[f-nsp] ServerIron 4G-SSL with VLANs and VIPs.

Jared Valentine hidden at xmission.com
Thu Jun 24 02:19:28 EDT 2010


I've configured something similar with switch code before. It was a little convoluted and there wasn't a firewall between the different load balanced layers. 

You can use source-nat-ip addresses as the default gateway for the different tiers. They NAT overload out when they initiate Internet-bound traffic.

The only problem we ran into was that real servers couldn't access VIPs in other subnets. We fixed that by duplicating some VIPs in different subnets. 

Also look at ACL-based source-nat. You might need that tool as well. 

Prem code doesn't have this limitation according to TAC. So upgrading might be in the cards for you. 

If this isn't clear, send over a network diagram and I will see if I can provide a little more help. 

Good luck,

Jared



On Jun 23, 2010, at 7:19 PM, Jimmy Stewpot <mailers at oranged.to> wrote:

> Hi All,
> 
> I am currently managing a pair of 4G-SSLs which handle a very busy web service. The load on those web servers has now increased beyond what our back end application servers can handle, so we need to start load balancing on the back end too. I have looked at the configuration and was trying to see if it's possible to have multiple VLANs and segregate the traffic and VIPs between VLANs so we have something like this:
> 
> Internet -> FW -> Load Balancer A (vlan2) -> Web -> FW -> Load Balancer A (vlan3) -> Application Tier -> FW -> DB Tier.
> 
> The Application tier has intelligence at the app level that does load balancing and so on, which makes that area scale; however, the web page runs on RPC over HTTPS. That is what we need to load balance so we can scale out sideways. Now my question is: do we need to have the routing/advanced L3 feature set to be able to accommodate this type of requirement on the 4G-SSL?
> 
> Regards,
> 
> Jimmy Stewpot.
> _______________________________________________
> foundry-nsp mailing list
> foundry-nsp at puck.nether.net
> http://puck.nether.net/mailman/listinfo/foundry-nsp



