The Network section within the Library allows the configuration of the ADC’s network interfaces and their behavior.
IMPORTANT
Managing Virtual Network Interfaces in a Virtual Environment
When deploying VMs within a virtualized environment such as ESXi, network interfaces (e.g., eth0, eth1) are automatically created and mapped to host configuration network adapters (e.g., Network Adapter 1, Network Adapter 2). However, these mappings may not always align consistently due to operating system rules that bind interfaces to specific MAC addresses. This section outlines steps to manage network interfaces on the host to prevent disruptions to services when the user cannot access the VM.
Key Considerations
1. MAC Address Persistence:
a. The operating system assigns interface names (e.g., eth0, eth1) based on rules that associate a name with a specific MAC address.
b. Deleting and recreating a VM network interface without reusing the original MAC address can result in an inconsistent or non-functional network configuration.
2. Internal Mappings in ADC (EdgeOS):
a. Virtual network interfaces are automatically recognized by the ADC (Application Delivery Controller) and mapped internally.
b. Removing a network interface from the VM host can leave stale mappings in the ADC, potentially disrupting management access or network services.
Recommended Steps for Host Configuration
1. Before Removing a NIC:
a. Record the MAC address of the interface you intend to remove. This can be viewed in the VM’s settings in the ESXi host.
2. When Adding a Replacement NIC:
a. Assign the previously recorded MAC address to the new network adapter to ensure the VM’s interface mappings remain consistent.
3. Prevent Accidental Deletion of Critical NICs:
a. Identify which NICs are mapped to critical ADC interfaces (e.g., ETH0 (Greenside) for management access). Avoid removing these NICs unless absolutely necessary.
4. Verify MAC Address Consistency:
a. Ensure that the MAC addresses assigned to the VM’s network interfaces match the expected configuration within the ADC. Use ESXi host tools to confirm this mapping.
5. Coordinate with VM Administrators:
a. If changes are necessary that might affect the internal VM configuration, inform the VM administrators to prepare for potential disruptions and ensure proper mappings are maintained.
Example Scenario
1. Initial Setup:
a. ADC VM has two NICs: NIC1 (MAC: 00:11:22:33:44:55) and NIC2 (MAC: 00:11:22:33:44:66).
2. Action: Remove NIC1 and add a new NIC (NIC3).
a. Assign the original MAC address (00:11:22:33:44:55) to NIC3 during creation on the ESXi host.
3. Impact Avoidance:
a. By reusing the original MAC address, the ADC’s internal mappings (e.g., ETH0) remain consistent, avoiding any disruption to management access or network services.
When managing network interfaces in a virtualized environment, it is crucial to maintain consistency in MAC address assignments. If access to the VM is unavailable, all necessary steps must be completed on the host side to ensure seamless operation and prevent service interruptions. Always coordinate with the relevant administrators to address potential impacts effectively.
Avoiding Frequent vMotion for Critical Appliances
vMotion is a powerful VMware feature that enables live migration of virtual machines (VMs) between ESXi hosts without downtime. However, while vMotion is highly useful in maintaining infrastructure flexibility and availability, it is not recommended to frequently migrate critical appliances, such as load balancers, especially when they are actively managing a high volume of connections.
There may be other technologies that are similar and provided by other vendors, but for this section, we will work on the basis it is VMware.
Why Frequent vMotion is Not Recommended
1. Session Disruptions:
a. Load balancers manage active sessions between clients and backend servers. During a vMotion operation, there is a brief period where the network state is reinitialized, potentially disrupting these sessions.
b. The disruption may cause connection drops, requiring clients to re-establish their sessions, which could degrade user experience.
2. Latency and Packet Loss:
a. The process of migrating a VM involves temporarily pausing and synchronizing its memory and state. For appliances handling real-time traffic, this pause can introduce latency or even packet loss.
b. Applications relying on low-latency responses may experience degraded performance or timeouts.
3. Increased Resource Utilization:
a. vMotion requires CPU, memory, and network bandwidth resources for data synchronization between the source and destination hosts.
b. Frequent migrations can strain infrastructure resources, potentially impacting other VMs and services hosted on the same environment.
4. Impact on High-Availability Configurations:
a. In environments with high-availability (HA) configurations, frequent vMotion may conflict with failover mechanisms, leading to unexpected behavior or delays in failover actions.
5. Operational Complexity:
a. Constantly moving critical VMs increases the complexity of network configurations, including VLAN mappings and firewall rules, which can introduce configuration errors.
Recommendations for Managing Critical Appliances
1. Plan vMotion Operations During Maintenance Windows:
a. Schedule migrations during periods of low traffic to minimize the impact on active sessions.
2. Implement Load Balancer Clustering:
a. Use clustering or high-availability configurations for load balancers to ensure redundancy. This allows traffic to be seamlessly redirected to another node during vMotion operations.
3. Monitor Infrastructure Resources:
a. Ensure sufficient CPU, memory, and network bandwidth are available before initiating vMotion to prevent resource contention.
4. Minimize Migration Frequency:
a. Limit vMotion of critical appliances to scenarios where it is absolutely necessary, such as host maintenance or failure recovery.
5. Test Before Production:
a. Test vMotion operations in a staging environment to understand their impact on active sessions and ensure configurations are optimized.
While vMotion is an invaluable tool for VM management, it should be used judiciously for critical appliances like load balancers. Frequent migrations can disrupt services, increase latency, and strain resources. By carefully planning vMotion operations and employing strategies like clustering and maintenance scheduling, you can ensure reliable service delivery and minimize the risk of disruptions.
Basic Setup
ALB Name
Specify a name for your ADC appliance. Please note that this cannot be changed if there is more than one member in the cluster. Please see the section on Clustering.
IPv4 Gateway
Specify the IPv4 Gateway address. This address will need to be in the same subnet as an existing adapter. If you add in Gateway incorrectly, you will see a White Cross in a red circle. When you add a correct gateway, you will see a green success banner at the bottom of the page and a white tick in a green circle next to the IP address.
IPv6 Gateway
Specify the IPv6 Gateway address. This address will need to be in the same subnet as an existing adapter. If you add in Gateway incorrectly, you will see a White Cross in a red circle. When you add a correct gateway, you will see a green success banner at the bottom of the page and a white tick in a green circle next to the IP address.
DNS Server 1 & DNS Server 2
Add in the IPv4 address of your first and second (optional) DNS server.
Adapter Details
This section of the Network panel shows the network interfaces that are installed in your ADC appliance. You can add and remove adapters as needed.
Column
|
Description
|
Adapter
|
This column displays the physical adapters installed on your appliance. Choose an adapter from the list of available adapters by clicking on it – a double-click will place the listing line into edit mode.
|
VLAN
|
Double click to add the VLAN ID for the adapter. A VLAN is a Virtual Local Area Network which creates a distinct broadcast domain. A VLAN has the same attributes as physical LAN but it allows for end stations to be grouped together more easily if they are not on the same network switch
|
IP Address
|
Double click to add the IP address associated with the adapter interface. You can add multiple IP addresses to the same interface. This should be an IPv4 32-bit number in quad dotted decimal notation. Example 192.168.101.2
|
Subnet Mask
|
Double click to add the subnet mask assigned to the adapter interface. This should be an IPv4 32-bit number in quad dotted decimal notation. Example 255.255.255.0
|
Gateway
|
Add a gateway for the interface. When this is added the ADC will set-up a simple policy that will allow connections initiated from this interface to be returned via this interface to the gateway router specified. This allows the ADC to be installed in more complex networking environments without the trouble of manually configuring complex policy based routing.
|
Description
|
Double click to add a description for your adapter. Example Public Interface.
Note: The ADC will automatically name the first interface Green Side, the second interface Red Side and the third interface Side 3 etc.
Please feel free to change these naming conventions to your own choice.
|
Web Console
|
Double click the column then tick the box to assign the interface as the management address for the Graphical User Interface Web Console. Please be very careful when changing the interface that Web Console will listen on. You will need to have the correct routing set up or be in the same subnet as the new interface in order to reach the Web Console after the change. The only way to change this back is to access the command line and issue the set greenside command. This will delete all interfaces except for eth0.
|
Interfaces
The Interfaces section within the Network panel allows the configuration of certain elements pertaining to the network interface. You can also remove a network interface from the listing by clicking the Remove button. When using a virtual appliance, the interfaces you see here are limited by the underlying virtualization framework.
Column
|
Description
|
ETH Type
|
This value indicates the internal OS reference to the network interface. This field cannot be customized. Values begin with ETH0 and continue in sequence depending on the number of network interfaces.
|
Status
|
This graphical indication shows the current status of the network interface. A Green status shows that the interface is connected and up. Other status indicators are shown below.
|
Adapter UP
|
|
Adapter Down
|
|
Adapter Unplugged
|
|
Adapter Missing
|
|
Speed
|
By default, this value is set to auto-negotiate the speed. But you can change the network speed of the interface to any value available in the drop-down (10/100/1000/AUTO).
|
Duplex
|
The value of this field is customizable, and you can choose between Auto (default), Full-Duplex, and Half-Duplex.
|
Bonding
|
You can choose one of the bonding types that you have defined. See the section on Bonding for more details.
|
Bonding
Many names are used to title network interface bonding: Port Trunking, Channel Bonding, Link Aggregation, NIC teaming, and others. Bonding combines or aggregates multiple network connections into a single channel bonded interface. Bonding allows two or more network interfaces to act as one, increase throughput, and provide redundancy or failover.
The ADC’s kernel has a built-in Bonding driver for aggregating multiple physical network interfaces into a single logical interface (for example, aggregating eth0 and eth1 into bond0). For each bonded interface, you can define the mode and the link monitoring options. There are seven different mode options, each providing specific load balancing and fault tolerance characteristics. These are shown in the image below.
Note: Bonding can only be configured for hardware-based ADC appliances.
Creating a Bonding profile
· Click on Add button to add a new Bond
· Provide a name for the bonding configuration
· Choose which bonding mode you wish to use
Then from the Interfaces section, select the Bonding mode you wish to use from the Bond drop-down field for the network interface.
In the example below, eth0, eth1, and eth2 are now part of bond0. While Eth0 remains on its own as the management interface.
Bonding Modes
Bonding Mode
|
Description
|
balance-rr:
|
Packets are sequentially transmitted/received through each interface one by one.
|
active-backup:
|
In this mode, one interface will be active, and the second interface will be on standby. This secondary interface only becomes active if the active connection on the first interface fails.
|
balance-xor:
|
Transmits based on source MAC address XOR’d with destination MAC address. This option selects the same slave for each destination Mac address.
|
broadcast:
|
This mode will transmit all data on all slave interfaces.
|
802.3ad:
|
Creates aggregation groups that share the same speed and duplex settings and utilizes all the slaves in the active aggregator following the 802.3ad specification.
|
balance-tlb:
|
The Adaptive transmit load balancing bonding mode: Provides channel bonding that does not require any special switch support. The outgoing traffic is distributed according to the current load (computed relative to the speed) on each slave. The current slave receives incoming traffic. If the receiving slave fails, another slave takes over the MAC address of the failed receiving slave.
|
balance-alb:
|
The Adaptive load balancing bonding mode: also includes balance-tlb plus receive load balancing (rlb) for IPV4 traffic and does not require any special switch support. The receive load balancing is achieved by ARP negotiation. The bonding driver intercepts the ARP Replies sent by the local system on their way out and overwrites the source hardware address with the unique hardware address of one of the slaves in the bond, such that different peers use different hardware addresses for the server.
|
Static Route
There will be times when you need to create static routes for specific subnets within your network. The ADC provides you with the ability to do this using the Static Routes module.
Adding a Static Route
· Click the Add Route button
· Fill in the field using the details in the table below as guidance.
· Click the Update button when done.
Field
|
Description
|
Destination
|
Enter the destination network address in decimal dotted notation. Example 123.123.123.5
|
Gateway
|
Enter the gateway IPv4 address in decimal dotted notation. Example 10.4.8.1
|
Mask
|
Enter the destination subnet mask in decimal dotted notation. Example 255.255.255.0
|
Adapter
|
Enter the adapter that the gateway can be reached on. Example eth1.
|
Active
|
A green tick box will indicate that the gateway can be reached. A red cross will indicate that the gateway cannot be reached on that interface. Please make sure you have set up an interface and IP address on the same network as the gateway
|
Static Route Details
This section will provide information about all the routes configured on the ADC.
Advanced Network Settings
What is Nagle?
Nagle's algorithm improves the efficiency of TCP/IP networks by reducing the number of packets that need to be sent over the network. See Wikipedia Article on Nagle
Server Nagle
Tick this box to enable the Server Nagle setting. The Server Nagle is a means of improving the efficiency of TCP/IP networks by reducing the number of packets that need to be sent over the network. This setting is applied to the Server side of the transaction. Care must be taken with the server settings as Nagle and delayed ACK may severely impact performance.
Client Nagle
Tick the box to enable the Client Nagle setting. As above but applied to the Client side of the transaction.
SNAT
SNAT stands for Source Network Address Translation, and different vendors have slight variations in the implementation of SNAT. A simple explanation of the EdgeADC SNAT would be as follows.
Under normal circumstances, inbound requests would be directed to the VIP that would see the source IP of the request. So, for example, if a browser endpoint had an IP address of 81.71.61.51, this would be visible to the VIP.
When SNAT is in force, the original source IP of the request will be hidden from the VIP, and instead, it will see the IP address as provided in the SNAT rule. Thus, SNAT can be used in Layer 4 and Layer 7 load balancing modes.
Field
|
Description
|
Source IP
|
The Source IP address is optional, and it can be either a network IP address (with /mask) or a plain IP address. The mask can be either a network mask or a plain number, specifying the number of 1’s at the left side of the network mask. Thus, a mask of /24 is equivalent to 255.255.255.0.
|
Destination IP
|
The Destination IP address is optional, and it can be either a network IP address (with /mask) or a plain IP address. The mask can be either a network mask or a plain number, specifying the number of 1’s at the left side of the network mask. Thus, a mask of /24 is equivalent to 255.255.255.0.
|
Source Port
|
The source port is optional, it can be a single number, in which case it specifies only that port, or it can include a colon, which specifies a range of ports. Examples: 80 or 5900:5905.
|
Destination Port
|
The destination port is optional, it can be a single number, in which case it specifies only that port, or it can include a colon, which specifies a range of ports. Examples: 80 or 5900:5905.
|
Protocol
|
You can choose whether to use SNAT on a single protocol or all the protocols. We suggest being specific to be more precise.
|
SNAT to IP
|
SNAT to IP is a mandatory IP address or a range of IP addresses. Examples: 10.0.0.1 or 10.0.0.1-10.0.0.3.
|
SNAT to Port
|
The SNAT to Port is optional, it can be a single number, in which case it specifies only that port, or it can include a dash, which specifies a range of ports. Examples: 80 or 5900-5905.
|
Notes
|
Use this to put a friendly name to remind yourself why the rules exist. This is also useful for debugging in the Syslog.
|