RE: Load balancing & NAT [7:60663]
At 11:36 PM + 1/12/03, Emilia Lambros wrote:

> Basically any changes to the sticky/persistent part are not options :( the
> hardware that's in and performing the load balancing won't be changed
> because it works - the NAT portion just needs some ... horrible kludges? :)

But isn't NAT itself, independent of vendor and implementation, a kludge? Sometimes it's a good kludge, considering the circumstances.

I have long proclaimed that Australians should be the best at networking. Anyone who grows up thinking a platypus, that ultimate biological kludge of multispecies spare parts moving in close coordination, shouldn't be fazed by any of this. :-)

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=60928&t=60663
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
RE: Load balancing & NAT [7:60663]
Basically any changes to the sticky/persistent part are not options :( the hardware that's in and performing the load balancing won't be changed because it works - the NAT portion just needs some ... horrible kludges? :)

-----Original Message-----
From: Clayton Price [mailto:[EMAIL PROTECTED]]
Sent: Sunday, 12 January 2003 10:35 AM
To: [EMAIL PROTECTED]
Subject: Re: Load balancing & NAT [7:60663]

Could you change the persistence to use cookies instead of source IP address (assuming it is a browser based connection)? That would allow you to still load balance across the multiple app servers.

Clayton

"Emilia Lambros" wrote in message news:[EMAIL PROTECTED]...
> I'm looking more for a way to play with how the nat pool I have behaves with
> IP address use. The NAT config and translations are all working, however I
> can't find a situation online that shows me how I can force translations to
> not overload quite so much, or how I can make more IP addresses be used so
> my load balancing works with sticky sessions set.
>
> For as long as only 1 IP is being used, all connections to the application
> servers go to one application server. Even with 2 IPs being used, I would
> have more of a chance of connections going to the 2nd application server to
> create some load balancing but as I said, I'm sitting on 8500 connections
> and 1 IP being used. I know in theory I can go up to 65K+ connections on
> that 1 IP, but I would prefer more like a couple of hundred per IP.
>
> The majority of articles I've read show how to configure, say rotary pools
> or tcp load distribution but not examples of how you can use it another way
> that I could perhaps, adapt. As I said though, I can't play with the config
> because it's a live environment so it's a little harder to play and test with,
> without a guarantee that it will work :)
>
> -----Original Message-----
> From: The Long and Winding Road [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, 9 January 2003 11:24 AM
> To: [EMAIL PROTECTED]
> Subject: Re: Load balancing & NAT [7:60663]
>
> if you have a CCO customer account, there are a lot of articles in the TAC
> database
>
> this one is a good start, I believe.
>
> http://www.cisco.com/en/US/customer/tech/tk648/tk361/technologies_tech_note09186a0080093fca.shtml
> watch the wrap.
>
> HTH
>
> --
> TANSTAAFL
> "there ain't no such thing as a free lunch"
>
> "Emilia Lambros" wrote in message news:[EMAIL PROTECTED]...
> > Hi all,
> >
> > I have an application being load balanced at one site (sticky sessions set
> > such that each connection from 1 IP will continue its transactions to the
> > same server it started on) and at another site, the users accessing the load
> > balanced application.
> >
> > The users come in from different office locations across private WAN links,
> > nat inside is on each of their interfaces and on each interface out of the
> > router those WAN links connect to, is nat outside.
> >
> > I have changed their initial configuration based on NAT overload to an
> > interface IP address to be a pool of addresses overloaded. I was hoping
> > that the connections would spill over to the second IP in the pool at some
> > stage sooner than the 8500 NAT connections I have currently, but no go. I
> > may as well have NAT'd to 1 IP again :)
> >
> > Is there a way to overload NAT, but have it using more than 1 IP in the
> > pool? e.g. a pool of 30 IPs, it's currently using 1.. I'd love the router to
> > even round robin the use of IPs out of the pool but I can't play with the
> > config to try it (live environment) and can't find any documentation online
> > explaining exactly what I need NAT to do/not do :(
> >
> > Thanks,
> >
> > Em :)

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=60922&t=60663
Re: Load balancing & NAT [7:60663]
Could you change the persistence to use cookies instead of source IP address (assuming it is a browser based connection)? That would allow you to still load balance across the multiple app servers.

Clayton

"Emilia Lambros" wrote in message news:[EMAIL PROTECTED]...
> I'm looking more for a way to play with how the nat pool I have behaves with
> IP address use. The NAT config and translations are all working, however I
> can't find a situation online that shows me how I can force translations to
> not overload quite so much, or how I can make more IP addresses be used so
> my load balancing works with sticky sessions set.
>
> For as long as only 1 IP is being used, all connections to the application
> servers go to one application server. Even with 2 IPs being used, I would
> have more of a chance of connections going to the 2nd application server to
> create some load balancing but as I said, I'm sitting on 8500 connections
> and 1 IP being used. I know in theory I can go up to 65K+ connections on
> that 1 IP, but I would prefer more like a couple of hundred per IP.
>
> The majority of articles I've read show how to configure, say rotary pools
> or tcp load distribution but not examples of how you can use it another way
> that I could perhaps, adapt. As I said though, I can't play with the config
> because it's a live environment so it's a little harder to play and test with,
> without a guarantee that it will work :)
>
> -----Original Message-----
> From: The Long and Winding Road [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, 9 January 2003 11:24 AM
> To: [EMAIL PROTECTED]
> Subject: Re: Load balancing & NAT [7:60663]
>
> if you have a CCO customer account, there are a lot of articles in the TAC
> database
>
> this one is a good start, I believe.
>
> http://www.cisco.com/en/US/customer/tech/tk648/tk361/technologies_tech_note09186a0080093fca.shtml
> watch the wrap.
>
> HTH
>
> --
> TANSTAAFL
> "there ain't no such thing as a free lunch"
>
> "Emilia Lambros" wrote in message news:[EMAIL PROTECTED]...
> > Hi all,
> >
> > I have an application being load balanced at one site (sticky sessions set
> > such that each connection from 1 IP will continue its transactions to the
> > same server it started on) and at another site, the users accessing the load
> > balanced application.
> >
> > The users come in from different office locations across private WAN links,
> > nat inside is on each of their interfaces and on each interface out of the
> > router those WAN links connect to, is nat outside.
> >
> > I have changed their initial configuration based on NAT overload to an
> > interface IP address to be a pool of addresses overloaded. I was hoping
> > that the connections would spill over to the second IP in the pool at some
> > stage sooner than the 8500 NAT connections I have currently, but no go. I
> > may as well have NAT'd to 1 IP again :)
> >
> > Is there a way to overload NAT, but have it using more than 1 IP in the
> > pool? e.g. a pool of 30 IPs, it's currently using 1.. I'd love the router to
> > even round robin the use of IPs out of the pool but I can't play with the
> > config to try it (live environment) and can't find any documentation online
> > explaining exactly what I need NAT to do/not do :(
> >
> > Thanks,
> >
> > Em :)

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=60887&t=60663
Re: Load balancing & NAT [7:60663]
Doug,

I used the term "horrible kludge" several hours before I saw your post. The multiple NAT pool kludge is horrible because it is neither scalable nor maintenance-free, nor does it include any dynamic distribution of load across the resultant multiple (outside local) addresses in use. It almost removes the requirement for the load-balancing part of the load-balancers, leaving them with server failover tasks only.

As I stated in my post, I'd be looking for a different form of sticky (or a different NAT device).

rgds
Marc

Doug S wrote:
>
> I liked the comment and definitely agree that some of the authors of Cisco
> training material should be named and publicly humiliated, although the
> sheer volume of mistakes could make this a somewhat overwhelming task for
> the public doing the humiliating. Still, I want to add my opinion that Cisco
> documentation and training material is of a lot higher quality than a lot of
> what's out there, not to name names like MS Press or anything.
>
> The reason I blindly accepted and posted that particular quote is because it
> DOES match my personal experience, which, I admit is considerably less than
> the other posters in this thread. The only experience I have is in a lab on
> 2500's and 2600's running something around IOS 12.1(T).
>
> I also want to point out that this behavior of only overloading the first
> address in the pool sounds like exactly what the original poster is
> experiencing. The fact that Emilia's and my experience contradicts Peter's
> and TLaWR makes me think that there are differences in how this works on
> different platforms, as TJ suggests.
>
> I'd also like to hear people's opinions on why my solution is a "horrible"
> kludge, as opposed to just a plain old vanilla kludge.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=60858&t=60663
Re: Load balancing & NAT [7:60663]
At 10:12 PM + 1/10/03, Doug S wrote:

> I liked the comment and definitely agree that some of the authors of Cisco
> training material should be named and publicly humiliated, although the
> sheer volume of mistakes could make this a somewhat overwhelming task for
> the public doing the humiliating. Still, I want to add my opinion that Cisco
> documentation and training material is of a lot higher quality than a lot of
> what's out there, not to name names like MS Press or anything.

I'm the last person to be an apologist for some of the documentation, but fairness says there are a couple of things to consider.

1. Most Cisco documentation is what might be called "performance skills" based rather than "cognitive" or "design". There's very little information about alternative solutions, or other things that I think of as network architecture. Historically, CID (which originally was an internal course) was the only course that went into tradeoffs, although there are a good many more Cisco-only courses that do.

2. Since the market crash, there's been much less marketability for books that deal with design rather than cookbook or certification-cram content. It's unfortunate -- corporate "economies" are equating configuration skills with design skills.

3. It's almost impossible to keep any kind of general documentation updated on all the permutations of platforms, releases, and bugs. Conceptually, I suppose, Cisco could develop a context-sensitive living hyperdocument that links basic documentation, release notes and bug reports, etc., and have a much better support product, but that would still be support rather than tradeoff oriented.

> The reason I blindly accepted and posted that particular quote is because it
> DOES match my personal experience, which, I admit is considerably less than
> the other posters in this thread. The only experience I have is in a lab on
> 2500's and 2600's running something around IOS 12.1(T).

I'm sort of laughing and crying, thinking of my most dramatic classroom bug. I was teaching a private ACRC class for MCI, with a mixture of 2500, 4000, and 4500 routers, on, IIRC, IOS 11.0 or so. I had just finished showing GRE for IP, and someone asked a question about running IPX over the same tunnel as the IP. I _know_ this works. So, I said, "no problem". I switched a router console to the projector, added an IPX network to one end of the tunnel, and it went in just fine. Next, I switched to the other router. No sooner had I finished typing IPX network , did both routers go into the most incredible crash mode I have ever seen. They dropped into ROMMON, and then kept cycling back to the start of boot, never giving me keyboard control. Powering them on and off brought back sanity, but I soon found that this crash was reproducible on 4000's and 4500's, but not 2500's. The TRULY weird thing is that when I left a router running overnight in its boot loop, it eventually stabilized and gave console control -- but still would crash if I configured IPX tunneling over GRE.

> I also want to point out that this behavior of only overloading the first
> address in the pool sounds like exactly what the original poster is
> experiencing. The fact that Emilia's and my experience contradicts Peter's
> and TLaWR makes me think that there are differences in how this works on
> different platforms, as TJ suggests.

There _might_ be theoretical problems of load distribution here, depending on how the address is cached in other machines. Source-destination hash is very good in most cases, but if you had this configuration on both ends, everything would go over the same link no matter how many interfaces you had. If the load balancing were destination-based, it could get awful.

> I'd also like to hear people's opinions on why my solution is a "horrible"
> kludge, as opposed to just a plain old vanilla kludge.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=60857&t=60663
RE: Load balancing & NAT [7:60663]
And more importantly, from a semantics perspective - is a "horrible kludge" a bad thing or a good thing? Or a case of two wrongs not making a right. ... double negatives are fun.

Thanks!
TJ
[EMAIL PROTECTED]

-----Original Message-----
From: Doug S [mailto:[EMAIL PROTECTED]]
Sent: Friday, January 10, 2003 5:13 PM
To: [EMAIL PROTECTED]
Subject: Re: Load balancing & NAT [7:60663]

I liked the comment and definitely agree that some of the authors of Cisco training material should be named and publicly humiliated, although the sheer volume of mistakes could make this a somewhat overwhelming task for the public doing the humiliating. Still, I want to add my opinion that Cisco documentation and training material is of a lot higher quality than a lot of what's out there, not to name names like MS Press or anything.

The reason I blindly accepted and posted that particular quote is because it DOES match my personal experience, which, I admit is considerably less than the other posters in this thread. The only experience I have is in a lab on 2500's and 2600's running something around IOS 12.1(T).

I also want to point out that this behavior of only overloading the first address in the pool sounds like exactly what the original poster is experiencing. The fact that Emilia's and my experience contradicts Peter's and TLaWR makes me think that there are differences in how this works on different platforms, as TJ suggests.

I'd also like to hear people's opinions on why my solution is a "horrible" kludge, as opposed to just a plain old vanilla kludge.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=60855&t=60663
Re: Load balancing & NAT [7:60663]
I liked the comment and definitely agree that some of the authors of Cisco training material should be named and publicly humiliated, although the sheer volume of mistakes could make this a somewhat overwhelming task for the public doing the humiliating. Still, I want to add my opinion that Cisco documentation and training material is of a lot higher quality than a lot of what's out there, not to name names like MS Press or anything.

The reason I blindly accepted and posted that particular quote is because it DOES match my personal experience, which, I admit is considerably less than the other posters in this thread. The only experience I have is in a lab on 2500's and 2600's running something around IOS 12.1(T).

I also want to point out that this behavior of only overloading the first address in the pool sounds like exactly what the original poster is experiencing. The fact that Emilia's and my experience contradicts Peter's and TLaWR makes me think that there are differences in how this works on different platforms, as TJ suggests.

I'd also like to hear people's opinions on why my solution is a "horrible" kludge, as opposed to just a plain old vanilla kludge.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=60853&t=60663
RE: Load balancing & NAT [7:60663]
I wonder - is this a situation where specific code level, or the family of products in question, etc., is causing a discrepancy? I know the PIX (currently), for example, works as TLaWR states below ... However, perhaps in IOS when you specify ip nat pool overload (start) (finish) netmask (mask) it treats it differently since you are explicitly saying to 'overload' ? ... just curious ...

Thanks!
TJ
[EMAIL PROTECTED]

-----Original Message-----
From: The Long and Winding Road [mailto:[EMAIL PROTECTED]]
Sent: Friday, January 10, 2003 11:12 AM
To: [EMAIL PROTECTED]
Subject: Re: Load balancing & NAT [7:60663]

"Doug S" wrote in message news:[EMAIL PROTECTED]...
> The way PAT works when overloading multiple addresses is to overload the
> first address in the pool until ALL port numbers are used up. I can't point
> you to any publicly available documentation on this, but cut and pasted from
> Network Academy curriculum:
>
> "However, on a Cisco IOS router, NAT will
> overload the first address in the pool until
> it's maxed out, and then move on to the
> second address, and so on."

I don't think so. I think whoever put this into Cisco training materials ought to be named and publicly humiliated. I know from cold hard experience that if you have a pool with several addresses and overload configured, each address in the pool is translated one to one, and then the last number is shared among all comers after that.

isn't there any real technical review of the training materials?

> I've seen people wanting to get around this behavior for a variety of
> reasons and I haven't seen anyone post a good reply. I've come up with a
> workaround that I believe should work for you, although you'll have to take
> a good look at your inside local addresses and figure out how to best define
> those into two equal groups. Each group could then be separately
> translated to a different address.
>
> For instance, if you are now translating 8000 inside addresses all in the
> range of 10.0.32.0/19 to one overloaded pool, you could configure it to
> translate 10.0.32.0/20 to one overloaded pool and 10.0.48.0/20 to a separate
> overloaded pool something like
>
> #access-list 1 permit 10.0.32.0 0.0.15.255
> #access-list 2 permit 10.0.48.0 0.0.15.255
> #ip nat pool LOWER_ADDRESSES_TRANSLATE_TO 209.211.100.1 209.211.100.5 pre 24
> #ip nat pool HIGHER_ADDRESSES_TRANSLATE_TO 209.211.100.6 209.211.100.10 pre 24
> #ip nat inside source list 1 pool LOWER_ADDRESSES_TRANSLATE_TO overload
> #ip nat inside source list 2 pool HIGHER_ADDRESSES_TRANSLATE_TO overload
>
> Forgive me if I've screwed up the syntax somewhere, but the idea is there.
> As I said, you'll have to put some thought into what best works in your
> addressing scheme to best separate translated addresses into two roughly
> equal groups. You might even find it helpful to partition them into more
> than two groups.
>
> Hope it helps.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=60825&t=60663
Re: Load balancing & NAT [7:60663]
"Peter Walker" wrote in message news:[EMAIL PROTECTED]...
> This does NOT match my previous experience. My experience has been that
> IOS seems to use NAT (not overloaded) until all pool addresses are used
> then start overloading the last one. I don't know what happens once
> this address gets maxed out.

when doing PAT ( NAT overload ) there is a theoretical possibility of 65000 connections ( i.e. the number of TCP ports ). Obviously, this would not be practical because of the number of well known ports in use.

The NAT engine would add the dimension of TCP source port to the state table. So if I am at address 111.111.111.111 and my source port is , the NAT engine might translate this to public IP 222.222.222.222 with a source port of . The next guy out, source address 111.111.111.112 with a source port of ( same app ) might be translated as public IP 222.222.222.222 with a source port of 8881. Etc.

The destination application doesn't care what the source port is ( in theory ) although in this particular case, I wonder if the destination host might have a problem. I suppose a well behaved application would not, but you never can tell.

> The only reason we noticed this was due to the fact that we were running
> port sentry on a number of unix hosts and noticed that periodically random
> machines were being port scanned from outside our net (something that
> should not be able to occur if PAT is being used). We finally tracked it
> down to NAT (single outside IP to single inside IP) entries appearing in
> our NAT translations tables on the router.
>
> The only solution that we (or TAC) could come up with was to reduce the NAT
> pool to a single IP.
>
> Peter Walker
> CISSP, CCN[NID]P, CSS1, CIPPTS, etc
>
> --On 09 January 2003 20:15 + Doug S wrote:
>
> > The way PAT works when overloading multiple addresses is to overload the
> > first address in the pool until ALL port numbers are used up. I can't
> > point you to any publicly available documentation on this, but cut and
> > pasted from Network Academy curriculum:
> >
> > "However, on a Cisco IOS router, NAT will
> > overload the first address in the pool until
> > it's maxed out, and then move on to the
> > second address, and so on."

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=60820&t=60663
Re: Load balancing & NAT [7:60663]
"Doug S" wrote in message news:[EMAIL PROTECTED]...
> The way PAT works when overloading multiple addresses is to overload the
> first address in the pool until ALL port numbers are used up. I can't point
> you to any publicly available documentation on this, but cut and pasted from
> Network Academy curriculum:
>
> "However, on a Cisco IOS router, NAT will
> overload the first address in the pool until
> it's maxed out, and then move on to the
> second address, and so on."

I don't think so. I think whoever put this into Cisco training materials ought to be named and publicly humiliated. I know from cold hard experience that if you have a pool with several addresses and overload configured, each address in the pool is translated one to one, and then the last number is shared among all comers after that.

isn't there any real technical review of the training materials?

> I've seen people wanting to get around this behavior for a variety of
> reasons and I haven't seen anyone post a good reply. I've come up with a
> workaround that I believe should work for you, although you'll have to take
> a good look at your inside local addresses and figure out how to best define
> those into two equal groups. Each group could then be separately
> translated to a different address.
>
> For instance, if you are now translating 8000 inside addresses all in the
> range of 10.0.32.0/19 to one overloaded pool, you could configure it to
> translate 10.0.32.0/20 to one overloaded pool and 10.0.48.0/20 to a separate
> overloaded pool something like
>
> #access-list 1 permit 10.0.32.0 0.0.15.255
> #access-list 2 permit 10.0.48.0 0.0.15.255
> #ip nat pool LOWER_ADDRESSES_TRANSLATE_TO 209.211.100.1 209.211.100.5 pre 24
> #ip nat pool HIGHER_ADDRESSES_TRANSLATE_TO 209.211.100.6 209.211.100.10 pre 24
> #ip nat inside source list 1 pool LOWER_ADDRESSES_TRANSLATE_TO overload
> #ip nat inside source list 2 pool HIGHER_ADDRESSES_TRANSLATE_TO overload
>
> Forgive me if I've screwed up the syntax somewhere, but the idea is there.
> As I said, you'll have to put some thought into what best works in your
> addressing scheme to best separate translated addresses into two roughly
> equal groups. You might even find it helpful to partition them into more
> than two groups.
>
> Hope it helps.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=60819&t=60663
RE: Load balancing & NAT [7:60663]
This does NOT match my previous experience. My experience has been that IOS seems to use NAT (not overloaded) until all pool addresses are used then start overloading the last one. I don't know what happens once this address gets maxed out.

The only reason we noticed this was due to the fact that we were running port sentry on a number of unix hosts and noticed that periodically random machines were being port scanned from outside our net (something that should not be able to occur if PAT is being used). We finally tracked it down to NAT (single outside IP to single inside IP) entries appearing in our NAT translations tables on the router.

The only solution that we (or TAC) could come up with was to reduce the NAT pool to a single IP.

Peter Walker
CISSP, CCN[NID]P, CSS1, CIPPTS, etc

--On 09 January 2003 20:15 + Doug S wrote:

> The way PAT works when overloading multiple addresses is to overload the
> first address in the pool until ALL port numbers are used up. I can't
> point you to any publicly available documentation on this, but cut and
> pasted from Network Academy curriculum:
>
> "However, on a Cisco IOS router, NAT will
> overload the first address in the pool until
> it's maxed out, and then move on to the
> second address, and so on."

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=60800&t=60663
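The symptom Peter describes (a pool address turning into a plain one-to-one translation, which then lets unsolicited outside traffic reach an inside host) is visible in the router's translation table before any port sentry fires. The following is an added example, not code from the thread: it tallies a `show ip nat translations` listing per inside-global address and separates port-translated (PAT) rows from port-less one-to-one rows. The table contents are constructed sample data in the IOS column layout, and the pool addresses are the ones Doug S used in his workaround.

```python
"""Tally a 'show ip nat translations' listing per inside-global address,
separating PAT entries (address:port) from one-to-one entries (no port).
The one-to-one entries are the ones that expose an inside host directly."""
from collections import defaultdict
from ipaddress import IPv4Address

# Constructed sample in the IOS column layout:
# Pro, Inside global, Inside local, Outside local, Outside global.
# '---' in the Pro column marks an address-only (one-to-one) translation.
SAMPLE_TABLE = """\
Pro Inside global      Inside local       Outside local      Outside global
tcp 209.211.100.1:1024 10.0.32.5:1024     172.16.1.10:80     172.16.1.10:80
tcp 209.211.100.1:1025 10.0.32.6:1024     172.16.1.10:80     172.16.1.10:80
tcp 209.211.100.1:1026 10.0.32.5:1025     172.16.1.10:443    172.16.1.10:443
--- 209.211.100.2      10.0.33.7          ---                ---
--- 209.211.100.3      10.0.33.8          ---                ---
udp 209.211.100.5:4000 10.0.40.1:4000     172.16.1.20:53     172.16.1.20:53
"""


def split_addr(field):
    """'a.b.c.d:port' -> (IPv4Address, port); 'a.b.c.d' -> (IPv4Address, None)."""
    host, sep, port = field.partition(":")
    return IPv4Address(host), (int(port) if sep else None)


def parse_translations(text):
    """Yield one dict per translation row; the header and blank lines are skipped."""
    for line in text.splitlines():
        cols = line.split()
        if len(cols) != 5 or cols[0] == "Pro":
            continue
        proto, ig, il, _ol, _og = cols
        ig_addr, ig_port = split_addr(ig)
        il_addr, il_port = split_addr(il)
        yield {
            "proto": proto,
            "inside_global": ig_addr,
            "inside_global_port": ig_port,
            "inside_local": il_addr,
            "inside_local_port": il_port,
            # No port on the inside-global side means the whole address is
            # mapped to one inside host: not PAT, and reachable from outside.
            "one_to_one": ig_port is None,
        }


def summarize(text):
    """Per inside-global address (as a string): number of PAT entries and the
    set of inside hosts holding a one-to-one mapping to that address."""
    summary = defaultdict(lambda: {"pat": 0, "one_to_one": set()})
    for entry in parse_translations(text):
        bucket = summary[str(entry["inside_global"])]
        if entry["one_to_one"]:
            bucket["one_to_one"].add(str(entry["inside_local"]))
        else:
            bucket["pat"] += 1
    return dict(summary)


def exposed_hosts(text):
    """Inside hosts that currently sit behind a full one-to-one translation,
    i.e. the entries that let outside scans reach through the NAT."""
    return sorted(h for s in summarize(text).values() for h in s["one_to_one"])


def addresses_in_use(text):
    """How many pool addresses the router is actually handing out."""
    return len(summarize(text))


if __name__ == "__main__":
    for addr, stats in sorted(summarize(SAMPLE_TABLE).items()):
        print(f"{addr}: {stats['pat']} PAT entries, "
              f"one-to-one to {sorted(stats['one_to_one']) or 'nobody'}")
    print("exposed inside hosts:", exposed_hosts(SAMPLE_TABLE))
```

On a live router, pipe the command output into `summarize()` and alert on any non-empty `one_to_one` set for an address that is supposed to be overloaded.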
RE: Load balancing & NAT [7:60663]
It all makes sense now :) As much of a kludge as it is, the individual NAT pools will be perfect. There's several offices, which means several IP addresses will be used if I make individual pools.

-----Original Message-----
From: Doug S [mailto:[EMAIL PROTECTED]]
Sent: Friday, 10 January 2003 6:45 AM
To: [EMAIL PROTECTED]
Subject: RE: Load balancing & NAT [7:60663]

The way PAT works when overloading multiple addresses is to overload the first address in the pool until ALL port numbers are used up. I can't point you to any publicly available documentation on this, but cut and pasted from Network Academy curriculum:

"However, on a Cisco IOS router, NAT will
overload the first address in the pool until
it's maxed out, and then move on to the
second address, and so on."

I've seen people wanting to get around this behavior for a variety of reasons and I haven't seen anyone post a good reply. I've come up with a workaround that I believe should work for you, although you'll have to take a good look at your inside local addresses and figure out how to best define those into two equal groups. Each group could then be separately translated to a different address.

For instance, if you are now translating 8000 inside addresses all in the range of 10.0.32.0/19 to one overloaded pool, you could configure it to translate 10.0.32.0/20 to one overloaded pool and 10.0.48.0/20 to a separate overloaded pool something like

#access-list 1 permit 10.0.32.0 0.0.15.255
#access-list 2 permit 10.0.48.0 0.0.15.255
#ip nat pool LOWER_ADDRESSES_TRANSLATE_TO 209.211.100.1 209.211.100.5 pre 24
#ip nat pool HIGHER_ADDRESSES_TRANSLATE_TO 209.211.100.6 209.211.100.10 pre 24
#ip nat inside source list 1 pool LOWER_ADDRESSES_TRANSLATE_TO overload
#ip nat inside source list 2 pool HIGHER_ADDRESSES_TRANSLATE_TO overload

Forgive me if I've screwed up the syntax somewhere, but the idea is there. As I said, you'll have to put some thought into what best works in your addressing scheme to best separate translated addresses into two roughly equal groups. You might even find it helpful to partition them into more than two groups.

Hope it helps.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=60766&t=60663
RE: Load balancing & NAT [7:60663]
The way PAT works when overloading multiple addresses is to overload the first address in the pool until ALL port numbers are used up. I can't point you to any publicly available documentation on this, but cut and pasted from Network Academy curriculum: "However, on a Cisco IOS router, NAT will overload the first address in the pool until it's maxed out, and then move on to the second address, and so on." I've seen people wanting to get around this behavior for a variety of reasons and I haven't seen anyone post a good reply. I've come up with a a workaround that I beleive should work for you, although you'll have to take a good look at your inside local addresses and figure out how to best define those in to two equal groups. Each group could then be separately translated to a different address. For instance, if you are now transating 8000 inside addresses all in the range of 10.0.32.0/19 to one overloaded pool, you could configure it to translate 10.0.32.0/20 to one overloaded pool and 10.0.48.0/20 to a separate overloaded pool something like #access-list 1 permit 10.0.32.0 0.0.15.255 #access-list 2 permit 10.0.48.0 0.0.15.255 #ip nat pool LOWER_ADDRESSES_TRANSLATE_TO 209.211.100.1 209.211.100.5 pre 24 #ip nat pool HIGHER_ADDRESSES_TRANSLATE_TO 209.211.100.6 209.211.100.10 pre 24 #ip nat inside source list 1 pool LOWER_ADDRESSES_TRANSLATE_TO overload #ip nat inside source list 2 pool HIGHER_ADDRESSES_TRANSLATE_TO overload Forgive me if I've screwed up the syntax somewhere, but the idea is there. As I said, you'll have to put some thought into what best works in your addressing scheme to best separate translated addresses in to two roughly equal groups. You might even find it helpful to partition them in to more than two groups. Hope it helps. 
Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=60739&t=60663
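The first-address-until-exhausted behaviour and the two-pool split described in the post above, modelled as an added Python example (not code from the thread or from Cisco). The pool ranges and access-list networks are the ones given in the post; the per-address port budget of 64512 and the client mix (flows alternating between the two /20 halves) are constructed assumptions. It also reproduces the 8500-connection case from the original question: one pool yields one translated source address, so a source-IP-sticky load balancer sees a single client.

```python
import ipaddress
from collections import Counter

# Assumed usable ports per outside address (1024-65535); constructed value.
PORTS_PER_ADDRESS = 64512
INSIDE_NET = ipaddress.ip_network("10.0.32.0/19")   # inside range from the post

class OverloadPool:
    """PAT pool that hands out the first address until its ports run out."""

    def __init__(self, first, last):
        lo, hi = int(ipaddress.IPv4Address(first)), int(ipaddress.IPv4Address(last))
        self.addresses = [str(ipaddress.IPv4Address(i)) for i in range(lo, hi + 1)]
        self.ports_used = Counter()   # outside address -> translations on it

    def translate(self):
        for addr in self.addresses:   # IOS behaviour: max out one, then move on
            if self.ports_used[addr] < PORTS_PER_ADDRESS:
                self.ports_used[addr] += 1
                return addr
        raise RuntimeError("all pool addresses exhausted")

def nat_rules(split):
    """One pool for the whole /19, or the per-/20 split from the post."""
    if not split:
        return [(INSIDE_NET, OverloadPool("209.211.100.1", "209.211.100.10"))]
    return [(ipaddress.ip_network("10.0.32.0/20"),
             OverloadPool("209.211.100.1", "209.211.100.5")),
            (ipaddress.ip_network("10.0.48.0/20"),
             OverloadPool("209.211.100.6", "209.211.100.10"))]

def inside_host(i):
    """Constructed client mix: flows alternate between the two /20 halves."""
    offset = (i % 2) * 4096 + (i // 2) % 4096
    return ipaddress.IPv4Address(int(INSIDE_NET.network_address) + offset)

def outside_addresses(connections, split):
    """Translate `connections` flows; return Counter of outside address -> flows.

    len() of the result is what a source-IP-sticky load balancer sees as the
    number of distinct clients, i.e. how many servers can receive traffic.
    """
    rules, seen = nat_rules(split), Counter()
    for i in range(connections):
        host = inside_host(i)
        for net, pool in rules:
            if host in net:           # first matching access-list wins
                seen[pool.translate()] += 1
                break
    return seen
```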
Re: Load balancing & NAT [7:60663]
IIRC when I last looked at this, it worked as you require, but that might have been v2 NAT rather than v3 which is current. Have you restarted the router? Superstition dictates that you should.

Failing this, how many app servers are there? You *could* use multiple NAT pools, which would admittedly be a horrible kludge, depends on how desperately you want this.

Is there not a better way of using sticky on the load-balancers? Are you in a position to change the app to use cookies for example? Or maybe persistent connections so the LBs aren't responsible for sticky?

rgds
Marc

Emilia Lambros wrote:
>
> I'm looking more for a way to play with how the nat pool I have behaves with IP address use. The NAT config and translations are all working, however I can't find a situation online that shows me how I can force translations to not overload quite so much, or how I can make more IP addresses be used so my load balancing works with sticky sessions set.
>
> For as long as only 1 IP is being used, all connections to the application servers go to one application server. Even with 2 IPs being used, I would have more of a chance of connections going to the 2nd application server to create some load balancing but as I said, I'm sitting on 8500 connections and 1 IP being used. I know in theory I can go up to 65K+ connections on that 1 IP, but I would prefer more like a couple of hundred per IP.
>
> The majority of articles I've read show how to configure, say rotary pools or tcp load distribution but not examples of how you can use it another way that I could perhaps, adapt. As I said though, I can't play with the config because it's a live environment so it's a little harder to play and test with, without a guarantee that it will work :)
>
> -Original Message-
> From: The Long and Winding Road [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, 9 January 2003 11:24 AM
> To: [EMAIL PROTECTED]
> Subject: Re: Load balancing & NAT [7:60663]
>
> if you have a CCO customer account, there are a lot of articles in the TAC database
>
> this one is a good start, I believe.
>
> http://www.cisco.com/en/US/customer/tech/tk648/tk361/technologies_tech_note09186a0080093fca.shtml
> watch the wrap.
>
> HTH
>
> --
> TANSTAAFL
> "there ain't no such thing as a free lunch"
>
> ""Emilia Lambros"" wrote in message news:[EMAIL PROTECTED]...
> > Hi all,
> >
> > I have an application being load balanced at one site (sticky sessions set such that each connection from 1 IP will continue its transactions to the same server it started on) and at another site, the users accessing the load balanced application.
> >
> > The users come in from different office locations across private WAN links, nat inside is on each of their interfaces and on each interface out of the router those WAN links connect to, is nat outside.
> >
> > I have changed their initial configuration based on NAT overload to an interface IP address to be a pool of addresses overloaded. I was hoping that the connections would spill over to the second IP in the pool at some stage sooner than the 8500 NAT connections I have currently, but no go. I may as well have NAT'd to 1 IP again :)
> >
> > Is there a way to overload NAT, but have it using more than 1 IP in the pool? e.g. a pool of 30 IPs, it's currently using 1.. I'd love the router to even round robin the use of IPs out of the pool but I can't play with the config to try it (live environment) and can't find any documentation online explaining exactly what I need NAT to do/not do :(
> >
> > Thanks,
> >
> > Em :)

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=60693&t=60663
RE: Load balancing & NAT [7:60663]
I'm looking more for a way to play with how the nat pool I have behaves with IP address use. The NAT config and translations are all working, however I can't find a situation online that shows me how I can force translations to not overload quite so much, or how I can make more IP addresses be used so my load balancing works with sticky sessions set.

For as long as only 1 IP is being used, all connections to the application servers go to one application server. Even with 2 IPs being used, I would have more of a chance of connections going to the 2nd application server to create some load balancing but as I said, I'm sitting on 8500 connections and 1 IP being used. I know in theory I can go up to 65K+ connections on that 1 IP, but I would prefer more like a couple of hundred per IP.

The majority of articles I've read show how to configure, say rotary pools or tcp load distribution but not examples of how you can use it another way that I could perhaps, adapt. As I said though, I can't play with the config because it's a live environment so it's a little harder to play and test with, without a guarantee that it will work :)

-Original Message-
From: The Long and Winding Road [mailto:[EMAIL PROTECTED]]
Sent: Thursday, 9 January 2003 11:24 AM
To: [EMAIL PROTECTED]
Subject: Re: Load balancing & NAT [7:60663]

if you have a CCO customer account, there are a lot of articles in the TAC database

this one is a good start, I believe.

http://www.cisco.com/en/US/customer/tech/tk648/tk361/technologies_tech_note09186a0080093fca.shtml
watch the wrap.

HTH

--
TANSTAAFL
"there ain't no such thing as a free lunch"

""Emilia Lambros"" wrote in message news:[EMAIL PROTECTED]...
> Hi all,
>
> I have an application being load balanced at one site (sticky sessions set such that each connection from 1 IP will continue its transactions to the same server it started on) and at another site, the users accessing the load balanced application.
>
> The users come in from different office locations across private WAN links, nat inside is on each of their interfaces and on each interface out of the router those WAN links connect to, is nat outside.
>
> I have changed their initial configuration based on NAT overload to an interface IP address to be a pool of addresses overloaded. I was hoping that the connections would spill over to the second IP in the pool at some stage sooner than the 8500 NAT connections I have currently, but no go. I may as well have NAT'd to 1 IP again :)
>
> Is there a way to overload NAT, but have it using more than 1 IP in the pool? e.g. a pool of 30 IPs, it's currently using 1.. I'd love the router to even round robin the use of IPs out of the pool but I can't play with the config to try it (live environment) and can't find any documentation online explaining exactly what I need NAT to do/not do :(
>
> Thanks,
>
> Em :)

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=60670&t=60663
Re: Load balancing & NAT [7:60663]
oops - forgot where I was going

here is a jump page

http://www.cisco.com/cgi-bin/Support/browse/psp_view.pl?p=Internetworking:NAT

requires CCO customer login.

and this one for more detail in design and operation

http://www.cisco.com/cgi-bin/Support/browse/psp_view.pl?p=Internetworking:NAT&s=Implementation_and_Configuration

watch the wrap on this one - who knows how the groupstudy server will mangle this one.

--
TANSTAAFL
"there ain't no such thing as a free lunch"

""Emilia Lambros"" wrote in message news:[EMAIL PROTECTED]...
> Hi all,
>
> I have an application being load balanced at one site (sticky sessions set such that each connection from 1 IP will continue its transactions to the same server it started on) and at another site, the users accessing the load balanced application.
>
> The users come in from different office locations across private WAN links, nat inside is on each of their interfaces and on each interface out of the router those WAN links connect to, is nat outside.
>
> I have changed their initial configuration based on NAT overload to an interface IP address to be a pool of addresses overloaded. I was hoping that the connections would spill over to the second IP in the pool at some stage sooner than the 8500 NAT connections I have currently, but no go. I may as well have NAT'd to 1 IP again :)
>
> Is there a way to overload NAT, but have it using more than 1 IP in the pool? e.g. a pool of 30 IPs, it's currently using 1.. I'd love the router to even round robin the use of IPs out of the pool but I can't play with the config to try it (live environment) and can't find any documentation online explaining exactly what I need NAT to do/not do :(
>
> Thanks,
>
> Em :)

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=60665&t=60663
Re: Load balancing & NAT [7:60663]
if you have a CCO customer account, there are a lot of articles in the TAC database

this one is a good start, I believe.

http://www.cisco.com/en/US/customer/tech/tk648/tk361/technologies_tech_note09186a0080093fca.shtml
watch the wrap.

HTH

--
TANSTAAFL
"there ain't no such thing as a free lunch"

""Emilia Lambros"" wrote in message news:[EMAIL PROTECTED]...
> Hi all,
>
> I have an application being load balanced at one site (sticky sessions set such that each connection from 1 IP will continue its transactions to the same server it started on) and at another site, the users accessing the load balanced application.
>
> The users come in from different office locations across private WAN links, nat inside is on each of their interfaces and on each interface out of the router those WAN links connect to, is nat outside.
>
> I have changed their initial configuration based on NAT overload to an interface IP address to be a pool of addresses overloaded. I was hoping that the connections would spill over to the second IP in the pool at some stage sooner than the 8500 NAT connections I have currently, but no go. I may as well have NAT'd to 1 IP again :)
>
> Is there a way to overload NAT, but have it using more than 1 IP in the pool? e.g. a pool of 30 IPs, it's currently using 1.. I'd love the router to even round robin the use of IPs out of the pool but I can't play with the config to try it (live environment) and can't find any documentation online explaining exactly what I need NAT to do/not do :(
>
> Thanks,
>
> Em :)

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=60664&t=60663
Load balancing & NAT [7:60663]
Hi all,

I have an application being load balanced at one site (sticky sessions set such that each connection from 1 IP will continue its transactions to the same server it started on) and at another site, the users accessing the load balanced application.

The users come in from different office locations across private WAN links, nat inside is on each of their interfaces and on each interface out of the router those WAN links connect to, is nat outside.

I have changed their initial configuration based on NAT overload to an interface IP address to be a pool of addresses overloaded. I was hoping that the connections would spill over to the second IP in the pool at some stage sooner than the 8500 NAT connections I have currently, but no go. I may as well have NAT'd to 1 IP again :)

Is there a way to overload NAT, but have it using more than 1 IP in the pool? e.g. a pool of 30 IPs, it's currently using 1.. I'd love the router to even round robin the use of IPs out of the pool but I can't play with the config to try it (live environment) and can't find any documentation online explaining exactly what I need NAT to do/not do :(

Thanks,

Em :)

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=60663&t=60663