1.7 Handling Large Environments by Clustering
PacketiX VPN Server supports a clustering function, which enables
multiple VPN Servers to be administered as a single VPN Server and
provides load balancing and fault tolerance among them. The clustering
function can be used with the Enterprise Edition and Carrier Edition of
PacketiX VPN Server 2.0.
For a more detailed description of the clustering functions, see
「3.9 Clustering」.
1.7.1 Necessity of Clustering
PacketiX VPN Server is VPN server software equipped with superior
performance and functions. The throughput and the number of simultaneous
connections that a single VPN Server can support depend on the hardware
performance of the computer running it, but the capacity a single
computer can deliver from its hardware resources is always limited. No
matter how much the server hardware is optimized and sped up, hardware
performance limits ultimately exist, and a single computer cannot
process more than those limits allow.
Using the clustering function of PacketiX VPN Server enables you to
consolidate multiple VPN Servers into a single cluster. VPN connection
source computers that attempt to connect to the cluster (usually a VPN
Client, but in some cases a cascade connection from VPN Server / Bridge,
etc.) are automatically connected to one of the VPN Servers in the
cluster by the cluster controller. At this time, the cluster controller
decides the load balancing algorithm according to the operation mode of
the connection destination Virtual HUB.

Fig. 1-7-1 Processing large amounts of VPN connections by clustering
If one of the computers operating in the cluster stops running because
of a fault or other trouble, connections are directed to the other
computers participating in the cluster and VPN communication processing
continues. From the VPN connection source, VPN communication appears to
stop momentarily but is restored right away, because the Virtual HUB
processing that had been conducted by that VPN Server up to that point
is carried on by another server in the cluster. Communication continues
by automatically avoiding the trouble, without the VPN Server
administrator or VPN users performing any special processing at all.
With these features, processing that cannot be carried out by a single
PacketiX VPN Server, such as a large number of simultaneous connections
that would dramatically decrease throughput, can be processed in
parallel by properly balancing the load, and if a server in the cluster
stops, its processing can be taken over by another server. Clustering
can therefore be used effectively in large scale environments or
environments demanding high reliability.

Fig. 1-7-2 Load balancing
Two types of computers participate in PacketiX VPN Server clusters:
cluster controllers and cluster member servers.
Cluster Controller
A cluster controller is a special computer. Each cluster of servers
requires exactly one cluster controller. The cluster controller manages
all other computers participating in the cluster (cluster member
servers) and conducts important processing to maintain compatibility
among the various servers.
When constructing a cluster of VPN Servers using PacketiX VPN Server,
first one of the server computers is set as the cluster controller, and
the other server computers are then connected to the cluster controller.
Cluster Member Server
All computers participating in the cluster other than the cluster
controller are cluster member servers. Cluster member servers cannot
operate on their own, but once they make a cluster control connection to
the cluster controller, the PacketiX VPN Server cluster begins to
operate as a single unit based on the connection destination cluster
controller.

Fig. 1-7-3 Cluster controller and cluster member servers
1.7.2 Applications of Clustering
The cluster function of PacketiX VPN Server is best suited to two main
applications: large scale remote access VPN Server and large scale
Virtual HUB hosting VPN Server. It also functions correctly when the two
applications need to be combined.
1.7.3 Large Scale Remote Access VPN Server
The PacketiX VPN Server clustering function is used when you construct
a remote access VPN server with PacketiX VPN Server to connect computers
at remote locations to the company LAN and either an extremely large
number of connections is expected, or high reliability is required and
you want to keep downtime caused by hardware faults and the like in the
remote access VPN server as short as possible.
A cluster of VPN Servers is constructed and a static Virtual HUB is
established within it, and the instances of the static Virtual HUB
generated by the VPN Servers are connected by bridge connection to a
network such as the physical company LAN. Load balancing is then
automatically carried out for the large numbers of users that attempt
remote access to that network, and each user is connected to the proper
VPN Server computer in the cluster. At this time the user does not have
to be aware of being connected to a cluster, and no special operation is
required. Also, whichever VPN Server computer a user is connected to as
a result of load balancing, the same communication can be carried out.
If a hardware fault occurs in the connection destination VPN Server
computer, or if that server needs to be temporarily shut down or
restarted to add hardware or update the operating system, the VPN
sessions already connected to that computer are automatically switched
to another VPN Server when they reconnect, so communication can
continue.
This secures scalability and fault tolerance for the remote access VPN
Server.
Also, if there are multiple physical LANs to be accessed remotely, you
can create multiple static Virtual HUBs and connect each Virtual HUB to
its respective physical LAN by local bridge connection.
For application examples of the clustering function of large scale
remote access VPN servers, see 「10.8 Setting Up a Large Scale Remote Access VPN Service」.

Fig. 1-7-4 Large scale remote access VPN Server
1.7.4 Large Scale Virtual HUB Hosting VPN Server
You can use the clustering function effectively when hosting a large
number of Virtual HUBs with PacketiX VPN Server. The clustering function
of PacketiX VPN Server is used when Internet Service Providers or the IT
departments of large corporations offer the Virtual HUB function to
customers or users, when there are many Virtual HUBs, or when there are
many VPN sessions to be connected simultaneously.
A cluster of multiple VPN Servers can be constructed and as many
dynamic Virtual HUBs as needed can be created within it. In such a
configuration, when a VPN Client or VPN Bridge in a remote location
connects to VPN Server by VPN connection or cascade connection, an
instance of the connection destination Virtual HUB is created on one of
the VPN Servers operating in the cluster, and communication within that
Virtual HUB becomes possible. Load is automatically balanced per Virtual
HUB or per VPN connection session for the Virtual HUB. At this time the
user does not have to be aware of being connected to a cluster, and no
special operation is required. If a hardware fault occurs in the
connection destination VPN Server computer, or if that server needs to
be temporarily shut down or restarted to add hardware or update the
operating system, the VPN sessions already connected to that computer
are automatically switched to another VPN Server when they reconnect, so
communication can continue (at this time, the Virtual HUB instance is
also automatically switched to another server). Just as with a
conventional Virtual HUB, no communication at all is carried out between
individual Virtual HUBs, so the independence of each Virtual HUB is
maintained. Also, administrator authority for each Virtual HUB can be
transferred to the customer or user.
For application examples of the clustering function of large scale
Virtual HUB hosting VPN servers, see 「10.9 Setting Up a Large Scale Virtual HUB Hosting Service」.

Fig. 1-7-5 Large scale Virtual HUB hosting VPN Server
1.7.5 Product License and Connection License when Clustering
When using the clustering function of PacketiX VPN Server, each
PacketiX VPN Server that participates in the cluster requires a product
license and a PacketiX VPN Server 2.0 Enterprise Edition License or
PacketiX VPN Server 2.0 Carrier Edition License.
Connection licenses (client connection licenses and bridge connection
licenses) are administered by the cluster as a whole. Consequently, the
number of connection licenses needed is determined by estimating the
possible number of simultaneous connections for the entire cluster, and
connection license registration is completed simply by registering the
licenses on the cluster controller. There is no need to purchase a
connection license for each VPN Server. Compared to the case where load
is distributed manually across individual VPN Servers, processing a
large number of simultaneously connected users as a cluster can in some
cases dramatically reduce the number of connection licenses required.

Fig. 1-7-6 Product license and connection license when clustering