Global Settings for L4xNAT Farm Profile
The L4xNAT farm profile creates an LSLB farm at layer 4 with very high performance and far more concurrent connections than layer 7 load balancer cores such as the HTTP farm profile. The price of that layer 4 performance is the advanced content handling that only a layer 7 farm profile can provide.
Additionally, the L4xNAT farm profile can bind a range of ports, not only a single virtual port as the layer 7 farm profiles do. To select a range of virtual ports or a specific virtual port in an L4xNAT farm profile, a protocol type must be selected; otherwise the farm listens on all ports of the virtual IP (set with the character ‘*’). Once TCP or UDP is selected, the port field accepts a single port, several ports separated by ‘,’, a port range written with ‘:’, or all ports with ‘*’. Any combination of these is also valid.
The options specific to an L4xNAT farm profile are detailed in this section. Farm Guardian is recommended with this profile because it has no default health check for the backends.
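As an added example (not Zevenet code), the following parser implements the virtual port syntax just described: a single port, a ‘,’ separated list, a ‘:’ range, ‘*’ for every port, and combinations of them. The validation rules beyond the page (ports 1 to 65535, a range must not be reversed, protocol ALL only accepts ‘*’) are assumptions.

```python
# Added example, not Zevenet's own code: parses the L4xNAT virtual port field.
# Assumed rules: ports are 1..65535, a range low:high must not be reversed,
# and protocol ALL only accepts '*' (the GUI forces that value).

ALL_PORTS = frozenset(range(1, 65536))


def _port(text: str) -> int:
    """Validate a single port token and return it as an int."""
    if not text.isdigit() or not 1 <= int(text) <= 65535:
        raise ValueError(f"invalid port {text!r}")
    return int(text)


def parse_virtual_ports(spec: str, protocol: str) -> frozenset:
    """Return the set of ports the farm listens on for the given protocol.

    protocol is 'ALL', 'TCP' or 'UDP'; the SIP, FTP and TFTP types use a
    fixed default port and are not handled here.
    """
    spec = spec.replace(" ", "")
    if protocol == "ALL":
        # With ALL the virtual port is '*' and cannot be edited.
        if spec not in ("", "*"):
            raise ValueError("protocol ALL listens on every port; use '*'")
        return ALL_PORTS
    if protocol not in ("TCP", "UDP"):
        raise ValueError(f"unsupported protocol {protocol!r}")
    if not spec:
        raise ValueError("a port, list, range or '*' is required for TCP/UDP")
    ports = set()
    for token in spec.split(","):
        if token == "*":
            return ALL_PORTS          # '*' anywhere in the list means every port
        low, sep, high = token.partition(":")
        first = _port(low)
        last = _port(high) if sep else first
        if last < first:
            raise ValueError(f"range {token!r} is reversed")
        ports.update(range(first, last + 1))
    return frozenset(ports)


if __name__ == "__main__":
    print(sorted(parse_virtual_ports("80,443,8000:8003", "TCP")))
```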
The Status is shown by means of colour bullets as follows:
- Green: Means UP. The farm is running and all backends are UP, or the redirect is configured.
- Red: Means DOWN. The farm is stopped.
- Orange: Means RESTART NEEDED. There are recent changes that need a farm restart to be applied.
- Black: Means CRITICAL. The farm is UP but no backend is available, or all of them are in maintenance mode.
- Blue: Means PROBLEM. The farm is running but at least one backend is down.
- Yellow: Means MAINTENANCE. The farm is running but at least one backend is in maintenance mode.
These colour codes are the same throughout the graphical user interface. They are explained in more detail in the LSLB Farms section.
The parameters of the basic L4xNAT farm profile are the following:
Name. The identification field and description of the farm service. To change this value you have to stop the farm first. Make sure the new farm name is not already in use, or an error message will appear.
Virtual IP and PORT. The virtual IP address and/or virtual PORT to which the farm is bound and on which it listens on the load balancer system. Before changing these fields, make sure the new virtual IP and virtual PORT are not in use. The farm service is restarted automatically to apply the changes.
Protocol Type. This field specifies the protocol to be balanced at layer 4. By default, the farm is available for all layer 4 protocols.
- ALL. The farm listens for incoming connections to the current virtual IP and port(s) over all protocols. If you select this option, the virtual port is set to ‘*’ by default and cannot be edited, so the farm listens on all ports.
- TCP. With this option, the farm listens for incoming TCP connections to the current virtual IP and port(s).
- UDP. With this option, the farm listens for incoming UDP connections to the current virtual IP and port(s).
- SIP. With this option, the farm listens for incoming UDP connections to the current virtual IP and port 5060 by default, and parses the SIP headers of each packet so that it is delivered correctly to the backends.
- FTP. With this option, the farm listens for incoming TCP connections to the current virtual IP and port 21 by default, and parses the FTP headers of each packet so that it is delivered correctly to the backends. Two modes are supported: active and passive.
- TFTP. With this option, the farm listens for incoming UDP connections to the current virtual IP and port 69 by default, and parses the TFTP headers of each packet so that it is delivered correctly to the backends.
NAT Type. This field indicates the NAT type, that is, how the layer 4 topology operates. Which option fits your service and infrastructure best depends on the network architecture you have defined. By default, the farm operates in NAT mode.
- NAT. The NAT mode, commonly called SNAT (source NAT), uses the load balancer IP as the source IP address of the connection to the backend, so the backend does not know the client IP address at the TCP, UDP or any other layer 4 protocol level. The backend therefore answers to the load balancer, which sends the response back to the client. This topology allows a one-armed load balancer (load balancing with just one network interface).
- DNAT. The DNAT (Destination NAT) mode uses the client IP address as the source IP address of the connection to the backend, so the backend responds directly to the client IP. In this case, the load balancer IP must be configured as the default gateway of the backends, and the backend network must be isolated from the client service network. This topology provides transparency between clients and backends.
Logs. Enable the logging option to record the connections received by the farm. This is only recommended for debugging or monitoring purposes, because it reduces the amount of traffic that can be balanced.
Services for L4xNAT Farm Profile
The service created at layer 4 provides the following options to manage the data path and the behaviour of connections.
Load Balance Algorithm. This field specifies the load balancing algorithm used to choose the backend server. The weight algorithm is selected by default.
- Weight: connection linear dispatching by weight. Balances connections according to the weight value assigned to each backend. Requests are delivered using a probabilistic algorithm based on the defined weights.
- Priority: connections always go to the highest-priority available backend. Balances all connections to the same highest-priority server. If that server is down, connections switch to the server with the next highest priority. With this algorithm you can build an active-passive cluster service with the real servers.
- Least Connections: connections always go to the server with the fewest connections. It selects the backend with the least number of active connections, so that the load of the active requests is balanced to the real server with the most connection capacity available.
The Persistence options are the following.
Persistence Mode. This field determines whether any persistence is used in the configured farm. By default, no persistence is used.
- No persistence. The farm does not use any kind of persistence between the client and the backend.
- IP persistence. With this option, the farm assigns the same backend to every connection coming from the same client source IP address.
Persistence Session Time to Live. If a persistence mode is selected, this value is the number of seconds for which the persistence between the client source and the backend is kept.
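The following model, added here and not Zevenet's own scheduler, ties together the three load balance algorithms above, the per-backend MAX. CONNS limit described under Backends, and IP persistence with a session time to live. It assumes the TTL is refreshed on every new connection from a client and that a persisted backend which is down, in maintenance or full is skipped and the client is re-dispatched.

```python
import random
from dataclasses import dataclass

# Added illustration, not Zevenet code: the selection rules on this page (weight,
# priority, least connections), the MAX. CONNS limit and IP persistence with a
# session TTL. Assumption: the TTL is refreshed on each new client connection.

@dataclass(eq=False)            # identity comparison: each backend is one object
class Backend:
    ip: str
    weight: int = 1      # 1..9, weight algorithm: higher weight, more flows
    priority: int = 1    # 0..9, priority algorithm: lower value wins
    maxconns: int = 0    # 0 means unlimited
    conns: int = 0       # flows currently established to this backend
    status: str = "up"   # "up", "down" or "maintenance"

class L4Service:
    def __init__(self, backends, algorithm="weight", persistence=None, ttl=0, seed=None):
        self.backends, self.algorithm = backends, algorithm
        self.persistence, self.ttl = persistence, ttl   # None or "ip"
        self.rng = random.Random(seed)
        self.sessions = {}   # client source IP -> (backend, expiry time)

    def _available(self):   # UP and below MAX. CONNS; maintenance/down are skipped
        return [b for b in self.backends if b.status == "up"
                and (b.maxconns == 0 or b.conns < b.maxconns)]

    def _pick(self, pool):
        if self.algorithm == "weight":      # probabilistic, proportional to weight
            return self.rng.choices(pool, [b.weight for b in pool])[0]
        if self.algorithm == "prio":        # all flows to the best available priority
            return min(pool, key=lambda b: b.priority)
        if self.algorithm == "leastconn":
            return min(pool, key=lambda b: b.conns)
        raise ValueError(f"unknown algorithm {self.algorithm!r}")

    def new_connection(self, client_ip, now=0.0):
        """Assign a backend to a new flow; None means no backend is usable."""
        pool = self._available()
        if not pool:
            return None
        entry = self.sessions.get(client_ip) if self.persistence == "ip" else None
        if entry and entry[1] > now and entry[0] in pool:   # still valid and usable
            backend = entry[0]
        else:
            backend = self._pick(pool)
        if self.persistence == "ip":
            self.sessions[client_ip] = (backend, now + self.ttl)
        backend.conns += 1
        return backend
```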
L4xNAT farms do not provide an intrinsic health check of the backends, so a Farm Guardian configuration is required for this kind of virtual service.
Built-in or customised advanced health checks can be assigned to this service from the Farm Guardian checks already created.
For further information about Farm Guardian, see the Monitoring >> Farm Guardian section.
Finally, to apply these changes, click the green Update button; a confirmation message appears in the bottom left corner of the browser.
In the Backends section, the L4xNAT farm profile allows the following real server properties to be configured:
All the backends must be IPv4 or IPv6, with the same IP version as the farm VIP.
ID. The index that references the backend in the farm configuration.
ALIAS. The backend alias, if one was defined for the backend.
IP. The IP address of the given backend. If you have selected an alias, this field is not editable and you should change the alias field instead. If you have selected ‘Custom IP’ in the alias field, this field is editable and accepts the desired IP.
PORT. The port of the current real server. If it is left blank or set to ‘*’, connections are redirected to the same port on which they were received.
MAX. CONNS. The maximum number of flows or established connections to a given backend. Once the limit of clients connected to that backend has been reached, further connections are refused and the client has to reconnect to another suitable backend. The default value is 0, unlimited.
WEIGHT. The weight of the current real server, which is only meaningful if the Weight algorithm is enabled. A higher weight means more connections delivered to the backend. By default a weight of 1 is set. The available range is 1 to 9.
PRIORITY. The priority of the current real server, which is only meaningful if the Priority algorithm is enabled. The accepted priority value is between 0 and 9; a lower value means higher priority for the real server. By default a priority of 1 is set. The available range is 1 to 9.
ACTION. The available actions per backend are:
- Enable Maintenance. This action is available if the backend is started. It puts the real server in maintenance mode, so no new connections are redirected to it. There are two ways to enable maintenance mode:
- Drain Mode. Keeps established connections, and persistence if enabled, but does not admit new connections.
- Cut Mode. Directly drops all active connections to the backend.
- Disable Maintenance. This action is available if the backend is in maintenance. It allows new connections to the real server again after maintenance.
- Delete. Removes the given real server from the virtual service. The alias is not deleted.
- Save. Saves the new real server entry in the given service and starts using it.
- Cancel. Cancels the new real server entry.
The Actions menu button offers the following actions for the selected backends:
- Add Backend. Opens the backend addition form.
- The actions mentioned above: Enable maintenance (Drain and Cut mode), Disable maintenance and Delete.
You can also modify a previously added backend: hovering the mouse pointer over a field shows whether it is editable, and clicking it lets you edit the value. The change is sent when you press the Enter key or when the field loses focus.
IPDS Rules for L4xNAT farms
This section lets you enable IPDS rules. The list shows the different types of protection and a select box to enable them. For further information, see the IPDS >> Black List, IPDS >> DoS or IPDS >> RBL documentation.
For each of the three types of IPDS rules, Blacklist, DoS and RBL, a summary table shows the following fields:
- RULE NAME. The name of the rule.
- STATUS. Shows whether the rule is active (up) or not (stopped).
- ACTIONS. This button lets you interact with the rules. The possible actions are explained below.
The available actions for IPDS rules applied to the farm are:
- Add rule. Creates and assigns a new rule to the farm.
- Unset. Unassigns an IPDS rule from the farm.
- Enable Rules. Activates the selected IPDS rules for the given farm.
- Disable Rules. Deactivates the selected IPDS rules for the given farm.
When you add a new IPDS rule, select from the list the rule(s) you would like to apply (multiple selection is allowed). See the following picture:
After selecting the rule to be applied, a screen like the next one appears, showing the new rule associated with the farm. Initially the rule Status is Down. To activate the rule, press the green play icon in the Actions column; a message announces that the rule has been activated.