Layer 4 load balancers also spread content across multiple Web servers, but they route traffic based on port rather than on higher-level application information, such as URLs. Using Layer 4 devices, you have to replicate all Web content and services on every machine in the server farm.
Traffic Patterns
Layer 7 routing may be intelligent and efficient, but having those smarts incurs latency. A slight pause, caused by delayed binding, occurs when the load balancer, XML switch or other content-aware device inspects traffic and decides where to route it. Say a load balancer receives a request for a specific Web page: It first determines which Web server needs to receive it, and then it forges a TCP connection with the server and "binds" the connection to the server.
These steps add a few milliseconds to response time, which may or may not be noticeable to the client. The good news is that Layer 7 devices minimize latency by routing traffic based only on a specific set of headers and the URI. However, some Layer 7 devices, such as F5 Networks' Big-IP, generate even more latency because they route traffic based on more specific information in the TCP payload, such as an HTTP header or data from an HTML form. The advantage is that these devices have more data to consult when deciding which server to use, so their routing decisions are more efficient (see "Major Changes for Big-IP").
A Layer 4 load balancer, meanwhile, does not generate this type of delay because it uses a less sophisticated decision-making process. It binds a TCP connection to the server immediately after it receives a SYN message from the client machine.
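The difference between immediate and delayed binding, as an added sketch that is not from the original article or any vendor's product: the Layer 4 function picks a server from what a SYN carries, while the Layer 7 class must buffer client segments until the request headers are complete before it can route on the URI. Pool addresses, URI prefixes and the buffer limit are constructed assumptions.

```python
import hashlib

# Constructed pools; addresses and prefixes are assumptions for illustration.
L4_POOL = ["10.0.0.11", "10.0.0.12"]           # every server holds all content
L7_POOLS = {"/images/": ["10.0.1.21"],          # content split by URI prefix
            "/api/": ["10.0.1.31", "10.0.1.32"]}
DEFAULT_POOL = ["10.0.1.11"]
MAX_HEADER_BYTES = 8192                         # bound on buffered request bytes


def _pick(pool, key):
    """Map a key onto a pool member with a stable hash."""
    digest = hashlib.sha256(key.encode()).digest()
    return pool[int.from_bytes(digest[:4], "big") % len(pool)]


def l4_bind(src_ip, src_port, dst_port):
    """Layer 4: choose a server as soon as the SYN arrives.
    Only addresses and ports are known; no payload has been sent yet."""
    return _pick(L4_POOL, f"{src_ip}:{src_port}->{dst_port}")


class L7Binder:
    """Layer 7 delayed binding: buffer client bytes until the request
    line and headers are complete, then choose a server from the URI."""

    def __init__(self, src_ip):
        self.src_ip = src_ip
        self.buf = b""
        self.segments_seen = 0

    def feed(self, segment):
        """Return the chosen server, or None while still waiting."""
        self.segments_seen += 1
        self.buf += segment
        if len(self.buf) > MAX_HEADER_BYTES:
            raise ValueError("request headers exceed buffer limit")
        end = self.buf.find(b"\r\n\r\n")
        if end == -1:
            return None                         # headers incomplete: keep buffering
        parts = self.buf[:end].split(b"\r\n")[0].decode("latin-1").split(" ")
        if len(parts) != 3:
            raise ValueError("malformed request line")
        uri = parts[1]
        for prefix, pool in L7_POOLS.items():
            if uri.startswith(prefix):
                return _pick(pool, self.src_ip)
        return _pick(DEFAULT_POOL, self.src_ip)
```

Each `None` returned by `feed` is a segment the device had to wait for before it could open the server-side connection, which is where the extra milliseconds come from.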
À La Mode
You need to determine how and where a Layer 7 content networking device will fit into your network infrastructure. That entails choosing both the "mode" in which the content networking device is deployed--proxy or transparent--and the network topology.
A proxy is an intermediary between two or more devices. When a content networking device is configured in proxy mode, all requests to a Web site or service go directly to it, and the device determines how to distribute the requests. When that same device is in transparent mode, it listens and only intercepts requests for the specific applications it's been configured to handle.
Proxy mode provides a single point of entry into your Web infrastructure, and it centralizes security and consolidates network logging. It has performance advantages over transparent mode in that it can keep open multiple TCP sessions to the servers. That way there's no latency from a second TCP handshake between the proxy device and each individual server in the farm.
Most load balancers and XML switches offer a proxy option. NetScaler's Request Switch 9000 Series devices, however, multiplex both HTTP and TCP in proxy mode, so they can process requests for content or services using HTTP 1.1 with existing TCP connections. That spreads HTTP requests across a number of connections.
Content networking devices usually have to be in proxy mode to process SSL sessions on the Web. A load balancer either decrypts the data itself or has a third-party product do it, so it can examine the traffic and make a routing decision. It then has to re-encrypt its response to the client's request with SSL. Some devices can do this in transparent mode, but that means more latency.
In transparent mode, the load balancer or other content networking device operates like the reverse Web cache, where a router redirects requests to a specific port (usually Port 80) or a specific port/IP address combination to a caching device. This is a less intrusive configuration than proxy mode because it requires little change to the network infrastructure.
The main difference between proxy and transparent mode is that in proxy mode the content networking device terminates the session, whereas the Web server terminates the session when the content networking device is in transparent mode. In both cases, the content networking device remains responsible for determining which Web server should fulfill the client request (see graphic "To Proxy or Not To Proxy").