (or should be) setup really.

I just want to create a virtual server for a server farm group and leave the default load balancing method (round robin).

Besides having to use HSRP, I think that only one switch can act as the HSRP active router for all VLANs, otherwise asymmetric routing will occur.

[EDIT] As an aside, I think that SLB is process switched, not CEF switched. Wondering if that is correct...?

Hoping someone else has experience with this...

Thanks

lamav Tue, 03/18/2008 - 18:41

Kevin:

The answer is that you can't use GLBP with SLB because GLBP uses asymmetric routing by design. With SLB, since it's stateful, you must route the traffic through the same SLB switch in both directions, otherwise, you get broken connections. In short, the traffic path must be deterministic, where GLBP inherently injects some unpredictability.

HTH

Victor

Kevin Dorrell Wed, 03/19/2008 - 01:24

Victor,

Thank you, that is interesting, and somewhere on the lines I was thinking of.

I'm sure you are already aware that with normal NAT, there is the stateful NAT feature which allows stateful NAT through two synchronised routers, and therefore can handle asymmetric routing.

Stateful NAT can also handle HSRP. That is, it can synchronise the NAT on two HSRP-redundant routers so that in the event of an HSRP failover you do not lose your existing sessions. But I'm not sure if stateful NAT supports GLBP.

Now, with SLB: does SLB have a stateful synchronisation option like normal NAT? In the event of an HSRP (or GLBP) failover, you lose all your current translations.

Kevin Dorrell

Luxembourg

lamav Wed, 03/19/2008 - 07:21

Good morning, Kevin:

I am aware of stateful NAT and you were thinking along the correct lines when you were thinking about statefulness. SLB is also stateful and maintains a connection table -- sort of looks like a NAT table, in fact. That's why it cannot work with asymmetric routing. If it receives a packet on the return trip from a source other than the source in its connection table, it will drop the packet.

Anyway, yes, there is a mechanism to pass stateful information between SLB switches for failover. It's called Stateful Backup. And it will help reconvergence after an SLB switch failover.

As an aside, SLB is NOT a supported protocol for SSO redundancy. So state information will NOT be kept if you depend on the SSO mechanism when you run dual SUPs.

HTH

Victor
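
The behaviour discussed in this thread, as a simplified model added here for illustration (it is not part of any poster's message and is not Cisco IOS code): two switches each keep their own connection table, the virtual server sits on switch A, and replies are delivered only if they return through the switch that holds the state. The class, function and host names are all constructed, and the model assumes no state is shared between the switches.

```python
from itertools import cycle

class SlbSwitch:
    """A load-balancing switch with its own (unshared) connection table."""
    def __init__(self, name):
        self.name = name
        self.conns = set()           # (client, real_server) pairs seen inbound

    def inbound(self, client, real):
        self.conns.add((client, real))

    def outbound(self, client, real):
        # Return traffic is accepted only for connections this switch created.
        return (client, real) in self.conns

def simulate(gateway_of, clients, reals):
    """gateway_of maps each real server to the switch that its default-gateway
    MAC resolves to. Returns (delivered, dropped) counts for the replies."""
    switches = {"A": SlbSwitch("A"), "B": SlbSwitch("B")}
    rr = cycle(reals)                # default round-robin predictor
    delivered = dropped = 0
    for client in clients:
        real = next(rr)
        switches["A"].inbound(client, real)      # virtual server lives on A
        if switches[gateway_of[real]].outbound(client, real):
            delivered += 1
        else:
            dropped += 1
    return delivered, dropped

REALS = ["real1", "real2", "real3", "real4"]     # constructed names
CLIENTS = [f"client{i}" for i in range(8)]       # constructed names

def hsrp_gateways():
    # HSRP: one active router owns the virtual MAC, so every server returns via A.
    return {r: "A" for r in REALS}

def glbp_gateways():
    # GLBP: the AVG answers ARP with forwarder MACs round-robin, so the servers
    # end up split between A and B.
    fwd = cycle(["A", "B"])
    return {r: next(fwd) for r in REALS}

if __name__ == "__main__":
    print("HSRP (delivered, dropped):", simulate(hsrp_gateways(), CLIENTS, REALS))
    print("GLBP (delivered, dropped):", simulate(glbp_gateways(), CLIENTS, REALS))
```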
