
Technical Tip TT-0506401a - Informational - 22-Jun-2005

Proxy IP for the Nortel Application Switch OS version 22.x and later

Contents

  Associated Products
  Previous Proxy IP Functionality
  Current Proxy IP Functionality
  Limitation of Proxy IP
  Configuring Proxy IP using the CLI (Command Line Interface)
  Port and VLAN based Proxy IP addresses
  Filter Based Proxy IP Addresses
  Enabling Proxy IP on a Port
  Egress PIP for a Virtual Service
  Configuring Proxy IP using the BBI (Browser-Based Interface)
  Understanding Proxy IP in the /cfg/dump Output
  Sample Configuration Containing Proxy IP

Introduction:

The purpose of this document is to detail the updated functionality of proxy IP addressing on the Nortel Application Switch. Beginning with the Nortel Application Switch operating system version 22.0, proxy IP functionality has been altered to better suit the needs of the network administrator.

Associated Products:

The information in this document is intended to be used with the following product(s) with the indicated software or hardware revisions:

  Product Name or Order Number: Nortel Application switches: 2208, 2216, 2224, 2424, 3408
  Revision Information, Potentially Affected: 22.x and above
  Revision Information, Corrected: N/A

Previous Proxy IP Functionality

In the Nortel Web Switch and in the Nortel Application Switches running software prior to release 22.0, proxy IP addresses were assigned to SPs (Switch Processors) instead of physical ports or VLANs. Because proxy processing occurred after VMA (virtual matrix architecture) processing, there was no way to determine which SP a packet would be VMA'd to, and hence which proxy IP would be used. For this reason, proxy IP addresses had to be assigned to every SP. The only way to avoid assigning a proxy IP address to every SP was to disable VMA, which is not recommended because doing so decreases the performance of the switch. A packet would use the proxy IP address of whichever port it was VMA'd to, which could be that of the ingress port, the egress port, or neither. There was no way to accurately predict which proxy IP address would be used.

A further limitation of this proxy service was that the number of proxy IP addresses was limited to the number of SPs on the switch. The AD3/AD4/180e/184 Web Switches have eight SPs, while the Application Switches (2000 and 3000 series) have only four SPs.

2005 Nortel Networks Limited. All Rights Reserved

Current Proxy IP Functionality

Beginning with the Nortel Application Switch operating system version 22.0, proxy IP processing is not affected by VMA. Proxy IP addresses are assigned to either physical ports or VLANs instead of SPs. If proxy is set to a type of port, then each proxy IP address is associated with a specific port. If proxy is set to a type of vlan, then each proxy IP address is associated with a specific VLAN. Also new is that the proxy feature can be configured to use either the proxy IP address of the packet's ingress port or VLAN, or the proxy IP address of the egress port or VLAN.

A maximum of 32 proxy IP addresses can be configured on the switch. This means that you can configure up to 32 port-based proxy IP addresses, 32 VLAN-based proxy IP addresses, or a combination of both types totaling 32 proxy IP addresses.

Limitation of Proxy IP

Although the use of proxy IP addresses can have many advantages for a network, there is at least one possible limitation to either type of proxy IP functionality. When client requests directed to a virtual server are forwarded on to a real server, the client's source IP address is changed to the configured proxy IP address. This applies to all clients that ingress and egress the same ports or VLANs. The limitation is that the real servers have no way of identifying the various clients by their source IP address, because all sessions appear to the real server as though they were sourced by the application switch.

This limitation leads to another new feature called X-Forwarded-For. X-Forwarded-For makes it possible to use proxy IP addresses and overcome this limitation, allowing the client's identity to be maintained by the real server. Please refer to the Technical Tip for more information on this feature.

Configuring Proxy IP using the CLI (Command Line Interface)

Port and VLAN based Proxy IP addresses

In order for proxy IP services to be used, server load balancing must first be turned on. This can be done via the /cfg/slb command as such:

    main# /cfg/slb on

Proxy IP services have their own configuration menu. Not all of the required proxy IP configuration is done in this menu, but this is where the proxy IP addresses are configured, along with the type of proxy IP address they will be. The proxy IP address menu is located at /cfg/slb/pip.

    Proxy IP Address# pwd
    /cfg/slb/pip

Using the single dot command displays the available menu options. They are shown below and are self-explanatory. Each of these menu options is used in the following configuration examples:

    Proxy IP Address# .
    Proxy IP Address Menu
    type - Set base type of Proxy IP address
    add - Add port or VLAN to Proxy IP address
    rem - Remove port or VLAN from Proxy IP address
    cur - Display current Proxy IP address configuration

First look at the default configuration. The cur command shows that by default, the active PIP type is port. The type vlan is inactive. This means that any proxy IP addresses configured right now would be associated with a physical port on the switch. You can configure a number of proxy IP addresses equal to or less than the number of physical ports on the switch. It is not required to assign a proxy IP address to every physical port.

    Proxy IP Address# cur
    Current Proxy IP address settings:
    Active PIP type: port
    Inactive PIP type: vlan

Now consider adding a proxy IP address to ports 1, 2, 3, and 4. A proxy IP address can be assigned to one or more physical ports. When the address is assigned to multiple ports, the ports do not have to be contiguous. The CLI displays an example of how to assign an address to multiple ports, both contiguous and non-contiguous.

To add a proxy IP address, use the add command. The user is prompted to enter the proxy IP address to be assigned to the port(s). Next, the user is prompted to designate the port(s) onto which the proxy IP address will be assigned. In the example below, the proxy IP address 0 is assigned to physical ports 1, 2, 3, and 4 using the designation 1-4.

    Proxy IP Address# add
    Enter Proxy IP address: 0
    Enter port or block : e.g. 1 2 3-10 1-4
    New pending: 1: 0 port 1-4

The process to assign a proxy IP address to one or more physical ports can be shortened by following the add command with the proxy IP address to be assigned. Below, the command add 0 is used and then a prompt appears for the designated port(s) onto which the proxy IP address will be assigned. Using the command 5-8, ports 5, 6, 7, and 8 are designated for this proxy IP address.

    Proxy IP Address# add 10.10.10.20
    Enter port or block : e.g. 1 2 3-10 5-8
    New pending: 2: 0 port 5-8

The process to assign a proxy IP address can be further shortened by following the add command with the proxy IP address to be assigned and the port(s) to be designated to this proxy IP address. The following example shows the continuation of configuring proxy IP addresses to physical ports in groups of four ports per IP address. Starting with the first address below, the proxy IP address 0 is assigned to physical ports 9, 10, 11, and 12 in a single command: add 0 9-12. After adding the rest of the proxy IP addresses in the same manner, it is necessary to apply and save the changes. The apply command activates the changes, and the save command allows the changes to survive a reboot.

    Proxy IP Address# add 0 9-12
    New pending: 3: 0 port 9-12
    Proxy IP Address# add 0 13-16
    New pending: 4: 0 port 13-16
    Proxy IP Address# add 0 17-20
    New pending: 5: 0 port 17-20
    Proxy IP Address# add 0 21-24
    New pending: 6: 0 port 21-24
    Proxy IP Address# add 0 25-28
    New pending: 7: 0 port 25-28
    Proxy IP Address# apply/save

The new proxy IP addresses and their respective physical port(s) can be displayed using the cur command.

    Proxy IP Address# cur
    Current Proxy IP address settings:
    Active PIP type: port
    1: 0 port 1-4
    2: 0 port 5-8
    3: 0 port 9-12
    4: 0 port 13-16
    5: 0 port 17-20
    6: 0 port 21-24
    7: 0 port 25-28
    Inactive PIP type: vlan

Now that proxy IP addresses have been created and associated with the ports, change the proxy IP functionality to use VLANs instead of physical ports. The switch will only support one type of proxy IP address at a time, so once the type is changed to vlan, the previously created port-based proxy IP addresses will no longer be used.

Use the type command to change the proxy IP type from port to vlan. This can be done in a single command as shown below. If you simply enter the command type, you are prompted for the type to use. The only options are port and vlan. Don't forget to apply and save your changes.

    Proxy IP Address# type vlan
    Proxy IP Address# apply/save

Before creating any proxy IP addresses for the VLANs, take a look at the current configuration now that the proxy IP type has been changed from port to vlan.

Notice below that the previously configured proxy IP addresses still exist in the configuration, but they are inactive. This is because the active PIP type is now vlan. Now configure some proxy IP addresses to be associated with the switch's VLANs.

    Proxy IP Address# cur
    Current Proxy IP address settings:
    Active PIP type: vlan
    Inactive PIP type: port
    1: 0 port 1-4
    2: 0 port 5-8
    3: 0 port 9-12
    4: 0 port 13-16
    5: 0 port 17-20
    6: 0 port 21-24
    7: 0 port 25-28

Start by adding a proxy IP address to VLAN 1. A proxy IP address can be assigned to one or more VLANs. When the address is assigned to multiple VLANs, the VLANs do not have to be contiguous. The CLI displays an example of how to assign an address to VLANs, both contiguous and non-contiguous.

To add a proxy IP address, use the add command. The user is prompted to enter the proxy IP address to be assigned to the VLAN(s). Next, the user is prompted to designate the VLAN(s) onto which the proxy IP address will be assigned. In the following example, the proxy IP address 0 is assigned to VLAN 1 using the designation 1.

    Proxy IP Address# add
    Enter Proxy IP address: 0
    Enter VLAN or block : e.g. 1 2 3-10 1
    New Pending: 1: 0 vlan 1

The process to assign a proxy IP address to one or more VLANs can be shortened by following the add command with the proxy IP address to be assigned. Below, the command add 0 is used and then the prompt appears for the designated VLAN(s) onto which the proxy IP address will be assigned. Using the command 2, VLAN 2 is designated for this proxy IP address.

    Proxy IP Address# add 0
    Enter VLAN or block : e.g. 1 2 3-10 2
    New Pending: 3: 0 vlan 2

The process to assign a proxy IP address can be further shortened by following the add command with the proxy IP address to be assigned and the VLAN(s) to be designated to this proxy IP address. The following shows the continuation of configuring proxy IP addresses to VLANs. Starting with the first address below, the proxy IP address 0 is assigned to VLAN 3 in a single command: add 0 3. After adding the last of the proxy IP addresses in the same manner, it is necessary to apply and save the changes. The apply command activates the changes, and the save command allows the changes to survive a reboot.

    Proxy IP Address# add 0 3
    New Pending: 5: 0 vlan 3
    Proxy IP Address# add 0 4
    New Pending: 7: 0 vlan 4
    Proxy IP Address# apply/save

Take another look at the current configuration now that the proxy IP type has been changed from port to vlan and some proxy IP addresses have been added.

Notice below that the previously configured proxy IP addresses still exist in the configuration, but they are inactive. This is because the active PIP type is now vlan. Only the active PIP type will be used by the switch during runtime.

    Proxy IP Address# cur
    Current Proxy IP address settings:
    Active PIP type: vlan
    1: 0 vlan 1
    3: 0 vlan 2
    5: 0 vlan 3
    7: 0 vlan 4
    Inactive PIP type: port
    1: 0 port 1-4
    2: 0 port 5-8
    3: 0 port 9-12
    4: 0 port 13-16
    5: 0 port 17-20
    6: 0 port 21-24
    7: 0 port 25-28

Filter Based Proxy IP Addresses

A separate proxy IP address can be configured for use with specific filters. This is configured in the filter's advanced menu, /cfg/slb/filt /adv.

    Filter 10 Advanced# pwd
    /cfg/slb/filt/adv

The first step is to enable proxy IP on the filter. As shown below, this can be done using the proxy command. The user is prompted to either enable or disable proxy for this filter. The e command is used in this example to enable proxy. This could also have been accomplished in a single command such as proxy e.

    Filter 10 Advanced# proxy
    Current client proxy: enabled
    Enter new client proxy d/e: e

The proxyip command allows the user to specify a proxy IP address to be used on a packet matching this filter. The user may enter either an IP address or "any". The switch uses the configured proxy IP address to replace the client's IP address. If the user does not configure the proxy IP address in the filter, the switch uses the proxy IP address configured under the /cfg/slb/pip command.

    Filter 10 Advanced# proxyip
    Current proxy IP address: any
    Enter new proxy IP address or any: 0

Another parameter that affects how proxy IP is handled by the filter is the epip command. This command only applies when the proxyip parameter of the filter is set to any. It enables or disables proxy IP selection based on egress port or VLAN. By default, the SP selects the proxy IP address based on ingress port or VLAN. By enabling the epip command, you can configure the SP to select the proxy IP address based on the egress port or VLAN. Don't forget to apply and save your changes.

    Filter 10 Advanced# epip
    Current egress pip: disabled
    Enter new egress pip d/e: e
    Filter 10 Advanced# apply/save

Now move up one directory and execute the cur command to look at the current configuration of the filter, including the latest changes. Highlighted below are the three proxy IP attributes:

    Filter 10 Advanced# ./cur
    Current filter 10:
    enabled, name HTTP Redir
    invert disabled sip any, dip any
    proto tcp, sport any, dport http
    vlan any
    action redir, group 2, rport 0
    log disabled, cache enabled
    proxy enabled, proxy IP address 0, epip enabled, fwlb disabled
    linklb disabled, dbind disabled, pbind disabled
    option disabled, tos 0 0 0
    length any
    tcp no flags enabled
    ack_or_reset disabled
    l7lkup disabled, ftpa disabled, radius snoop disabled
    radius/wap persistence disabled
    parseall enabled
    idshash dip, idsgrp none
    thash auto
    BW Contract 256
    BW Contract for reverse traffic 256
    pmatch disa
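The limitation described under "Limitation of Proxy IP", seen from the real server's side, as an added example that is not part of the Technical Tip or any Nortel code: a request's client address is taken from X-Forwarded-For only when the TCP peer is one of the switch's proxy IP addresses. The addresses in SWITCH_PIPS and the sample requests are constructed placeholders, and the code assumes the switch appends the client address as the last entry of the header.

```python
import ipaddress

# Constructed proxy IP addresses; the page's own values did not survive
# extraction, so these documentation-range addresses are placeholders.
SWITCH_PIPS = {ipaddress.ip_address(a) for a in ("192.0.2.10", "192.0.2.20")}


def client_address(peer_ip, xff_header):
    """Return (address, basis) for one request as a real server sees it.

    peer_ip    -- TCP source address of the connection
    xff_header -- raw X-Forwarded-For value, or None when absent
    """
    peer = ipaddress.ip_address(peer_ip)
    if peer not in SWITCH_PIPS:
        # Not proxied by the switch: the header is client-supplied, ignore it.
        return str(peer), "peer"
    if not xff_header:
        # Proxied, but no header: only the proxy IP is known.
        return str(peer), "proxy-only"
    # Assumption: the switch appends the client address as the last entry,
    # so read right to left and skip entries that are our own proxy IPs.
    for token in reversed([t.strip() for t in xff_header.split(",")]):
        try:
            addr = ipaddress.ip_address(token)
        except ValueError:
            return str(peer), "malformed-xff"
        if addr not in SWITCH_PIPS:
            return str(addr), "xff"
    return str(peer), "proxy-only"


# Constructed sample requests: (TCP peer, X-Forwarded-For header).
SAMPLE_REQUESTS = [
    ("192.0.2.10", "203.0.113.7"),                 # proxied, header added
    ("192.0.2.10", "198.51.100.99, 203.0.113.7"),  # client sent its own entry
    ("198.51.100.5", "10.0.0.1"),                  # bypassed the switch
    ("192.0.2.20", None),                          # proxied, no header
]


def resolve_samples():
    """Resolve every constructed sample request."""
    return [client_address(peer, xff) for peer, xff in SAMPLE_REQUESTS]


if __name__ == "__main__":
    for row in resolve_samples():
        print(row)
```

The second sample shows why the header is read from the right: an entry the client supplied itself sits to the left of the one added by the proxy and is never reached.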
