Kemp Support, how can we help?

The latest application delivery knowledge and expertise at your fingertips.

Network deployment options on the KEMP LoadMaster

There are two deployment options; one-arm and two-arm. The distinction is made on a per-Virtual Service basis. The LoadMaster can house a combination of one-arm and two-arm Virtual Services. In fact, the LoadMaster can have a Virtual Service that is configured in both methods.

One-Arm Deployment

  • The load balancer has one physical network card connected to one subnet
  • A Single Ethernet port (eth0) is used for both inbound and outbound traffic
  • Real Servers and Virtual Services will be part of the same logical network - sometimes called flat-based - this implies that both have public IP addresses if used for services within the Internet
  • Server NAT does not make sense for one-armed configurations
  • Does not automatically imply the use of Direct Server Return (DSR) methods on the Real Servers
  • IP address transparency will function properly if clients are located on the same logical network as the LoadMaster in a DSR configuration. IP address transparency is not supported when clients are located on the same logical network as the LoadMaster in a NAT configuration.

The one armed solution can be set-up in both a single and Highly Available (HA) configuration.


 Two-Arm Deployment

  • The load balancer has two network interfaces connected to two subnets - this may be achieved by using two physical network cards or by creating VLANs on a single network interface
  • Virtual Services and Real Servers are on different subnets


In the example diagram above, the system has been configured as follows:

  • A Virtual Service has been created on the LoadMaster with an IP address of for an HTTP service
  • The Virtual Service has been configured to balance the incoming traffic across the Real Servers (server 1, 2 and 3)
  • A user requests the URL
  • The URL will be resolved by the DNS into IP address
  • The request will be routed to the LoadMaster, which offers this IP address as an IP-alias of its network interface eth0
  • The LoadMaster is connected to the server farm subnet via its network interface eth1
  • The LoadMaster knows that there are three Real Servers in this subnet that are assigned to the requested address and are able to deliver the required content
  • The LoadMaster uses the load balancing method configured, for example weighted round robin, to send the request on to one of the three Real Servers
  • Other items to note regarding the two-armed configuration are:
    • Both eth0 (net side) and eth1 (farm side) interfaces are used. Additional ports go to the farm side for multi-armed configurations
    • Implies that the LoadMaster (eth0) and server farm(s) are on separate logical networks, sometimes referred to as a NAT-based topology
    • The server farm(s) may make use of non-routable (RFC1918) IP addresses
    • Server NAT may be useful in such a configuration
    • IP address transparency will function properly if clients are located on the same logical network as the LoadMaster in both NAT (common) and DSR (uncommon) configurations.
    • Virtual Services may be created on any of the Ethernet interfaces.
    • Real Servers may exist on either the eth0 or up to the ethX network. However, placing Real Server on eth0 in a two-armed configuration is not recommended.

Leveraging one port and configuring the “Additional Subnet” feature qualifies as two-armed.

Was this article helpful?
1 out of 1 found this helpful



Sajid khan

Can we use multiple subnet in One arm ?



Vincent Mesiti

Yes, But you need to enable "Enable Non-Local Real Servers" option in the Miscellanous Option->Network Options.

But multiple subnets only work if you're not using transparency.




Can we use Load Balancer as a proxy device ? We have two active interfaces on LB, One interface has private IP of LAN and other interface has public IP . We want that all LAN traffic goes to internet thorugh LB and in return also come from LB.

So that on LAN computer when we do " What is my IP " so we can see our LB IP or VIP IP as source.