[f-nsp] One Serveriron XL, multiple VLANs

Timothy Arnold tim at uksolutions.co.uk
Thu Dec 2 07:46:53 EST 2004


Thanks to everyone who has replied. I think I might need to describe the
configuration a little better as it is a little more complicated!

At present, I have two Cisco PIX firewalls, on ethernet1 (the inside
interface) I have:

PIX1 	-	10.0.10.1/24
PIX2	- 	10.0.20.1/24

These PIXes connect into a 3Com switch, and I tag the ports with VLAN10
and VLAN20 respectively.

On each network, I have a number of servers. In VLAN10 I would like to
use the ServerIron to load balance my mail servers. These have the IP
addresses 10.0.10.100 and 10.0.10.101

The load balanced IP address should be 10.0.10.10

In VLAN20 I have my web servers, which I would also like to load
balance. These have the IP addresses 10.0.20.200 and 10.0.20.201

The load balanced IP should be 10.0.20.20

There is no requirement for the two VLANs to see each other. However, I
want to use the one ServerIron to do both load balancing jobs, i.e. a
physical ServerIron split into two logical ServerIrons.

I am unsure how this would work! Two questions:

1. If a client request hits 10.0.10.10, it will send the request to
10.0.10.100, for example. Does it send the client IP, or will I need to
do some kind of NAT to ensure the reply is sent back to the ServerIron?

2. How does the default route work if I try to separate the ServerIron
into two VLANs? If a request is made for 10.0.20.20, I need it to be
sent back via 10.0.20.1 (even if it is an external IP address!). I guess
I need some source based routing?

I hope I have made myself clear! Feel free to give any comments (good or
bad!).

Thanks
Tim
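
The layout Tim describes, written out as a ServerIron configuration.
This is an added illustration, not configuration posted in the thread
or taken from Foundry documentation: the VIP and real-server addresses
are Tim's, but the port assignments, the real/virtual server names, the
ServerIron's own addresses in each VLAN (10.0.10.2 and 10.0.20.2) and
the exact spelling of the "source-nat" and "server source-ip" commands
are assumptions to be checked against the release on the box.

```text
! Added example: one ServerIron XL serving two VLANs (switch/L2 layout,
! no routing between VLAN 10 and VLAN 20).  Names, port ranges and the
! SI's own addresses are assumptions; VIPs and reals are from the post.
!
! Each PIX and its reals sit on their own ports; nothing joins the VLANs.
vlan 10 by port
 untagged ethe 1 to 4
vlan 20 by port
 untagged ethe 5 to 8
!
! Question 2 (return path): give the SI an address in each VLAN with its
! own gateway, i.e. the PIX inside interface for that VLAN, instead of
! one global default route.  Traffic for 10.0.20.20 then goes back via
! 10.0.20.1 and traffic for 10.0.10.10 via 10.0.10.1.  (Syntax assumed;
! this is the "source-ip as the def-gw" option from the reply below.)
server source-ip 10.0.10.2 255.255.255.0 10.0.10.1
server source-ip 10.0.20.2 255.255.255.0 10.0.20.1
!
! Question 1 (does the real see the client IP?): by default the SI only
! rewrites the destination, so the real sees the real client address and
! answers straight to the PIX, which has no state for that flow and drops
! it.  "source-nat" makes the SI rewrite the source to its own address in
! that VLAN, so the reply comes back to the SI and is un-NATed there.
! Leave it off only if the reals' default gateway is the SI itself.
server real mail1 10.0.10.100
 source-nat
 port smtp
server real mail2 10.0.10.101
 source-nat
 port smtp
server virtual mail-vip 10.0.10.10
 port smtp
 bind smtp mail1 smtp mail2 smtp
!
! Web farm in VLAN 20, same pattern.
server real web1 10.0.20.200
 source-nat
 port http
server real web2 10.0.20.201
 source-nat
 port http
server virtual web-vip 10.0.20.20
 port http
 bind http web1 http web2 http
```

The cost of source-nat is that the mail and web servers log the
ServerIron's address rather than the client's, so anything that keys on
client IP (rate limiting, SMTP relay rules, web server access logs) has
to be done on the ServerIron or fed the client address another way.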

On Wed, 2004-12-01 at 21:12 -0800, Mike Allen wrote:
> This will work as L2 as well, but you would need to multinet the
> upstream router or use a source-ip as the def-gw.  This gets tricky in
> an HA config, so multinetting is usually the easiest.
> 
> 
> On Thu, 2 Dec 2004 15:04:35 +1000, David J. Hughes <bambi at hughes.com.au> wrote:
> > 
> > Sorry, all my SI experience is in layer 3 configurations.  Guess I'm a
> > routing kinda guy ;-)
> > 
> > David
> > ...
> > 
> > 
> > 
> > 
> > On 02/12/2004, at 1:34 PM, Emilia Lambros wrote:
> > 
> > > Is it possible to do this in L2 mode at all?
> > >
> > >
> > > em
> > >
> > >
> > > -----Original Message-----
> > > From: foundry-nsp-bounces at puck.nether.net
> > > [mailto:foundry-nsp-bounces at puck.nether.net] On Behalf Of Michael
> > > Bellears
> > > Sent: Thursday, 2 December 2004 12:29 PM
> > > To: David J. Hughes; Timothy Arnold
> > > Cc: foundry-nsp at puck.nether.net
> > > Subject: RE: [f-nsp] One Serveriron XL, multiple VLANs
> > >
> > >> And, as I mentioned,
> > >> make sure "ip forward"
> > >> is turned on - just went through this with a mate and it worked much
> > >> better when the box was told to route :-)   [Hi Michael ;-]
> > >
> > > Haha!! - DEFINITELY make sure you have "ip forward" enabled!! (Spent
> > > nearly 2 days trying to work out why traffic would get to the SI, but
> > > not "forward!" to my reals!)
> > >
> > > Thanks again David!
> > >
> > > MB
> > >
> > > _______________________________________________
> > > foundry-nsp mailing list
> > > foundry-nsp at puck.nether.net
> > > http://puck.nether.net/mailman/listinfo/foundry-nsp
> > >
> > >
