Direct Routing
Direct Routing (aka DSR/Direct Server Return) is a standard layer 4 load balancing technique that distributes packets by altering only the destination MAC address of the packet.
Requires the "ARP problem" to be solved on each Real Server - for more information, please refer to DR Mode Considerations
Layer 4 DR Mode
Layer 4 DR (Direct Routing) mode is a very high performance solution that requires little change to your existing infrastructure.
- DR mode works by changing the destination MAC address of the incoming packet to match the selected Real Server on the fly which is very fast.
- When the packet reaches the Real Server it expects the Real Server to own the Virtual Services IP address (VIP). This means that each Real Server (and the load balanced application) must respond to both the Real Server’s own IP address and the VIP.
- The Real Server should not respond to ARP requests for the VIP. Only the load balancer should do this. Configuring the Real Server in this way is referred to as "Solving the ARP Problem". For more information please refer to DR Mode Considerations.
- On average, DR mode is 8 times quicker than NAT mode for HTTP and much faster for other applications such as Remote Desktop Services, streaming media and FTP.
- The load balancer must have an interface in the same subnet as the Real Servers to ensure layer 2 connectivity which is required for DR mode to operate.
- The VIP can be brought up on the same subnet as the Real Servers or on a different subnet provided that the load balancer has an interface in that subnet.
- Port translation is not possible with DR mode, e.g. VIP:80 → RIP:8080 is not supported.
- DR mode is transparent, i.e. the Real Server will see the source IP address of the client.
Considerations
Next Generation Firewalls
The mechanism that Direct Routing relies on contravenes many of the safeguards that NGFW devices implement. Generally, firewalls are placed towards the edge or perimeter of a network and this is not a problem. When a firewall is the default gateway for the networks connected to the load balancer appliances, however, this can introduce complications with load balancer functionality. The specific issue with NGFWs and Direct Routing is that, as far as the network is concerned, requests are sent to the load balancer and responses are returned from a different device: the firewall forwards the client's request to the load balancer's MAC address, but the reply for that same flow, sourced from the VIP, arrives from a Real Server's MAC address. In a regular network this would be highly suspicious; it is essentially the signature of a Man-In-The-Middle (MITM) attack (IP or MAC spoofing), so the NGFW blocks the replies, effectively disabling DR mode. A tell-tale symptom is that DR mode works for clients on the Real Servers' own subnet (whose replies never cross the firewall) but fails for clients routed through it.
Application Centric Infrastructure
To date, we have only seen this in the Cisco ACI platform, which works fundamentally differently from a traditional switched network. Cisco Application Centric Infrastructure (ACI) optimizes network management by decoupling the control plane from the data forwarding plane. However, its data-plane endpoint learning can complicate Direct Routing: because replies leave the Real Servers with the VIP as their source address, the fabric can learn the VIP as an endpoint located behind a Real Server rather than behind the load balancer, and from then on direct all VIP traffic to that single server. These issues can be mitigated by enabling GARP-based endpoint move detection and configuring L4-L7 Virtual IPs, ensuring proper failover and load balancing within the ACI fabric.
This topic is covered in greater depth on our blog.
The ARP Problem
DR mode works by changing the MAC address of the inbound packets to match the Real Server selected by the load balancing algorithm. To enable DR mode to operate:
- The load balanced application/service/daemon running on each Real Server must be able to accept traffic destined for the VIP address and the Real Server’s own IP address (RIP). This is because in DR mode the destination address of load balanced packets is the VIP address, whilst for other traffic such as health checks, administration traffic etc. it’s the Real Server’s own IP address (the RIP).
- Each Real Server must be configured so that it does not respond to ARP requests for the VIP address - only the load balancer should do this.
Configuring the Real Servers in this way is known as "Solving the ARP Problem".
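The following script is an added example, not the load balancer vendor's own tooling, showing one common way to solve the ARP problem on a Linux Real Server: the kernel's arp_ignore and arp_announce sysctls stop the server answering or sourcing ARP for the VIP, and the VIP is added as a /32 on the loopback interface so the server still accepts packets addressed to it. It also includes two checks a practitioner can run afterwards to confirm the server will not answer ARP for the VIP and that the VIP is actually present on lo. The VIP 10.0.0.100, the interface name eth0 and the file name 90-dr-mode.conf are assumptions for illustration; Windows Real Servers need a different method that is not covered here.

```shell
#!/bin/sh
# Added example (not the load balancer vendor's own script): "solving the ARP
# problem" on a Linux Real Server with sysctl arp_ignore/arp_announce and the
# VIP on the loopback interface, plus checks to verify the result. The VIP and
# interface names used here are assumptions for illustration.
set -eu

# Sysctl settings for the Real Server. arp_ignore=1 answers an ARP request only
# if the target IP is configured on the interface the request arrived on (the
# VIP lives on lo, so requests arriving on eth0 go unanswered). arp_announce=2
# uses the best local address, never the VIP, as the source of ARP it sends.
dr_sysctl_lines() {
    cat <<'EOF'
net.ipv4.conf.all.arp_ignore = 1
net.ipv4.conf.all.arp_announce = 2
net.ipv4.conf.default.arp_ignore = 1
net.ipv4.conf.default.arp_announce = 2
EOF
}

# Apply the settings (needs root): persist them, load them, then add the VIP as
# a /32 on lo so the kernel accepts packets addressed to it without routing or
# announcing it on the LAN. The RIP stays on eth0 for health checks and admin.
apply_dr_config() {
    vip="$1"
    dr_sysctl_lines > /etc/sysctl.d/90-dr-mode.conf
    sysctl -p /etc/sysctl.d/90-dr-mode.conf
    ip -4 addr replace "$vip/32" dev lo
}

# Verify the ARP knobs. The kernel uses max(all, per-interface) for both, so
# every non-loopback interface must end up with arp_ignore>=1, arp_announce=2.
# $1 is the sysctl directory; it defaults to the live one but may point at a
# copy, which the constructed tree below uses.
check_arp_settings() {
    root="${1:-/proc/sys/net/ipv4/conf}"
    all_ign=$(cat "$root/all/arp_ignore")
    all_ann=$(cat "$root/all/arp_announce")
    rc=0
    for d in "$root"/*/; do
        ifc=$(basename "$d")
        case "$ifc" in all|default|lo) continue ;; esac
        ign=$(cat "$d/arp_ignore")
        ann=$(cat "$d/arp_announce")
        [ "$ign" -gt "$all_ign" ] || ign=$all_ign
        [ "$ann" -gt "$all_ann" ] || ann=$all_ann
        if [ "$ign" -lt 1 ] || [ "$ann" -ne 2 ]; then
            echo "$ifc would answer ARP for the VIP: arp_ignore=$ign arp_announce=$ann"
            rc=1
        fi
    done
    return $rc
}

# Verify the VIP is present on lo as a /32. $2 optionally supplies the text of
# 'ip -4 -o addr show dev lo' so the check can be run against captured output.
check_vip_on_lo() {
    vip="$1"
    out="${2:-$(ip -4 -o addr show dev lo)}"
    printf '%s\n' "$out" | grep -qF "inet $vip/32 "
}

# Constructed sysctl tree (every knob 0, i.e. a server that would still answer
# ARP for the VIP) for exercising check_arp_settings without root.
make_sample_tree() {
    t=$(mktemp -d)
    for ifc in all default eth0 lo; do
        mkdir -p "$t/$ifc"
        printf 0 > "$t/$ifc/arp_ignore"
        printf 0 > "$t/$ifc/arp_announce"
    done
    echo "$t"
}

# Usage: sh dr-realserver.sh apply 10.0.0.100   (as root, on each Real Server)
#        sh dr-realserver.sh check 10.0.0.100
case "${1:-}" in
    apply) apply_dr_config "$2" ;;
    check) check_arp_settings && check_vip_on_lo "$2" && echo "DR ready" ;;
esac
```

Run the apply step on every Real Server, then the check step; because the kernel takes the higher of the all and per-interface values, setting the all and default entries is enough for existing and future interfaces alike. Once this is in place, an `arping` for the VIP from another host on the subnet should be answered only by the load balancer.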
Our Recommendation
Where possible we recommend that Layer 4 Direct Routing (DR) mode is used. This mode offers the best possible performance since replies go directly from the Real Servers to the client, not via the load balancer. It’s also relatively simple to implement. Ultimately, the final choice does depend on your specific requirements and infrastructure.
