Link Load Balance A10 Thunder


This topic contains 12 replies, has 5 voices, and was last updated by ianishar 3 months, 1 week ago.

    #13282
    facevedo
    Member

    Hi Everyone!

    I would like to know what the best way is to do load balancing on my A10 if I have 3 ISP links.

    Example

    LOCAL NET --> Inside -- A10 -- Outside -- 3 ISP links

    I understand that this is done with a Wildcard VS, but I would like to be sure of that.

    Please help me if you can.

    #13292
    yannt
    Member

    Hi facevedo,

    This is correct, you should use a Wildcard VIP to catch the traffic destined for Internet IPs.

    Please find below a working “basic” config example (ACOS 4.x or later):

    
    vlan 150
     untagged ethernet 1
     router-interface ve 150
     name "Inside"
    !
    vlan 500
     untagged ethernet 2
     router-interface ve 500
     name "Outside_ISP_A"
    !
    vlan 501
     untagged ethernet 3
     router-interface ve 501
     name "Outside_ISP_B"
    !
    interface ve 150
     ip address 192.168.100.254
     ip allow-promiscuous-vip
    !
    interface ve 500
     ip address 10.10.0.1 255.255.255.0
    !
    interface ve 501
     ip address 10.10.1.1 255.255.255.0
    !
    interface ethernet 1
     enable
    !
    interface ethernet 2
     enable
    !
    interface ethernet 3
     enable
    !
    ip nat pool ISP_A 10.10.0.50 10.10.0.50 netmask /24 
    !
    ip nat pool ISP_B 10.10.1.50 10.10.1.50 netmask /24 
    !
    ip nat pool-group NAT_Internet 
      member ISP_A 
      member ISP_B 
    !
    slb server ISP_A 10.10.0.254
       port 0 tcp
           health-check-disable
       port 0 udp
           health-check-disable
    !
    slb server ISP_B 10.10.1.254
       port 0 tcp
           health-check-disable
       port 0 udp
           health-check-disable
    !
    slb service-group Internet_TCP tcp
        member ISP_A 0
        member ISP_B 0
    !
    slb service-group Internet_UDP udp
        member ISP_A 0
        member ISP_B 0
    !
    slb virtual-server VIP 0.0.0.0
       port 0 tcp
          source-nat pool NAT_Internet
          service-group Internet_TCP
          use-rcv-hop-for-resp
          no-dest-nat
       port 0 udp
          source-nat pool NAT_Internet
          service-group Internet_UDP
          use-rcv-hop-for-resp
          no-dest-nat
       port 0 others
          source-nat pool NAT_Internet
          service-group Internet_TCP
          use-rcv-hop-for-resp
          no-dest-nat
    
    #13302
    facevedo
    Member

    Hi, Thanks for your reply….

    I have a question: what about the ICMP traffic that is outgoing to my network?

    How can I allow my LAN users to reach something on the Internet through ICMP?

    EXAMPLE

    LAN --> A10 --> ISP --> TEST icmp 8.8.8.8

    Maybe create another VS type?

    Best Regards!

    Fabián A.

    #13312
    yannt
    Member

    Hi Fabian,

    You have 3 types of Service configured under the Wildcard VIP: TCP/UDP/Others.
    ICMP traffic is managed through Others. With the given configuration, any type of traffic is load balanced across the 2 ISP routers.

    Regards,
    Yann

    #13322
    facevedo
    Member

    Thanks again Yannt, I did that and it works well; however, I have some trouble with persistent connections, particularly destination persistence.

    EXAMPLE
    User goes to internet --> ISP IP 1 --> SITE WWW
    Sometimes the replies on the websites go to another IP.

    Is there a recommended way to do this?

    Best Regards!

    #13332
    tjones
    Member

    Try to add persistence:
    !
    slb template persist source-ip src-ip-persist
       timeout 10
    !
    slb template persist destination-ip LLB-persist-dest
       netmask 255.255.255.0
       timeout 10
    !
    slb virtual-server LLB_vip 0.0.0.0
       port 0 tcp
          name _wildcard_TCP_65535
          source-nat pool ISP-NAT-Group
          service-group sg_pool-isp1-2-tcp
          use-rcv-hop-for-resp
          no-dest-nat
          ha-conn-mirror
          template persist destination-ip LLB-persist-dest
       port 0 udp
          name _wildcard_UDP_65535
          source-nat pool ISP-NAT-Group
          service-group sg_pool-isp1-2-udp
          use-rcv-hop-for-resp
          template udp vpn-ageout
          no-dest-nat
          template persist source-ip src-ip-persist
       port 0 others
          name _wildcard_Others_65535
          source-nat pool ISP-NAT-Group
          service-group sg_pool-isp1-2
          use-rcv-hop-for-resp
          no-dest-nat
          template persist destination-ip LLB-persist-dest
       port 21 ftp
          name _wildcard_FTP_21
          source-nat pool ISP-NAT-Group
          service-group ISP1
          use-rcv-hop-for-resp
          no-dest-nat
          ha-conn-mirror
          template persist destination-ip LLB-persist-dest

    #13342
    facevedo
    Member

    Thanks, I did that, but I'm still having some trouble:

    slb virtual-server wildcard-vip 0.0.0.0
        port 0 tcp
           name _wildcard_v4_TCP_0
           source-nat pool outbound-nat-group
           service-group outbound-tcp-links
           use-rcv-hop-for-resp
           template tcp TCP-5
           no-dest-nat
           template persist destination-ip LLB-persist-dest
        port 0 udp
           name _wildcard_v4_UDP_0
           source-nat pool outbound-nat-group
           service-group outbound-udp-links
           use-rcv-hop-for-resp use-src-ip-for-dst-persist
           no-dest-nat
        port 0 others
           name _wildcard_v4_Others_0
           source-nat pool outbound-nat-group
           service-group outbound-tcp-links
           use-rcv-hop-for-resp use-src-ip-for-dst-persist
           no-dest-nat

    I have 3 public IPs:

    for example 100.100.100.100, 100.100.100.101 and 100.100.100.102

    When I query a site, http://www.example.com

    In the session I can see that the public IP from the A10 changes; it is as if it does not keep the dst-persistence.

    Regards!

    #13352
    yannt
    Member

    I’m not sure I understand where the issue is.

    Using persistence means the A10 will forward the traffic through the SAME gateway, depending on the persistence type (per client SRC IP or per server DST IP). Persistence does not mean the A10 will always reuse the same SRC-NAT IP (if there are multiple IPs in the same NAT pool) for outgoing traffic through an ISP.

    Can you please share your config for a full review? Can you please also give more details about the behaviour you are seeing and what you are expecting?

    Thanks

    #13422
    facevedo
    Member

    Hi, I have attached the configuration file….
    Regards!

    #13442
    jserrano
    Member

    Hi,
    Persistence just keeps gateway consistency. If you also want to keep the same source-NAT IP, then you need to add “clientip-sticky-nat” to the outbound virtual services (tcp, udp & others). From the CLI guide:

    Description: Configure client stickiness for outbound NHLD.
    Syntax: [no] clientip-sticky-nat
    Default: Disabled
    Mode: Virtual port
    Introduced in: Release 2.7.0
    Usage: Sticky NAT for outbound Next Hop Load Distributor (NHLD) provides a virtual-port option to ensure the ACOS device always uses the same outbound link for a given client’s traffic. You can enable it on individual virtual ports.
    NOTE: The Sticky NAT option applies only to NHLD. The option does not apply to other features, such as SLB.

    Regards
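
An added example, not part of any post in this thread and not A10 code: a small Python audit that reads an ACOS-style config and reports, for each virtual port under a 0.0.0.0 wildcard virtual server, its source-NAT pool, its persistence template type, and whether `clientip-sticky-nat` is set. The function name and the embedded sample (facevedo's posted wildcard VIP with the `name` lines left out) are assumptions of this example, and top-level stanzas are assumed to start in column 0 as in an exported config.

```python
import re

# Constructed sample: facevedo's wildcard VIP from this thread, "name" lines omitted.
SAMPLE_CONFIG = """\
slb virtual-server wildcard-vip 0.0.0.0
   port 0 tcp
      source-nat pool outbound-nat-group
      service-group outbound-tcp-links
      use-rcv-hop-for-resp
      template tcp TCP-5
      no-dest-nat
      template persist destination-ip LLB-persist-dest
   port 0 udp
      source-nat pool outbound-nat-group
      service-group outbound-udp-links
      use-rcv-hop-for-resp use-src-ip-for-dst-persist
      no-dest-nat
   port 0 others
      source-nat pool outbound-nat-group
      service-group outbound-tcp-links
      use-rcv-hop-for-resp use-src-ip-for-dst-persist
      no-dest-nat
"""

def audit_wildcard_ports(config):
    """Return one dict per virtual port found under a 0.0.0.0 virtual-server."""
    ports, in_wildcard, current = [], False, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        if not raw[0].isspace():  # assumption: top-level stanzas start in column 0
            m = re.match(r"slb virtual-server \S+ (\S+)$", line)
            in_wildcard, current = bool(m and m.group(1) == "0.0.0.0"), None
        elif in_wildcard:
            m = re.match(r"port (\d+) (\S+)$", line)
            if m:
                current = {"port": int(m.group(1)), "proto": m.group(2),
                           "nat_pool": None, "persist": None, "sticky_nat": False}
                ports.append(current)
            elif current is not None:
                words = line.split()
                if words[:2] == ["source-nat", "pool"]:
                    current["nat_pool"] = words[2]
                elif words[:2] == ["template", "persist"]:
                    current["persist"] = words[2]  # e.g. destination-ip
                elif line == "clientip-sticky-nat":
                    current["sticky_nat"] = True
    return ports
```

On the sample, only the tcp port reports a persistence template and no port reports `clientip-sticky-nat`.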

    #13452
    facevedo
    Member

    JSerrano… OK, I understand that… I will try it now and test the behavior on the network… Thanks! I will report back after the test.

    #13462
    facevedo
    Member

    Hi everyone, it all works fine… Thanks for your advice!

    Regards!!

    #13882
    ianishar
    Member

    Hi facevedo,

    Can you upload your configuration? I want to see it.
    Thanks
