[lvs-users] L3DSR like behavior using LVS

Patrick Schaaf bof at bof.de
Thu Jan 9 09:55:15 GMT 2014

On 09.01.2014 02:18, "Jamie Dahl" <jamied at meatball.net> wrote:
> So, L3DSR is something that some companies with some larger
> implementations use to get around certain shortcomings in large scale L2
> networks..
> I'm curious if this has ever been explored using LVS+iptables, (where
> you'd actually have iptables set the DSCP outbound

I recently switched our LVS+Realserver setup to a very similar approach,
using DSCP marking between LVS (in NAT mode, though) and realservers to map
different external IP:443 connections to different internal
realserverip:PORTs (different internal ports on the realservers) to
separate different SSL target / certificate combinations.

On the LVS host, a single virtual server (fwmark based) switches to
realserver port 80 (destination IP+port NAT).

Up-front on the LVS host, iptables mangle/PREROUTING rules matching on
external IP+port select both the fwmark to steer the LVS virtual server
(we did that before), _and_ set a suitable DSCP value so that different SSL
certificate contexts use a different DSCP value.

On the realservers, apache listens on ports 443, 444, 445 etc. with
suitable SSL virtual host config for each port.

And also on the realservers, iptables nat/PREROUTING rules match on the
DSCP values and then use the REDIRECT target to distribute to these local
ports 443 444 445 etc.

The previous setup had multiple internal IPs on each realserver, one for
each different SSL context - now everything uses a single internal IP.
Also, the previous setup had a separate LVS virtual server (and fwmark
value) for each different SSL context, with separate health checks - now it
is a single virtual server with a single health check per realserver.

The setup works perfectly.

In any case, the LVS code itself does not care or mess with the DSCP values
you set with iptables, so you can use them orthogonally as suitable for
your setup goals.

One thing to watch for, is to clear the DSCP field (set it to 0) up-front
on the LVS host first thing in mangle/PREROUTING, so that stray connections
do not accidentally reach the realservers with external client set DSCP

best regards
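
Added example, not part of the original message: a shell script that prints (does not apply) the iptables rules for the scheme described above, with the DSCP-clearing rule first on the LVS host. The addresses, DSCP values, fwmark and the `--dport 80` match on the realserver are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example: prints the rule set, it does not apply anything.
FWMARK=1    # assumed fwmark of the single LVS virtual server
# Constructed mapping: external_ip  dscp  local_ssl_port
MAPPING='203.0.113.10 1 443
203.0.113.11 2 444
203.0.113.12 3 445'

# DSCP is a 6-bit field; 0 is kept free as the "cleared" value.
valid_dscp() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 63 ]
}

# Validate every row before any rule is printed.
check_mapping() {
    while read -r ip dscp _port; do
        valid_dscp "$dscp" || { echo "bad DSCP '$dscp' for $ip" >&2; return 1; }
    done <<EOF
$1
EOF
}

# LVS host: clear client-set DSCP first, then mark and tag per external IP.
lvs_rules() {
    check_mapping "$1" || return 1
    echo "iptables -t mangle -A PREROUTING -j DSCP --set-dscp 0"
    while read -r ip dscp _port; do
        match="-d $ip -p tcp --dport 443"
        echo "iptables -t mangle -A PREROUTING $match -j MARK --set-mark $FWMARK"
        echo "iptables -t mangle -A PREROUTING $match -j DSCP --set-dscp $dscp"
    done <<EOF
$1
EOF
}

# Realserver: LVS delivers to port 80; DSCP selects the local SSL port.
# Matching --dport 80 as well is an assumption of this example.
realserver_rules() {
    check_mapping "$1" || return 1
    while read -r _ip dscp port; do
        echo "iptables -t nat -A PREROUTING -p tcp --dport 80 -m dscp --dscp $dscp -j REDIRECT --to-ports $port"
    done <<EOF
$1
EOF
}

echo "# LVS host";   lvs_rules "$MAPPING"
echo "# realserver"; realserver_rules "$MAPPING"
```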
