Hi--

On Oct 19, 2012, at 11:25 AM, John Miller wrote:
> Hello everyone,
> 
> Perhaps a Cisco list is a better destination for this, but I've seen a 
> similar post here in the past couple of months, so posting here as well.
> 
> I'm trying to get our Cisco ACE set up appropriately to handle DNS traffic.  
> So far, I've gotten it working using NAT (each rserver has a public and a 
> private IP) and using transparent load-balancing (ACE talks directly to the 
> public IP), aka direct server return.

IMO, the only boxes which should have IPs in both public and private netblocks 
should be your firewall/NAT routing boxes.

> Here's a question, however: how does one get probes working for a transparent 
> LB setup?  If an rserver listens for connections on all interfaces, then 
> probes work fine, but return traffic from the rserver uses the machine's 
> default IP (not the VIP that was originally queried) for the source address 
> of the return traffic.

That's the default routing behavior for most platforms.  Some of them might 
support some form of policy-based routing via ipfw fwd / route-to or similar 
with other firewall mechanisms which would let the probes get returned from 
some other source address if you want them to do so.

> What have people done to get probes working with transparent LB?  Are any of 
> you using NAT to handle your dns traffic?  Not tying up NAT tables seems like 
> the way to go, but lack of probes is a deal-breaker on this end.

The locals around here have the luxury of a /8 netblock, so they can set up the 
reals behind a LB using publicly routable IPs and never need to NAT DNS 
traffic.  Folks with a more limited number of routable IPs might well use LB to 
reals on an unroutable private network range behind NAT, in which case they 
wouldn't configure those boxes with public IPs.

Regards,
-- 
-Chuck
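A way to check for exactly the failure mode John describes (the reply to a query sent to the VIP coming back from the rserver's default address instead), as an added example that is not part of this thread or of any vendor's tooling. It hand-builds a minimal DNS query with the Python standard library, sends it to a VIP, and classifies the reply the way a strict probe or resolver would; the VIP 192.0.2.53 and the name example.com are placeholders chosen here, not values from the thread.

```python
"""
dns_probe_source_check.py -- added example, not from the original thread.

Sends one UDP DNS query to a VIP and reports whether the reply came back
from the same address it was sent to.  With direct server return and a
real server bound to 0.0.0.0, the reply often leaves via the host's
default address; most resolvers and LB health probes silently drop it.
"""
import os
import socket
import struct


def build_query(qname, qtype=1, txid=None):
    """Return (txid, wire) for a one-question query, RD clear.

    Header: ID, flags=0 (QR=0, opcode 0, RD=0), QDCOUNT=1, others 0.
    RD is left clear on purpose: a probe should test the server itself,
    not whether it is willing to recurse for the prober.
    """
    if txid is None:
        txid = int.from_bytes(os.urandom(2), "big")
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    labels = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in qname.rstrip(".").split(".")
        if label
    )
    question = labels + b"\x00" + struct.pack("!HH", qtype, 1)  # QCLASS IN
    return txid, header + question


def parse_reply_header(data):
    """Decode the 12-byte DNS header; raise ValueError if it is too short."""
    if len(data) < 12:
        raise ValueError("short DNS message (%d bytes)" % len(data))
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    return {
        "id": txid,
        "qr": bool(flags & 0x8000),
        "rcode": flags & 0x000F,
        "qdcount": qd,
        "ancount": an,
    }


def classify(sent_to, txid, reply_from, reply):
    """Judge a reply the way a strict probe or resolver would.

    The source-address check comes first: that is the DSR failure mode,
    and the reply is otherwise a perfectly well-formed DNS response.
    """
    if reply_from != sent_to:
        return "source-mismatch"  # answered from the host's default address
    try:
        hdr = parse_reply_header(reply)
    except ValueError:
        return "malformed"
    if hdr["id"] != txid:
        return "id-mismatch"
    if not hdr["qr"]:
        return "not-a-response"
    if hdr["rcode"] != 0:
        return "rcode-%d" % hdr["rcode"]
    return "ok"


def probe(vip, qname, port=53, timeout=2.0):
    """Send one query to the VIP and classify the first datagram back.

    Uses an unconnected socket deliberately, so a reply from the wrong
    source is seen and reported rather than filtered by the kernel.
    Returns (verdict, reply_source); network I/O, so the offline checks
    exercise build_query/classify only.
    """
    txid, wire = build_query(qname)
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(wire, (vip, port))
        data, (src_ip, _src_port) = sock.recvfrom(4096)
    except socket.timeout:
        return "timeout", None
    finally:
        sock.close()
    return classify(vip, txid, src_ip, data), src_ip


if __name__ == "__main__":
    import sys
    # Placeholder VIP and name (assumptions for this example, not from the thread).
    vip = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.53"
    name = sys.argv[2] if len(sys.argv) > 2 else "example.com."
    verdict, src = probe(vip, name)
    print("probe %s for %s: %s (reply from %s)" % (vip, name, verdict, src))
```

Run it as `python3 dns_probe_source_check.py <VIP> <name>`. A verdict of `source-mismatch` is the symptom John is asking about; a client that had used a connected UDP socket would have seen only a timeout, which is why the LB probe appears to get no answer at all. The fix belongs on the rserver (bind the service to the VIP address as well as, or instead of, the wildcard, or use the policy-based routing Chuck mentions), not in the prober.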

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users