Layer 4 device on a Layer 3 switch

Discussion in 'Cisco' started by Warrick FitzGerald, Feb 24, 2004.

  1. I have an Alteon Ace Director 3, which is a Layer 4-7 device responsible
    for load balancing a set of web servers.

    Traffic entering the network is NAT'd from the public address to the
    virtual IP address of the Layer 4 device, and then the Layer 4 device is
    responsible for substituting the destination IP address for one of the
    real servers that it load balances.

    Virtual IP
    Group Of real servers

    What I don't understand is when Layer 3 switching enters the equation. The
    real servers have their default gateway set to the interface on the Layer 4
    device, and by all logic a packet with a source IP of the real server
    should never reach the firewall. Especially if the TCP session was
    initiated from a public IP outside of my network and then connected
    through the Layer 4 device.

    Is it possible that the 6509 that this Layer 4 device is plugged into is
    forwarding packets from one VLAN to another and bypassing the expected
    flow of traffic through the Layer 4 device? In doing so, packets are not
    getting rewritten with the correct source IP?

    How does one know when the switch will use L3 switching?

    How can I safely disable L3 switching to test that this is not my problem?

    Warrick FitzGerald, Feb 24, 2004

  2. Is the Alteon on the same subnet as your real servers? If so, the real
    servers will never use the default gateway, since they can just send back to
    the web director. The 6509 isn't really doing anything here, since all of
    the communication is at layer 2. No routing or layer 3 switching takes
    place except from the Alteon to the 6509.

    Craig Johnson, CCIE #6965
    Craig Johnson, Feb 24, 2004

  3. The Alteon has multiple interfaces on it. It has one interface connected
    to VLAN 3, which is where the inbound internet traffic gets NAT'd to, and
    it has another interface on VLAN 10, which is where my real servers

    When the packet arrives at the real server it still has the source address
    of the internet client (public IP). The real server, when responding to the
    public IP, must then use its default gateway to get out (which is of
    course the Alteon interface on that VLAN).

    In essence the Alteon bridges the VLANs in much the same way that the
    MSFC modules / routers do.

    Warrick FitzGerald, Feb 24, 2004
  4. I see. You are correct; the real NAT IPs of the servers should never be
    seen on the outside. The Alteon pretty much acts like a normal router in
    this way. Your 6509 is completely oblivious to what happens after traffic
    hits the Alteon.

    I think you may be confusing layer 3 switching. Layer 3 switching is just
    routing. You can't really disable it, without disabling routing. Some
    marketing guys made the term up a few years ago because switching sounds
    fast and routing sounds slow. Just think of the 6509 as a router with a
    whole lot of ports on it. Let me know if that clears anything up.

    Craig Johnson, CCIE #6965
    Craig Johnson, Feb 24, 2004
  5. I guess the piece I don't understand is how it makes these L3 decisions.
    In a normal L2 environment the CAM table is built up using regular MAC
    addresses. When this concept is applied to L3 switching / routing, does the
    switch maintain some kind of table for doing the same thing?

    If this were the case, then I would expect that L3 switching would only
    come into play when the destination IP address in the packet is on one of
    the MSFC router's locally connected VLANs?

    If I'm understanding you correctly, the only difference between L3
    switching and routing is that the internal routers have a hook into the
    backplane, so that instead of having to read the packet into the router,
    then routing it to another VLAN, they simply send an instruction to the
    backplane to copy the packet from point A to point B without having to
    fully traverse the router?

    Thanks for all your help
    Warrick FitzGerald, Feb 24, 2004
  6. A layer 3 switch makes forwarding decisions just like any other router, with
    its routing table. If you just have VLANs, it forwards between these directly
    connected interfaces. You are mostly correct about when layer 3 decisions
    are made, but the destination doesn't have to be local. If it has routes,
    whether connected, statically or dynamically, the switch will rewrite the
    destination mac and next hop IP to forward. The biggest difference is that
    you don't explicitly have to copy the frame to the router, which is where
    the performance benefit is. Logically, however, layer 3 switching and
    routing are exactly the same.

    Craig Johnson, CCIE #6965
    Craig Johnson, Feb 24, 2004
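To make the answer above concrete, here is an added Python model (not from the thread or any Cisco/Alteon code) of the two decisions a layer 3 switch makes: a frame is only handed to the routing table when its destination MAC is the switch's own SVI MAC on that VLAN; otherwise it is switched at layer 2 from the CAM table. The VLAN numbers follow the thread; all MACs, subnets and port names are constructed.

```python
import ipaddress

# Constructed topology: the 6509 has an SVI (MSFC interface) on VLAN 3 only.
# VLAN 10 is pure layer 2 from the 6509's point of view; the Alteon is the
# real servers' gateway there, so the switch never routes their traffic.
SVI_MACS = {3: "00:00:0c:07:ac:03"}            # hypothetical MSFC MAC, VLAN 3
CAM = {                                         # hypothetical learned MAC table
    (3, "00:11:22:33:44:55"): "Gi1/1",          # Alteon VLAN 3 interface
    (3, "00:22:33:44:55:66"): "Gi1/3",          # firewall inside interface
    (10, "00:11:22:33:44:66"): "Gi1/2",         # Alteon VLAN 10 interface
    (10, "00:aa:bb:cc:dd:01"): "Gi2/1",         # a real server
}
ROUTES = [                                      # hypothetical MSFC routing table
    (ipaddress.ip_network("10.3.0.0/24"), None, 3),        # connected, VLAN 3
    (ipaddress.ip_network("0.0.0.0/0"), "10.3.0.254", 3),  # default via firewall
]
ARP = {"10.3.0.254": "00:22:33:44:55:66",       # firewall
       "10.3.0.10": "00:11:22:33:44:55"}        # Alteon virtual/VIP side

def lookup(dst_ip):
    """Longest-prefix match; returns (next_hop_ip, egress_vlan) or None."""
    best = None
    addr = ipaddress.ip_address(dst_ip)
    for net, nh, vlan in ROUTES:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh, vlan)
    if best is None:
        return None
    net, nh, vlan = best
    return (nh or dst_ip, vlan)          # connected route: next hop is the host

def forward(vlan, dst_mac, dst_ip):
    """Return (mode, egress_vlan, egress_port, new_dst_mac) for one frame."""
    if dst_mac != SVI_MACS.get(vlan):
        # Not addressed to the router: plain layer 2 switching inside the VLAN.
        return ("L2", vlan, CAM.get((vlan, dst_mac), "flood"), dst_mac)
    route = lookup(dst_ip)
    if route is None:
        return ("DROP", vlan, None, None)
    nh, egress_vlan = route
    new_mac = ARP[nh]                     # rewrite destination MAC to next hop
    return ("L3", egress_vlan, CAM.get((egress_vlan, new_mac), "flood"), new_mac)
```

The real server's reply (VLAN 10, destination MAC of the Alteon) never touches the routing table, while the Alteon's NAT'd reply sent to the SVI MAC on VLAN 3 is routed to the firewall with a rewritten MAC.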
