SlideShare une entreprise Scribd logo

L3DSR - Overcoming Layer 2 Limitations of Direct Server Return Load Balancing

Jan Schaumann
Jan Schaumann

A presentation given at NANOG 51 in Miami, January 2011. See https://github.com/yahoo/l3dsr for more details.

Technologie
1  sur  33
Télécharger pour lire hors ligne
L3DSR – Overcoming Layer 2 Limitations of Direct Server Return Load Balancing Jan Schaumann, Systems Architect <jschauma@yahoo-inc.com>! E2A7 437A 7AB8 6EA1 7E1D! F6DC BF09 CDC9 E157 FAB8!
Traditional or L2 DSR   "Direct Server Return" also known as: ›  "Direct Routing" ›  "SwitchBack" (Foundry/Brocade) ›  "nPath" (F5)   General packet flow: ›  clients send requests to a Virtual IP (VIP) served by the LoadBalancer ›  LB determines real server to forward the request to ›  LB performs MAC Address Translation (MAT) ›  server responds directly to client, bypassing the LB NANOG 51, Miami 2 January 30, 2011
Traditional or L2 DSR   Client to LB: ›  Source IP: 1.1.1.1 ›  Destination IP: 2.2.2.2 ›  Destination MAC: AAAA   LB to Server: ›  Source IP: 1.1.1.1 ›  Destination IP: 2.2.2.2 ›  Destination MAC: BBBB   Server to Client: ›  Source IP: 2.2.2.2 ›  Destination IP: 1.1.1.1 ›  Destination MAC: default gateway's MAC NANOG 51, Miami 3 January 30, 2011
Traditional or L2 DSR   Layers are independent (L2 does not care about L3 information)   LB and server both have VIP configured   server must not answer ARP for VIP   service must bind to VIP ›  service may also have to bind to real IP for health checking   LB and server need to be on the same L2 network segment NANOG 51, Miami 4 January 30, 2011
Advantages of L2 DSR   Clients' source addresses are preserved ›  Yahoo! is very interested in knowing the source address of any incoming requests ›  SNAT loses the clients' addresses   Performance ›  LB only handles inbound packets ›  typical inbound traffic is much smaller than outbound traffic (about 1:8 for typical Yahoo! traffic) ›  normal DSR LBs at Y! can have hundreds of VIPs across hundreds of real servers, handling multiple Gbps of inbound traffic (tens of Gbps of outbound traffic) ›  SNAT forces all traffic through the LB NANOG 51, Miami 5 January 30, 2011
Limitations of L2 DSR   server cannot directly respond to ARP requests for VIP ›  configuration of loopback aliases (or alias on interface marked as "down")   health checking requires additional configuration ›  service on VIP on loopback alias ›  service on VIP for health check (some models)   Port translation not possible ›  port selection is protocol dependent, so does not happen on Layer 2   LB and all servers need to be on the same L2 network segment ›  physical location of servers behind VIP restricted ›  flexibility within datacenter limited NANOG 51, Miami 6 January 30, 2011
What's "wrong" with L2 anyway?   instability on very large (10K+ hosts) networks   STP designs require an active/backup design for rack uplinks – we wanted active/active for any single rack switch   if we require multiple L2 domains (for stability), hosts in different L2 domains cannot participate in the same VIP ›  physical location of servers behind VIP restricted ›  flexibility within datacenter limited NANOG 51, Miami 7 January 30, 2011
How do we get from L2 to L3?   Server needs to know ›  client source address ›  VIP address for which the request was made   LB needs to ›  tell the server behind the VIP the source address of the client ›  send request to an IP different from the VIP ›  tell the server the original destination address (ie the VIP to serve) NANOG 51, Miami 8 January 30, 2011
A simple matter of communication...   Where can we put extra information?   Options considered: ›  Generic Routing Encapsulation (GRE) ›  IP-in-IP tunnelling (RFC1853)   Main Issues: Path MTU Discovery ›  IP/IP and GRE add 24 bytes overhead ›  largest packet in tunnel would be 1476 bytes => PMTUD issues from client to LB ›  changing server side MTU to 1524 impacts all traffic on that host, may cause PMTUD issues from server to client NANOG 51, Miami 9 January 30, 2011
A simple matter of communication...   Where can we put extra information?   Options considered: ›  Generic Routing Encapsulation (GRE) ›  IP-in-IP tunnelling (RFC1853) NANOG 51, Miami 10 January 30, 2011
Something-something of Service   TOS, QoS, COS – none used in Yahoo!'s environment => we have 6 completely unused bits   we don't have to send the full address ›  server just needs to derive the full address from the information we relay   map these bits to VIPs: ›  "DSCP 010001 means original destination address was 1.1.1.2" ›  010001 => 1.1.1.2 ›  ...   let's reserve a few just in case...   use of bits 010XXX – 101XXX yields 40 values (per LB) NANOG 51, Miami 11 January 30, 2011
L3DSR Packet Flow   LB and servers need to agree on DSCP <=> VIP mapping   LB sets DSCP bit according to known mapping   LB changes destination address to the server's (real) IP, keeps client's source address   Server checks DSCP bit   Server rewrites destination address according to known mapping to appropriate VIP   VIP configured on loopback alias as with L2DSR   Server responds to client's source address from VIP NANOG 51, Miami 12 January 30, 2011
L3DSR Packet Flow   Incoming: ›  Client Source IP: 144.100.10.1! ›  Client Destination IP: 198.18.0.250! ›  DSCP: 0x0 (explicitly cleared)   LB to Server: ›  Source IP: 144.100.10.1! ›  Destination IP: 74.80.1.1! ›  DSCP: 0x4!   Server to Client: ›  Source IP: 198.18.0.250! ›  Destination IP: 144.100.10.1! NANOG 51, Miami 13 January 30, 2011
Hardware Vendor Support   A10 AX3200 >= 2.2.5   Brocade ADX Series >= 12.1d   Brocade/Foundry ServerIron 450 ›  M7 and JetCore blades ›  >= 10.2.01p   Citrix Netscaler running 8.x, 9.x NANOG 51, Miami 14 January 30, 2011
Hardware Vendor Support – A10 slb template port dscp_port_7! dscp 7! !! slb server hostname.yahoo.com 10.128.9.31! port 80 tcp! template port dscp_port_7! !! slb service-group vip1.yahoo.com:80 tcp! health-check status.html! member hostname.yahoo.com:80! !! slb virtual-server vip1.yahoo.com 10.128.8.45! port 80 tcp! service-group vip1.yahoo.com:80! no-dest-nat! NANOG 51, Miami 15 January 30, 2011
Hardware Vendor Support – Brocade server remote-name hostname.yahoo.com 10.128.9.35 ! port default disable! port http! port http url "GET /index.html"! !! server virtual vip1.yahoo.com 10.1.128.49! tos-marking 7 hc-l3-dsr! port default disable! port http! bind http hostname.yahoo.com http! ! ! NANOG 51, Miami 16 January 30, 2011
Hardware Vendor Support – Citrix add lb monitor index.html HTTP -respCode 200 !! -httpRequest "GET /index.html" -interval 7 !! -retries 2! add server hostname.yahoo.com 10.128.9.35! add service hostname.yahoo.com-80 !! hostname.yahoo.com ANY 80 !! -usip YES -cip DISABLED! bind lb monitor index.html hostname.yahoo.com-80! add lb vserver vip1.yahoo.com-80 ANY !! 10.128.8.44 80 -lbmethod ROUNDROBIN ! !! -m TOS -tosId 7! bind lb vserver vip1.yahoo.com-80 !! hostname.yahoo.com-80! NANOG 51, Miami 17 January 30, 2011
Server OS Support – FreeBSD   Yahoo! developed kernel module providing a simple single-purpose packet filter   enable destination-address rewriting via sysctl(8)!   originally written by John Baldwin, now maintained by Jan Schaumann   a whooping 256 lines of code (including comments etc.)   support version 6 and above (i386/amd64) NANOG 51, Miami 18 January 30, 2011
Server OS Support – FreeBSD $ sudo /sbin/kldload dscp_rewrite! $ /sbin/kldstat | grep dscp! 5 1 0xffffff8000be9000 106000 dscp_rewrite.ko! $ sudo sysctl -w net.inet.ip.dscp_rewrite.enabled=1! net.inet.ip.dscp_rewrite.enabled: 0 -> 1! $ sudo sysctl -w net.inet.ip.dscp_rewrite.7=10.1.128.49! net.inet.ip.dscp_rewrite.7: 0.0.0.0 -> 10.1.128.49! $ sudo /sbin/ifconfig lo0 10.1.128.49 netmask 0xffffffff alias! $ ifconfig -a! bce0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500! options=1bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4>! ether 00:15:c5:e5:4c:69! inet 10.128.9.35 netmask 0xffffff00 broadcast 10.128.9.255! media: Ethernet 1000baseTX <full-duplex>! status: active! lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384! inet6 fe80::1%lo0 prefixlen 64 scopeid 0x5! inet6 ::1 prefixlen 128! inet 127.0.0.1 netmask 0xff000000! inet 10.1.128.49 netmask 0xffffffff! NANOG 51, Miami 19 January 30, 2011
Server OS Support – FreeBSD $ ping -c 3 -z 28 10.128.9.35 ! PING 10.128.9.35 (10.128.9.35): 56 data bytes! 64 bytes from 10.1.128.49: icmp_seq=0 ttl=64 time=0.035 ms! 64 bytes from 10.1.128.49: icmp_seq=1 ttl=64 time=0.046 ms! 64 bytes from 10.1.128.49: icmp_seq=2 ttl=64 time=0.045 ms! --- 10.128.9.35 ping statistics ---! 3 packets transmitted, 3 packets received, 0.0% packet loss! round-trip min/avg/max/stddev = 0.035/0.042/0.046/0.005 ms! 15:25:59.822743 IP (tos 0x1c, ttl 64, id 11612, offset 0, flags [none], proto ICMP (1), length 84) 10.128.9.35 > 10.128.9.35: ICMP echo request, id 22133, seq 0, length 64! 15:25:59.822759 IP (tos 0x1c, ttl 64, id 11613, offset 0, flags [none], proto ICMP (1), length 84) 10.1.128.49 > 10.128.9.35: ICMP echo reply, id 22133, seq 0, length 64! 15:26:00.823815 IP (tos 0x1c, ttl 64, id 11617, offset 0, flags [none], proto ICMP (1), length 84) 10.128.9.35 > 10.128.9.35: ICMP echo request, id 22133, seq 1, length 64! 15:26:00.823831 IP (tos 0x1c, ttl 64, id 11618, offset 0, flags [none], proto ICMP (1), length 84) 10.1.128.49 > 10.128.9.35: ICMP echo reply, id 22133, seq 1, length 64! 15:26:01.835959 IP (tos 0x1c, ttl 64, id 11621, offset 0, flags [none], proto ICMP (1), length 84) 10.128.9.35 > 10.128.9.35: ICMP echo request, id 22133, seq 2, length 64! NANOG 51, Miami 20 January 30, 2011
Server OS Support – RHEL   Yahoo! developed kernel module and iptables(8) plugin to allow mangling of the DSCP field   enable destination-address rewriting via iptables(8)!   originally written and now maintained by Quentin Barnes   another whooping ~200 lines of code or so   supports RHEL 4, 5 (i386/amd64; xenU) NANOG 51, Miami 21 January 30, 2011
Server OS Support – RHEL $ sudo iptables -t mangle -A PREROUTING -m dscp –dscp 7 -j DADDR --set-daddr=10.128.8.46 ! $ lsmod | grep ipt! iptable_mangle 4545 1! ipt_DADDR 4352 5! ipt_dscp 3137 5! ip_tables 21825 3 iptable_mangle,ipt_DADDR,ipt_dscp! $!sudo iptables -t mangle -L! $ Chain PREROUTING (policy ACCEPT)! target prot opt source destination! DADDR all -- anywhere anywhere DSCP match 0x1c DADDR set 10.128.8.46! [...]! $ sudo ifconfig lo:1 10.128.8.46 netmask 255.255.255.255! $ ifconfig -a | more! eth0 Link encap:Ethernet HWaddr 00:11:43:E1:DA:F0! inet addr:10.128.9.31 Bcast:10.128.9.255 Mask:255.255.255.0! UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1! lo:1 Link encap:Local Loopback! inet addr:10.128.8.46 Mask:255.255.255.255! UP LOOPBACK RUNNING MTU:16436 Metric:1! NANOG 51, Miami 22 January 30, 2011
Server OS Support – RHEL $ ping -c 3 –Q 28 10.128.9.31! PING 10.128.9.31 (10.128.9.31) 56(84) bytes of data.! 64 bytes from 10.128.8.46: icmp_seq=0 ttl=64 time=0.084 ms! 64 bytes from 10.128.8.46: icmp_seq=1 ttl=64 time=0.106 ms! 64 bytes from 10.128.8.46: icmp_seq=2 ttl=64 time=0.112 ms! --- 10.128.9.31 ping statistics ---! 3 packets transmitted, 3 received, 0% packet loss, time 2000ms! rtt min/avg/max/mdev = 0.084/0.100/0.112/0.016 ms, pipe 2! 07:57:27.121040 IP (tos 0x1c, ttl 64, id 0, offset 0, flags [DF], proto 1, length: 84) 10.128.9.32 > 10.128.9.31: icmp 64: echo request seq 0! 07:57:27.121049 IP (tos 0x1c, ttl 64, id 7562, offset 0, flags [none], proto 1, length: 84) 10.128.8.46 > 10.128.9.32: icmp 64: echo reply seq 0! 07:57:28.120800 IP (tos 0x1c, ttl 64, id 0, offset 0, flags [DF], proto 1, length: 84) 10.128.9.32 > 10.128.9.31: icmp 64: echo request seq 1! 07:57:28.120807 IP (tos 0x1c, ttl 64, id 7563, offset 0, flags [none], proto 1, length: 84) 10.128.8.46 > 10.128.9.32: icmp 64: echo reply seq 1! 07:57:29.120608 IP (tos 0x1c, ttl 64, id 0, offset 0, flags [DF], proto 1, length: 84) 10.128.9.32 > 10.128.9.31: icmp 64: echo request seq 2! 07:57:29.120616 IP (tos 0x1c, ttl 64, id 7564, offset 0, flags [none], proto 1, length: 84) 10.128.8.46 > 10.128.9.32: icmp 64: echo reply seq 2! NANOG 51, Miami 23 January 30, 2011
L3DSR Health Checking   need to be able to check to see if the iptables plugin/kernel module is in place and working correctly – otherwise traffic may get blackholed   LB sends: ›  Source IP: <LB IP> Dest IP: <Server IP> ›  Healthcheck URL "GET /index.html" ›  DSCP: 7   Server replies: ›  Source IP: <VIP IP> Dest IP: <LB IP> ›  Status code "200 OK"   due to destination address rewriting, source/destination on the LB do not match NANOG 51, Miami 24 January 30, 2011
L3DSR Benefits   Location Independence of servers within the datacenter ›  we can physically move hosts across different Layer 2 segments ›  we can rebuild a host on a different Layer 2 segment, then use it to replace broken hosts ›  we can deploy new hosts to add to existing VIPs without concern for the physical location / IP allocation within same Layer 2 segment   Preservation of clients' source address   DSR Performance ›  up to 8x the number of VIPs per LB compared to other L3 techniques NANOG 51, Miami 25 January 30, 2011
L3DSR Drawbacks   use of DSCP bits reserved for L3DSR cannot simultaneously be used for QoS   need to keep track of the DSCP <=> VIP mappings ›  extend the database storing VIP settings ›  update any tools used to turn centrally stored values into host configuration   increased complexity ›  host configuration now requires additional kernel modules and configuration steps ›  new code and new configuration options on load balancers ›  more places where things can go wrong NANOG 51, Miami 26 January 30, 2011
L3DSR Caveats 22:43:43.855888 IP (tos 0x1c, ttl 64, id 35851, offset 0, flags [none], proto ICMP (1), length 84, bad cksum 0 (->251c)!) 10.163.162.14 > 10.163.163.17: ICMP echo request, id 6179, seq 0, length 64! 22:43:43.856092 IP (tos 0x0, ttl 64, id 16332, offset 0, flags [none], proto ICMP (1), length 84) 10.163.163.17 > 10.163.162.14: ICMP echo reply, id 6179, seq 0, length 64! 22:43:44.897346 IP (tos 0x1c, ttl 64, id 35856, offset 0, flags [none], proto ICMP (1), length 84, bad cksum 0 (->2517)!) 10.163.161.14 > 10.163.163.17: ICMP echo request, id 6179, seq 1, length 64! 22:43:43.855888 IP (tos 0x0, ttl 64, id 35851, offset 0, flags [none], proto: ICMP (1), length: 84) 10.163.162.14 > 10.163.163.17: ICMP echo request, id 6179, seq 0, length 64! 22:43:43.856092 IP (tos 0x0, ttl 64, id 16332, offset 0, flags [none], proto: ICMP (1), length: 84, bad cksum 0 (->715b)!) 10.163.163.17 > 10.163.162.14: ICMP echo reply, id 6179, seq 0, length 64! 22:43:44.897346 IP (tos 0x0, ttl 64, id 35856, offset 0, flags [none], proto: ICMP (1), length: 84) 10.163.162.14 > 10.163.163.17: ICMP echo request, id 6179, seq 1, length 64! NANOG 51, Miami 27 January 30, 2011
L3DSR Caveats A10: slb template port dscp_port_7! dscp 7! Brocade: server virtual vip1.yahoo.com 10.1.128.49! tos-marking 7 hc-l3-dsr! Citrix: add lb vserver vip1.yahoo.com-80 ANY !! 10.128.8.44 80 -lbmethod ROUNDROBIN ! !! -m TOS -tosId 7! NANOG 51, Miami 28 January 30, 2011
L3DSR Caveats $ ping -c 3 -z 28 10.128.9.35 ! PING 10.128.9.35 (10.128.9.35): 56 data bytes! 64 bytes from 10.1.128.49: icmp_seq=0 ttl=64 time=0.035 ms! 64 bytes from 10.1.128.49: icmp_seq=1 ttl=64 time=0.046 ms! DSCP = 7 (configure) 64 bytes from 10.1.128.49: icmp_seq=2 ttl=64 time=0.045 ms! TOS = 28 (check) --- 10.128.9.35 ping statistics ---! Hex = 0x1c (troubleshoot) 3 packets transmitted, 3 packets received, 0.0% packet loss! round-trip min/avg/max/stddev = 0.035/0.042/0.046/0.005 ms! $! 15:25:59.822743 IP (tos 0x1c, ttl 64, id 11612, offset 0, flags [none], proto ICMP (1), length 84) 10.128.9.35 > 10.128.9.35: ICMP echo request, id 22133, seq 0, length 64! 15:25:59.822759 IP (tos 0x1c, ttl 64, id 11613, offset 0, flags [none], proto ICMP (1), length 84) 10.1.128.49 > 10.128.9.35: ICMP echo reply, id 22133, seq 0, length 64! 15:26:00.823815 IP (tos 0x1c, ttl 64, id 11617, offset 0, flags [none], proto ICMP (1), length 84) 10.128.9.35 > 10.128.9.35: ICMP echo request, id 22133, seq 1, length 64! 15:26:00.823831 IP (tos 0x1c, ttl 64, id 11618, offset 0, flags [none], proto ICMP (1), length 84) 10.1.128.49 > 10.128.9.35: ICMP echo reply, id 22133, seq 1, length 64! 15:26:01.835959 IP (tos 0x1c, ttl 64, id 11621, offset 0, flags [none], proto ICMP (1), length 84) 10.128.9.35 > 10.128.9.35: ICMP echo request, id 22133, seq 2, length 64! NANOG 51, Miami 29 January 30, 2011
Future Enhancements   Port Translation ›  now possible – we're on Layer 3 ›  may require the server-side kernel module to also rewrite the port of the incoming packets   Revisit the Loopback Alias ›  if hosts are guaranteed to be on separate l2 segments, VIP can be aliased on the real interface •  Pro: packets don't get pushed up and down the TCP stack on entry •  Con: hosts now must be on different L2 segments; host configuration deviates (more) from other VIP configurations; LB configuration increases in complexity NANOG 51, Miami 30 January 30, 2011
Future Enhancements: IPv6   use Traffic Class field?   use Destination Options EH?   define new EH? NANOG 51, Miami 31 January 30, 2011
Open Source L3DSR   LB vendor support is already there   internal process started to open source FreeBSD and Linux kernel modules and iptables(8) extension as well as helper tools and glue scripts   preferred license: BSD ›  linux bits may require GPL   most likely to be hosted on GitHub NANOG 51, Miami 32 January 30, 2011
L3DSR at a glance   allows for Direct Server Return Load Balancing across Layer 3 ›  location independence of servers in a VIP ›  high performance ›  preservation of clients' source address   uses the DSCP field in the IPv4 header to relay information to the servers in a VIP ›  use of DSCP bits reserved for L3DSR cannot be used for QoS ›  debugging/configuration at times confusing   supported by A10, Brocade/Foundry, Citrix   server support on FreeBSD and RHEL ›  servers rewrite destination address of incoming packets based on DSCP values   future enhancements include: IPv6 support, port translation, open sourcing of kernel modules NANOG 51, Miami 33 January 30, 2011

Recommandé

Software Load Balancer for OpenFlow Complaint SDN architecture
Software Load Balancer for OpenFlow Complaint SDN architectureSoftware Load Balancer for OpenFlow Complaint SDN architecture
Software Load Balancer for OpenFlow Complaint SDN architecturePritesh Ranjan
 
Design and Implementation of a Load Balancing Algorithm for a Clustered SDN C...
Design and Implementation of a Load Balancing Algorithm for a Clustered SDN C...Design and Implementation of a Load Balancing Algorithm for a Clustered SDN C...
Design and Implementation of a Load Balancing Algorithm for a Clustered SDN C...Daniel Gheorghita
 
Dynamic ARP Inspection (DAI)
Dynamic ARP Inspection (DAI)Dynamic ARP Inspection (DAI)
Dynamic ARP Inspection (DAI)NetProtocol Xpert
 
DHCP Snooping
DHCP SnoopingDHCP Snooping
DHCP SnoopingNetProtocol Xpert
 
Integrating Active Networking and Commercial-Grade Routing Platforms
Integrating Active Networking and Commercial-Grade Routing PlatformsIntegrating Active Networking and Commercial-Grade Routing Platforms
Integrating Active Networking and Commercial-Grade Routing PlatformsTal Lavian Ph.D.
 
opendayight loadBalancer
opendayight loadBalancer opendayight loadBalancer
opendayight loadBalancer Khubaib Mahar
 
OPNFV Service Function Chaining
OPNFV Service Function ChainingOPNFV Service Function Chaining
OPNFV Service Function ChainingOPNFV
 
OTV Configuration
OTV ConfigurationOTV Configuration
OTV ConfigurationNetProtocol Xpert
 

Recommandé

Software Load Balancer for OpenFlow Complaint SDN architecture
Software Load Balancer for OpenFlow Complaint SDN architectureSoftware Load Balancer for OpenFlow Complaint SDN architecture
Software Load Balancer for OpenFlow Complaint SDN architecturePritesh Ranjan
 
Design and Implementation of a Load Balancing Algorithm for a Clustered SDN C...
Design and Implementation of a Load Balancing Algorithm for a Clustered SDN C...Design and Implementation of a Load Balancing Algorithm for a Clustered SDN C...
Design and Implementation of a Load Balancing Algorithm for a Clustered SDN C...Daniel Gheorghita
 
Dynamic ARP Inspection (DAI)
Dynamic ARP Inspection (DAI)Dynamic ARP Inspection (DAI)
Dynamic ARP Inspection (DAI)NetProtocol Xpert
 
DHCP Snooping
DHCP SnoopingDHCP Snooping
DHCP SnoopingNetProtocol Xpert
 
Integrating Active Networking and Commercial-Grade Routing Platforms
Integrating Active Networking and Commercial-Grade Routing PlatformsIntegrating Active Networking and Commercial-Grade Routing Platforms
Integrating Active Networking and Commercial-Grade Routing PlatformsTal Lavian Ph.D.
 
opendayight loadBalancer
opendayight loadBalancer opendayight loadBalancer
opendayight loadBalancer Khubaib Mahar
 
OPNFV Service Function Chaining
OPNFV Service Function ChainingOPNFV Service Function Chaining
OPNFV Service Function ChainingOPNFV
 
OTV Configuration
OTV ConfigurationOTV Configuration
OTV ConfigurationNetProtocol Xpert
 
Openlab.2014 02-13.major.vi sion
Openlab.2014 02-13.major.vi sionOpenlab.2014 02-13.major.vi sion
Openlab.2014 02-13.major.vi sionCcie Light
 
DevOops - Lessons Learned from an OpenStack Network Architect
DevOops - Lessons Learned from an OpenStack Network ArchitectDevOops - Lessons Learned from an OpenStack Network Architect
DevOops - Lessons Learned from an OpenStack Network ArchitectJames Denton
 
Pushing Packets - How do the ML2 Mechanism Drivers Stack Up
Pushing Packets - How do the ML2 Mechanism Drivers Stack UpPushing Packets - How do the ML2 Mechanism Drivers Stack Up
Pushing Packets - How do the ML2 Mechanism Drivers Stack UpJames Denton
 
LISP and NSH in Open vSwitch
LISP and NSH in Open vSwitchLISP and NSH in Open vSwitch
LISP and NSH in Open vSwitchmestery
 
Software Define Network (SDN) and Openflow
Software Define Network (SDN) and OpenflowSoftware Define Network (SDN) and Openflow
Software Define Network (SDN) and OpenflowKHNOG
 
Securing management, control & data plane
Securing management, control & data planeSecuring management, control & data plane
Securing management, control & data planeNetProtocol Xpert
 
Barak Perlman, ConteXtream - SFC (Service Function Chaining) Using Openstack ...
Barak Perlman, ConteXtream - SFC (Service Function Chaining) Using Openstack ...Barak Perlman, ConteXtream - SFC (Service Function Chaining) Using Openstack ...
Barak Perlman, ConteXtream - SFC (Service Function Chaining) Using Openstack ...Cloud Native Day Tel Aviv
 
DEVNET-1175 OpenDaylight Service Function Chaining
DEVNET-1175 OpenDaylight Service Function ChainingDEVNET-1175 OpenDaylight Service Function Chaining
DEVNET-1175 OpenDaylight Service Function ChainingCisco DevNet
 
Opensample: A Low-latency, Sampling-based Measurement Platform for Software D...
Opensample: A Low-latency, Sampling-based Measurement Platform for Software D...Opensample: A Low-latency, Sampling-based Measurement Platform for Software D...
Opensample: A Low-latency, Sampling-based Measurement Platform for Software D...Junho Suh
 
TCLSH and Macro Ping Test on Cisco Routers and Switches
TCLSH and Macro Ping Test on Cisco Routers and SwitchesTCLSH and Macro Ping Test on Cisco Routers and Switches
TCLSH and Macro Ping Test on Cisco Routers and SwitchesNetProtocol Xpert
 
Tech Talk: ONOS- A Distributed SDN Network Operating System
Tech Talk: ONOS- A Distributed SDN Network Operating SystemTech Talk: ONOS- A Distributed SDN Network Operating System
Tech Talk: ONOS- A Distributed SDN Network Operating Systemnvirters
 
Network Node is Not Needed Anymore - Completed Distributed Virtual Router / F...
Network Node is Not Needed Anymore - Completed Distributed Virtual Router / F...Network Node is Not Needed Anymore - Completed Distributed Virtual Router / F...
Network Node is Not Needed Anymore - Completed Distributed Virtual Router / F...Takanori Miyagishi
 
IP Source Guard
IP Source Guard IP Source Guard
IP Source Guard NetProtocol Xpert
 
Open Flow Tutorial Series - Set 1
Open Flow Tutorial Series - Set 1Open Flow Tutorial Series - Set 1
Open Flow Tutorial Series - Set 1Radhika Hirannaiah
 
OpenFlow Extensions
OpenFlow ExtensionsOpenFlow Extensions
OpenFlow ExtensionsUS-Ignite
 
EMEA Airheads- ArubaOS - High availability with AP Fast Failover
EMEA Airheads- ArubaOS - High availability with AP Fast FailoverEMEA Airheads- ArubaOS - High availability with AP Fast Failover
EMEA Airheads- ArubaOS - High availability with AP Fast FailoverAruba, a Hewlett Packard Enterprise company
 
SEGMENT Routing
SEGMENT RoutingSEGMENT Routing
SEGMENT RoutingBangladesh Network Operators Group
 
EMEA Airheads_ Aruba AppRF – AOS 6.x & 8.x
EMEA Airheads_ Aruba AppRF – AOS 6.x & 8.xEMEA Airheads_ Aruba AppRF – AOS 6.x & 8.x
EMEA Airheads_ Aruba AppRF – AOS 6.x & 8.xAruba, a Hewlett Packard Enterprise company
 
Tech Talk by John Casey (CTO) CPLANE_NETWORKS : High Performance OpenStack Ne...
Tech Talk by John Casey (CTO) CPLANE_NETWORKS : High Performance OpenStack Ne...Tech Talk by John Casey (CTO) CPLANE_NETWORKS : High Performance OpenStack Ne...
Tech Talk by John Casey (CTO) CPLANE_NETWORKS : High Performance OpenStack Ne...nvirters
 
Software defined networks and openflow protocol
Software defined networks and openflow protocolSoftware defined networks and openflow protocol
Software defined networks and openflow protocolMahesh Mohan
 
SDN/OpenFlow #lspe
SDN/OpenFlow #lspeSDN/OpenFlow #lspe
SDN/OpenFlow #lspeChris Westin
 
OpenStack Scale-out Networking Architecture
OpenStack Scale-out Networking ArchitectureOpenStack Scale-out Networking Architecture
OpenStack Scale-out Networking ArchitectureRandy Bias
 

Contenu connexe

Tendances

Openlab.2014 02-13.major.vi sion
Openlab.2014 02-13.major.vi sionOpenlab.2014 02-13.major.vi sion
Openlab.2014 02-13.major.vi sionCcie Light
 
DevOops - Lessons Learned from an OpenStack Network Architect
DevOops - Lessons Learned from an OpenStack Network ArchitectDevOops - Lessons Learned from an OpenStack Network Architect
DevOops - Lessons Learned from an OpenStack Network ArchitectJames Denton
 
Pushing Packets - How do the ML2 Mechanism Drivers Stack Up
Pushing Packets - How do the ML2 Mechanism Drivers Stack UpPushing Packets - How do the ML2 Mechanism Drivers Stack Up
Pushing Packets - How do the ML2 Mechanism Drivers Stack UpJames Denton
 
LISP and NSH in Open vSwitch
LISP and NSH in Open vSwitchLISP and NSH in Open vSwitch
LISP and NSH in Open vSwitchmestery
 
Software Define Network (SDN) and Openflow
Software Define Network (SDN) and OpenflowSoftware Define Network (SDN) and Openflow
Software Define Network (SDN) and OpenflowKHNOG
 
Securing management, control & data plane
Securing management, control & data planeSecuring management, control & data plane
Securing management, control & data planeNetProtocol Xpert
 
Barak Perlman, ConteXtream - SFC (Service Function Chaining) Using Openstack ...
Barak Perlman, ConteXtream - SFC (Service Function Chaining) Using Openstack ...Barak Perlman, ConteXtream - SFC (Service Function Chaining) Using Openstack ...
Barak Perlman, ConteXtream - SFC (Service Function Chaining) Using Openstack ...Cloud Native Day Tel Aviv
 
DEVNET-1175 OpenDaylight Service Function Chaining
DEVNET-1175 OpenDaylight Service Function ChainingDEVNET-1175 OpenDaylight Service Function Chaining
DEVNET-1175 OpenDaylight Service Function ChainingCisco DevNet
 
Opensample: A Low-latency, Sampling-based Measurement Platform for Software D...
Opensample: A Low-latency, Sampling-based Measurement Platform for Software D...Opensample: A Low-latency, Sampling-based Measurement Platform for Software D...
Opensample: A Low-latency, Sampling-based Measurement Platform for Software D...Junho Suh
 
TCLSH and Macro Ping Test on Cisco Routers and Switches
TCLSH and Macro Ping Test on Cisco Routers and SwitchesTCLSH and Macro Ping Test on Cisco Routers and Switches
TCLSH and Macro Ping Test on Cisco Routers and SwitchesNetProtocol Xpert
 
Tech Talk: ONOS- A Distributed SDN Network Operating System
Tech Talk: ONOS- A Distributed SDN Network Operating SystemTech Talk: ONOS- A Distributed SDN Network Operating System
Tech Talk: ONOS- A Distributed SDN Network Operating Systemnvirters
 
Network Node is Not Needed Anymore - Completed Distributed Virtual Router / F...
Network Node is Not Needed Anymore - Completed Distributed Virtual Router / F...Network Node is Not Needed Anymore - Completed Distributed Virtual Router / F...
Network Node is Not Needed Anymore - Completed Distributed Virtual Router / F...Takanori Miyagishi
 
Open Flow Tutorial Series - Set 1
Open Flow Tutorial Series - Set 1Open Flow Tutorial Series - Set 1
Open Flow Tutorial Series - Set 1Radhika Hirannaiah
 
OpenFlow Extensions
OpenFlow ExtensionsOpenFlow Extensions
OpenFlow ExtensionsUS-Ignite
 
Tech Talk by John Casey (CTO) CPLANE_NETWORKS : High Performance OpenStack Ne...
Tech Talk by John Casey (CTO) CPLANE_NETWORKS : High Performance OpenStack Ne...Tech Talk by John Casey (CTO) CPLANE_NETWORKS : High Performance OpenStack Ne...
Tech Talk by John Casey (CTO) CPLANE_NETWORKS : High Performance OpenStack Ne...nvirters
 
Software defined networks and openflow protocol
Software defined networks and openflow protocolSoftware defined networks and openflow protocol
Software defined networks and openflow protocolMahesh Mohan
 

Tendances (20)

Openlab.2014 02-13.major.vi sion
Openlab.2014 02-13.major.vi sionOpenlab.2014 02-13.major.vi sion
Openlab.2014 02-13.major.vi sion
 
DevOops - Lessons Learned from an OpenStack Network Architect
DevOops - Lessons Learned from an OpenStack Network ArchitectDevOops - Lessons Learned from an OpenStack Network Architect
DevOops - Lessons Learned from an OpenStack Network Architect
 
Pushing Packets - How do the ML2 Mechanism Drivers Stack Up
Pushing Packets - How do the ML2 Mechanism Drivers Stack UpPushing Packets - How do the ML2 Mechanism Drivers Stack Up
Pushing Packets - How do the ML2 Mechanism Drivers Stack Up
 
LISP and NSH in Open vSwitch
LISP and NSH in Open vSwitchLISP and NSH in Open vSwitch
LISP and NSH in Open vSwitch
 
Software Define Network (SDN) and Openflow
Software Define Network (SDN) and OpenflowSoftware Define Network (SDN) and Openflow
Software Define Network (SDN) and Openflow
 
Securing management, control & data plane
Securing management, control & data planeSecuring management, control & data plane
Securing management, control & data plane
 
Barak Perlman, ConteXtream - SFC (Service Function Chaining) Using Openstack ...
Barak Perlman, ConteXtream - SFC (Service Function Chaining) Using Openstack ...Barak Perlman, ConteXtream - SFC (Service Function Chaining) Using Openstack ...
Barak Perlman, ConteXtream - SFC (Service Function Chaining) Using Openstack ...
 
DEVNET-1175 OpenDaylight Service Function Chaining
DEVNET-1175 OpenDaylight Service Function ChainingDEVNET-1175 OpenDaylight Service Function Chaining
DEVNET-1175 OpenDaylight Service Function Chaining
 
Opensample: A Low-latency, Sampling-based Measurement Platform for Software D...
Opensample: A Low-latency, Sampling-based Measurement Platform for Software D...Opensample: A Low-latency, Sampling-based Measurement Platform for Software D...
Opensample: A Low-latency, Sampling-based Measurement Platform for Software D...
 
TCLSH and Macro Ping Test on Cisco Routers and Switches
TCLSH and Macro Ping Test on Cisco Routers and SwitchesTCLSH and Macro Ping Test on Cisco Routers and Switches
TCLSH and Macro Ping Test on Cisco Routers and Switches
 
Tech Talk: ONOS- A Distributed SDN Network Operating System
Tech Talk: ONOS- A Distributed SDN Network Operating SystemTech Talk: ONOS- A Distributed SDN Network Operating System
Tech Talk: ONOS- A Distributed SDN Network Operating System
 
Network Node is Not Needed Anymore - Completed Distributed Virtual Router / F...
Network Node is Not Needed Anymore - Completed Distributed Virtual Router / F...Network Node is Not Needed Anymore - Completed Distributed Virtual Router / F...
Network Node is Not Needed Anymore - Completed Distributed Virtual Router / F...
 
IP Source Guard
IP Source Guard IP Source Guard
IP Source Guard
 
Open Flow Tutorial Series - Set 1
Open Flow Tutorial Series - Set 1Open Flow Tutorial Series - Set 1
Open Flow Tutorial Series - Set 1
 
OpenFlow Extensions
OpenFlow ExtensionsOpenFlow Extensions
OpenFlow Extensions
 
EMEA Airheads- ArubaOS - High availability with AP Fast Failover
EMEA Airheads- ArubaOS - High availability with AP Fast FailoverEMEA Airheads- ArubaOS - High availability with AP Fast Failover
EMEA Airheads- ArubaOS - High availability with AP Fast Failover
 
SEGMENT Routing
SEGMENT RoutingSEGMENT Routing
SEGMENT Routing
 
EMEA Airheads_ Aruba AppRF – AOS 6.x & 8.x
EMEA Airheads_ Aruba AppRF – AOS 6.x & 8.xEMEA Airheads_ Aruba AppRF – AOS 6.x & 8.x
EMEA Airheads_ Aruba AppRF – AOS 6.x & 8.x
 
Tech Talk by John Casey (CTO) CPLANE_NETWORKS : High Performance OpenStack Ne...
Tech Talk by John Casey (CTO) CPLANE_NETWORKS : High Performance OpenStack Ne...Tech Talk by John Casey (CTO) CPLANE_NETWORKS : High Performance OpenStack Ne...
Tech Talk by John Casey (CTO) CPLANE_NETWORKS : High Performance OpenStack Ne...
 
Software defined networks and openflow protocol
Software defined networks and openflow protocolSoftware defined networks and openflow protocol
Software defined networks and openflow protocol
 

Similaire à L3DSR - Overcoming Layer 2 Limitations of Direct Server Return Load Balancing

SDN/OpenFlow #lspe
SDN/OpenFlow #lspeSDN/OpenFlow #lspe
SDN/OpenFlow #lspeChris Westin
 
OpenStack Scale-out Networking Architecture
OpenStack Scale-out Networking ArchitectureOpenStack Scale-out Networking Architecture
OpenStack Scale-out Networking ArchitectureRandy Bias
 
Anton Moldovan "Building an efficient replication system for thousands of ter...
Anton Moldovan "Building an efficient replication system for thousands of ter...Anton Moldovan "Building an efficient replication system for thousands of ter...
Anton Moldovan "Building an efficient replication system for thousands of ter...Fwdays
 
Design of a campus network
Design of a campus networkDesign of a campus network
Design of a campus networkAalap Tripathy
 
Ccna 4 Final 4 Version 4.0 Answers
Ccna 4 Final 4 Version 4.0 AnswersCcna 4 Final 4 Version 4.0 Answers
Ccna 4 Final 4 Version 4.0 AnswersCCNA4Answers
 
Ubuntu server wireless access point (eng)
Ubuntu server wireless access point (eng)Ubuntu server wireless access point (eng)
Ubuntu server wireless access point (eng)Anatoliy Okhotnikov
 
New idc architecture
New idc architectureNew idc architecture
New idc architectureMason Mei
 
The End of IPv4: What It Means for Incident Responders
The End of IPv4: What It Means for Incident RespondersThe End of IPv4: What It Means for Incident Responders
The End of IPv4: What It Means for Incident RespondersCarlos Martinez Cagnazzo
 
Hungary Usergroup - Midonet overlay programming
Hungary Usergroup - Midonet overlay programmingHungary Usergroup - Midonet overlay programming
Hungary Usergroup - Midonet overlay programmingMarton Kiss
 
SAS (Secure Active Switch)
SAS (Secure Active Switch)SAS (Secure Active Switch)
SAS (Secure Active Switch)Security Date
 
Intel ESB2 ASF Firmware Update
Intel ESB2 ASF Firmware UpdateIntel ESB2 ASF Firmware Update
Intel ESB2 ASF Firmware Updatewebhostingguy
 
Tutorial: Network State Awareness Troubleshooting
Tutorial: Network State Awareness TroubleshootingTutorial: Network State Awareness Troubleshooting
Tutorial: Network State Awareness TroubleshootingAPNIC
 
Harmonia open iris_basic_v0.1
Harmonia open iris_basic_v0.1Harmonia open iris_basic_v0.1
Harmonia open iris_basic_v0.1Yongyoon Shin
 
Information Theft: Wireless Router Shareport for Phun and profit - Hero Suhar...
Information Theft: Wireless Router Shareport for Phun and profit - Hero Suhar...Information Theft: Wireless Router Shareport for Phun and profit - Hero Suhar...
Information Theft: Wireless Router Shareport for Phun and profit - Hero Suhar...idsecconf
 
FlowER Erlang Openflow Controller
FlowER Erlang Openflow ControllerFlowER Erlang Openflow Controller
FlowER Erlang Openflow ControllerHolger Winkelmann
 

Similaire à L3DSR - Overcoming Layer 2 Limitations of Direct Server Return Load Balancing (20)

SDN/OpenFlow #lspe
SDN/OpenFlow #lspeSDN/OpenFlow #lspe
SDN/OpenFlow #lspe
 
OpenStack Scale-out Networking Architecture
OpenStack Scale-out Networking ArchitectureOpenStack Scale-out Networking Architecture
OpenStack Scale-out Networking Architecture
 
Anton Moldovan "Building an efficient replication system for thousands of ter...
Anton Moldovan "Building an efficient replication system for thousands of ter...Anton Moldovan "Building an efficient replication system for thousands of ter...
Anton Moldovan "Building an efficient replication system for thousands of ter...
 
Design of a campus network
Design of a campus networkDesign of a campus network
Design of a campus network
 
Ccna 4 Final 4 Version 4.0 Answers
Ccna 4 Final 4 Version 4.0 AnswersCcna 4 Final 4 Version 4.0 Answers
Ccna 4 Final 4 Version 4.0 Answers
 
Ubuntu server wireless access point (eng)
Ubuntu server wireless access point (eng)Ubuntu server wireless access point (eng)
Ubuntu server wireless access point (eng)
 
Elliptics
EllipticsElliptics
Elliptics
 
IPV6 IPv6 Routing Lab By Rob Hamm
IPV6 IPv6 Routing Lab By Rob HammIPV6 IPv6 Routing Lab By Rob Hamm
IPV6 IPv6 Routing Lab By Rob Hamm
 
New idc architecture
New idc architectureNew idc architecture
New idc architecture
 
The End of IPv4: What It Means for Incident Responders
The End of IPv4: What It Means for Incident RespondersThe End of IPv4: What It Means for Incident Responders
The End of IPv4: What It Means for Incident Responders
 
Hungary Usergroup - Midonet overlay programming
Hungary Usergroup - Midonet overlay programmingHungary Usergroup - Midonet overlay programming
Hungary Usergroup - Midonet overlay programming
 
Fedv6tf-fhs
Fedv6tf-fhsFedv6tf-fhs
Fedv6tf-fhs
 
SAS (Secure Active Switch)
SAS (Secure Active Switch)SAS (Secure Active Switch)
SAS (Secure Active Switch)
 
Intel ESB2 ASF Firmware Update
Intel ESB2 ASF Firmware UpdateIntel ESB2 ASF Firmware Update
Intel ESB2 ASF Firmware Update
 
Tutorial: Network State Awareness Troubleshooting
Tutorial: Network State Awareness TroubleshootingTutorial: Network State Awareness Troubleshooting
Tutorial: Network State Awareness Troubleshooting
 
Harmonia open iris_basic_v0.1
Harmonia open iris_basic_v0.1Harmonia open iris_basic_v0.1
Harmonia open iris_basic_v0.1
 
Information Theft: Wireless Router Shareport for Phun and profit - Hero Suhar...
Information Theft: Wireless Router Shareport for Phun and profit - Hero Suhar...Information Theft: Wireless Router Shareport for Phun and profit - Hero Suhar...
Information Theft: Wireless Router Shareport for Phun and profit - Hero Suhar...
 
FlowER Erlang Openflow Controller
FlowER Erlang Openflow ControllerFlowER Erlang Openflow Controller
FlowER Erlang Openflow Controller
 
Software Defined Networking: Primer
Software Defined Networking: Primer Software Defined Networking: Primer
Software Defined Networking: Primer
 
IPAddressing .pptx
IPAddressing .pptxIPAddressing .pptx
IPAddressing .pptx
 

Plus de Jan Schaumann

The Razors Edge - Cutting your TLS Baggage
The Razors Edge - Cutting your TLS BaggageThe Razors Edge - Cutting your TLS Baggage
The Razors Edge - Cutting your TLS BaggageJan Schaumann
 
Know Your Enemy - An Introduction to Threat Modeling
Know Your Enemy - An Introduction to Threat ModelingKnow Your Enemy - An Introduction to Threat Modeling
Know Your Enemy - An Introduction to Threat ModelingJan Schaumann
 
Crazy Like A Fox - #Infosec Ideas That Just Might Work
Crazy Like A Fox - #Infosec Ideas That Just Might WorkCrazy Like A Fox - #Infosec Ideas That Just Might Work
Crazy Like A Fox - #Infosec Ideas That Just Might WorkJan Schaumann
 
It's the people, stupid.
It's the people, stupid.It's the people, stupid.
It's the people, stupid.Jan Schaumann
 
Semper Ubi Sub Ubi - Things They Don't Teach You In School
Semper Ubi Sub Ubi - Things They Don't Teach You In SchoolSemper Ubi Sub Ubi - Things They Don't Teach You In School
Semper Ubi Sub Ubi - Things They Don't Teach You In SchoolJan Schaumann
 
Everything is Awful (And You're Not Helping)
Everything is Awful (And You're Not Helping)Everything is Awful (And You're Not Helping)
Everything is Awful (And You're Not Helping)Jan Schaumann
 
Primum non nocere - Ethical Obligations in Internet Operations
Primum non nocere - Ethical Obligations in Internet OperationsPrimum non nocere - Ethical Obligations in Internet Operations
Primum non nocere - Ethical Obligations in Internet OperationsJan Schaumann
 
Protecting Data in Untrusted Locations
Protecting Data in Untrusted LocationsProtecting Data in Untrusted Locations
Protecting Data in Untrusted LocationsJan Schaumann
 
Headless Host Scanning
Headless Host ScanningHeadless Host Scanning
Headless Host ScanningJan Schaumann
 
Safely Drinking from the Data Waterhose
Safely Drinking from the Data WaterhoseSafely Drinking from the Data Waterhose
Safely Drinking from the Data WaterhoseJan Schaumann
 
Building better tools
Building better toolsBuilding better tools
Building better toolsJan Schaumann
 

Plus de Jan Schaumann (18)

The Razors Edge - Cutting your TLS Baggage
The Razors Edge - Cutting your TLS BaggageThe Razors Edge - Cutting your TLS Baggage
The Razors Edge - Cutting your TLS Baggage
 
OpSec101
OpSec101OpSec101
OpSec101
 
Know Your Enemy - An Introduction to Threat Modeling
Know Your Enemy - An Introduction to Threat ModelingKnow Your Enemy - An Introduction to Threat Modeling
Know Your Enemy - An Introduction to Threat Modeling
 
Crazy Like A Fox - #Infosec Ideas That Just Might Work
Crazy Like A Fox - #Infosec Ideas That Just Might WorkCrazy Like A Fox - #Infosec Ideas That Just Might Work
Crazy Like A Fox - #Infosec Ideas That Just Might Work
 
It's the people, stupid.
It's the people, stupid.It's the people, stupid.
It's the people, stupid.
 
Semper Ubi Sub Ubi - Things They Don't Teach You In School
Semper Ubi Sub Ubi - Things They Don't Teach You In SchoolSemper Ubi Sub Ubi - Things They Don't Teach You In School
Semper Ubi Sub Ubi - Things They Don't Teach You In School
 
Everything is Awful (And You're Not Helping)
Everything is Awful (And You're Not Helping)Everything is Awful (And You're Not Helping)
Everything is Awful (And You're Not Helping)
 
Defense at Scale
Defense at ScaleDefense at Scale
Defense at Scale
 
Primum non nocere - Ethical Obligations in Internet Operations
Primum non nocere - Ethical Obligations in Internet OperationsPrimum non nocere - Ethical Obligations in Internet Operations
Primum non nocere - Ethical Obligations in Internet Operations
 
Protecting Data in Untrusted Locations
Protecting Data in Untrusted LocationsProtecting Data in Untrusted Locations
Protecting Data in Untrusted Locations
 
Headless Host Scanning
Headless Host ScanningHeadless Host Scanning
Headless Host Scanning
 
Safely Drinking from the Data Waterhose
Safely Drinking from the Data WaterhoseSafely Drinking from the Data Waterhose
Safely Drinking from the Data Waterhose
 
PGP for Smarties
PGP for SmartiesPGP for Smarties
PGP for Smarties
 
Fancy pants
Fancy pantsFancy pants
Fancy pants
 
Ipv6 basics
Ipv6 basicsIpv6 basics
Ipv6 basics
 
Building better tools
Building better toolsBuilding better tools
Building better tools
 
Useless use of *
Useless use of *Useless use of *
Useless use of *
 
DST @ Yahoo!
DST @ Yahoo!DST @ Yahoo!
DST @ Yahoo!
 

Dernier

Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 
Time Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsTime Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsNathaniel Shimoni
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 
unit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxunit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxBkGupta21
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero
 
Training state-of-the-art general text embedding
Training state-of-the-art general text embeddingTraining state-of-the-art general text embedding
Training state-of-the-art general text embeddingZilliz
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteDianaGray10
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenHervé Boutemy
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxLoriGlavin3
 
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfMounikaPolabathina
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .Alan Dix
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek SchlawackFwdays
 
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESSALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESmohitsingh558521
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Manik S Magar
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxLoriGlavin3
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxLoriGlavin3
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionDilum Bandara
 

Dernier (20)

Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
Time Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsTime Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directions
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
unit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxunit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptx
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
Training state-of-the-art general text embedding
Training state-of-the-art general text embeddingTraining state-of-the-art general text embedding
Training state-of-the-art general text embedding
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test Suite
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache Maven
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
 
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdf
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESSALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An Introduction
 

L3DSR - Overcoming Layer 2 Limitations of Direct Server Return Load Balancing

  • 1. L3DSR – Overcoming Layer 2 Limitations of Direct Server Return Load Balancing Jan Schaumann, Systems Architect <jschauma@yahoo-inc.com>! E2A7 437A 7AB8 6EA1 7E1D! F6DC BF09 CDC9 E157 FAB8!
  • 2. Traditional or L2 DSR   "Direct Server Return" also known as: ›  "Direct Routing" ›  "SwitchBack" (Foundry/Brocade) ›  "nPath" (F5)   General packet flow: ›  clients send requests to a Virtual IP (VIP) served by the LoadBalancer ›  LB determines real server to forward the request to ›  LB performs MAC Address Translation (MAT) ›  server responds directly to client, bypassing the LB NANOG 51, Miami 2 January 30, 2011
  • 3. Traditional or L2 DSR   Client to LB: ›  Source IP: 1.1.1.1 ›  Destination IP: 2.2.2.2 ›  Destination MAC: AAAA   LB to Server: ›  Source IP: 1.1.1.1 ›  Destination IP: 2.2.2.2 ›  Destination MAC: BBBB   Server to Client: ›  Source IP: 2.2.2.2 ›  Destination IP: 1.1.1.1 ›  Destination MAC: default gateway's MAC NANOG 51, Miami 3 January 30, 2011
  • 4. Traditional or L2 DSR   Layers are independent (L2 does not care about L3 information)   LB and server both have VIP configured   server must not answer ARP for VIP   service must bind to VIP ›  service may also have to bind to real IP for health checking   LB and server need to be on the same L2 network segment NANOG 51, Miami 4 January 30, 2011
  • 5. Advantages of L2 DSR   Clients' source addresses are preserved ›  Yahoo! is very interested in knowing the source address of any incoming requests ›  SNAT loses the clients' addresses   Performance ›  LB only handles inbound packets ›  typical inbound traffic is much smaller than outbound traffic (about 1:8 for typical Yahoo! traffic) ›  normal DSR LBs at Y! can have hundreds of VIPs across hundreds of real servers, handling multiple Gbps of inbound traffic (tens of Gbps of outbound traffic) ›  SNAT forces all traffic through the LB NANOG 51, Miami 5 January 30, 2011
  • 6. Limitations of L2 DSR   server cannot directly respond to ARP requests for VIP ›  configuration of loopback aliases (or alias on interface marked as "down")   health checking requires additional configuration ›  service on VIP on loopback alias ›  service on VIP for health check (some models)   Port translation not possible ›  port selection is protocol dependent, so does not happen on Layer 2   LB and all servers need to be on the same L2 network segment ›  physical location of servers behind VIP restricted ›  flexibility within datacenter limited NANOG 51, Miami 6 January 30, 2011
  • 7. What's "wrong" with L2 anyway?   instability on very large (10K+ hosts) networks   STP designs require an active/backup design for rack uplinks – we wanted active/active for any single rack switch   if we require multiple L2 domains (for stability), hosts in different L2 domains cannot participate in the same VIP ›  physical location of servers behind VIP restricted ›  flexibility within datacenter limited NANOG 51, Miami 7 January 30, 2011
  • 8. How do we get from L2 to L3?   Server needs to know ›  client source address ›  VIP address for which the request was made   LB needs to ›  tell the server behind the VIP the source address of the client ›  send request to an IP different from the VIP ›  tell the server the original destination address (ie the VIP to serve) NANOG 51, Miami 8 January 30, 2011
  • 9. A simple matter of communication...   Where can we put extra information?   Options considered: ›  Generic Routing Encapsulation (GRE) ›  IP-in-IP tunnelling (RFC1853)   Main Issues: Path MTU Discovery ›  IP/IP and GRE add 24 bytes overhead ›  largest packet in tunnel would be 1476 bytes => PMTUD issues from client to LB ›  changing server side MTU to 1524 impacts all traffic on that host, may cause PMTUD issues from server to client NANOG 51, Miami 9 January 30, 2011
  • 10. A simple matter of communication...   Where can we put extra information?   Options considered: ›  Generic Routing Encapsulation (GRE) ›  IP-in-IP tunnelling (RFC1853) NANOG 51, Miami 10 January 30, 2011
  • 11. Something-something of Service   TOS, QoS, COS – none used in Yahoo!'s environment => we have 6 completely unused bits   we don't have to send the full address ›  server just needs to derive the full address from the information we relay   map these bits to VIPs: ›  "DSCP 010001 means original destination address was 1.1.1.2" ›  010001 => 1.1.1.2 ›  ...   let's reserve a few just in case...   use of bits 010XXX – 101XXX yields 40 values (per LB) NANOG 51, Miami 11 January 30, 2011
  • 12. L3DSR Packet Flow   LB and servers need to agree on DSCP <=> VIP mapping   LB sets DSCP bit according to known mapping   LB changes destination address to the server's (real) IP, keeps client's source address   Server checks DSCP bit   Server rewrites destination address according to known mapping to appropriate VIP   VIP configured on loopback alias as with L2DSR   Server responds to client's source address from VIP NANOG 51, Miami 12 January 30, 2011
  • 13. L3DSR Packet Flow   Incoming: ›  Client Source IP: 144.100.10.1! ›  Client Destination IP: 198.18.0.250! ›  DSCP: 0x0 (explicitly cleared)   LB to Server: ›  Source IP: 144.100.10.1! ›  Destination IP: 74.80.1.1! ›  DSCP: 0x4!   Server to Client: ›  Source IP: 198.18.0.250! ›  Destination IP: 144.100.10.1! NANOG 51, Miami 13 January 30, 2011
  • 14. Hardware Vendor Support   A10 AX3200 >= 2.2.5   Brocade ADX Series >= 12.1d   Brocade/Foundry ServerIron 450 ›  M7 and JetCore blades ›  >= 10.2.01p   Citrix Netscaler running 8.x, 9.x NANOG 51, Miami 14 January 30, 2011
  • 15. Hardware Vendor Support – A10 slb template port dscp_port_7! dscp 7! !! slb server hostname.yahoo.com 10.128.9.31! port 80 tcp! template port dscp_port_7! !! slb service-group vip1.yahoo.com:80 tcp! health-check status.html! member hostname.yahoo.com:80! !! slb virtual-server vip1.yahoo.com 10.128.8.45! port 80 tcp! service-group vip1.yahoo.com:80! no-dest-nat! NANOG 51, Miami 15 January 30, 2011
  • 16. Hardware Vendor Support – Brocade server remote-name hostname.yahoo.com 10.128.9.35 ! port default disable! port http! port http url "GET /index.html"! !! server virtual vip1.yahoo.com 10.1.128.49! tos-marking 7 hc-l3-dsr! port default disable! port http! bind http hostname.yahoo.com http! ! ! NANOG 51, Miami 16 January 30, 2011
  • 17. Hardware Vendor Support – Citrix add lb monitor index.html HTTP -respCode 200 !! -httpRequest "GET /index.html" -interval 7 !! -retries 2! add server hostname.yahoo.com 10.128.9.35! add service hostname.yahoo.com-80 !! hostname.yahoo.com ANY 80 !! -usip YES -cip DISABLED! bind lb monitor index.html hostname.yahoo.com-80! add lb vserver vip1.yahoo.com-80 ANY !! 10.128.8.44 80 -lbmethod ROUNDROBIN ! !! -m TOS -tosId 7! bind lb vserver vip1.yahoo.com-80 !! hostname.yahoo.com-80! NANOG 51, Miami 17 January 30, 2011
  • 18. Server OS Support – FreeBSD   Yahoo! developed kernel module providing a simple single-purpose packet filter   enable destination-address rewriting via sysctl(8)!   originally written by John Baldwin, now maintained by Jan Schaumann   a whooping 256 lines of code (including comments etc.)   support version 6 and above (i386/amd64) NANOG 51, Miami 18 January 30, 2011
  • 19. Server OS Support – FreeBSD $ sudo /sbin/kldload dscp_rewrite! $ /sbin/kldstat | grep dscp! 5 1 0xffffff8000be9000 106000 dscp_rewrite.ko! $ sudo sysctl -w net.inet.ip.dscp_rewrite.enabled=1! net.inet.ip.dscp_rewrite.enabled: 0 -> 1! $ sudo sysctl -w net.inet.ip.dscp_rewrite.7=10.1.128.49! net.inet.ip.dscp_rewrite.7: 0.0.0.0 -> 10.1.128.49! $ sudo /sbin/ifconfig lo0 10.1.128.49 netmask 0xffffffff alias! $ ifconfig -a! bce0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500! options=1bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4>! ether 00:15:c5:e5:4c:69! inet 10.128.9.35 netmask 0xffffff00 broadcast 10.128.9.255! media: Ethernet 1000baseTX <full-duplex>! status: active! lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384! inet6 fe80::1%lo0 prefixlen 64 scopeid 0x5! inet6 ::1 prefixlen 128! inet 127.0.0.1 netmask 0xff000000! inet 10.1.128.49 netmask 0xffffffff! NANOG 51, Miami 19 January 30, 2011
  • 20. Server OS Support – FreeBSD $ ping -c 3 -z 28 10.128.9.35 ! PING 10.128.9.35 (10.128.9.35): 56 data bytes! 64 bytes from 10.1.128.49: icmp_seq=0 ttl=64 time=0.035 ms! 64 bytes from 10.1.128.49: icmp_seq=1 ttl=64 time=0.046 ms! 64 bytes from 10.1.128.49: icmp_seq=2 ttl=64 time=0.045 ms! --- 10.128.9.35 ping statistics ---! 3 packets transmitted, 3 packets received, 0.0% packet loss! round-trip min/avg/max/stddev = 0.035/0.042/0.046/0.005 ms! 15:25:59.822743 IP (tos 0x1c, ttl 64, id 11612, offset 0, flags [none], proto ICMP (1), length 84) 10.128.9.35 > 10.128.9.35: ICMP echo request, id 22133, seq 0, length 64! 15:25:59.822759 IP (tos 0x1c, ttl 64, id 11613, offset 0, flags [none], proto ICMP (1), length 84) 10.1.128.49 > 10.128.9.35: ICMP echo reply, id 22133, seq 0, length 64! 15:26:00.823815 IP (tos 0x1c, ttl 64, id 11617, offset 0, flags [none], proto ICMP (1), length 84) 10.128.9.35 > 10.128.9.35: ICMP echo request, id 22133, seq 1, length 64! 15:26:00.823831 IP (tos 0x1c, ttl 64, id 11618, offset 0, flags [none], proto ICMP (1), length 84) 10.1.128.49 > 10.128.9.35: ICMP echo reply, id 22133, seq 1, length 64! 15:26:01.835959 IP (tos 0x1c, ttl 64, id 11621, offset 0, flags [none], proto ICMP (1), length 84) 10.128.9.35 > 10.128.9.35: ICMP echo request, id 22133, seq 2, length 64! NANOG 51, Miami 20 January 30, 2011
  • 21. Server OS Support – RHEL   Yahoo! developed kernel module and iptables(8) plugin to allow mangling of the DSCP field   enable destination-address rewriting via iptables(8)!   originally written and now maintained by Quentin Barnes   another whooping ~200 lines of code or so   supports RHEL 4, 5 (i386/amd64; xenU) NANOG 51, Miami 21 January 30, 2011
  • 22. Server OS Support – RHEL $ sudo iptables -t mangle -A PREROUTING -m dscp –dscp 7 -j DADDR --set-daddr=10.128.8.46 ! $ lsmod | grep ipt! iptable_mangle 4545 1! ipt_DADDR 4352 5! ipt_dscp 3137 5! ip_tables 21825 3 iptable_mangle,ipt_DADDR,ipt_dscp! $!sudo iptables -t mangle -L! $ Chain PREROUTING (policy ACCEPT)! target prot opt source destination! DADDR all -- anywhere anywhere DSCP match 0x1c DADDR set 10.128.8.46! [...]! $ sudo ifconfig lo:1 10.128.8.46 netmask 255.255.255.255! $ ifconfig -a | more! eth0 Link encap:Ethernet HWaddr 00:11:43:E1:DA:F0! inet addr:10.128.9.31 Bcast:10.128.9.255 Mask:255.255.255.0! UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1! lo:1 Link encap:Local Loopback! inet addr:10.128.8.46 Mask:255.255.255.255! UP LOOPBACK RUNNING MTU:16436 Metric:1! NANOG 51, Miami 22 January 30, 2011
  • 23. Server OS Support – RHEL $ ping -c 3 –Q 28 10.128.9.31! PING 10.128.9.31 (10.128.9.31) 56(84) bytes of data.! 64 bytes from 10.128.8.46: icmp_seq=0 ttl=64 time=0.084 ms! 64 bytes from 10.128.8.46: icmp_seq=1 ttl=64 time=0.106 ms! 64 bytes from 10.128.8.46: icmp_seq=2 ttl=64 time=0.112 ms! --- 10.128.9.31 ping statistics ---! 3 packets transmitted, 3 received, 0% packet loss, time 2000ms! rtt min/avg/max/mdev = 0.084/0.100/0.112/0.016 ms, pipe 2! 07:57:27.121040 IP (tos 0x1c, ttl 64, id 0, offset 0, flags [DF], proto 1, length: 84) 10.128.9.32 > 10.128.9.31: icmp 64: echo request seq 0! 07:57:27.121049 IP (tos 0x1c, ttl 64, id 7562, offset 0, flags [none], proto 1, length: 84) 10.128.8.46 > 10.128.9.32: icmp 64: echo reply seq 0! 07:57:28.120800 IP (tos 0x1c, ttl 64, id 0, offset 0, flags [DF], proto 1, length: 84) 10.128.9.32 > 10.128.9.31: icmp 64: echo request seq 1! 07:57:28.120807 IP (tos 0x1c, ttl 64, id 7563, offset 0, flags [none], proto 1, length: 84) 10.128.8.46 > 10.128.9.32: icmp 64: echo reply seq 1! 07:57:29.120608 IP (tos 0x1c, ttl 64, id 0, offset 0, flags [DF], proto 1, length: 84) 10.128.9.32 > 10.128.9.31: icmp 64: echo request seq 2! 07:57:29.120616 IP (tos 0x1c, ttl 64, id 7564, offset 0, flags [none], proto 1, length: 84) 10.128.8.46 > 10.128.9.32: icmp 64: echo reply seq 2! NANOG 51, Miami 23 January 30, 2011
  • 24. L3DSR Health Checking   need to be able to check to see if the iptables plugin/kernel module is in place and working correctly – otherwise traffic may get blackholed   LB sends: ›  Source IP: <LB IP> Dest IP: <Server IP> ›  Healthcheck URL "GET /index.html" ›  DSCP: 7   Server replies: ›  Source IP: <VIP IP> Dest IP: <LB IP> ›  Status code "200 OK"   due to destination address rewriting, source/destination on the LB do not match NANOG 51, Miami 24 January 30, 2011
  • 25. L3DSR Benefits   Location Independence of servers within the datacenter ›  we can physically move hosts across different Layer 2 segments ›  we can rebuild a host on a different Layer 2 segment, then use it to replace broken hosts ›  we can deploy new hosts to add to existing VIPs without concern for the physical location / IP allocation within same Layer 2 segment   Preservation of clients' source address   DSR Performance ›  up to 8x the number of VIPs per LB compared to other L3 techniques NANOG 51, Miami 25 January 30, 2011
  • 26. L3DSR Drawbacks   use of DSCP bits reserved for L3DSR cannot simultaneously be used for QoS   need to keep track of the DSCP <=> VIP mappings ›  extend the database storing VIP settings ›  update any tools used to turn centrally stored values into host configuration   increased complexity ›  host configuration now requires additional kernel modules and configuration steps ›  new code and new configuration options on load balancers ›  more places where things can go wrong NANOG 51, Miami 26 January 30, 2011
  • 27. L3DSR Caveats 22:43:43.855888 IP (tos 0x1c, ttl 64, id 35851, offset 0, flags [none], proto ICMP (1), length 84, bad cksum 0 (->251c)!) 10.163.162.14 > 10.163.163.17: ICMP echo request, id 6179, seq 0, length 64! 22:43:43.856092 IP (tos 0x0, ttl 64, id 16332, offset 0, flags [none], proto ICMP (1), length 84) 10.163.163.17 > 10.163.162.14: ICMP echo reply, id 6179, seq 0, length 64! 22:43:44.897346 IP (tos 0x1c, ttl 64, id 35856, offset 0, flags [none], proto ICMP (1), length 84, bad cksum 0 (->2517)!) 10.163.161.14 > 10.163.163.17: ICMP echo request, id 6179, seq 1, length 64! 22:43:43.855888 IP (tos 0x0, ttl 64, id 35851, offset 0, flags [none], proto: ICMP (1), length: 84) 10.163.162.14 > 10.163.163.17: ICMP echo request, id 6179, seq 0, length 64! 22:43:43.856092 IP (tos 0x0, ttl 64, id 16332, offset 0, flags [none], proto: ICMP (1), length: 84, bad cksum 0 (->715b)!) 10.163.163.17 > 10.163.162.14: ICMP echo reply, id 6179, seq 0, length 64! 22:43:44.897346 IP (tos 0x0, ttl 64, id 35856, offset 0, flags [none], proto: ICMP (1), length: 84) 10.163.162.14 > 10.163.163.17: ICMP echo request, id 6179, seq 1, length 64! NANOG 51, Miami 27 January 30, 2011
  • 28. L3DSR Caveats A10: slb template port dscp_port_7! dscp 7! Brocade: server virtual vip1.yahoo.com 10.1.128.49! tos-marking 7 hc-l3-dsr! Citrix: add lb vserver vip1.yahoo.com-80 ANY !! 10.128.8.44 80 -lbmethod ROUNDROBIN ! !! -m TOS -tosId 7! NANOG 51, Miami 28 January 30, 2011
  • 29. L3DSR Caveats $ ping -c 3 -z 28 10.128.9.35 ! PING 10.128.9.35 (10.128.9.35): 56 data bytes! 64 bytes from 10.1.128.49: icmp_seq=0 ttl=64 time=0.035 ms! 64 bytes from 10.1.128.49: icmp_seq=1 ttl=64 time=0.046 ms! DSCP = 7 (configure) 64 bytes from 10.1.128.49: icmp_seq=2 ttl=64 time=0.045 ms! TOS = 28 (check) --- 10.128.9.35 ping statistics ---! Hex = 0x1c (troubleshoot) 3 packets transmitted, 3 packets received, 0.0% packet loss! round-trip min/avg/max/stddev = 0.035/0.042/0.046/0.005 ms! $! 15:25:59.822743 IP (tos 0x1c, ttl 64, id 11612, offset 0, flags [none], proto ICMP (1), length 84) 10.128.9.35 > 10.128.9.35: ICMP echo request, id 22133, seq 0, length 64! 15:25:59.822759 IP (tos 0x1c, ttl 64, id 11613, offset 0, flags [none], proto ICMP (1), length 84) 10.1.128.49 > 10.128.9.35: ICMP echo reply, id 22133, seq 0, length 64! 15:26:00.823815 IP (tos 0x1c, ttl 64, id 11617, offset 0, flags [none], proto ICMP (1), length 84) 10.128.9.35 > 10.128.9.35: ICMP echo request, id 22133, seq 1, length 64! 15:26:00.823831 IP (tos 0x1c, ttl 64, id 11618, offset 0, flags [none], proto ICMP (1), length 84) 10.1.128.49 > 10.128.9.35: ICMP echo reply, id 22133, seq 1, length 64! 15:26:01.835959 IP (tos 0x1c, ttl 64, id 11621, offset 0, flags [none], proto ICMP (1), length 84) 10.128.9.35 > 10.128.9.35: ICMP echo request, id 22133, seq 2, length 64! NANOG 51, Miami 29 January 30, 2011
  • 30. Future Enhancements   Port Translation ›  now possible – we're on Layer 3 ›  may require the server-side kernel module to also rewrite the port of the incoming packets   Revisit the Loopback Alias ›  if hosts are guaranteed to be on separate l2 segments, VIP can be aliased on the real interface •  Pro: packets don't get pushed up and down the TCP stack on entry •  Con: hosts now must be on different L2 segments; host configuration deviates (more) from other VIP configurations; LB configuration increases in complexity NANOG 51, Miami 30 January 30, 2011
  • 31. Future Enhancements: IPv6   use Traffic Class field?   use Destination Options EH?   define new EH? NANOG 51, Miami 31 January 30, 2011
  • 32. Open Source L3DSR   LB vendor support is already there   internal process started to open source FreeBSD and Linux kernel modules and iptables(8) extension as well as helper tools and glue scripts   preferred license: BSD ›  linux bits may require GPL   most likely to be hosted on GitHub NANOG 51, Miami 32 January 30, 2011
  • 33. L3DSR at a glance   allows for Direct Server Return Load Balancing across Layer 3 ›  location independence of servers in a VIP ›  high performance ›  preservation of clients' source address   uses the DSCP field in the IPv4 header to relay information to the servers in a VIP ›  use of DSCP bits reserved for L3DSR cannot be used for QoS ›  debugging/configuration at times confusing   supported by A10, Brocade/Foundry, Citrix   server support on FreeBSD and RHEL ›  servers rewrite destination address of incoming packets based on DSCP values   future enhancements include: IPv6 support, port translation, open sourcing of kernel modules NANOG 51, Miami 33 January 30, 2011