Problem connecting locally to VIP address

Answered Question
May 19th, 2008

Hi there. I have a problem that I'm having difficulties solving. I inherited a network design that I think is responsible for the problem but I'm hoping someone out there can help me out. Here's what I've got:

Web-servers: dual NICs, with one NIC on a "local" VLAN (10.10.0.0/24) and the other NIC on the load-balancer back-end VLAN (10.10.4.0/24)

Load-balancers: back-end VLAN (10.10.4.0/24), front-end in the DMZ (10.10.8.0/24). Default gateway goes to the DMZ firewalls.

The problem I'm running into is that I can configure it so that I can either connect directly to each web-server or connect to the load-balanced VIP address -- it's one or the other. I'm fairly certain this is because, since proper load-balancing requires all traffic to go through the load-balancer, the default gateway on my web servers is the load-balancer.

I'm trying to configure it so that I can have access to the load-balanced VIP addresses from the local VLAN (10.10.0.0/24). How do I make that work, though? I've tried using groups, but that didn't seem to work. One thing I haven't tried yet is to create a VIP address for VLAN1. I've attached my config for review.

Thanks for your help!

Correct Answer
Gilles Dufour Mon, 05/19/2008 - 06:46

You can change the default gateway of the server to be a router in the local VLAN.

This will give you access to the servers directly.

Then, to get access to the VIP, you need to configure a group with a group address belonging to the server subnet (10.10.4.x).

Like this, servers do not need to use a gateway to respond to the CSS.

Give that a try and let me know if it works.

Gilles.

branfarm1 Mon, 05/19/2008 - 06:50

Thanks for the response. A couple of questions, though: how will changing the default gateway of the servers affect the traffic already being load-balanced by the 10.10.8.x VIPs? Also, the 10.10.4.x network only exists between the servers and the load-balancers... it is not routed at all. Should I still create a group address in there?

Thanks!

Gilles Dufour Mon, 05/19/2008 - 06:54

The group will do client NAT.

So, all traffic going to the LB will be NATed with the 10.10.4.x address.

The servers will see traffic coming from that address and will respond to it without the need for a router.

It's the only solution to make your design work.

The other approach would be to change the design and just use a single NIC.

Dual NIC is always a source of issues with load balancers.

Gilles.
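As an added illustration of the group approach Gilles describes (not the poster's attached config, which is not on the page, and not Cisco's own documentation), a CSS-style configuration sketch; service names, the 10.10.4.100 group address, the 10.10.8.100 content VIP, the 10.10.0.1 local router and the owner name are all assumed:

```text
! Back-end servers, reachable on the 10.10.4.0/24 VLAN only (addresses assumed)
service web1
  ip address 10.10.4.11
  active

service web2
  ip address 10.10.4.12
  active

! Public VIP in the DMZ; clients from anywhere reach the farm through it
owner branfarm
  content www-vip
    vip address 10.10.8.100
    protocol tcp
    port 80
    add service web1
    add service web2
    active

! Group with a group address on the server subnet. Flows destined to the
! listed services are client-NATed to 10.10.4.100, so the servers see the
! CSS as the source and answer on-link over the back-end NIC, regardless of
! their default gateway.
group local-clients
  vip address 10.10.4.100
  add destination service web1
  add destination service web2
  active

! On each server (outside the CSS): default gateway = local-VLAN router
! 10.10.0.1 (assumed); the 10.10.4.x NIC needs no gateway, because every
! packet it must answer now comes from 10.10.4.100 on the same subnet.
```

One consequence of this client NAT is that the web-server logs record 10.10.4.100 rather than the real client address for every load-balanced request, so any per-client logging or rate-limiting has to be done on the CSS or on a header it inserts, not on the servers.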

branfarm1 Sat, 05/31/2008 - 12:26

Thanks for your help Gilles -- this worked great. I ended up configuring a group and adding service destinations. What's a scenario when you would create a group and use services, instead of service destinations?
