
Segmentation with AppDirector
AppDirector defines a type of logical network entity known as a segment. A single AppDirector load balances the traffic for all segments, but traffic between segments is always inspected by an external inspection device (for example, a firewall or an anti-virus device).
These logical entities (segments) can be associated either with physical ports (including VLANs and Trunks) or with VLAN Tags. An NHR (Next Hop Router) must be associated with each segment; typically this is the firewall interface of that segment. A backup NHR can also be configured for each segment.
Layer 4 policies are also associated with segments, to define the logical location of each VIP. Segmentation is performed when there is a conflict between the segment to which the client belongs and the segment to which the Layer 4 policy belongs. AppDirector directly redirects traffic for a Layer 4 Policy’s VIP only when the traffic arrives from a client in the same segment where this policy resides.
Segmentation can also be performed when there is a conflict between the segment to which the Layer 4 policy belongs and the segment to which the server belongs. Whether segmentation is performed for this conflict is configurable by the user.
When AppDirector receives traffic that cannot be handled due to a segment conflict (that is, the segment over which the traffic was received does not match the Layer 4 policy segment), AppDirector sends this traffic to the NHR of the receiving (client) segment, while the reply traffic is forwarded from the server to the NHR of the Layer 4 policy segment.
Using Segmentation, a single AppDirector platform connects to multiple segments around the firewall (see Figure 37 - Physical Port Segmentation). AppDirector forces traffic originating in one firewall segment and destined to a different segment to pass through the firewall. This also applies when the destination IP address is the VIP of a Layer 4 policy residing on the same AppDirector.
Note: On the reply path, the behavior is determined by the non-segment-action parameter.
Default Segments
Physical ports, Trunks and 802.1q VLAN Tags that are not part of any segment are considered to be members of a default segment.
No specific NHR is defined for the default segment, but the default gateway belongs to the default segment.
Traffic from a client belonging to segment A to a destination belonging to the default segment (server or VIP) is redirected using the segment A NHR. However, the reply is redirected according to the Default Segment Operating Method. This can cause undesirable asymmetric routing, so check the parameter configuration.
Note: If you want to enable asymmetric routing on an OnDemand Switch 3 platform, the Session Table must be disabled in order for the traffic to be correctly routed.
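The following is an added example (not Radware's code) that models the forwarding decisions described above for segment conflicts and for the default segment, so that a flow can be checked for whether it is forced through the inspection device and whether its request and reply paths would be asymmetric. The device names, the use of the default gateway as the only exit of the default segment, and the treatment of the default gateway as a non-inspecting device are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

DEFAULT = "default"  # ports, trunks and VLAN tags that belong to no configured segment


@dataclass(frozen=True)
class Hop:
    name: str    # NHR interface, e.g. "fw-dmz" (constructed name)
    device: str  # device the hop belongs to, e.g. "firewall" (assumption)


@dataclass
class Segment:
    name: str
    nhr: Optional[Hop]               # None only for the default segment
    backup_nhr: Optional[Hop] = None


@dataclass
class Result:
    request_hop: Optional[Hop]  # None: AppDirector load-balances the VIP directly
    reply_hop: Optional[Hop]
    inspected: bool             # request was handed to an inspection device
    asymmetric: bool            # request and reply exit via different devices


def next_hop(seg: Segment, default_gw: Hop, down: frozenset = frozenset()) -> Hop:
    """NHR of a segment, falling back to its backup NHR when the primary is down.
    Assumption: the default segment exits only via the default gateway."""
    if seg.name == DEFAULT:
        return default_gw
    if seg.nhr is None:
        raise ValueError(f"segment {seg.name} has no NHR configured")
    if seg.nhr.name not in down:
        return seg.nhr
    if seg.backup_nhr is not None and seg.backup_nhr.name not in down:
        return seg.backup_nhr
    raise RuntimeError(f"no reachable NHR for segment {seg.name}")


def route(client_seg: Segment, policy_seg: Segment, default_gw: Hop,
          down: frozenset = frozenset()) -> Result:
    # Same segment: VIP traffic is load-balanced directly, no inspection device.
    if client_seg.name == policy_seg.name:
        return Result(None, None, inspected=False, asymmetric=False)
    # Segment conflict: request -> NHR of the receiving (client) segment,
    # reply -> NHR of the Layer 4 policy segment (or the default gateway).
    req = next_hop(client_seg, default_gw, down)
    rep = next_hop(policy_seg, default_gw, down)
    return Result(req, rep, inspected=req.device != default_gw.device,
                  asymmetric=req.device != rep.device)
```

A flow from a configured segment to a VIP in the default segment shows up as asymmetric, which is the case the note above warns about.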
To configure segmentation
1.
2.
Note: The AppDirector default gateway can only belong to the default segment.