Brocade ADX Source NAT

Global source NAT

Similar to F5’s Automap

Automap will SNAT any traffic going towards the real-server. The client’s source IP will be replaced with the self-IP configured on the Brocade’s interface closest to the real servers. SNAT is implemented for ALL the real servers.

server source-nat

 

Warning: Do not use automap in environments with a considerable number of clients and/or servers, since there is a high chance of running into port exhaustion, at which point connections will drop.

SNAT IP

server source-nat 
server source-nat-ip 192.168.100.100 255.255.255.255 0.0.0.0 port-range 2 port-alloc-per-real

The client’s source IP will be replaced with 192.168.100.100, the address configured in the second line.

The port-alloc-per-real command indicates that a SNAT IP:port combination can be re-used per real server at any particular instance. The port-range parameter specifies which port range this peer uses for source NAT for this source IP address. Specify 1 for the lower port range or 2 for the upper port range.

Per-real-server source NAT

SNAT IP is the IP of the interface closest to the real servers.

SNAT is implemented for real servers by configuring them with the source-nat command:

server real r1 192.168.100.20
  source-nat
server source-nat-ip 192.168.100.100 255.255.255.255 0.0.0.0 port-range 2 port-alloc-per-real
server real r1 192.168.100.20
  source-nat

Per-real-server source NAT with ACL

Same as the per-real-server automap above, but in this case SNAT is applied only to traffic originating from the private 192.168.100.0/22 network, by means of an access-list. This way, access to the VIP from other real servers and client requests from the Internet are not subjected to SNAT; their source IPs do not change.

server source-nat-ip 192.168.100.100 255.255.255.255 0.0.0.0 port-range 2 port-alloc-per-real
access-list 1 permit 192.168.100.0 0.0.3.255 
access-list 1 deny any 

server real r1 192.168.100.20
  source-nat access-list 1
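To check which sources the wildcard mask in access-list 1 actually selects for SNAT, the following is an added example (not part of the original post and not Brocade code). It assumes ordered, first-match ACL evaluation with unmatched sources denied; the sample client addresses are constructed.

```python
import ipaddress

# ACL lines copied from the configuration above.
ACL_TEXT = """\
access-list 1 permit 192.168.100.0 0.0.3.255
access-list 1 deny any
"""

MASK32 = 0xFFFFFFFF

def parse_acl(text):
    """Parse standard ACL lines into {acl_id: [(action, network, wildcard)]}."""
    acls = {}
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 4 or tok[0] != "access-list":
            continue
        if tok[3] == "any":
            net, wild = 0, MASK32            # every bit is "don't care"
        else:
            net = int(ipaddress.IPv4Address(tok[3]))
            # A bare address with no wildcard is treated as a host match.
            wild = int(ipaddress.IPv4Address(tok[4])) if len(tok) > 4 else 0
        acls.setdefault(tok[1], []).append((tok[2], net, wild))
    return acls

def snat_applies(acls, acl_id, src):
    """True if traffic from src would be source-NATed under this ACL.

    Assumption: entries are checked in order, the first match decides,
    and a source that matches nothing is denied.
    """
    ip = int(ipaddress.IPv4Address(src))
    for action, net, wild in acls.get(acl_id, []):
        care = ~wild & MASK32                # bits that must match
        if (ip & care) == (net & care):
            return action == "permit"
    return False

def covered_range(net, wild):
    """First and last address matched by a contiguous wildcard mask."""
    first = net & ~wild & MASK32
    return (str(ipaddress.IPv4Address(first)),
            str(ipaddress.IPv4Address(first | wild)))

if __name__ == "__main__":
    acls = parse_acl(ACL_TEXT)
    print(covered_range(*acls["1"][0][1:]))
    # Constructed sample sources: two in the private range, two outside it.
    for src in ("192.168.100.20", "192.168.103.255", "192.168.104.1", "203.0.113.10"):
        print(src, "SNAT" if snat_applies(acls, "1", src) else "source IP preserved")
```

Sources reported as SNAT will appear in the real servers' logs as 192.168.100.100 rather than their own address, which matters when those logs are used for attribution.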

 

HA considerations

If a SNAT configuration is used in an HA config, add the source-nat-ip into the vip-group in order for the secondary to take over the SNAT IP, in case of a failover:

server vip-group 1
  source-nat-ip 192.168.100.100

Server Load Balancing : Source NAT – http://www.brocade.com/downloads/documents/html_product_manuals/VADX_03000_SLB/wwhelp/wwhimpl/common/html/wwhelp.htm#context=Virtual_ADX_0300_SLBGuide&file=slb_V_ADX.04.06.html
