IBM Support

Loopback Aliasing Alternatives when using MAC Forwarding for WebSphere® Edge Load Balancer on Linux™

Troubleshooting


Problem

The Load Balancer's MAC and encapsulated MAC forwarding methods require aliasing the cluster address on the loopback interface of the back-end servers. The loopback interface is a special interface that is used for communication within the server and is not used to transmit data on the network. The default installation of Linux™ advertises all addresses, even locally scoped addresses on interfaces that do not transmit data. If these settings are not changed, client traffic is routed directly to the server, by-passing the Load Balancer.
MAC forwarding requires extra configuration on Linux servers.

Symptom

  • Cluster traffic is routed to a single back-end server.
  • The Load Balancer packet-forwarded statistics do not increase. 
  • Traffic not routed to all available servers.

Cause

Why is configuring MAC and encapsulated MAC forwarding for WebSphere® Edge Load Balancer different on Linux™?

The Linux™ operating system employs a host-based model of advertising hardware addresses to IP addresses with the Address Resolution Protocol (ARP). This model is incompatible with the back-end server or collocated server requirements for Load Balancer's Media Access Control (MAC) forwarding method.

When the MAC forwarding method is configured with WebSphere® Edge Load Balancer, you must ensure that cluster-addressed traffic can be accepted by the stacks of the back-end servers. To allow this behavior, the cluster address is added to the loopback device on the back-end servers as shown:



Servers on the same machine as a Load Balancer are called collocated servers. Collocated servers are not recommended. The collocated server and the Load Balancer compete for resources and cause degraded performance and response time. However, if a collocated server is defined, the Load Balancer creates a special tunnel interface named ibmulb.  The cluster address is added to the tunnel interface.

In the default Linux™ environment, all configured IP addresses, including the cluster address that is aliased on the loopback or ibmulb interface, are advertised to neighboring systems. Any ARP requests for the cluster address location are answered by these interfaces. All cluster traffic is routed to the back-end server, by-passing the Load Balancer.
To prevent by-passing the Load Balancer, extra configuration steps are necessary on the backend server.

Resolving The Problem

To configure Linux servers to process MAC or encapsulated MAC forwarded traffic, you must add the cluster address as an alias on the loopback adapter, suppress advertisement of the cluster address, and modify reverse path filtering. Users with Linux for System z must review this material.

Avoid Trouble: Make the server configuration changes persistent such that changes are retained when the system is rebooted. Consult your operating system documentation for administering persistent settings. A common method is to add the sysctl commands to the /etc/sysctl.conf file.

After the configuration changes are made, if the expected behavior is not observed, review your specific operating system manual.

Required configuration

Operating system configuration changes are required for all Linux servers defined to receive MAC-forwarded or encapsulated MAC-forwarded traffic.

The loopback interface is a special interface that allows local socket communication. The loopback interface is a virtual interface that is always present and cannot transmit data on the network. A special address of 127.0.0.1 is always assigned to the loopback interface. This address is reserved to represent the local machine.

The servers receive network traffic for any address configured on the server. Aliasing the cluster IP on the loopback interface allows the server to receive forwarded packets. The server transmits responses from an ethernet interface with the cluster address as the source address. Responses are routed directly back to the client and do not flow through the Load Balancer.

Linux, by default, advertises addresses configured on all interfaces, including the loopback. If the server advertises the cluster address, the server receives all the cluster traffic. The Load Balancer no longer distributes connections for the cluster. ARP settings must be modified to prevent loopback address advertisement. The default loopback address, 127.0.0.1, is never advertised since it is reserved for the local machine.

The reverse path filtering setting controls the addresses allowed to send traffic on the network. Servers are configured with a strict routing policy by default. With strict routing, traffic must use an address assigned to the sending interface, otherwise, the traffic is discarded. The cluster address is not configured on the ethernet interface so responses from the server to the client are discarded. Recall that the cluster address must be assigned to the loopback to prevent conflicts with the Load Balancer and the loopback interface cannot transmit packets on the network.

When Load Balancer’s MAC forwarding or encapsulated MAC forwarding is used, the following configuration steps must be taken on each Linux server:

  • Prevent cluster advertisement (ARP suppression).

    Modify the arp_ignore setting to 3 so ARP responses are not generated for host-scoped addresses. Modify arp_announce to 2 to prevent addresses on the loopback interface from being announced on the network.

    sysctl -w net.ipv4.conf.all.arp_ignore=3
    sysctl -w net.ipv4.conf.all.arp_announce=2
  • The reverse path filtering setting is enabled for strict routing by default. With strict routing, cluster responses are discarded by the server. Modify the reverse path filtering setting to use loose routing (2) or disable reverse path filtering.

    The operating system recommends loose routing rather than disabling reverse path filtering. Loose routing allows responses from any address aliased on the server. Disabling the reverse path filtering setting disables source address verification.

    Avoid trouble: If collocated servers are defined, define loose routing for the reverse path filtering setting.

    Loose routing (recommended):

    sysctl -w net.ipv4.conf.all.rp_filter=2

    Or

    Disabling reverse path filtering (alternative):

    sysctl -w net.ipv4.conf.default.rp_filter=0
    sysctl -w net.ipv4.conf.lo.rp_filter=0
    # Repeat for each interface. Replace $INTERFACE with the actual interface name:
    sysctl -w net.ipv4.conf.$INTERFACE.rp_filter=0
  • Alias the cluster addresses on the correct interface. Determining the correct interface depends on the server's relationship to the Load Balancer.

    A server is either a stand-alone server or a collocated server.

    • A stand-alone server is a server that is not installed on a Load Balancer machine. See the stand-alone server configuration section for further details.
    • A collocated server is a server that is installed on a Load Balancer machine. Review the collocated server configuration section for detailed information.
    • When the Load Balancer's high availability feature is enabled, a server is both a stand-alone and collocated server, based on the Load Balancer high availability state. The server is a collocated server when the Load Balancer is in the active high-availability state. The server is a stand-alone server when the Load Balancer is in the backup high availability state.

      When high availability and collocated servers are defined, Load Balancer "go" scripts must be configured. Review the collocated server with high availability configuration section for detailed information about this configuration.

Stand-alone server configuration

A stand-alone server is a server that is not installed on the same machine as the Load Balancer software. The following configuration steps are necessary on a stand-alone server.

  1. Ensure that ARP suppression and reverse path filtering settings are set correctly.
    sysctl -w net.ipv4.conf.all.arp_ignore=3
    sysctl -w net.ipv4.conf.all.arp_announce=2
    sysctl -w net.ipv4.conf.all.rp_filter=2
  2. The cluster address must be aliased to the loopback interface for stand-alone servers. A mask of 255.255.255.255 or a prefix of 32 must be used for IPv4 addresses. A prefix of 128 must be used for IPv6 addresses. The 'ifconfig' or the 'ip' operating system commands can be used to alias the cluster.

    The 'ip' command (recommended):

    ip addr add $CLUSTER_ADDRESS/32 scope host dev lo

    Or

    The 'ifconfig' command (alternative):

    ifconfig lo:1 $CLUSTER_ADDRESS netmask 255.255.255.255 up

    Note: The alias number (:1) shown after the interface must be unique. If multiple clusters must be configured, ensure unique alias numbers (:1) are used for each alias.

    Avoid trouble: Ensure that the alias persists when the system is rebooted. Consult your operating system documentation for necessary procedures. A common method is to add the cluster alias to the /etc/sysconfig/network-scripts/ifcfg-lo file.

    DEVICE=lo
    IPADDR=127.0.0.1
    NETMASK=255.0.0.0
    NETWORK=127.0.0.0
    IPADDR2=$CLUSTER_ADDRESS
    NETMASK2=255.255.255.255
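The stand-alone settings above can be audited with a short script. This is an added example, not IBM's code: it relies on the kernel using the higher of the `conf/all` and per-interface values for `arp_ignore`, `arp_announce` and `rp_filter`, and it checks that the cluster address is a /32 host-scoped alias on `lo` only. The `SYSCTL_ROOT` variable, the function names and the `audit.sh` name are assumptions of the example.

```sh
#!/bin/sh
# Added example (not IBM's code): audit a stand-alone back-end server.
# SYSCTL_ROOT is an assumption of this example so the check can also be
# pointed at a copied tree; on a live server it stays /proc/sys.
SYSCTL_ROOT="${SYSCTL_ROOT:-/proc/sys}"

# The kernel applies max(conf/all, conf/<iface>) for these three settings.
effective() {   # effective <iface> <setting>
    a=$(cat "$SYSCTL_ROOT/net/ipv4/conf/all/$2" 2>/dev/null || echo 0)
    i=$(cat "$SYSCTL_ROOT/net/ipv4/conf/$1/$2" 2>/dev/null || echo 0)
    if [ "$a" -gt "$i" ]; then echo "$a"; else echo "$i"; fi
}

# check_iface <iface>: print each deviation; succeed only if there is none.
check_iface() {
    bad=0
    [ "$(effective "$1" arp_ignore)" -eq 3 ] ||
        { echo "$1: effective arp_ignore is not 3"; bad=1; }
    [ "$(effective "$1" arp_announce)" -eq 2 ] ||
        { echo "$1: effective arp_announce is not 2"; bad=1; }
    [ "$(effective "$1" rp_filter)" -ne 1 ] ||
        { echo "$1: effective rp_filter is strict (1)"; bad=1; }
    return "$bad"
}

# alias_ok <cluster> <dev>: reads `ip -o -4 addr show` output on stdin.
# Succeeds only if <cluster> appears solely as a /32 host-scoped address
# on <dev>; arp_ignore=3 suppresses replies for host-scoped addresses only.
alias_ok() {
    awk -v addr="$1" -v dev="$2" '
        $3 == "inet" {
            split($4, p, "/")
            if (p[1] != addr) next
            if ($2 != dev || p[2] != 32) bad = 1
            for (f = 5; f < NF; f++)
                if ($f == "scope") { if ($(f + 1) == "host") ok = 1; else bad = 1 }
        }
        END { exit (ok && !bad) ? 0 : 1 }'
}

# Usage: audit.sh <cluster-address> <ethernet-interface>
if [ "$#" -eq 2 ]; then
    rc=0
    check_iface "$2" || rc=1
    ip -o -4 addr show | alias_ok "$1" lo ||
        { echo "lo: $1/32 scope host alias missing or misplaced"; rc=1; }
    exit "$rc"
fi
```

Because the higher value wins, an interface stays under strict reverse path filtering while `net.ipv4.conf.all.rp_filter` is 1, even when its own `rp_filter` is 0; the script reports that case.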

Collocated server configuration

A collocated server is a server that is installed on the same machine as the Load Balancer software. Collocated servers are not recommended but can be configured.

When the server definition is set as collocated, the Load Balancer creates a virtual interface named ibmulb. Packets that the Load Balancer forwards to this server are not transmitted on the ethernet interface. Instead, the packets are directed to the ibmulb interface. When the Load Balancer's executor is stopped, the ibmulb interface is deleted.

The cluster address must be aliased on the ibmulb interface, not the loopback interface.

Since the cluster address is aliased on an operating system interface, the operating system receives a copy of all inbound cluster packets. A filter must be added to block the operating system from receiving copies of cluster packets. If a filter is not added, connections forwarded to stand-alone servers fail because the clients receive two different responses, one from the collocated server and one from the stand-alone server. To create the necessary filter, firewall software must be present.

Steps to configure a collocated server:

  1. Ensure correct ARP suppression settings. Define loose routing for the reverse path filtering setting.
    sysctl -w net.ipv4.conf.all.arp_ignore=3
    sysctl -w net.ipv4.conf.all.arp_announce=2
    sysctl -w net.ipv4.conf.all.rp_filter=2
  2. Install and load firewall software (if necessary):

    Installation (if necessary):
    Ubuntu:

    sudo apt-get install iptables 
    Red Hat:
    dnf install iptables-services 

    Load the module:
    modprobe ip_tables

  3. Create a filter to block cluster traffic on the ethernet interface. If cluster traffic can be received on multiple interfaces, all interfaces that can receive cluster traffic must filter the traffic. Existing filters can affect the placement of the new filter. The examples provided append the rule to filter cluster traffic to the end of existing filters. Examine your current filters to determine correct placement. Filter management can be performed by using operating system tools such as iptables, ip6tables, firewalld, nft, netfilter, or other firewall software. Examples are provided for the iptables and nft software.

    iptables:
    Display the current filters:

    # iptables -L INPUT
    Chain INPUT (policy ACCEPT)
    target     prot opt source               destination

    Append the cluster filter:

    # iptables -A INPUT -i $INTERFACE -d $CLUSTER/32 -j DROP

    # iptables -L INPUT
    Chain INPUT (policy ACCEPT)
    target     prot opt source               destination
    DROP       all  --  anywhere

    nft:
    Display the current filters:

    # nft list table inet filter
    table inet filter {
      chain input {
         type filter hook input priority 0; policy accept;
      }
    
      chain forward {
         type filter hook forward priority 0; policy accept;
      }
    
      chain output {
         type filter hook output priority 0; policy accept;
      }
    }

    Append the cluster filter:

    # nft add rule inet filter input iifname "$INTERFACE" ip daddr $CLUSTER counter drop
    
    # nft list table inet filter
    table inet filter {
      chain input {
         type filter hook input priority 0; policy accept;
         iifname "$INTERFACE" ip daddr $CLUSTER counter packets 0 bytes 0 drop
      }
    
      chain forward {
         type filter hook forward priority 0; policy accept;
      }
    
      chain output {
        type filter hook output priority 0; policy accept;
      }
    }

  4. Define the collocated server to the Load Balancer and set the collocation flag:
    dscontrol server add $CLUSTER@$PORT@$SERVER
    dscontrol server set $CLUSTER@$PORT@$SERVER collocated yes 
  5. Alias the cluster address on the ibmulb interface and set the interface UP:

    The ip command (recommended):

    ip addr add $CLUSTER/32 dev ibmulb scope host
    ip link set dev ibmulb up

    Or

    The ifconfig command (alternative):

    ifconfig ibmulb:1 $CLUSTER netmask 255.255.255.255 up

    Note: The alias number (:1) shown after the interface must be unique. If multiple clusters must be configured, ensure that each cluster alias has a unique alias number.

  6. If the reverse path filtering setting was disabled instead of set to loose routing, you must disable the reverse path filtering setting on the new ibmulb interface:
    sysctl -w net.ipv4.conf.ibmulb.rp_filter=0

Collocated server and Load Balancer's high availability

The collocated server configuration changes based on the Load Balancer high availability state. When the Load Balancer is actively forwarding traffic, the server must be configured as a collocated server. However, when the Load Balancer is in the backup state, the collocated server must be configured as a stand-alone server. The Load Balancer provides user exits that are invoked during high availability state changes to make the necessary configuration changes.

Servers must be defined before high availability is defined. The Load Balancer 'go' scripts execute after high availability state changes. If high availability is defined before the server is defined, the ibmulb tunnel does not exist when the state changes. After the tunnel is created, necessary configuration is not performed.

The user exits must be named goActive, goStandby, and goInOp. Samples are provided in the /opt/IBM/WebSphere/Edge/ULB/servers/samples directory. These files must be edited to use the correct interface and cluster addresses. The user exits are invoked from the /opt/IBM/WebSphere/Edge/ULB/servers/bin directory and must have execute permission set for the Load Balancer user.

  1. Ensure that ARP suppression settings are correct and reverse path filtering is set for loose routing.
    sysctl -w net.ipv4.conf.all.arp_ignore=3
    sysctl -w net.ipv4.conf.all.arp_announce=2
    sysctl -w net.ipv4.conf.all.rp_filter=2
  2. Customize the goActive, goStandby, and goInOp scripts. Place your customized scripts in the /opt/IBM/WebSphere/Edge/ULB/servers/bin directory and set execute permission on the files.  

    Avoid trouble: The file names must use the exact uppercase and lowercase lettering in the file name. The scripts have no file extension in the name. Cluster traffic must be filtered and dropped by the ethernet interface.

    goActive:
    When the Load Balancer enters the active forwarding state, the goActive script is invoked. The server on the Load Balancer machine must be configured as a collocated server when the Load Balancer is actively forwarding traffic. Remove the cluster address from the loopback interface and alias the cluster to the ibmulb tunnel. Add a filter to block the ethernet interface from receiving cluster traffic.

    Sample goActive script:

    # Modify CLUSTER and INTERFACE to match your environment
    
    CLUSTER=4.3.2.1
    INTERFACE=eth0
    
    # Add filter to block OS from receiving cluster traffic
    iptables -A INPUT -i $INTERFACE -d $CLUSTER/32 -j DROP
    
    # Remove cluster alias from loopback
    ip addr del $CLUSTER/32 scope host dev lo
    
    # Add cluster alias to tunnel
    ip addr add $CLUSTER/32 dev ibmulb scope host
    
    # Set tunnel up
    ip link set ibmulb up

    goStandby:
    When the Load Balancer enters the standby state, the goStandby script is invoked. The Load Balancer does not forward traffic in the standby state. The partner Load Balancer is forwarding traffic. As such, the server must be configured as a stand-alone server when the collocated Load Balancer is in the standby state. Remove the filter that blocks cluster traffic on the ethernet interface. Remove the cluster alias from the ibmulb interface and add the cluster alias to the loopback interface.

    Note: Do not modify the server definition on the Load Balancer machine. The definition on the standby Load Balancer does not change and the server remains marked as collocated.

    Sample goStandby script:

    # Modify CLUSTER and INTERFACE to match your environment
    CLUSTER=4.3.2.1
    INTERFACE=eth0
    
    # Remove filter which blocks cluster traffic to OS
    iptables -D INPUT -i $INTERFACE -d $CLUSTER/32 -j DROP
    
    # Set collocated tunnel down
    ip link set ibmulb down
    
    # Remove cluster alias from tunnel
    ip addr del $CLUSTER/32 dev ibmulb scope host
    
    # Add cluster alias to loopback
    ip addr add $CLUSTER/32 scope host dev lo

    goInOp:
    When the Load Balancer's executor stops, the goInOp script is invoked. The Load Balancer is no longer forwarding traffic. The only traffic that the server receives is from the partner Load Balancer. The server must be configured as a stand-alone server.

    Sample goInOp script:

    # Modify CLUSTER and INTERFACE to match your environment
    CLUSTER=4.3.2.1
    INTERFACE=eth0
    
    # Remove filter which blocks cluster traffic to OS
    iptables -D INPUT -i $INTERFACE -d $CLUSTER/32 -j DROP
    
    # Set collocated tunnel down
    ip link set ibmulb down
    
    # Remove cluster alias from tunnel
    ip addr del $CLUSTER/32 dev ibmulb scope host
    
    # Add cluster alias to loopback
    ip addr add $CLUSTER/32 scope host dev lo 
  3. Add the collocated server before high availability is defined. Set the collocated flag on the servers.
    dscontrol server add <cluster>@<port>@<server>
    dscontrol server set <cluster>@<port>@<server> collocated yes
    . . .
    dscontrol high availability add... 
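The sample user exits above assume each one runs exactly once from a known state. Invoked twice, `iptables -A` appends a second copy of the DROP rule, and `ip addr del` or `ip link set ibmulb down` fail when the alias or the tunnel is already gone. The following added example (not IBM's sample code) performs the same state changes in the same order but checks before acting. The function names are hypothetical, and CLUSTER and INTERFACE are constructed placeholder values to replace with your own.

```sh
#!/bin/sh
# Added example: repeat-safe logic for goActive, goStandby and goInOp.
# CLUSTER and INTERFACE are placeholders, as in the sample scripts.
CLUSTER="${CLUSTER:-192.0.2.50}"
INTERFACE="${INTERFACE:-eth0}"

filter_present() {
    iptables -C INPUT -i "$INTERFACE" -d "$CLUSTER/32" -j DROP 2>/dev/null
}
ensure_filter() {
    filter_present || iptables -A INPUT -i "$INTERFACE" -d "$CLUSTER/32" -j DROP
}
remove_filter() {
    # Delete every copy, in case an earlier run appended duplicates.
    while filter_present; do
        iptables -D INPUT -i "$INTERFACE" -d "$CLUSTER/32" -j DROP || break
    done
}

has_alias() {   # has_alias <dev>
    ip -o -4 addr show dev "$1" 2>/dev/null | grep -qF " $CLUSTER/32 "
}
ensure_alias() {
    has_alias "$1" || ip addr add "$CLUSTER/32" dev "$1" scope host
}
remove_alias() {
    if has_alias "$1"; then ip addr del "$CLUSTER/32" dev "$1" scope host; fi
}
# The tunnel is deleted when the executor stops, so test for it first.
tunnel_exists() { ip link show ibmulb >/dev/null 2>&1; }

# Collocated state: filter on ethernet, alias on ibmulb, tunnel up.
go_active() {
    ensure_filter
    remove_alias lo
    ensure_alias ibmulb
    ip link set ibmulb up
}

# Stand-alone state (goStandby and goInOp): no filter, alias on loopback.
go_standby() {
    remove_filter
    if tunnel_exists; then
        ip link set ibmulb down
        remove_alias ibmulb
    fi
    ensure_alias lo
}

case "${1:-}" in
    active)       go_active ;;
    standby|inop) go_standby ;;
esac
```

Each user exit can then be a short wrapper that calls this logic with `active`, `standby` or `inop`.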

Product: WebSphere Application Server (Edge LoadBalancer). Platform: Linux. Version: 8.5.5; 9.0.0.

Historical Number

207567

Document Information

Modified date:
15 June 2023

UID

swg21177105