Application Delivery (ADX)


ADX SLB "one-arm" DSR, multi-subnet, multi-vlan, VIP routing issue

I have a pair of ADX1000s running L3PREM in an HA setup (active-active).

Our primary deployment is to use the ADXs in a 'one-arm' configuration utilizing DSR. So far so good. We have the ADXs doing nearly everything perfectly.

The concept and design are simple. The ADXs are uplinked via two LACP links to their upstream switch. We are using multiple VLANs to service the various server LANs we need to load balance.

The first stumbling block was that we had to put IPs on each VE so that the ADX could do health checks to the real servers. This was not a problem. After doing so we found that the load balancing and VIPs all worked perfectly as expected, and using DSR the real servers knew exactly where to send their traffic and to which gateway based on the subnet they were on/configured for.

The problem now is the ADX VIPs responding to pings from client hosts. This is mainly because there are literally no routes on the ADX. The ADX has a directly connected management network and it sees each one of the server subnets as directly connected router-interfaces (VEs).

The servers know their routes because of the DSR design.

So now here is the problem... how do we fix the ADX so that VIPs return traffic to the proper gateway? Remember, each VLAN has its own subnet and its own gateway for its respective set of real servers, so a simple single default route will not work as traffic would not be sent to the proper upstream router.

In the lab we DID set a default route for one of the subnet routers, and the VIPs started answering pings correctly, but only for that subnet.

We were told to try two things....

Setting the "next-hop" under the VIP. This did not work.

Setting up a policy-based route. For whatever reason, this did not work either. Doing a Wireshark dump on the uplinks shows the ICMP request hit the ADX, but we never see anything in return.... ONLY if we set a default route.

Suggestions on what to try and what to look for? Below are snippets from one of the ADXs running 12.2... DSR load balancing works fine... answers for VIPs do not:

!Building configuration...
!Current configuration : 1642 bytes
!
ver      12.2.01bT403
!
global-protocol-vlan
!
server active-active-port ethe 16 vlan-id 2
!
!
server port 80
session-sync
tcp
server port 21
session-sync
tcp
server port 443
session-sync
tcp
!
context default
!
server real web1 10.1.0.100
port http
port http url "HEAD /"
port ftp
port ssl
port ssl keepalive
!
server real web2 10.1.0.101
port http
port http url "HEAD /"
port ftp
port ssl
port ssl keepalive
!
!
server virtual www 10.1.0.200
sticky-age 10
sym-priority 254
sym-active
next-hop 10.1.0.1
predictor least-conn
port default disable
port http sticky
port http dsr
port ftp sticky concurrent
port ftp dsr
port ssl sticky
port ssl dsr
bind http web1 http web2 http
bind ftp web1 ftp web2 ftp
bind ssl web1 ssl web2 ssl
!
vlan 1 name DEFAULT-VLAN by port
!
vlan 50 by port
tagged ethe 1 to 2
router-interface ve 50
!
vlan 2 by port
untagged ethe 16
static-mac-address 001b.ed05.e86f ethernet 16
!
vlan 51 by port
tagged ethe 1 to 2
!
aaa authentication web-server default local
aaa authentication login default local
enable telnet authentication
enable super-user-password .....
no enable aaa console
no ip source-route
telnet server
username root password .....
router vrrp-extended
router vrrp-extended-ipv6
sntp server 172.20.0.10
no-asm-block-till-bootup
!
interface management 1
ip address 172.20.0.222 255.255.252.0
!
interface ethernet 1
link-aggregate active
!
interface ethernet 2
link-aggregate active
!
interface ve 50
ip address 10.1.0.254 255.255.255.0
!
end
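The routing behaviour described in the post (no reply with connected routes only, replies for every VIP via one gateway once a single default route exists, and the per-subnet result a policy route is meant to give) can be modelled with a small longest-prefix-match table. This is an added illustration, not ADX code or output: the only values taken from the post are VE 50 on 10.1.0.0/24 with next-hop 10.1.0.1 and the VIP 10.1.0.200; the VLAN 51 subnet 10.2.0.0/24, its gateway 10.2.0.1, the second VIP 10.2.0.200 and the client address 192.0.2.10 are constructed assumptions.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed topology. VE 50 / 10.1.0.1 / 10.1.0.200 follow the post's config;
# everything for "ve51" (VLAN 51) is an assumed placeholder.
SUBNETS = {
    "ve50": ipaddress.ip_network("10.1.0.0/24"),
    "ve51": ipaddress.ip_network("10.2.0.0/24"),   # assumed
}
GATEWAY = {"ve50": "10.1.0.1", "ve51": "10.2.0.1"}  # 10.2.0.1 assumed
VIPS = ["10.1.0.200", "10.2.0.200"]                # 10.2.0.200 assumed


class Rib:
    """Minimal routing table with longest-prefix-match lookup."""

    def __init__(self) -> None:
        # (prefix, next_hop); next_hop None marks a directly connected prefix
        self.routes: List[Tuple[ipaddress.IPv4Network, Optional[str]]] = []

    def add(self, prefix: str, next_hop: Optional[str] = None) -> None:
        self.routes.append((ipaddress.ip_network(prefix), next_hop))

    def lookup(self, dst: str):
        addr = ipaddress.ip_address(dst)
        matches = [r for r in self.routes if addr in r[0]]
        if not matches:
            return None
        return max(matches, key=lambda r: r[0].prefixlen)


def connected_rib() -> Rib:
    """The ADX's starting state: only the VE subnets, as connected routes."""
    rib = Rib()
    for net in SUBNETS.values():
        rib.add(str(net))
    return rib


def reply_next_hop(rib: Rib, vip: str, client: str,
                   policy: Optional[Dict[str, str]] = None) -> Optional[str]:
    """Where does a reply sourced from `vip` and addressed to `client` go?

    Returns "direct" for an on-link client, the gateway IP used otherwise,
    or None when no route exists (the reply is dropped, which matches the
    'request seen, nothing in return' capture in the post).
    `policy` maps a source subnet to a next hop, standing in for a
    policy-based route or per-VIP next-hop keyed on the VIP's subnet.
    """
    src = ipaddress.ip_address(vip)
    dst = ipaddress.ip_address(client)
    # On-link client: resolved by ARP on the VE, no gateway involved.
    if any(dst in net for net in SUBNETS.values()):
        return "direct"
    # Source-based policy wins over the ordinary destination lookup.
    if policy:
        for net, nh in policy.items():
            if src in ipaddress.ip_network(net):
                return nh
    route = rib.lookup(client)
    if route is None:
        return None
    return route[1] if route[1] is not None else "direct"


def scenarios(client: str = "192.0.2.10") -> Dict[str, Dict[str, Optional[str]]]:
    """Compare the three states discussed in the post for an off-subnet client."""
    results: Dict[str, Dict[str, Optional[str]]] = {}

    # 1. Connected routes only: every VIP reply is dropped.
    rib = connected_rib()
    results["connected_only"] = {v: reply_next_hop(rib, v, client) for v in VIPS}

    # 2. One default route: replies work, but all VIPs use the same gateway.
    rib = connected_rib()
    rib.add("0.0.0.0/0", GATEWAY["ve50"])
    results["single_default"] = {v: reply_next_hop(rib, v, client) for v in VIPS}

    # 3. Source-subnet policy: each VIP exits via its own VE's gateway.
    policy = {str(SUBNETS[k]): GATEWAY[k] for k in SUBNETS}
    rib = connected_rib()
    results["per_subnet_policy"] = {v: reply_next_hop(rib, v, client, policy) for v in VIPS}
    return results


if __name__ == "__main__":
    for name, table in scenarios().items():
        print(name, table)
```

The model makes the asymmetry in the post visible: a destination-based default route can only ever name one gateway, so the second VIP's replies leave through the wrong upstream router, whereas a decision keyed on the reply's source subnet is what sends each VIP's traffic back to its own gateway.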
