Below are the general design highlights:
- Dual-VLAN design for redundancy: two external VLANs and two internal VLANs.
- BGP routing runs between the LBs, the firewall (FW) and the routers. The primary VLANs are always preferred as the primary route path; the secondary VLAN is used only when the primary is down.
- GE interface speed/duplex should be set to AUTO/AUTO on both the switch and the LBs, so that both sides negotiate the same settings.
- Servers reside behind the Web POD router. The LBs are installed in L3 route mode and forward traffic between clients and servers.
- Virtual IP addresses (VIPs) come from a dedicated subnet assigned to the load balancers. These addresses are advertised by the load balancers themselves via BGP.
- The LBs do not allow routing pass-through, so the server subnets are not reachable from the Internet. This creates a screened server network, which adds a layer of security because the actual server network address is never advertised to the Internet. In addition, the load balancers forward only traffic that is explicitly configured to be load-balanced, so nothing other than the specified web server ports is forwarded even if the screening firewall is misconfigured or compromised.
- The LBs within the Web POD do not change the client source IP when they forward traffic; the client source IP is preserved when traffic arrives at the servers. Because the servers see the real client address, their return traffic must be routed back through the LB (the Web POD router uses the LB as its next hop) rather than around it; otherwise replies bypass the LB and the connection fails.
A Web POD may contain either NetScaler or BIG-IP/LTM load balancers.
Below are the design details specific to each hardware type.
- BIG-IP (4.x, 9.x, 10.x)
- Serial failover is used for HA: a serial cable must be connected between the two boxes. VLAN failsafe is NOT used within the Web POD.
- No management interface is configured. All management/administration is done via an inside self IP address; one of the internal VLAN self IPs is used for administration.
- The BIG-IPs are configured with floating IPs. These addresses are used as the next hop by the FWs and the Web POD routers, which ensures that traffic is always forwarded to whichever BIG-IP/LTM is currently active.
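The BIG-IP bullets above, worked through as a configuration example for unit 1 of the pair. This is added here for illustration and is not the Web POD's own configuration; it uses tmsh property names as of v10.x (4.x and 9.x use bigpipe, whose syntax differs, so check against the version in use). Interface numbers, VLAN names and all addresses (RFC 1918/5737 ranges) are assumptions; unit 2 repeats the non-floating self IPs with its own addresses. Serial failover needs no per-VLAN setting, which is why the only HA-related lines are the ones disabling VLAN failsafe.

```text
# Unit 1 of the redundant pair (tmsh, v10.x style). Addresses and names are assumed.

# Two external and two internal VLANs, one physical interface each
create net vlan ext1 interfaces add { 1.1 }
create net vlan ext2 interfaces add { 1.2 }
create net vlan int1 interfaces add { 1.3 }
create net vlan int2 interfaces add { 1.4 }

# VLAN failsafe is NOT used: the serial cable is the only failover trigger
modify net vlan ext1 failsafe disabled
modify net vlan ext2 failsafe disabled
modify net vlan int1 failsafe disabled
modify net vlan int2 failsafe disabled

# Non-floating self IPs, unique to this unit. No management interface is used;
# SSH/HTTPS administration is allowed only on the int1 self IP and nowhere else.
create net self 10.20.1.11 address 10.20.1.11/24 vlan int1 allow-service { tcp:22 tcp:443 }
create net self 10.20.2.11 address 10.20.2.11/24 vlan int2 allow-service none
create net self 192.0.2.11 address 192.0.2.11/24 vlan ext1 allow-service none
create net self 198.51.100.11 address 198.51.100.11/24 vlan ext2 allow-service none

# Floating self IPs, owned by whichever unit is active. These are the next hops
# the FW (external VLANs) and the Web POD router (internal VLANs) point at.
create net self 192.0.2.10 address 192.0.2.10/24 vlan ext1 floating enabled unit 1 allow-service none
create net self 198.51.100.10 address 198.51.100.10/24 vlan ext2 floating enabled unit 1 allow-service none
create net self 10.20.1.10 address 10.20.1.10/24 vlan int1 floating enabled unit 1 allow-service none
create net self 10.20.2.10 address 10.20.2.10/24 vlan int2 floating enabled unit 1 allow-service none

# Forward only what is explicitly load-balanced: one virtual server on the
# dedicated VIP subnet (assumed 203.0.113.0/24) to the web pool (assumed 10.30.0.0/24).
# No wildcard forwarding virtual server is created, so the server subnet stays screened.
create ltm pool web-pool members add { 10.30.0.10:80 10.30.0.11:80 } monitor http
create ltm virtual web-vs destination 203.0.113.10:80 ip-protocol tcp pool web-pool
```

The `allow-service none` on every self IP except the administrative one is what enforces "no management interface, administration via one inside self IP": the box answers SSH/HTTPS only on 10.20.1.11. Advertising 203.0.113.0/24 via BGP is done in the routing daemon (ZebOS) and is not shown here.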
- NetScaler
- Within the Web POD, NetScalers are installed in L3 INC (Independent Network Configuration) mode.
- INC mode allows both LBs to run independent routing. This requires that each LB be configured with its own network-level configuration (NSIP, MIP, SNIPs, VLANs) separately; these settings are not synchronized between the pair.
- For high availability, network-based failover is used: each participating interface is monitored by the NetScaler.
- Web POD NetScalers use the FIS (Failover Interface Set) group feature for high availability. The FIS group ensures that the NetScaler fails over only when both interfaces in the group are down; a single interface failure cannot cause a failover.
- Since the client source IP is preserved within the Web POD, USIP (Use Source IP) mode must be enabled.
- Each NetScaler is configured with an NSIP, which is used for administration. The NSIPs are assigned from one of the internal VLANs.
- For each VLAN (subnet), a SNIP is configured on the NetScaler and bound to that VLAN.
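The NetScaler bullets above, worked through as a configuration example for node A of the pair. This is added here for illustration and is not the Web POD's own configuration; it uses NetScaler CLI commands. Interface numbers, VLAN IDs and all addresses (RFC 1918/5737 ranges) are assumptions, and because of INC mode node B carries its own, unsynchronized copy of the NSIP, SNIP, VLAN and FIS settings with its own addresses.

```text
# Node A of the HA pair. Addresses, VLAN IDs and interface numbers are assumed.

# NSIP (administration address) taken from internal VLAN 201 (assumed 10.20.1.0/24).
# The NSIP sits in the native VLAN by default; "set ns config -nsvlan" moves it.
set ns config -IPAddress 10.20.1.11 -netmask 255.255.255.0

# HA peer is node B's NSIP; -inc ENABLED selects Independent Network Configuration
add HA node 1 10.20.1.12 -inc ENABLED

# Two external and two internal VLANs, one physical interface each
add vlan 101
bind vlan 101 -ifnum 1/1
add vlan 102
bind vlan 102 -ifnum 1/2
add vlan 201
bind vlan 201 -ifnum 1/3
add vlan 202
bind vlan 202 -ifnum 1/4

# One SNIP per VLAN, bound to that VLAN
add ns ip 192.0.2.11 255.255.255.0 -type SNIP
bind vlan 101 -IPAddress 192.0.2.11 255.255.255.0
add ns ip 198.51.100.11 255.255.255.0 -type SNIP
bind vlan 102 -IPAddress 198.51.100.11 255.255.255.0
add ns ip 10.20.1.21 255.255.255.0 -type SNIP
bind vlan 201 -IPAddress 10.20.1.21 255.255.255.0
add ns ip 10.20.2.11 255.255.255.0 -type SNIP
bind vlan 202 -IPAddress 10.20.2.11 255.255.255.0

# FIS groups: the node fails over only when BOTH interfaces of a set are down,
# so losing a single external or internal link does not trigger a failover
add fis ext-fis
bind fis ext-fis 1/1
bind fis ext-fis 1/2
add fis int-fis
bind fis int-fis 1/3
bind fis int-fis 1/4

# Preserve the client source IP towards the servers (global default)
enable ns mode USIP

# VIP from the dedicated VIP subnet (assumed 203.0.113.0/24). -hostRoute lets the
# routing daemon advertise it via BGP. The server subnet (assumed 10.30.0.0/24)
# is only ever a service address, never a VIP, so it is never advertised.
add ns ip 203.0.113.10 255.255.255.255 -type VIP -hostRoute ENABLED
add service web1 10.30.0.10 HTTP 80 -usip YES
add lb vserver web-vs HTTP 203.0.113.10 80
bind lb vserver web-vs web1
```

The `-usip YES` on the service repeats the global USIP mode explicitly so the intent survives if someone later toggles the global setting. The BGP session itself (neighbors, route redistribution) is configured in the ZebOS shell (vtysh) rather than the NetScaler CLI and is not shown.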