Manual Chapter :
Configuring nPath Routing
Applies To:
Show VersionsBIG-IP APM
- 17.1.2, 17.1.1, 17.1.0, 17.0.0
BIG-IP Link Controller
- 17.1.2, 17.1.1, 17.1.0, 17.0.0
BIG-IP Analytics
- 17.1.2, 17.1.1, 17.1.0, 17.0.0
BIG-IP LTM
- 17.1.2, 17.1.1, 17.1.0, 17.0.0
BIG-IP AFM
- 17.1.2, 17.1.1, 17.1.0, 17.0.0
BIG-IP PEM
- 17.1.2, 17.1.1, 17.1.0, 17.0.0
BIG-IP DNS
- 17.1.2, 17.1.1, 17.1.0, 17.0.0
BIG-IP ASM
- 17.1.2, 17.1.1, 17.1.0, 17.0.0
Configuring nPath Routing
Overview: Layer 2 nPath routing
With the Layer 2 nPath routing configuration, you can route outgoing server traffic around the BIG-IP system directly to an outbound router. This method of traffic management increases outbound throughput because packets do not need to be transmitted to the BIG-IP system for translation and then forwarded to the next hop.
The type of virtual server that processes the incoming traffic must be a transparent, non-translating type of virtual server.
In bypassing the BIG-IP system on the return path, Layer 2 nPath routing departs significantly from a typical load-balancing configuration. In a typical load-balancing configuration, the destination address of the incoming packet is translated from that of the virtual server to that of the server being load balanced to, which then becomes the source address of the returning packet. A default route set to the BIG-IP system then sees to it that packets returning to the originating client return through the BIG-IP system, which translates the source address back to that of the virtual server.
Do not attempt to use nPath routing for Layer 7 traffic. Certain traffic features do not work properly if Layer 7 traffic bypasses the BIG-IP system on the return path.
About Layer 2 nPath
routing configuration
The Layer 2 nPath routing configuration differs from the typical BIG-IP load balancing configuration in the following
ways:
- The default route on the content servers must be set to the router's internal address (10.1.1.1in the illustration) rather than to the BIG-IP system's floating self IP address (10.1.1.10). This causes the return packet to bypass the BIG-IP system.
- If you plan to use an nPath configuration for TCP traffic, you must create a Fast L4 profile with the following custom settings:
- Enable theLoose Closesetting. When you enable this setting, the TCP protocol flow expires more quickly, after a TCP FIN packet is seen. (A FIN packet indicates the tearing down of a previous connection.)
- Set theTCP Close Timeoutsetting to the same value as the profile idle timeout if you expect half closes. If not, you can set this value to 5 seconds.
- Because address translation and port translation have been disabled, when the incoming packet arrives at the pool member it is load balanced to the virtual server address (176.16.1.1in the illustration), not to the address of the server. For the server to respond to that address, that address must be configured on the loopback interface of the server and configured for use with the server software.
Guidelines for UDP timeouts
When you configure nPath for UDP traffic, the BIG-IP system tracks
packets sent between the same source and destination address to the same destination port as a
connection. This is necessary to ensure the client requests that are part of a session always go
to the same server. Therefore, a UDP connection is really a form of persistence, because UDP is a
connectionless protocol.
To calculate the timeout for UDP, estimate the
maximum amount of time that a server transmits UDP packets before a
packet is sent by the client. In some cases, the server might transmit
hundreds of packets over several minutes before ending the session or
waiting for a client response.
Guidelines for TCP timeouts
When you configure nPath for TCP traffic, the BIG-IP system recognizes
only the client side of the connection. For example, in the TCP three-way handshake, the BIG-IP
system sees the SYN from the client to the server, and does not see the SYN acknowledgment from
the server to the client, but does see the acknowledgment of the acknowledgment from the client
to the server. The timeout for the connection should match the combined TCP retransmission
timeout (RTO) of the client and the node as closely as possible to ensure that all connections
are successful.
The maximum initial RTO observed on most UNIX and Windows systems is
approximately 25 seconds. Therefore, a timeout of 51 seconds should adequately cover the worst
case. When a TCP session is established, an adaptive timeout is used. In most cases, this results
in a faster timeout on the client and node. Only in the event that your clients are on slow,
lossy networks would you ever require a higher TCP timeout for established connections.
Creating a Fast L4 profile
You can create a custom Fast L4 profile to manage Layer 4 traffic more
efficiently.
- On the Main tab, click.The Fast L4 screen opens.
- ClickCreate.The New Fast L4 profile screen opens.
- In theNamefield, type a unique name for the profile.
- Select theCustomcheck box.
- Select theLoose Closecheck box only for a one-arm virtual server configuration.
- Set theTCP Close Timeoutsetting, according to the type of traffic that the virtual server will process.
- ClickFinished.
The custom Fast L4 profile appears in the list of Fast L4 profiles.
Creating a server pool for nPath routing
After you create a custom Fast L4 profile, you need to create a server pool.
- On the Main tab, click.The Pool List screen opens.
- ClickCreate.The New Pool screen opens.
- In theNamefield, type a unique name for the pool.
- For theHealth Monitorssetting, in theAvailablelist, select a monitor type, and click<<to move the monitor to theActivelist.Hold the Shift or Ctrl key to select more than one monitor at a time.
- Using theNew Memberssetting, add each resource that you want to include in the pool:
- (Optional) In theNode Namefield, type a name for the node portion of the pool member.
- In theAddressfield, type an IP address.
- In theService Portfield, type a port number, or select a service name from the list.
- (Optional) In thePriorityfield, type a priority number.
- ClickAdd.
- ClickFinished.
Creating a virtual server for Layer 2 nPath routing
After you create a server pool, you need to create a virtual server that
references the profile and pool you created.
- On the Main tab, click.The Virtual Server List screen opens.
- ClickCreate.The New Virtual Server screen opens.
- In theNamefield, type a unique name for the virtual server.
- For theDestination Address/Masksetting, confirm that theHostbutton is selected, and type the IP address in CIDR format.The supported format is address/prefix, where the prefix length is in bits. For example, an IPv4 address/prefix is10.0.0.1or10.0.0.0/24, and an IPv6 address/prefix isffe1::0020/64or2001:ed8:77b5:2:10:10:100:42/64. When you use an IPv4 address without specifying a prefix, the BIG-IP system automatically uses a/32prefix.The IP address you type must be available and not in the loopback network.
- From theConfigurationlist, selectAdvanced.
- From theTypelist, selectPerformance (Layer 4).
- From theProtocollist, select one of the following:
- UDP
- TCP
- *All Protocols
- From theProtocol Profile (Client)list, select a predefined or user-defined Fast L4 profile.
- For theAddress Translationsetting, clear theEnabledcheck box.
- For thePort Translationsetting, clear theEnabledcheck box.
- In the Resources area of the screen, from theDefault Poollist, select the relevant pool name.
- ClickFinished.
Configuring the virtual address on the server loopback interface
You must place the IP address of the virtual server
(
176.16.1.1
in the illustration) on the loopback interface of
each server. Most UNIX variants have a loopback interface named
lo0
. Consult your server operating system documentation for
information about configuring an IP address on the loopback interface. The loopback
interface is ideal for the nPath configuration because it does not participate in the
ARP protocol. Setting the route for inbound traffic
For inbound traffic, you must define a route through the BIG-IP
system self IP address to the virtual server. In the example, this route is
176.16.1.1
, with the external self IP address
10.1.1.10
as the gateway.You need to
set this route only if the virtual server is on a different subnet than the
router.
For information about how to define this route, please refer to the documentation
provided with your router.