Softlayer Vyatta and Netscaler VPX Integration

Softlayer provides the Vyatta gateway as a firewall and Netscaler VPX as a load balancer. You can integrate the two to provide load balancing in a DMZ, which enterprise customers commonly request.

There are two options for load balancing in a DMZ on Softlayer: load balancing on the Softlayer public network or load balancing on the Softlayer private network.

When Softlayer builds a Netscaler VPX, 3 IPs are configured:

  • 1 Netscaler IP address (NSIP): the Netscaler IP is one IP from the private network.
  • 2 Subnet IP addresses (SNIP): 1 SNIP for the private VLAN and 1 SNIP for the public VLAN.

The following routing is configured by default:

  1. Default route to the gateway IP of the Netscaler public VLAN;
  2. Static route (10.0.0.0/8) to the gateway IP of the Netscaler private VLAN.

In our example, the Netscaler VPX is set up as below:

  • Public VLAN with IP subnet (100.64.0.0/29) and private VLAN with IP subnet (10.118.0.0/26).
  • Netscaler IP (NSIP) is 10.118.0.2/26.
  • Public VLAN SNIP: 100.64.0.2/29
  • Private VLAN SNIP: 10.118.0.3/26

Let us go through options 1 and 2 using the above Netscaler settings.

Option 1: Load Balancing on Softlayer public network

Step 0: Associate and route the Netscaler VPX private and public VLANs to the Vyatta gateway;

Step 1: Order a public static block for the vIPs; let us use 100.64.1.0/28 as our vIP block;

Step 2: Configure a static route for the public vIP block on Vyatta, with the Netscaler VPX public VLAN Subnet IP as next-hop;

set protocols static route 100.64.1.0/28 next-hop 100.64.0.2

Step 3: Configure firewall rules on the Vyatta gateway that allow inbound traffic to the vIP only on specific protocols/ports.

[Figure: Netscaler Option 1]

Option 2: Load Balancing on Softlayer private network

Step 0: Associate and route the Netscaler VPX private and public VLANs to the Vyatta gateway;

Step 1: Order a private static block for the vIPs with Target set to the Netscaler Subnet IP of the private VLAN; let us use 10.118.1.0/28 as our vIP block;

Step 2: Order a public static IP for your Internet-facing service with Target set to the Vyatta gateway public VLAN interface IP;

Step 3: Configure a static route for the private vIP block on Vyatta, with the Netscaler VPX private VLAN Subnet IP as next-hop;

set protocols static route 10.118.1.0/28 next-hop 10.118.0.3

Step 4: Configure static NAT to translate the public IP to the private vIP;

Step 5: Configure firewall rules on the Vyatta gateway that allow inbound traffic to the vIP only on specific protocols/ports.

[Figure: Netscaler Option 2]
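An added example, not part of the original post: a small Python check for the static-route step of both options. It confirms that the next-hop is a Netscaler SNIP (not the NSIP), that the vIP block does not overlap a Netscaler VLAN subnet, and reports which option the route implements. The function names are hypothetical, the overlap rule is an assumption, and the addresses are the example values used above.

```python
import ipaddress
import re

# Addressing plan of the example Netscaler VPX described in this post.
NSIP = ipaddress.ip_address("10.118.0.2")
SNIPS = {
    "public": ipaddress.ip_interface("100.64.0.2/29"),
    "private": ipaddress.ip_interface("10.118.0.3/26"),
}
ROUTE_RE = re.compile(r"^set protocols static route (\S+) next-hop (\S+)$")


def check_route(line):
    """Return (option, problems) for one Vyatta static-route command."""
    m = ROUTE_RE.match(line.strip())
    if not m:
        return None, ["not a static route command"]
    try:
        block = ipaddress.ip_network(m.group(1))  # strict: rejects host bits
        hop = ipaddress.ip_address(m.group(2))
    except ValueError as exc:
        return None, [f"bad address: {exc}"]
    problems = []
    # Which VLAN's SNIP, if any, is used as next-hop?
    side = next((s for s, i in SNIPS.items() if i.ip == hop), None)
    if hop == NSIP:
        problems.append("next-hop is the NSIP, expected a SNIP")
    elif side is None:
        problems.append("next-hop is not a Netscaler SNIP")
    # Assumption: the vIP block is a separate static block, so it should
    # never overlap a subnet directly connected to the Netscaler.
    for name, iface in SNIPS.items():
        if block.overlaps(iface.network):
            problems.append(f"vIP block overlaps the {name} VLAN subnet")
    option = {"public": 1, "private": 2}.get(side)
    return option, problems


def needs_static_nat(line):
    """Option 2 vIPs are private, so Vyatta must NAT a public IP to them."""
    option, problems = check_route(line)
    return option == 2 and not problems
```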

I personally like option 1 as it is straightforward and less configuration is required. In addition, it offloads the NAT from the Vyatta gateway.
