Server Load Balancing for VPN Clients


The Cisco IOS server load balancing (SLB) feature is an IOS-based solution that provides IP server load balancing. Using the IOS SLB feature, you can define a virtual server that represents a group of real servers in a cluster of network servers known as a server farm. In this environment, the clients connect to the IP address of the virtual server. When a client initiates a connection to the virtual server, the IOS SLB function chooses a real server for the connection based on a configured load-balancing algorithm.

For more information on server load balancing, see http://www.cisco.com/univercd/cc/td/doc/product/software/ios121/121newft/121limit/121e/121e9/iosslb9e.htm#2711438.

In the Cisco network-based IPSec VPN solution release 1.5, server load balancing is necessary to distribute a large number of IPSec tunnels over multiple IOS devices.

A Cisco NPE-400 with VAM can accommodate up to 1500 clients or layer 2 tunnels. The Cisco network-based IPSec VPN solution release 1.5 can be scaled up using multiple Cisco 7200 routers stacked behind a load-balancer.

Below is a sample configuration for server load balancing that uses a Cisco Catalyst 6500 switch with the SLB feature to distribute the client tunnels. The related configurations for the two Cisco 7200 routers that form the server farm follow it. Comments are marked with << to the right of the command they describe.

ip slb probe IPSEC ping                      << ping is used to determine the availability of each 7200
 address 220.1.1.1                           << loopback address on the 7200 (Loopback1 below); this is the crypto endpoint address
 interval 10
 faildetect 30
!
ip slb serverfarm IPSEC
 failaction purge                            << if a real server (7200) fails, purge its connections from the database
 probe IPSEC                                 << reference to the probe defined above
 !
 real 192.168.1.1                            << the real server address
  weight 1                                   << change the weight to divide IPSec tunnels unequally between the servers
  maxconns 4000                              << maximum number of connections to this server
  faildetect numconns 255
  inservice
 !
 real 192.168.2.1
  weight 1
  maxconns 3200
  inservice
!
ip slb vserver ESP
 virtual 220.1.1.1 esp                       << the virtual server address
 serverfarm IPSEC
 sticky 3600 group 1                         << the sticky group ties a client's IPSec (ESP), IKE and NAT-transparency flows to the same real server
 inservice
!
ip slb vserver IKE
 virtual 220.1.1.1 udp isakmp
 serverfarm IPSEC
 sticky 3600 group 1
 inservice
!
ip slb vserver NAT-T
 virtual 220.1.1.1 udp 4500
 serverfarm IPSEC
 sticky 3600 group 1
 inservice
!
interface FastEthernet4/2                    << uplink to the Internet gateway
 ip address 212.1.1.1 255.255.255.0
 duplex full
 speed 100
!
interface FastEthernet4/3                    << connection to the first Cisco 7200 router
 ip address 192.168.1.2 255.255.255.0
 duplex full
 speed 100
!
interface FastEthernet4/4                    << connection to the second Cisco 7200 router
 ip address 192.168.2.2 255.255.255.0
 duplex full
 speed 100
!
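The sticky-group and failaction purge behaviour the configuration above relies on, modelled as an added example (not code from the Cisco document): a small Python simulation of how an IOS SLB sticky group pins a client's IKE, ESP and NAT-T flows to one real server and re-selects after a probe failure. The class and method names are hypothetical, and the weighted round-robin and sticky-table logic is a simplified illustration rather than the IOS implementation; addresses, weights, maxconns and the 3600-second sticky timer come from the sample.

```python
# Added example, not from the Cisco document: a simplified model of the IOS SLB
# behaviour the sample relies on. Class/method names are hypothetical.
from dataclasses import dataclass

@dataclass
class Real:
    ip: str
    weight: int
    maxconns: int
    conns: int = 0
    inservice: bool = True

class StickyGroupSlb:
    """ESP, IKE (udp/500) and NAT-T (udp/4500) vservers share sticky group 1,
    so every flow from one client is sent to the same real server."""
    def __init__(self, reals, sticky_seconds=3600):
        self.reals, self.sticky_seconds = reals, sticky_seconds
        self.sticky = {}   # client ip -> (real ip, last seen)
        self._rr = 0

    def _select(self):
        # Weighted round robin over in-service reals with spare capacity.
        pool = [r for r in self.reals if r.inservice and r.conns < r.maxconns
                for _ in range(r.weight)]
        if not pool:
            return None
        self._rr += 1
        return pool[(self._rr - 1) % len(pool)]

    def assign(self, client_ip, vserver, now):
        """Pick the real for a flow from client_ip to vserver at time now."""
        real_ip, seen = self.sticky.get(client_ip, (None, 0))
        real = next((r for r in self.reals if r.ip == real_ip), None)
        if not (real and real.inservice and now - seen < self.sticky_seconds):
            real = self._select()           # no usable sticky entry: re-select
            if real is None:
                return None                 # all reals down or at maxconns
        real.conns += 1
        self.sticky[client_ip] = (real.ip, now)
        return real.ip

    def fail(self, real_ip):
        """Probe failure with 'failaction purge': drop the real's connections
        and sticky entries so its clients re-select instead of hanging."""
        for r in self.reals:
            if r.ip == real_ip:
                r.inservice, r.conns = False, 0
        self.sticky = {c: e for c, e in self.sticky.items() if e[0] != real_ip}
```

Without the shared sticky group, a client's IKE negotiation could complete on one 7200 while its ESP traffic is balanced to the other, which has no SA for it.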

The first server is a Cisco 7200 series router.

hostname EUROPA-7200
!
tag-switching tdp router-id Loopback0        << make sure you define the TDP router ID
!
crypto map crypmap local-address Loopback1   << the Loopback1 address is used as the crypto local address
!
interface Loopback0
 ip address 101.1.1.9 255.255.255.255        << this address is different on each Cisco 7200 router
!
interface Loopback1
 ip address 220.1.1.1 255.255.255.255        << same as the virtual address defined on the SLB
!
interface FastEthernet0/0
 ip address 192.168.1.1 255.255.255.0        << private or internal address (the real server address in the SLB server farm)
 no ip unreachables
 duplex full
 speed 100
 crypto map crypmap

The second server is a Cisco 7200 series router.

hostname EUROPA-7200-2
!
tag-switching tdp router-id Loopback0
!
crypto map crypmap local-address Loopback1
!
interface Loopback0
 ip address 101.1.1.44 255.255.255.255
!
interface Loopback1
 ip address 220.1.1.1 255.255.255.255
!
interface FastEthernet0/0
 ip address 192.168.2.1 255.255.255.0
 no ip unreachables
 duplex full
 speed 100
 crypto map crypmap

Posted: Tue May 20 12:27:39 PDT 2003
All contents are Copyright © 1992--2003 Cisco Systems, Inc. All rights reserved.
Important Notices and Privacy Statement.