Use encapsulation forwarding to forward traffic across network segments

Use encapsulation forwarding when the back-end server is not located on the same network segment, or when you are using virtualization technology and need to forward packets that could not otherwise be forwarded.

Before you begin

Encapsulation forwarding is only valid for IPv4. If you try to define an IPv6 server with encapsulation forwarding, an error is displayed.

About this task

In a typical configuration, Load Balancer receives a packet, P, and forwards it as packet P', where only the time-to-live (TTL) has been decremented. When you enable encapsulation, Load Balancer receives a packet P and forwards it as E(P'), where the encapsulated packet E contains P'. The outer packet E has its own IP header, which permits Load Balancer to forward packets across routers and across some types of virtualization technology that packets could not otherwise be forwarded across.

Encapsulation forwarding:
  • Is implemented like MAC forwarding:
    • Packets from server to client do not go through the load balancer
    • Alias the loopback device to the cluster address on the back-end server
  • Requires that you configure an IPIP or GRE tunnel only on the back-end server.
  • Does not require you to add routes while configuring the tunnel.
Load Balancer will act as the tunnel on the other end.
[Figure: Encapsulation forwarding]

Additionally, this functionality allows you to forward packets to Solaris zones or AIX® workload partitions that are on the same host, since Load Balancer can use the existing stack configuration instead of bypassing it entirely.

Procedure

  1. On the Load Balancer machine, add a server with encapsulation enabled.
    When this server is selected to forward the packet, it is encapsulated.
    Use the dscontrol server command:
    dscontrol server set encap_source_IP encapforward [yes/no] encaptype [ipip/gre] encapcond [auto/always]
    For example, you can type the following at the prompt:
    dscontrol server set 1.2.3.4@80@1.2.3.5 encapforward yes encaptype ipip encapcond always
  2. Configure the IPIP or GRE tunnel on the back-end server for network traffic.
    For example, you can type the following:
    • [AIX]
      ifconfig gre0 tunnel 9.184.119.242  9.184.118.200 # The IP address of the server and Load Balancer
      ifconfig gre0  inet 9.184.114.25      # Some IP address on this subnet
      ### loopback...
      ifconfig lo0 alias 9.184.114.24 netmask 255.255.255.255
    • [Linux] To set up a GRE tunnel, use the following:
      sysctl -w net.ipv4.conf.all.arp_ignore=3 net.ipv4.conf.all.arp_announce=2
      
      # for gre
      modprobe ip_gre
      ip link set gre0 up
      ip addr add <cluster_ip> scope host dev gre0
      sysctl -w net.ipv4.conf.all.rp_filter=0
      sysctl -w net.ipv4.conf.gre0.rp_filter=0
      To set up an IPIP tunnel, use the following:
      sysctl -w net.ipv4.conf.all.arp_ignore=3 net.ipv4.conf.all.arp_announce=2
      modprobe ipip
      ip link set tunl0 up
      ip addr add <cluster_ip> scope host dev tunl0
      sysctl -w net.ipv4.conf.all.rp_filter=0
      sysctl -w net.ipv4.conf.tunl0.rp_filter=0
    • [Solaris]
      /sbin/ifconfig ip.tun0 plumb 9.184.114.25 netmask 255.255.255.255 up  #  Some free IP address on this subnet
      /sbin/ifconfig ip.tun0 9.184.114.25  9.184.114.222 up   #  Some free IP address on this subnet
      /sbin/ifconfig ip.tun0 up
      /sbin/ifconfig ip.tun0 tsrc 9.184.112.183 tdst 9.184.118.203  # The IP address of this machine and that of the server.
      ### loopback...
      ifconfig lo0:1 plumb 9.184.114.24 netmask 255.0.0.0 up
      Avoid trouble: You might need to disable reverse path filtering on the back-end servers so that encapsulation forwarding functions properly. Use the following command to disable reverse path filtering on Linux systems:
      sysctl -w net.ipv4.conf.all.rp_filter=0
    • [Windows] Tunneling is not supported on Windows operating systems.
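
The following audit script is an added example, not part of the product documentation. It checks `sysctl -a` output against the Linux back-end settings from step 2. The names audit_encap_backend and sample_sysctl and the sample values are constructed for illustration. It relies on the kernel rule that the rp_filter value applied on an interface is the larger of the conf.all and per-interface settings, so it also reports which other interfaces still validate source addresses after conf.all is set to 0.

```shell
#!/bin/sh
# Added example, not from the product documentation.
# stdin: `sysctl -a`-style lines ("key = value"); $1: tunnel device name.
# Kernel rule used: the rp_filter value applied on an interface is
# max(conf.all.rp_filter, conf.<dev>.rp_filter).
audit_encap_backend() {
    awk -v dev="$1" '
    function max(a, b) { return a > b ? a : b }
    function fail(msg) { print "FAIL: " msg; bad++ }
    /^net\.ipv4\.conf\./ {
        key = $1; sub(/^net\.ipv4\.conf\./, "", key)
        val[key] = $NF + 0
        n = split(key, part, ".")
        if (n == 2 && part[2] == "rp_filter") ifaces[part[1]] = 1
    }
    END {
        k = dev ".rp_filter"
        if (!(k in val))
            fail(dev " has no sysctl entries (module loaded, link up?)")
        else if (max(val["all.rp_filter"], val[k]) != 0)
            fail("reverse path filtering is still applied on " dev)
        if (val["all.arp_ignore"] != 3)   fail("all.arp_ignore is not 3")
        if (val["all.arp_announce"] != 2) fail("all.arp_announce is not 2")
        # Other interfaces keep their own setting when conf.all is 0.
        for (i in ifaces) {
            if (i == dev || i == "all" || i == "default") continue
            print "INFO: " i " effective rp_filter=" max(val["all.rp_filter"], val[i ".rp_filter"])
        }
        exit (bad > 0)
    }'
}

# Constructed sample: state after the IPIP steps, eth0 left at rp_filter=1.
sample_sysctl() {
    cat <<'EOF'
net.ipv4.conf.all.arp_announce = 2
net.ipv4.conf.all.arp_ignore = 3
net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.eth0.rp_filter = 1
net.ipv4.conf.tunl0.rp_filter = 0
EOF
}

sample_sysctl | audit_encap_backend tunl0 || true
# On a real host: sysctl -a 2>/dev/null | audit_encap_backend tunl0
```

The function returns a non-zero status when any required setting is missing, so it can gate a deployment step.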