I have a customer who wants his new ASA-5520 to load balance out-going traffic between 2 ISPs, fairly normal request. Now here's the twist. He wants to separate traffic based upon the protocol used, http to one ISP, https to the other.
View 3 RepliesWe have a RV016 load balancing between two broadband WAN connections. On protocols that are sensitive to a change in IP address such as ssh and https, if the client connection goes inactive for a short time (sometimes as short as 10 seconds), the RV016 often changes WAN connection as part of its "load balancing" feature. Most protocols do not even notice, but the more sensitive protocols do and often lock a session or timeout the session which is not a good thing.
We have been able to bind these sensitive protcolols to a particular WAN port but (in our minds) this is not an "ideal" situation. In fact I would consider this to be a broken "load balancing" solution and should be fixed.
I need to build a layer 2 etherchannel on a Cisco 3560X. Now the question:
¿ May I instruct the switch to inspect the outgoing ethernet packets for IP information and therefore execute Layer 3 load balancing on this portchannel regardless of the fact that this will be a plain Layer 2 etherchannel? (for example: port-channel load-balance src-dst-ip)
The documentation does not say that this is not allowed, so in principle it seems to be that it would be feasible.
I am trying to configure ACE 4710 to load balance base on the URL, If it matches the specific URL ( /456/ ), the traffic will be sent to server farm 456 else the traffic will be sent to server farm 123.
I attached an image of the topology.
Ace Config:
rserver host SRV01_123
ip address 192.168.1.101
inservice
[Code].....
I was unable to access my ASA 5520 using HTTP/HTTPS even on the management interface. I had upgrade the ASA IOS to asa832-k8.bin and ASDM to asdm-634-53.bin. But, the issue still the same.
My browser show the error message as attach image.
PGA-Firewall-02# sh run: Saved:ASA Version 8.3(2)!hostname PGA-Firewall-02enable password 8Ry2YjIyt7RRXU24 encryptedpasswd 2KFQnbNIdI.2KYOU encryptednames!interface GigabitEthernet0/0 nameif public security-level 0 ip
[Code]....
I configured 2960S switch as http server. I'm unable to access the switch GUI with non privilege 15 user, with privilege 15 user it's working.
View 7 Replies View RelatedRight now, in my network there is no proxy server and all users go straight through the ASA to access internet. I would like to put a squid with dansguardian (for web filtering). Steps in getting all http and https traffic from ASA go via my squid?
View 18 Replies View RelatedWe have an ASA5520 pair that we will be installing to load balance SSLVPN connections. Below is a portion of our configs pertaining to the VPN load-balancing feature (configured on both ASAs):My specific question is related to routing of return traffic to load-balanced VPN sessions. Is there some kind of persistence function that tells the return traffic which ASA to route back to? For instance, if ASA1 has a VPN connection having IP address 10.211.112.1 associated to it, and ASA2 has a VPN connection having IP address 10.211.112.100, how does the return traffic for each connection know which ASA to route back to?
View 1 Replies View RelatedWe have two asa5520 configured as primary and standby unit in fail over configuration, and all is working properly. Is it possible, with this configuration (fail over), to configure vpn load balancing/clustering?
View 7 Replies View RelatedWe have Nexus 7K on production. 7K chasis is not load balancing with non-cisco devices with etherchannel or LACP..I have tried all load balancing algorithms but in vain. [code]
View 3 Replies View Relatedi'm going to configure a 881-k9 with:
- Ethernet 0/0 LAN (Private Address)
- Ethernet 0/1 ISP1 (Public Address 1)
- Ethernet 0/2 ISP2 (Public Address 2)
find some configuration example to:
- have load balancing over the two ISP connection, used to connect to Internet
- configure Static NAT to bind:
- TCP 443
- TCP 1723on ISP1 e ISP2 Interface to a LAN Address (SBS2008 Server)
We have a Catalyst 6509 switch, and we hope to use policy based routing to redirect http traffic to my proxy server, where I can find the configuration example?
View 11 Replies View RelatedI'm trying to make MGSCP solution. I have Cisco 7609 with following configuration:
Mod Ports Card Type Model
--- ----- -------------------------------------- ------------------
3 8 CEF720 8 port 10GE with DFC WS-X6708-10GE
5 5 Route Switch Processor 720 10GE (Activ RSP720-3CXL-10GE
7 24 CEF720 24 port 1000mb SFP WS-X6724-SFP
8 24 CEF720 24 port 1000mb SFP WS-X6724-SFP
9 48 CEF720 48 port 10/100/1000mb Ethernet WS-X6748-GE-TX.
I have conneccted a server with LACP on Nexus extender. I am starting different file copy from diffferent sources to this server, it does not load balance.
source addresse: 192.168.30.3 / 192.168.30.1
destination: 192.168.30.2
We have to cisco WS-C4900M with Cisco IOS Software, Catalyst 4500 L3 Switch Software (cat4500e-IPBASE-M), Version 12.2(53)SG5, RELEASE SOFTWARE (fc1).We have four gigabit link connected between those two switches.We have create a LACP port channel with those four ports on both switches. Ether-channel is up and running and defined with a load-balancing method of src-dst-ip.But when we test the load-balancing, it's not using the src-dst-ip rule with the XOR: [code]
View 5 Replies View RelatedI have a 2821 Router, with a VWIC2-2MFT card in it, with two T1s going into that card. The two T1s are a bundled MPLS line.
I then have a cable modem connection going into the gigabit Ethernet GE 0/1 port on the router.
Right now, the cable modem provides a backup connection in case the T1s go down.
What I was wondering is if there was a way to 'combine' the bandwidth from the two T1s with the cable modem?
How to set up redundant LAN Ring topology with load balancing for a cisco catalyst 3560 platform.
View 10 Replies View RelatedWe use Cisco ASA 5520 (in HA configuration) connected to Cisco Switch 3750, ISP connection (25 Mbps) is straight to cisco 3750 switch. Since, Internet traffic is now high, a seecond ISP will be added.Our plan is to do Internet Link Load Balancing. My understanding that AS5520 can not do balancing.What appliance do you think I can use to accomplish the link balance?Also, take in consideration that our current ASA is also our VPN server and there are two DMZ zones.
View 1 Replies View RelatedWe want to achieve a load balancing scenario using Virtual IP on DMZ interface on a Cisco ASA 5520.
The IPs we are going to use on DMZ are 10.15.1.2 and 10.15.1.3
These IPs are going to be NATted to all inside IPs.
Lets say our outside IP is X.X.X.X
This IP points to 10.15.1.2 and 10.15.1.3 with .2 being the primary and .3 being the secondary. When I hit the outside IP, it should point me to .2 and that .2 should take me to the inside IPs.
1) 2 x ASA 5520, running 8.2
2) Both ASA are in same outside and inside interface broadcast domains – common Ethernet on interfaces
3) Both ASA are running single context but are active/standby failovers of each other. There are no more ASA’s in the equation. Just these 2. NOTE: this is not a Active/Active failover configuration. This is simply a 1-context active/standby configuration.
4) I want to share VPN load among two devices and retain active/standby failover functionality. Can I use VPN load balancing feature?
Active/Active failover is understood to mean only two ASA running multi-contexts. Context 1 is active on ASA1 Context 2 is active on ASA2. They are sharing failover information. Active/Active does not mean two independently configured ASA devices, which do not share failover communication, but do VPN load balancing. It is clear that this latter scenario will work and that both ASA are active, but they are not in the Active/Active configuration definition. Some people are calling VPN load balancing on two unique ASA’s “active/active”, but it is not
The other confusing thing I have seen is that VPN config guide for VPN load balancing mentions configuring separate IP address pools on the VPN devices, so that clients on ASA1 do not have IP address overlap with clients on ASA2. When you configure ip address pool on active ASA1, this gets replicated to standby ASA2. In other words, you cannot have two unique IP address pools on a ASA Active/Standby cluster. I guess I could draw addresses from external DHCP server, and then do some kind of routing. Perhaps this will work?
I would like configure a CSS content, that uses the sorry service principal in an advanced way.
I am familiar with the primary Sorry Server command and see that the CSS would send all connections to the named service that is configured as the primary Sorry Server.
What I would like to do is to configure the CSS, so that once it’s decided it’s in a “sorry” state (all the services that are configured with “add service” are down) that it load balances to a different set of services.
To explain what I’ve been trying to do in the form of configuration on the CSS, I’ve pasted some pretend config below.
Connections come into IP address 1.1.1.1, which normally get load balanced between 9.1.1.1, 9.1.1.2 and 9.1.1.3.
If 9.1.1.1, 9.1.1.2 and 9.1.1.3 are all down, the sorry service is used and the CSS starts passing traffic to 1.1.2.1, which I want it to load balance between 9.1.2.1, 9.1.2.2 and 9.1.2.3.
The order that I have applied the config, is different to the below, as I set out to configure in this order: secondary services, secondary content, sorry service, primary services, primary content.
The order of the config below is different, because I wanted it in the order that the traffic flows and the CSS won’t take the config in that order!
The wall I have ran into, is that when I try to create the service I have named “Sorry Service”, I get the following error:
%% Service IP Address conflicts with a local I/F, VIP, mg mt route.
[Code] .....
The best option for load balancing between 2 X Cisco nexus 5548UP switches located at one site and connecting to 2 X Cisco nexus 5548UP switches located at another site.
The sites are connected via a 1GB fibre connection. I am unable to use GLBP until GLBP is supported in further software releases.
Does 3650-X IP Base support Static Load Balancing or i should upgrade to ip service SW ?
View 4 Replies View RelatedI have probem with symmetric load balancig, in case when both ends of ether channel are on the sam switch (we are using VLAN translation).We need to create L2 port channel with both ends on same switch (Cisco WS-C4500X-24X-ES), for example:Po1 – Gi0/1, Gi0/3 (one end of port channel )Po2 – Gi0/2, Gi0/4 (other end of port channel)On ports in Po2 we will configure VLAN mapping.My question is what is the best ether-channel load-balancing scheme with wich we can accomplish full symmetry in both directions? For example, if traffic in one direction goes through Gi0/1 (member of Po1), in other direction also must go through Gi0/1. This is required because we need to connect four appliances for DPI (they are full L2 transparent) and traffic through each appliance need to be symmetric.
I can set-up src-ip, dst-ip, src-dst-ip etc. load balancing, but, actually I need src-ip on Po1 and dst-ip on Po2. Is there any way to set up different load balancing mechanism for different ether channel on same switch (4500X).
If the load balancing is set to src-dst-ip, will a layer 2 switch forward based on that information? Particularly talking about a 6500, with trunk interfaces, since those packets never go to the layer 3 engine, will the load-balancing work as intended?
View 2 Replies View RelatedI have an inquiry about a configuration I deploy in a C2960 switch. I have configured a ether channel with 8 ports, the load balanced method is source mac address. The bundling protocol is LACP.
I have found the ether channel is not balanced as I expect. One of the eight interfaces is congested.
Code...
Right now I have 2 default routes load balancing 100MB internet links. This is on my 2 6509's.
ip route 0.0.0.0 0.0.0.0 10.47.2.1 (FWSM)
ip route 0.0.0.0 0.0.0.0 10.47.2.250 (5510)
Is there anyway to make the first default route take more of the traffic, like 60/40 or 70/30?Any program that I could use to see top users going through the FWSM?
I have the requirement to provide a Cisco Router with 3 x ADSL lines (768k) to increase the internet speed.PPP multilink is not supported from the ISP.
Is it possbile to distribute the traffic between this three ADSL lines?How can I configure this?
I have the following hardware configuration:
1 x CISCO1921-SEC/K9
2 x EHWIC-VA-DSL-B
The third ADSL line is connected over an ADSL modem at one fixed Router Gigabit interface.
One of our customer has 3 ISP Line, out of which Two are Broadband and One is Leased Line. All 3 ISP interfaces are Etherent.
Now, they want Auto Failover with Load balancing among these 3 ISP lines.
Can we do same implementation in Cisco 1941 Router?? What licenses required in router for same?
I am trying to understand what load balancing method is used on a port channel on a Nexus switch . I have a server connected by a VPC to two Nexus switches. The nexus switches are only acting as layer 2 switches. I have a 6509 connected via a upstream link that does all of the routing for my VLANS. If have a server connected to the Nexus switches and it talks to a server on my 6509 what load balancing happens on the Nexus going across VPC 27 which is a layer 2 trunk going up to my 6509. Is it done on layer 2 or layer 3 flows?
My Nexus shows the default load balancing configurations
Port Channel Load-Balancing Configuration:System: source-dest-ip
Port Channel Load-Balancing Addresses Used Per-Protocol:Non-IP: source-dest-macIP: source-dest-ip source-dest-mac
Is it possible to use two different load balancing methods at each end of a port-channel between two switches?
We have a Cisco 6509 at one end of the port-channel and a Cisco blade switch 3020 at the other end. Right now, we are using "src-dst-ip" at both end of the port-channel. We would like to change this. That is, we would like the #3020 switch to use "src-dst-ip" while the 6509 switch should use the "src-dst-port".
Why we want to do this, the reason is that we have FWSMs on the 6509. I've read that by configuring "src-dst-port" on the 6509, one can get a better performance of traffic going through the FWSM. However, the issue is that the 3020 switch does not support "src-dst-port".
What I am attempting to achieve is to aggregate trunk ports out of a VMware server into a single logical connection to give as much bandwidth as possible, the switches are 3750X and are three stacked together with the server connections spread across the stack. What I am not sure about is if two port channel load balance protocols can happy co-exist on the switch, by default the switch is using MAC address load balancing and Vmware wants to use IP Source load balancing. As other trunks and channels exist on the switch I don't want to make a change that will affect the other live connections if changing this is a global setting and not local on the channel.
View 2 Replies View RelatedI have a dual-homed fabric (Nexus 2248 dual attached to two Nexus 5020's via vPC). On this Nexus 2248 is a server that has a four port LACP etherchannel. The ports do not appear to be load balancing correctly. The output below shows the four ports in use and it clearly shows port e138/1/10 as getting the most use. When I use the "show port-channel load-balance forwarding-path..." command on either of the vPC switches for various source and destination IP's that use this link, it shows them correctly load-balancing across the four ports. But we do not see this when looking at stats on both the server side and the switch side.
dc5020-3g# sh int e138/1/10,e138/1/12,e138/1/14,e138/1/16 | i seconds
30 seconds input rate 552 bits/sec, 69 bytes/sec, 0 packets/sec
30 seconds output rate 130120 bits/sec, 16265 bytes/sec, 161 packets/sec
Load-Interval #2: 5 minute (300 seconds)
30 seconds input rate 40 bits/sec, 5 bytes/sec, 0 packets/sec
[code]....
**************** Config info below. This is a vPC pair and the port configs are identical on both switches so I'm only showing the configs for one switch to keep it simple.
dc5020-3g# sh port-channel load-balance
Port Channel Load-Balancing Configuration:
System: source-dest-ip
Port Channel Load-Balancing Addresses Used Per-Protocol:
Non-IP: source-dest-mac
IP: source-dest-ip source-dest-mac
[code]....