Session-Aware Load Balancing Clustering (SLBC)

Fortigate HA High availability SLBC instaelearn.com

The Session-aware Load Balancing Cluster (SLBC) protocol is used for clusters of FortiControllers that load balance both TCP and UDP sessions. A Session-Aware Load Balancing Cluster consists of one or more FortiControllers acting as load balancers and FortiGate-5000 series boards operating as workers, all installed in one or two FortiGate-5000 series chassis. As a session-aware load balancer, the FortiController includes FortiASIC DP processors that maintain state information for all TCP and UDP sessions. The DP processors can direct any TCP or UDP session to any worker installed in the same chassis. This session-awareness means that all TCP and UDP traffic being processed by a specific worker continues to be processed by the same worker. It also means that more complex networking features such as network address translation (NAT), fragmented packets, complex UDP protocols, and protocols such as SIP that use pinholes can be load balanced by the cluster.

An SLBC consists of one or two FortiControllers installed in chassis slots 1 and 2 and from one to 12 workers installed in chassis slots 3 and up. Network traffic is received by the FortiControllers and load balanced to the workers by the DP processors on the FortiControllers. Networks are connected to the FortiController front panel interfaces, and communication between the FortiControllers and the workers uses the chassis fabric and base backplanes. An SLBC with two FortiControllers can operate in active-passive mode or dual mode. In active-passive mode, if the active FortiController fails, traffic is transferred to the secondary FortiController. In dual mode both FortiControllers load balance traffic and twice as many network interfaces are available.


SLBC does not support session sync between workers in the same chassis. The FortiControllers in a cluster keep track of the status of the workers in their chassis and load balance sessions to the workers. If a worker fails, the FortiController detects the failure and stops load balancing sessions to that worker. The sessions that the worker is processing when it fails are lost.
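The two behaviours described above (a session stays pinned to the worker it was first sent to, and a failed worker's in-progress sessions are lost because there is no session sync between workers) can be modelled with a small session table. The following is an added illustration, not Fortinet code and not a description of the FortiASIC DP processors' real selection logic; choosing a worker for a new session by hashing the 5-tuple over the healthy slots is an assumption of the model, and the flows are constructed sample data.

```python
"""Toy model of session-aware load balancing (added example, not Fortinet code)."""
import hashlib
from collections import namedtuple

# The session key a session-aware balancer tracks (constructed for this model).
Flow = namedtuple("Flow", "proto src_ip src_port dst_ip dst_port")


class SessionAwareBalancer:
    def __init__(self, worker_slots):
        self.healthy = set(worker_slots)   # chassis slots currently accepting sessions
        self.sessions = {}                 # Flow -> slot: the per-session state table
        self.lost = []                     # sessions dropped by a worker failure

    def _choose(self, flow):
        # Assumption of the model: hash the 5-tuple over the healthy slots
        # for a NEW session only; existing sessions never go through here.
        key = "|".join(map(str, flow)).encode()
        h = int.from_bytes(hashlib.sha256(key).digest()[:4], "big")
        slots = sorted(self.healthy)
        return slots[h % len(slots)]

    def dispatch(self, flow):
        """Return the worker slot for a packet; known sessions stay pinned."""
        slot = self.sessions.get(flow)
        if slot is None:
            if not self.healthy:
                raise RuntimeError("no healthy workers in the chassis")
            slot = self._choose(flow)
            self.sessions[flow] = slot
        return slot

    def worker_failed(self, slot):
        """The balancer stops sending to the slot; its sessions are lost (no sync)."""
        self.healthy.discard(slot)
        dropped = [f for f, s in self.sessions.items() if s == slot]
        for f in dropped:
            del self.sessions[f]
        self.lost.extend(dropped)
        return len(dropped)


def demo():
    """Walk constructed flows through a chassis with workers in slots 3, 4 and 5."""
    lb = SessionAwareBalancer([3, 4, 5])
    flows = [Flow("tcp", "198.51.100.10", 40000 + i, "203.0.113.5", 443) for i in range(30)]
    first = {f: lb.dispatch(f) for f in flows}
    # Later packets of the same sessions land on the same worker.
    assert all(lb.dispatch(f) == first[f] for f in flows)
    dropped = lb.worker_failed(4)
    # Survivors keep their worker; the failed worker's sessions are gone and any
    # further packet for them is treated as a brand-new session elsewhere.
    survivors_pinned = all(lb.dispatch(f) == first[f] for f in flows if first[f] != 4)
    restarted_on = sorted({lb.dispatch(f) for f in flows if first[f] == 4})
    return {"dropped": dropped, "survivors_pinned": survivors_pinned,
            "restarted_on": restarted_on}


if __name__ == "__main__":
    print(demo())
```

The point of the model is that pinning comes from the session table, not from the hash: when a worker is removed the hash of a surviving session would change, but the table keeps it on its original worker, which is exactly what lets NAT, fragments and pinhole protocols survive load balancing.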

Licensing considerations for SLBC: register and apply licenses to each worker before adding the worker to the SLBC cluster. This includes Technical Support, FortiClient, FortiCloud activation, FortiClient licensing, and entering a license key if you purchased more than 10 Virtual Domains (VDOMs). FortiToken licenses can be added at any time because they are synchronized to all workers.

Let's see what a high-level SLBC configuration looks like.

This section contains some high-level steps that guide you through the basics of setting up an example SLBC cluster consisting of a single FortiController and 3 workers installed in a FortiGate-5000 chassis.

  1. Install the FortiGate-5000 series chassis and connect it to power.
  2. Install the FortiController in chassis slot 1.
  3. Install the workers in chassis slots 3, 4, and 5.
  4. Power on the chassis.
  5. Check the chassis, FortiController and worker LEDs to verify that all components are operating normally.
  6. Log into the CLI of each of the workers and use the following command to set them to FortiController mode:

config system elbc
   set mode forticontroller
end

7. From the FortiController GUI Dashboard System Information widget, beside HA Status select Configure.

8. Set Mode to Active-Passive, change the Group ID, move the b1 and b2 interfaces to the Selected column, and select OK.

Or from the CLI enter the following command:

config system ha
   set mode a-p
   set groupid 4
   set hbdev b1 b2
end

9. You can optionally configure other HA settings. If you have more than one cluster on the same network, each cluster should have a different Group ID. Changing the Group ID changes the cluster interface MAC addresses, so a given Group ID setting can cause a MAC address conflict; if this happens, select a different Group ID. The default Group ID of 0 is not a good choice and usually should be changed.

10. Go to Load Balance > Config and add the workers to the cluster by selecting Edit and moving the slots that contain workers to the Members list.

11. Configure the cluster external management interface so that you can manage the worker configuration.

From the FortiController GUI go to Load Balance > Config and edit the External Management IP/Netmask and change it to an IP address and netmask for the network that the mgmt interfaces of the FortiController and the workers are connected to. The External Management IP/Netmask must be on the same subnet as the FortiController management IP address.

12. Connect FortiController front panel interface 1 (F1 on some models) to the Internet and front panel interface 3 (F3 on some models) to the internal network.

The workers see these interfaces as fctrl/f1 and fctrl/f3.

Do not use the worker front panel interfaces for data or management connections.

13. Log into the workers using the External Management IP/Netmask and configure the workers to process traffic between fctrl/f1 and fctrl/f3.

If you need to add a default route to connect to the External Management IP/Netmask, log into the FortiController CLI and enter the following command:

config route static
   edit route 1
   set gateway <gateway-ip>
end

We can also change the heartbeat VLAN ID from the FortiController CLI. For example, to change the heartbeat VLAN ID to 333, enter the following:

config system ha
   set hbdev-vlan-id 333
end

To add the mgmt interface to the list of heartbeat interfaces (supported on the FortiController-5103B), enter the following:

config system ha
   set hbdev b1 b2 mgmt
end

To simultaneously use all heartbeat interfaces for heartbeat traffic, enter the following command:

config load-balance-setting
   set base-mgmt-interface-mode active-active
end
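The HA settings in the steps above are easy to get wrong in ways that only show up later as MAC address conflicts or a cluster that cannot form. The following script, added here as an example and not part of Fortinet's tooling, parses the flat "config ... set ... end" blocks in the form this page shows them and checks the points the steps call out: Group ID not left at the default 0, b1 and b2 both listed as heartbeat devices, a sane heartbeat VLAN ID, and no two clusters on the same network sharing a Group ID. The sample configurations are constructed; the gateway address is a documentation address, and the parser handles only the shapes used on this page, not the full FortiOS config syntax.

```python
"""Lint FortiController-style HA config blocks (added example, not Fortinet code)."""


def parse_cli(text):
    """Parse flat 'config <name> ... end' blocks into {block: {key: [values]}}.

    Keys set inside an 'edit <entry>' sub-entry are stored as '<entry>/<key>'.
    Only the shapes used on this page are handled; this is not a general
    FortiOS configuration parser.
    """
    blocks, block, entry = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("config "):
            block = blocks.setdefault(line[7:].strip(), {})
            entry = None
        elif line.startswith("edit "):
            entry = line[5:].strip()
        elif line.startswith("set ") and block is not None:
            key, *values = line[4:].split()
            block[f"{entry}/{key}" if entry else key] = values
        elif line == "next":
            entry = None
        elif line == "end":
            block, entry = None, None
    return blocks


def lint_ha(name, config):
    """Findings for one cluster's 'config system ha' block."""
    ha = config.get("system ha", {})
    findings = []
    groupid = ha.get("groupid")
    if groupid is None or groupid == ["0"]:
        findings.append(f"{name}: groupid is unset or the default 0; "
                        "choose a non-zero Group ID that is unique on the network")
    hbdev = set(ha.get("hbdev", []))
    if not {"b1", "b2"} <= hbdev:
        findings.append(f"{name}: hbdev {sorted(hbdev) or 'unset'} should include both b1 and b2")
    vlan = ha.get("hbdev-vlan-id")
    if vlan and not (vlan[0].isdigit() and 1 <= int(vlan[0]) <= 4094):
        findings.append(f"{name}: hbdev-vlan-id {vlan[0]} is not a valid VLAN ID")
    return findings


def lint_network(named_configs):
    """Lint every cluster on one network and flag Group IDs shared between them."""
    findings, by_group = [], {}
    for name, text in named_configs.items():
        cfg = parse_cli(text)
        findings.extend(lint_ha(name, cfg))
        gid = cfg.get("system ha", {}).get("groupid", ["0"])[0]
        by_group.setdefault(gid, []).append(name)
    for gid, names in by_group.items():
        if gid != "0" and len(names) > 1:
            findings.append(f"Group ID {gid} is shared by {', '.join(names)}; "
                            "the Group ID drives the cluster MAC addresses, so each cluster needs its own")
    return findings


# Constructed sample inputs: a weak config, the corrected settings from the steps
# above (with a default route), and a third cluster that reuses Group ID 4.
WEAK = """
config system ha
   set mode a-p
   set groupid 0
   set hbdev b1
end
"""

CLUSTER_A = """
config system ha
   set mode a-p
   set groupid 4
   set hbdev b1 b2
   set hbdev-vlan-id 333
end
config route static
   edit route 1
   set gateway 192.0.2.1
end
"""

CLUSTER_B = """
config system ha
   set mode a-p
   set groupid 4
   set hbdev b1 b2
end
"""

if __name__ == "__main__":
    for finding in lint_network({"weak": WEAK, "cluster-a": CLUSTER_A, "cluster-b": CLUSTER_B}):
        print(finding)
```

Run against the three samples it reports two findings for the weak cluster (default Group ID, only one heartbeat device) and one for the shared Group ID between cluster-a and cluster-b; the corrected block from the steps above passes on its own.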

Note: some FortiController hardware and software features affect SLBC configurations and are worth knowing; the following summarizes them for the three FortiController models, one entry per model under each feature.

 

Network interfaces
  FortiController-5103B: Eight front panel 10Gbps SFP+ FortiGate interfaces (F1 to F8). Speed can be changed to 1Gbps. MTU size 9000 bytes.
  FortiController-5903C: Four front panel 40Gbps QSFP+ fabric channel interfaces (F1 to F4). Can be split into four 4x10G SFP+ interfaces. MTU size 9000 bytes.
  FortiController-5913C: Two front panel 100Gbps CFP2 fabric channel interfaces (F1 and F2). Can be split into two 10x10G SFP+ interfaces. MTU size 9000 bytes.

Base channel interfaces
  FortiController-5103B: Two front panel base backplane 1Gbps SFP+ interfaces (B1 and B2).
  FortiController-5903C: Two front panel 10Gbps SFP+ base channel interfaces (B1 and B2). Speed can be changed to 1Gbps.
  FortiController-5913C: Two front panel 10Gbps SFP+ base channel interfaces (B1 and B2). Speed can be changed to 1Gbps.

Fabric backplane interfaces
  FortiController-5103B: 10Gbps. Speed can be changed to 1Gbps.
  FortiController-5903C: 40Gbps. Speed can be changed to 10- or 1Gbps.
  FortiController-5913C: 40Gbps. Speed can be changed to 10- or 1Gbps.

Base backplane interfaces
  FortiController-5103B: 1Gbps
  FortiController-5903C: 1Gbps
  FortiController-5913C: 1Gbps

Chassis supported
  FortiController-5103B: FortiGate-5144C (14 slots), FortiGate-5140B (14 slots), FortiGate-5060 (6 slots)
  FortiController-5903C: FortiGate-5144C (14 slots)
  FortiController-5913C: FortiGate-5144C (14 slots)

Heartbeat between FortiControllers
  FortiController-5103B: B1, B2, and Mgmt (optional). Default VLAN 999
  FortiController-5903C: B1 and B2. Default VLAN 999
  FortiController-5913C: B1 and B2. Default VLAN 999

Base control between chassis
  FortiController-5103B: B1, B2, and mgmt (optional). Default VLAN 301
  FortiController-5903C: B1 and B2. Default VLAN 301
  FortiController-5913C: B1 and B2. Default VLAN 301

Base management between chassis
  FortiController-5103B: B1, B2, and mgmt (optional). Default VLAN 101
  FortiController-5903C: B1 and B2. Default VLAN 101
  FortiController-5913C: B1 and B2. Default VLAN 101

Session sync
  FortiController-5103B: One of F1 to F8. VLAN 2000 (VLAN cannot be changed)
  FortiController-5903C: B1 and B2. VLAN 1900 and 1901 (cannot be changed)
  FortiController-5913C: B1 and B2. VLAN 1900 and 1901 (cannot be changed)

 

We have also covered a few other FortiGate HA solutions in separate blog posts, each with detailed how-to steps:

Basics

FortiGate Cluster Protocol (FGCP)

FortiGate Session Life Support Protocol (FGSP)

Session-Aware Load Balancing Clustering (SLBC)

Content Clustering

VRRP

 

 
