Cisco SLB, NAT and GRE

By paarlberg
We have the need to load balance traffic between the US and South Africa. We have redundant links in South Africa that we need to utilize load balancing on specific traffic.

Currently we have the following setup for testing.

US side
Cisco 3640 2x FE interfaces (test network)

SA side
Cisco 6506 SUP720-3bxl (production network)

On the US Side we have SLB configured pointing to the real IP of the servers in SA. We also have 2 GRE tunnels between the single 6506 in SA to the single 3640 in the US.

We have routed 2x /30 for the tunnels and 2x /30 for secondary IP addresses on the specific server in SA.

We need to be able to have the SLB IP presented to the external host for data feeds and not the actual 2x /30 on the server in SA.

The 3640 config is below, IP addresses are not actual for obvious reasons.

ip slb serverfarm SANEWSSERVER
nat server
ip slb vserver SANEWSSERVER
virtual tcp 0

Any requests from or are not NAT'ed on the 3640 and are presented as the actual IP, therefore bypassing any return path via SLB.

Any suggestions?

All Answers

For clarification

by NetMan1958 In reply to Cisco SLB, NAT and GRE

I'm not sure I really understand what you are trying to do. Are the servers you want to load balance in SA? If so, you should set up the slb on the 6506 in SA and clients in the US would access it via the virtual IP.

If you are trying to load balance all traffic between the US and SA, I think you would want to configure 2 equal cost routes on each end.

More info

by paarlberg In reply to For clarification

Here is the situation.

We have 2 links in SA to the same upstream provider (not a lot of options there).

The server we are trying to load balance traffic to is a news server in SA which receives its feeds from a provider in the US. We have a datacenter in the US that we are using as an in-between to help load balance, as it is easier on an outbound interface than an inbound. The US datacenter has the ability to peer with the news provider, removing usage charges for transfers.

All clients connecting to the news server are within SA on our network.

The load balance needs to be on all traffic from the news feed provider in the US to the news cache server in SA.

Hope that helps.

Well, I'm not sure if this will help

by NetMan1958 In reply to More info

But if everything seems to be working except for this:
"Any requests from or are not NAT'ed on the 3640 and are presented as the actual IP, therefore bypassing any return path via SLB."

Take a look at this article:

Here's an excerpt:
"After you configure the SLB feature on the Catalyst 6000, you must configure each of the real servers with an
alias for a unique loopback device or interface. This configuration is necessary to give each machine in the
Server Farm the same IP address as the actual Virtual Server. The destination real server can then respond
directly to clients with the alias address just as the server responds for its own unique address."
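
Added example, not part of the thread and not Cisco code: a simplified Python model of the behaviour the original post describes, where replies on load-balanced flows leave with the virtual IP but server-initiated traffic has no connection entry and leaves with the real address. All addresses are constructed from documentation ranges, port 119 is an assumption for a news server, and the class and function names are hypothetical.

```python
# Constructed values: documentation-range addresses, not the poster's network.
VIP = ("192.0.2.10", 119)                                # virtual server address
REALS = [("198.51.100.2", 119), ("198.51.100.6", 119)]   # server's two /30 addresses

class ServerNatSlb:
    """Toy model of a virtual server doing connection-based server NAT."""

    def __init__(self, vip, reals):
        self.vip, self.reals = vip, reals
        self.conns = set()      # (client, real) pairs, created only by inbound flows
        self.next_real = 0

    def inbound(self, client):
        """Client -> VIP: choose a real round-robin, rewrite dst, record the flow."""
        real = self.reals[self.next_real % len(self.reals)]
        self.next_real += 1
        self.conns.add((client, real))
        return {"src": client, "dst": real}

    def outbound(self, src, dst):
        """Packet from the server side crossing the SLB device."""
        if (dst, src) in self.conns:
            # Reply on a load-balanced flow: source is translated back to the VIP.
            return {"src": self.vip, "dst": dst}
        # Server-initiated flow: no connection entry, so no translation happens
        # and the remote peer sees the real address.
        return {"src": src, "dst": dst}

def demo():
    slb = ServerNatSlb(VIP, REALS)
    peer = ("203.0.113.50", 40000)            # constructed US-side peer
    first = slb.inbound(peer)                 # lands on the first real
    second = slb.inbound(("203.0.113.50", 40001))  # lands on the second real
    reply = slb.outbound(first["dst"], peer)  # reply on a tracked flow
    # The server opens its own connection toward the peer: not tracked.
    initiated = slb.outbound(("198.51.100.2", 51000), ("203.0.113.50", 119))
    return first, second, reply, initiated

if __name__ == "__main__":
    for packet in demo():
        print(packet)
```
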

Site to Site VPN is limited by bandwidth of the links

by CG IT In reply to Cisco SLB, NAT and GRE

If your network in the USA directly connects to your network in SA via a site to site VPN connection, then you're limited to the VPN link and its bandwidth [your Internet Service Provider bandwidth assigned to you]. Very low bandwidth and throughput will cause latency. If you use two site to site VPN connections and you wish to load balance between each one, the router that establishes the VPN connections has to provide load balancing on the external interfaces used for site to site VPN. If your equipment does not have that capability, then unless you change the equipment, you're stuck with what you have.

Here's an old but useful Cisco document for SLB but I don't think, based on your question, that SLB is going to be helpful in load balancing over a VPN link.**86a0080134735.shtml


by paarlberg In reply to Cisco SLB, NAT and GRE

I will work with the staff in SA and see what we can come up with. We have about 350mbps international transit in SA and about 250ms of latency, light only travels so fast :-(. We have multiple gig links in the US.

VPN is most likely the problem and the type of VPN as well

by CG IT In reply to Thanks

You would probably get a better QoS if you went with a different connection method. Dedicated link between locations. With this type of setup, your SLB will function better as you're not actually using a VPN tunnel to pass data.

VPN, while easy to set up and secure, costs in QoS especially with large data transfers. You lose too much performance.

Dedicated not an option

by paarlberg In reply to VPN is most likely the pr ...

The cost for a dedicated 100meg link from SA to the US will cost over $120k per month. We are looking at other options in the future, but a dedicated option is out of the question at the moment.

We are looking at multiple dedicated links for SA to London and London to the US in the future. Then we can better load balance the traffic.
