Application Delivery (ADX)

Contributor
steve14
Posts: 20
Registered: ‎07-06-2012

accessing VIP from real server network

Hi community,

I have a typical router-based ServerIron load-balancing setup to balance a virtual server VIP, which is in one (external) network, to a pool of real servers in another (internal) network. Everything is working fine from the external network, but I obviously cannot access the VIP from the internal network, as the response of the real server goes back to the client directly and not via the balancer. I understand I could solve it using SNAT, but the strange thing to me is that SNAT needs to be configured on the real servers. But then even the main traffic from the external network would be SNATted and I can't have that.

Is there a way to access the virtual server from the network of the real servers without using SNAT in the real server configs?

Thx,

Steve.

Occasional Contributor
arunbk
Posts: 9
Registered: ‎01-05-2010

Re: accessing VIP from real server network

There is an option to do 'source-nat access-list' under the real server. You can permit only your internal traffic to be source-nat'ed and all external traffic to go without source-nat.

By default, if you configure the ServerIron ADX to apply source NAT for a real server, it is applied to all traffic for the real server. You can configure the ServerIron ADX to apply source NAT for a real server to traffic from specified source IP addresses.

To do this, you create an ACL, then specify the ACL in the source NAT configuration of the real server. When a flow is sent to the VIP, if the ACL specifies a permit action for the flow's source IP address, then source NAT is performed on traffic in the flow.

ServerIronADX(config)# access-list 1 permit 192.168.0.0 255.255.0.0
ServerIronADX(config)# access-list 1 deny any

The source-nat access-list <acl-id> command configures source NAT on a real server to be performed on traffic whose source IP address is permitted by ACL 1.

ServerIronADX(config)# server real r1 10.10.10.10
ServerIronADX(config-rs-r1)# source-nat access-list 1
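
A small model of the return path discussed in this thread, added here as an illustration and not taken from the posts or from Brocade documentation. It shows why an internal client fails without source NAT and which source address the real server sees (and logs) in each mode; every address except 10.10.10.10 and the 192.168.0.0 range is constructed, and ACL 1 is assumed to mean 192.168.0.0/16.

```python
import ipaddress

# Constructed addresses; only 10.10.10.10 and 192.168.0.0 come from the thread.
VIP = "198.51.100.10"
REAL = "10.10.10.10"
ADX_SNAT_IP = "10.10.10.1"  # hypothetical source-NAT address owned by the ADX
# Assumption: ACL 1 is read as "permit 192.168.0.0/16, deny any".
ACL_PERMIT = [ipaddress.ip_network("192.168.0.0/16")]
# Assumption: these clients reach the real server without crossing the ADX.
INTERNAL = [ipaddress.ip_network("192.168.0.0/16")]


def in_any(ip, nets):
    return any(ipaddress.ip_address(ip) in n for n in nets)


def simulate(client, mode):
    """mode: 'none', 'all' (plain source-nat) or 'acl' (source-nat access-list)."""
    snat = mode == "all" or (mode == "acl" and in_any(client, ACL_PERMIT))
    # Request: the ADX rewrites VIP -> real server, and the source if SNAT applies.
    seen_by_server = ADX_SNAT_IP if snat else client
    # Reply: the real server answers the source address it saw.
    reply_dst = seen_by_server
    # Replies to the ADX address or to an external host pass through the ADX.
    via_adx = reply_dst == ADX_SNAT_IP or not in_any(reply_dst, INTERNAL)
    # Only the ADX can translate the reply source back to the VIP.
    reply_src = VIP if via_adx else REAL
    return {
        "server_logs_source": seen_by_server,
        "reply_source_at_client": reply_src,
        # The client opened the connection to the VIP, so any other
        # reply source does not match its connection and is dropped.
        "connection_works": reply_src == VIP,
    }


if __name__ == "__main__":
    for client in ("192.168.1.50", "203.0.113.7"):  # internal, external
        for mode in ("none", "all", "acl"):
            print(client, mode, simulate(client, mode))
```

With the ACL, external clients still appear in the real server's logs under their own addresses, while internal clients appear as the ADX source-NAT address.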

Contributor
steve14
Posts: 20
Registered: ‎07-06-2012

Re: accessing VIP from real server network

Thanks Arunbk, very helpful indeed, works like a charm.

Is there by any chance something similar when running in switch mode? I have another environment with an older unit:

SW: Version 07.5.00T12 Copyright (c) 1996-2002 Foundry Networks, Inc.
     Compiled on Mar 17 2005 at 12:08:20 labeled as SLB07500
     (1570406 bytes) from Primary SLB07500.bin
HW: ServerIron Switch, serial number 10b0a4

and in this version/mode the source-nat command on the real server doesn't have the option to specify the ACL...

thank you,

Steve.

Occasional Contributor
arunbk
Posts: 9
Registered: ‎01-05-2010

Re: accessing VIP from real server network

Unfortunately, I do not think the older XL hardware will work with this scenario.
