Citrix ADC

Use case 7: Configure load balancing in DSR mode by using IP Over IP

You can configure your Citrix ADC appliance to use direct server return (DSR) mode across Layer 3 networks by using IP tunneling, also called IP over IP configuration. As with standard load balancing configurations for DSR mode, this allows servers to respond to clients directly instead of using a return path through the Citrix ADC appliance, improving response times and throughput. As with standard DSR mode, the Citrix ADC appliance monitors the servers and performs health checks on the application ports.

With IP over IP configuration, the Citrix ADC appliance and the servers do not need to be on the same Layer 2 subnet. Instead, the Citrix ADC appliance encapsulates the packets before sending them to the destination server. After the destination server receives the packets, it decapsulates the packets, and then sends its responses directly to the client.

To configure IP over IP DSR mode on your Citrix ADC appliance, you must do the following:

Configure a load balancing virtual server

Configure a virtual server to handle requests to your applications. Assign a service type of ANY and set the forwarding method to IPTUNNEL. Optionally, configure the virtual server to operate in sessionless mode. You can configure any load balancing method that you want to use.

To create and configure a load balancing virtual server for IP over IP DSR by using the command line interface

At the command prompt, type the following commands to configure a load balancing virtual server for IP over IP DSR and verify the configuration:

add lb vserver <name> serviceType <serviceType> IPAddress <ip> Port <port> -lbMethod <method> -m <ipTunnelTag> -sessionless <sessionless>

show lb vserver <name>

Example:

In the following example, the load balancing method is SourceIPHash and sessionless load balancing is enabled.

add lb vserver Vserver-LB-1 ANY 10.102.29.60 * -lbMethod SourceIPHash -m IPTUNNEL -sessionless enabled

To create and configure a load balancing virtual server for IP over IP DSR by using the configuration utility

  1. Navigate to Traffic Management > Load Balancing > Virtual Servers.
  2. Create a virtual server, and specify Redirection Mode as IP Tunnel Based.

Configure services for IP over IP DSR

After creating your load balancing virtual server, you must configure one service for each of your applications. The service handles traffic from the Citrix ADC appliance to those applications, and allows the Citrix ADC appliance to monitor the health of each application.

You assign a service type of ANY and configure it for USIP mode. Optionally, you can also bind a monitor of type IPTUNNEL to the service for tunnel-based monitoring.

To create and configure a service for IP over IP DSR by using the command line interface

At the command prompt, type the following commands to create a service and optionally, create a monitor and bind it to the service:

add service <serviceName> <serverName> <serviceType> <port> -usip <usip>

add monitor <monitorName> <monitorType> -destip <ip> -iptunnel <iptunnel>

bind service <serviceName> -monitorName <monitorName>

Example:

In the following example, we are creating a monitor of type IPTUNNEL:

add monitor mon-1 PING -destip 10.102.29.60 -iptunnel yes
add service Service-DSR-1 10.102.30.5 ANY * -usip yes
bind service Service-DSR-1 -monitorName mon-1

To configure a monitor by using the configuration utility

  1. Navigate to Traffic Management > Load Balancing > Monitors.
  2. Create a monitor, and select IP Tunnel.

To create and configure a service for IP over IP DSR by using the configuration utility

  1. Navigate to Traffic Management > Load Balancing > Services.
  2. Create a service and, in Settings, select Use Source IP Address.

To bind a service to a load balancing virtual server by using the command line interface

At the command prompt, type the following command:

bind lb vserver <name> <serviceName>

Example:

bind lb vserver Vserver-LB-1 Service-DSR-1

To bind a service to a load balancing virtual server by using the configuration utility

  1. Navigate to Traffic Management > Load Balancing > Virtual Servers.
  2. Open a virtual server, and click in the Services section to bind a service to the virtual server.
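The three steps above (virtual server of type ANY with -m IPTUNNEL, services of type ANY with -usip yes, and the bindings between them) can be checked offline against a saved configuration. The following Python script is an added example, not Citrix code: the function names, the second and third service names, and the address 10.102.30.6 are constructed for illustration.

```python
# Constructed sample: the page's Vserver-LB-1 example plus two deliberate mistakes.
SAMPLE_CONFIG = """
add service Service-DSR-1 10.102.30.5 ANY * -usip yes
add service Service-DSR-2 10.102.30.6 ANY *
add lb vserver Vserver-LB-1 ANY 10.102.29.60 * -lbMethod SourceIPHash -m IPTUNNEL -sessionless enabled
bind lb vserver Vserver-LB-1 Service-DSR-1
bind lb vserver Vserver-LB-1 Service-DSR-2
bind lb vserver Vserver-LB-1 Service-DSR-9
"""

def parse_config(text):
    """Collect virtual servers, services and bindings from CLI-style lines."""
    vservers, services, binds = {}, {}, []
    for raw in text.splitlines():
        tok = raw.strip().lstrip("> ").split()   # tolerate a leading "> " prompt
        if len(tok) < 5:
            continue
        opts = {tok[i].lower(): tok[i + 1].lower()
                for i in range(len(tok) - 1) if tok[i].startswith("-")}
        head = [t.lower() for t in tok[:3]]
        if head == ["add", "lb", "vserver"]:
            vservers[tok[3]] = {"type": tok[4].upper(), "opts": opts}
        elif head[:2] == ["add", "service"]:
            services[tok[2]] = {"type": tok[4].upper(), "opts": opts}
        elif head == ["bind", "lb", "vserver"]:
            binds.append((tok[3], tok[4]))
    return vservers, services, binds

def audit_ipip_dsr(text):
    """Return findings for IPTUNNEL virtual servers; names are compared exactly as written."""
    vservers, services, binds = parse_config(text)
    tunnel_vs = {n for n, v in vservers.items() if v["opts"].get("-m") == "iptunnel"}
    findings = [f"{n}: virtual server type is {vservers[n]['type']}, expected ANY"
                for n in sorted(tunnel_vs) if vservers[n]["type"] != "ANY"]
    for vs, svc in binds:
        if vs not in tunnel_vs:
            continue
        if svc not in services:
            findings.append(f"{vs}: bound service {svc} is not defined")
        elif services[svc]["type"] != "ANY":
            findings.append(f"{vs}: service {svc} is type {services[svc]['type']}, expected ANY")
        elif services[svc]["opts"].get("-usip") != "yes":
            findings.append(f"{vs}: service {svc} lacks -usip yes")
    return findings

if __name__ == "__main__":
    print("\n".join(audit_ipip_dsr(SAMPLE_CONFIG)))
```
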

Using the Client IP address in the Outer Header of Tunnel Packets

The Citrix ADC appliance supports using the client IP address as the source IP address in the outer header of tunnel packets in direct server return mode with IP tunneling. This feature is supported for DSR with IPv4 and DSR with IPv6 tunneling modes. To enable this feature, enable the use client source IP address parameter for IPv4 or IPv6. This setting is applied globally to all the DSR configurations that use IP tunneling.
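To make the encapsulation and the effect of this parameter concrete, the following Python script builds an IPv4-in-IPv4 packet and decapsulates it the way a back-end server would. It is an added example, not Citrix code. The client address 198.51.100.7 and the appliance-owned address 192.0.2.10 are constructed, and the example assumes that with the parameter set to NO the outer source is an appliance-owned address.

```python
import ipaddress
import struct

IPPROTO_IPIP = 4  # IANA protocol number for IPv4-in-IPv4
CLIENT, VIP = "198.51.100.7", "203.0.113.9"     # constructed client; VIP from the page's sample
ADC_ADDR, SERVER = "192.0.2.10", "192.0.2.91"   # constructed appliance address (assumption); sample server

def ipv4_header(src, dst, proto, payload_len):
    """Minimal 20-byte IPv4 header; checksum left at 0 because nothing here validates it."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)

def encapsulate(inner, outer_src, outer_dst):
    """Prepend the outer header, as the encapsulating appliance does."""
    return ipv4_header(outer_src, outer_dst, IPPROTO_IPIP, len(inner)) + inner

def parse_ipv4(packet):
    """Parse one IPv4 header and return its addresses, protocol and payload."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _, total_len, _, _, _, proto, _, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or not ihl <= total_len <= len(packet):
        raise ValueError("malformed IPv4 header")
    return {"src": str(ipaddress.IPv4Address(src)), "dst": str(ipaddress.IPv4Address(dst)),
            "proto": proto, "payload": packet[ihl:total_len]}

def inspect_tunnel_packet(packet):
    """Decapsulate one IP-in-IP packet and report the addresses in each header."""
    outer = parse_ipv4(packet)
    if outer["proto"] != IPPROTO_IPIP:
        raise ValueError("outer header is not IP-in-IP (protocol 4)")
    inner = parse_ipv4(outer["payload"])
    return {"outer_src": outer["src"], "outer_dst": outer["dst"],
            "inner_src": inner["src"], "inner_dst": inner["dst"],
            "outer_src_is_client": outer["src"] == inner["src"]}

# Constructed inner packet: client -> VIP, protocol 6 (TCP), 20 placeholder payload bytes.
INNER = ipv4_header(CLIENT, VIP, 6, 20) + bytes(20)

if __name__ == "__main__":
    for label, outer_src in (("useclientsourceip NO", ADC_ADDR),
                             ("useclientsourceip YES", CLIENT)):
        print(label, inspect_tunnel_packet(encapsulate(INNER, outer_src, SERVER)))
```

In both cases the inner header is unchanged (client to VIP), which is why the server can reply to the client directly; only the outer source differs.
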

To use client IP address as the source IP address on outer header of IPv4 tunnel packets by using the CLI

At the command prompt, type:

  • set iptunnelparam -useclientsourceip [YES | NO]
  • show iptunnelparam

To use client IP address as the source IP address on outer header of IPv4 tunnel packets by using the GUI

  1. Navigate to System > Network.
  2. On the Settings tab, click IPv4 Tunnel Global Settings.
  3. On the Configure IPv4 Tunnel Global Parameters page, select the Use Client Source IP check box.
  4. Click OK.

To use client source IP address as the source IP address on outer header of IPv6 tunnel packets by using the CLI

At the command prompt, type:

  • set ip6tunnelparam -useclientsourceip [YES | NO]
  • show ip6tunnelparam

To use client IP address as the source IP address on outer header of IPv6 tunnel packets by using the GUI

  1. Navigate to System > Network.
  2. On the Settings tab, click IPv6 Tunnel Global Settings.
  3. On the Configure IPv6 Tunnel Global Parameters page, select the Use Client Source IP check box.
  4. Click OK.

Following is a sample load balancing configuration in DSR mode using IPv4 tunneling. LBVS-IPIP-1 is the load balancing virtual server, and services SERVICE-DSR-IPIP-1 and SERVICE-DSR-IPIP-2 are bound to LBVS-IPIP-1.

    > set iptunnelparam -useclientsourceip YES
    Done

    > add service SERVICE-DSR-IPIP-1 192.0.2.91 ANY * -usip yes
    Done

    > add service SERVICE-DSR-IPIP-2 192.0.2.92 ANY * -usip yes
    Done

    > add lb vserver LBVS-IPIP-1 ANY 203.0.113.9 * -m IPTUNNEL
    Done

    > bind lb vserver LBVS-IPIP-1 SERVICE-DSR-IPIP-1
    Done

    > bind lb vserver LBVS-IPIP-1 SERVICE-DSR-IPIP-2
    Done

Decapsulator configuration

  • When a Citrix ADC appliance is used as a decapsulator, an IP tunnel must be created in the Citrix ADC appliance. For details, see Configuring IP Tunnels.

    Example configuration:

     add lb vserver v1 any 1.1.1.1 * -m IPTUNNEL
    
     add service s1 2.2.2.2 ANY *
    
     bind lb vserver v1 s1
    
     add iptunnel tun1 <snip_in_encap> netmask *
    
     add ns ip 1.1.1.1 255.255.255.255 -type vip -arp disabled
    
     add lb vserver v1 any 1.1.1.1 *
    
     add service s1 <actualserverip> ANY *
    
     bind lb vserver v1 s1
    
  • When a back-end server is used as a decapsulator, the back-end configuration varies depending on the server type. The steps involved in configuring a back-end server as a decapsulator are:

  1. Configure a loopback interface.
  2. Add a route through the tunnel interface.

Note: Make sure that the tunnel modules are installed in the system.

Example configuration:

In this example, 1.1.1.1 is the Citrix ADC virtual IP (VIP) address and 2.2.2.2 is the back-end server IP address.

The VIP address is configured in the loopback interface and a route is added through the tunnel interface. The modprobe ipip command is used for enabling the tunnel interface.

    add lb vserver v1 ANY 1.1.1.1 80 -m IPTUNNEL

    add service svc1 2.2.2.2 ANY 80 -usip YES -useproxyport NO

    bind lb vserver v1 svc1

    ifconfig lo inet 1.1.1.1 netmask 255.255.255.255

    modprobe ipip

    echo 1 > /proc/sys/net/ipv4/conf/tunl0/arp_ignore

    echo 2 > /proc/sys/net/ipv4/conf/tunl0/arp_announce

    ifconfig tunl0 1.1.1.1 netmask 255.255.255.255 up

    route add -host 1.1.1.1 dev tunl0