Ok, we have the following setup:
DatPower XI50 with the IP's of:
10.1.242.205:9090 (Admin GUI)
10.1.242.205:5550 (Management Port)
10.5.242.205 (CLI Interface)
There are currently multiple domains configured on the appliance but NONE are sharing the same port. My question is that if we utilize the capability of having Multiple IP's assigned can we do something like this????
Domain: Test with IP: 10.1.242.205 listening on port 30000
Domain: Qa with IP: 10.1.242.206 listening on port 30000
*The Test and QA domains would NOT be running the same policies....
So a request to 10.1.242.205:30000 would return DIFFERENT results that a request to 10.1.242.206:30000*
IE: have 2 different domains listening on the same port on the same device, segregated by having multiple IP's..
I hope that was clear..
Pinned topic Can you share ports across IP's and Domains
Answered question This question has been answered.
Unanswered question This question has not been answered yet.
Updated on 2013-01-04T02:02:38Z at 2013-01-04T02:02:38Z by kenhygh
Trey 120000BTRN227 Posts
Re: Can you share ports across IP's and Domains2012-05-01T19:49:06ZThis is the accepted answer. This is the accepted answer.Yes, you can have multiple listeners on the same port using unique ip's. The only catch is the 0.0.0.0 (listen on all) you can not have a:
The listen all will take precedence.
Also you may get this from other folks on here but be very careful and aware when combining different groups, such as test and QA, on a single device. If test tries an unexpected combination that results in the system throttlers kicking in that would effect QA's work.
MichaelFranek 0100000K9D34 Posts
Re: Can you share ports across IP's and Domains2012-05-01T20:52:53ZThis is the accepted answer. This is the accepted answer.
- Trey 120000BTRN
Sorry for being dense here and to make sure I understand.....
Domain: Test with IP: 10.1.242.205 listening on port 30000 is running an XML Firewall that will return nothing but "HI THERE"
Domain: Qa with IP: 10.1.242.206 listening on port 30000 is running an XML Firewall that will return nothing but "GO AWAY"
So a request to 10.1.242.205:30000 would return a "HI THERE"
and a request to 10.1.242.206:30000 would return a "GO AWAY" response?
harishtd 060002245838 Posts
Re: Can you share ports across IP's and Domains2012-05-03T03:56:49ZThis is the accepted answer. This is the accepted answer.
- MichaelFranek 0100000K9D
If you try to force the GO AWAY firewall to listen on IP 10.1.242.205 or on the special IP 0.0.0.0, the Front Side Handler would not come up to accept requests.
SystemAdmin 110000D4XK6772 Posts
Re: Can you share ports across IP's and Domains2013-01-03T23:15:55ZThis is the accepted answer. This is the accepted answer.I think I understand this and wish it weren't so.
I have two Ethernet ports in use on each of six XI50's - one for management and one for business traffic. One application entails using two Multi-protocol Gateways (MIME with SSL front side handlers) and a Web Service Proxy, accessible through an SSL FSH and an HTTP FSH. This exists on one test appliance that has domains for unit-test, client QA test, and benchmarking. The HTTPS FSH's all use the same cert and key. So far they've used 8 port numbers and the number is growing. Hard to manage and keep track of.
What I wish was true: that I could use two FSH's; one for HTTP and one for HTTPS and let the DataPower route a transaction to the appropriate WSP or MPG.
Doesn't work like that though, right?
kenhygh 120000PD1B2256 Posts
Re: Can you share ports across IP's and Domains2013-01-04T02:02:38ZThis is the accepted answer. This is the accepted answer.
- SystemAdmin 110000D4XK
If I understand, you want to be able to send a request to http://my.datapower.appliance and have DataPower be able to figure out what environment the request should be routed to, either unit-test, QA, or benchmarking.
So, how would you differentiate the requests?
And, what are the risks if a request gets routed incorrectly?
In general, I discourage customers from having a single service support multiple environments. For instance, if you had an MPGW listening for HTTPS and then routing to an environment-specific service, how would you update that routing MPGW? What could break? What schedule impacts could there be if something breaks?
Technically this is certainly possible. From a process/operational point of view, you might want to rethink this.
And if you look upstream in this thread, there may be alternatives: one physical interface listening to multiple IP addresses, and your environment-specific services bound to separate 'virtual' IPs.