01-16-2015 10:27 AM
I've been reading through http://www.brocade.com/support/Product_Manuals/ServerIron_SLBGuide/slb.2.42.html#105590 to figure out a solution to a problem I have in a new deployment. It seems that natively the ADX is meant to be directly connected to the subnets that the real servers are hosted on, however in this particular implementation, it cannot have that access, as the real servers are located behind firewalls and in different subnets.
There exists the option to use remote server, which I did, and I only got that working when I enabled global source-nat. However, this causes issues with other servers connected in subnets it can reach. Additionally, all the logs on the real servers list all connections as coming from the ADX, so it seems to me that if I made some individual NAT rules (rather than global) I'd still be left with an untenable situation.
So I'm a bit stuck with my config...
ADX(config)#server remote test.site.com 10.10.1.1
WEBZ ----- 126.96.36.199 [ADX] 10.10.0.1 -------- 10.10.0.2 [Firewall] 10.10.1.2 ------------- 10.10.1.1 [Real Server]
01-16-2015 11:33 AM - edited 01-16-2015 11:34 AM
Source-nat is not required for remote server configuration. However, you will need to do source-nat when the network topology is single-arm (i.e. both clients and remote servers are reachable via the same ADX interface).
If you are using the ADX in an inline setup (i.e. clients and servers are reachable via different ADX interfaces), then you have to add the routes on the intermediate routers in such a way that the ADX is in the path of packets going from the servers to the clients, and it should work without source-nat.
It will be helpful in finding a solution to your problem if you can provide more details about what your network topology is and what kind of service and features you are planning to use on the ADX.
01-16-2015 11:57 AM
Here's an image overview of the situation
Obviously the servers on the other side of the FW are the problematic ones. Now all of that is routable, as in from the webserver to the ADX I can ping, and ping the FW, and there's no NATing there.
01-16-2015 12:20 PM
Here is how I think it should be configured.
Servers at 10.10.1.1 and 10.10.2.1 should be defined as real servers, as they are L2 reachable from the ADX.
Servers in the 10.10.10.x network should be defined as remote servers, and they should have a route such that traffic towards clients goes via the ADX (IP 10.10.3.1).
Now when you bind the http or ssl ports of all the real servers under the same virtual server port, the ADX by default will not use remote servers for load balancing; to resolve this, you need to add the command "port http lb-pri-servers" to use all the servers for SLB.
After that it should work fine. I don't see any need for using source-nat in your setup.
Hope that helps.
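As an added illustration (not part of this thread or of any Brocade tooling), here is a small Python model of the return-path check the two answers above describe: with remote servers the reply from server to client must be routed back through the ADX, otherwise only source-nat makes it work, at the cost of the server logging the ADX address instead of the client. The device names, routing tables and addresses are constructed from the diagram in the question and are assumptions.

```python
import ipaddress

# Constructed from the question's diagram (assumptions): client on the Internet,
# ADX interface facing the firewall, real server behind the firewall.
CLIENT = "126.96.36.199"
ADX_IP = "10.10.0.1"

# Each device's routing table: list of (prefix, next-hop device name).
SERVER_TABLE = [("0.0.0.0/0", "firewall")]   # real server: default via the firewall
# Topology as first deployed: the firewall sends client-bound replies straight
# to the Internet edge, so they never pass the ADX (asymmetric path).
BROKEN = {
    "real-server": SERVER_TABLE,
    "firewall": [("10.10.0.0/24", "adx"), ("0.0.0.0/0", "internet")],
}
# Topology after adding the route the answer recommends: the firewall forwards
# client-bound replies to the ADX, which sits in the server-to-client path.
FIXED = {
    "real-server": SERVER_TABLE,
    "firewall": [("10.10.0.0/24", "adx"), ("0.0.0.0/0", "adx")],
}


def next_hop(table, dst):
    """Longest-prefix match over one device's routing table."""
    addr = ipaddress.ip_address(dst)
    matches = [(ipaddress.ip_network(p), nh) for p, nh in table
               if addr in ipaddress.ip_network(p)]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def trace(tables, start, dst, max_hops=8):
    """Follow routes from `start` until a hop without a table (adx/internet)."""
    path, hop = [start], start
    while hop in tables and len(path) <= max_hops:
        hop = next_hop(tables[hop], dst)
        if hop is None:
            break
        path.append(hop)
    return path


def check_remote_server(tables, source_nat):
    """Return (reply passes through the ADX, source address the server logs)."""
    logged_src = ADX_IP if source_nat else CLIENT   # source-nat rewrites the client IP
    reply_path = trace(tables, "real-server", logged_src)
    return "adx" in reply_path, logged_src
```

Without source-nat the broken topology fails the check; enabling source-nat passes it but the server logs 10.10.0.1, while the fixed routing passes with the real client address preserved.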
01-20-2015 11:36 AM
Thanks, part of the problem I was having was specifically with some firewall rules which were cutting my website address as opposed to the actual server address.