Application Delivery (ADX)

Not applicable
Posts: 1
Registered: ‎06-13-2010

SERVERIRON-PACKET FLOW(Require Expert opinion)

Dear All,

I am working on a live production environment to deploy ServerIron. I have proposed an INLINE solution.

INTERNET client--Internet ROUTER---FIREWALL dmz---SERVERIRON----REAL SERVERS(directly connected to Serveriron)

Firewall DMZ, SERVERIRON and REAL SERVERS are in the same IP subnet.

I have requested the firewall engineer to do NAT pointing to the VIP, and that VIP is bound to the respective real servers. The default route on the SERVERIRON is the firewall.

As the solution is INLINE, all servers are connected directly to SERVERIRON ports, and the default gateway on the REAL SERVERS is the FIREWALL.

I have some important queries

1) When an Internet client from outside hits the firewall public IP, it will NAT to the VIP and forward traffic to the real servers. But in the case of return traffic from the real servers, how will it go back to the Internet client, though the source IP (client IP) never changed? And when the real server replies to the connection (return traffic) via its default gateway (which is the firewall), will it be a new session for the firewall, which has the source IP of the real server?

It means the firewall is sending to the VIP but the real server is replying to the firewall, which is annoying me. How does the firewall detect its already created session?

I am a little bit confused about the packet flow (source MAC, dest MAC, source IP, dest IP) from the Internet router to the real server.

Does the ServerIron replace MAC addresses across the path? Please explain.

For the firewall, what will be the source IP of the real server (REAL SERVER IP or VIP) when real servers go out to the Internet in INLINE mode? There is no special configuration on the SERVERIRON (e.g. source-ip, source NAT).

2) If some Internet ADMIN USER needs to access the REAL SERVERS from outside by remote desktop, it will require a separate NAT rule from a public IP to the REAL SERVER private IP with the needed service. Am I correct?

Experts' valuable suggestions are most welcome (PLEASE CONSIDER YOUR OPINION for INLINE MODE).

Thanks and best Regards,

Frequent Contributor
Posts: 90
Registered: ‎12-26-2010

Re: SERVERIRON-PACKET FLOW(Require Expert opinion)

Look at the load balancing section on this for your question 1.

Occasional Contributor
Posts: 50
Registered: ‎12-14-2011

Re: SERVERIRON-PACKET FLOW(Require Expert opinion)

For the first question, please find the IP address translation flow below. I skipped the MAC address part because it's not that important for understanding the flow.

  • Client ---> (client ip, public VIP) --> F/W --> (client ip, private VIP) -> SI -> (client IP, real server IP) --> real server
  • Client <-- (public VIP, client ip) <--  F/W <-- (private VIP, client IP) <-- SI <-- (real server IP, client IP) <-- real server

In (x, y), x is a source IP address and y is a destination IP address. You don't need source-nat on the SI to make the flow work.

For the second question, yes, you're correct.
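
The translation flow from the reply above, as an added example that is not part of the original thread: a simplified Python model of the two stateful translation points (F/W and SI). All addresses are constructed, `Translator` and `run_flow` are hypothetical names, and the `inline=False` case assumes a stateful firewall drops a reply that matches none of its sessions.

```python
# Added example: simplified model of the (source IP, destination IP) rewrites
# at the firewall and the ServerIron. Addresses below are constructed values.
CLIENT, PUBLIC_VIP = "198.51.100.7", "203.0.113.10"
PRIVATE_VIP, REAL = "10.0.0.100", "10.0.0.11"


class Translator:
    """Stateful destination NAT: rewrites dst inbound, restores src on replies."""

    def __init__(self, name, frontend, backend):
        self.name, self.frontend, self.backend = name, frontend, backend
        self.sessions = set()  # (client_ip, backend_ip) pairs created inbound

    def inbound(self, pkt):
        src, dst = pkt
        if dst != self.frontend:
            raise ValueError(f"{self.name}: no rule for destination {dst}")
        self.sessions.add((src, self.backend))
        return (src, self.backend)  # client IP is left untouched

    def reply(self, pkt):
        src, dst = pkt
        if (dst, src) not in self.sessions:
            return None  # no matching session: modelled as a drop
        return (self.frontend, dst)  # source restored to the address the peer used


def run_flow(inline=True):
    """Return (forward hops, return hops) as (src, dst) tuples."""
    fw = Translator("F/W", PUBLIC_VIP, PRIVATE_VIP)
    si = Translator("SI", PRIVATE_VIP, REAL)
    hops = [(CLIENT, PUBLIC_VIP)]
    hops.append(fw.inbound(hops[-1]))   # F/W: public VIP -> private VIP
    hops.append(si.inbound(hops[-1]))   # SI: private VIP -> real server
    back = [(REAL, CLIENT)]
    if inline:                          # reply physically crosses the SI
        back.append(si.reply(back[-1]))
    back.append(fw.reply(back[-1]))     # F/W matches its own session, or not
    return hops, back


if __name__ == "__main__":
    for mode in (True, False):
        fwd, ret = run_flow(inline=mode)
        print("inline" if mode else "bypass", fwd, ret)
```

In the inline case the firewall only ever sees the private VIP as the reply source, which is why it matches the session it created; in the bypass case the reply arrives with the real server IP and matches nothing.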

