Introduction

Cisco LocalDirector is a network appliance that load balances TCP/IP traffic across multiple servers. LocalDirector optimizes the performance of your site by distributing client requests across low-cost servers (called a server farm). LocalDirector reduces the cost of providing large-scale Internet services and accelerates user access to server farm applications.

With LocalDirector you can build a highly redundant and fault-tolerant server farm system. Mission-critical application servers are automatically and transparently placed in and out of service, providing fault tolerance. LocalDirector itself is available with a hot-standby failover mechanism, which builds increased redundancy for the server farm system.

LocalDirector serves as a transparent learning bridge to forward data packets between its interfaces. Because of its bridge capability, LocalDirector must not be installed on the network parallel to another bridge. Figure 1-1 shows a basic network configuration for LocalDirector.

Figure 1-1: LocalDirector Bridge Between Internet and Servers

The load-balancing functions of LocalDirector provide a flexible and adaptable method for directing TCP/IP traffic. LocalDirector load balances the following types of IP protocols, which can be specified for virtual servers and real servers:

Transmission Control Protocol (TCP)—This is the default protocol used by LocalDirector for IP packet transmission.
User Datagram Protocol (UDP)—With the protocol field set to udp, LocalDirector load balances UDP flows.

As a load balancer, LocalDirector can be configured to maximize the number of TCP/IP connections a server farm can manage. TCP/IP traffic is directed to different servers based on service, speed, quantity of connections, or client IP address. The servers can be a collection of heterogeneous hardware platforms and operating systems.

LocalDirector supports the two industry-standard modes of load balancing, as set with the redirection command:

Directed mode—Uses Network Address Translation (NAT) to translate the IP headers in packets. NAT provides quick setup with no network address changes and reduces system administration time.
Dispatched mode—Substitutes the Media Access Control (MAC) address of the server in the packet for the destination address, thus preserving the IP header information. Dispatched mode increases traffic throughput but requires the additional setup of assigning an alias IP address on a real server that matches the virtual IP address on LocalDirector. Dispatched mode should be used for UDP and for TCP when the IP address information must remain unchanged (for example, a multimedia application that embeds IP addresses).

LocalDirector Terminology

The following are LocalDirector terms and definitions:

Virtual server—The representation of an application server farm for clients. Referred to as the virtual_id argument in configuration commands. The value for a virtual_id argument includes the virtual server IP address or name, an optional port number and bind-id, and the protocol designator.
Real server—The internal representation of a physical server being load balanced. Referred to as the real_id argument in configuration commands. The value for a real_id argument includes the IP address or name of a real server, an optional port number and bind-id, and the protocol.
Bind-id—For a virtual server, used with the assign command to direct client requests (based on IP address) to a specific instance of a virtual server. For a real server, used to specify the binding to a unique virtual server.
Predictor—The algorithm used to determine which real server is assigned new connections for load balancing.
Failover—A mechanism for providing fault tolerance and high availability.
Dispatched mode—Places the MAC address of the load-balanced real server in a packet for redirection. The real server has an alias IP address that matches the virtual IP address on LocalDirector. This mode requires subnet adjacency.
Directed mode—Uses NAT to translate the IP headers in packets. NAT translates the IP address of the virtual server to the IP address of the real server that is being load balanced.
Service Manager—Using load balancing and server or application feedback, determines a Forwarding Agent and real server for the packet flow. Once the optimal destination is decided, all other packets in the packet flow are directed to a Forwarding Agent and real server, increasing packet throughput. Within the Cisco Appliance Server Architecture (CASA), the Service Manager function is carried out by the LocalDirector. (CASA is also known as Content Aware Services Architecture and Cisco Application and Services Architecture.)
Forwarding Agent—Fulfills routing decisions made by the Service Manager. Filters packets coming into the virtual network and sends the Service Manager packets without a known server destination. Within CASA, the Forwarding Agent function can be carried out by Cisco routers running with the Forwarding Agent software. Refer to this URL for information on Multi-Node Load Balancing products and technologies:

: http://www.cisco.com/warp/public/cc/pd/ibsw/mulb/

LocalDirector Features

The following list describes LocalDirector features:

Hot-standby stateful failover (optional)—The failover feature enables configuration of highly redundant, fault-tolerant systems.
High throughput—LocalDirector is scalable to meet the needs of large Web sites.
Real-time embedded operating system—This operating system provides full use of the hardware, CPU, and memory.
Simple migration into existing server farms—IP addresses need not be reconfigured when the directed mode of load balancing is used.
Combination of virtual addresses and physical addresses—This combination provides flexibility in domain names and network configuration.
Supports multiple IP addresses—With the use of the alias ip address command, the virtual server can be placed on a different IP network than the real servers without using a router.
Secure Socket Layer (SSL)—SSL extends implementation of the sticky command to use the SSL session ID instead of the client IP address as a key for stateful sticky connections. This allows the sticky command to effectively load balance traffic when proxy servers are used. LocalDirector supports SSL3 servers and SSL2/3 (hybrid) clients.
Transparent support is provided for all common TCP/IP Internet services.
Easy administration of servers—LocalDirector adds and removes servers transparently, and increases quantities of servers as traffic grows.
Compatible with any server operating system—Administrators can mix and match server hardware and operating systems to retain technology investments.
Support for Cisco Appliance Server Architecture (CASA)—CASA allows a standalone LocalDirector to implement Service Manager functionality.
IP precedence—LocalDirector can set an IP precedence value in the IP header, to and from virtual servers. This allows prioritizing of packets for different types of services on virtual servers. The Cisco Policy Manager software, version 1.0, can be used with LocalDirector to support a graphical user interface (GUI) version of this feature.
Support for multiple protocols—By default, LocalDirector supports TCP. You can also configure LocalDirector to load balance UDP connections.
Accelerated server load balancing (ASLB)—This feature accelerates load-balanced traffic when LocalDirector is connected to a Catalyst 6000 family switch.
SNMP support for GETs and traps—LocalDirector provides full support for SNMP GETs and traps as defined in the MIB II specification, RFC-1213. The community field can be specified within the snmp-server command.

LocalDirector Security

LocalDirector protects your network by allowing only specific traffic to pass between virtual and real servers, thus restricting both internal and external access to servers. LocalDirector security features include the following:

SecureAccess—LocalDirector can determine how to handle connections based on the source IP address of the client. When the assign command and the bind-id of the virtual server are used, traffic can be directed to a specific instance of a virtual server or dropped altogether based on the IP address of the user.
SecureBind—Use port-bound servers to restrict traffic to a specific port. TCP traffic to a port that is not specified is sent a reset packet (TCP RST). This feature is not used with UDP and GRE traffic.
SecureBridging—LocalDirector bridges traffic that was not destined for a virtual server. If a real server has a valid registered IP address, clients can access the server through its IP address. For security, you can turn bridging off and not allow direct access to real servers. When the secure command is used to turn bridging off for real servers, client traffic must go through a LocalDirector virtual address.
Secure IP address—Use the static command to translate the IP address of real servers to a virtual IP address. This hides the actual IP address of the real server, but allows it to go outside LocalDirector for information requests.

: The secure services configuration example in Chapter 3, "Configuring LocalDirector," provides implementation details for LocalDirector security features.

LocalDirector Concepts

LocalDirector concepts in this section include the following:

Virtual and Real Servers

A virtual server presents a single IP address that represents a group of real servers. Service requests to the virtual server are load balanced among the real servers. Real servers are actual host servers with unique IP addresses that provide TCP/IP services to the network. The virtual server IP address is published to the user community, but the real server IP addresses can remain unpublished, so that you can hide actual site implementation details and provide single points of contact for users.

Virtual server addresses can only be accessed from the client side of LocalDirector. Also, clients and the real servers bound to LocalDirector virtual servers cannot be located on the same side of LocalDirector.

Port-Bound Servers (SecureBind)

When you define virtual and real servers, you can specify the port traffic that runs on them, providing the following benefits:

You can configure application-specific server farms. In other words, with one virtual IP address and multiple virtual ports, File Transfer Protocol (FTP) traffic can be directed to one server farm, and Hypertext Transfer Protocol (HTTP) traffic can be sent to another, so that you can allocate resources more efficiently.
You can deny or accept access to a server based on service. For example, LocalDirector can deny all traffic except for HTTP traffic, providing increased security.
You can continue to access services on a server that has a failed service daemon. If a particular daemon fails, only that daemon or port fails, not the entire server. For example, multiple Web daemons might be running on the same server; if one Web daemon fails, only that TCP service fails, not the whole server. This setup increases server farm reliability.

Note If you have a TCP port-bound virtual server (for example, 192.168.89.220:80), traffic to any other port on the virtual server results in a TCP RST packet being returned to the client or server requesting the connection (applicable to TCP traffic only).

Client-Assigned Load Balancing

Using client-assigned load balancing, you can load balance clients to different real servers according to their source IP address. Client-assigned load balancing is accomplished by extending the concept of a virtual server to include a bind-id. The bind-id is used with the assign command to associate a client IP address with a specific instance of a virtual server.

There are many possible uses of this feature, including:

Grades of service—You can assign known users to a collection of more powerful servers that deliver faster service.
Special services—You can take users known to be a part of your company to an internal page, but send unknown users to a generic home page.
Not welcome mats—You can assign "problem" clients to a real server that displays a page indicating that the user is not welcome on your site.
Restricted access—Any client IP address not identified by an assign command statement is directed to the default bind-id of 0. If you do not create the bind-id 0 version of the virtual server, then only specified IP addresses have access; all other requests are blocked.

Server Failure Adjustments—TCP Only

If a server is not responding to requests or is responding with TCP RSTs, LocalDirector considers the server to have failed. There are two cases when a real server responds with a TCP RST:

The daemon servicing that type of traffic is down (for example, the HTTP daemon on port 80 has failed).
The server is too busy to accept any more connections.

Values set with the reassign and threshold commands determine whether a server is considered failed, and can adjust how quickly a server that is not accepting connections is taken out of service. The default threshold value is 8, and the default reassign value is 3. Each real server can have different threshold and reassign values. A reassign value of 0 prevents the real server from being tested.

The reassign command controls how many times a connection synchronization (TCP SYN) packet from a requesting client is sent to a nonresponsive server before it is reassigned to another server. The default is three TCP SYN packets. After the third packet receives no response or a TCP RST from the server, the fourth packet is sent to another server.

Each reassign process increments the reassign tally by one. When the tally reaches the threshold value, the server is considered failed. With a default threshold value of 8, the reassign process will happen eight times before the server is considered failed.

To increase the rate at which servers are considered failed, reduce the threshold and reassign values. To keep servers that are refusing connections from being failed by LocalDirector, increase the threshold and reassign values. (For example, a site receiving 400 connections per second may need to increase the threshold value to 30.)

The retry command determines how quickly a server is put in "testing" mode and given another packet after being failed by this process. The retry default is 60 seconds. On the 61st second, a connection from a virtual server is directed to the server to determine if it responds. If that connection receives a response, the server is no longer in the failed state, and is put back in service with the reassign and threshold tallies reset to 0. To increase how quickly a server is given a packet after being failed by LocalDirector, reduce the value of the retry command.

Note Because a live connection is used to retry a failed server, a virtual server bound to the real server must also receive a connection to send to it. If the virtual server has no traffic, the real server stays in testing mode until a live connection is established, regardless of the retry value.

The autounfail command brings a failed server back in service immediately if it responds with data on an existing connection (established before it was failed by LocalDirector). LocalDirector puts the server into testing mode, and if it responds to a new live connection, it is then put in service. If the server does not accept the new connection (either by not answering or by responding with a TCP RST), then the connection is marked as failed again.

When the autounfail command is enabled (it is by default), LocalDirector brings the server back in service as soon as it responds to an existing connection. The server is brought back in service before waiting for the retry time to pass, working only with servers that are responding with data.

The data command limits the number of connections sent to a server that is not sending data. When a real server reaches the number of unanswered connections set with the data command, LocalDirector checks whether other servers bound to the virtual server are also at 80 percent of their threshold capacity (DataIn value from the output of the show real command). If the other servers are close to reaching this value, LocalDirector assumes the site is busy and does not fail the server.

The timeout command sets the number of minutes an idle connection to the server is maintained, preventing incomplete connections from being counted toward LocalDirector load balancing.

Failed Server Recovery

When a real server is failed (it does not respond to a predetermined number of connections set by the threshold command), the following process is used to test whether the real server is ready to accept more connections:

After the number of minutes set with the retry command has passed (the default is 1 minute), the real server is put into the "testing" state. If the show real command is used while in the testing state, testing is displayed in the output.
In the testing state, the server receives one live connection from a client. If the server responds, it is moved back into the "IS" (in service) state; however, if the real server does not respond (or if it responds with a TCP RST), it is moved back to the "failed" state and it is retried again after the number of minutes set with the retry command has passed (as before).

Slowstart

An automatic slowstart algorithm is available to help bring new servers up to speed with the weighted or leastconns options of the predictor command.

Previously, a server brought into service under heavy network traffic would be bombarded with connections because it had 0 connections. The effect of too many connections at once would disable servers or seriously decrease their performance.

The slowstart option can be set using the roundrobin or none options of the predictor command. The roundrobin slowstart option load balances network connections until network traffic is stable. When the number of connections on all bound real servers is within 80 percent of the desired distribution, the predictor switches to either weighted or leastconns, as specified in the configuration.

Slowstart is used in the following instances:

A new real server is bound to a virtual server.
A virtual server just comes out of a failed state to the in-service state.
A real server is taken from the failed or out-of-service state and put in service.
A real server is taken from the maintenance state and put in service.
A real server is taken from an external failed state to an in-service state.
An option of the predictor command for the virtual server is changed.

Note Slowstart is only used with the leastconns and weighted options of the predictor command.

User Datagram Protocol Traffic Support

In software version 3.1 and later, LocalDirector supports User Datagram Protocol (UDP) load balancing, including a mix of UDP with TCP control streams. UDP streams are kept active with the timeout command.

Note In directed mode, LocalDirector does not support applications that need an internal IP address translation (that is, where the IP address is contained in the data portion of the IP packet). Applications using embedded IP addresses should use the dispatch mode.

You can set the number of minutes a UDP connection is active by using the timeout command. When a UDP packet is received on the virtual server, LocalDirector checks the connection cache, looking for an existing connection. If the connection exists, the connection timer is restarted. If the connection does not exist, LocalDirector selects a real server for the virtual server in the normal way, based on the predictor command option configured for the server, as in a TCP-based connection.

For failure of UDP real servers in software version 3.3 and later, LocalDirector watches for an ICMP port unreachable message.

Note A timeout command set to 0 for the real server prevents LocalDirector from caching connection objects. You must then use the predictor command with the roundrobin or loaded arguments.

When an application uses a known connection port, the buddy command can be used to group the connections to ensure that activity on one stream updates timers on all streams.

IP Precedence

IP precedence allows a value or keyword to be added to the IP header information. This value or keyword determines the priority for processing these packets in the routers. The color command in LocalDirector, in conjunction with the Cisco Quality of Service (QoS) Policy Manager, supports the use of an IP precedence value on a virtual server basis. A site can assign each type of service it has to a different virtual server. Each virtual server is assigned an IP precedence value.

Accelerated Server Load Balancing

Accelerated server load balancing (ASLB) allows LocalDirector to use the faster packet-switching speed of Catalyst 6000 family switches to accelerate load-balanced traffic. The Catalyst 6000 family switch forwards the first packet in a flow through LocalDirector, which selects the real server for the connection. The Catalyst 6000 family switch forwards all subsequent packets directly to and from the real server until the client or the server terminates or resets the connection.

ASLB operates on any LocalDirector model with LocalDirector Version 3.2 and later software. Dispatched assisted mode has been added to the redirection command to enable ASLB. Two 10/100BASE-T (all LocalDirector models) or two 1000BASE-SX Gigabit Ethernet ports (LocalDirector 430 only) are required for interface connections with the Catalyst 6000 family switches.

With the Catalyst 6000 family switches, you can specify up to 1024 server virtual IP addresses and TCP port pairs for ASLB. For instructions on configuring Catalyst 6000 family switches, refer to the Catalyst 6000 Family Accelerated Server Load Balancing Installation and Configuration Note.

Multi-Node Load Balancing Environment

LocalDirector uses the Cisco Appliance Server Architecture (CASA) to exist in the Multi-Node Load Balancing (MNLB) environment. In the MNLB environment, LocalDirector is configured as a Service Manager. Cisco routers are configured as Forwarding Agents. The Service Manager determines the load balancing for the Forwarding Agents, based on information it receives from real servers. This increases network efficiency and scalability, and also adds application-aware balancing.

Buddy Virtuals

With UDP support, a client requests a service from a server and the server responds with the requested data. Generally, a TCP connection is received from the client on the server over a well-known port. As a result of that TCP control connection, the server sends back one or more UDP sessions with the data encapsulated in IP datagrams.

UDP is a connectionless transport layer protocol. If the TCP control connection fails, UDP data flow stops. UDP continues as long as the TCP control connection is active.

LocalDirector Hardware Platforms

The LocalDirector 417 platform is introduced in software version 3.3.4. LocalDirector introduced the 430 and 416 hardware platforms in software version 2.2.1. Support continues for the previous LocalDirector hardware platforms (the 410, 415, and 420).

For LocalDirector installation instructions and information, see the hardware installation guide that is shipped with your LocalDirector.

LocalDirector 417 Platform

Local Director software version 3.3.4 supports the 417 platform. Minimum system requirements are:

512 MB of RAM
16 MB Flash memory
Two integrated 10/100BASE-T Ethernet/Fast Ethernet interface cards with RJ-45 receptacles that support autodetect mode and full-duplex operation
One-RJ-45 console port
One DB-15 failover port

LocalDirector 430

The LocalDirector 430 platform minimum system requirements are:

384 MB of RAM
2 MB of Flash memory
One four-port 10/100 BASE-T Ethernet interface card, optional FDDI card, optional Gigabit Ethernet (GigE) card
19-inch (48.26-cm) rack-mount enclosure
DB-9 EIA/TIA-323 console interface port
3.5-inch disk drive

LocalDirector 416

The LocalDirector 416 platform minimum system requirements are:

32 MB of RAM
2 MB of Flash memory
Three 10/100 BASE-T Ethernet interface ports
19-inch (48.26-cm) rack-mount enclosure
DB-9 EIA/TIA-323 console interface port
3.5-inch diskette drive

Table of Contents

Introduction