
Load balancing with Windows Server 2008

Discussion in 'Networks' started by zebulebu, Jan 22, 2011.

  1. zebulebu

    zebulebu Terabyte Poster

    Just put my first 2K8 loadbalanced IIS cluster in yesterday. It was an 'interesting' experience, to say the least! Having done it numerous times in 2K3 before (though not for a while) I figured I'd just add the loopback adapters to each VM and point them at the VIP created on our hardware load balancers. Oh if only it were that simple :)

    After a bit of ferreting around, I discovered a little nugget about the TCP/IP stack implementation in W2K8 (and Win 7, for that matter). Microsoft changed it pretty drastically to accommodate various IEEE standards. One of them - defined in RFC 1122 - deals with the 'Weak Host/Strong Host' model. This is aimed at improving security for multi-homed hosts. In 'traditional' Windows networking (i.e. pre W2K8), when a packet is addressed to a host, as long as the IP address it's destined for resides on one of the NICs in that host, the packet will be received and processed. In W2K8, however, that is no longer the case. So, in the scenario where you have a host with two NICs in (one of which you assign a VIP to for loadbalancing), unless the packet sent is addressed DIRECTLY to the IP address of the NIC, it won't be processed.

    Pretty big change there - and the scenario I was working on is, I think, pretty common (hardware loadbalancer connecting to a VIP on one or more web servers via a loopback adapter on each participating server).

    There is a way round this, and it involves editing the properties of the NICs using netsh. After adding the loopback NIC and giving it the VIP address (Windows now allows you to give it a /32 mask without having to delve into the registry - yay!), drop into a command prompt and type the following:

    netsh interface ipv4 set interface "local area connection" weakhostsend=enabled
    netsh interface ipv4 set interface "local area connection" weakhostreceive=enabled
    netsh interface ipv4 set interface "local area connection 2" weakhostsend=enabled
    netsh interface ipv4 set interface "local area connection 2" weakhostreceive=enabled

    (If you've changed them from the default, replace "local area connection" with the names you've assigned your NICs)

    All fine and dandy - HOWEVER - there are a couple of 'gotchas' here.

    Firstly, despite what the documentation from our hardware loadbalancer said, after doing this you DO have to change the metric of the loadbalanced NIC. I found that leaving it as the default still caused routing issues (as used to be the case in W2K3) - so make sure you change the metric of the loopback adapter to a higher figure (I always use 254)

    Secondly, once you add the loopback adapter, Windoze will spitefully turn the firewall on again. Make sure you turn it back off - provided, of course, you're running a real firewall. If you're not, then I wouldn't worry about any of this - you shouldn't be working with IT equipment in the first place :biggrin

    Thirdly - and, perhaps, most importantly - when you add the loopback adapter you will lose RDP connectivity to the machine. Now, if this is a VM, you don't have a problem - use the VM console in the VI Client. If, however, it's a physical box, located in a remote data centre or office and you don't have out of band access (i.e. via iLO, DRAC etc) then you'll be in a world of hurt - so keep that in mind when you do this!

    A couple of good blog posts here and here. Article from our hardware loadbalancer's blog here - ignore the part where it specifically tells you that you don't have to change the metric on the lb nic :)
    Certifications: A few
    WIP: None - f*** 'em
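
An added example, not part of the post above: a PowerShell audit that parses `netsh interface ipv4 show interfaces level=verbose` output to confirm that weak host is enabled only on the intended NICs and that the VIP adapter carries the raised metric. The sample text, the interface names and the English-locale field labels are assumptions; check them against your own host's output.

```powershell
# Added example, not from the thread. $Sample is constructed; on a live host use:
#   $text = (netsh interface ipv4 show interfaces level=verbose) -join "`n"
# Assumption: English-locale field labels as in the sample below.
$Sample = @'
Interface Local Area Connection Parameters
----------------------------------------------
Metric                             : 10
Weak Host Sends                    : enabled
Weak Host Receives                 : enabled

Interface Local Area Connection 2 Parameters
----------------------------------------------
Metric                             : 10
Weak Host Sends                    : enabled
Weak Host Receives                 : enabled

Interface Local Area Connection 3 Parameters
----------------------------------------------
Metric                             : 20
Weak Host Sends                    : disabled
Weak Host Receives                 : disabled
'@

# Turn the verbose netsh text into one object per interface.
function Get-WeakHostState([string]$NetshText) {
    $cur = $null
    foreach ($line in ($NetshText -split "\r?\n")) {
        if ($line -match '^Interface (.+) Parameters\s*$') {
            if ($cur) { New-Object PSObject -Property $cur }
            $cur = @{ Name = $Matches[1]; Metric = $null; WeakSend = $false; WeakReceive = $false }
        } elseif ($cur -and $line -match '^\s*(Metric|Weak Host Sends|Weak Host Receives)\s*:\s*(\S+)') {
            $key, $val = $Matches[1], $Matches[2]
            switch ($key) {
                'Metric'             { $cur.Metric      = [int]$val }
                'Weak Host Sends'    { $cur.WeakSend    = ($val -eq 'enabled') }
                'Weak Host Receives' { $cur.WeakReceive = ($val -eq 'enabled') }
            }
        }
    }
    if ($cur) { New-Object PSObject -Property $cur }
}

# Hypothetical names: the NICs meant to run weak host, and the one holding the VIP.
$Expected = 'Local Area Connection', 'Local Area Connection 2'
$VipNic   = 'Local Area Connection 2'
foreach ($nic in Get-WeakHostState $Sample) {
    $weak = $nic.WeakSend -and $nic.WeakReceive
    if (($nic.WeakSend -or $nic.WeakReceive) -and ($Expected -notcontains $nic.Name)) { "UNEXPECTED weak host on '$($nic.Name)'" }
    if (-not $weak -and ($Expected -contains $nic.Name)) { "INCOMPLETE weak host on '$($nic.Name)'" }
    if ($nic.Name -eq $VipNic -and $nic.Metric -lt 254) { "VIP NIC '$($nic.Name)' metric is $($nic.Metric); the post uses 254" }
}
```

With the constructed sample, only the metric line is reported, because the VIP adapter is still at its default metric.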
  2. Theprof

    Theprof Petabyte Poster Forum Leader

    Funny you should mention the IIS load balancing cluster... One of the developers was asking me about this, we have a web based application that we've experienced slow downs and this is something that really got me interested. However in our case it's win2k3 with IIS6.

    At some point, probably in the next few months I'll be looking at it again.
    Certifications: A+ | CCA | CCAA | Network+ | MCDST | MCSA | MCP (270, 271, 272, 290, 291) | MCTS (70-662, 70-663) | MCITP:EMA | VCA-DCV/Cloud/WM | VTSP | VCP5-DT | VCP5-DCV
