Ability to disable ARP response for VIPs configured on a HTTP/TCP LB advertised on a CE

This is to support a direct server return design, where a L4 loadbalancer is in front of 1 or more CEs, and load balances traffic to the CEs without changing the source IP of the packet. The return traffic goes from CE back to the client, bypassing L4 LB. This requires both VIPs to be configured on the L4 LB and the CE, and both responding to an ARP request for the VIP will cause L2 switching issues.


We have suggested using XFF headers, but that requires the LB to terminate the connection at L7 and hosting the TLS certs there, which is not ideal as the LB is managed by another team in their org.

  • Leon Seng
  • Mar 26 2024
  • Attach files
  • Kayvan Farzaneh commented
    28 Mar 05:21am

    And more importantly I think we should support a wildcard VIP, meaning that the LB listens to any IP and will be matched with SNI/Host header.