Global Settings for L4xNAT Farm Profile
The L4xNAT farm profile creates an LSLB farm at layer 4. It delivers very high performance and far more concurrent connections than the layer 7 load balancer cores such as the HTTP farm profile. The price of that layer 4 performance is the advanced content handling that the layer 7 farm profile can perform.
Additionally, the L4xNAT farm profile can bind a range of ports, not only the single virtual port used by the layer 7 farm profiles. To select a range of virtual ports or a specific virtual port in an L4xNAT farm profile, a protocol type must be selected; otherwise the farm listens on all ports of the virtual IP (set with the character ‘*‘). Once the TCP or UDP protocol is selected, you can specify a single port, several ports separated by ‘,‘, a port range with ‘:‘, or all ports with ‘*‘. Any combination of these is valid as well.
The options specific to configuring an L4xNAT farm profile are detailed in this section. Using Farm Guardian with this profile is recommended, because this profile performs no default health check on the backends.
Name. This is the identification field and description for the farm service. To change this value you must first stop the farm. Ensure that the new farm name is not already in use, or an error message will appear.
Virtual IP and PORT. These are the virtual IP address and/or virtual PORT to which the farm is bound and on which it listens in the load balancer system. Before changing these fields, ensure that the new virtual IP and virtual PORT are not in use. The farm service restarts automatically to apply the changes.
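The port syntax described above (single port, ‘,‘ lists, ‘:‘ ranges, ‘*‘ for all ports, only selectable once a protocol type is set) and the "not already in use" check for the virtual IP and PORT are both easy to get wrong by hand. The following is an added example, not Zevenet code: a parser that expands a port specification into the set of ports the farm would bind, and a conflict check that tells you whether a new farm would collide with an existing binding on the same virtual IP. The default ports for SIP, FTP and TFTP come from this page; the rule that TCP and UDP bindings on the same port do not collide, and the fallback to ‘*‘ for a blank TCP/UDP spec, are assumptions of this example.

```python
"""Virtual port specification parser and bind-conflict check for an L4xNAT farm
(added example, not Zevenet code)."""
from typing import FrozenSet, List, Optional, Tuple

# Transport each protocol type rides on, and the default ports the docs state.
TRANSPORT = {"ALL": "ALL", "TCP": "TCP", "UDP": "UDP",
             "FTP": "TCP", "SIP": "UDP", "TFTP": "UDP"}
DEFAULT_PORT = {"SIP": 5060, "FTP": 21, "TFTP": 69}

# (virtual ip, transport, ports); ports=None means '*' (every port).
Binding = Tuple[str, str, Optional[FrozenSet[int]]]


def parse_port_spec(spec: str, protocol: str) -> Optional[FrozenSet[int]]:
    """Expand specs such as '80,443,8000:8010'; None means the farm binds every port.

    Without a TCP/UDP based protocol type only '*' (or blank) is accepted,
    because the farm then listens on all ports of the virtual IP.
    """
    proto = protocol.upper()
    if proto not in TRANSPORT:
        raise ValueError(f"unknown protocol type {protocol!r}")
    items = [i.strip() for i in spec.split(",")] if spec.strip() else []
    if proto == "ALL":
        if items and items != ["*"]:
            raise ValueError("select a TCP or UDP protocol type before choosing ports")
        return None
    if not items:
        # Assumption: SIP/FTP/TFTP fall back to their default port, TCP/UDP to '*'.
        return frozenset({DEFAULT_PORT[proto]}) if proto in DEFAULT_PORT else None
    if "*" in items:
        return None
    ports = set()
    for item in items:
        lo_s, _, hi_s = item.partition(":")      # 'lo:hi' range or a single port
        lo = int(lo_s)
        hi = int(hi_s) if hi_s else lo
        if not (1 <= lo <= hi <= 65535):
            raise ValueError(f"invalid port entry {item!r}")
        ports.update(range(lo, hi + 1))
    return frozenset(ports)


def is_valid_spec(spec: str, protocol: str) -> bool:
    """True when the spec parses for the given protocol type."""
    try:
        parse_port_spec(spec, protocol)
        return True
    except ValueError:
        return False


def farm_binding(vip: str, protocol: str, spec: str) -> Binding:
    """Build the (vip, transport, ports) triple a farm would occupy."""
    return (vip, TRANSPORT[protocol.upper()], parse_port_spec(spec, protocol))


def bind_conflict(new: Binding, existing: List[Binding]) -> Optional[Binding]:
    """Return the existing binding the new one collides with, else None.

    Same VIP and same transport (or either side bound to ALL) with overlapping
    ports is a collision; '*' overlaps everything on that VIP/transport.
    """
    vip, transport, ports = new
    for other in existing:
        o_vip, o_transport, o_ports = other
        if o_vip != vip:
            continue
        if transport != o_transport and "ALL" not in (transport, o_transport):
            continue  # assumption: TCP and UDP on the same port do not collide
        if ports is None or o_ports is None or ports & o_ports:
            return other
    return None


if __name__ == "__main__":
    # Constructed sample: one existing TCP farm, then a candidate that overlaps it.
    current = [farm_binding("192.0.2.10", "TCP", "80,443")]
    print(bind_conflict(farm_binding("192.0.2.10", "TCP", "443,8000:8010"), current))
```

Run the conflict check against every farm already configured on the same virtual IP before saving a new one; a non-None result is the binding that would have to be changed first.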
Protocol Type. This field specifies the protocol to be balanced at layer 4. By default, the farm will be available for all layer 4 protocols.
- ALL. The farm will be listening for incoming connections to the current virtual IP and port(s) over all protocols.
- TCP. With this option, the farm listens for incoming TCP connections to the current virtual IP and port(s).
- UDP. With this option, the farm listens for incoming UDP connections to the current virtual IP and port(s).
- SIP. With this option, the farm listens for incoming UDP connections to the current virtual IP and port 5060 by default, and parses the SIP headers of each packet so that it is delivered correctly to the backends.
- FTP. With this option, the farm listens for incoming TCP connections to the current virtual IP and port 21 by default, and parses the FTP headers of each packet so that it is delivered correctly to the backends. Two modes are supported: active and passive.
- TFTP. With this option, the farm listens for incoming UDP connections to the current virtual IP and port 69 by default, and parses the TFTP headers of each packet so that it is delivered correctly to the backends.
NAT Type. This field indicates the NAT type, that is, how the layer 4 topology will operate. Which option best fits your service and infrastructure depends on the network architecture defined. By default, the farm operates in NAT mode.
- NAT. The NAT mode, commonly called SNAT (source NAT), uses the load balancer IP as the source IP address of the backend connection, so the backend does not know the client IP address at the TCP, UDP or any other layer 4 protocol level. The backend therefore replies to the load balancer, which sends the response back to the client. This topology permits a one-armed load balancer (load balancing with just 1 network interface).
- DNAT. The DNAT (Destination NAT) mode uses the client IP address as the source IP address of the backend connection, so the backend replies directly to the client IP. In this case, the load balancer IP must be configured as the backend default gateway, and the backend network must be isolated from the client service network. This topology provides transparency between clients and backends.
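The difference between the two NAT types is what the backend sees in the packet and which way its reply goes. The following added illustration (not Zevenet code) rewrites a client-to-VIP packet the way each mode presents it to the backend, and checks the DNAT return-path requirement stated above: the reply only comes back through the load balancer when the load balancer IP is the backend's default gateway. All addresses are constructed sample values; keeping the client's source port in NAT mode is a simplification of this example, since a real SNAT allocates its own.

```python
"""Address rewriting seen by the backend in NAT (SNAT) versus DNAT mode
(added illustration, not Zevenet code)."""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


def to_backend(mode: str, pkt: Packet, lb_ip: str,
               backend_ip: str, backend_port: int) -> Packet:
    """Rewrite a client->VIP packet as the backend will receive it."""
    if mode == "nat":
        # SNAT: destination becomes the backend, source becomes the load
        # balancer, so the backend never sees the client IP at layer 4.
        # (Source port kept as-is for simplicity; a real SNAT picks its own.)
        return Packet(lb_ip, pkt.src_port, backend_ip, backend_port)
    if mode == "dnat":
        # DNAT: only the destination changes; the backend sees the client IP.
        return replace(pkt, dst_ip=backend_ip, dst_port=backend_port)
    raise ValueError(f"unknown NAT type {mode!r}")


def reply_reaches_client(mode: str, backend_gateway: str, lb_ip: str) -> bool:
    """NAT mode: the backend answers the load balancer directly.
    DNAT mode: the backend answers the client, so the reply only passes back
    through the load balancer (to be un-NATed) if the load balancer is the
    backend's default gateway; otherwise the flow breaks."""
    return mode == "nat" or backend_gateway == lb_ip


if __name__ == "__main__":
    # Constructed sample flow: client -> VIP:80, backend on 10.0.0.21:8080.
    client_pkt = Packet("203.0.113.7", 51234, "198.51.100.10", 80)
    for mode in ("nat", "dnat"):
        seen = to_backend(mode, client_pkt, "10.0.0.1", "10.0.0.21", 8080)
        ok = reply_reaches_client(mode, backend_gateway="10.0.0.254", lb_ip="10.0.0.1")
        print(mode, seen, "reply ok" if ok else "reply bypasses the LB")
```

The practical consequence: in NAT mode the backend's own logs and access controls only ever see the load balancer IP, while in DNAT mode they see the real client but the backend's routing must send everything back through the load balancer.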
Services for L4xNAT Farm Profile
The service created at layer 4 provides the following options for managing the data path and connection behaviour.
Load Balance Algorithm. This field specifies the load balancing algorithm used to choose the backend server. By default, the weight algorithm is selected.
- Weight: linear connection dispatching by weight. Connections are balanced according to the weight value assigned to each backend; requests are delivered by a probabilistic algorithm driven by the defined weights.
- Priority: connections always go to the highest priority available server. All connections are balanced to the same highest priority server; if that server is down, connections switch to the next highest priority server. With this algorithm you can build an active-passive cluster service with the real servers.
- Least Connections: connections always go to the server with the fewest connections. It selects the backend with the least number of active connections, so that the load of active requests is balanced towards the real server with the most free capacity.
The Persistence options are the following.
Persistence Mode. This field determines if any persistence is used in the configured farm. By default, no persistence is used.
- No persistence. The farm will not use any kind of persistence between the client and the backend.
- IP persistence. With this option, the farm assigns the same backend to every connection from a given client source IP address.
Persistence Session Time to Live. If persistence is selected, this field gives the number of seconds for which the persistence between the client source and the backend remains assigned.
Regarding the Farm Guardian section, L4xNAT does not provide an intrinsic health check of the backends, so Farm Guardian configuration is required for the L4xNAT farm profile.
For further information, go to the Farm Guardian section.
To apply all these changes, click the green Update button; a confirmation message will appear in the bottom left corner of the browser.
Regarding the Backends section, the L4xNAT farm profile allows the following real server properties to be configured:
ID. It’s the index that references the backend in the farm configuration.
IP. The IP address of the given backend.
PORT. The port value for the current real server. If left blank or set to ‘*’, connections are redirected to the same port on which they were received.
MAX. CONNS. The maximum number of flows or established connections to a given backend. Once the limit of clients connected to a backend has been reached, further connections to it are refused and the client must reconnect to another suitable backend. The default value is 0, unlimited.
WEIGHT. The weight value for the current real server, which is only used when the Weight algorithm is enabled. A higher weight value means more connections delivered to the current backend. By default a weight value of 1 is set. The available values range from 1 to 9.
PRIORITY. The priority value for the current real server, which is only used when the Priority algorithm is enabled. The accepted priority value is between 0 and 9; a lower value indicates higher priority for the current real server. By default a priority value of 1 is set. The available values range from 1 to 9.
ACTION. The available actions per backend are:
- Add Backend. Add a new real server into the farm.
- Save. Save the new real server entry in the given farm and start using it.
- Cancel. Cancel the new real server entry.
- Enable Maintenance. Put a given real server into maintenance mode, so that no new connections are redirected to it. There are two different methods of enabling maintenance:
- Drain Mode. Keeps established connections, and persistence if enabled, but does not admit new connections.
- Cut Mode. Directly drops all active connections to the backend.
- Start. Enable new connections to the real server again after the enabled maintenance.
- Delete. Delete the given real server of the virtual service.
- Edit. Modify a certain value of the real server.
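The scheduling, persistence and backend rules described in this section (Weight, Priority and Least Connections selection; IP persistence with a session TTL; MAX. CONNS; Drain and Cut maintenance) fit together in one selection routine. The following is an added example, not Zevenet code, that models a service with a few constructed backends and shows which backend each new flow lands on. It assumes that a persisted client keeps its backend while the session is within the TTL, the backend is up or draining, and the backend is below its MAX. CONNS limit; all other behaviour follows the text above. Weight selection is randomised, so the example takes a seedable random generator.

```python
"""Backend selection for one L4xNAT service (added example, not Zevenet code):
weight / priority / least-connections scheduling, MAX. CONNS limits,
drain and cut maintenance, and IP persistence with a session TTL."""
import random
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Backend:
    id: int
    ip: str
    weight: int = 1          # 1..9; only used by the weight algorithm
    priority: int = 1        # lower value = higher priority (priority algorithm)
    max_conns: int = 0       # MAX. CONNS; 0 means unlimited
    status: str = "up"       # "up", "drain" or "cut"
    active_conns: int = 0

    def under_limit(self) -> bool:
        return self.max_conns == 0 or self.active_conns < self.max_conns

    def accepts_new(self) -> bool:
        """New flows go only to backends that are up and below MAX. CONNS."""
        return self.status == "up" and self.under_limit()


@dataclass
class Service:
    backends: List[Backend]
    algorithm: str = "weight"        # "weight", "priority" or "leastconn"
    persistence: str = "none"        # "none" or "ip"
    ttl: int = 0                     # persistence session TTL in seconds
    rng: random.Random = field(default_factory=random.Random)
    # client ip -> (backend id, last seen); only used with IP persistence
    sessions: Dict[str, Tuple[int, float]] = field(default_factory=dict)

    def by_id(self, bid: int) -> Optional[Backend]:
        return next((b for b in self.backends if b.id == bid), None)

    def pick(self, client_ip: str, now: float) -> Optional[Backend]:
        """Choose the backend for a new flow from client_ip at time `now`."""
        if self.persistence == "ip" and client_ip in self.sessions:
            bid, last_seen = self.sessions[client_ip]
            b = self.by_id(bid)
            # Assumption: reuse the persisted backend while the session is within
            # the TTL, the backend is up or draining, and it is under its limit.
            if (b is not None and now - last_seen <= self.ttl
                    and b.status in ("up", "drain") and b.under_limit()):
                return self._assign(b, client_ip, now)
            del self.sessions[client_ip]            # expired, cut or full
        cands = [b for b in self.backends if b.accepts_new()]
        if not cands:
            return None                             # everything full or in maintenance
        if self.algorithm == "weight":
            chosen = self.rng.choices(cands, weights=[b.weight for b in cands])[0]
        elif self.algorithm == "priority":
            chosen = min(cands, key=lambda b: b.priority)       # lowest value wins
        elif self.algorithm == "leastconn":
            chosen = min(cands, key=lambda b: b.active_conns)
        else:
            raise ValueError(f"unknown algorithm {self.algorithm!r}")
        return self._assign(chosen, client_ip, now)

    def _assign(self, b: Backend, client_ip: str, now: float) -> Backend:
        b.active_conns += 1
        if self.persistence == "ip":
            self.sessions[client_ip] = (b.id, now)
        return b

    def set_maintenance(self, bid: int, mode: str) -> None:
        """drain: keep established flows and persistence, refuse new flows.
        cut: drop active flows and forget persistence entries for the backend."""
        b = self.by_id(bid)
        if mode == "cut":
            b.active_conns = 0
            self.sessions = {c: s for c, s in self.sessions.items() if s[0] != bid}
        b.status = mode

    def start(self, bid: int) -> None:
        """Take the backend out of maintenance so it accepts new flows again."""
        self.by_id(bid).status = "up"


if __name__ == "__main__":
    # Constructed sample: two backends, priority scheduling, IP persistence of 60 s.
    svc = Service([Backend(0, "10.0.0.21"), Backend(1, "10.0.0.22", priority=2)],
                  algorithm="priority", persistence="ip", ttl=60)
    print("first flow  ->", svc.pick("203.0.113.5", now=0.0).ip)
    svc.set_maintenance(0, "drain")
    print("same client ->", svc.pick("203.0.113.5", now=10.0).ip)   # drain keeps it
    print("new client  ->", svc.pick("203.0.113.6", now=10.0).ip)   # goes to backend 1
```

The `sessions` table is what the Persistence Session Time to Live controls: an entry is refreshed on every flow and dropped once `now - last_seen` exceeds the TTL, which is also why Cut mode has to purge entries explicitly while Drain mode can leave them in place.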
IPDS Rules for L4xNAT farms
This section lets you enable IPDS rules. The list shows the different types of protection and a select box to enable them. For further information, please go to the IPDS >> Black List, IPDS >> DoS or IPDS >> RBL specific documentation.
For each of the three types of IPDS rules (Blacklist, DoS and RBL) there is a summary table showing the following fields:
- RULE NAME. Name of your rule.
- STATUS. Shows whether the rule is active (up) or not (stopped).
- ACTIONS. This button lets you interact with your rules. The possible actions are explained below.
The available Actions to be applied by the IPDS rules to the farm are:
- Add rule. Create and assign a new rule to the farm.
- Unset. Unassign the IPDS rule from the farm.
- Enable Rules. Activate the selected IPDS rules for the given farm.
- Disable Rules. Deactivate the selected IPDS rules for the given farm.
Once you add a new IPDS rule, select the rule you would like to apply from the list. Please have a look at the next picture:
After selecting the rule to be applied, you will see a screen like the next one, where the new rule appears associated with the farm. Initially the rule Status is Down. To activate the rule, press the green play icon in the Actions column; a message confirming that the rule is activated will appear.
Next step: use Farm Guardian for advanced health check configuration.