[lvs-users] L3DSR like behavior using LVS
So, L3DSR is something that some companies with some larger
implementations use to get around certain shortcomings in large scale L2
networks.
http://www.slideshare.net/jschauma/l3dsr-overcoming-layer-2-limitations-of-direct-server-return-load-balancing

I'm curious if this has ever been explored using LVS+iptables (where
you'd actually have iptables set the DSCP outbound), or if you have found
the smarter way to handle this from an open source type level is an
LVS+HAProxy, or LVS+NGINX type setup.

Could probably throw some CARP in there too?

Anyway, mostly looking to see what folks in the open source community have
done along those lines.

Thanks


--
Jamie Dahl

"Thousands of tired, nerve-shaken, over-civilized people are beginning to
find out that going to the mountains is going home; that wilderness is a
necessity; and that mountain parks and reservations are useful not only as
fountains of timber and irrigating rivers, but as fountains of life."
--John Muir


_______________________________________________
Please read the documentation before posting - it's available at:
http://www.linuxvirtualserver.org/

LinuxVirtualServer.org mailing list - lvs-users@LinuxVirtualServer.org
Send requests to lvs-users-request@LinuxVirtualServer.org
or go to http://lists.graemef.net/mailman/listinfo/lvs-users
Re: [lvs-users] L3DSR like behavior using LVS
On 09.01.2014 02:18, "Jamie Dahl" <jamied@meatball.net> wrote:
>
> So, L3DSR is something that some companies with some larger
> implementations use to get around certain short comings in large scale L2
> networks..
> http://www.slideshare.net/jschauma/l3dsr-overcoming-layer-2-limitations-of-direct-server-return-load-balancing
>
> I'm curious if this has ever been explored using LVS+iptables, (where
> you'd actually have iptables set the DSCP outbound

I recently switched our LVS+Realserver setup to a very similar approach,
using DSCP marking between LVS (in NAT mode, though) and realservers to map
different external IP:443 connections to different internal
realserverip:PORTs (different internal ports on the realservers) to
separate different SSL target / certificate combinations.

On the LVS host, a single virtual server (fwmark based) switches to
realserver port 80 (destination IP+port NAT).

Up-front on the LVS host, iptables mangle/PREROUTING rules matching on
external IP+port select both the fwmark to steer the LVS virtual server
(we did that before), _and_ set a suitable DSCP value so that different SSL
certificate contexts use a different DSCP value.

On the realservers, apache listens on ports 443, 444, 445 etc. with
suitable SSL virtual host config for each port.

And also on the realservers, iptables nat/PREROUTING rules match on the
DSCP values and then use the REDIRECT target to distribute to these local
ports 443, 444, 445 etc.

The previous setup had multiple internal IPs on each realserver, one for
each different SSL context - now everything uses a single internal IP.
Also, the previous setup had a separate LVS virtual server (and fwmark
value) for each different SSL context, with separate health checks - now it
is a single virtual server with a single health check per realserver.

The setup works perfectly.

In any case, the LVS code itself does not care or mess with the DSCP values
you set with iptables, so you can use them orthogonally as suitable for
your setup goals.

One thing to watch for is to clear the DSCP field (set it to 0) up-front
on the LVS host, first thing in mangle/PREROUTING, so that stray connections
do not accidentally reach the realservers with external client-set DSCP
values.

best regards
Patrick
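The rule set Patrick describes, written out as an added example (this is not code from the thread and not a configuration either poster published). It generates the iptables/ipvsadm commands for both sides of the setup from one context table: on the LVS host a DSCP clear rule first, then per-VIP MARK and DSCP rules and a single fwmark-based NAT virtual server; on the realservers the DSCP-matched REDIRECT rules. All addresses, the fwmark value (10), the DSCP values (8/16/24) and the realserver ports are constructed assumptions. By default the commands are only printed; set APPLY=1 on a host where you really want them loaded.

```shell
#!/bin/sh
# Added example, not from the lvs-users thread. Generates the iptables/ipvsadm
# rules for the DSCP-based SSL-context selection described in the reply.
# Constructed values: VIPs 203.0.113.10-12, realservers 10.0.0.11/12,
# fwmark 10, DSCP 8/16/24, realserver SSL ports 443/444/445.

# context table: external VIP, DSCP value, realserver SSL port (constructed)
CONTEXTS="203.0.113.10 8 443
203.0.113.11 16 444
203.0.113.12 24 445"

FWMARK=10                      # fwmark of the single LVS virtual server
REALSERVERS="10.0.0.11 10.0.0.12"
RS_PORT=80                     # LVS NATs every VIP:443 to realserver:80

check_contexts() {
    # DSCP is a 6-bit field; 0 is reserved for the "cleared" value set up front
    echo "$CONTEXTS" | while read -r vip dscp port; do
        if [ "$dscp" -lt 1 ] || [ "$dscp" -gt 63 ]; then
            echo "invalid DSCP $dscp for $vip" >&2
            exit 1
        fi
    done || return 1
    # each SSL context needs its own DSCP value, or REDIRECT cannot tell them apart
    dups=$(echo "$CONTEXTS" | awk '{print $2}' | sort | uniq -d)
    [ -z "$dups" ] || { echo "duplicate DSCP value(s): $dups" >&2; return 1; }
}

lvs_host_rules() {
    # 1. clear any client-set DSCP before anything else in mangle/PREROUTING,
    #    so stray packets never reach a realserver carrying a selector value
    echo "iptables -t mangle -A PREROUTING -j DSCP --set-dscp 0"
    # 2. per external VIP:443: fwmark steers ipvs, DSCP selects the SSL context
    #    (MARK and DSCP are non-terminating targets, so both rules apply)
    echo "$CONTEXTS" | while read -r vip dscp port; do
        echo "iptables -t mangle -A PREROUTING -d $vip -p tcp --dport 443 -j MARK --set-mark $FWMARK"
        echo "iptables -t mangle -A PREROUTING -d $vip -p tcp --dport 443 -j DSCP --set-dscp $dscp"
    done
    # 3. one fwmark-based virtual server, NAT mode (-m), all contexts -> port 80
    echo "ipvsadm -A -f $FWMARK -s wlc"
    for rs in $REALSERVERS; do
        echo "ipvsadm -a -f $FWMARK -r $rs:$RS_PORT -m"
    done
}

realserver_rules() {
    # nat/PREROUTING on each realserver: DSCP value -> local SSL port
    echo "$CONTEXTS" | while read -r vip dscp port; do
        echo "iptables -t nat -A PREROUTING -p tcp --dport $RS_PORT -m dscp --dscp $dscp -j REDIRECT --to-ports $port"
    done
}

apply_rules() {
    # $1 = lvs | realserver; prints the commands unless APPLY=1 (needs root)
    case "$1" in
        lvs) cmds=$(lvs_host_rules) ;;
        realserver) cmds=$(realserver_rules) ;;
        *) echo "usage: apply_rules lvs|realserver" >&2; return 2 ;;
    esac
    check_contexts || return 1
    if [ "${APPLY:-0}" = 1 ]; then
        echo "$cmds" | sh -e
    else
        echo "$cmds"
    fi
}
```

Running `apply_rules lvs` or `apply_rules realserver` prints the rule set for review before anything is loaded. The scheme relies on the DSCP field surviving the hop from LVS to the realservers unchanged; if a switch or router in between rewrites DSCP for QoS, the REDIRECT rules will not match and every connection falls through to port 80.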