DSR

From LB Wiki

Revision as of 03:43, 19 June 2008 by Tony (Talk | contribs)

Direct Server Return, or DSR as it's widely known, is a method whereby a server in a load balancing configuration responds directly to the client, bypassing the load balancer on the way out. Most load balancers support this configuration. It works by using a process known as MAT (MAC Address Translation).

How It Works

In the diagram below, you can see the basic traffic flow of a DSR load balanced connection.

Diagram 1: DSR Traffic Path

Note that both the server and the load balancer have the IP address 2.2.2.2. One of the first things you probably learned about networking is that two systems can't have the same IP address on a Layer-2 network. Load balancing is normally a 4-step process. With DSR, it's shortened to 3 steps.

  • Step 1: Client to load balancer
  • Step 2: Load balancer to server
  • Step 3: Server to client

Here is how the NAT/MAC address translation works out:


DSR NAT Table

Step    Process                  Source IP  Destination IP  Destination MAC
Step 1  Client to load balancer  1.1.1.1    2.2.2.2         AAAA
Step 2  Load balancer to server  1.1.1.1    2.2.2.2         BBBB
Step 3  Server to client         2.2.2.2    1.1.1.1         (default gateway's MAC)


So how do we get this to work? Let's take a look at the two primary issues.

You Can't Have Two Systems With the Same IP Address

This is true: you can't have two systems with the same IP address on a Layer-2 network. However, you'll notice that the address 2.2.2.2 is on the loopback interface of the server. The loopback interface doesn't actually sit on any physical network, so it doesn't ARP, meaning it doesn't announce its presence. It's kind of like a kid in class who doesn't respond with "here" during roll-call. So by putting the 2.2.2.2 VIP address on the server's loopback interface, we don't violate any rules or RFCs.

How Does the Server Respond to Traffic If the IP Address Isn't Even on the Physical Interface?

One of the basics of networking is that the OSI layers operate independently of each other. So Layer-2 switches aren't aware of Layer-3 information. In step 2 of the 3-step DSR process, we change the MAC address to that of the server's MAC address, while still leaving the Layer 3 information the same. Because Layer 2 operates independently, it doesn't matter what the IP addressing is at this point, the Ethernet frame still gets delivered to the server.

The server sees the frame, and because the destination MAC address is correct, it accepts the frame, unwraps it to reveal the IP packet, and hands that packet to the TCP/IP stack. The TCP/IP stack looks at the IP packet and sees that the destination IP address (2.2.2.2) is one that exists on the server. The web server, listening on 2.2.2.2, responds, sending the packet back out to the network.

Tricking The Web Server

And voila, we've tricked the server into doing the NAT for us. The server responds with a source address of 2.2.2.2, and so the packets can go directly to the client without the load balancer needing to NAT on the way out.
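The three-step flow in the NAT table above, as an added Python simulation that is not part of the original wiki page: the AAAA/BBBB placeholders and the gateway MAC are mapped to constructed 48-bit addresses, and each packet is a bare IPv4 header plus raw bytes (no TCP header) to keep it short. It shows that step 2 touches only the Ethernet addresses, so the IP header and its checksum pass through unchanged, and that the step 3 reply leaves from the VIP straight to the gateway.

```python
import struct

# Constructed addresses for the page's DSR example (assumption: AAAA -> aa:.., BBBB -> bb:..).
CLIENT_IP, VIP = "1.1.1.1", "2.2.2.2"
LB_MAC, SERVER_MAC, GW_MAC = "aa:aa:aa:aa:aa:aa", "bb:bb:bb:bb:bb:bb", "cc:cc:cc:cc:cc:cc"

def mac_bytes(s): return bytes.fromhex(s.replace(":", ""))
def mac_str(b): return ":".join(f"{x:02x}" for x in b)
def ip_bytes(s): return bytes(int(o) for o in s.split("."))
def ip_str(b): return ".".join(str(x) for x in b)

def ipv4_checksum(hdr):
    # One's-complement sum of 16-bit words; a valid header (checksum included) sums to 0.
    total = sum(struct.unpack(f"!{len(hdr) // 2}H", hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_frame(dst_mac, src_mac, src_ip, dst_ip, payload=b""):
    """Ethernet II frame carrying a minimal IPv4 packet (protocol 6, payload is raw bytes)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, 6, 0,
                      ip_bytes(src_ip), ip_bytes(dst_ip))
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return mac_bytes(dst_mac) + mac_bytes(src_mac) + b"\x08\x00" + hdr + payload

def parse_frame(frame):
    """Return the Layer-2 and Layer-3 addresses plus the raw IP header of a frame."""
    assert struct.unpack("!H", frame[12:14])[0] == 0x0800, "not IPv4"
    ip = frame[14:]
    return {"dst_mac": mac_str(frame[:6]), "src_mac": mac_str(frame[6:12]),
            "src_ip": ip_str(ip[12:16]), "dst_ip": ip_str(ip[16:20]), "ip_header": ip[:20]}

def lb_mac_translate(frame, server_mac, lb_mac):
    """Step 2: the load balancer rewrites only the MAC addresses; the IP packet is untouched."""
    return mac_bytes(server_mac) + mac_bytes(lb_mac) + frame[12:]

def server_reply(frame, gw_mac, server_mac, payload):
    """Step 3: the VIP is local (on lo), so the server answers from it straight to the gateway."""
    p = parse_frame(frame)
    return build_frame(gw_mac, server_mac, p["dst_ip"], p["src_ip"], payload)

def dsr_flow(request=b"GET / HTTP/1.0\r\n\r\n", response=b"HTTP/1.0 200 OK\r\n\r\n"):
    """Run the three steps from the NAT table and return the parsed view of each frame."""
    step1 = build_frame(LB_MAC, GW_MAC, CLIENT_IP, VIP, request)   # client -> load balancer
    step2 = lb_mac_translate(step1, SERVER_MAC, LB_MAC)            # load balancer -> server
    step3 = server_reply(step2, GW_MAC, SERVER_MAC, response)      # server -> client (via gateway)
    return [parse_frame(f) for f in (step1, step2, step3)]

if __name__ == "__main__":
    for n, f in enumerate(dsr_flow(), 1):
        print(f"Step {n}: {f['src_ip']} -> {f['dst_ip']}  dst MAC {f['dst_mac']}")
```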

Advantages

  • Performance: Because the load balancer handles perhaps one packet in for every eight packets out, depending on the traffic profile, the load balancer does substantially less work. This is even more dramatic for streaming media, where the load balancer deals with one packet in for every 100, 1,000, or more packets outbound. You could then have a site pushing a Gigabit of traffic, and the load balancer only deals with about a megabit per second of traffic.

Disadvantages

  • You can only perform Layer 4 load balancing with this method. Layer 7 requires the ability to proxy a connection. Layer 7 load balancing, such as URL parsing and cookie persistence, will not work.
  • DSR requires some very specific configuration on the servers to work. They must "spoof" the source address of an IP that exists on another system. The server must have that IP address configured, but it cannot announce that IP on the network. This can be done in one of two ways:
    • Configuring the IP address on the loopback interface
    • Configuring the IP address as an alias IP on an Ethernet interface, but making that IP administratively down (this is rare)
