Application Delivery (ADX)

N/A
Posts: 1
Registered: ‎06-13-2010

SERVERIRON-PACKET FLOW(Require Expert opinion)

Dear All,


I am working on the live production environment to deploy ServerIron. I have proposed an INLINE solution.


INTERNET client--Internet ROUTER---FIREWALL dmz---SERVERIRON----REAL SERVERS(directly connected to Serveriron)

Firewall DMZ, SERVERIRON and REAL SERVERS are in the same IP subnet.


I have requested the firewall engineer to do NAT pointing to the VIP, and that VIP is bound to the respective real servers. The default route on SERVERIRON is the firewall.

As the solution is INLINE, all servers are connected directly to SERVERIRON ports and the default gateway on the REAL SERVERS is the FIREWALL.


I have some important queries:


1) When an internet client from outside hits the firewall public IP, it will NAT to the VIP and forward traffic to the real servers, but in the case of return traffic from the real servers, how will it go back to the internet client, though the source IP (client IP) never changed? And when the real server replies to the connection (return traffic) to its default gateway (which is the firewall), it will be a new session for the firewall, which has the source IP of the real server?

It means the firewall is sending to the VIP but the real server is replying to the firewall, which is annoying me. How does the firewall detect its already created session?


I am a little bit confused about the packet flow (source MAC, dest MAC, source IP, dest IP) from the internet router to the real server.

Does the ServerIron replace the MAC address across the path? Please explain.


For the firewall, what will be the source IP of the real server (REAL SERVER IP or VIP) when the real servers go outside to the internet in INLINE mode? There is no special configuration on SERVERIRON (e.g. source-ip, source nat).


2) If some internet ADMIN USER needs to access the REAL SERVERS from outside by remote desktop, it will require a separate NAT rule from a public IP to the REAL SERVER private IP with the needed service. Am I correct?

Experts' valuable suggestions are most welcome (PLEASE CONSIDER YOUR OPINION for INLINE MODE).



Thanks and best regards,


Frequent Contributor
Posts: 90
Registered: ‎12-26-2010

Re: SERVERIRON-PACKET FLOW(Require Expert opinion)

http://communities.netapp.com/blogs/ethernetstorageguy/2009/04/04/multimode-vif-survival-guide look at the load balancing section on this for your question 1.

Occasional Contributor
Posts: 50
Registered: ‎12-14-2011

Re: SERVERIRON-PACKET FLOW(Require Expert opinion)

For the first question, please find the IP address translation flow below. I skipped the MAC address part because it's not that important to understand the flow.

  • Client ---> (client ip, public VIP) --> F/W --> (client ip, private VIP) -> SI -> (client IP, real server IP) --> real server
  • Client <-- (public VIP, client ip) <--  F/W <-- (private VIP, client IP) <-- SI <-- (real server IP, client IP) <-- real server

In (x, y), x is a source IP address and y is a destination IP address. You don't need source-nat on the SI to make the flow work.

For the second question, yes, you're correct.
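
The translation chain in the reply above, as an added example that is not part of the original post and not ServerIron or firewall code: a simplified model in which each hop keeps a session entry so the return packet can be reverse-translated, and which also shows what a stateful firewall sees if the reply reaches it without passing back through the SI. All addresses and the `DnatHop` and `trace` names are constructed for illustration.

```python
"""Simplified model of the destination-NAT chain described in the reply.
All addresses are constructed documentation values, not from the thread."""

CLIENT, PUBLIC_VIP = "198.51.100.10", "203.0.113.5"
PRIVATE_VIP, REAL = "10.0.0.100", "10.0.0.11"  # same subnet, as in the question


class DnatHop:
    """A device that rewrites one destination IP and remembers the session."""

    def __init__(self, match_dst, new_dst):
        self.match_dst, self.new_dst = match_dst, new_dst
        self.sessions = {}  # (expected reply src, reply dst) -> original dst

    def forward(self, pkt):
        src, dst = pkt
        if dst != self.match_dst:
            return pkt  # not addressed to this hop's VIP: pass unchanged
        # Key the session on what the reply must look like when it returns.
        self.sessions[(self.new_dst, src)] = dst
        return (src, self.new_dst)

    def reverse(self, pkt):
        src, dst = pkt
        original = self.sessions.get((src, dst))
        if original is None:
            return None  # no matching session: a stateful device drops it
        return (original, dst)  # restore the address the peer connected to


def trace(reply_passes_si=True):
    """Return (packet seen by real server, packet returned to client)."""
    fw = DnatHop(PUBLIC_VIP, PRIVATE_VIP)   # firewall NAT rule: public -> VIP
    si = DnatHop(PRIVATE_VIP, REAL)         # SI binding: VIP -> real server
    request = si.forward(fw.forward((CLIENT, PUBLIC_VIP)))
    reply = (request[1], request[0])        # real server answers the client IP
    if reply_passes_si:
        reply = si.reverse(reply)           # source becomes the private VIP
    return request, fw.reverse(reply)


if __name__ == "__main__":
    print("inline, reply via SI :", trace(True))
    print("reply bypassing SI   :", trace(False))
```

In the inline case the firewall receives (private VIP, client IP), which matches the session it created on the way in; a reply sourced from the real server IP matches nothing in this model and is dropped.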
