satish_81675
Sep 10, 2013

Load balance the load-balanced traffic within the same pool member range!

For example, we have a VIP range 10.10.10.x and a pool range 10.10.11.x, with two VIPs and two pools, one for each pool, and each pool with two nodes. No SNATing, and we are facing issues...

The traffic from the internet hits the vip1=>pool1=>node1 or 2, and the traffic is proxied to vip2=>pool2=>node1 or 2 and gets back to the pool1 nodes and gets back to the requester.

Looking for an optimum solution: either SNATing will work, or any others... design changes are needed.


7 Replies

  • Not clear what issues you are having. We do have a two-stage application with MS Single Sign On using our F5s to load balance. We use SNAT on both VIPs.

     

    Setup: Proxy VIP facing the internet. It SNATs to two proxy servers. The proxy servers refer to a Federated server VIP. That Federated VIP then SNATs to two Federated servers. The reply flows back with a SNAT at each level and back to the original client. Our Proxy and Federated servers are in the same subnet.

     

    Internet -> "Proxy VIP" ->(SNAT) "PROXY server" -> "Federated VIP" -> (SNAT) "Federated server"

     

    It has been running and stable for us for over a year with a couple thousand users and about 8 external partner applications.

     

    • satish_81675
      Thank you for the reply. We don't SNAT the traffic in the DMZ and wanted to see if that is the only other way.
    • Jason_40733
      So if I have this correctly... both of your VIPs are on 10.10.10.x and all four of your pool members are on 10.10.11.x. If you have a loopback IP address of your VIP2 on your Pool2 members, they should respond to the Pool1 members directly with the IP of VIP2. You would probably also want a loopback address of your VIP1 on your Pool1 members. Not sure if that would work for you or not, but it might be worth a try.
    • satish_81675
      Also, the F5 is the default gateway for all the pool members. How do I set up the loopback IP address? Sorry, can you please explain...
  • Can you describe your network setup a bit more please? Is the F5 the default gateway for the servers? If so, you could do this without NAT, particularly if the servers terminate the traffic that comes in via Virtual Server 1.

     

  • Great, so this could work without NAT. The question is, what IP address do the nodes behind VIP2 see: the IP address of the client still, or the IP address of a node behind VIP1? Again, does Node1 or 2 operate as a full proxy (and change the source IP) or not, do you know?

     

    Client > VIP1 > Pool1 > Node1 or 2 > VIP2 > Pool2 > Node 1 or 2
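
Added example, not part of any post in the thread: a small Python model of the return path for the topology discussed above, showing which source address the pool member sees and whether its reply passes back through the F5, with and without SNAT. The /24 mask, the host addresses, the F5 self IP and the internet client address are assumptions chosen to fit the 10.10.10.x and 10.10.11.x ranges in the question.

```python
import ipaddress

# Constructed addresses that fit the ranges in the question (assumptions).
POOL_NET = ipaddress.ip_network("10.10.11.0/24")      # assumed /24
F5_SELF_IP = ipaddress.ip_address("10.10.11.1")       # F5 is the default gateway
VIP1 = ipaddress.ip_address("10.10.10.10")
VIP2 = ipaddress.ip_address("10.10.10.20")
POOL1_NODE = ipaddress.ip_address("10.10.11.11")
POOL2_NODE = ipaddress.ip_address("10.10.11.21")
INTERNET_CLIENT = ipaddress.ip_address("203.0.113.5")  # documentation range


def reply_next_hop(reply_dst):
    """A pool member answers on-link peers directly, everyone else via its gateway."""
    return reply_dst if reply_dst in POOL_NET else F5_SELF_IP


def simulate(client, vip, member, snat):
    """Trace client -> vip -> member and the path the member's reply takes."""
    # Forward path: the F5 rewrites the destination, and the source only with SNAT.
    src_seen_by_member = F5_SELF_IP if snat else client
    # Return path: the member replies to the source address it saw.
    via_f5 = reply_next_hop(src_seen_by_member) == F5_SELF_IP
    # Only a reply that crosses the F5 has its source translated back to the VIP.
    reply_src = vip if via_f5 else member
    return {
        "member_sees_src": str(src_seen_by_member),
        "reply_via_f5": via_f5,
        "reply_src_at_client": str(reply_src),
        # The client opened its connection to the VIP; any other source does not match it.
        "client_accepts": reply_src == vip,
    }


if __name__ == "__main__":
    cases = [
        ("stage 1, no SNAT", INTERNET_CLIENT, VIP1, POOL1_NODE, False),
        ("stage 2, no SNAT", POOL1_NODE, VIP2, POOL2_NODE, False),
        ("stage 2, SNAT", POOL1_NODE, VIP2, POOL2_NODE, True),
    ]
    for name, client, vip, member, snat in cases:
        print(name, simulate(client, vip, member, snat))
```

In this model the first stage works without SNAT because the internet client is off-link, while the second stage fails without SNAT because both pools share one subnet; with SNAT the pool2 member logs the F5 self IP instead of the pool1 node's address.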