Link Load Balance A10 Thunder

Hi Everyone!

I would like to know what the best way is to do load balancing on my A10 if I have 3 ISP links.

Example

LOCAL NET --> Inside -- A10 -- Outside -- 3 ISP links

I understand that it is done with a Wildcard VS, but I would like to be sure of that.

Please help me if you can.

Hi facevedo, This is correct, you should use a Wildcard VIP to catch the traffic destined for Internet IPs. Please find below a working “basic” config example (ACOS 4.x or later):


vlan 150
 untagged ethernet 1
 router-interface ve 150
 name "Inside"
!
vlan 500
 untagged ethernet 2
 router-interface ve 500
 name "Outside_ISP_A"
!
vlan 501
 untagged ethernet 3
 router-interface ve 501
 name "Outside_ISP_B"
!
interface ve 150
 ip address 192.168.100.254
 ip allow-promiscuous-vip
!
interface ve 500
 ip address 10.10.0.1 255.255.255.0
!
interface ve 501
 ip address 10.10.1.1 255.255.255.0
!
interface ethernet 1
 enable
!
interface ethernet 2
 enable
!
interface ethernet 3
 enable
!
ip nat pool ISP_A 10.10.0.50 10.10.0.50 netmask /24 
!
ip nat pool ISP_B 10.10.1.50 10.10.1.50 netmask /24 
!
ip nat pool-group NAT_Internet 
  member ISP_A 
  member ISP_B 
!
slb server ISP_A 10.10.0.254
   port 0 tcp
       health-check-disable
   port 0 udp
       health-check-disable
!
slb server ISP_B 10.10.1.254
   port 0 tcp
       health-check-disable
   port 0 udp
       health-check-disable
!
slb service-group Internet_TCP tcp
    member ISP_A 0
    member ISP_B 0
!
slb service-group Internet_UDP udp
    member ISP_A 0
    member ISP_B 0
!
slb virtual-server VIP 0.0.0.0
   port 0 tcp
      source-nat pool NAT_Internet
      service-group Internet_TCP
      use-rcv-hop-for-resp
      no-dest-nat
   port 0 udp
      source-nat pool NAT_Internet
      service-group Internet_UDP
      use-rcv-hop-for-resp
      no-dest-nat
   port 0 others
      source-nat pool NAT_Internet
      service-group Internet_TCP
      use-rcv-hop-for-resp
      no-dest-nat

Hi, Thanks for your reply…

I have a question: what about the ICMP traffic that is outgoing to my network?

How can I permit my LAN users to reach something on the internet through ICMP…

EXAMPLE

LAN → A10 → ISP → TEST icmp 8.8.8.8

Maybe create another VS type?

Best Regards!

Fabián A.

Hi Fabian,

You have 3 types of Service configured under the Wildcard VIP : TCP/UDP/Others.
ICMP traffic is managed through Others. With the given configuration, any type of traffic is load balanced across the 2 ISP routers.

Regards,
Yann

Thanks again Yantt, I did that and it works well; however, I have some trouble with persistent connections… particularly destination persistence.

EXAMPLE: User goes to internet --> ISP IP 1 --> SITE WWW. Sometimes the replies on the websites go to another IP.

Is there a recommended way to do this?

Best Regards!

Try to add persistence:
!
slb template persist source-ip src-ip-persist
   timeout 10
!
slb template persist destination-ip LLB-persist-dest
   netmask 255.255.255.0
   timeout 10
!
slb virtual-server LLB_vip 0.0.0.0
   port 0 tcp
      name _wildcard_TCP_65535
      source-nat pool ISP-NAT-Group
      service-group sg_pool-isp1-2-tcp
      use-rcv-hop-for-resp
      no-dest-nat
      ha-conn-mirror
      template persist destination-ip LLB-persist-dest
   port 0 udp
      name _wildcard_UDP_65535
      source-nat pool ISP-NAT-Group
      service-group sg_pool-isp1-2-udp
      use-rcv-hop-for-resp
      template udp vpn-ageout
      no-dest-nat
      template persist source-ip src-ip-persist
   port 0 others
      name _wildcard_Others_65535
      source-nat pool ISP-NAT-Group
      service-group sg_pool-isp1-2
      use-rcv-hop-for-resp
      no-dest-nat
      template persist destination-ip LLB-persist-dest
   port 21 ftp
      name _wildcard_FTP_21
      source-nat pool ISP-NAT-Group
      service-group ISP1
      use-rcv-hop-for-resp
      no-dest-nat
      ha-conn-mirror
      template persist destination-ip LLB-persist-dest

Thanks, I did that, but I'm still having some trouble:

slb virtual-server wildcard-vip 0.0.0.0
    port 0 tcp
       name _wildcard_v4_TCP_0
       source-nat pool outbound-nat-group
       service-group outbound-tcp-links
       use-rcv-hop-for-resp
       template tcp TCP-5
       no-dest-nat
       template persist destination-ip LLB-persist-dest
    port 0 udp
       name _wildcard_v4_UDP_0
       source-nat pool outbound-nat-group
       service-group outbound-udp-links
       use-rcv-hop-for-resp use-src-ip-for-dst-persist
       no-dest-nat
    port 0 others
       name _wildcard_v4_Others_0
       source-nat pool outbound-nat-group
       service-group outbound-tcp-links
       use-rcv-hop-for-resp use-src-ip-for-dst-persist
       no-dest-nat

I have 3 public IPs:

for example 100.100.100.100, 100.100.100.101 and 100.100.100.102

When I query a site, www.example.com:

In the session I can see that the public IP from the A10 changes; it is as if it does not keep the dst-persistence.

Regards!

I’m not sure I understand where the issue is.

Using persistence means the A10 will forward the traffic through the SAME gateway depending on the persistence type (per client SRC IP or per server DST IP). Persistence does not mean the A10 will always reuse the same SRC-NAT IP (if there are multiple IPs in the same NAT pool) for outgoing traffic through an ISP.

Can you please share your config for a full review? Can you please also give more details about the behaviour you are seeing and what you are expecting?

Thanks

Hi, I have attached the configuration file…
Regards!

Hi,
Persistency just keeps gateway consistency. If you also want to keep the same source-NAT IP, then you need to add “clientip-sticky-nat” to the outbound virtual services (tcp, udp & others). From the CLI guide:

Description: Configure client stickiness for outbound NHLD.
Syntax: [no] clientip-sticky-nat
Default: Disabled
Mode: Virtual port
Introduced in Release 2.7.0
Usage: Sticky NAT for outbound Next Hop Load Distributor (NHLD) provides a virtual-port option to ensure the ACOS device always uses the same outbound link for a given client’s traffic. You can enable it on individual virtual ports.
NOTE: The Sticky NAT option applies only to NHLD. The option does not apply to other features, such as SLB.

Regards
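
The distinction drawn in the two replies above (persistence pins the gateway, not the source-NAT address) as an added example, not part of any post and not A10 code: a simplified Python model of the wildcard VIP. The `OutboundLLB` class, round-robin selection, the ISP_B pool address and the client and destination addresses are assumptions; persistence timeouts are not modelled.

```python
import ipaddress
from itertools import cycle

# Constructed sample: ISP_A holds the three public IPs quoted in the thread;
# the ISP_B address is made up for the example.
LINKS = {
    "ISP_A": ["100.100.100.100", "100.100.100.101", "100.100.100.102"],
    "ISP_B": ["198.51.100.10"],
}

class OutboundLLB:
    """Toy model of the wildcard VIP (illustration only, not ACOS internals)."""

    def __init__(self, links, persist_mask=None, sticky_nat=False):
        self.persist_mask = persist_mask  # destination-ip persistence netmask, or None
        self.sticky_nat = sticky_nat      # effect the reply attributes to clientip-sticky-nat
        self._next_gw = cycle(links)      # assumed: round-robin across gateways
        self._next_nat = {gw: cycle(pool) for gw, pool in links.items()}
        self._persist = {}                # destination network -> gateway
        self._sticky = {}                 # (client, gateway) -> NAT address

    def _gateway(self, dst):
        if self.persist_mask is None:
            return next(self._next_gw)
        net = ipaddress.ip_network(f"{dst}/{self.persist_mask}", strict=False)
        if net not in self._persist:      # first session to this network picks the link
            self._persist[net] = next(self._next_gw)
        return self._persist[net]

    def new_session(self, client, dst):
        """Return (gateway, source-NAT address) chosen for one new session."""
        gw = self._gateway(dst)
        if not self.sticky_nat:
            return gw, next(self._next_nat[gw])  # assumed: round-robin inside the pool
        key = (client, gw)
        if key not in self._sticky:
            self._sticky[key] = next(self._next_nat[gw])
        return gw, self._sticky[key]

def observe(llb, client, dst, sessions=6):
    """Open several sessions; return the sets of gateways and NAT IPs seen."""
    seen = [llb.new_session(client, dst) for _ in range(sessions)]
    return {gw for gw, _ in seen}, {nat for _, nat in seen}

if __name__ == "__main__":
    mask = "255.255.255.0"
    for opts in ({}, {"persist_mask": mask}, {"persist_mask": mask, "sticky_nat": True}):
        print(opts, observe(OutboundLLB(LINKS, **opts), "192.168.100.10", "203.0.113.80"))
```

With destination persistence alone the model keeps one gateway but still rotates through that link's three NAT addresses, which matches the changing public IP reported in the thread; adding the sticky mapping leaves a single address per client.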

JSerrano… OK, I understand that… I will try it now and probe the behavior on the network… Thanks! I will inform you after the test.

Hi everyone, it all works fine… Thanks for your advice!

Regards!!

Hi facevedo,

Can you upload your configuration? I want to see it.
Thanks