Command Line Interface Reference Guide > The SLB Configuration Menu
/cfg/slb/filt<filter number>/adv/redir
Redirection Advanced Menu
Notes
*When the destination port is set to RTSP (554) at /cfg/slb/filt/dport, the filter automatically works in delayed binding (dbind) mode even if the dbind option is disabled for filter redirection.
 
[Redirection Advance Menu]
fwlb - Enable/disable firewall redirect hash method
linklb - Enable/disable WAN link load balancing
vpnflood - Enable/disable two way VPN load balancing
dbind - Enable/disable delayed binding for redirection
pbind - Enable/disable persistent binding for redirection
     rtproxy - Enable/disable redirect to proxy server
     fallback – Set fallback action (group down)
     fbgoto - Set filter ID for Goto fallback action
     fbport - Set ingress port for ContinueFlow fallback action
     fbvlan - Set ingress VLAN ID for ContinueFlow fallback action
     cur - Display current redirection configuration
 
Redirection Advanced Menu Options (/cfg/slb/filt/adv/redir)  
Command Syntax and Usage
fwlb
 
Enables or disables the firewall redirect hash method. For more information on firewall load balancing, see the Alteon Command Line Interface Application Guide.
Note: Firewall load balancing requires the “by number” mode of operation to be enabled at /cfg/sys/idbynum.
linklb
 
Enables or disables WAN link load balancing. For more information on configuring inbound link load balancing, see /cfg/slb/linklb Inbound Link Load Balancing Configuration Menu.
vpnflood
 
Enables or disables two-way Virtual Private Network (VPN) load balancing. For more information on VPN load balancing, see the Alteon Command Line Interface Application Guide.
dbind <disable|forceproxy>
 
Enables or disables full proxy mode for TCP services.
Delayed binding prevents SYN denial-of-service (DoS) attacks on the server. DoS occurs when the server or Alteon cannot service the client because they are saturated with invalid traffic.
Using delayed binding, Alteon intercepts the client SYN request before it reaches the server. Alteon responds to the client with a SYN ACK that contains embedded client information. Alteon does not allocate a session until a valid SYN ACK is received from the client or the three-way handshake is complete.
The Application Service Engine is a full TCP proxy which performs delayed binding of connections, during which it can optimize TCP behavior, intercept client requests and server responses to modify them, and so on. In some cases, the proxy behavior itself may be required even without the use of any other application service. For this purpose, you can set delayed binding to force proxy mode. In this mode, the Application Service Engine performs TCP optimizations without SYN attack protection, functions as a full TCP proxy, performs persistence for HTTP cookies to reorder TCP packets which do not arrive in the correct order, and so on.
For example, when no Layer 7 application services (such as SSL offloading, caching, compression, or HTTP modifications) are in use, and when no Layer 7 requests are coming from the client, force proxy mode forces Alteon to perform a back-end TCP handshake. If the server does not respond within a configured period, Alteon moves to the next server.
When the destination port is set to RTSP (554) at /cfg/slb/filt/dport, the filter automatically works in delayed binding (dbind) mode even if the dbind option is disabled for filter redirection.
Values:
*disable — Alteon processes traffic at Layer 4 without any interference in the TCP session.
*forceproxy — Alteon processes traffic in full proxy mode using the Application Service Engine. In full proxy mode independent sessions are established to the client and to the servers. The following capabilities require full proxy mode: advanced Layer 7 content switching and modification, SSL offload, Web acceleration, AppWall and Authentication Gateway, APM, TCP optimization, and IPv6/4 gateway.
Default: disable
Note: The Application Service Engine can work in both Alteon delayed binding modes. In enabled delayed binding mode, the Application Service Engine only provides SYN attack protection. In force proxy mode, it only provides TCP optimizations.
pbind <enabled|disabled>
 
Specifies whether to enable WAN link persistence per client IP. All connections from the same client IP to the same destination IP and server port/destination port are redirected to the same server.
Persistency per client is maintained across all filters that select the same group, and not per filter.
If a server port (rport) is configured on matched filter, client persistency is preserved to the same destination IP and server port combination, otherwise it is preserved to the destination IP and destination port.
Standard HTTP and HTTPS connections from the same client IP to the same destination IP are redirected to the same server, even though destination ports are different.
Note: To prevent the possiblity of creating two P-entries pointing to different servers, disable persistent binding (pbind). In addition, use phash metric in the relevant group. (For more information about metric commands, see Server Load Balancing Metrics.) For example:
/cfg/slb/group 2
metric phash 255.255.255.255
rmetric hash
Default: disabled
rtproxy <disable|enable>
 
Specifies how to redirect traffic to a proxy server.
Values:
*enable — Alteon redirects traffic to a proxy server by replacing the destination MAC address and IP address with the proxy server MAC address and IP address.
*disable — Alteon redirects traffic to a proxy server by replacing the destination MAC address with the proxy server MAC address. The destination IP address remains unchanged.
Default: disable
fallback <d|a|g>
 
Specifies the behavior when the server group attached to this filter is unavailable.
Values:
*a — Traffic matching this filter is routed/bridged to its destination.
*d — Traffic matching this filter is dropped. For TCP traffic processed by Proxy, the TCP connection is terminated. For UDP traffic and TCP traffic that is not processed by Proxy, the packets are dropped.
*c — Traffic matching this filter is forwarded to the next hop in the flow. This action is relevant only when the filter is part of a service chain/flow (for example, SSL inspection flow). To bypass this hop and continue the flow, specify the physical port through which traffic from this hop (server group) was expected to ingress in the fbport command.
*g — Traffic matching this filter is matched with the target filter defined in the fbgoto command. If the traffic does not match the target filter, matching attempts continue from the target filter on.
Default (for new filters): deny
fbgoto <0|3-2048>
 
Specifies the target filter ID for the goto action.
Values: 0, 3 – 2048
fbport (1-2|none)
 
Specifies the physical port through which traffic from the server group attached to this filter was expected to ingress Alteon (client traffic). This allows Alteon to bypass this group when down, and continue the flow.
For groups where each server has different ingress ports, select one of them to specify.
When the ingress port is part of an LACP trunk group, Alteon load balances between the ports in the trunk even though only a single port is defined here.
fbvlan
 
Specifies the ingress VLAN ID for a “continue in the flow” fallback action.
*If the fbport is a tagged port, Alteon injects the traffic with the VLAN defined as fbvlan.
*If the fbport is tagged, but no fbvlan is defined, Alteon injects the traffic with pvid tagging.
cur
 
Displays all current redirection settings.