Kemp Support, how can we help?

The latest application delivery knowledge and expertise at your fingertips.

Network deployment options on the KEMP LoadMaster

There are two deployment options; one-arm and two-arm. The distinction is made on a per-Virtual Service basis. The LoadMaster can house a combination of one-arm and two-arm Virtual Services. In fact, the LoadMaster can have a Virtual Service that is configured in both methods.

One-Arm Deployment

  • The load balancer has one physical network card connected to one subnet
  • A Single Ethernet port (eth0) is used for both inbound and outbound traffic
  • Real Servers and Virtual Services will be part of the same logical network - sometimes called flat-based - this implies that both have public IP addresses if used for services within the Internet
  • Server NAT does not make sense for one-armed configurations
  • Does not automatically imply the use of Direct Server Return (DSR) methods on the Real Servers
  • IP address transparency will function properly if clients are located on the same logical network as the LoadMaster in a DSR configuration. IP address transparency is not supported when clients are located on the same logical network as the LoadMaster in a NAT configuration.

The one armed solution can be set-up in both a single and Highly Available (HA) configuration.


 Two-Arm Deployment

  • The load balancer has two network interfaces connected to two subnets - this may be achieved by using two physical network cards or by creating VLANs on a single network interface
  • Virtual Services and Real Servers are on different subnets


In the example diagram above, the system has been configured as follows:

  • A Virtual Service has been created on the LoadMaster with an IP address of for an HTTP service
  • The Virtual Service has been configured to balance the incoming traffic across the Real Servers (server 1, 2 and 3)
  • A user requests the URL
  • The URL will be resolved by the DNS into IP address
  • The request will be routed to the LoadMaster, which offers this IP address as an IP-alias of its network interface eth0
  • The LoadMaster is connected to the server farm subnet via its network interface eth1
  • The LoadMaster knows that there are three Real Servers in this subnet that are assigned to the requested address and are able to deliver the required content
  • The LoadMaster uses the load balancing method configured, for example weighted round robin, to send the request on to one of the three Real Servers
  • Other items to note regarding the two-armed configuration are:
    • Both eth0 (net side) and eth1 (farm side) interfaces are used. Additional ports go to the farm side for multi-armed configurations
    • Implies that the LoadMaster (eth0) and server farm(s) are on separate logical networks, sometimes referred to as a NAT-based topology
    • The server farm(s) may make use of non-routable (RFC1918) IP addresses
    • Server NAT may be useful in such a configuration
    • IP address transparency will function properly if clients are located on the same logical network as the LoadMaster in both NAT (common) and DSR (uncommon) configurations.
    • Virtual Services may be created on any of the Ethernet interfaces.
    • Real Servers may exist on either the eth0 or up to the ethX network. However, placing Real Server on eth0 in a two-armed configuration is not recommended.

Leveraging one port and configuring the “Additional Subnet” feature qualifies as two-armed.

Was this article helpful?
2 out of 2 found this helpful



Sajid khan

Can we use multiple subnet in One arm ?



Vincent Mesiti

Yes, But you need to enable "Enable Non-Local Real Servers" option in the Miscellanous Option->Network Options.

But multiple subnets only work if you're not using transparency.




Can we use Load Balancer as a proxy device ? We have two active interfaces on LB, One interface has private IP of LAN and other interface has public IP . We want that all LAN traffic goes to internet thorugh LB and in return also come from LB.

So that on LAN computer when we do " What is my IP " so we can see our LB IP or VIP IP as source.



Hugo Boss

Is it possible to perform routing using the Layer7 http header?
1. if a request has in the http header, then routing continues
2. if a request has in the http header, then routing continues

It should not be checked to which destination IP address the request wants to go, but which name is in the http header and whether this is allowed.