Topic
You should consider using this procedure under the following conditions:
You want to use Layer 3 (L3) nPath load balancing (also known as Direct Server Return or Asymmetric Routing).
You want to monitor the origin web servers from the BIG-IP system.
You have L3 client requests that need to be load balanced on the BIG-IP system, with server responses returning directly to the client.
Note: The recommendations included in this article are only valid for BIG-IP 11.1.0. Beginning in BIG-IP 11.2.0, the way you create network tunnels changed. To locate the options for creating network tunnels in BIG-IP 11.2.0 and later, access the Configuration utility and then navigate to Network > Tunnels.
Description
L3 nPath routing enables traffic to be load balanced over a routed topology. In this deployment, the server sends its responses directly back to the client instead of to the BIG-IP system, even when the servers and any intermediate routers are on different networks. This load balancing method uses IP encapsulation to create a unidirectional outbound tunnel from the server pool to the server. The origin web server decapsulates the packet to recover the original client IP information, which is then used to route the return traffic directly to the client.
The available encapsulation protocols are GRE and IPIP. The protocol you choose for building the encapsulation tunnel may depend on the requirements of your environment.
GRE supports unicast and multicast traffic, IPv4, and IPv6.
IPIP supports unicast traffic and IPv4.
Prerequisites
You must meet the following prerequisites to use this procedure:
You have a properly configured network path from the origin web servers to clients that does not traverse the BIG-IP system.
You have a system user account with Traffic Management Shell (tmsh) utility access; you cannot perform certain steps in the process from the Configuration utility.
You are conversant in the following configurations for the operating system of your origin web servers:
IPIP and GRE tunnel configuration
Loopback interface configuration
Web services configuration
Procedures
To use this topology, perform the following procedures and create the following objects:
Configuring BIG-IP
Enabling the monitor encapsulation variable
Creating a load balancing pool with an encapsulation profile
Creating a transparent monitor
Creating a FastL4 profile
Creating a virtual server
Configuring an origin web server
Configuring a loopback IP address
Configuring an encapsulation tunnel
Configuring the web service
Enable the monitor encapsulation variable
To monitor the pool member over an encapsulated tunnel, enable the tm.monitorencap variable by performing the following procedure:
Impact of procedure: Performing the following procedure should not have a negative impact on your system.
Log in to the tmsh utility by entering the following command:
tmsh
Note: For the remainder of this article, you must be logged in to the tmsh utility. Subsequent procedures in this article assume you are logged in to the tmsh utility from this step onward.
Enable the tm.monitorencap variable by entering the following command:
modify sys db tm.monitorencap value enable
Create a load balancing pool
Create a load balancing pool that references the desired encapsulation profile and the origin web servers as pool members.
Impact of procedure: Performing the following procedure should not have a negative impact on your system.
To perform this procedure, enter the following command syntax:
create ltm pool <pool name> profiles add { <encapsulation profile> } members add { <server IP address>:any }
Use the following examples to help you perform this procedure:
To create a pool named ipip_pool, referencing an IPIP profile, and using the server 10.104.5.1 as the pool member, you enter a command similar to the following example:
create ltm pool ipip_pool profiles add { ipip } members add { 10.104.5.1:any }
Note: The pool member is the physical IP address of the server that is hosting the virtual IP that must be load balanced.
To create a pool that includes multiple pool members, you enter a command similar to the following example:
create ltm pool ipip.pool profiles add { ipip } members add { 10.104.5.1:any 10.104.5.2:any 10.104.5.3:any }
Create a transparent monitor
You use a transparent monitor to monitor the virtual IP and service hosted on the loopback interface of the physical origin web server. You create the loopback server later in this article.
Impact of procedure: Performing the following procedure should not have a negative impact on your system.
Use the following command syntax to perform this operation:
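create ltm monitor <monitor type> <monitor name> defaults-from <parent monitor> destination <IP address>:<port> send <send string> recv <receive string> transparent enabled interval <seconds> timeout <seconds>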
For example, to create a monitor named ipip.mon to monitor the service at 10.200.1.100:80, you enter the following command:
create ltm monitor tcp ipip.mon defaults-from tcp destination 10.200.1.100:80 send 'GET / HTTP/1.1\r\nHost: \r\nConnection: Close\r\n' recv 'It works!' transparent enabled interval 5 timeout 16
Notes:
This example monitor expects a receive string that contains the following example value in the HTTP response from the virtual service: "It works!" You must change this value to match a valid string appropriate to your environment. For more information about send and receive strings, and monitor timeout values, refer to the Supplemental Information section of this article.
The destination is the IP address and port for the virtual server that resides on the loopback of the origin web server: <IP address>:<port>.
Create a FastL4 profile
Create a FastL4 profile to disable hardware acceleration for the virtual server.
Impact of procedure: Performing the following procedure should not have a negative impact on your system.
Create the FastL4 profile by using the following command syntax:
create ltm profile fastl4 <profile name> pva-acceleration none
For example, to create a profile named ipip.fastl4, you enter the following command:
create ltm profile fastl4 ipip.fastl4 pva-acceleration none
Create a virtual server
Create a virtual server to answer client requests and forward the requests to the pool members.
Impact of procedure: Performing the following procedure should not have a negative impact on your system.
Create the virtual server using the following command syntax:
create ltm virtual <virtual server name> destination <IP address>:any pool <pool name> profiles add { <FastL4 profile name> } translate-address disabled ip-protocol <protocol>
For example, to create a virtual server with the name ipip.vip and the address 10.200.1.100:any, which references the load balancing pool and FastL4 profile created in the previous steps, you enter the following command:
create ltm virtual ipip.vip destination 10.200.1.100:any pool ipip.pool profiles add { ipip.fastl4 } translate-address disabled ip-protocol tcp
Note: The destination IP address of the virtual server must be the same as that of the virtual service hosted on the loopback interface of the origin web server.
After you complete all the steps on the BIG-IP system, save the configuration by entering the following command:
tmsh save sys config
Configure a loopback IP
Configure the origin web server with an IP address on the loopback interface that matches the destination IP address on the BIG-IP virtual server and the one in the BIG-IP transparent monitor.
Impact of procedure: Performing the following procedure should not have a negative impact on your system.
Note: The following command examples are for a web server running a generic GNU/Linux operating system. They are provided for guidance only. For more information about configuring your specific operating system, refer to your documentation.
To assign the IP address 10.200.1.100 to the loopback interface, use a command similar to the following example:
ip addr add 10.200.1.100 label lo:0 dev lo scope global
Note: Scope must be set to global to ensure this IP address is routable.
Configure an encapsulation tunnel
Configure the origin web server to listen for encapsulated packets destined for the loopback IP address.
Impact of procedure: Performing the following procedure should not have a negative impact on your system.
Note: The following command examples are for a web server running a generic GNU/Linux operating system. They are provided for guidance only. For more information about configuring your specific operating system, refer to your documentation.
To configure the origin web server for an IPIP tunnel, use a series of commands similar to the following example:
sysctl -w net.ipv4.conf.all.arp_ignore=3
sysctl -w net.ipv4.conf.all.arp_announce=2
modprobe ipip
ip link set tunl0 up
ip addr add 10.200.1.100 scope host dev tunl0
sysctl -w net.ipv4.conf.all.rp_filter=0
sysctl -w net.ipv4.conf.tunl0.rp_filter=0
To configure the origin web server for a GRE tunnel, use a series of commands similar to the following example:
sysctl -w net.ipv4.conf.all.arp_ignore=3
sysctl -w net.ipv4.conf.all.arp_announce=2
modprobe ipgre
ip link set gre0 up
ip addr add 10.200.1.100 scope host dev gre0
sysctl -w net.ipv4.conf.all.rp_filter=0
sysctl -w net.ipv4.conf.gre0.rp_filter=0
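An added check for the tunnel settings above (example code, not part of the original article): the function confirms the four sysctl values that the commands set, then lists any other interface left with reverse-path filtering off, because Linux applies the higher of the all and per-interface rp_filter values. The function name and the sample lines are constructed for illustration.

```shell
# Added example: audit an origin server's sysctl state for the tunnel setup.
# stdin: "key = value" lines as printed by `sysctl -a`; $1: tunnel device.
# Returns 0 when the four values set by the article's commands are present.
audit_npath_sysctls() {
    awk -v tun="$1" '
    BEGIN {
        want["net.ipv4.conf.all.arp_ignore"]    = 3
        want["net.ipv4.conf.all.arp_announce"]  = 2
        want["net.ipv4.conf.all.rp_filter"]     = 0
        want["net.ipv4.conf." tun ".rp_filter"] = 0
    }
    {
        line = $0
        gsub(/[ \t]/, "", line)            # accept "k = v" and "k=v"
        n = index(line, "=")
        if (n > 1) seen[substr(line, 1, n - 1)] = substr(line, n + 1)
    }
    END {
        bad = 0
        for (k in want) {
            if (!(k in seen)) { print "MISSING " k; bad = 1 }
            else if (seen[k] != (want[k] "")) { print "MISMATCH " k "=" seen[k]; bad = 1 }
        }
        # Linux validates sources with max(conf.all, conf.<if>), so once
        # all.rp_filter is 0 each interface falls back to its own value.
        all = seen["net.ipv4.conf.all.rp_filter"] + 0
        for (k in seen) {
            if (k !~ /^net\.ipv4\.conf\..+\.rp_filter$/) continue
            ifn = k
            sub(/^net\.ipv4\.conf\./, "", ifn); sub(/\.rp_filter$/, "", ifn)
            if (ifn == "all" || ifn == "default" || ifn == tun) continue
            eff = (seen[k] + 0 > all) ? seen[k] + 0 : all
            if (eff == 0) print "NOTE rp_filter off on " ifn
        }
        exit bad
    }'
}

# Constructed sample (not captured from a real host); live use would be:
#   sysctl -a 2>/dev/null | audit_npath_sysctls tunl0
sample='net.ipv4.conf.all.arp_ignore = 3
net.ipv4.conf.all.arp_announce = 2
net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.tunl0.rp_filter = 0
net.ipv4.conf.eth0.rp_filter = 1
net.ipv4.conf.eth1.rp_filter = 0'
printf '%s\n' "$sample" | audit_npath_sysctls tunl0
```

NOTE lines are informational and do not change the return status; they mark interfaces where you may want to set the per-interface rp_filter value back to 1.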
Configure the web service
Configure the web service running on the origin web server to listen on the IP address that you just configured on the loopback interface, in the previous steps of this article.
Impact of procedure: Performing the following procedure should not have a negative impact on your system.
To maintain consistency with the example configuration in this article, you create the web service at: 10.200.1.100:80.
For information about configuring the web service on the loopback interface of the origin web server, refer to your web server documentation.