List: loadbalancing-l
Subject: RE: [load balancing] SSL / Alteon / iPlanet
From: "Henry Silva" <hsilva1 () nortelnetworks ! com>
Date: 2003-04-28 17:22:27
Hi Steve, yes your understanding is essentially correct. By enabling
server processing, you are telling the switch to look into the session
table to perform the real server ip to virtual server ip address
translation.

This also explains why server processing is not required if you
are PIP'ing your ingress client traffic since the switch uses PIP address to
index back into the session table if the DIP equals a configured PIP address.

Hope this helps.

Henry
-----Original Message-----
From: Steven Christall [mailto:SChristall@buildonline.com]
Sent: Monday, April 28, 2003 9:57 AM
To: 'lb-l@vegan.net'
Subject: RE: [load balancing] SSL / Alteon / iPlanet
Phil, thanks for that
I am about to embark on more ambitious AD3 work this week, I have another
two arriving, setting up with VRRP etc, plus using cookie tracking for
server persistence.
While the learning curve is a bit steeper than BigIP, I am finding that I
like the cli, and it seems to hang together a bit better ... still have one
BigIP unit though.
Can you explain to me what server processing actually does? Is it using a
lookup table to determine what goes where? I ask because in my environment,
I set the default gateway on my Sun servers to the AD3, but even if I bypass
the AD3 on the way in ... ie direct NAT to a server, not the VIRP of the
AD3, the traffic still correctly finds its way back out ..... is this simply
because the AD3 has no record of the packets arriving at the server
processing port, leaves them alone and forwards to the next gateway?
Thanks a lot
Steve
-----Original Message-----
From: Philip Goldie [mailto:pgoldie@nortelnetworks.com]
Sent: 27 April 2003 12:56
To: lb-l@vegan.net
Subject: RE: [load balancing] SSL / Alteon / iPlanet
Steve,
Not sure why it says to turn off Server processing, this will always be
needed !!
With the setup you've got, you should be able to turn client proxy on or off
on the iSD and get the same result.
Phil.
-----Original Message-----
From: Steven Christall [mailto:SChristall@buildonline.com]
Sent: 16 April 2003 07:08
To: 'lb-l@vegan.net'
Subject: RE: [load balancing] SSL / Alteon / iPlanet
Followup!
OK .... after bashing around in the AD3 for a while I have parts working.
Have setup basically as per iSD3.0 guide, three VLANs, two real server
groups (webserver=1, iSD=2)
I have my firewalls (fw1 vrrp) partial nat to Virt1 on ad3
I have VLAN1 running with Virt1, client ena, filters enabled with 100
redirecting https to group2 = real iSD + fwlb ena, 224 anything else allowed
I have VLAN2 running with client ena, RTS enabled, iSD is setup with 443
connecting to 80, with Virt1 address from above
I have VLAN3 running with server ena, filters ena 224 (everything allowed
back)
This works (YAH!) after many hours of trying because of our funky
environment. So I have 80+443 all going to 80 on real webserver with iSD
accelerator doing its thing.
PROBLEM! I really would like this to work with client proxy turned on.
When I turn on client proxy, (turning off server processing as per manual on
webserver ports) HTTPS stops working ... HTTP still works
Any ideas?
Great group BTW!
Cheers
Steve Christall
-----Original Message-----
From: Steven Christall [mailto:SChristall@buildonline.com]
Sent: 10 April 2003 11:07
To: lb-l@vegan.net
Subject: RE: [load balancing] SSL / Alteon / iPlanet
Thanks to Philip, Marcel and John for your replies and great ideas!!
Am having a play today, will let you know how it goes
Best
Steve Christall
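
A simplified model of the session-table behaviour described in Henry's reply, added here as an illustration; it is not code from the thread or from the Alteon software. The class and field names, the addresses and the proxy-port allocation are assumptions.

```python
# Toy model (constructed): names, addresses and the proxy-port pool are
# assumptions made for illustration, not Alteon internals.
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Packet:
    sip: str
    sport: int
    dip: str
    dport: int

class Switch:
    def __init__(self, vip, real, pip=None):
        self.vip, self.real, self.pip = vip, real, pip
        self.sessions = {}        # return-path key -> (client ip, client port)
        self.next_pport = 40000   # assumed proxy source-port pool

    def client_in(self, pkt):
        """Client -> VIP: record the session, rewrite DIP to the real server."""
        if pkt.dip != self.vip:
            return pkt            # not addressed to the VIP: no session entry
        if self.pip:              # PIP: the client source address is replaced too
            key = (self.pip, self.next_pport)
            out = Packet(self.pip, self.next_pport, self.real, pkt.dport)
            self.next_pport += 1
        else:
            key = (pkt.sip, pkt.sport)
            out = replace(pkt, dip=self.real)
        self.sessions[key] = (pkt.sip, pkt.sport)
        return out

    def server_out(self, pkt, server_processing):
        """Real server -> client: undo the translation when a session matches."""
        # The table is consulted if the port has server processing enabled,
        # or if the destination IP equals the configured PIP.
        if not (server_processing or pkt.dip == self.pip):
            return pkt
        client = self.sessions.get((pkt.dip, pkt.dport))
        if client is None:
            return pkt            # no record: left alone and forwarded normally
        return Packet(self.vip, pkt.sport, client[0], client[1])

def reply(pkt):
    """The server's answer to a packet: source and destination swapped."""
    return Packet(pkt.dip, pkt.dport, pkt.sip, pkt.sport)
```

In this model, traffic that reached the server without passing through the virtual server has no session entry, so the return packet is forwarded unchanged, which is the case Steve asks about.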