Next: DNS Methods
Up: Technologies
Previous: IP Address Takeover
Contents
Layer 4 Switching
Layer 4 switching is a term that has almost as many meanings as it has
people using the term. In the context of this paper it refers to the
ability to multiplex connections received from end-users to back-end
servers. This can be implemented in an ethernet switch such as the Alteon
Networks ACESwitch. It can also be done in a host such as the Linux
Virtual Server, Cisco LocalDirector, F5 BIG/ip and an element of IBM
WebSphere.
A Virtual Service is the point of contact for end-users and is typically
advertised through DNS. A virtual service is defined by: the IP address
that clients will use to access the service; the port that clients
will connect to and a protocol, either UDP/IP or TCP/IP. The virtual
service is assigned a scheduling algorithm which allocates incoming
connections to the back-end servers. The scheduling algorithms available
will depend on the implementation. In the case of TCP/IP all packets for
the life of the connection will be forwarded to the same back-end server so
the integrity of the connection between the client and the back-end server
is maintained. Many implementations have a feature that allows subsequent
TCP/IP connections or UDP/IP datagrams from a host or network to be
forwarded to the same back-end server. This is useful for applications such
as HTTPS where the encryption used relies on the integrity of a handshake
made between the client and a server, hence, clients need to consistently
hit the same back-end server.
When a packet is to be forwarded to a back-end server, several mechanisms
are commonly employed. As a guide, the mechanisms implemented by the Linux
Virtual Server Project are detailed here.
- Direct Routing:
Packets from clients are forwarded directly to the back-end server. The IP
packet is not modified, so the back-end servers must be configured to
accept traffic for the virtual server's IP address. This can be done using
a dummy interface, or packet filtering to redirect traffic addressed to the
virtual server's IP address to a local port. The back-end server may send
replies directly back to the client. That is, if a host-based layer 4 switch
is used, it may not be in the return path.
- IP-IP Encapsulation:
IP-IP Encapsulation or Tunnelling enables packets addressed to an IP
address to be redirected to another address, possibly on a different
network. In the context of layer 4 switching the behaviour is very similar
to that of direct routing, except that when packets are forwarded they are
encapsulated in an IP packet, rather than just manipulating the ethernet
frame. The main advantage of using tunnelling is that back-end servers can
be on different networks.
- Network Address Translation:
Network Address Translation or NAT is a method of manipulating the source
and/or destination port and/or address of a packet to map networks. The
most common use of this is IP Masquerading that is often used to enable
RFC 1918[8] private networks to access the internet. In the
context of layer 4 switching, packets are received from clients and the
destination port and IP address are changed to that of the chosen back-end
server. Return packets pass through the layer 4 switching device at which
time the mapping is undone so the client sees replies from the expected
source.
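As an added illustration (not code from this paper or from the Linux Virtual Server project), the following Python model shows the per-connection affinity described above, the optional per-client persistence used for HTTPS, and what each forwarding method does to a packet in each direction. The virtual service address, the back-end addresses and the round-robin scheduler are assumptions chosen for the example.

```python
from dataclasses import dataclass, replace
from itertools import cycle

# Constructed sample topology (not from the paper): one virtual service and two back-end servers.
VIP, VPORT = "10.0.0.1", 443
REAL_SERVERS = [("192.168.1.10", 443), ("192.168.1.11", 443)]

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    next_hop: str = ""    # link-layer neighbour the frame is handed to (direct routing)
    outer_dst: str = ""   # outer IP header destination when IP-IP encapsulated

class Layer4Switch:
    """Toy layer 4 switch: round-robin scheduling, connection affinity, DR / TUN / NAT forwarding."""
    def __init__(self, method, persistent=False):
        self.method = method              # "dr", "tun" or "nat"
        self.persistent = persistent      # True: all connections from a client IP stick to one server
        self.sched = cycle(REAL_SERVERS)  # round-robin scheduler, the simplest choice (assumption)
        self.conns = {}                   # connection key -> chosen (real ip, real port)

    def _key(self, client, port):
        return client if self.persistent else (client, port)

    def forward(self, pkt):
        """Client -> virtual service. Returns the packet as it leaves the switch, or None if not ours."""
        if (pkt.dst, pkt.dport) != (VIP, VPORT):
            return None
        key = self._key(pkt.src, pkt.sport)
        if key not in self.conns:         # schedule once per connection, then keep using that server
            self.conns[key] = next(self.sched)
        rip, rport = self.conns[key]
        if self.method == "dr":           # IP header untouched; only the frame is steered to the real server
            return replace(pkt, next_hop=rip)
        if self.method == "tun":          # inner packet untouched; wrapped in an outer IP packet to the real server
            return replace(pkt, outer_dst=rip)
        return replace(pkt, dst=rip, dport=rport, next_hop=rip)  # nat: rewrite destination address and port

    def reverse(self, pkt):
        """Real server -> client. Only NAT replies must pass back through the switch to be un-mapped."""
        if self.method != "nat":
            return pkt
        if self.conns.get(self._key(pkt.dst, pkt.dport)) == (pkt.src, pkt.sport):
            return replace(pkt, src=VIP, sport=VPORT)  # client sees the reply come from the virtual service
        return pkt
```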
Horms
2001-11-23