[f-nsp] Serveriron / nat

Cliff Fogle Cliff at ofoto.com
Fri Nov 5 14:16:09 EST 2004


*My comments in blue or marked with '*'.  You do have a lot of
questions...I hope I can answer them somewhat clearly.


>Serveriron XL 16 Port. I will be running an active-standby
>configuration (if I can understand how that works too! :)).

*The active standby config is very easy, search the CLI docs for
'sym-priority'.  It also works very well.  I strongly suggest that you
do not download the operating code from the site.  Ask Foundry for a
patch release that is right for you.

>
>>
>> The inside source parameter specifies that the mapping applies to the
>> private address sending traffic to the Internet.
>>
>
>OK, I understand that. I have just tried it and it works fine. Any
>traffic from the server to the internet will use the IP address that I
>have assigned. However, what happens if I want to go from the internet
>to the private address, for incoming SSH requests for example?

*It should work both ways.  Just ssh to the outside address. (from the
outside of course).  Make sure that your real servers' only possible
route to the outside is through the serveriron.  You cannot use DSR in
this config.


>
>>
>> If you are running dual chassis devices in an active-active or
>> active-standby mode I would wait for the new code to be released
>> shortly.  The new (shortly released) IronWare 9.2 code will greatly
>> simplify this.  Instructions for the new configuration are in the
>> release notes for that release.
>>
>
>OK, Do you know when this will be, would you recommend not using NAT in
>an active/standby configuration? What problems occur if you do?

*The new code release is not for the XL series, sorry.  I don't quite
know how to configure this but it involves creating VRRP-E interfaces
for the static nat addresses.  Hopefully the new method in 9.2 will
trickle into the XL code line.


>
>On a side note, in an active/standby configuration. I have been reading
>that you should build the configuration on one serveriron and then
>replicate it to the second serveriron (and using the backup commands to
>configure the backup port) but how does that work if you have virtual
>interfaces? I have a number of ve interfaces for each subnet, so do I
>just copy the same configuration across? The documentation says that you
>need to change the management address? I am unsure what this means!

*Your VEs will need vrrp-e interfaces.  There are lots of bugs in the
config sync stuff...it's pretty brand new.  I usually just tftp the
config off the 'active' SI, edit the ip addresses, vrrp-e priorities and
the sym-priorities and tftp it up to the 'standby'.  One of the cool
things about the 'sym-priority' stuff is that you can have one SI active
for virtual server X and the other active for virtual Y.  So you have
them backing each other up, but you're balancing load across the two
XLs.  


>
>Sorry if I am asking too many questions! Thanks for all your help!
>
>Kind regards
>Tim.
>
>> -----Original Message-----
>> From: foundry-nsp-bounces at puck.nether.net
>> [mailto:foundry-nsp-bounces at puck.nether.net] On Behalf Of Timothy
>> Arnold
>> Sent: Thursday, November 04, 2004 8:20 AM
>> To: foundry-nsp at puck.nether.net
>> Subject: [f-nsp] Serveriron / nat
>>
>> Hi Foundry Gurus
>>
>> I am hoping someone could enlighten me on how network address
>> translation works in the serveriron. Here is the situation.
>>
>> I have two vlans configured - the public vlan with routable IP
>> addresses, this is where the VIP addresses are. The second vlan is a
>> standard 10.x netblock where the servers are located. I have a number
>> of VIPs and load balance a number of web servers - this works great.
>>
>> However, I have a management server that will be accessible via web,
>> ssh etc. Do I need to create a VIP address just for this one server,
>> or can I someway map a public IP address to the internal IP address
>> and vice versa?
>>
>> I hope I have made myself clear!
>>
>> Thanks
>> Tim. :)
>>
>---
>Timothy Arnold
>Technical Support Engineer
>UK Solutions, Birmingham Road
>Studley, B80 7BG
>
>http://www.uksolutions.co.uk
>
>To contact support:
>Via telephone: 08700 681 333
>Via email: support at uksolutions.co.uk
>