
List:       loadbalancing-l
Subject:    Re: Re: [load balancing] Re: Help with Alteon 2208 configuration
From:       Ken Thurman <ken_thurman () alltel ! net>
Date:       2007-01-09 14:39:52
Message-ID: 20070109143952.DATZ10623.ispmxmta05-srv.windstream.net () webmail-relay ! alltel ! net

Hi Qian,

First let me ask, did my suggestion resolve the problem? It was historical for the
Alteon/Nortel loadbalancer to not allow using a VIP address as a proxy/NAT address;
this was introduced in version 22 when they separated the proxy processing from the
SP's. So it may very well be a design function that if there are no services available
for the VIP then the switch would not respond to the VIP address even for proxy/NAT
processing. That is why I suggested that you use a different NAT address than the VIP.

As for your understanding of the flow, you are pretty much correct, except it is a
little more complicated than that. When doing a MANY to ONE NAT the switch will
replace both the source port and source IP address of the request, and filter 14 says
to replace any source as long as it is not destined for the 10.10.10.0/23 network. So
in the case of SLB processing, server processing happens before filter processing, so
when accessing the VIP on a service port the switch will first translate the private
address to the VIP, then when it does filter processing it will try and NAT it again,
which will change the source port from 80 or whatever the service was that was
responding. This is why you needed the filter 10 to exempt packets that are from the
VIP from being NAT'ed by filter 14.

Does this make sense? If you want to verify the behavior of using a many to one
NAT with the same address as the VIP when there are no services up on the VIP, then you
should call Nortel support. It could be that it's not a design function but just a
bug. In any case if you change the NAT address to some other public address it should
work as you want it to. There is no reason that I can think of that you would need to
source your private servers' requests to the internet from the VIP address; it might
be more convenient if you are doing both inbound SMTP and outbound SMTP, but not a
requirement.

Regards,

Ken Thurman
 
> 
> From: "qian hangwei" <qianhangwei@gmail.com>
> Date: 2007/01/08 Mon PM 11:27:53 CST
> To: lb-l@vegan.net
> Subject: Re: Re: [load balancing] Re: Help with Alteon 2208 configuration
> 
> Hi Ken,
> 
> Thanks for your reply!
> I still do not quite understand well and I am sorry for my stupidity!
> I think I still do not understand well about filter 14. In my understanding,
> it is used to translate the source IP into proxy IP (same with VIP in my
> case) when the internal server wants to access external network.
> Following is my understanding of the translation of the IPs:
> When an external client IP (a.b.c.d) wants to access the internal server, it
> uses the VIP as the destination IP and a.b.c.d as source IP. When the packet
> reaches the application switch, the switch uses SLB and the destination IP
> (VIP) will be replaced with an internal server IP (10.10.10.x). And then
> filter 14 functions, replacing source IP (a.b.c.d) with proxy IP (the same
> with VIP). Do you mean at this time the switch will deny the packet from
> being sent to internal server (10.10.10.x)? Why? Because I did not see any
> command in filter 14 that denies this.
> And then the internal server sends response packet with 10.10.10.x as source
> IP and a.b.c.d as destination IP. When the response packet reaches the
> switch, filter 14 functions and replaces the source IP (10.10.10.x) with VIP
> and the packet reaches the external client a.b.c.d.
> What am I missing in the flow above?
> 
> Thanks,
> 
> Best wishes,
> -Qian
> 
> On 1/8/07, Ken Thurman <ken_thurman@alltel.net> wrote:
> > 
> > Qian,
> > 
> > I think this is caused by using the VIP address as the NAT Proxy IP
> > address, try using another address that is public accessible in the same
> > subnet as the VIP for your NAT address (proxy in filter 14). As for what you
> > did to deny VIP responses, you did that when you put in the NAT filter, it
> > only excludes packets that are destined for the local internal subnet so
> > that health checks will work and local server to server traffic doesn't get
> > NAT'ed.
> > 
> > Good luck
> > 
> > Ken Thurman
> > > 
> > > From: "qian hangwei" <qianhangwei@gmail.com>
> > > Date: 2007/01/07 Sun PM 11:24:54 CST
> > > To: lb-l@vegan.net
> > > Subject: Re: Re: [load balancing] Re: Help with Alteon 2208 configuration
> > > 
> > > Hi,
> > > Also I found just now that all the internal servers can not access the
> > > external internet if I turn the services off on every server. And as long
> > > as I turn the service on on a single internal server, all the internal
> > > servers can access the internet. It's a little weird.
> > > Could anyone please give some comments to me?
> > > Thanks,
> > > 
> > > Best wishes,
> > > Hangwei Qian
> > > 
> > > On 1/7/07, qian hangwei <qianhangwei@gmail.com> wrote:
> > > > 
> > > > Hi Ken,
> > > > 
> > > > Thank you very much for your hints. It works now :)
> > > > But I still do not understand the reason. I am new to Alteon and still
> > > > confused by some basic concepts, like filter, SLB and so forth.
> > > > Can the NAT and the SLB coexist? Because you know, SLB allows me to access
> > > > the internal servers using the VIP from external network and NAT (I mean just
> > > > filt 14 only) allows the internal servers to access the external internet.
> > > > And why do I need to add a filter to allow response from VIP? Because I did
> > > > nothing to deny the response from VIP, is it by default denying the response
> > > > from VIP?
> > > > Thank you again for your help!
> > > > 
> > > > Best wishes,
> > > > Hangwei Qian
> > > > 
> > > > 
> > > > 
> > > > 
> > > > On 1/7/07, Ken Thurman < ken_thurman@alltel.net> wrote:
> > > > > 
> > > > > Qian,
> > > > > 
> > > > > You also need a filter to allow responses from the VIP so that it
> > > > > doesn't NAT it. Server processing happens before Filter processing so you
> > > > > will need a filter number 10 (lower than 14) with SIP = the VIP address, and
> > > > > SIP mask = 255.255.255.255, with action allow, and apply this to the same
> > > > > ports that your servers are connected to (same port that filter 14 is
> > > > > enabled on). This will allow the server responses that are lb'ed to NOT get
> > > > > natted again.
> > > > > 
> > > > > Regards,
> > > > > 
> > > > > Ken Thurman
> > > > > > 
> > > > > > From: "qian hangwei" <qianhangwei@gmail.com>
> > > > > > Date: 2007/01/07 Sun PM 04:40:36 CST
> > > > > > To: lb-l@vegan.net
> > > > > > Subject: Re: [load balancing] Re: Help with Alteon 2208 configuration
> > > > > > 
> > > > > > Hi All,
> > > > > > After I fixed the SLB problem, I have tried the NAT on the Alteon, adding
> > > > > > a filter on ports 1 and 2, which connect the internal servers to the
> > > > > > Alteon, and now the internal servers in the private network can access
> > > > > > the internet.
> > > > > > The filter I added on ports 1 and 2 is as follows:
> > > > > > /cfg/slb/filt 14
> > > > > > invert ena
> > > > > > dip 10.10.10.0
> > > > > > 255.255.254.0
> > > > > > sip any
> > > > > > action nat
> > > > > > nat source
> > > > > > ena
> > > > > > adv/proxy enable
> > > > > > proxyip 129.22.151.164
> > > > > > 
> > > > > > But now new problems happened. The SLB does not work and external clients
> > > > > > can not access the server now using the virtual IP. And after I disable the
> > > > > > filter, the SLB is OK and I can access the servers from outside.
> > > > > > Do I miss something? Can I access the internal servers from the external
> > > > > > network using the virtual IP and meanwhile make the internal servers able
> > > > > > to access the internet using NAT?
> > > > > > 
> > > > > > Thanks very much again!
> > > > > > 
> > > > > > -Qian
> > > > > > 
> > > > > > 
> > > > > > 
> > > > > > On 1/6/07, Ken Thurman <ken_thurman@alltel.net> wrote:
> > > > > > > 
> > > > > > > Qian,
> > > > > > > 
> > > > > > > 
> > > > > > > 
> > > > > > > First off, service 8080 is not defined for the VIP, only service 80 is;
> > > > > > > second, check to verify that the default gateway of the real server is
> > > > > > > 10.10.10.1 so that it routes back thru the Alteon. If you want to have the
> > > > > > > servers access the internet you need to do a NAT which can be done on the
> > > > > > > Alteon, see the application guide on how to set it up for a many to one NAT.
> > > > > > > 
> > > > > > > 
> > > > > > > 
> > > > > > > 
> > > > > > > Regards,
> > > > > > > 
> > > > > > > 
> > > > > > > 
> > > > > > > Ken Thurman
> > > > > > > 
> > > > > > > 
> > > > > > > 
> > > > > > > -----Original Message-----
> > > > > > > *From:* owner-lb-l@vegan.net [mailto:owner-lb-l@vegan.net] *On Behalf Of* Ron Olsen
> > > > > > > *Sent:* Friday, January 05, 2007 6:00 PM
> > > > > > > *To:* 'lb-l@vegan.net'
> > > > > > > *Subject:* RE: [load balancing] Re: Help with Alteon 2208 configuration
> > > > > > > 
> > > > > > > 
> > > > > > > 
> > > > > > > Are you sure Tomcat is listening on the public IP address? I recently ran
> > > > > > > into the same thing on a newly installed server, and Tomcat responded
> > > > > > > perfectly when tested locally using the http://localhost but not via the
> > > > > > > network. It turns out that Tomcat was listening on the loopback address
> > > > > > > (127.0.0.1) and not the public one.
> > > > > > > 
> > > > > > > 
> > > > > > > 
> > > > > > > Ron
> > > > > > > 
> > > > > > > -----Original Message-----
> > > > > > > *From:* qian hangwei [mailto: qianhangwei@gmail.com]
> > > > > > > *Sent:* Friday, January 05, 2007 11:33 AM
> > > > > > > *To:* lb-l@vegan.net
> > > > > > > *Subject:* Re: [load balancing] Re: Help with Alteon 2208 configuration
> > > > > > > 
> > > > > > > Hi Robert,
> > > > > > > 
> > > > > > > Thank you for your message!
> > > > > > > Actually, I have used the "/cfg/slb/adb/direct e", but it still does not
> > > > > > > work.
> > > > > > > I installed tomcat on the server and use http://129.22.151.164:8080 to
> > > > > > > access the tomcat default page from external network, but failed. And I am
> > > > > > > sure that tomcat works correctly because on the server I can get the default
> > > > > > > page using http://localhost:8080 .
> > > > > > > 
> > > > > > > Thanks,
> > > > > > > 
> > > > > > > On 1/4/07, *robert rauch* <r.rauch@mobilkom.at > wrote:
> > > > > > > 
> > > > > > > Hello,
> > > > > > > 
> > > > > > > if I understand you correctly then to access the servers you can enable
> > > > > > > DAM "direct access mode"
> > > > > > > /cfg/slb/adv/direct e
> > > > > > > This will allow direct connectivity to the servers without alteon.
> > > > > > > As far as the servers not being able to access the internet you will have to
> > > > > > > use a NAT, either on the alteon or if possible on the default gateway.
> > > > > > > 
> > > > > > > Hope this helps a bit
> > > > > > > Robert
> > > > > > > 
> > > > > > > 
> > > > > > > 
> > > > > > > qian hangwei <qianhangwei <at> gmail.com> writes:
> > > > > > > 
> > > > > > > 
> > > > > > > 
> > > > > > > Hi Folks, Happy new year! Now I am working on an Alteon 2208 switch and have
> > > > > > > problems. What I want is server load balancing, with servers in a private
> > > > > > > network (10.10.10.x/23) providing same services. I use virtual server and real
> > > > > > > server method. For testing, I just use one server with private IP
> > > > > > > 10.10.10.2. Virtual IP is 129.22.151.164, which is a public accessible IP.
> > > > > > > The server uses port 1 to connect to the Alteon 2208 switch and the switch
> > > > > > > uses port 9 to connect to the router (129.22.150.1). I use the following
> > > > > > > commands to do so:
> > > > > > > 
> > > > > > > L2:
> > > > > > > /cfg/l2/vlan 2
> > > > > > > Add 9
> > > > > > > Ena
> > > > > > > 
> > > > > > > /cfg/l2/vlan 3
> > > > > > > Add 1-3
> > > > > > > Ena
> > > > > > > 
> > > > > > > L3:
> > > > > > > /cfg/l3/if 1
> > > > > > > Addr 129.22.151.173
> > > > > > > Mask 255.255.254.0
> > > > > > > Vlan 2
> > > > > > > Ena
> > > > > > > 
> > > > > > > /cfg/l3/if 2
> > > > > > > Addr 10.10.10.1
> > > > > > > Mask 255.255.254.0
> > > > > > > Vlan 3
> > > > > > > Ena
> > > > > > > 
> > > > > > > /cfg/l3/gw 5
> > > > > > > Addr 129.22.150.1
> > > > > > > Vlan 2
> > > > > > > Ena
> > > > > > > 
> > > > > > > /cfg/l3/gw 1
> > > > > > > Addr 129.22.150.1
> > > > > > > Ena
> > > > > > > 
> > > > > > > Slb:
> > > > > > > /cfg/slb/real 1
> > > > > > > Rip 10.10.10.2
> > > > > > > Ena
> > > > > > > 
> > > > > > > /cfg/slb/group 1
> > > > > > > Add 1
> > > > > > > 
> > > > > > > /cfg/slb/virt 1
> > > > > > > Vip 129.22.151.164 (a public accessible IP)
> > > > > > > Ena
> > > > > > > Service http
> > > > > > > Group 1
> > > > > > > 
> > > > > > > /cfg/slb/port 1
> > > > > > > server ena
> > > > > > > 
> > > > > > > /cfg/slb/port 9
> > > > > > > client ena
> > > > > > > 
> > > > > > > /cfg/slb/on
> > > > > > > Now I can ping the virtual IP 129.22.151.164 from external network, but can
> > > > > > > not access the server in the private network. And also, the server in the
> > > > > > > private network can not access the internet either.
> > > > > > > I am new to Alteon switch and have no idea about it. Could you please give
> > > > > > > me some hints? Thank you very much
> > > > > > > 
> > > > > > > 
> > > > > > > 
> > > > > > > 
> > > > > > > 
> > > > > > > ____________________
> > > > > > > The Load Balancing Mailing List
> > > > > > > Unsubscribe:    mailto:majordomo@vegan.net?body=unsubscribe%20lb-l
> > > > > > > Archive:        http://vegan.net/lb/archive
> > > > > > > LBDigest:       http://lbdigest.com
> > > > > > > MRTG with SLB:  http://vegan.net/MRTG
> > > > > > > Hosted by:      http://www.tokkisystems.com
> > > > > > > 
> > > > > > > 
> > > > > > > 
> > > > > > > 
> > > > > > 
> > > > > > 
> > > > > 
> > > > > 
> > > > > 
> > > > 
> > > 
> > > 
> > 
> > 
> > 
> 
> 
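
Added example (not part of the original thread and not Nortel code): a small Python model of the processing order Ken describes, showing why filter 14 alone breaks replies from the VIP and why the lower-numbered allow filter 10 fixes it. Assumed for illustration: filters are evaluated in ascending number with the first match deciding, the NAT source port 40001, the client addresses, and the simplified test for what counts as an SLB reply.

```python
import ipaddress
from dataclasses import dataclass, replace

VIP = "129.22.151.164"        # virtual server IP from the thread
PROXY_IP = VIP                # filter 14 as posted: proxyip equals the VIP
LOCAL_NET = ipaddress.ip_network("10.10.10.0/23")  # dip 10.10.10.0 / 255.255.254.0
REAL_IP, SERVICE_PORT = "10.10.10.2", 80           # real 1 and "Service http"
NAT_PORT = 40001              # assumed port picked by the many-to-one NAT

@dataclass(frozen=True)
class Packet:
    sip: str
    sport: int
    dip: str
    dport: int

def slb_server_processing(pkt):
    # Simplified: a packet sourced from the real server's service port is a
    # reply on a load-balanced session, so its source is rewritten to the VIP.
    if pkt.sip == REAL_IP and pkt.sport == SERVICE_PORT:
        return replace(pkt, sip=VIP)
    return pkt

def filter_10(pkt):
    # sip = VIP, mask 255.255.255.255, action allow: match and leave untouched.
    return pkt if pkt.sip == VIP else None

def filter_14(pkt):
    # invert ena + dip 10.10.10.0/23: matches anything NOT destined for the
    # local subnet, then source NAT rewrites both source IP and source port.
    if ipaddress.ip_address(pkt.dip) in LOCAL_NET:
        return None
    return replace(pkt, sip=PROXY_IP, sport=NAT_PORT)

def server_port_egress(pkt, filters):
    # Server processing runs first, then filters in ascending number
    # (assumed: the first filter that matches decides the outcome).
    pkt = slb_server_processing(pkt)
    for number in sorted(filters):
        result = filters[number](pkt)
        if result is not None:
            return result
    return pkt

# Constructed sample packets (client addresses are documentation ranges).
reply = Packet(REAL_IP, 80, "203.0.113.7", 51000)       # answer to an SLB client
outbound = Packet(REAL_IP, 33000, "198.51.100.9", 80)   # server browsing the internet
local = Packet(REAL_IP, 33001, "10.10.10.3", 22)        # server-to-server traffic
```

Calling server_port_egress(reply, {14: filter_14}) returns the reply with source port 40001 instead of 80, so the client cannot match it to its connection; with {10: filter_10, 14: filter_14} the reply leaves unchanged from VIP:80 while server-initiated traffic is still NATed.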
