On 09.01.2014 02:18, "Jamie Dahl" <jam...@meatball.net> wrote:
>
> So, L3DSR is something that some companies with some larger
> implementations use to get around certain shortcomings in large scale L2
> networks..
> http://www.slideshare.net/jschauma/l3dsr-overcoming-layer-2-limitations-of-direct-server-return-load-balancing
>
> I'm curious if this has ever been explored using LVS+iptables, (where
> you'd actually have iptables set the DSCP outbound
I recently switched our LVS+Realserver setup to a very similar approach, using DSCP marking between LVS (in NAT mode, though) and realservers to map different external IP:443 connections to different internal realserverip:PORTs (different internal ports on the realservers) to separate different SSL target / certificate combinations.

On the LVS host, a single virtual server (fwmark based) switches to realserver port 80 (destination IP+port NAT). Up-front on the LVS host, iptables mangle/PREROUTING rules matching on external IP+port select both the fwmark to steer the LVS virtual server (we did that before), _and_ set a suitable DSCP value so that different SSL certificate contexts use a different DSCP value.

On the realservers, apache listens on ports 443, 444, 445 etc. with a suitable SSL virtual host config for each port. And also on the realservers, iptables nat/PREROUTING rules match on the DSCP values and then use the REDIRECT target to distribute to these local ports 443, 444, 445 etc.

The previous setup had multiple internal IPs on each realserver, one for each different SSL context - now everything uses a single internal IP. Also, the previous setup had a separate LVS virtual server (and fwmark value) for each different SSL context, with separate health checks - now it is a single virtual server with a single health check per realserver.

The setup works perfectly. In any case, the LVS code itself does not care or mess with the DSCP values you set with iptables, so you can use them orthogonally as suitable for your setup goals.

One thing to watch for is to clear the DSCP field (set it to 0) up-front on the LVS host, first thing in mangle/PREROUTING, so that stray connections do not accidentally reach the realservers with external client set DSCP values.
best regards
Patrick

_______________________________________________
Please read the documentation before posting - it's available at: http://www.linuxvirtualserver.org/
LinuxVirtualServer.org mailing list - lvs-users@LinuxVirtualServer.org
Send requests to lvs-users-requ...@linuxvirtualserver.org or go to http://lists.graemef.net/mailman/listinfo/lvs-users
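As an added example (not from Patrick's post or the LVS project), a POSIX shell script that generates the two rule sets he describes: the LVS-host mangle/PREROUTING rules that clear and then set DSCP plus fwmark, and the realserver nat/PREROUTING rules that REDIRECT by DSCP. The VIPs 203.0.113.x, DSCP values 10-12, fwmark 100 and the port mapping are constructed placeholders.

```shell
#!/bin/sh
# Added example: generate iptables rules for DSCP-based SSL context steering
# between an LVS NAT host and its realservers. Values below are assumptions.
# Default is a dry run that prints the commands; set IPT=iptables to apply.
IPT="${IPT:-echo iptables}"

# Constructed mapping, one context per line:
# "<external VIP> <DSCP value (decimal)> <realserver local port>"
CONTEXTS="203.0.113.10 10 443
203.0.113.11 11 444
203.0.113.12 12 445"

FWMARK=100   # the single fwmark-based LVS virtual server (assumed value)

lvs_host_rules() {
    # First rule: clear any client-supplied DSCP so stray connections
    # never reach a realserver carrying an externally chosen value.
    $IPT -t mangle -A PREROUTING -j DSCP --set-dscp 0
    printf '%s\n' "$CONTEXTS" | while read -r vip dscp port; do
        # Match external VIP:443, steer into the fwmark virtual server
        # and tag the connection with this context's DSCP value.
        # MARK and DSCP are non-terminating targets, so both rules apply.
        $IPT -t mangle -A PREROUTING -d "$vip" -p tcp --dport 443 \
            -j MARK --set-mark "$FWMARK"
        $IPT -t mangle -A PREROUTING -d "$vip" -p tcp --dport 443 \
            -j DSCP --set-dscp "$dscp"
    done
}

realserver_rules() {
    printf '%s\n' "$CONTEXTS" | while read -r vip dscp port; do
        # LVS has NATed the packet to realserver port 80; the DSCP value
        # (untouched by IPVS) selects the local SSL listener port.
        $IPT -t nat -A PREROUTING -p tcp --dport 80 -m dscp --dscp "$dscp" \
            -j REDIRECT --to-ports "$port"
    done
}

main() {
    lvs_host_rules
    realserver_rules
}
```

The ipvsadm definition of the fwmark virtual server itself is not shown; a quick check of the scheme is `tcpdump -v` on a realserver, where the TOS/DSCP field of each incoming port-80 SYN should match the context that was hit on the VIP.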