ServerIron ADX Server Load Balancing Guide
Release 12.0.00
June 15, 2009


Shareable Source NAT for High Availability
You can configure both peer ServerIrons in a high-availability configuration to share the same source NAT IP address. In addition, the source NAT sessions are synchronized between the peers. Previously, shareable source NAT IP addresses were supported only for hot-standby configurations, and source NAT sessions were not synchronized.
In a high-availability configuration, an address configured as a source IP address serves the following purposes:
The ServerIron uses the address for source NAT. To keep track of the flows for which source NAT has been performed, the ServerIron allocates a “port” to each flow. For each source IP address, up to 54,000 ports can be allocated to flows.
In a hot-standby configuration, the active ServerIron “owned” the source NAT IP address, responding to ARP requests and performing source NAT with the configured source IP address. When failover occurred, the standby ServerIron, also configured with the same source NAT IP address, took over these duties. However, the source NAT sessions were not synchronized between the peers.
In an active-active SSLB configuration, where both peer ServerIrons are active for the same application port and VIP at the same time, it was not possible for both peer ServerIrons to perform source NAT using the same source IP address, since a conflict could occur if both ServerIrons allocated the same port to different flows.
You can divide the ports used for source NAT for a given source IP address into two equal groups, or port ranges. One peer controls the “lower” port range, and the other peer controls the “upper” port range. When performing source NAT, each peer allocates ports belonging only to its port range, thus avoiding port conflicts.
In Symmetric SLB configurations, ownership of the source IP address is based on the port range. The peer controlling the upper port range for the source IP address is the owner of the address and responds to ARP requests. If the owner of the source IP address fails, the peer takes over ownership of the source IP address. When this feature is enabled, the two ServerIrons report and receive the ownership of the source IP address using a variation of the SSLB protocol. When the ports used for source NAT for a given source IP address are divided in this way, it allows the same source IP address to be configured on both peers in all supported high-availability configurations, including active-standby and active-active SSLB.
In hot-standby SLB configurations, the active ServerIron is the owner of the source IP address. However, you must still define each ServerIron’s port range in order to prevent port conflicts between different flows.
NOTE: System limitation: The ServerIron does not support symmetric SLB with shared source NAT IPs. This is because the VIP and the source IP may not be active on the same ServerIron, and as a result, the ServerIron will not know how to forward return traffic. Configure sym-active as a workaround.
Router Configuration Example
Figure 6.13 illustrates a sample active-active SSLB configuration that uses shared source IP addresses.
Figure 6.13
ServerIron-A Configuration
The following commands configure ServerIron-A in Figure 6.13.
ServerIron-A(config)# ip address 10.10.1.1 255.255.0.0
ServerIron-A(config)# ip default-gateway 10.10.1.254

ServerIron-A(config)# server port 80
ServerIron-A(config-port-http)# session-sync
ServerIron-A(config-port-http)# tcp
ServerIron-A(config-port-http)# exit

ServerIron-A(config)# server port 21
ServerIron-A(config-port-ftp)# session-sync
ServerIron-A(config-port-ftp)# exit

ServerIron-A(config)# server port 23
ServerIron-A(config-port-telnet)# session-sync
ServerIron-A(config-port-telnet)# exit

ServerIron-A(config)# server source-nat-ip 10.10.1.10 255.255.0.0 0.0.0.0 port-ra 1
ServerIron-A(config)# server source-nat-ip 10.10.1.11 255.255.0.0 0.0.0.0 port-ra 1
ServerIron-A(config)# server source-nat-ip 10.10.1.12 255.255.0.0 0.0.0.0 port-ra 1

ServerIron-A(config)# server router-ports ethernet 3/1

ServerIron-A(config)# server real rs1 10.10.1.30
ServerIron-A(config-rs-rs1)# port http
ServerIron-A(config-rs-rs1)# port http url "HEAD /"
ServerIron-A(config-rs-rs1)# port ftp
ServerIron-A(config-rs-rs1)# port rtsp
ServerIron-A(config-rs-rs1)# port telnet
ServerIron-A(config-rs-rs1)# exit

ServerIron-A(config)# server real rs2 10.10.1.31
ServerIron-A(config-rs-rs2)# port http
ServerIron-A(config-rs-rs2)# port http url "HEAD /"
ServerIron-A(config-rs-rs2)# port ftp
ServerIron-A(config-rs-rs2)# port rtsp
ServerIron-A(config-rs-rs2)# port telnet
ServerIron-A(config-rs-rs2)# exit

ServerIron-A(config)# server real rs3 10.10.2.30
ServerIron-A(config-rs-rs3)# port http
ServerIron-A(config-rs-rs3)# port http url "HEAD /"
ServerIron-A(config-rs-rs3)# port ftp
ServerIron-A(config-rs-rs3)# port telnet
ServerIron-A(config-rs-rs3)# exit

ServerIron-A(config)# server real rs4 10.10.2.31
ServerIron-A(config-rs-rs4)# port http
ServerIron-A(config-rs-rs4)# port http url "HEAD /"
ServerIron-A(config-rs-rs4)# port ftp
ServerIron-A(config-rs-rs4)# port telnet
ServerIron-A(config-rs-rs4)# exit

ServerIron-A(config)# server virtual-name-or-ip test 10.10.1.100
ServerIron-A(config-vs-test)# sym-priority 200
ServerIron-A(config-vs-test)# sym-active
ServerIron-A(config-vs-test)# port http
ServerIron-A(config-vs-test)# port ftp
ServerIron-A(config-vs-test)# port telnet
ServerIron-A(config-vs-test)# bind http rs1 http rs2 http rs3 http rs4 http
ServerIron-A(config-vs-test)# bind ftp rs1 ftp rs2 ftp rs3 ftp rs4 ftp
ServerIron-A(config-vs-test)# bind telnet rs1 telnet rs2 telnet rs3 telnet rs4 telnet
ServerIron-A(config-vs-test)# exit
ServerIron-B Configuration
The following commands configure ServerIron-B in Figure 6.13. The commands are the same as those for ServerIron-A except for the ServerIron’s IP address, the source NAT port range (2 instead of 1), and the sym-priority value (100 instead of 200).
ServerIron-B(config)# ip address 10.10.1.2 255.255.0.0
ServerIron-B(config)# ip default-gateway 10.10.1.254

ServerIron-B(config)# server port 80
ServerIron-B(config-port-http)# session-sync
ServerIron-B(config-port-http)# tcp
ServerIron-B(config-port-http)# exit

ServerIron-B(config)# server port 21
ServerIron-B(config-port-ftp)# session-sync
ServerIron-B(config-port-ftp)# exit

ServerIron-B(config)# server port 23
ServerIron-B(config-port-telnet)# session-sync
ServerIron-B(config-port-telnet)# exit

ServerIron-B(config)# server source-nat-ip 10.10.1.10 255.255.0.0 0.0.0.0 port-ra 2
ServerIron-B(config)# server source-nat-ip 10.10.1.11 255.255.0.0 0.0.0.0 port-ra 2
ServerIron-B(config)# server source-nat-ip 10.10.1.12 255.255.0.0 0.0.0.0 port-ra 2

ServerIron-B(config)# server router-ports ethernet 3/1

ServerIron-B(config)# server real rs1 10.10.1.30
ServerIron-B(config-rs-rs1)# port http
ServerIron-B(config-rs-rs1)# port http url "HEAD /"
ServerIron-B(config-rs-rs1)# port ftp
ServerIron-B(config-rs-rs1)# port rtsp
ServerIron-B(config-rs-rs1)# port telnet
ServerIron-B(config-rs-rs1)# exit

ServerIron-B(config)# server real rs2 10.10.1.31
ServerIron-B(config-rs-rs2)# port http
ServerIron-B(config-rs-rs2)# port http url "HEAD /"
ServerIron-B(config-rs-rs2)# port ftp
ServerIron-B(config-rs-rs2)# port rtsp
ServerIron-B(config-rs-rs2)# port telnet
ServerIron-B(config-rs-rs2)# exit

ServerIron-B(config)# server real rs3 10.10.2.30
ServerIron-B(config-rs-rs3)# port http
ServerIron-B(config-rs-rs3)# port http url "HEAD /"
ServerIron-B(config-rs-rs3)# port ftp
ServerIron-B(config-rs-rs3)# port telnet
ServerIron-B(config-rs-rs3)# exit

ServerIron-B(config)# server real rs4 10.10.2.31
ServerIron-B(config-rs-rs4)# port http
ServerIron-B(config-rs-rs4)# port http url "HEAD /"
ServerIron-B(config-rs-rs4)# port ftp
ServerIron-B(config-rs-rs4)# port telnet
ServerIron-B(config-rs-rs4)# exit

ServerIron-B(config)# server virtual-name-or-ip test 10.10.1.100
ServerIron-B(config-vs-test)# sym-priority 100
ServerIron-B(config-vs-test)# sym-active
ServerIron-B(config-vs-test)# port http
ServerIron-B(config-vs-test)# port ftp
ServerIron-B(config-vs-test)# port telnet
ServerIron-B(config-vs-test)# bind http rs1 http rs2 http rs3 http rs4 http
ServerIron-B(config-vs-test)# bind ftp rs1 ftp rs2 ftp rs3 ftp rs4 ftp
ServerIron-B(config-vs-test)# bind telnet rs1 telnet rs2 telnet rs3 telnet rs4 telnet
ServerIron-B(config-vs-test)# exit
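The two listings above differ in the port range assigned to each shared source NAT address, and that difference is what prevents both peers from allocating the same port to different flows. The following Python check is an added example, not part of the Brocade guide: it compares the source-nat-ip lines of two peers and reports addresses that are not shared or whose port ranges are not the pair 1 and 2. The function names and the sample inputs are constructed for illustration, and it assumes the range index follows the keyword shown on this page as port-ra.

```python
import re

# Matches the page's "server source-nat-ip <ip> <mask> <gw> port-ra <n>" lines.
# Assumption: "port-ra" is an abbreviated keyword, so longer spellings also match.
NAT_RE = re.compile(
    r"server\s+source-nat-ip\s+(\S+)\s+(\S+)\s+(\S+)(?:\s+port-ra\S*\s+(\d+))?\s*$")

def nat_entries(config_text):
    """Return {source_ip: (mask, range_index or None)} for one peer's config."""
    entries = {}
    for line in config_text.splitlines():
        m = NAT_RE.search(line.strip())
        if m:
            ip, mask, _gw, rng = m.groups()
            entries[ip] = (mask, int(rng) if rng else None)
    return entries

def audit_peers(cfg_a, cfg_b):
    """Return findings for source NAT addresses configured on two HA peers."""
    a, b = nat_entries(cfg_a), nat_entries(cfg_b)
    findings = []
    for ip in sorted(set(a) | set(b)):
        if ip not in a or ip not in b:
            findings.append(f"{ip}: present on one peer only, not shared")
            continue
        (mask_a, rng_a), (mask_b, rng_b) = a[ip], b[ip]
        if mask_a != mask_b:
            findings.append(f"{ip}: mask differs ({mask_a} vs {mask_b})")
        if rng_a is None or rng_b is None:
            findings.append(f"{ip}: port range missing on a peer")
        elif {rng_a, rng_b} != {1, 2}:
            findings.append(f"{ip}: ranges {rng_a}/{rng_b} are not the pair 1 and 2")
    return findings

# Constructed input: PEER_A and PEER_B copy the page's lines; BAD_B is a
# deliberately broken peer (range 1 reused for .11, no range given for .12).
LINE = "server source-nat-ip 10.10.1.{} 255.255.0.0 0.0.0.0{}"
PEER_A = "\n".join(LINE.format(h, " port-ra 1") for h in (10, 11, 12))
PEER_B = "\n".join(LINE.format(h, " port-ra 2") for h in (10, 11, 12))
BAD_B = "\n".join(LINE.format(h, s) for h, s in
                  ((10, " port-ra 2"), (11, " port-ra 1"), (12, "")))

if __name__ == "__main__":
    print(audit_peers(PEER_A, PEER_B))  # page's configuration: no findings
    for finding in audit_peers(PEER_A, BAD_B):
        print(finding)
```

The parser also accepts lines that still carry the CLI prompt, so saved terminal output from each peer can be passed in unchanged.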
Enabling VRRP and Binding a VIP Group to a Virtual Router ID
To enable VRRP and bind a VIP group to a Virtual Router ID (vrid), enter commands such as the following:
ServerIron(config)# router vrrp
ServerIron(config)# interface e 1/2
ServerIron(config-if-e100-1/2)# ip vrrp vrid 1
ServerIron(config-if-e100-12-vrid-1)# vip-group 1
Syntax: [no] router vrrp | vrrp-extended
Syntax: [no] ip vrrp <vrid number>
Syntax: [no] vip-group <number>
The <number> parameter is the VIP group number (from 1 to 10) that you are binding to the VRID.
Each virtual IP address can belong to only one VIP group. Also, each VIP group can have only one VRID associated with it.
Use these commands with the server vip-group command to guarantee simultaneous VIP failover in the event VRRP-E fails over to a Backup router.

Copyright © 2009 Brocade Communications Systems, Inc.