Deployment Issues

Applies To: Windows Server 2003 with SP1

Q. What is the AOL Proxy or Megaproxy Problem? Does NLB Fix it?

A. All connections that originate from large enterprises or megaservices such as AOL or MSN pass through client-side proxies. However, there is no guarantee that two consecutive TCP connections originating from the same client would be sent out through the same proxy. Now, lets assume that an AOL client creates an SSL session with an NLB cluster on the other side of the Internet. To ensure that the session does not break, all TCP connections originating from this client that are part of the session must be sent to the same host in the cluster. To ensure this, the NLB cluster must be configured in Single Affinity Mode.

However, it is possible that multiple TCP connections originating from the same client on the AOL network may be sent to the NLB cluster through different client-side proxies. The NLB Cluster will view these two TCP connections as connections from different clients (because they would now have different source IP addresses) even though they have actually originated from the same host. Now, since NLB load balances connection requests based on the source IP address of the connection, these connections may get handled by different hosts in the cluster even though they are part of the same session, thus breaking the session. NLB does not fix this problem, though the problem may be mitigated by choosing Class C affinity, provided the AOL Proxy happens to use source IP addresses from a single Class C address range. Note that a well designed web application will should not fail if an SSL session is broken; instead it should negotiate a new SSL session, minimizing the impact on clients.

Q. Will I Get Even Load Balancing if Most Clients Connect to the NLB Cluster Through a Client-Side Proxy?

A. When connections coming from different clients pass through the same client-side proxy, they reach the NLB Cluster bearing the same source IP Address. This makes the NLB cluster believe that these connections are coming from a single machine. So, if the cluster is configured in Single Affinity mode, NLB will use only the Source IP Address of the incoming connections to achieve load balancing and since all these connections seem to come from the same IP address, they will all end up with the same host in the cluster. However, if the cluster is configured in No Affinity mode, NLB will use both the Source IP Address and the Source Port to achieve the load balancing, and so load will be distributed amongst all of the hosts.

Q. What is the Difference Between Multicast and Unicast Modes of Operation? Which One Should I Use in My NLB Installation?

A. NLB relies on the fact that incoming packets are directed to all cluster hosts and passed up to the NLB driver for filtering. In its default unicast mode of operation, this is achieved by NLB reassigning the station (MAC) address of the network adapter for which it is enabled and all cluster hosts are assigned the same MAC (media access control) address. In multicast mode, NLB assigns a layer-2 multicast address to the cluster adapter instead of changing the adapters station address.

Both modes of operation have their pros and cons. The advantages of unicast mode are that it works seamlessly with all routers and layer-2 switches (and layer-3 switches which are configured to operate in layer-2 mode). The disadvantages are:

  • Unicast mode induces switch flooding, where all switch ports are flooded with NLB traffic, even ports to which non-NLB servers are attached;

  • Since all hosts in the cluster have the same IP Address and the same MAC Address, there is no inter-host communication possible between the hosts configured in unicast mode.

Multicast allows inter-host communication because it adds a layer two multicast address to the cluster instead of changing it and this makes inter-host communication possible as the hosts retain their original unique MAC addresses and already have unique Dedicated IP Addresses. However, in multicast mode, the ARP reply sent out by a host in the cluster, in response to an ARP request, maps the clusters unicast IP Address to its multicast MAC Address. Such a mapping in an ARP reply is rejected by some routers and so administrator must add a static ARP entry in the router mapping the Cluster IP Address to its MAC Address

Q. How do I Reduce Switch Flooding Caused by Network Load Balancing?

A. For Windows 2000, the only choice is to isolate the NLB hosts. This can be done in one of two ways. First the hosts can be homed to their own LAN or Virtual LAN. This will work for either unicast or multicast modes. Second, for the multicast mode, the switch ports to which the hosts are attached can mapped to the cluster MAC address via static entries in the switchs Content-Addressable Memory (CAM) table.

Windows Server 2003 introduces a new feature, called IGMP multicast, as an additional means of limiting switch flooding. This mode can be used if the switch supports IGMP snooping. Note however, that this mode requires the cluster to be configured in multicast mode.

Q. Does NLB Require Two Network Cards Per Host?

A. NLB does not require more than one network card per host. However, there are several scenarios in which a user may prefer to add another network card:

  • Inter-host communication in unicast mode

    In unicast mode, each host in the cluster has the same IP Address and the same MAC Address making them look identical from a networking perspective. So, unicast mode has the side effect of disabling communication among the hosts of the cluster.

  • Separating the front-end traffic from the back-end traffic

    The network adapter that has NLB bound to it can be used to handle incoming connections and connections to a bank-end database, for example, can be made from a separate back-end network adapter.

Q. Can NLB be used with network interface card teaming adapters?

A. Network interface card teaming solutions are offered by most major network adapter vendors and provide adapter fault tolerance (AFT). Network interface card teaming permits grouping network adapter ports for a connection to a single physical segment. If connectivity through one port is not working, another port is activated automatically. This operation is transparent to the operating system and other devices on the network.

NLB can be used with certain teamed adapters, however, this requires careful coordination between NLB and the teamed adapter configuration software. Refer to Knowledge Base article INFO: Using NIC Teaming Adapters with Network Load Balancing May Cause Network Problems (, for details.

Q. Can NLB be used instead of network interface card teaming software to provide adapter fault tolerance or increase throughput?

A. No, NLB cannot be used to team adapters (grouping adapter ports together). NLB is used strictly to load balance traffic among multiple hosts in a load-balanced cluster

Q. How Do I Configure NLB with Layer 2 Switches?

A. If you are connecting NLB hosts to a switch rather than a hub, you need to make sure that the switch does not associate the cluster MAC address with a particular switch port. Knowledge Base article Configuration Options for WLBS Hosts Connected to a Layer 2 Switches ( explains how to configure NLB with Layer 2 switches.

Q. How Do I Configure NLB with Layer 3 Switches?

A. Layer 3 switches need to be specially configured to work with NLB. A VLAN must be established for the hosts in the cluster, and this VLAN must be configured to operate in Layer 2 mode. All Layer 3 switches may not support this capability, and when they do, the mechanism to setup the Layer-2 VLAN is specific to the particular make and model. Consult the documentation for the switch before attempting to configure such a system.

Q. How Do I Remove the Switch as a Single Point-of-Failure?

A. Create a subnet that spans two switches and home half of the NLB cluster to each switch. The objective is typically to create a LAN with no single points of failure. To this end you will also need two router uplinks and have one switch uplink to one router. You also need to run a redundant routing protocol such as HSRP for failover of the router links. Finally you will need two cross-over links between the switches (otherwise the cross-over cable is a single point of failure). Each switch has two paths off the network: one via the router it is linked to (which is used by default) and one through the other switch. In this configuration, the loss of a router (or link to a router) causes the affected switch to use the cross link to ship its traffic off the LAN. The loss of a switch cuts the cluster capacity in half.

Q. I Have Two Network Adapters on Each Server in My NLB Cluster. How Do I Ensure That All Outbound Traffic Goes Through Non-Load-Balanced Network Adapters?

A. Sometimes it is desirable for performance or other reasons to direct all outgoing traffic through a different network adapter that the one that is being load balanced with NLB. This implies that there is more than one network adapter on each host in a cluster: NLB is bound to one network adapter called cluster network interface card, and the other network adapter does not have NLB bound to it. To make sure that the outbound traffic leaves each host through the non-cluster network adapter, do the following:

Set the metric on the cluster network adapter to a higher value than the non-cluster network adapter. For example, if you have two network adapters on each host, set the non-cluster network adapter metric to 1 and cluster network adapter metric to 2. The network adapter with a higher metric means it is more expensive to use than the other one with a lower metric. That will ensure that the outbound traffic will be routed out of the non-cluster network adapter.

If you want to use default gateways on both cluster and non-cluster network adapters, make sure the metric of the default gateway on the cluster network adapter has a higher value than the one on the non-cluster network adapter. If you do not want to route any outgoing traffic out of the cluster network adapter, you should not specify the default gateway for it at all.

Q. Can I Have Part of the Cluster Operate in Multicast Mode and the Other in Unicast Mode?

A. No, the entire cluster has to be in one mode of operation.

Q. Does NLB Support Multiple Virtual IP Addresses?

A. Yes, NLB supports multiple, virtual IP addresses. For more details please refer to KB article How to Configure WLBS with Multiple Virtual IP Addresses, (

Q. Is it Possible to Specify Different Port Rules for Different Virtual IP Addresses (VIPs) On the Same Set of Hosts?

A. Windows 2000: No, port rules cover all VIPs that are configured. In addition, all of the hosts must have the same VIPs on them, see the KB article How to Configure WLBS with Multiple Virtual IP Addresses, (

Windows Server 2003: Virtual Clusters provide per-IP Port Rules capability. Now, it is possible to have different ports rules for different VIPs on the same set of machines.

Q. Will NLB Work if Multiple VIPs on the Same Set of Hosts are Added on Different Subnet?

A. Yes.

Q. Is it Possible to Mix Windows NT 4.0 WLBS, Windows 2000 WLBS and Windows Server 2003 in the Same Cluster?

A. Yes, mixing Windows NT 4.0 WLBS, Windows 2000 NLB and Windows Server 2003 is supported. There is no additional work needed and the heartbeat packets from NLB in Windows Server 2003 are backward compatible with WLBS on Windows NT 4.0 and Windows 2000 NLB.


In mixed mode, you cannot use new features of Windows Server 2003 NLB. For a list of new features of Windows Server 2003 NLB refer to the following document: What’s New in Clustering Technologies, (

You cannot use Network Load Balancing manager to manage mixed-mode clusters.

Q. Is it Possible to Bind NLB to Multiple Interfaces?

A. NLB may be bound to multiple interfaces only in Windows Server 2003. The interfaces may not be joined to the same cluster.

Q. Can I Have Two NLB Clusters on the Same Subnet?

A. Yes. In a switched environment, the clusters will compete for the inbound bandwidth because inbound traffic is flooded to all hosts on the LAN. It is important to keep an eye on the aggregate amount of consumed inbound bandwidth to ensure that the network does not become a bottleneck. Other than that, there is no reason why multiple clusters can't reside on the same subnet.

Q. We Need to Span a Cluster Across Buildings. Can We Use NLB to Load-Balance Them?

A. Yes, if hosts are part of the same subnet.

Q. Does NLB Support Token Ring Networks?

A. No. Token Ring networks do not allow multiple hosts to share a common MAC address, which is a fundamental requirement of the NLB algorithm.