Vladimir (Pearl)

ClusterXL with two public IP ranges

I could use your advice on this subject.

Scenario:

Client getting a /30 and /24 IP ranges from ISP.

ISP expects connectivity between themselves and a client over /30 network.

ISP will be forwarding /24 traffic to the single IP in the /30 network.

ISP does not provide routing equipment.

Client does not have an L3 device between cluster and ISP.

What is the appropriate configuration for the cluster and its members to accommodate this scenario?

I am trying to avoid the use of the manual Proxy ARP and rely on Static NAT for the hosts in DMZs.

[Attached diagram: two-public-ranges-draw.io.png]

Thank you,

Vladimir

7 Replies
Admin

Re: ClusterXL with two public IP ranges

Since ClusterXL does not support one interface being in two different subnets, you might have to connect two physical interfaces to that network segment (one for the /24, the other on /30).
You might need to use private IPs for the interfaces in the /30 segment and make the ClusterXL IP on that interface something in the /30.
Vladimir (Pearl)

Re: ClusterXL with two public IP ranges

"Since ClusterXL does not support one interface being in two different subnets, you might have to connect two physical interfaces to that network segment (one for the /24, the other on /30)."

Is there a reason for the physical interfaces of the cluster members on these two networks to reside on the same L2 segment?

It seems that whether they are on a different L2 segment or the same one, the cluster will have to undertake some roundabout internal routing to forward packets between these two networks.

"You might need to use private IPs for the interfaces in the /30 segment and make the ClusterXL IP on that interface something in the /30."

What about using public IPs from the /24 for the physical interfaces while using a single IP from the /30 for the external VIP?

Would this permit the inbound and outbound routing for both public ranges? If so, what additional configuration parameters may be required to differentiate it from a common single public VIP when used with RFC 1918 addresses on the physical interfaces?

Wolfgang (Silver)

Re: ClusterXL with two public IP ranges

Vladimir,

as Dameon wrote, I think the best way is to use two IPs for the physical interfaces outside on their own private network. One of the IPs from your /30 network should be the cluster VIP.

If you need the addresses from the /24 pool for real hosts, you can deploy a new cluster interface for this subnet and attach it to a switch.

If doing only NAT with this pool, you can use it in your rulebase. As you wrote, the ISP is routing this network from external to one of the addresses from the /30 pool. You don't need any proxy ARP for NAT like this.

Your question...

"What about using public IPs from /24 for physical interfaces while using single IP from /30 for external VIP?"

I think it's better to have the /24 subnet separate from the other IPs; the routing and NAT are clearer.

Wolfgang

Vladimir (Pearl)

Re: ClusterXL with two public IP ranges

Thank you @Wolfgang.

I was not sure, for some reason, that the cluster would source the outbound traffic from otherwise arbitrary IP addresses on its external interfaces.

I have just tested it on a single gateway and it does seem to work as you and @PhoneBoy have described:

A host on an internal private network statically NATed to a public IP from the range NOT assigned to any of the interfaces or defined in the topology is being routed out with the XLATE of the defined public IP out of its external interface.

So long as the ISP will be forwarding the traffic to the /24 in question, this should work for Static NAT purposes.

The only deviation from the norm is that the cluster's portals will be accessible by the IP from the /30 range, but the hosts behind it by IPs from the /24.

Wolfgang (Silver)
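A small design check for the layout Wolfgang describes and Vladimir confirms above (an added example, not code from the thread or from Check Point): it shows why the /30 cannot hold the ISP gateway, the VIP and two member addresses, and classifies static-NAT addresses as "routed via the VIP" (no proxy ARP needed) versus "on the ISP's on-link subnet" (proxy ARP needed). All addresses are constructed documentation ranges, not the poster's real ones.

```python
"""Design check for a cluster behind an ISP /30 with a separately routed /24 (added example).

Assumed, constructed topology: /30 transit link 203.0.113.0/30 shared with the ISP,
the /24 198.51.100.0/24 that the ISP forwards to the cluster VIP, and a private /29
for the members' physical interfaces.
"""
import ipaddress

TRANSIT = ipaddress.ip_network("203.0.113.0/30")        # /30 shared with the ISP
ISP_GW = ipaddress.ip_address("203.0.113.1")            # ISP side of the /30
CLUSTER_VIP = ipaddress.ip_address("203.0.113.2")       # external cluster VIP on the /30
ROUTED_BLOCK = ipaddress.ip_network("198.51.100.0/24")  # ISP routes this block to the VIP
MEMBERS = [ipaddress.ip_address("10.255.255.1"),        # members' physical IPs (RFC 1918)
           ipaddress.ip_address("10.255.255.2")]

def usable_hosts(net):
    """Host addresses usable on a link (network and broadcast addresses excluded)."""
    return len(list(net.hosts()))

def members_fit_in(transit, members):
    """Can the ISP gateway, the VIP and every member's physical IP all live in the transit
    subnet? For a /30 the answer is no, which is why the members need private addresses."""
    return 2 + len(members) <= usable_hosts(transit)

def needs_proxy_arp(nat_ip, isp_onlink, routed_block, vip):
    """Proxy ARP is needed only when the ISP will ARP for the NAT address itself, i.e. when it
    sits on the ISP's on-link subnet. Addresses the ISP reaches via a route to the VIP are
    delivered to the cluster's MAC anyway and need no proxy ARP."""
    nat_ip = ipaddress.ip_address(str(nat_ip))
    isp_onlink = ipaddress.ip_network(str(isp_onlink))
    vip = ipaddress.ip_address(str(vip))
    if nat_ip == vip:                       # hide NAT behind the VIP: the cluster answers ARP
        return False
    if nat_ip in isp_onlink:                # another on-link address: ISP would ARP for it
        return True
    if nat_ip in routed_block and vip in isp_onlink:
        return False                        # forwarded by the ISP's static route to the VIP
    raise ValueError(f"{nat_ip}: the ISP has no path to this address")

def review_static_nats(nat_ips):
    """Map each static-NAT public address to 'proxy-arp' or 'routed' for this topology."""
    return {ip: ("proxy-arp" if needs_proxy_arp(ip, TRANSIT, ROUTED_BLOCK, CLUSTER_VIP)
                 else "routed") for ip in nat_ips}

if __name__ == "__main__":
    print("usable hosts in", TRANSIT, "=", usable_hosts(TRANSIT))
    print("members fit in the /30:", members_fit_in(TRANSIT, MEMBERS))
    print(review_static_nats(["198.51.100.10", "198.51.100.200"]))
```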

Re: ClusterXL with two public IP ranges

Vladimir,

you're right.

We had a similar configuration at one of our customer sites. They are using a smaller /29 subnet for internet access and two other /26 subnets for a lot of published webservices and . The /26s are all statically NATed, and the IP for remote access (MobileAccessPortal and VPN) is from the /29 subnet.

regards

Wolfgang

Employee+

Re: ClusterXL with two public IP ranges

Hi!

I'm not 100% sure if I fully understood your question, but there is a way to configure cluster members with different IP ranges:

See sk32073 for configuration instructions.

I configured this last fall for a client who had only one public IP address from the ISP.

Vladimir (Pearl)

Re: ClusterXL with two public IP ranges

Thank you @Lari_Luoma, the question was really in regard to the gateway NATing to IPs that do not belong to the ranges the interfaces are in.

I am routinely using it in cases of overlapping VPN domains, but was not sure if it would work for normal traffic.

Looks like it does.

Regards,

Vladimir