Multiple VIPs in Different Subnets

Is there any way to set up the CSS with VIPs in different subnets? If we were using an inline configuration, I don't see how this would be possible.
Let's assume three subnets A, B, and C. We would like to have a VIP in subnet A pointing to all the web servers in subnet A. Same for subnets B and C.
I guess we could configure a trunk port with a CIRCUIT interface in each of the subnets A, B, and C. This would allow clients to route to the VIP in each subnet. My concern is the return traffic. With only one default route in the CSS, all return traffic would traverse one CIRCUIT interface. Am I correct, or am I misunderstanding something?
Thanks!
Tom

I believe you are correct. We have practically the same scenario working here. I have a /29 allocated to the front-end of the CSS and the upstream HSRP routers (call that VLAN 10). Then I have multiple subnets for backend servers behind the CSS set up as 802.1q trunk VLANs (call them VLAN 100, 101, 102, etc). I route for those subnets belonging to VLANs 101, 102, etc on the upstream routers to point to the VRRP address of the CSS (the VRRP address of the CSS in VLAN 10). I also route whatever IP used as a virtual to the CSS VRRP address as well. So my upstream routers will have routes to the VIPs and the backend VLANs all pointing to the CSS's VRRP address.
Casey

Similar Messages

  • RAC 11.2:  VIP on different subnet?

    Hi all,
    I searched over the 11.2 docs, but I can't find anything.
    It seems to me that the previous restriction on having VIPs on the same subnet and interface of the RAC's "public" one is gone in 11.2.
    When trying to add a RAC listener I get a list of defined subnets.
    Has anyone tried to add a listener on a subnet different than the public one?
    PS:
    I think it's related to the new "listener_networks" initialization parameter... I'm trying to understand the meaning of this parameter in a rac env.
    Regards,
    Roberto
    Edited by: user627529 on Oct 12, 2009 6:11 AM

    user627529 wrote:
    I host a database whose clients are on different networks.
    Eg: one rac database is on the private (not in rac terminology, but "internal") network, and another database hosted on the cluster had to be accessed from another, public network (firewalled).
    I have 3 options at this point
    1) oracle conn. gw
    2) nat from fw (which is the current cfg)
    3) define another subnet on the rac and create listener on them, registering the db with the second listener

    Would also have used the 2nd option - not too comfortable with the idea of having a node directly wired to a public network, despite firewalls. I would want that to be DMZ'ed and access "proxied" from the public network to the server node using NAT...
    Also.. why direct database access? Usually in such a case (from a public network) access will be via a web based application. In which case you can reverse proxy the public web calls to an Oracle Apache server and have it connect to the server node.

  • 1841 with HWIC-AP multiple SSIDs to different subnets

    Hi experts,
    Please point me toward the right direction, how do I do this setup? Please give me some example? Is this different L3 BVIs along with sub interfaces on dot11radio interface assigned to different bridge-groups?
    Thanks a lot.
    Regards,
    GP

    Hi again,
    I have managed to make it work. Just in case someone needs the same configuration within a single Cisco 1841 router.
    Thanks.
    dot11 ssid cisco
     vlan 10
     authentication open
     authentication key-management wpa
     wpa-psk ascii 7 05080F1C22434D000A0618
    dot11 ssid cisco-guest
     vlan 100
     authentication open
     authentication key-management wpa
     guest-mode
     wpa-psk ascii 7 1511021F0725282D3B303A
    bridge irb
    interface Dot11Radio0/0/0
     no ip address
     encryption mode ciphers aes-ccm
     encryption vlan 10 mode ciphers aes-ccm
     encryption vlan 100 mode ciphers aes-ccm
     ssid cisco
     ssid cisco-guest
     speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
     station-role root access-point
    interface Dot11Radio0/0/0.10
     encapsulation dot1Q 10
     no cdp enable
     bridge-group 10
     bridge-group 10 subscriber-loop-control
     bridge-group 10 block-unknown-source
     no bridge-group 10 source-learning
     no bridge-group 10 unicast-flooding
    interface Dot11Radio0/0/0.100
     encapsulation dot1Q 100
     no cdp enable
     bridge-group 100
     bridge-group 100 subscriber-loop-control
     bridge-group 100 block-unknown-source
     no bridge-group 100 source-learning
     no bridge-group 100 unicast-flooding
    interface BVI10
     ip address 10.0.0.1 255.255.255.0
    interface BVI100
     ip address 10.1.1.1 255.255.255.0
    bridge 10 route ip
    bridge 100 route ip

  • Multiple RAC databases on same GI using different subnets for Public i/face

    Hello. We are configuring a 2 node cluster. That cluster will host several RAC databases. For security reasons our networking team want to create separate subnets for the application traffic to each specific RAC database on the cluster.
    E.g. application 1 has 2 application servers that will connect to RAC database PROD1 via one subnet, application 2 has 3 application servers that will connect to RAC database PROD2 via a different subnet, etc.
    In addition the networking team want to configure a separate management subnet that DBAs etc. will use to administer all RAC databases and infrastructure in the cluster.
    Grid Infrastructure version 11.2.0.2. Database versions will vary from 10.2.0.x to 11.2.0.2. All databases will utilise RAC.
    We want to take advantage of SCAN listener functionality to support connectivity to all databases on the cluster. Forum thread 2199620 [https://cn.forums.oracle.com/forums/thread.jspa?threadID=2199620] suggests that 11gR2 supports multiple subnets, which looks to be exactly the feature we need. Please can you confirm how this works and point us to any documentation (standard docs, white papers, MOS, etc.) that might help us configure this.
    Document referenced in thread 2199620 was not exactly what we were looking for, and didn't translate too well in Google Translate.
    Any guidance much appreciated. Thanks, Rich.
    Similar threads:
    https://cn.forums.oracle.com/forums/thread.jspa?messageID=9846298? (Dual SCAN on multi homed cluster)
    https://cn.forums.oracle.com/forums/thread.jspa?threadID=2199620 (scan listener in OAM VLAN)
    Edited by: 887449 on 26-Sep-2011 01:41

    Thanks Levi. Your advice is very much appreciated.
    Your statement that we can only have one SCAN listener listening on one public network is actually the clarification I was looking for.
    For anyone else reading this thread I believe this gives us 3 options:
    1) Configure a SCAN listener and have all applications, and all management/administration, connecting to the corresponding database on the same cluster via that SCAN listener, all on the same subnet.
    2) Configure a SCAN listener for use by all applications connecting to the corresponding database on the same cluster, and use TNSNAMES/VIP for management/administration traffic, both on separate subnets (by configuring the LISTENER_NETWORKS parameter)
    3) Configure a SCAN listener for use by applications connecting to one of the databases on the cluster via one subnet, use TNSNAMES/VIP for all other applications connecting to other databases, each using their own subnet. Plus, the management/administration could be via another subnet utilising TNSNAMES/VIP.
    From our perspective we will work out the best one for us and implement accordingly.
    Thanks again for your timely and comprehensive response.

  • IP and VIP addresses temporarily on different subnets

    I was wondering if it's possible to add a third node temporarily on a different subnet?
    I mean.. now my two nodes have these IP: XXX.XXX.0.5 and XXX.XXX.0.6 , VIP are: XXX.XXX.7.15 and XXX.XXX.7.16
    Is it possible to add a third node with IP YYY.YYY.0.7 and VIP YYY.YYY.7.17 ?
    Of course they can ping each other and successfully use ssh equivalence...
    Thanks.

    Unfortunately not, the nature of the way VIPs work means that they must be on the same subnet throughout the cluster.

  • CSM Is it possible to have the vserver (VIP) IP in a different subnet range

    CSM - Is it possible to have the vserver (VIP) IP in a different subnet range than the real IP addresses in the serverfarm that is bound to it?
    In other words, as an example a typical bridge configuration is like this:
    vlan 221 client
     ip address 10.20.220.2 255.255.255.0
     gateway 10.20.220.1
    vlan 220 server
     ip address 10.20.220.2 255.255.255.0
    <<<<<<<<<<<<Two VLANs with the same IP address are bridged together>>>>>>>>>>>>>>>>>.
    serverfarm WEBFARM
     nat server
     no nat client
     real 10.20.220.10
      inservice
     real 10.20.220.20
      inservice
    vserver WEB
     virtual 10.20.220.100 tcp www
     serverfarm WEBFARM
     persistent rebalance
     inservice
    ==================================================================================
    NOW:
    =====
    Is it possible to do something like this:
    ==================================================================================
    vlan 221 client
     ip address 10.20.220.2 255.255.255.0
     gateway 10.20.220.1
    vlan 220 server
     ip address 10.20.220.2 255.255.255.0
    <<<<<<<<<<<<Two VLANs with the same IP address are bridged together>>>>>>>>>>>>>>>>>.
    serverfarm WEBFARM
     nat server
     no nat client
     real 10.20.220.10
      inservice
     real 10.20.220.20
      inservice
    vserver WEB
     virtual 50.40.220.99 tcp www <<<<<<<<<< Place the IP address in a different subnet than the IP's in the serverfarm >>>>>>>>>>>>>>>
     serverfarm WEBFARM
     persistent rebalance
     inservice
    <<<<<<<<On the MSFC place a static route to route the 50.40.220.99 address towards the CSM IP on vlan 221>>>>>>>>>.
    ip route 50.40.220.99 255.255.255.255 10.20.220.2
    Please if somebody knows if this is or is not possible it would be highly appreciated to hear your feedback.

    Pointers to examples - much appreciated.

  • Multiple BDC's one on different subnet

    I have just finished an upgrade of our network to 10.5 (we will be going 10.6 when we do XSan 2.2)
    OD Master fine all working
    PDC fine all working (including keeping old SID)
    OD Replica in site 1 all working
    BDC on Replica in site 1 all working
    OD Replica site 2 (different subnet via WAN connection) all working
    BDC on Replica on site 2 - no
    with a net rpc testjoin DOMAIN I get this error
    getschannel_sessionkey: could NOT fetch trust account password for domain
    has anyone seen it before?
    net rpc getsid -S DOMAIN -U Administrator%password
    does not work but
    net rpc getsid -S DOMAIN -I 192.168.1.88 -U Administrator%password
    does so I have the SID but Server Admin just spins the little wheel thing and goes back to Standalone, it 'looks' like a subnet issue - help!

    Chris,
    Is this still an issue?
    Thanks!
    Ed Price, Power BI & SQL Server Customer Program Manager

  • Can ARD 3 now share a screen across 2 different subnets

    We have one central office. Clients access that office via a VPN. We can then share our screen with them as we work on a proof of a project.
    It's a great solution, however, we can't with ARD 2.2 get it to work with two clients at once over the VPN.
    An old Kbase article said that it wasn't possible to route screen sharing to two different subnets in the 2.2 version, but rather required all clients be on the same subnet.
    Does anyone know or have the ability to test to see if this is different in 3.0? I'm hopeful that it is, as I can no longer find the old Kbase article saying that it wasn't possible.
    Thanks,
    Greg

    Still no reply as to if this was resolved. I'm not so much worried about the move on the client side, as once we upgrade we have the luxury of upgrading everyone at once. I think that will be a smooth process.
    However, our motivation to upgrade is dependent on whether or not the ability to route traffic over multiple subnets is fixed. So we'll wait and see. If anyone can easily test this, I'd love to know. Sounds like a few other people are hoping to hear something as well.
    Thanks in advance,
    Greg

  • ACE load balancing servers on different subnets...

    Hello,
    I have the following issue.... need to load balance traffic between two servers already working in two different subnets (vlans), at this point is highly desirable to avoid changing IP addresses. Is it possible to accomplish this goal using ACE? routed or bridged mode? is it strictly necessary to have all servers belonging to a serverfarm in the same subnet?
    Thanks in advance for your support.

    Hi,
    You can do this, but you have to use client-NAT (Source-NAT) to force the return traffic to pass back through the ACE. You also then need static routes in the ACE context to point at each server. PBR is an alternative approach but I have not implemented that in a live network. The important thing is that the ACE sees both sides of the conversation.
    The following extract from a configuration shows the basic principle:
    rserver host master
      ip address 10.199.95.2
      inservice
    rserver host slave
      ip address 10.199.38.68
      inservice
    serverfarm host FARM-web2-Master
      description Serverfarm Master
      probe PROBE-web2
      rserver master
        inservice
    serverfarm host FARM-web2-Slave
      description Serverfarm Slave
      probe PROBE-web2
      rserver slave
        inservice
    class-map match-any L4VIPCLASS
      2 match virtual-address 10.199.80.12 tcp eq www
      3 match virtual-address 10.199.80.12 tcp eq https
    policy-map type management first-match REMOTE-MGMT-ALLOW-POLICY
      class REMOTE-ACCESS
        permit
    policy-map type loadbalance first-match LB-POLICY
      class class-default
        serverfarm FARM-web2-Master backup FARM-web2-Slave
    policy-map multi-match L4POLICY
      class L4VIPCLASS
        loadbalance vip inservice
        loadbalance policy LB-POLICY
        loadbalance vip icmp-reply active
        loadbalance vip advertise
        nat dynamic 1 vlan 384
    service-policy input L4POLICY
    interface vlan 383
      description ACE-web2-Clientside
      ip address 10.199.80.13 255.255.255.248
      alias 10.199.80.12 255.255.255.248
      peer ip address 10.199.80.14 255.255.255.248
      access-group input ACL-IN
      access-group output PERMIT-ALL
      no shutdown
    interface vlan 384
      description ACE-web2-Serverside
      ip address 10.199.80.18 255.255.255.240
      alias 10.199.80.17 255.255.255.240
      peer ip address 10.199.80.19 255.255.255.240
      access-group input PERMIT-ALL
      access-group output PERMIT-ALL
      nat-pool 1 10.199.80.20 10.199.80.20 netmask 255.255.255.240 pat
      no shutdown
    ip route 0.0.0.0 0.0.0.0 10.199.80.9
    ip route 10.199.95.2 255.255.255.255 10.199.80.21
    ip route 10.199.38.68 255.255.255.255 10.199.80.21
    HTH
    Cathy
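
The return-path point in the reply above, traced in code. This is an added example, not part of the original post or of any Cisco tooling: the VIP, NAT pool and real-server addresses come from the posted extract, while the routing table of the next hop 10.199.80.21 and the client address are constructed assumptions.

```python
import ipaddress

# Addresses taken from the configuration extract in the post above.
VIP = "10.199.80.12"        # class-map L4VIPCLASS
NAT_POOL = "10.199.80.20"   # nat-pool 1 on interface vlan 384
RSERVERS = {"master": "10.199.95.2", "slave": "10.199.38.68"}

# ASSUMPTION (constructed, not shown in the post): routing table of the
# next hop 10.199.80.21 that sits between vlan 384 and the server subnets.
ROUTER_ROUTES = [
    ("10.199.80.16/28", "vlan384-to-ace"),     # connected; the ACE answers for the pool
    ("0.0.0.0/0", "upstream-bypassing-ace"),   # everything else leaves another way
]


def lookup(routes, dst):
    """Longest-prefix match: return the egress label chosen for dst."""
    addr = ipaddress.ip_address(dst)
    best_len, best_egress = -1, None
    for prefix, egress in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and net.prefixlen > best_len:
            best_len, best_egress = net.prefixlen, egress
    if best_egress is None:
        raise LookupError(f"no route to {dst}")
    return best_egress


def trace_flow(client_ip, rserver, source_nat):
    """Follow one connection to the VIP and report where the reply goes."""
    real = RSERVERS[rserver]
    # Forward path: the ACE rewrites the destination (VIP -> real server) and,
    # with "nat dynamic", also rewrites the source to the pool address.
    server_sees = NAT_POOL if source_nat else client_ip
    # Return path: the server answers the source it saw; the router picks the exit.
    egress = lookup(ROUTER_ROUTES, server_sees)
    via_ace = egress == "vlan384-to-ace"
    # Only the ACE can translate the reply's source from the real IP back to the VIP.
    reply_src = VIP if via_ace else real
    return {
        "server_sees_source": server_sees,
        "return_egress": egress,
        "ace_sees_both_directions": via_ace,
        "client_sees_reply_from": reply_src,
        # A reply from an address the client never contacted matches no socket.
        "connection_completes": reply_src == VIP,
    }


if __name__ == "__main__":
    client = "198.51.100.25"  # constructed client address (documentation range)
    for snat in (True, False):
        print("source NAT" if snat else "no source NAT", trace_flow(client, "master", snat))
```

Without source NAT the reply leaves by the default route, so the load balancer (and any ACL or inspection applied on it) never sees the server-to-client half of the connection.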

  • Hyperion Servers on Different Subnets

    Our network engineers have designed a new scheme for our network whereby there will be different subnets for the web servers, application servers, and database servers. We are on Hyperion System 9, our web server contains the Hyperion WAS services (planning, reporting, shared services, openldap, etc); our essbase db and license server are on one database server, and SQL and the reports server (communications, scheduler, etc) are on another server. In this new network scheme, the Hyperion web server will be on a different subnet than the two database servers.
    Does anyone see any issues or know of any issues with this setup?
    Thanks,
    Candy

  • Multiple VIPs per VR

    hello,
    is it possible to configure multiple VIPs for the same virtual-router on a particular circuit configuration which uses the same redundant-interfaces instead of having to configure redundant-interfaces for each VIP that's added?
    I want to do something along the lines of:
    ip virtual-router 1 priority 200 preempt
    ip redundant-interface 1 192.168.3.254
    ip redundant-vip 1 192.168.3.100
    ip redundant-vip 1 192.168.3.120
    ip redundant-vip 1 192.168.3.140
    and then do different things for traffic going to each of these VIPs in my content rules, i.e. have different content-rules for each VIP so different operations can be performed on them.
    Currently, although the CSS lets me do this kind of thing, AND the newly created VIPs can be seen in the ARP tables of other network devices in that broadcast domain, I can't seem to ping these VIPs.
    Thanks in advance

    Hi Gilles, thx for that. So basically what you're saying is that if I have a VIP configured but the content rule that uses this is inactive/suspended OR say the backend server is dead or unreachable for any reason, the ping to the VIP will not be replied to? For some reason I was under the impression that if I configure the VIP in the circuit, I will be able to ping it but now the other way makes more sense.
    Now the other question is, if I have all these VIPs as in my original question, and they ALL need SSL termination on the CSS AND they all point to different sub-domains AND I have a wildcard SSL cert for that parent domain, then can I create multiple ssl-server entries in my ssl-proxy-list BUT use the same certificate for each ssl-server in the list?
    Not sure if that's clear, let me know and I will provide more detail
    Thanks in advance

  • Creating zones that are on different subnets

    Hi,
    I am running Solaris 10 11/06 with zones. I had no issues creating zones with the same default router as the global zone. However, I want to create zones that will live in the DMZ, on a different subnet. I have looked around and the only thing I could find was to add the new subnet in the defaultrouter on the global zone.
    192.168.69.1 default route for global and zone 1
    10.10.6.1 default route for zone 2
    cat /etc/defaultrouters
    192.168.69.1
    10.10.6.1
    I did that, rebooted, and created the new zone. The new zone did not get the default route set. It was also not set in the global. The only way I can get this to work, is run :
    route add default 10.10.6.1
    I have created an init script to add this route at bootup on the global zone.
    Is this the right way to handle multiple subnets on a container host? Do I need to add the network in ./etc/netmasks?
    Thanks,
    David

    If you are stuck with update 3, this is a workaround we did on our system.
    create a startup script /etc/init.d/zone-defaultroute
    #!/usr/bin/sh
    #######START######
    /usr/sbin/ifconfig interface:x addif zone2_ipaddress netmask up
    /usr/sbin/route add default ip_router_zone2
    /usr/sbin/ifconfig interface:x removeif zone2_ipaddress
    /usr/sbin/zoneadm -z zone2 boot
    #######END########
    link the file to rc3.d
    ln -s /etc/init.d/zone-defaultroute /etc/rc3.d/S90zonedefaultroute
    Edited by: almazh on Oct 16, 2007 2:27 PM

  • Airtunes on different subnets - Why not?

    I've been googling for the past week in order to try and find out if it is possible to use airtunes on different subnets before I actually buy the device only to find out that it does not satisfy my needs. For various reasons I can not have all my machines into the same subnet.
    Searching revealed that because the Airtunes relies on Bonjour which in turn relies on mDNS (i.e. multicast) it simply can not be used in two different subnets. I've read everywhere that it cannot be done. I just can't understand the actual reason. Being a network engineer for more than 9 years I find it hard to accept that if both local subnets on my 3640 have multicast routing enabled it still won't do the trick. Can anyone shed some light on this? Unfortunately I still don't own the device so I can not do any tests...
    Any help would be much appreciated.
    TIA,
    GrSpider
    Powermac G5 Quad, MB C2D   Mac OS X (10.4.9)  

    GrSpider -
    Bonjour (and mDNS) work perfectly well across multiple subnets so long as your router is configured to support (i.e. route) multicast traffic. I use Bonjour on a constant basis across three subnets with both Mac and Windows platforms for a variety of service location purposes (printing, file sharing, streaming media) and have no problems whatsoever.
    The AirTunes limitation you're referring to is an Apple policy decision, not a technical issue. It appears they've restricted iTunes<-->Airport streaming media connectivity to connections that originate and terminate on the same subnet. I assume they feel it's a mechanism to help enforce digital rights management.
    Just to summarize: I routinely print to my Airport Express units across subnets, and share my iTunes music library to non-AirPort devices on different subnets; I just don't (can't) share my iTunes music library to an Airport Express on a different subnet.
    That one limitation aside, they've been a great addition to my network.
    FWIW.

  • In DFS, How to make servers LEAST COST for different subnets.

    Hello, We setup DFS in our domain (SERVER1) and we replicated the DFS namespace into a server which is also a member of the domain but it is on a DIFFERENT SUBNET (let's call this server SERVER2).
    How can I make sure that the SERVER2 DFS redirection should NOT go to SERVER1 unless SERVER2 is down, etc.? or How do we make sure SERVER2 clients don’t go to the wrong site and vice versa WHEN we enable DFS on multiple systems?
    I have also enabled least expensive target selection (site-costing) in DFS but I am not sure if that will work.
    Note: SERVER2 is not a Domain Controller
    SERVER1 is Server 2008 Standard
    SERVER2 is Server 2008 R2 Standard
    Please help and Thank you in advance.
    Regards,
    Rod
    --- Network Security Administrator

    Dear Mandy,
    I have run the command DFSUTIL /PKTINFO on SERVER2 Client's computer and seems like it is referred
    to SERVER1 DFS namespace targets.
    Namespace Referrals is set to Lowest cost. 
    Here is the output of the command:
    C:\>DFSUTIL /PKTINFO
    1 entries...
    Entry: \Jessel.local\SysVol
    ShortEntry: \Jessel.local\SysVol
    Expires in 0 seconds
    UseCount: 0 Type:0x1 ( DFS )
       0:[\filesv02.Jessel.local\SysVol] AccessStatus: 0 ( ACTIVE TARGETSET )
       1:[\FILESV03.Jessel.local\SysVol]
    DfsUtil command completed successfully.
    Please advise.
    Thank You very much.
    Rod Lopez
    --- Network Security Administrator

  • Stickiness across multiple VIPs

    I was wondering if anyone knows if it is possible to implement stickiness across multiple VIPs. In other words, if a client hits a specific VIP on a specific TCP port, then hits a different VIP on a different TCP port, can stickiness be configured to stick that client to the same server?
    Thanks!

    Hi,
    You talk about stickiness on the CSM? It's possible :), but be careful...
    example:
    vserver1: vip1:port1
    rserver1: rserver_ip1:portX
    vserver2: vip2:port2
    rserver2: rserver_ip1:portY
    and one sticky group for both server farms (one for rserver1, second for rserver2).
    first session is established to vserver1:
    - sticky is recorded to rserver1 (rserver_ip1:portX)
    second session is established to vserver2:
    - sticky exists (client matched the sticky rule)
    - session is not load-balanced, but connected to rserver by sticky record (!), in other words, session is directed to rserver_ip1:portX and not to :portY
    ^^^ answer to your question: it's possible :), but be careful... in other words, it's possible if the service on the server side is running on the same real server and port (portX=portY). Otherwise, use a different sticky group for the second server farm.
    Is that an answer to your question?
    regards,
    martin
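
The shared sticky group pitfall from the reply above, as a small model with a configuration check. This is an added example, not CSM code and not from the original post: the class, its method names, the address 192.0.2.10 and ports 8080/8081 (standing in for rserver_ip1, portX and portY) are all constructed, and the sticky behaviour modelled is the one the reply describes.

```python
class StickyModel:
    """Toy load balancer: sticky entries are keyed by (sticky group, client IP)."""

    def __init__(self):
        self.vservers = {}   # name -> (sticky group id, [(real_ip, real_port), ...])
        self.sticky = {}     # (group id, client_ip) -> (real_ip, real_port)
        self._next = {}      # per-vserver round-robin counter

    def add_vserver(self, name, group, reals):
        self.vservers[name] = (group, list(reals))

    def connect(self, client_ip, vserver):
        """Return the (ip, port) a new connection from client_ip is sent to."""
        group, reals = self.vservers[vserver]
        key = (group, client_ip)
        if key in self.sticky:
            # Sticky hit: load balancing is skipped and the recorded target is
            # reused, even if it was recorded through a different vserver.
            return self.sticky[key]
        idx = self._next.get(vserver, 0)
        self._next[vserver] = idx + 1
        target = reals[idx % len(reals)]
        self.sticky[key] = target
        return target

    def shared_group_conflicts(self):
        """Sticky groups used by vservers whose real (ip, port) sets differ."""
        by_group = {}
        for _name, (group, reals) in self.vservers.items():
            by_group.setdefault(group, set()).add(frozenset(reals))
        return sorted(g for g, farms in by_group.items() if len(farms) > 1)


PORT_X, PORT_Y = 8080, 8081   # constructed stand-ins for portX and portY
REAL_IP = "192.0.2.10"        # constructed stand-in for rserver_ip1


def scenario(shared_group):
    """Client hits vserver1, then vserver2; returns both targets and the audit result."""
    lb = StickyModel()
    lb.add_vserver("vserver1", 1, [(REAL_IP, PORT_X)])
    lb.add_vserver("vserver2", 1 if shared_group else 2, [(REAL_IP, PORT_Y)])
    first = lb.connect("198.51.100.7", "vserver1")
    second = lb.connect("198.51.100.7", "vserver2")
    return first, second, lb.shared_group_conflicts()


if __name__ == "__main__":
    print("shared group  :", scenario(True))
    print("separate group:", scenario(False))
```

Running `shared_group_conflicts()` over a parsed configuration flags the case where the second service would be reached on the first service's port.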
