Symmetric Load Balancing

Symmetric load balancing is a mechanism of interchanging the source and destination addresses to ensure that bidirectional traffic specific to a particular source and destination address pair flows out of the same member of a trunk group.

Note: Symmetric load balancing is not supported on non-IP data traffic.

For many monitoring and security applications, bidirectional conversations flowing through the system must be carried on the same port of a LAG. For network telemetry applications, network traffic is tapped and sent to a RUCKUS ICX device, which can send hash-selected traffic to the application servers downstream. Each server analyzes the bidirectional conversations, so symmetric load balancing must be enabled on the devices to keep both directions of a conversation together. In addition, the firewall between the RUCKUS ICX devices can be configured to allow the bidirectional conversations per link of the LAG. These network telemetry applications also require symmetric load balancing on the LAGs between the devices.

Note: Symmetric load balancing is supported on RUCKUS ICX 7850, RUCKUS ICX 7450, and RUCKUS ICX 7250.
Figure 1. Symmetric load balancing

Note: Symmetric load balancing can also be used with equal-cost multi-path (ECMP) routing, where the same next hop is selected for a bidirectional conversation.

You can enable symmetric load balancing for IPv4 and IPv6 data traffic on RUCKUS ICX devices using the load-balance symmetric command.

To confirm whether symmetric load balancing is enabled, use the show running-config command.

Note: Symmetric load balancing is a system-level configuration. Compared to non-symmetric load balancing, it may affect load sharing among LAG members and ECMP next-hop load sharing, so that not all LAG links are fairly utilized. It might also affect load sharing within a stack trunk for broadcast, unknown unicast, and multicast (BUM) traffic, where the user may not see all the stack trunk member links being fairly utilized.
Table 1. Fields Used for Hash Calculation Based on Packet Types

| Packet Type | Hashing Field | Is Symmetric Load Balancing Supported on RUCKUS ICX 7xxx Platforms? |
|---|---|---|
| Non-IP packets | Source MAC address and destination MAC address | No |
| IPv4/IPv6 packets | SIP, DIP, protocol type, and Layer 4 source or destination ports (only if non-fragmented packet) | Yes |
| TCP/UDP packets | SIP, DIP, protocol type, and Layer 4 source or destination ports (only if non-fragmented packet) | Yes |
| IP-in-IP tunnel/GRE packets | Layer 4 source or destination ports (only if non-fragmented packet), SIP, DIP, and protocol type from the inner IP payload | Yes |

Use Case: Deploying RUCKUS ICX 7850 as a Traffic Splitter in a DPI Solution

Figure 2. Symmetric load balancing in RUCKUS ICX 7850

Production network: Traffic flowing in the production network is mirrored onto a few ports that connect to the monitoring network.

Monitoring network: In the monitoring network, the RUCKUS ICX 7850 is deployed as a traffic splitter. There are multiple servers hosting the DPI application and connected to RUCKUS ICX 7850. All monitored traffic is transparently flooded onto the VLAN and is load-balanced among the outgoing ports connected to the DPI pool.
Note: The use case assumes that the bidirectional traffic pertaining to the same SIP-DIP pair and the same Layer 4 source-destination pair goes to the same DPI (connected to one of the LAG ports).

After enabling symmetric load balancing, Flow X upstream traffic (with SIP as 1.1.1.1, DIP as 2.2.2.2, Layer 4 source port as 3927, and Layer 4 destination port as 80) and Flow X downstream traffic (with SIP as 2.2.2.2, DIP as 1.1.1.1, Layer 4 source port as 80, and Layer 4 destination port as 3927) will hash to the same member link of the LAG, resulting in the bidirectional conversation going to the same DPI pool.
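
The Flow X behavior described above can be reproduced in a short model. This is an added example, not RUCKUS code: the function names, the CRC32 stand-in hash, the endpoint ordering, and the extra flows are assumptions made for illustration, and the actual ICX hash is not documented on this page. The hashed fields follow Table 1, including the omission of Layer 4 ports for fragmented packets.

```python
import ipaddress
import zlib

TCP = 6  # IP protocol number for TCP

def flow_key(sip, dip, proto, sport, dport, fragmented=False, symmetric=True):
    """Return the bytes hashed for one IPv4/IPv6 packet (fields per Table 1)."""
    src = ipaddress.ip_address(sip).packed
    dst = ipaddress.ip_address(dip).packed
    # Layer 4 ports take part only when the packet is not fragmented.
    if fragmented:
        sport = dport = 0
    ends = [(src, sport), (dst, dport)]
    if symmetric:
        # Canonical endpoint order: A->B and B->A produce the same key.
        ends.sort()
    packed = b"".join(addr + port.to_bytes(2, "big") for addr, port in ends)
    return packed + bytes([proto])

def lag_member(key, members):
    """Map a key to a LAG member index. CRC32 is a stand-in hash (assumption)."""
    return zlib.crc32(key) % members

def directions_agree(flow, members, symmetric):
    """True when both directions of a flow select the same LAG member."""
    sip, dip, proto, sport, dport = flow
    up = flow_key(sip, dip, proto, sport, dport, symmetric=symmetric)
    down = flow_key(dip, sip, proto, dport, sport, symmetric=symmetric)
    return lag_member(up, members) == lag_member(down, members)

# Flow X from the use case, followed by constructed flows for comparison.
FLOW_X = ("1.1.1.1", "2.2.2.2", TCP, 3927, 80)
FLOWS = [FLOW_X, ("2001:db8::1", "2001:db8::2", TCP, 5000, 443)]
FLOWS += [(f"10.0.0.{i}", "192.0.2.10", TCP, 40000 + i, 443) for i in range(1, 49)]

if __name__ == "__main__":
    for symmetric in (False, True):
        same = sum(directions_agree(f, 4, symmetric) for f in FLOWS)
        print(f"symmetric={symmetric}: {same}/{len(FLOWS)} flows "
              "keep both directions on one LAG member")
```

With symmetric ordering every flow keeps both directions on one member, so each DPI server sees whole conversations; without it, agreement between the two directions is only a matter of chance.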