L3 DSR can be used in conjunction with a full proxy deployment:

  • Tier 1: L3 DSR

  • Tier 2: Full-proxy (with SNAT)

  • Supported mode: IPinIP

  • Virtual service placement is supported in the front-end using BGP.

  • Supported load balancing algorithm: Only consistent hash is supported.

  • Deployment mode: When a Layer 7 virtual service is configured (the Tier-2 deployment mode, as shown below), auto gateway and traffic enabling should be disabled.

  • If the Service Engines are scaled out in the Tier-2 deployment mode, pool members are added manually once new Service Engines are added.

Packet Flow Diagram

The following diagram shows the packet flow for Layer 3 DSR:



Note:
  • An IP-in-IP tunnel is created from the load balancer to the pool members, which can be one or more router hops away.

  • The incoming packets from clients are encapsulated in IP-in-IP with source as the Service Engine’s interface IP address and destination as the back-end server IP address.
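
The encapsulation described in the note above, as an added example that is not part of the original documentation: the Python below builds an IP-in-IP packet with that outer addressing and applies a check a pool member or a capture review could use to confirm that tunnel traffic comes from a known Service Engine. All addresses are constructed documentation-range values, and the function names, the allowlist check, and the assumption that the inner destination is the VIP (per the loopback configuration on the servers) are illustrative assumptions.

```python
import ipaddress
import struct

IPPROTO_IPIP, IPPROTO_TCP = 4, 6  # IANA protocol numbers

def checksum(hdr):
    """RFC 1071 ones'-complement checksum over an IPv4 header."""
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def ipv4(src, dst, proto, payload):
    """Build an option-less IPv4 packet around payload."""
    def pack(csum):
        return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0,
                           64, proto, csum, ipaddress.IPv4Address(src).packed,
                           ipaddress.IPv4Address(dst).packed)
    return pack(checksum(pack(0))) + payload

def parse(pkt):
    """Return (src, dst, proto, payload); reject bad lengths or checksum."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack("!H", pkt[2:4])[0]
    if ihl < 20 or total_len < ihl or len(pkt) < total_len or checksum(pkt[:ihl]):
        raise ValueError("bad IPv4 header")
    src, dst = (str(ipaddress.IPv4Address(pkt[i:i + 4])) for i in (12, 16))
    return src, dst, pkt[9], pkt[ihl:total_len]

def check_dsr_packet(pkt, se_ips, server_ip, vip):
    """Classify a packet arriving at a pool member (hypothetical helper)."""
    o_src, o_dst, o_proto, inner = parse(pkt)
    if o_proto != IPPROTO_IPIP:
        return ("not-ipip", None)
    if o_src not in se_ips or o_dst != server_ip:
        return ("unexpected-outer", None)  # outer source is not a known SE
    i_src, i_dst, _, _ = parse(inner)
    if i_dst != vip:
        return ("unexpected-inner", None)  # inner destination is not the VIP
    return ("ok", i_src)                   # i_src is the real client address

# Constructed sample: SE 192.0.2.10, server 192.0.2.50, VIP 203.0.113.80.
SE_IPS, SERVER, VIP = {"192.0.2.10"}, "192.0.2.50", "203.0.113.80"
inner = ipv4("198.51.100.7", VIP, IPPROTO_TCP, b"\x00" * 20)  # TCP stub
good = ipv4("192.0.2.10", SERVER, IPPROTO_IPIP, inner)
stray = ipv4("192.0.2.99", SERVER, IPPROTO_IPIP, inner)
print(check_dsr_packet(good, SE_IPS, SERVER, VIP))
print(check_dsr_packet(stray, SE_IPS, SERVER, VIP))
```

IP-in-IP adds only an outer header, so the inner packet is carried in the clear and the outer source address is the only tunnel-level indication of which Service Engine sent it.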

Deployment Modes

Tier-1

  • Layer 4 virtual service is connected to application servers which terminate the connections. Pool members are the application servers.

  • Servers handle the IPinIP packets. The loopback interface is configured with the corresponding virtual service IP address. The service listening on this interface receives packets and responds to the client directly in the return path.

Tier-2

  • Layer 4 virtual service is connected to the corresponding Layer 7 virtual service (which has the same virtual service IP address as Layer 4 virtual service), which terminates the tunnel.

  • Layer 4 virtual service’s pool members will be Service Engines of the corresponding Layer 7 virtual services.

  • For the Layer 7 virtual service, traffic is disabled so that it does not perform ARP.

  • Auto gateway is disabled for Layer 7 virtual service.

  • Servers are Service Engines of corresponding Layer 7 virtual service.

Packet Flow

  • IPinIP packets reach one of the Service Engines of the Layer 7 virtual service. That SE decapsulates and handles the IPinIP packet and passes it to the corresponding Layer 7 virtual service. The virtual service sends it to the back-end servers.

  • Return packets from the backend servers are received at the virtual service, and the virtual service forwards the packet directly to the client.

  • The following diagram shows the packet flow for the Tier-2 deployment in the Layer 3 mode:



Creating a Virtual Service and Associating It with the Network Profile (for Tier-2 Deployment)

Navigate to Application > Virtual Services and click Create to add a new virtual service. Provide the following information:

  • Provide the desired name for the virtual service and IP address.

  • Select the network profile created in the previous step for Tier-2 deployment from the TCP/UDP Profile drop-down menu.

  • Select the pool created for the selected virtual service.



Note:

The option for Traffic Enabled should be unchecked for Tier-2 deployment.

Configuring Server

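# Load the IP-in-IP tunnel driver (this creates the tunl0 interface).
modprobe ipip

# Assign the server's interface IP (the address listed in the pool) to the tunnel interface.
ifconfig tunl0 <Interface ip of the server, same should be part of pool> netmask <mask> up

# Bind the VIP to a loopback alias with ARP disabled on it.
ifconfig lo:0 <VIP ip> netmask 255.255.255.255 -arp up
# arp_ignore=1: reply to ARP only if the target IP is configured on the receiving interface.
echo 1 > /proc/sys/net/ipv4/conf/all/arp_ignore
# arp_announce=2: always use the best local source address in ARP requests.
echo 2 > /proc/sys/net/ipv4/conf/all/arp_announce
# rp_filter=2: loose reverse-path filtering on the tunnel interface.
echo 2 > /proc/sys/net/ipv4/conf/tunl0/rp_filter

# Enable IPv4 forwarding.
sysctl -w net.ipv4.ip_forward=1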