Forum Discussion
rob_79447
Nimbostratus
Mar 19, 2009
Helix load balancing on LTM
Can anyone tell me if there is a sample config document that explains how to set up load balancing for a pair of Helix servers that use ports 554 and 6000-9000?
I'm a bit of a newbie, so please excuse any ignorance on my part in subsequent replies.
Thanks.
5 Replies
- hoolio
Cirrostratus
Hi,
Based on this doc (Click here), I would guess you could configure a single Performance Layer4 virtual server on an IP and port 0, set to allow all protocols. If the server must be able to initiate arbitrary connections back to the client you'll probably need to configure nPath routing (also called direct return routing). To do this, you configure the servers with the LTM virtual server IP address on their loopback adapter. You probably also need to enable loose close on the FastL4 profile you associate with the LTM virtual server. SOL4268 has details on using nPath (Click here).
Aaron
- hoolio
Cirrostratus
I forgot to add that once you get the configuration working, you can lock down the virtual server using an iRule or packet filters to limit which ports clients can make requests on. You'll probably also need to use persistence (source address?) to ensure that the client gets sent back to the same server over the course of their session.
Aaron
- rob_79447
Nimbostratus
Many thanks for the replies, Aaron.
I'll review the info in the link that you've provided and see if I can work it out from there.
I'm not too concerned about using the LTM to lock down access to particular ports as I will be doing this at the firewall, so that shouldn't be an issue.
Again, thanks for the help so far.
Rob
- rob_79447
Nimbostratus
Aaron,
One more question for you based on your replies.
The cameras will be sending in streaming video to the VIP on the LTM. This is purely a one-way thing, with the live stream being sent direct from the Helix server to a webpage or mobile device, so I don't think we need to worry about the nPath routing in this situation.
That being the case, would we also then not need to implement the loose close that you mention?
Rob
- hoolio
Cirrostratus
Hi Rob,
You only need nPath if the server needs to initiate a connection back to the client. If you don't think this is required, you could try without nPath on the servers and without loose close on the FastL4 profile.
If it doesn't work on the first go, try testing with one client and one server while running tcpdumps filtering on the client and server IPs (tcpdump -ni0.0 -Xs0 host CLIENT_IP or host SERVER_IP) to determine who is trying to send what on which ports. The 0.0 interface is an alias for all server ports. You can check AskF5 SOL411 for details on using/interpreting tcpdump.
Aaron
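The port review suggested in the last reply, as an added example that is not part of the original thread: a Python sketch that reads tcpdump text output and lists which conversations the server opened toward the client (the nPath question) and which client requests hit ports outside 554 and 6000-9000. It assumes the line format printed by current tcpdump with -n; the function names, addresses and capture lines are constructed for illustration.

```python
import re

# Matches tcpdump -n text lines; -X hex dump lines do not match and are skipped.
LINE = re.compile(r"IP (\d+(?:\.\d+){3})\.(\d+) > (\d+(?:\.\d+){3})\.(\d+): (.*)")

def expected_port(port):
    """Ports named in the thread: 554 plus the 6000-9000 range."""
    return port == 554 or 6000 <= port <= 9000

def openers(capture):
    """Yield (proto, initiator, responder, dst_port), one per conversation."""
    seen = set()
    for line in capture.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        src, sport, dst, dport, rest = m.groups()
        if rest.startswith("UDP"):
            proto = "udp"          # first datagram seen counts as the opener
        elif rest.startswith("Flags [S]"):
            proto = "tcp"          # bare SYN; a SYN-ACK prints as "Flags [S.]"
        else:
            continue
        key = (proto, frozenset([(src, sport), (dst, dport)]))
        if key not in seen:        # ignore replies and retransmitted SYNs
            seen.add(key)
            yield proto, src, dst, int(dport)

def review(capture, server_ip):
    """Return (server_initiated, unexpected_client_ports)."""
    server_initiated, unexpected = [], []
    for proto, src, dst, dport in openers(capture):
        if src == server_ip:
            server_initiated.append((proto, dst, dport))
        elif dst == server_ip and not expected_port(dport):
            unexpected.append((proto, src, dport))
    return server_initiated, unexpected

# Constructed sample capture (documentation addresses, not from the thread).
SAMPLE = """\
12:00:01.000100 IP 203.0.113.10.51000 > 192.0.2.20.554: Flags [S], seq 100, win 65535, length 0
12:00:01.000300 IP 192.0.2.20.554 > 203.0.113.10.51000: Flags [S.], seq 900, ack 101, win 65535, length 0
12:00:01.000500 IP 203.0.113.10.51000 > 192.0.2.20.554: Flags [.], ack 901, win 65535, length 0
12:00:02.100000 IP 192.0.2.20.6970 > 203.0.113.10.40002: UDP, length 1316
12:00:02.100900 IP 203.0.113.10.40003 > 192.0.2.20.6971: UDP, length 60
12:00:03.000000 IP 203.0.113.10.51001 > 192.0.2.20.22: Flags [S], seq 5, win 65535, length 0
"""

if __name__ == "__main__":
    print(review(SAMPLE, "192.0.2.20"))
```

An empty first list for a full test session means the server never opened a conversation toward the client in that capture, which is the case where the thread says nPath is not needed.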
