Configuring cluster load-balancing rules
You can configure cluster load-balancing rules under Manage > Appliances: Clusters. Click the cluster name to expand the page and display the cluster tabs, and then select the Cluster Pages tab to expand the page.
Select Load Balancing Rules to display the Editing Cluster: <cluster name>, Load Balancing Rules page.
Any changes made to the cluster configuration pages modify all the Interceptors after a cluster push.
Load-balancing rules define the characteristics by which traffic is selected for load-balancing and the availability of a LAN-side SteelHead for such traffic.
You can select the cluster name and page to edit at the top of the Editing Cluster: <cluster name>, Inpath Rules (Interceptor) page.
Load-balancing rules define the characteristics by which traffic is selected for load balancing and the availability of a local SteelHead for such traffic. Load balancing often involves SteelHead Interceptor working together with SteelHeads.
Your load-balancing rules must account for these conditions:
Traffic over all subnets and ports that have been selected for redirection.
All SteelHeads you have configured as targets of redirect rules or reserved for the automatic load-balancing rule:
If a cluster SteelHead is specified as a target for a rule, it is reserved for traffic that matches that rule and is not available to the pool used for automatic load balancing.
If a cluster SteelHead is not specified as a target for a rule, it is available for automatic load balancing.
Second-preference cases in which you would rather pass through traffic than tax the automatic load-balancing pool.
IPv4 and IPv6 addresses are supported for load-balancing rules.
This table describes how the SteelHead Interceptor processes load-balancing rules.
Event: Redirect rule matches and target SteelHeads are available.
Interceptor process: Redirects traffic to a SteelHead in the target list. The SteelHead Interceptor chooses a SteelHead from the list based on a connection distribution algorithm that uses peer affinity. A SteelHead has peer affinity when the SteelHead Interceptor has chosen it as the target before. When the target list includes more than one SteelHead with peer affinity, the SteelHead Interceptor chooses the SteelHead with the most affinity, that is, the appliance to which the Interceptor has forwarded the most connections.
Event: Redirect rule matches but none of the target SteelHeads for the rule are available.
Interceptor process: Consults the next rule in the target list.
Event: Pass-through rule matches.
Interceptor process: Passes through traffic, traversing bypass routes without optimization. Processed by service rules if path selection is enabled.
Event: Redirect rule matches but none of the target appliances are available; does not match a pass-through rule.
Event: No rules match.
Event: No rules specified.
Interceptor process (for each of these three events): The SteelHead Interceptor chooses a SteelHead from the pool of SteelHeads that you have added as part of the cluster but have not assigned as targets in other load-balancing rules. The SteelHead Interceptor chooses a SteelHead based on the connection distribution algorithm described above.
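The processing order in the table above, as an added Python sketch (not Riverbed code) for checking where a flow ends up before a cluster push. The rule fields, addresses, and the `matches` and `evaluate` helpers are constructed for illustration; the choice among available targets is simplified to the first available one, and the automatic pool is returned as a list rather than narrowed by peer affinity.

```python
import ipaddress

# Constructed sample cluster: SteelHead IP -> available for new connections?
STEELHEADS = {"10.0.0.11": True, "10.0.0.12": False, "10.0.0.13": True}

# Constructed rules, evaluated top-down. A port of None stands for All.
RULES = [
    {"type": "redirect", "src": "0.0.0.0/0", "dst": "192.168.10.0/24",
     "port": 445, "targets": ["10.0.0.12"]},
    {"type": "pass-through", "src": "0.0.0.0/0", "dst": "0.0.0.0/0",
     "port": 80, "targets": []},
    {"type": "redirect", "src": "172.16.0.0/12", "dst": "0.0.0.0/0",
     "port": None, "targets": ["10.0.0.12", "10.0.0.11"]},
]

def matches(rule, src, dst, port):
    """True if the flow falls inside the rule's subnets and port."""
    in_src = ipaddress.ip_address(src) in ipaddress.ip_network(rule["src"])
    in_dst = ipaddress.ip_address(dst) in ipaddress.ip_network(rule["dst"])
    return in_src and in_dst and rule["port"] in (None, port)

def evaluate(rules, steelheads, src, dst, port):
    """Return (action, steelhead_or_pool, rule_index) for one new connection."""
    for i, rule in enumerate(rules):
        if not matches(rule, src, dst, port):
            continue
        if rule["type"] == "pass-through":
            return ("pass-through", None, i)
        # Redirect rule: use the first target that is available.
        for ip in rule["targets"]:
            if steelheads.get(ip):
                return ("redirect", ip, i)
        # No target available: fall through and consult the next rule.
    # Nothing decided: automatic pool = SteelHeads not reserved by any rule.
    reserved = {ip for r in rules for ip in r["targets"]}
    pool = sorted(ip for ip, up in steelheads.items()
                  if up and ip not in reserved)
    return ("auto-balance", pool, None)
```

A flow from 10.1.1.1 to 192.168.10.20 on port 445 matches only the first rule, whose single target is down, so it lands in the automatic pool. That is the spill-over case the conditions at the top of this page ask you to plan for.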
About fair peering
When the SteelHead Interceptor is running in standard mode, you can enable the Fair Peering feature for each load-balancing rule, including the default rule.
In VLAN segregation mode, Fair Peering v2 is enabled by default, and it cannot be disabled.
When the Fair Peering feature is enabled for a load-balancing rule, the target SteelHead cannot exceed a dynamically determined maximum number of remote SteelHeads. When that maximum is reached, peer connections are reassigned. For example, when the maximum limit for one local SteelHead is reached, the load shifts to another local SteelHead.
If a new remote SteelHead comes online, a new maximum value is dynamically computed. As a result, the Fair Peering feature ensures that all remote SteelHeads are always covered. This feature is an alternative to the default load-balancing algorithm which, when a new remote SteelHead is assigned to a local cluster, determines the appropriate local SteelHead to which the new connection should be directed.
Prior to using Fair Peering, be aware of these limitations:
If a load-balancing rule is configured with Fair Peering enabled, the target SteelHead cannot be targeted in any other load-balancing rule.
Load balancing can only occur among SteelHeads that are targeted by load-balancing rules with the same Fair Peering configuration.
About pressure monitoring
Pressure monitoring provides details about the health of the local SteelHeads, so that the Interceptor can better manage and balance traffic. Pressure parameters that are measured include available memory, CPU utilization, and disk load. All three pressures are treated equally, and the Interceptor sends a consolidated message to indicate one of these states: normal, high, or severe.
The value is determined as follows:
Normal—A value of normal is assigned if all three pressures measure normal.
High—A value of high is assigned if one or more pressures measure high but none measure severe.
Severe—A value of severe is assigned if one or more pressures measure severe.
The SteelHeads report displays the pressure values. When the pressure monitoring feature is enabled, pressures are reported but do not necessarily affect the load-balancing functionality of the SteelHead Interceptor. However, when this feature is enabled together with the Fair Peering v2 (“capacity adjustment”) option, the SteelHead Interceptor incorporates the pressure measurements into load balancing based on the credits available in each SteelHead.
Each SteelHead is assigned credits based on its model number. The credit is equivalent to the SteelHead size used in Fair Peering. The credits determine the percentage of total load a SteelHead can handle in the cluster.
When Fair Peering v2, pressure monitoring, and capacity adjustment are enabled, the pressure data from a SteelHead determines the credits assigned to it and, as a result, the percentage of connections assigned to that SteelHead. For example, if two SteelHeads (LSH1 and LSH2) have credits 250 and 750, respectively, then the SteelHead Interceptor sends 25 percent of the load to LSH1 and 75 percent to LSH2.
Specifically, when pressure data changes, SteelHead credits are affected as follows:
Normal changing to High—SteelHead credits are reduced by 10 percent.
Normal changing to Severe—SteelHead credits are reduced by 20 to 30 percent.
Severe changing to Normal—SteelHead credits are restored accordingly.
Pressure readings are not polled. Rather, SteelHeads report only changes to pressure states.
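How a reported pressure change shifts the connection split, as an added Python model (not Riverbed code) built on the LSH1/LSH2 credits from the example above. The `Cluster` class and its methods are constructed names, and the 30 percent reduction for severe is an assumed value taken from the documented 20 to 30 percent range.

```python
SEVERITY = {"normal": 0, "high": 1, "severe": 2}

# Credit reduction per consolidated state. The page gives 10 percent for high
# and a 20 to 30 percent range for severe; 0.30 is an assumed value in it.
REDUCTION = {"normal": 0.0, "high": 0.10, "severe": 0.30}

def consolidate(memory, cpu, disk):
    """Consolidated state: the worst of the three equally treated pressures."""
    return max((memory, cpu, disk), key=SEVERITY.__getitem__)

class Cluster:
    def __init__(self, base_credits):
        self.base = dict(base_credits)   # credits derived from the model size
        self.state = {name: "normal" for name in self.base}

    def report(self, name, memory, cpu, disk):
        """A SteelHead reports a change; store its new consolidated state."""
        self.state[name] = consolidate(memory, cpu, disk)
        return self.state[name]

    def credits(self):
        """Base credits reduced according to each SteelHead's current state."""
        return {n: self.base[n] * (1 - REDUCTION[self.state[n]])
                for n in self.base}

    def shares(self):
        """Percentage of the load per SteelHead, rounded to one decimal."""
        current = self.credits()
        total = sum(current.values())
        return {n: round(100 * c / total, 1) for n, c in current.items()}
```

Because credits are always derived from the stored base value, a report that returns a SteelHead to normal restores the original 25/75 split.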
About pressure monitoring and path selection
When the path selection feature is enabled, service rules specify one or more SteelHeads to which unoptimized traffic is redirected.
The SteelHead Interceptor uses a hashing mechanism to select the SteelHead. The hashing mechanism takes into account the weight of the SteelHead as derived from the connection capacity of the SteelHead. This method allows a SteelHead with a larger connection capacity to receive more redirected traffic than a SteelHead with a smaller connection capacity, assuming both SteelHeads were configured in the same service rule. The hash used to pick a SteelHead from the service rule that matches the traffic flow is derived from the SRC IP address, the DST IP address, the SRC Port, and the DST Port settings of the traffic flow.
When pressure monitoring is enabled, the weight of the SteelHead is adjusted as follows:
Normal pressure—Weight assigned is proportional to the connection capacity of the SteelHead.
High pressure—Weight assigned is half the normal weight.
Severe pressure—No new connections are redirected.
The weight of the SteelHead controls the number of new connections and flows that will be redirected to the SteelHead. The weight does not change the connections that are already being redirected to the SteelHead.
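Weighted selection over the flow 4-tuple with the pressure adjustments listed above, as an added Python sketch (not Riverbed code). The page does not document the actual hash, so SHA-256 with weighted rendezvous hashing is an assumption chosen to show the behaviour; the capacities, addresses, and function names are constructed.

```python
import hashlib
import math

# Weight multiplier per pressure state, as listed above.
PRESSURE_FACTOR = {"normal": 1.0, "high": 0.5, "severe": 0.0}

def weight(capacity, pressure):
    """Weight proportional to connection capacity, adjusted for pressure."""
    return capacity * PRESSURE_FACTOR[pressure]

def pick(flow, steelheads):
    """Choose a SteelHead for a new flow.

    flow is (src_ip, dst_ip, src_port, dst_port); steelheads maps
    IP -> (capacity, pressure). Returns None if no SteelHead has weight.
    """
    best_ip, best_score = None, -math.inf
    for ip, (capacity, pressure) in sorted(steelheads.items()):
        w = weight(capacity, pressure)
        if w <= 0:
            continue  # severe pressure: no new connections
        digest = hashlib.sha256(f"{flow}|{ip}".encode()).digest()
        # Map 52 bits of the digest to a value strictly inside (0, 1).
        u = ((int.from_bytes(digest[:8], "big") >> 12) + 0.5) / 2**52
        score = -w / math.log(u)  # weighted rendezvous score
        if score > best_score:
            best_ip, best_score = ip, score
    return best_ip

def distribution(steelheads, n=4000):
    """Count picks over n constructed flows that differ only in source port."""
    counts = {ip: 0 for ip in steelheads}
    for i in range(n):
        chosen = pick(("10.1.1.5", "192.168.10.20", 1024 + i, 443), steelheads)
        if chosen is not None:
            counts[chosen] += 1
    return counts
```

The same 4-tuple always maps to the same SteelHead while the weights are unchanged, and only flows picked after a pressure change see the new weights.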
Adding or deleting a load-balancing rule
The location of the Load Balancing Rules page depends on whether the appliance is running in standard mode or VLAN segregation mode:
Standard mode—Choose Optimization > Optimization: Load Balancing Rules to display the Load Balancing Rules page.
VLAN segregation mode—Load-balancing rules are configured on a per-instance basis. From the instance dashboard for a given instance, choose Load Balancing Rules under the Optimization section of the navigation bar.
In VLAN segregation mode, Fair Peering v2 is enabled by default, and it cannot be disabled. For this reason, the check box control for enabling Fair Peering v2 is not displayed on the Load Balancing Rules page when the SteelHead Interceptor is running in VLAN segregation mode.
1. Display the Load Balancing Rules page in either standard mode or VLAN segregation mode.
2. Optionally, under Load Balance Settings, configure Fair Peering settings:
Enable Fair Peering v2 (Standard mode only)
Enables the Fair Peering v2 feature across all load-balancing rules. The Fair Peering v2 feature ensures that no local SteelHead exceeds a dynamically determined maximum number of remote peers.
By default, the SteelHead Interceptor selects the target SteelHead on the basis of peer affinity (based on which candidate SteelHead has been used to optimize connections to or from the remote site in the past).
If you enable Fair Peering v2, this global setting overrides any traditional Fair Peering enabled on a per-rule basis.
Fair Peering v2 is supported with Interceptor version 3.0 and later and local SteelHeads running RiOS 6.1.3 or later.
Enable Pressure Monitoring
Provides more detailed information about the health of the local SteelHeads, to enable the Interceptor to better manage and balance traffic.
We recommend that you enable pressure monitoring only in conjunction with Fair Peering v2.
Enable Capacity Adjustment
Reduces the number of new connections sent to local SteelHeads for which the Interceptor determines an unacceptable pressure value. For a local SteelHead with an unacceptable pressure value, this feature artificially and temporarily reduces the capacity of the SteelHead for Interceptor load-balancing calculations. As a result of using a downward-adjusted capacity for a particular SteelHead, the SteelHead Interceptor moves existing paired peers from that SteelHead to less-used SteelHeads.
The SteelHead Interceptor uses the artificially reduced capacity value for that SteelHead in load-balancing calculations until the SteelHead returns to a Normal pressure value.
Enable Permanent Capacity Adjustment
Causes capacity reduction—once triggered for a local SteelHead that reaches an unacceptably high pressure value—to be permanent.
To disable permanent capacity adjustment of a SteelHead, you must issue a service restart on the SteelHead Interceptor.
3. Under Load Balancing Rules, configure load-balancing rules:
Add a New Load Balancing Rule
Displays the controls to add a new rule.
Type
Specifies the type of rule from the drop-down list:
Redirect—Configure rules of this type for traffic you want to optimize.
Pass Through—Configure rules of this type as a second-preference rule for cases in which you want to optimize when connections are available on specified targets but, in the event that targets have reached admission control capacity, you would rather pass through traffic than tax the autobalance pool. For example, you might use pass-through rules to handle HTTP traffic on port 80.
When path selection is enabled, if traffic matches the pass-through rule, the service rule table further evaluates the traffic.
Position
Specifies one of these positions from the drop-down list:
Select Start to insert the rule at the start of the list.
Select End to insert the rule at the end of the list.
Select a rule number.
Enable Email Notification
Enables email notification of pass-through rules. Specify the email address using the Email page.
This option is available for pass-through rules only and is enabled by default. This option is disabled for redirect rules.
Local SteelHeads
Specifies a comma-separated list of SteelHead IP addresses to which traffic can be redirected. If a rule matches, connections are redirected to the first SteelHead in the list that has capacity for new connections. If no rule matches, peer affinity applies. If there is no existing peer affinity, the connection is redirected to the SteelHead with the least number of current connections.
The target SteelHeads are called cluster SteelHeads. The list you specify here must match the main IP addresses specified in the SteelHeads list.
If IPv6 connection forwarding is enabled, you can enter IPv6 addresses only. Use this format: x:x:x::x/xxx
Source Subnet
Specifies the subnet IP address and netmask for the source network:
All IP (IPv4 + IPv6)—Maps to all IPv4 and IPv6 networks.
All IPv4—Maps to 0.0.0.0/0.
All IPv6—Maps to ::/0.
IPv4—Prompts you for a specific IPv4 subnet address. Use this format for an individual subnet IP address and netmask: xxx.xxx.xxx.xxx/xx
IPv6—Prompts you for a specific IPv6 subnet address. Use this format for an individual subnet IP address and netmask: x:x:x::x/xxx
Destination Subnet
Specifies the subnet IP address and netmask for the destination network:
All IP (IPv4 + IPv6)—Maps to all IPv4 and IPv6 networks.
All IPv4—Maps to 0.0.0.0/0.
All IPv6—Maps to ::/0.
IPv4—Prompts you for a specific IPv4 subnet address. Use this format for an individual subnet IP address and netmask: xxx.xxx.xxx.xxx/xx
IPv6—Prompts you for a specific IPv6 subnet address. Use this format for an individual subnet IP address and netmask: x:x:x::x/xxx
Port or Port Label
Specifies the destination port number, port label, or All. Click Port Label to go to the Networking > Network Services: Port Labels page for reference.
If you order rules so that traffic that is passed through, discarded, or denied is filtered first, All represents all remaining ports.
From Remote SteelHeads
Specifies one of these options from the drop-down list:
Any—Rule applies only when matching any SYN or SYN+ (behavior of load-balancing rule before peering was added).
Probe-only—Match any packet with a probe SYN+.
Non-probe—Match only SYN entering from the LAN side.
IP Address—Match the given IP address when a SYN+ comes from that SteelHead.
Remote SteelHead IPs
Specifies a comma-separated list of SteelHead IP addresses (if you specify IP Address for the From Remote SteelHeads setting). You can enter either IPv4 or IPv6 addresses.
You can enter IPv6 addresses only if either the Source Subnet or the Destination Subnet maps to all subnets (All IP [IPv4 + IPv6]), to all IPv6 subnets (All IPv6), or to a specific IPv6 subnet (IPv6). Otherwise, enter an IPv4 address.
VLAN Tag ID
Specifies a VLAN identification number from 0 to 4094, all to apply the rule to all VLANs, or untagged to apply the rule to nontagged connections.
Pass-through traffic maintains any preexisting VLAN tagging between the LAN and WAN interfaces.
To complete the implementation of VLAN tagging, you must set the VLAN tag IDs for the in-path interfaces that the SteelHead Interceptor uses to communicate with other SteelHead Interceptors.
Description
Describes the rule.
Enable Traditional Fair Peering for this Rule (Standard mode only)
Enables the traditional (v1) Fair Peering feature for the custom load-balancing rule.
If you enable traditional Fair Peering for this rule, this per-rule setting is overridden if Fair Peering v2 is enabled for load balancing.
Add
Adds the new rule to the configuration. The new rule displays in the list at the top of the page.
Remove Selected Rules
Removes the selected rule. Select the check box next to the name and click Remove Selected Rules.
The default rule cannot be removed and is always listed last.
Move Selected Rules
Moves the selected rules. Click the arrow next to the desired rule position; the rule moves to the new position.
The default rule cannot be reordered and is always listed last.