|
If you have a remote-client configuration in which you are using two or more VPN Concentrators connected on the same network to handle remote sessions, you can configure these devices to share their session load. This feature is called load balancing. Load balancing directs session traffic to the least loaded device, thus distributing the load among all devices. It makes efficient use of system resources and provides increased performance and high availability.
Note Load balancing is effective only on remote sessions initiated with the Cisco VPN Client (Release 3.0 and later) or the Cisco VPN 3002 Hardware Client (Release 3.5). All other clients, including LAN-to-LAN connections, can connect to a VPN Concentrator on which load balancing is enabled, but they cannot participate in load balancing. |
To implement load balancing, you group together logically two or more devices on the same private LAN-to-LAN network, private subnet, and public subnet into a virtual cluster.
All devices in the virtual cluster carry session loads. One device in the virtual cluster, the virtual cluster master, directs incoming calls to the other devices, called secondary devices. The virtual cluster master monitors all devices in the cluster, keeps track of how busy each is, and distributes the session load accordingly. The role of virtual cluster master is not tied to a physical device; it can shift among devices. For example, if the current virtual cluster master fails, one of the secondary devices in the cluster takes over that role and immediately becomes the new virtual cluster master.
The virtual cluster appears to outside clients as a single virtual cluster IP address. This IP address is not tied to a specific physical device. It belongs to the current virtual cluster master; hence, it is virtual. A VPN Client attempting to establish a connection connects first to this virtual cluster IP address. The virtual cluster master then sends back to the client the public IP address of the least-loaded available host in the cluster. In a second transaction (transparent to the user), the client connects directly to that host. In this way, the virtual cluster master directs traffic evenly and efficiently across resources.
Note All clients other than the Cisco VPN Client or the Cisco 3002 Hardware Client connect directly to the VPN Concentrator as usual; they do not use the virtual cluster IP address. |
If a machine in the cluster fails, the terminated sessions can immediately reconnect to the virtual cluster IP address. The virtual cluster master then directs these connections to another active device in the cluster. Should the virtual cluster master itself fail, a secondary device in the cluster immediately and automatically takes over as the new virtual session master. Even if several devices in the cluster fail, users can continue to connect to the cluster as long as any one device in the cluster is up and available.
Before you can configure load balancing on a VPN Concentrator, you must do the following:
In the Configuration | Interfaces window, check to see that the public and private interfaces have been defined and have status UP. If either interface is undefined, you must define it now. For more information on defining interfaces, see the section on Configuration | Interfaces.
Complete the following steps to configure the filters for the private and public interfaces to allow the VCA load balancing protocol:
Step 2 Select the General tab.
Step 3 Click the drop-down Filter menu button and choose Private (Default).
Step 4 Click Apply.
Step 5 In the Configuration | Interface window, select Ethernet2 (Public). The Configuration | Interfaces | Ethernet2 window appears.
Step 6 Select the General tab.
Step 7 Click the drop-down Filter menu button and choose Public (Default).
Step 8 Click Apply.
Step 9 Open the Configuration | Policy Management | Traffic Management | Filters window.
Step 10 Select Private (Default) from the Filter list.
Step 11 Click Assign Rules to Filter. The Configuration | Policy Management | Traffic Management | Assign Rules to Filter window appears.
Step 12 Make sure that VCA In (forward/in) and VCA Out (forward/out) are in the Current Rules in Filter list. If they are not in this list, add them.
Step 13 Click Done.
Step 14 In the Configuration | Policy Management | Traffic Management | Filters window, select Public (Default) from the Filter list.
Step 15 Click Assign Rules to Filter. The Configuration | Policy Management | Traffic Management | Assign Rules to Filter window appears.
Step 16 Make sure that VCA In (forward/in) and VCA Out (forward/out) are in the Current Rules in Filter list. If they are not in this list, add them.
Step 17 Click Done.
Step 18 Click the Save Needed icon to save your edits.
This screen allows you to enable load balancing on the VPN Concentrator.
Enabling load balancing involves two steps:
Step 2 Configure the device: enable load balancing on the device and define device-specific properties. These values vary from device to device.
Before you can enable load balancing on your VPN Concentrator, you must complete the steps outlined in the Preliminary Steps section.
Establish a virtual cluster by defining a common VPN virtual cluster IP address, UDP port, and shared secret. These values must be identical on every device in the virtual cluster.
Note All devices in the virtual cluster must be on the same public and private IP subnet. |
Enter the single IP address that represents the entire virtual cluster. Choose an IP address that is within the public subnet address range shared by all the VPN Concentrators in the virtual cluster.
If another application is using this port, enter the UDP destination port number you want to use for load balancing.
The VPN Concentrators in the virtual cluster communicate via LAN-to-LAN tunnels using IPSec. To ensure that all load-balancing information communicated between the VPN Concentrators is encrypted, check the Encryption check box.
This option is available only if you have checked the preceding Encryption option. Enter the IPSec shared secret for the virtual cluster. The shared secret is a common password that authenticates members of the virtual cluster. IPSec uses the shared secret as a pre-shared key to establish secure tunnels between virtual cluster peers.
Re-enter the IPSec shared secret.
Configure the following fields to establish this VPN Concentrator as a member of the virtual cluster.
Check the Load Balancing Enable check box to include this VPN Concentrator in the virtual cluster.
Enter a priority for this VPN Concentrator within the virtual cluster. The priority is a number from 1 to 10 that indicates the likelihood of this device becoming the virtual cluster master either at start-up or when an existing master fails. The higher you set the priority (for example 10), the more likely this device becomes the virtual cluster master.
If your virtual cluster includes different models of VPN Concentrators, we recommend that you choose the device with the greatest load capacity to be the virtual cluster master. For this reason, priority defaults are hardware dependent. (See Table 13-1.)
If your virtual cluster is made up of identical devices (for example, if all the devices in the virtual cluster are VPN Concentrator 3060s), set the priority of every device to 10. Setting all identical devices to the highest priority shortens the length of time needed to select the virtual cluster master.
If the devices in the virtual cluster are powered up at different times, the first device to be powered up assumes the role of virtual cluster master. Because every virtual cluster requires a master, each device in the virtual cluster checks at power-up to ensure that the cluster has a virtual master. If none exists, that device takes on the role. Devices powered up and added to the cluster later become secondary devices.
If all the devices in the virtual cluster are powered up simultaneously, the device with the highest priority setting becomes the virtual cluster master.
If two or more devices in the virtual cluster are powered up simultaneously and both have the highest priority setting, the one with the lowest IP address becomes the virtual cluster master.
Once the virtual cluster is established and operating, if the VPN Concentrator that holds the role of the virtual cluster master should fail, the secondary device with the highest priority setting takes over. Again in this case, if two or more devices in the virtual cluster both have the highest priority setting, the one with the lowest IP address becomes the virtual cluster master.
If this VPN Concentrator is behind a firewall using NAT, NAT has assigned it a public IP address. Enter the NAT IP address.
If this device is not using NAT, enter 0.0.0.0. The default setting is 0.0.0.0.
To add this VPN concentrator to the specified virtual cluster and thus establish load balancing on this device, click Apply. The Manager returns to the Configuration | System screen.
To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.
To discard your entries, click Cancel. The Manager returns to the Configuration | System screen.
Posted: Wed Jul 16 12:45:19 PDT 2003
All contents are Copyright © 1992--2003 Cisco Systems, Inc. All rights reserved.
Important Notices and Privacy Statement.