Application Delivery (ADX)

Contributor
Posts: 39
Registered: ‎05-04-2009

High availability with source NAT - any gotchas?

I had a look at the High Availability 101 (thx to oadam for this) but I have realized that source NAT is not mentioned in there so far. Are there any gotchas implementing SSLB together with source NAT?

Super Contributor
Posts: 316
Registered: ‎05-01-2009

Re: High availability with source NAT - any gotchas?

Gotchas? There is always something which might go wrong. I would suggest using the SSLB example configs posted here: and adding source-nat-ip's to the config. Ensure you use port-range 2 as the argument for the source-nat-ip's at the "master" box (the one with the higher priority). Use port-range 1 at the backup box.

This sounds strange but think about the range as being a priority - the box with the higher priority is the master box.

Ensure you put the source-nat-ip's into the vip-group as well to see them moving to the other box in case of a VRRP-E failover. Another option is to use different source-nat-ip's at both ServerIrons. Each ServerIron then has its own source-nat-ip's using port-range 2. This is of course not going to give you any possibility of a hitless failover, because the NAT addresses do not fail over to the other box.

I hope this helps.

Contributor
Posts: 39
Registered: ‎05-04-2009

Re: High availability with source NAT - any gotchas?

What do you mean with port-range? I am not familiar with source-nat so far...

Super Contributor
Posts: 316
Registered: ‎05-01-2009

Re: High availability with source NAT - any gotchas?

The command to define a source-nat-ip looks like the following:

server source-nat-ip <ip-address> <subnet-mask> <gateway> port-range <1|2>

Out of the documentation:

The port-range parameter specifies which port range this peer uses for source NAT for this source IP address. Specify 1 for the lower port range or 2 for the upper port range.

This is a bit confusing from my point of view, because range 2 is also the higher-priority range and range 1 the lower-priority range. So it is not only splitting the source ports into two parts; it is also a priority (backup/master) thing.
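To illustrate why the two peers sharing one source-nat-ip must be given different port-range values, here is a small Python model of the port split. This is an added illustration, not ServerIron code and not from anyone in the thread: the exact port boundaries (1024-33791 for range 1, 33792-65535 for range 2), the class and function names, and the client addresses are all constructed assumptions. It shows that with range 2 on the master and range 1 on the backup the NAT tables of the two boxes never share a (nat-ip, port) tuple, while giving both boxes the same range produces a collision on every connection.

```python
"""Toy model of the source-NAT 'port-range' split between two HA peers.

Constructed example (not ServerIron code). Two peers that source-NAT behind
the same IP each draw NAT ports from a disjoint half of the ephemeral range,
so their translation tables can never collide on the same (nat_ip, port).
The boundaries below are assumptions chosen for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Assumed split: range 1 = lower half (backup box), range 2 = upper half (master box).
PORT_RANGES: Dict[int, Tuple[int, int]] = {
    1: (1024, 33791),
    2: (33792, 65535),
}


class PortRangeExhausted(RuntimeError):
    """Raised when a peer has used every port in its half of the range."""


@dataclass
class SourceNatPeer:
    name: str
    nat_ip: str
    port_range: int                      # 1 or 2, as on the CLI
    _next: int = field(init=False, default=0)
    # (nat_ip, nat_port) -> (client_ip, client_port)
    table: Dict[Tuple[str, int], Tuple[str, int]] = field(default_factory=dict)

    def __post_init__(self) -> None:
        if self.port_range not in PORT_RANGES:
            raise ValueError("port-range must be 1 or 2")
        self._next = PORT_RANGES[self.port_range][0]

    def allocate(self, client_ip: str, client_port: int) -> Tuple[str, int]:
        """Hand out the next unused NAT port from this peer's half of the range."""
        _, hi = PORT_RANGES[self.port_range]
        if self._next > hi:
            raise PortRangeExhausted(f"{self.name}: port-range {self.port_range} exhausted")
        nat_port = self._next
        self._next += 1
        self.table[(self.nat_ip, nat_port)] = (client_ip, client_port)
        return self.nat_ip, nat_port


def collisions(a: SourceNatPeer, b: SourceNatPeer) -> List[Tuple[str, int]]:
    """NAT tuples present in both peers' tables (should be empty when ranges differ)."""
    return sorted(set(a.table) & set(b.table))


def simulate(master_range: int, backup_range: int, connections: int = 100) -> int:
    """Let both peers translate `connections` flows and return how many tuples collide."""
    nat_ip = "192.0.2.10"                                   # constructed shared source-nat-ip
    master = SourceNatPeer("master", nat_ip, master_range)
    backup = SourceNatPeer("backup", nat_ip, backup_range)
    for i in range(connections):
        master.allocate(f"10.0.0.{i % 250 + 1}", 40000 + i)  # constructed client flows
        backup.allocate(f"10.0.1.{i % 250 + 1}", 40000 + i)
    return len(collisions(master, backup))


if __name__ == "__main__":
    print("master=2, backup=1 ->", simulate(2, 1), "collisions")   # the thread's advice
    print("master=2, backup=2 ->", simulate(2, 2), "collisions")   # misconfiguration
```

Running the block prints zero collisions for the recommended split and one collision per connection when both boxes use the same range, which is the practical reason the documentation ties each peer to a distinct range.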
