
Deploying Direct Server Return

Direct Server Return uses a flat network topology at the Layer 2 (Switching) and Layer 3 (IP) levels, which means that the Barracuda Load Balancer, all VIPs, and all Real Servers must be within the same IP network and connected on the same switch. Figure 2.6 above shows this topology. Each Real Server must be one hop away from the Barracuda Load Balancer, but they use the WAN port. This means their switch must be directly connected into the WAN port of the Load Balancer, or connected to a series of switches that eventually reach the WAN port of the Load Balancer without going through any other networking devices.

If you specify Route-Path deployment for the Barracuda Load Balancer, but only use Real Servers with Direct Server Return enabled, the physical LAN port is not used by the Barracuda Load Balancer.

On the Basic > Services page, each Real Server listed under each Service must individually be configured for Direct Server Return mode. Edit each Real Server and select Enable for the Direct Server Return option.

Deployment Notes

When deploying Real Servers in Direct Server Return mode, note the following:

• The Barracuda Load Balancer needs to have the WAN adapter plugged into the same switch or VLAN as all of the Real Servers.

• The WAN IP, all VIPs, and all of the Real Servers that use Direct Server Return must be on the same IP subnet.

• Each Real Server needs to recognize the VIP as a local address. This requires enabling of a non-ARPing virtual adapter such as a loopback adapter and binding it to the VIP address of the load-balanced Service. Because this is not a true adapter, there should be no gateway defined in the TCP/IP settings for this adapter.

• Real Servers accepting traffic from multiple VIPs must have a loopback adapter enabled for each VIP. Additionally, the applications on each Real Server must be aware of both the Virtual IP address as well as the real IP addresses.

Deployment in a Linux Environment

To add a non-ARPing adapter to a Real Server running Linux, add an alias to the lo (loopback) adapter. The following commands are examples of how to do this for some versions of Linux. Consult your operating system vendor if you need more details about how to add a non-ARPing loopback adapter.

1. Edit your rc.local file (usually located at /etc/rc.d/rc.local).

2. Add the following to your rc.local file:

sysctl -w net.ipv4.conf.lo.arp_ignore=1

In the ifconfig command that creates the loopback alias:

<interface_name> is lo:<number> (e.g. lo:0, lo:1, lo:2)

<ip_address> is the Virtual IP Address for the Service

For example:

ifconfig lo:1 192.168.4.217 netmask 255.255.255.255 -arp up

3. httpd.conf must have a VirtualHost entry for the VIPs. Edit the file to add these two lines:

listen <virtual_ip_address>:80
listen <real_ip_address>:80

where:

<virtual_ip_address> is the Virtual IP Address for the Service

<real_ip_address> is the actual IP Address for the Real Server

4. To check if the loopback adapter is working, make sure the Real Server is bound to the loopback adapter’s IP address. Output from the ifconfig command should show the presence of the loopback adapter.
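The check in step 4 can be scripted. The following is an added example, not part of the Barracuda guide: it reads the output of `ip -o -4 addr show dev lo` (the iproute2 counterpart of ifconfig) and confirms that every VIP is bound on lo with the 255.255.255.255 (/32) mask used above, since a wider mask on lo makes the server treat the whole subnet as local. The function name, the second and third VIPs, and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example: verify that each VIP is bound on lo as a /32 host address.

# Usage: ip -o -4 addr show dev lo | check_lo_vips <vip>...
# Returns 0 only if every VIP is present on lo with a /32 prefix.
check_lo_vips() {
    bound=$(awk '$3 == "inet" { print $4 }')   # one "addr/prefix" per line
    rc=0
    for vip in "$@"; do
        match=$(printf '%s\n' "$bound" |
            awk -F/ -v ip="$vip" '$1 == ip { print $2; exit }')
        if [ -z "$match" ]; then
            echo "MISSING: $vip not bound on lo"; rc=1
        elif [ "$match" != 32 ]; then
            echo "WRONG MASK: $vip/$match on lo (want /32)"; rc=1
        else
            echo "OK: $vip/32 on lo"
        fi
    done
    return $rc
}

# Constructed sample output: one VIP bound correctly, one with a /24 mask.
SAMPLE_LO='1: lo    inet 127.0.0.1/8 scope host lo\       valid_lft forever preferred_lft forever
1: lo    inet 192.168.4.217/32 scope global lo:1\       valid_lft forever preferred_lft forever
1: lo    inet 192.168.4.218/24 scope global lo:2\       valid_lft forever preferred_lft forever'

# Demo on the sample; on a Real Server, pipe the live command output instead.
printf '%s\n' "$SAMPLE_LO" |
    check_lo_vips 192.168.4.217 192.168.4.218 192.168.4.219 || true
```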

Deployment in a Windows/XP Environment

For information on how to add a non-ARPing adapter in a Windows/XP environment, refer to http://support.microsoft.com/kb/839013. Or, check the Microsoft Support Site for your operating system.

Applications running on Microsoft Real Servers must be configured to accept traffic received on the VIP addresses (the loopback IP addresses). To do this, add the VIP addresses to IIS (Internet Information Services) on each Real Server. The VIP addresses must be listed above the real IP address of the Real Server. Associate the Web site or application with the VIP addresses.

Deployment in a Microsoft Windows Server 2003 or 2008 Environment

To make servers that are running Microsoft Windows Server 2003 and Windows Server 2008 ready for DSR, there are several steps that you need to do on each server.

Table 2.2: Steps to make Microsoft Windows Server 2003 and 2008 ready for DSR

DSR in a Microsoft Windows Server 2003 or 2008 Environment

1. Disable the Windows firewall. Enable traffic to the loopback adapter.

2. Install the loopback adapter.

3. Configure the loopback adapter. In particular, stop the loopback adapter from responding to ARP requests. Remember that the loopback adapter has the same IP address as the VIP address.

4. Make the Windows networking stack use the weak host model. This step is required to allow the modified packet to be accepted by Windows Server 2008 servers.

5. If you are using IIS, add the loopback adapter to your site bindings. You need to ensure that the IP address for the loopback adapter is included in the site bindings in IIS.

These detailed instructions describe how to deploy DSR in a Windows Server 2003 or 2008 environment. Perform these steps for each server.

1. Disable the Windows firewall.

For Microsoft Windows Server 2003 and Windows Server 2008, you need to disable the built-in firewall or manually change the rules to enable traffic to and from the loopback adapter. By default, the Windows firewall blocks all connections to the loopback adapter.

2. Install the loopback adapter.

2a. For Windows Server 2003: to install the Microsoft loopback adapter refer to http://support.microsoft.com/kb/842561. This note describes how to install the loopback adapter. Follow the instructions in Method 1. When done, proceed to step 3.

2b. For Windows Server 2008 or Windows Server 2008 R2, follow these instructions to install a loopback adapter on one server:

1. Open Device Manager. On the Start menu, click Run… and type devmgmt.msc at the prompt.

2. Right-click on the server name and click Add legacy hardware.

3. When prompted by the wizard, choose to Install the hardware that I manually select from a list (Advanced).

4. Find Network Adapter in the list and click Next.

5. From the listed manufacturers select Microsoft and then Microsoft Loopback Adapter. See Figure 2.7.

Figure 2.7: Adding a loopback adapter in Windows Server 2008

6. This will add a new network interface to your server.

3. Configure the loopback adapter.

After the loopback adapter is installed, follow these steps to configure it:

3a. In Control Panel, double-click Network and Dial up Connections.

3b. Right-click the newly installed loopback adapter and click Properties.

3c. Click to clear the Client for Microsoft Networks check box.

3d. Click to clear the File and Printer Sharing for Microsoft Networks check box.

3e. Click TCP/IP properties.

3f. Enter the VIP address and the subnet mask.

3g. Click Advanced.

3h. Change the Interface Metric to 254. This stops the adapter from responding to ARP requests.

3i. Click OK.

4. Make the Windows networking stack use the weak host model.

If you are using Windows Server 2003, you can skip to the next step. If you are using Windows Server 2008 or Windows Server 2008 R2, this step tells you how to make the Windows networking stack use the weak host model (which is the same model used in Windows Server 2003).

DSR works by modifying the destination MAC address of the incoming traffic to one of the Real Servers behind your VIP. In versions of Windows prior to 2008, the Windows networking stack used a weak host model which allowed the host to receive packets on an interface not assigned as the destination IP address of the packet being received. With Windows Server 2008, Microsoft has implemented a strong host model which breaks the method that DSR uses.

Open a command prompt with elevated permissions. To determine the interface ID for both the loopback adapter and the main NIC on the server, type:

netsh interface ipv4 show interface

Note the IDX for both the main network interface and the loopback adapter you created. If you have not changed the interface names for this server then usually the main NIC will display as Local Area Connection and the loopback adapter will be named Local Area Connection 2.

An entry will be displayed that includes the IDX numbers for both your loopback adapter and your Internet facing NIC. For each of these adapters enter these three commands:

netsh interface ipv4 set interface <IDX number for Server NIC> weakhostsend=enabled

netsh interface ipv4 set interface <IDX number for loopback> weakhostreceive=enabled

netsh interface ipv4 set interface <IDX number for loopback> weakhostsend=enabled

For example:

netsh interface ipv4 set interface 23 weakhostsend=enabled

netsh interface ipv4 set interface 24 weakhostreceive=enabled

netsh interface ipv4 set interface 24 weakhostsend=enabled

To enable these changes, either restart the server or restart the Windows Firewall service on the server.

5. If you are using IIS, add the loopback adapter to your site bindings.

By default, IIS includes all interfaces. However, if you have configured a site to be bound to an individual IP address, you need to ensure that the IP address for the loopback adapter (your VIP address) is also included in the site bindings in IIS.

Follow these steps to bind the loopback adapter, referring to Figure 2.8:

5a. Open the Internet Information Services (IIS) Manager.

5b. Expand the Sites Folder.

5c. Click Default Web Site or the name of the site you are modifying.

5d. Click Bindings… on the Actions panel.

5e. Click Add... and click HTTP or HTTPS in the Type list. Enter the IP address of your loopback adapter and the port. Click OK.

5f. On the Actions panel click Restart under Manage Web Site to ensure the new bindings take effect.

Figure 2.8: Add Site Binding using IIS

Verifying DSR Deployment

When you are done adding the loopback adapters, try to ping the Real Servers and the VIP, and telnet to the Real Servers. If the ping doesn’t work or if in response to the telnet you get a connection refused from the VIP, then the loopback adapter has not been configured correctly.

Try to verify that the loopback adapters are non-ARPing. On either Linux or Windows systems, use the arp -a command. Also, check the system event logs for IP address conflicts.

If, later, once the Service is set up, the client tries to connect but is unable to access the application, then the IIS (Windows) or application has not been associated with the real IP address and the VIP.
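The arp -a check above can be automated. This added example (not part of the Barracuda guide) parses arp -a output in either the Linux or the Windows layout, taken on another host on the subnet after pinging the VIP and the Real Servers, and fails if the VIP resolves to the same MAC address as a Real Server, which means that server's loopback adapter is answering ARP. Function names, Real Server addresses and the sample tables are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag a Real Server that answers ARP for the VIP.

# Emit "<ip> <mac>" per resolved entry, MAC lowercased and colon-separated.
# Accepts Linux "? (ip) at aa:bb:.. [ether] on eth0" and Windows
# "  ip   aa-bb-..   dynamic" rows; headers and incomplete rows drop out.
normalize_arp() {
    awk '
    BEGIN { h = "[0-9A-Fa-f][0-9A-Fa-f]"; macre = "^" h "([-:]" h ")+$" }
    {
        ip = ""; mac = ""
        for (i = 1; i <= NF; i++) {
            f = $i; gsub(/[()]/, "", f)
            if (ip == "" && f ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) ip = f
            else if (mac == "" && length(f) == 17 && f ~ macre) mac = tolower(f)
        }
        gsub(/-/, ":", mac)
        if (ip != "" && mac != "") print ip, mac
    }'
}

# Usage: arp -a | check_vip_arp <vip> <real_server_ip>...
# Returns 0 if no listed Real Server owns the VIP's MAC, 1 if one does,
# 2 if the VIP has no ARP entry yet (ping it first).
check_vip_arp() {
    vip=$1; shift
    table=$(normalize_arp)
    vip_mac=$(printf '%s\n' "$table" | awk -v ip="$vip" '$1 == ip { print $2; exit }')
    [ -n "$vip_mac" ] || { echo "UNKNOWN: no ARP entry for VIP $vip"; return 2; }
    for rs in "$@"; do
        rs_mac=$(printf '%s\n' "$table" | awk -v ip="$rs" '$1 == ip { print $2; exit }')
        if [ "$rs_mac" = "$vip_mac" ]; then
            echo "FAIL: VIP $vip resolves to $vip_mac, the MAC of Real Server $rs"
            return 1
        fi
    done
    echo "OK: VIP $vip resolves to $vip_mac, not to a listed Real Server"
}

# Constructed sample tables: Linux layout (healthy), Windows layout (conflict).
SAMPLE_OK='? (192.168.4.217) at 02:00:00:aa:00:01 [ether] on eth0
? (192.168.4.21) at 02:00:00:bb:00:21 [ether] on eth0
? (192.168.4.22) at 02:00:00:bb:00:22 [ether] on eth0'
SAMPLE_BAD='Interface: 192.168.4.50 --- 0x17
  Internet Address      Physical Address      Type
  192.168.4.217         02-00-00-BB-00-22     dynamic
  192.168.4.21          02-00-00-bb-00-21     dynamic
  192.168.4.22          02-00-00-bb-00-22     dynamic'

printf '%s\n' "$SAMPLE_BAD" | check_vip_arp 192.168.4.217 192.168.4.21 192.168.4.22 || true
```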

Chapter 3 Getting Started

This chapter provides instructions for installing the Barracuda Load Balancer. It includes the following topics:

Initial Setup

A similar process is described in the Barracuda Load Balancer Quick Start Guide.
