Use case 5: Configure DSR mode when using TOS

Differentiated services (DS), also known as TOS (Type of Service), is a field that is part of the TCP packet header. TOS is used by upper layer protocols for optimizing the path for a packet. The TOS information encodes the NetScaler appliance virtual IP address (VIP), and the load balanced servers extract the VIP from it.

In the following scenario, the appliance adds the VIP to the TOS field in the packet and then forwards the packet to the load balanced server. The load balanced server then responds directly to the client, bypassing the appliance, as illustrated in the following diagram.

Figure 1. The NetScaler appliance in DSR mode with TOS

dsrwithtos

The TOS feature is specifically customized for a controlled environment, as described below:

  • The environment must not have any stateful devices, such as stateful firewall and TCP gateways, in the path between the appliance and the load balanced servers.
  • Routers at all the entry points to the network must remove the TOS field from all incoming packets to make sure that the load balanced server does not confuse another TOS field with that added by the appliance.
  • Each server can have only 63 VIPs.
  • The intermediate router must not send out ICMP error messages regarding fragmentation. The client will not understand the message, as the source IP address will be the IP address of the load balanced server and not the NetScaler VIP.
  • TOS is valid only for IP-based services. You cannot use domain name based services with TOS.

In the example, Service-ANY-1 is created and bound to the virtual server Vserver-LB-1. The virtual server load balances the client request to the service, and the service responds to clients directly, bypassing the appliance. The following table lists the names and values of the entities configured on the appliance in DSR mode.

Entity Type Name IP Address Protocol
Virtual server Vserver-LB-1 10.102.33.91 ANY
Services Service-ANY-1 10.102.100.44 ANY
Monitors PING None None

DSR with TOS requires that load balancing be set up on layer 3. To configure a basic load balancing setup for Layer 3, see Setting Up Basic Load Balancing. Name the entities and set the parameters using the values described in the previous table.

After you configure the load balancing setup, you must customize the load balancing setup for DSR mode by configuring the redirection mode to allow the server to decapsulate the data packet and then respond directly to the client and bypass the appliance.

After specifying the redirection mode, you can optionally enable the appliance to transparently monitor the server. This enables the appliance to transparently monitor the load balanced servers.

To configure the redirection mode for the virtual server by using the command line interface

At the command prompt, type:

set lb vserver <vServerName> -m <Value> -tosId <Value>

Example:

set lb vserver Vserver-LB-1 -m TOS -tosId 3

To configure the redirection mode for the virtual server by using the configuration utility

  1. Navigate to Traffic Management > Load Balancing > Virtual Servers.
  2. Open a virtual server, and in Redirect Mode, select TOS ID.

To configure the transparent monitor for TOS by using the command line interface

At the command prompt, type:

add monitor <MonitorName> <Type> -destip <DestinationIP> -tos <Value> -tosId <Value>

Example:

add monitor mon1 PING -destip 10.102.33.91 -tos Yes  -tosId 3

To create the transparent monitor for TOS by using the configuration utility

  1. Navigate to Traffic Management > Load Balancing > Monitors.
  2. Create a monitor, select TOS, and type the TOS ID that you specified for the virtual server.

Wildcard TOS Monitors

In a load balancing configuration in DSR mode using TOS field, monitoring its services requires a TOS monitor to be created and bound to these services. A separate TOS monitor is required for each load balancing configuration in DSR mode using TOS field, because a TOS monitor requires the VIP address and the TOS ID to create an encoded value of the VIP address. The monitor creates probe packets in which the TOS field is set to the encoded value of the VIP address. It then sends the probe packets to the servers represented by the services of a load balancing configuration.

With a large number of load balancing configurations, creating a separate custom TOS monitor for each configuration is a big, cumbersome task. Managing these TOS monitors is also a big task. Now, you can create wildcard TOS monitors. You need to create only one wildcard TOS monitor for all load balancing configurations that use the same protocol (for example, TCP or UDP).

A wildcard TOS monitor has the following mandatory settings:

  • Type = <protocol>
  • TOS = Yes

The following parameters can be set to a value or can be left blank:

  • Destination IP
  • Destination Port
  • TOS ID

A wildcard TOS monitor (with destination IP, Destination port, and TOS ID not set) bound to a DSR service automatically learns the TOS ID and the VIP address of the load balancing virtual server. The monitor creates probe packets with TOS field set to the encoded VIP address and then sends the probe packets to the server represented by the DSR service.

To create a wildcard TOS monitor by using the CLI

At the command prompt, type:

add lb monitor <monitorName> <Type> -tos YES

show lb monitor <monitorName>

To bind a wildcard TOS monitor to a service by using the CLI

At the command prompt, type:

bind lb monitor <monitorName> <serviceName>

show lb monitor <monitorName>

To create a wildcard TOS monitor by using the GUI

  1. Navigate to Traffic Management > Load Balancing > Monitors.
  2. Add a monitor with the following parameter settings:
    • Type = <protocol>
    • TOS = YES

To bind a wildcard TOS monitor to a service by using the GUI

  1. Navigate to Traffic Management > Load BalancingServices.
  2. Open a service and bind a wildcard TOS monitor to it.

In the following sample configuration, V1, V2, and V3 are load balancing virtual servers of type ANY and has TOS ID set to 1, 2, and 3 respectively. S1, S2,S3, S4, and S5 are services of type ANY.  S1 and S2 are bound to both V1 and V2.  S3, S4 and S5 and bound to both V1 and V3. WLCD-TOS-MON is a wildcard TOS monitor with type TCP and is bound to S1, S2, S3, S4 and S5.

WLCD-TOS-MON automatically learns the TOD ID and VIP address of virtual servers bound to S1, S2, S3, S4, and S5.

Because S1 is bound to V1 and V2,  WLCD-TOS-MON creates two types of probe packets for S1, one with TOS field set to the encoded VIP address (203.0.113.1) of V1 and and the other with the VIP address (203.0.113.2) of V2. The NetScaler then sends these probe packets to the server represented by S1.  Similarly, WLCD-TOS-MON creates probe packets for S2, S3, S4, and S5.

add lb monitor WLCD-TOS-MON  TCP -tos YES  

Done

add lb vserver V1 ANY 203.0.113.1 * -m TOS –tosID 1

Done

add lb vserver V2 ANY 203.0.113.2 * -m TOS –tosID 2

Done

add lb vserver V3 ANY 203.0.113.3 * -m TOS –tosID 3

Done

add service S1 198.51.100.1 ANY *

Done

add service S2 198.51.100.2 ANY *

Done

add service S3 198.51.100.3 ANY *

Done

add service S4 198.51.100.4 ANY *

Done

add service S5 198.51.100.5 ANY *

Done

bind lb monitor WLCD-TOS-MON S1

Done

bind lb monitor WLCD-TOS-MON S2

Done

bind lb monitor WLCD-TOS-MON S3

Done

bind lb monitor WLCD-TOS-MON S4

Done

bind lb monitor WLCD-TOS-MON S5

Done

bind lb vserver V1 S1, S2, S3, S4, S5

Done

bind lb vserver V2, S1, S2

Done

bind lb vserver V3 S3, S4, S5

Done