RE: [load balancing] alteon 180e outbound NAT

From: Giles Scott <gscottIZZATarubanetworks.com>
Date: Fri Apr 01 2005 - 08:17:10 EST

Hi,

To stop the switch using the proxy address when sending requests to the
web servers you need to disable proxy on the real server
/c/sl/real <x>/proxy dis
But you probably won't need to do this if you remove the PIP for port 2
as it's not needed in this case.

As VMA is disabled the PIP address needs to be on the port where the
servers are connected, in your case port 1.
/c/slb/port 1/
        pip 195.160.235.240
        proxy ena

With VMA disabled it's almost like having 9 separate switches in one
switch.
You have to think very carefully which processor is going to handle the
session.

I think that will work.

Cheers

Giles

-----Original Message-----
From: owner-lb-l@vegan.net [mailto:owner-lb-l@vegan.net] On Behalf Of
Todd Underwood
Sent: Friday, April 01, 2005 12:46 PM
To: lb-l@vegan.net
Subject: [load balancing] alteon 180e outbound NAT

howdy,

i will admit at the onset that i just don't understand filters in
webOS at all. they make no sense to me. but i'm in there swinging.

here's what i have:

195.160.236.0/24 public, routed network
192.168.11.0 private DMZ for web servers
an ace director 180e

what i want is two things:

1) i want to NAT inbound requests to the web servers so that they get
the source ip of the requestor (not proxy). this makes the web logs
more useful to us

2) i want outbound dynamic NAT (i think that's the right term--i want
the private web server ips to be rewritten into some public ip after
traversing the alteon) for the web servers through the lb.

port 1 is the web servers (inside)
port 2 is the ISP uplink

i can't get the outbound NAT stuff to work. the relevant parts of my
config so far are:

/c/ip/if 1
        ena
        addr 192.168.11.1
/c/ip/if 2
        ena
        addr 195.160.236.4
/c/ip/gw 1
        ena
        addr 195.160.236.1
/c/slb
        on
/c/slb/real 1
        ena
        rip 192.168.11.15
/c/slb/real 2
        ena
        rip 192.168.11.16
/c/slb/group 1
        add 1
        add 2
/c/slb/port 1
        client ena
        server ena
/c/slb/virt 1
        ena
        vip 195.160.236.21
/c/slb/virt 1/service http
        group 1
        rport 8080
/c/slb/filt 5
        ena
        action allow
        sip 192.168.11.0
        smask 255.255.255.0
        dip 192.168.11.0
        dmask 255.255.255.0
/c/slb/filt 6
        ena
        action nat
        sip 192.168.11.0
        smask 255.255.255.0
        dip 195.150.236.0
        dmask 255.255.255.0
        nat source
/c/slb/port 1
        filt ena
        add 5,6
/c/slb/port 2
        pip 195.160.235.240
        proxy ena
/c/slb/adv/matrix dis
/

and that doesn't work.

the documentation is pretty unclear about whether it's possible to
NAT->proxy *outbound* requests from the web farm but just NAT inbound
stuff to the web farm.

thanks,

t

-- 
_____________________________________________________________________
todd underwood
director of operations & security
renesys - interdomain intelligence
todd@renesys.com   www.renesys.com
____________________
The Load Balancing Mailing List
Unsubscribe:    mailto:majordomo@vegan.net?body=unsubscribe%20lb-l
Archive:        http://vegan.net/lb/archive
LBDigest:       http://lbdigest.com
MRTG with SLB:  http://vegan.net/MRTG
Hosted by:	http://www.tokkisystems.com
Received on Fri Apr 1 09:22:59 2005
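
Added example (not written by either poster, and not Alteon tooling): a small Python check of the rule stated in the reply above, that with VMA disabled the PIP has to sit on the port where the servers are connected. It assumes that `/c/slb/adv/matrix dis` is the VMA setting and that `server ena` marks the server-side port; the sample is constructed from the config quoted in the thread.

```python
import re

# Constructed sample: the SLB port lines from the config quoted in the thread.
SAMPLE = """\
/c/slb/port 1
        client ena
        server ena
/c/slb/port 2
        pip 195.160.235.240
        proxy ena
/c/slb/adv/matrix dis
/
"""

# The change suggested in the reply: PIP and proxy move from port 2 to port 1.
FIXED = SAMPLE.replace(
    "/c/slb/port 2\n        pip 195.160.235.240\n        proxy ena\n",
    "/c/slb/port 1/\n        pip 195.160.235.240\n        proxy ena\n",
)

PORT = re.compile(r"^/c/slb/port (\d+)/?$")

def parse(dump):
    """Group indented settings under the menu line (starting with '/') above them."""
    sections, current = {}, None
    for raw in dump.splitlines():
        line = raw.strip()
        if not line:
            continue
        if raw.startswith("/"):
            current = sections.setdefault(line, [])
        elif current is not None:
            current.append(line)
    return sections

def misplaced_pips(dump):
    """Return ports that carry a PIP but are not server ports while VMA is off."""
    sections = parse(dump)
    if "/c/slb/adv/matrix dis" not in sections:  # assumption: this line is VMA
        return []
    ports = {}
    for header, settings in sections.items():
        m = PORT.match(header)
        if m:  # the same port can appear in several stanzas; merge them
            ports.setdefault(int(m.group(1)), []).extend(settings)
    return sorted(p for p, s in ports.items()
                  if any(x.startswith("pip ") for x in s) and "server ena" not in s)

if __name__ == "__main__":
    print("original:", misplaced_pips(SAMPLE))
    print("after fix:", misplaced_pips(FIXED))
```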

This archive was generated by hypermail 2.1.8 : Fri Apr 01 2005 - 09:36:37 EST