IrbkOrrum
Explorer III
December 2, 2024
Solved

Multiple external IP passthrough for VDOMs

  • December 2, 2024
  • 1 reply
  • 4292 views

Quick background on the environment.
Root vdom contains all the physical connections to the VMWare stack and the internet. 

VDOM A - All internet bound traffic (inbound or outbound) runs through an intervdom link.  Everything works as expected.

I understand how one would pass traffic through for either all ports or a single port from an external IP, through a VIP on Root, to the intervdom link IP of VDOM-A and then another VIP on VDOM-A to 'inside' VDOM-A.

What happens when you need to have multiple external IPs all routing to something within VDOM-A?  With the intervdom link, VDOM-A essentially only has 1 'external' IP.  
For example, you've got external IP: 40.40.40.40 that goes to WebserverA in VDOM-A and you've got 40.40.40.41 that goes to WebserverB in VDOM-A.  

Do I create separate intervdom links for each external IP?
Do I take the VIP from external to Root and do something like take 40.40.40.40 port 80 outside, translate it to 172.17.172.1 (intervdom link IP) port 80, then at the VDOM-A VIP take 172.17.172.1 port 80 and translate it to 10.10.10.10 port 80 (this I've done and it works). Then take 40.40.40.41 port 80 outside, translate it to 172.17.172.1 port 79, then at the VDOM-A VIP take 172.17.172.1 port 79 and translate it to 10.10.10.11 port 80.

So something like this:

External IP            Root VIP                  VDOM A VIP
40.40.40.40 port 80    172.17.172.1 port 80      10.10.10.10 port 80
40.40.40.41 port 80    172.17.172.1 port 79      10.10.10.11 port 80


I'm not sure how else I would get the traffic from 'outside' to VDOM-A when VDOM-A essentially only has 1 IP.  I can't VIP both of the external IPs to port 80 but I'm also not sure how to get around it.

Best answer by Toshi_Esumi

Then you need to keep your original design. As I said, the subnet you would route from root to VDOM-A doesn't have to be on any interface (meaning it can be bogus). You just need to have a static route toward the vdom-link (npu-vlink) at the root vdom. Then you can just map them to a local subnet like 10.10.10.0/24 by VIPs at VDOM-A.

Don't forget the opposite direction. Outgoing traffic for 10.10.10.0/24 toward the outside/internet needs to be NATed as well. You might use the same subnet 172.17.172.0/24 or a different one. If different, you need to have another route at the root vdom.

Toshi
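As an added illustration of the design in the accepted answer (example configuration written for this page, not the original poster's config and not taken from Fortinet documentation): root routes a "bogus" transfer subnet that sits on no interface to VDOM-A over the vdom-link, each public IP gets a root VIP to its own address in that subnet, VDOM-A VIPs map those addresses to 10.10.10.x, and an IP pool in VDOM-A plus root's outbound NAT handle the return direction. Assumptions: the vdom-link already exists with vlink0 (root side, 172.17.172.1/30) and vlink1 (VDOM-A side, 172.17.172.2/30), wan1 is the internet interface in root, port2 is the server-side interface in VDOM-A, 172.17.173.0/24 is the bogus subnet, and all VIP, pool and policy names are invented here. An NPU vlink differs only in the interface names.

```fortios
# Added example, not from the thread. Assumed: vlink0/vlink1 vdom-link already
# configured (172.17.172.1/.2 on a /30), wan1 in root, port2 in VDOM-A,
# 172.17.173.0/24 is a bogus subnet that is only ever routed and NATed.
config vdom
edit root
    # The static route is what lets VDOM-A own a whole subnet instead of one link IP
    config router static
        edit 0
            set dst 172.17.173.0 255.255.255.0
            set gateway 172.17.172.2
            set device "vlink0"
        next
    end
    # One whole-IP VIP per public address, each to its own bogus address
    config firewall vip
        edit "webA-ext"
            set extip 40.40.40.40
            set extintf "wan1"
            set mappedip "172.17.173.10"
        next
        edit "webB-ext"
            set extip 40.40.40.41
            set extintf "wan1"
            set mappedip "172.17.173.11"
        next
    end
    config firewall policy
        edit 0
            set srcintf "wan1"
            set dstintf "vlink0"
            set srcaddr "all"
            set dstaddr "webA-ext" "webB-ext"
            set action accept
            set schedule "always"
            set service "HTTP"
        next
        # Second SNAT hop for outbound traffic: 172.17.173.x becomes wan1's address
        edit 0
            set srcintf "vlink0"
            set dstintf "wan1"
            set srcaddr "all"
            set dstaddr "all"
            set action accept
            set schedule "always"
            set service "ALL"
            set nat enable
        next
    end
next
edit VDOM-A
    # Everything leaves VDOM-A through root
    config router static
        edit 0
            set gateway 172.17.172.1
            set device "vlink1"
        next
    end
    config firewall vip
        edit "webA-int"
            set extip 172.17.173.10
            set extintf "vlink1"
            set mappedip "10.10.10.10"
        next
        edit "webB-int"
            set extip 172.17.173.11
            set extintf "vlink1"
            set mappedip "10.10.10.11"
        next
    end
    # Outbound SNAT into the same bogus subnet, so root's one route also covers replies
    config firewall ippool
        edit "vdomA-snat"
            set type overload
            set startip 172.17.173.200
            set endip 172.17.173.200
        next
    end
    config firewall policy
        edit 0
            set srcintf "vlink1"
            set dstintf "port2"
            set srcaddr "all"
            set dstaddr "webA-int" "webB-int"
            set action accept
            set schedule "always"
            set service "HTTP"
        next
        edit 0
            set srcintf "port2"
            set dstintf "vlink1"
            set srcaddr "all"
            set dstaddr "all"
            set action accept
            set schedule "always"
            set service "ALL"
            set nat enable
            set ippool enable
            set poolname "vdomA-snat"
        next
    end
next
end
```

Because the VDOM-A pool draws from the same 172.17.173.0/24 that root already routes to vlink0, return packets for outbound sessions find their way back without extra configuration. If you instead pick a separate subnet for the outbound pool, root needs a second static route for that subnet pointing at vlink0, exactly as the answer says; without it, replies from the internet are dropped in root as unroutable. Note that the policies above allow only HTTP inbound; the whole-IP VIPs themselves would translate any port, so the policy service is what limits exposure.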

1 reply

Toshi_Esumi
SuperUser
December 2, 2024

VIPs are necessary because of NAT, hiding the internal subnets from the outside/internet. Between VDOMs (root and other vdoms), if you don't have NAT you can just route them; then you don't need VIPs at the VDOM borders.

Further, if you route the public IPs/40.40.40.40 and .41 to VDOM-A, you don't need the VIPs at all even at the root VDOM.

Toshi

IrbkOrrum (Author)
Explorer III
December 2, 2024

Sorry, but that makes 0 sense. Even completely ignoring the VDOMs, I need a VIP to translate 40.40.40.40 to 10.10.10.10.

Perhaps my original statement was unclear.  All traffic from VDOM-A runs through the intervdom link to Root and then out the interface contained in Root.  All traffic inbound runs through Root, then to the intervdom link to VDOM-A.  VDOM-A has no access to anything without the intervdom link.

Toshi_Esumi
SuperUser
December 2, 2024

I meant if you have assigned something like 40.40.40.40 instead of 10.10.10.10 at the server, you don't need any VIPs. Of course, if the server has a local IP, you at least need to have the VIP at VDOM-A.

Toshi