DataPower Networking on SoftLayer

IBM DataPower Gateway Virtual Edition can be deployed on SoftLayer and used as the public entry point to your service, which lets your backend servers stay on private networks. The following shows one method of configuring the DataPower Ethernet interfaces in this environment.

[Image: DataPower network]

You need to deploy DataPower to a supported hypervisor on a bare metal instance.

The following instructions were carried out on VMware ESXi 5.5 with DataPower version XI52.7.0.0.8.

This setup also assumes you are setting static IPv4 addresses.

Three interfaces were configured in the virtual machine's settings (private, public, private):

[Image: DataPower virtual machine properties]

On SoftLayer you need to order subnets of type “portable” to assign to your DataPower appliance. This setup used two private subnets (one for the management interface and one for the backend servers), and one portable public subnet.

Management interface (eth0):

You need to configure static routes for the SoftLayer VPN. Depending on which datacenter(s) you VPN into, you can set more specific routes.

(More info here: http://knowledgelayer.softlayer.com/faq/what-ip-ranges-do-i-allow-through-firewall)

Configure with WebGUI:

[Image: DataPower Configure Ethernet Interface, eth0]

Configure with SSH Service:

xi52# config
Global configuration mode
xi52(config)# int eth0
Modify Ethernet Interface configuration

xi52(config ethernet eth0)# ip-address 10.125.109.140/27
xi52(config ethernet eth0)# ip-route 10.1.0.0/16 10.125.109.129 0
xi52(config ethernet eth0)# ip-route 10.2.0.0/16 10.125.109.129 0
xi52(config ethernet eth0)# ip-route 10.3.0.0/16 10.125.109.129 0
xi52(config ethernet eth0)# exit

 

Public interface (eth1):

As a general networking rule, set only one default gateway. Set it on the public interface.

Configure with WebGUI:

[Image: DataPower Configure Ethernet Interface, eth1]

Configure with SSH Service:

xi52# config
Global configuration mode
xi52(config)# int eth1
Modify Ethernet Interface configuration

xi52(config ethernet eth1)# ip-address 169.54.60.11/28
xi52(config ethernet eth1)# ipv4-default-gateway 169.54.60.1
xi52(config ethernet eth1)# exit

 

Private interface (eth2):

Set a static route for all private traffic to go over this interface. (The more specific routes will take precedence for the management interface.)

Configure with WebGUI:

[Image: DataPower Configure Ethernet Interface, eth2]

Configure with SSH Service:

xi52# config
Global configuration mode
xi52(config)# int eth2
Modify Ethernet Interface configuration

xi52(config ethernet eth2)# ip-address 10.126.109.141/27
xi52(config ethernet eth2)# ip-route 10.0.0.0/8 10.126.109.129 0
xi52(config ethernet eth2)# exit

Test your network connectivity:

Check your configuration from the SSH service with “show ethernet”.

You should be able to ping each of your interfaces. (You need to be connected to the SoftLayer VPN to ping the private interfaces.)

Also from WebGUI or SSH service you can ping your backend systems.
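
The routing behaviour configured above (the most specific route wins, with a single default gateway on eth1) can be checked offline before you rely on it. This is an added example, not part of the original post or of DataPower itself: it models the addresses and routes from the CLI sessions on this page with Python's ipaddress module, and the destination addresses it looks up are constructed samples.

```python
import ipaddress

# Interface addresses copied from the CLI sessions on this page.
INTERFACES = {
    "eth0": "10.125.109.140/27",
    "eth1": "169.54.60.11/28",
    "eth2": "10.126.109.141/27",
}
# (destination, next hop, interface); 0.0.0.0/0 stands for eth1's ipv4-default-gateway.
ROUTES = [
    ("10.1.0.0/16", "10.125.109.129", "eth0"),
    ("10.2.0.0/16", "10.125.109.129", "eth0"),
    ("10.3.0.0/16", "10.125.109.129", "eth0"),
    ("0.0.0.0/0", "169.54.60.1", "eth1"),
    ("10.0.0.0/8", "10.126.109.129", "eth2"),
]

def build_table(interfaces, routes):
    """Return (network, next_hop, ifname) entries: connected subnets plus static routes."""
    table = [(ipaddress.ip_interface(c).network, None, n) for n, c in interfaces.items()]
    table += [(ipaddress.ip_network(d), ipaddress.ip_address(h), n) for d, h, n in routes]
    return table

def unreachable_gateways(interfaces, routes):
    """Routes whose next hop is not on the subnet of the interface they are set on."""
    return [(d, h, n) for d, h, n in routes
            if ipaddress.ip_address(h) not in ipaddress.ip_interface(interfaces[n]).network]

def egress(dst, table):
    """Longest-prefix match: the most specific entry containing dst wins."""
    addr = ipaddress.ip_address(dst)
    matches = [e for e in table if addr in e[0]]
    net, hop, name = max(matches, key=lambda e: e[0].prefixlen)
    return name, (str(hop) if hop is not None else "directly connected")

if __name__ == "__main__":
    table = build_table(INTERFACES, ROUTES)
    print("gateways off-subnet:", unreachable_gateways(INTERFACES, ROUTES))
    # Constructed sample destinations, not addresses from the page.
    for dst in ("10.2.14.7", "10.126.109.150", "10.40.8.20", "198.51.100.25"):
        print(dst, "->", egress(dst, table))
```

Management (VPN) destinations leave through eth0, other private destinations through eth2, and only non-private destinations use the public default gateway on eth1.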

Failover:

To configure a second DataPower in an active/passive setup, you need a third public IP in the same subnet.

On the interface with the public IP, enable standby control and set the IP and priority. On the passive DataPower, set the priority to a lower number.

[Image: DataPower Configure Ethernet Interface, eth1 standby control]

To force the DataPower to fail over to the secondary (so you can do maintenance on the primary), disable the public interface on the primary.

You can check which DataPower is currently active by logging into the console (or SSH) and running “show standby”:

xi52# show standby

 ifIndex Type     Name Group Virtual IP address Priority State   Preemption state VIP owner      Self-balancing Distribution algorithm
 ------- -------- ---- ----- ------------------ -------- ------- ---------------- -------------- -------------- ----------------------
 6       Ethernet eth1 10    169.54.60.10     100      standby off              169.54.60.11 off            wlc

xi52# show standby

 ifIndex Type     Name Group Virtual IP address Priority State  Preemption state VIP owner      Self-balancing Distribution algorithm
 ------- -------- ---- ----- ------------------ -------- ------ ---------------- -------------- -------------- ----------------------
 6       Ethernet eth1 10    169.54.60.10     10       active off              169.54.60.12 off            wlc