Figure 27 shows an example of an AX device deployed in transparent mode, in a Direct Server Return (DSR) configuration. In a DSR configuration, replies from real servers do not necessarily pass through the AX device.
FIGURE 27 AX Deployment Example – DSR in Transparent Mode
In this example, the AX device is attached to the network in a “one-armed”
configuration. A single link connects the AX device to the network. The
link can be on a single Ethernet port or a trunk. This example uses a single Ethernet port.
The blue arrows show the traffic flow for client-server traffic; in this example, between clients and servers 10.10.10.3-4. Client request traffic for the virtual server IP address, 10.10.10.99, is routed to the AX device. However, server reply traffic does not pass back through the AX device.
Note: VIP redistribution is not supported for VIPs that are configured for Direct Server Return (DSR).
DSR Health Checking
Layer 3 and Layer 4-7 health checks are supported in DSR configurations.
The target of the Layer 3 health checks can be the real IP addresses of the servers, or the virtual IP address, depending on your preference.
• To send the Layer 3 health checks to the real server IP addresses, you can use the default Layer 3 health method (ICMP).
• To send the Layer 3 health checks to the virtual IP address instead:
  • Configure an ICMP health method with the transparent option enabled, and with the alias address set to the virtual IP address.
  • Globally enable DSR health checking.
Layer 4-7 health checks are sent to the same IP address as the Layer 3 health checks, and then addressed to the specific protocol port. You can use the default TCP and UDP health monitors or configure new health monitors.
This example uses the default TCP health monitor.
Requirements
This configuration has certain requirements:
• Requirements on the AX device:
  • The AX device, virtual server, and the real servers all must be in the same subnet.
  • The virtual server IP address must be configured as a loopback interface on each real server. (This is performed on the real server itself, not as part of the real server’s configuration on the AX device.)
  • DSR must be enabled on the virtual service ports. (Enabling DSR is equivalent to disabling destination NAT.)
Note: In the current release, for IPv4 VIPs, DSR is supported on virtual port types (service types) TCP, UDP, FTP, and RTSP. For IPv6 VIPs, DSR is supported on virtual port types TCP, UDP, and RTSP.
• Requirements on the real server:
  • A loopback interface must be configured with the virtual server IP address.
  • ARP replies from the loopback interfaces must be disabled. (This applies to the loopback interfaces that have the virtual server IP address.)
Configuration Example
This section shows how to implement the configuration shown in Figure 27.
USING THE GUI
Note: This example does not include configuration of the real servers, or configuration of the virtual server other than the steps for enabling DSR.
Specify the AX device’s IP address and default gateway
1. Select Config > Network > Interface.
2. On the menu bar, select Transparent.
3. Enter the IP address, network mask or prefix length, and default gateway address. (In this example, use the IPv4 section and enter 10.10.10.2, 255.255.255.0, and 10.10.10.1.)
4. Click OK.
Enable Ethernet interface(s)
1. Select Config > Network > Interface.
2. On the menu bar, select LAN.
3. Click on the checkbox next to the interface number to enable (for example, “e3”).
4. Click Enable. The icon in the Status column changes to a green checkmark to indicate that the interface is enabled.
Enable DSR on virtual ports
1. Select Config > Service > Server > Virtual Server.
2. Select the virtual server or click Add to create a new one.
4. In the Virtual Server Port section, select Enabled next to Direct Server Return. Configure other settings if needed. (The other settings are not specific to DSR and depend on the application.)
5. Click OK. The virtual port list for the virtual server reappears.
6. Click OK again. The virtual server list reappears.
USING THE CLI
The following commands configure the global IP address and default gateway:
AX(config)#ip address 10.10.10.2 /24
AX(config)#ip default-gateway 10.10.10.1
The following commands enable the Ethernet interface connected to the clients and server:
AX(config)#interface ethernet 3
AX(config-if:ethernet3)#enable
AX(config-if:ethernet3)#exit
The following commands add the SLB configuration. (For more information about SLB commands, see the SLB configuration chapters in this guide. Also see the AX Series CLI Reference.)
Commands to configure the real servers
AX(config)#slb server rs1 10.10.10.3
Commands to configure the service group
AX(config)#slb service-group sg-web tcp
AX(config-slb service group)#member rs1:80
AX(config-slb service group)#member rs2:80
AX(config-slb service group)#exit
Commands to configure the virtual server
AX(config)#slb virtual-server vip1 10.10.10.99
AX(config-slb virtual server)#port 80 tcp
AX(config-slb virtual server-slb virtua...)#service-group sg-web
AX(config-slb virtual server-slb virtua...)#no-dest-nat
CONFIGURATION ON THE REAL SERVERS
For DSR to work, a loopback interface with the IP address of the virtual server must be configured on each real server, and ARP replies from the loopback address must be disabled.
Here is an example for a Unix/Linux server:
ifconfig lo:0 10.10.10.99 netmask 255.255.255.255 -arp up
echo 1 > /proc/sys/net/ipv4/conf/all/arp_ignore
echo 1 > /proc/sys/net/ipv4/conf/eth0/arp_ignore
echo 2 > /proc/sys/net/ipv4/conf/all/arp_announce
echo 2 > /proc/sys/net/ipv4/conf/eth0/arp_announce
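The real-server requirements above (virtual server IP address on a loopback, ARP replies suppressed) can be verified with a short audit script. This is an added example, not part of the original guide; the function names, the eth0 interface name and the sample data are assumptions constructed for illustration.

```sh
#!/bin/sh
# Added example: audit a Linux real server for the DSR prerequisites above.
# Function names and the sample tree are illustrative, not from the guide.

# read_sysctl ROOT SCOPE KEY: print ROOT/sys/net/ipv4/conf/SCOPE/KEY or "missing"
read_sysctl() {
    f="$1/sys/net/ipv4/conf/$2/$3"
    if [ -r "$f" ]; then tr -d ' \n' < "$f"; else printf 'missing'; fi
}

# vip_on_loopback VIP LISTING: succeed if LISTING (output of
# "ip -o -4 addr show dev lo") carries VIP as a /32 host address
vip_on_loopback() {
    printf '%s\n' "$2" | grep -Fq "inet $1/32 "
}

# audit_dsr ROOT IFACE VIP LISTING: print one line per failed check and
# return the number of failures (0 = ready for DSR)
audit_dsr() {
    root=$1 ifc=$2 vip=$3 addrs=$4 fails=0
    for scope in all "$ifc"; do
        v=$(read_sysctl "$root" "$scope" arp_ignore)
        [ "$v" = 1 ] || { echo "FAIL arp_ignore[$scope]=$v, want 1"; fails=$((fails + 1)); }
        v=$(read_sysctl "$root" "$scope" arp_announce)
        [ "$v" = 2 ] || { echo "FAIL arp_announce[$scope]=$v, want 2"; fails=$((fails + 1)); }
    done
    vip_on_loopback "$vip" "$addrs" || { echo "FAIL $vip/32 not on lo"; fails=$((fails + 1)); }
    return "$fails"
}

# make_sample ROOT IGNORE ANNOUNCE: build a constructed /proc-like tree
make_sample() {
    for scope in all eth0; do
        mkdir -p "$1/sys/net/ipv4/conf/$scope"
        echo "$2" > "$1/sys/net/ipv4/conf/$scope/arp_ignore"
        echo "$3" > "$1/sys/net/ipv4/conf/$scope/arp_announce"
    done
}

# Constructed sample: VIP present on lo:0, but arp_announce left at 0.
SAMPLE_ADDRS='1: lo    inet 127.0.0.1/8 scope host lo
1: lo    inet 10.10.10.99/32 scope global lo:0'
demo_root=$(mktemp -d)
make_sample "$demo_root" 1 0
audit_dsr "$demo_root" eth0 10.10.10.99 "$SAMPLE_ADDRS" || echo "$? check(s) failed"
rm -rf "$demo_root"
# On a live server: audit_dsr /proc eth0 10.10.10.99 "$(ip -o -4 addr show dev lo)"
```

A real server that fails any of these checks may answer ARP requests for 10.10.10.99 itself, so client traffic for the virtual server can bypass the AX device.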