SLB Protocol Translation

SLB Protocol Translation (SLB-PT) enables IPv4 servers to be used for serving content to IPv6 clients. Likewise, SLB-PT enables IPv6 servers to be used for serving content to IPv4 clients. Server farms can contain both IPv4 and IPv6 servers.

SLB-PT is supported for the following virtual port types:

     UDP

     TCP

     HTTP

     HTTPS

     SSL-proxy

     SMTP

FIGURE 50 shows an example of an SLB-PT deployment that uses a mixed server farm of IPv4 and IPv6 servers to serve IPv6 clients.

FIGURE 50         SLB Protocol Translation (figure not reproduced here)

In this example, a server farm consisting of IPv6 and IPv4 servers is configured with an IPv6 VIP address. IPv6 clients send requests to the IPv6 VIP. ACOS then selects an IPv6 or IPv4 server and forwards the client’s request to the selected server. If the server is an IPv4 server, the ACOS device translates the IP protocol of the client’s request from IPv6 to IPv4 before forwarding it to the IPv4 server. Likewise, when the ACOS device receives the server’s reply, the ACOS device translates the reply from IPv4 to IPv6, then forwards the reply to the client.

Source NAT Requirement

In addition to the standard SLB configuration items (servers, service groups, the VIP, and so on), SLB-PT requires IP source NAT.

At a minimum, one NAT pool is required, of the IP type (IPv4 or IPv6) that differs from the IP type of the clients. In this example, an IPv4 pool is required. The pool is used if the ACOS device selects an IPv4 server for an IPv6 client’s request. The pool must be bound to each of the virtual ports that has a corresponding real port on an IPv4 server.

If the deployment also will send IPv4 client requests to IPv6 servers, an IPv6 pool is also required.

For simplicity, the CLI example below uses a single IPv4 NAT pool. Following the example, the Examples Using Multiple Source NAT Pools section describes how to use multiple pools.

CLI Example

The following commands configure the SLB-PT deployment shown in FIGURE 50. All of the CLI commands are also present in ACOS 2.2.x releases. Unlike previous releases, the ACOS device does not require the VIP and real server IP addresses to be of the same IP type (IPv4 or IPv6).

The following commands configure the Ethernet interfaces connected to the clients and servers:

ACOS(config)#interface ethernet 1

ACOS(config-if:ethernet:1)#ip address 192.168.217.100 255.255.255.0

ACOS(config-if:ethernet:1)#ipv6 address 2001:558:ff4e:2::100/64

ACOS(config-if:ethernet:1)#enable

ACOS(config-if:ethernet:1)#interface ethernet 2

ACOS(config-if:ethernet:2)#ipv6 address 2001:32::2020:2001/64

ACOS(config-if:ethernet:2)#enable

ACOS(config-if:ethernet:2)#exit

The following command configures an IPv4 source NAT pool.

ACOS(config)#ip nat pool v4natpool-1 192.168.217.200 192.168.217.202 netmask /24

NOTE:    For simplicity, this example uses only a single pool. If multiple pools are used, ACLs are also required. The ACLs must match on the client IP address(es) as the source address. If the real servers and VIP are in different subnets, the ACLs also must match on the real server IP address(es) as the destination address. (For more information, see Examples Using Multiple Source NAT Pools. Also see the “Network Address Translation” chapter in the System Configuration and Administration Guide.)

The following commands configure the IPv4 real servers. For simplicity, all the IPv4 and IPv6 servers have the same real ports.

ACOS(config)#slb server v4server-1 192.168.217.10

ACOS(config-real server)#port 80 tcp

ACOS(config-real server-node port)#exit

ACOS(config-real server)#port 53 udp

ACOS(config-real server-node port)#exit

ACOS(config-real server)#port 443 tcp

ACOS(config-real server-node port)#exit

ACOS(config-real server)#port 25 tcp

ACOS(config-real server-node port)#exit

ACOS(config-real server)#exit

ACOS(config)#slb server v4server-2 192.168.217.11

ACOS(config-real server)#port 80 tcp

ACOS(config-real server-node port)#exit

ACOS(config-real server)#port 53 udp

ACOS(config-real server-node port)#exit

ACOS(config-real server)#port 443 tcp

ACOS(config-real server-node port)#exit

ACOS(config-real server)#port 25 tcp

ACOS(config-real server-node port)#exit

ACOS(config-real server)#exit

The following commands configure the IPv6 real servers:

ACOS(config)#slb server v6server-1 2001:558:ff4e:2::1

ACOS(config-real server)#port 80 tcp

ACOS(config-real server-node port)#exit

ACOS(config-real server)#port 53 udp

ACOS(config-real server-node port)#exit

ACOS(config-real server)#port 443 tcp

ACOS(config-real server-node port)#exit

ACOS(config-real server)#port 25 tcp

ACOS(config-real server-node port)#exit

ACOS(config-real server)#exit

ACOS(config)#slb server v6server-2 2001:558:ff4e:2::2

ACOS(config-real server)#port 80 tcp

ACOS(config-real server-node port)#exit

ACOS(config-real server)#port 53 udp

ACOS(config-real server-node port)#exit

ACOS(config-real server)#port 443 tcp

ACOS(config-real server-node port)#exit

ACOS(config-real server)#port 25 tcp

ACOS(config-real server-node port)#exit

ACOS(config-real server)#exit

The following commands configure the service groups. A separate service group is configured for each application (real port):

ACOS(config)#slb service-group sgv4v6-http

ACOS(config-slb svc group)#member v4server-1 80

ACOS(config-slb svc group-member:80)#member v4server-2 80

ACOS(config-slb svc group-member:80)#member v6server-1 80

ACOS(config-slb svc group-member:80)#member v6server-2 80

ACOS(config-slb svc group-member:80)#exit

ACOS(config-slb svc group)#exit

ACOS(config)#slb service-group sgv4v6-dns

ACOS(config-slb svc group)#member v4server-1 53

ACOS(config-slb svc group-member:53)#member v4server-2 53

ACOS(config-slb svc group-member:53)#member v6server-1 53

ACOS(config-slb svc group-member:53)#member v6server-2 53

ACOS(config-slb svc group-member:53)#exit

ACOS(config-slb svc group)#exit

ACOS(config)#slb service-group sgv4v6-https

ACOS(config-slb svc group)#member v4server-1 443

ACOS(config-slb svc group-member:443)#member v4server-2 443

ACOS(config-slb svc group-member:443)#member v6server-1 443

ACOS(config-slb svc group-member:443)#member v6server-2 443

ACOS(config-slb svc group-member:443)#exit

ACOS(config-slb svc group)#exit

ACOS(config)#slb service-group sgv4v6-smtp

ACOS(config-slb svc group)#member v4server-1 25

ACOS(config-slb svc group-member:25)#member v4server-2 25

ACOS(config-slb svc group-member:25)#member v6server-1 25

ACOS(config-slb svc group-member:25)#member v6server-2 25

ACOS(config-slb svc group-member:25)#exit

ACOS(config-slb svc group)#exit

ACOS(config)#exit

The following commands import an SSL certificate and key, and configure a client-SSL template to use them. ACOS will use the certificate and key to terminate SSL sessions between clients and the VIP.

ACOS#import cert sslcert.pem scp:

Address or name of remote host []?10.10.10.2

User name []?ACOSadmin

Password []?*********

File name [/]?sslcert.pem

ACOS#import key certkey.pem scp:

Address or name of remote host []?10.10.10.2

User name []?ACOSadmin

Password []?*********

File name [/]?certkey.pem

ACOS#config

ACOS(config)#slb template client-ssl cssl

ACOS(config-client SSL template)#cert sslcert.pem

ACOS(config-client SSL template)#key certkey.pem

ACOS(config-client SSL template)#exit

The following commands configure the VIP:

ACOS(config)#slb virtual-server v6vip 2001:32::2020:2000

ACOS(config-slb vserver)#port 80 http

ACOS(config-slb vserver-vport)#source-nat pool v4natpool-1

ACOS(config-slb vserver-vport)#service-group sgv4v6-http

ACOS(config-slb vserver-vport)#exit

ACOS(config-slb vserver)#port 53 udp

ACOS(config-slb vserver-vport)#source-nat pool v4natpool-1

ACOS(config-slb vserver-vport)#service-group sgv4v6-dns

ACOS(config-slb vserver-vport)#exit

ACOS(config-slb vserver)#port 443 https

ACOS(config-slb vserver-vport)#source-nat pool v4natpool-1

ACOS(config-slb vserver-vport)#template client-ssl cssl

ACOS(config-slb vserver-vport)#service-group sgv4v6-https

ACOS(config-slb vserver-vport)#exit

ACOS(config-slb vserver)#port 25 smtp

ACOS(config-slb vserver-vport)#source-nat pool v4natpool-1

ACOS(config-slb vserver-vport)#service-group sgv4v6-smtp

ACOS(config-slb vserver-vport)#exit

Examples Using Multiple Source NAT Pools

The example shown above uses only a single NAT pool, for access to the IPv4 servers. If multiple pools are used, then different CLI syntax is required.

Multiple IPv4 Pools

Here is an example that uses multiple IPv4 pools.

First, IPv6 ACLs that match on the client IP address(es) are configured. A separate ACL is required for each NAT pool.

ACOS(config)#ipv6 access-list v6acl-1

ACOS(config-access-list:v6acl-1)#permit ipv6 2001:32::/96 any

ACOS(config-access-list:v6acl-1)#exit

ACOS(config)#ipv6 access-list v6acl-2

ACOS(config-access-list:v6acl-2)#permit ipv6 2001:64::/96 any

ACOS(config-access-list:v6acl-2)#exit

The following commands configure the IPv4 NAT pools:

ACOS(config)#ip nat pool v4natpool-1 192.168.217.200 192.168.217.200 netmask /24

ACOS(config)#ip nat pool v4natpool-2 192.168.217.220 192.168.217.220 netmask /24

The following commands access the configuration level for a virtual port on the VIP and configure the port to use the IPv4 pools:

ACOS(config)#slb virtual-server v6vip 2001:32::2020:2000

ACOS(config-slb vserver)#port 80 http

ACOS(config-slb vserver-vport)#access-list name v6acl-1 source-nat-pool v4natpool-1

ACOS(config-slb vserver-vport)#access-list name v6acl-2 source-nat-pool v4natpool-2

Each of the access-list commands binds one of the IPv6 ACLs to the virtual port. The source-nat-pool option used with each command binds an IPv4 pool to the ACL. When the ACOS device receives a request for the VIP, the ACOS device matches the client address against the source addresses in the ACLs. ACOS then uses the IPv4 NAT pool bound to the first matching ACL.

ACOS translates the client’s request from an IPv6 packet into an IPv4 packet. ACOS replaces the client’s IPv6 address with an IPv4 address from the selected pool. The IPv6 VIP address is replaced with the server’s IPv4 address.

If the client’s address does not match the source address in any of the ACLs, the request is dropped.

NOTE:    This is different from the behavior if a single NAT pool is used. If only one NAT pool is bound to the virtual port, the pool is used if the client’s IP type (IPv4 or IPv6) is not the same as the IP type of the selected server. Otherwise, if the IP type of the client and the selected server is the same, SLB-PT is not required for the request. The request is sent to the server with the client’s original IP address.

Multiple IPv4 and IPv6 Pools

It is not required to use pools of the same IP type as the IP type used by clients. For example, IPv6 pools are not required for IPv6 clients.

Using pools of the same IP type as the client IP type provides a way to control access to the real servers. When multiple pools are bound to a virtual port, the client’s IP address must match the source address in at least one of the ACLs associated with the pools. Otherwise, the client’s traffic is dropped.

NOTE:    In the case of IPv4, IPv4 pools are still required if the VIP and the real servers are in different IPv4 subnets. For more information, see the “Source NAT for Servers in Other Subnets” section in the “Network Address Translation” chapter of the System Configuration and Administration Guide.

This example builds on the example in Multiple IPv4 Pools. The virtual port will have 4 pools: 2 IPv4 pools and 2 IPv6 pools. Each of the IPv6 ACLs will be bound to an IPv4 pool and an IPv6 pool. If SLB selects an IPv4 server, the IPv4 pool bound to the ACL that matches the client’s IP address will be used. Likewise, if SLB selects an IPv6 server, the IPv6 pool bound to the ACL will be used.

The following commands configure the IPv6 NAT pools:

ACOS(config)#ipv6 nat pool v6natpool-1 2001:32::2020:2010 2001:32::2020:2010 netmask 64

ACOS(config)#ipv6 nat pool v6natpool-2 2001:32::2020:2020 2001:32::2020:2020 netmask 64

The following commands bind the IPv6 NAT pools to the virtual port:

ACOS(config-slb vserver-vport)#access-list name v6acl-1 source-nat-pool v6natpool-1

ACOS(config-slb vserver-vport)#access-list name v6acl-2 source-nat-pool v6natpool-2
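The following Python model is an added illustration, not ACOS code, of the pool-selection behavior described in Examples Using Multiple Source NAT Pools and of the single-pool behavior from Source NAT Requirement. It treats each ACL as a list of source prefixes with destination "any", keeps the access-list bindings in the order they were configured, and binds v6acl-1 to v4natpool-1 and v6natpool-1 and v6acl-2 to v4natpool-2 and v6natpool-2, as the text above describes. The "no-pool" result for a matching ACL that has no pool of the selected server's IP type is an assumption; the page does not describe that case. Client addresses such as 2001:99::1 and 192.0.2.7 are constructed sample inputs.

```python
"""Model of how a virtual port chooses a source-NAT pool, drops a request,
or passes it through unchanged, following the behaviour this section describes.
Added illustration only; this is not ACOS code."""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Acl:
    """An access list of 'permit <proto> <source-prefix> any' entries."""
    name: str
    source_prefixes: list  # IPv4Network / IPv6Network objects

    def matches(self, client) -> bool:
        # 'in' is False when address and prefix are of different IP versions,
        # so an IPv4 client never matches an IPv6 ACL.
        return any(client in prefix for prefix in self.source_prefixes)


@dataclass
class NatPool:
    """'ip nat pool' (IPv4) or 'ipv6 nat pool' (IPv6); the version comes from the addresses."""
    name: str
    start: str
    end: str

    @property
    def version(self) -> int:
        return ipaddress.ip_address(self.start).version


@dataclass
class VirtualPort:
    # 'source-nat pool <pool>'                        -> single_pool
    # 'access-list name <acl> source-nat-pool <pool>' -> bindings, in configured order
    single_pool: Optional[NatPool] = None
    bindings: List[Tuple[Acl, NatPool]] = field(default_factory=list)


def choose_source_nat(vport: VirtualPort, client_ip: str, server_ip: str) -> Tuple[str, Optional[str]]:
    """Return (action, pool_name); action is 'snat', 'passthrough', 'drop' or 'no-pool'."""
    client = ipaddress.ip_address(client_ip)
    server = ipaddress.ip_address(server_ip)
    needs_translation = client.version != server.version

    if vport.bindings:
        # Multiple pools: the first ACL whose source prefix matches the client wins;
        # a client matching no ACL is dropped, whatever the server's IP type.
        chosen = next((acl for acl, _ in vport.bindings if acl.matches(client)), None)
        if chosen is None:
            return ("drop", None)
        # Among the pools bound to that ACL, use the one of the selected server's IP type.
        for acl, pool in vport.bindings:
            if acl.name == chosen.name and pool.version == server.version:
                return ("snat", pool.name)
        # ASSUMPTION (not stated on the page): the matching ACL has no pool of the
        # server's type. Translation cannot happen without one, so flag it; when no
        # translation is needed the request can still carry the client's own address.
        return ("no-pool", None) if needs_translation else ("passthrough", None)

    if vport.single_pool is not None:
        # Single pool, no ACL: used only when client and server IP types differ;
        # otherwise the server sees the client's original address.
        if not needs_translation:
            return ("passthrough", None)
        if vport.single_pool.version == server.version:
            return ("snat", vport.single_pool.name)
        return ("no-pool", None)  # pool is of the wrong IP type to reach this server

    # No source NAT at all: SLB-PT cannot translate, so only same-type pairs work.
    return ("no-pool", None) if needs_translation else ("passthrough", None)


def page_config() -> Tuple[VirtualPort, VirtualPort]:
    """The virtual ports from this section: the four-pool port (each IPv6 ACL bound to
    one IPv4 pool and one IPv6 pool) and the single-pool port from the first CLI example."""
    v6acl_1 = Acl("v6acl-1", [ipaddress.ip_network("2001:32::/96")])
    v6acl_2 = Acl("v6acl-2", [ipaddress.ip_network("2001:64::/96")])
    v4pool_1 = NatPool("v4natpool-1", "192.168.217.200", "192.168.217.200")
    v4pool_2 = NatPool("v4natpool-2", "192.168.217.220", "192.168.217.220")
    v6pool_1 = NatPool("v6natpool-1", "2001:32::2020:2010", "2001:32::2020:2010")
    v6pool_2 = NatPool("v6natpool-2", "2001:32::2020:2020", "2001:32::2020:2020")
    four_pool_port = VirtualPort(bindings=[
        (v6acl_1, v4pool_1), (v6acl_2, v4pool_2),  # from "Multiple IPv4 Pools"
        (v6acl_1, v6pool_1), (v6acl_2, v6pool_2),  # IPv6 pools, as described in the text
    ])
    single_pool_port = VirtualPort(
        single_pool=NatPool("v4natpool-1", "192.168.217.200", "192.168.217.202"))
    return four_pool_port, single_pool_port


if __name__ == "__main__":
    four, single = page_config()
    for vport, cli, srv in [(four, "2001:32::1", "192.168.217.10"),
                            (four, "2001:99::1", "192.168.217.10"),
                            (single, "2001:32::1", "2001:558:ff4e:2::1")]:
        print(cli, "->", srv, choose_source_nat(vport, cli, srv))
```

Running choose_source_nat over the client prefixes a deployment is meant to serve is a quick way to confirm, before the ACL bindings go live, that no intended client range falls into the "drop" case and that every ACL has a pool of each IP type present in the service group.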
