Topic: 5 replies; latest post 2013-01-04T02:02:38Z by kenhygh
MichaelFranek (34 Posts)

Pinned topic: Can you share ports across IPs and Domains

2012-05-01T19:32:41Z
Ok, we have the following setup:

DataPower XI50 with the IPs of:
10.1.242.205:9090 (Admin GUI)
10.1.242.205:5550 (Management Port)
----
10.5.242.205 (CLI Interface)

============================
There are currently multiple domains configured on the appliance, but NONE are sharing the same port. My question is: if we utilize the capability of having multiple IPs assigned, can we do something like this?

Domain: Test with IP: 10.1.242.205 listening on port 30000
Domain: Qa with IP: 10.1.242.206 listening on port 30000

*The Test and QA domains would NOT be running the same policies,
so a request to 10.1.242.205:30000 would return DIFFERENT results than a request to 10.1.242.206:30000.*

I.e., have 2 different domains listening on the same port on the same device, segregated by having multiple IPs.

I hope that was clear.

Thanks!
  • Trey (225 Posts)
    Re: Can you share ports across IPs and Domains
    2012-05-01T19:49:06Z
    Yes, you can have multiple listeners on the same port using unique IPs. The only catch is 0.0.0.0 (listen on all): you cannot have
    0.0.0.0:443
    10.x.x.x:443
    The listen-all will take precedence.

    Also, you may get this from other folks on here, but be very careful and aware when combining different groups, such as test and QA, on a single device. If test tries an unexpected combination that results in the system throttlers kicking in, that would affect QA's work.

    Good luck.
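A small checker for the two binding rules Trey describes (only one handler per exact ip:port, and a 0.0.0.0 handler taking precedence over specific-IP handlers on the same port), added here as an example; it is not code from the thread or from DataPower itself. The Listener model and find_binding_conflicts are this example's own names, and the sample bindings are constructed from the addresses the thread uses.

```python
"""Check front side handler (FSH) bindings for the conflicts this thread
describes: two handlers on the identical ip:port, and a 0.0.0.0 (listen-on-
all) handler that shadows specific-IP handlers on the same port. The data
model and function names here are assumptions of this example, not an
appliance API."""
from collections import defaultdict
from dataclasses import dataclass

WILDCARD = "0.0.0.0"


@dataclass(frozen=True)
class Listener:
    domain: str   # application domain, e.g. "Test" or "Qa"
    ip: str       # local address the handler binds to
    port: int


def find_binding_conflicts(listeners):
    """Return (kind, port, detail) tuples, ordered by port.

    kind == "duplicate": more than one handler claims the same ip:port,
                         so the later one will not come up.
    kind == "wildcard":  a 0.0.0.0 handler shares a port with specific-IP
                         handlers; the listen-all binding wins.
    """
    by_port = defaultdict(list)
    for lst in listeners:
        by_port[lst.port].append(lst)
    conflicts = []
    for port in sorted(by_port):
        domains_by_ip = defaultdict(list)
        for lst in by_port[port]:
            domains_by_ip[lst.ip].append(lst.domain)
        for ip, domains in domains_by_ip.items():
            if len(domains) > 1:
                conflicts.append(("duplicate", port,
                                  f"{ip}:{port} claimed by {', '.join(sorted(domains))}"))
        if WILDCARD in domains_by_ip:
            shadowed = sorted(ip for ip in domains_by_ip if ip != WILDCARD)
            if shadowed:
                owner = ", ".join(sorted(domains_by_ip[WILDCARD]))
                conflicts.append(("wildcard", port,
                                  f"{WILDCARD}:{port} ({owner}) shadows {', '.join(shadowed)}"))
    return conflicts


# Constructed sample mirroring the thread: Test and Qa share port 30000 on
# distinct IPs (allowed), plus a 0.0.0.0:443 handler beside a 10.x:443 one.
SAMPLE = [
    Listener("Test", "10.1.242.205", 30000),
    Listener("Qa", "10.1.242.206", 30000),
    Listener("Test", WILDCARD, 443),
    Listener("Qa", "10.1.242.206", 443),
]

if __name__ == "__main__":
    for kind, port, detail in find_binding_conflicts(SAMPLE):
        print(f"{kind:9} port {port}: {detail}")
```

Running it on SAMPLE reports only the 0.0.0.0:443 shadowing; the two port-30000 handlers on distinct IPs pass, matching Trey's answer.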
  • MichaelFranek (34 Posts)
    Re: Can you share ports across IPs and Domains
    2012-05-01T20:52:53Z
    [Quoting Trey's reply of 2012-05-01T19:49:06Z, above.]
    Trey,

    Sorry for being dense here, but just to make sure I understand:

    Domain: Test with IP: 10.1.242.205 listening on port 30000 is running an XML Firewall that will return nothing but "HI THERE"
    Domain: Qa with IP: 10.1.242.206 listening on port 30000 is running an XML Firewall that will return nothing but "GO AWAY"

    So a request to 10.1.242.205:30000 would return a "HI THERE"
    and a request to 10.1.242.206:30000 would return a "GO AWAY" response?

    Thanks!!!
  • harishtd (38 Posts)
    Re: Can you share ports across IPs and Domains
    2012-05-03T03:56:49Z
    [Quoting MichaelFranek's reply of 2012-05-01T20:52:53Z, above.]
    Yes, this will work without any problems.

    If you try to force the GO AWAY firewall to listen on IP 10.1.242.205 or on the special IP 0.0.0.0, the Front Side Handler would not come up to accept requests.
  • SystemAdmin (6772 Posts)
    Re: Can you share ports across IPs and Domains
    2013-01-03T23:15:55Z
    I think I understand this and wish it weren't so.
    I have two Ethernet ports in use on each of six XI50s - one for management and one for business traffic. One application entails using two Multi-protocol Gateways (MIME with SSL front side handlers) and a Web Service Proxy, accessible through an SSL FSH and an HTTP FSH. This exists on one test appliance that has domains for unit-test, client QA test, and benchmarking. The HTTPS FSHs all use the same cert and key. So far they've used 8 port numbers and the number is growing. Hard to manage and keep track of.
    What I wish were true: that I could use two FSHs, one for HTTP and one for HTTPS, and let the DataPower route a transaction to the appropriate WSP or MPG.
    Doesn't work like that though, right?
    Thanks, Scott
  • kenhygh (1620 Posts)
    Re: Can you share ports across IPs and Domains
    2013-01-04T02:02:38Z
    [Quoting SystemAdmin's (Scott's) reply of 2013-01-03T23:15:55Z, above.]
    Scott,
    If I understand, you want to be able to send a request to http://my.datapower.appliance and have DataPower be able to figure out what environment the request should be routed to, either unit-test, QA, or benchmarking.

    So, how would you differentiate the requests?

    And, what are the risks if a request gets routed incorrectly?

    In general, I discourage customers from having a single service support multiple environments. For instance, if you had an MPGW listening for HTTPS and then routing to an environment-specific service, how would you update that routing MPGW? What could break? What schedule impacts could there be if something breaks?

    Technically this is certainly possible. From a process/operational point of view, you might want to rethink this.

    And if you look upstream in this thread, there may be alternatives: one physical interface listening to multiple IP addresses, and your environment-specific services bound to separate 'virtual' IPs.

    Ken