Link Load Balance A10 Thunder

Hi Everyone!

I would like to know the best way to load balance on my A10 if I have 3 ISP links.

Example

LOCAL NET ---> Inside -- A10 --Outside ----3 ISP links

I understand that it is done with a Wildcard VS, but I would like to be sure of that.

Please help me if you can.

Comments

  • yannt Member
    edited November 2017
    Hi facevedo,

    This is correct, you should use a Wildcard VIP to catch the traffic destined to Internet IPs.

    Please find below a working "basic" config example (ACOS 4.x or later):
    vlan 150
     untagged ethernet 1
     router-interface ve 150
     name "Inside"
    !
    vlan 500
     untagged ethernet 2
     router-interface ve 500
     name "Outside_ISP_A"
    !
    vlan 501
     untagged ethernet 3
     router-interface ve 501
     name "Outside_ISP_B"
    !
    interface ve 150
     ip address 192.168.100.254
     ip allow-promiscuous-vip
    !
    interface ve 500
     ip address 10.10.0.1 255.255.255.0
    !
    interface ve 501
     ip address 10.10.1.1 255.255.255.0
    !
    interface ethernet 1
     enable
    !
    interface ethernet 2
     enable
    !
    interface ethernet 3
     enable
    !
    ip nat pool ISP_A 10.10.0.50 10.10.0.50 netmask /24 
    !
    ip nat pool ISP_B 10.10.1.50 10.10.1.50 netmask /24 
    !
    ip nat pool-group NAT_Internet 
      member ISP_A 
      member ISP_B 
    !
    slb server ISP_A 10.10.0.254
       port 0 tcp
           health-check-disable
       port 0 udp
           health-check-disable
    !
    slb server ISP_B 10.10.1.254
       port 0 tcp
           health-check-disable
       port 0 udp
           health-check-disable
    
    slb service-group Internet_TCP tcp
        member ISP_A 0
        member ISP_B 0
    !
    slb service-group Internet_UDP udp
        member ISP_A 0
        member ISP_B 0
    !
    slb virtual-server VIP 0.0.0.0
       port 0 tcp
          source-nat pool NAT_Internet
          service-group Internet_TCP
          use-rcv-hop-for-resp
          no-dest-nat
       port 0 udp
          source-nat pool NAT_Internet
          service-group Internet_UDP
          use-rcv-hop-for-resp
          no-dest-nat
       port 0 others
          source-nat pool NAT_Internet
          service-group Internet_TCP
          use-rcv-hop-for-resp
          no-dest-nat
    
  • facevedo Member
    edited November 2017
    Hi, thanks for your reply.

    I have a question: what about the ICMP traffic that is outgoing to my network?

    How can I permit my LAN users to reach something on the Internet through ICMP?

    EXAMPLE

    LAN --> A10 --> ISP --> TEST icmp 8.8.8.8

    Maybe create another VS type?

    Best Regards!

    Fabián A.
  • yannt Member
    edited November 2017
    Hi Fabian,

    You have 3 types of service configured under the Wildcard VIP: TCP/UDP/Others.
    ICMP traffic is managed through Others. With the given configuration, any type of traffic is load balanced across the 2 ISP routers.

    Regards,
    Yann
  • facevedo Member
    edited November 2017
    Thanks again Yann, I did that and it works well; however, I have some trouble with persistent connections, particularly the destination persistence.

    EXAMPLE
    User goes to internet ---> ISP IP 1 ---> SITE WWW
    Sometimes the replies on the websites go to another IP

    Is there a recommended way to do this?

    Best Regards!
  • edited November 2017
    Try to add persistence:
    !
    slb template persist source-ip src-ip-persist
       timeout 10
    !
    slb template persist destination-ip LLB-persist-dest
       netmask 255.255.255.0
       timeout 10
    !
    slb virtual-server LLB_vip 0.0.0.0
       port 0 tcp
          name _wildcard_TCP_65535
          source-nat pool ISP-NAT-Group
          service-group sg_pool-isp1-2-tcp
          use-rcv-hop-for-resp
          no-dest-nat
          ha-conn-mirror
          template persist destination-ip LLB-persist-dest
       port 0 udp
          name _wildcard_UDP_65535
          source-nat pool ISP-NAT-Group
          service-group sg_pool-isp1-2-udp
          use-rcv-hop-for-resp
          template udp vpn-ageout
          no-dest-nat
          template persist source-ip src-ip-persist
       port 0 others
          name _wildcard_Others_65535
          source-nat pool ISP-NAT-Group
          service-group sg_pool-isp1-2
          use-rcv-hop-for-resp
          no-dest-nat
          template persist destination-ip LLB-persist-dest
       port 21 ftp
          name _wildcard_FTP_21
          source-nat pool ISP-NAT-Group
          service-group ISP1
          use-rcv-hop-for-resp
          no-dest-nat
          ha-conn-mirror
          template persist destination-ip LLB-persist-dest
  • facevedo Member
    edited November 2017
    Thanks, I did that, but I'm still having some trouble:

    slb virtual-server wildcard-vip 0.0.0.0
        port 0 tcp
           name _wildcard_v4_TCP_0
           source-nat pool outbound-nat-group
           service-group outbound-tcp-links
           use-rcv-hop-for-resp
           template tcp TCP-5
           no-dest-nat
           template persist destination-ip LLB-persist-dest
        port 0 udp
           name _wildcard_v4_UDP_0
           source-nat pool outbound-nat-group
           service-group outbound-udp-links
           use-rcv-hop-for-resp use-src-ip-for-dst-persist
           no-dest-nat
        port 0 others
           name _wildcard_v4_Others_0
           source-nat pool outbound-nat-group
           service-group outbound-tcp-links
           use-rcv-hop-for-resp use-src-ip-for-dst-persist
           no-dest-nat

    I have 3 public IPs:

    Example: 100.100.100.100, 100.100.100.101 and 100.100.100.102

    When I query a site www.example.com

    In the session I can see that the public IP from the A10 changes; it is as if it does not keep the dst-persistence.

    Regards!
  • yannt Member
    edited November 2017
    I'm not sure I understand where the issue is.

    Using persistence means the A10 will forward the traffic through the SAME gateway depending on the persistence type (per client SRC IP or per server DST IP). Persistence does not mean the A10 will always reuse the same SRC-NAT IP (if there are multiple IPs in the same NAT pool) for outgoing traffic through an ISP.

    Can you please share your config for a full review? Can you also give more details about the behaviour you are seeing and what you are expecting?

    Thanks
  • facevedo Member
    edited November 2017
    Hi, I am attaching the configuration file.
    Regards!
  • jserrano Member ✭✭
    edited November 2017
    Hi,
    Persistence just keeps gateway consistency. If you also want to keep the same source-NAT IP, then
    you need to add "clientip-sticky-nat" to the outbound virtual services (tcp, udp & others). From the CLI guide:

    Description: Configure client stickiness for outbound NHLD.
    Syntax: [no] clientip-sticky-nat
    Default: Disabled
    Mode: Virtual port
    Introduced in: Release 2.7.0
    Usage: Sticky NAT for outbound Next Hop Load Distributor (NHLD) provides a virtual-port option to ensure the ACOS device always uses the same outbound link for a given client’s traffic. You can enable it on individual virtual ports.
    NOTE: The Sticky NAT option applies only to NHLD. The option does not apply to other features, such as SLB.

    Regards
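
An added example (not from the thread participants or from A10): a small Python audit that parses an ACOS config and reports, for each port of a wildcard (0.0.0.0) virtual server, whether a persist template and `clientip-sticky-nat` are present, the two settings the replies above distinguish. The sample config is constructed from commands posted in the thread; the function names are hypothetical.

```python
import re

# Constructed sample, assembled from commands posted in the thread.
SAMPLE = """\
slb virtual-server wildcard-vip 0.0.0.0
    port 0 tcp
       source-nat pool outbound-nat-group
       no-dest-nat
       template persist destination-ip LLB-persist-dest
       clientip-sticky-nat
    port 0 udp
       source-nat pool outbound-nat-group
       no-dest-nat
       template persist source-ip src-ip-persist
    port 0 others
       source-nat pool outbound-nat-group
       no-dest-nat
"""

def audit_wildcard_ports(config):
    """Map (vip, 'port proto') -> settings for each wildcard (0.0.0.0) virtual server."""
    report, vip, port = {}, None, None
    for line in (raw.strip() for raw in config.splitlines()):
        if line == "!" or line.startswith("slb "):
            # Stanza boundary: keyed on keywords, so flattened indentation still parses.
            m = re.match(r"slb virtual-server (\S+) 0\.0\.0\.0$", line)
            vip, port = (m.group(1) if m else None), None
        elif vip and (m := re.match(r"port (\d+) (\S+)$", line)):
            port = (vip, f"{m.group(1)} {m.group(2)}")
            report[port] = {"persist": None, "sticky_nat": False, "nat_pool": None}
        elif port and (m := re.match(r"template persist (\S+) \S+$", line)):
            report[port]["persist"] = m.group(1)
        elif port and line == "clientip-sticky-nat":
            report[port]["sticky_nat"] = True
        elif port and (m := re.match(r"source-nat pool (\S+)$", line)):
            report[port]["nat_pool"] = m.group(1)
    return report

def findings(report):
    """List ports where the gateway or the source-NAT IP is not pinned."""
    out = []
    for (vip, port), p in sorted(report.items()):
        if p["persist"] is None:
            out.append(f"{vip} port {port}: no persist template (gateway not pinned)")
        if p["nat_pool"] and not p["sticky_nat"]:
            out.append(f"{vip} port {port}: no clientip-sticky-nat (source-NAT IP not pinned)")
    return out

print("\n".join(findings(audit_wildcard_ports(SAMPLE))))
```
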
  • facevedo Member
    edited November 2017
    JSerrano, OK, I understand that. I will try it now and test the behavior on the network. Thanks! I will report back after the test.
  • facevedo Member
    edited December 2017
    Hi everyone, it all works fine. Thanks for your advice!

    Regards!!
  • ianishar Member
    edited March 2018
    Hi facevedo,

    Can you upload your configuration? I want to see it.
    thanks