
2/32



ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THISMANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTEDWITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED.

INTELLECTUAL PROPERTY RIGHTS:

THIS DOCUMENT CONTAINS VALUABLE AND CONFIDENTIAL

INFORMATION ON MIGRATION OF DMZ SWITCHES IN THE DATA

CENTER OF MINISTRY OF CORPORATE AFFAIRS, (MCA) DELHI. AND

SHALL NOT BE DISCLOSED TO ANY PERSON, ORGANIZATION, ORENTITY UNLESS SUCH DISCLOSURE IS SUBJECT TO THE PROVISIONS

OF A NONDISCLOSURE AND PROPRIETARY RIGHTS AGREEMENT

APPROVED BY MINISTRY OF CORPORATE AFFAIRS (MCA).


3/32



Document Information

AUTHOR : Chandra Bhanu Panigrahi

CHANGE AUTHORITY : INTEGRATED COMMUNICATION SERVICES

CHANGE FORECAST : MEDIUM

ORGANIZATION : IBM INDIA (P) LTD

Review

ORGANIZATION NAME TITLEINFOSYS ANIL KUMAR AKELLA

INFOSYS MANOJ KUMAR YADAV

Modification History

REV. DATE ORIGINATOR STATUS COMMENT

1.0 12/07/2013 Chandra Bhanu Initial Version

1.1 17/12/2013 Chandra Bhanu Updated


4/32



Document Acceptance Signoff

FOR IBM INDIA (P) LTD

NAME …………………………………………………………………..

TITLE ……………………………………………………………………

COMPANY …………………………………………………………….

SIGNATURE & STAMP ………………………………………………………..

DATE ………………………………………………………………….

FOR INFOSYS

NAME …………………………………………………………………..

TITLE ……………………………………………………………………

COMPANY …………………………………………………………….

SIGNATURE & STAMP ………………………………………………………..

DATE ………………………………………………………………….

Note: Acceptance can be in the form of written / or email


5/32


6/32



1.0 Radware Link Proof migration plan for MCA DC Internet

Segment consists of following

1.1 Network Changes Required for Migrating Existing LB’s.

Presently the subnet 10.64.21.0/24 provides connectivity between

Internet Router and LinkProof LBs.

As Secondary Internet Link will be terminated at Second Router,

Public LAN IP address provided by TCIL and Bharti will beconfigured at each Internet Router’s LAN interfaces.

So the connectivity between LBs and Internet router will bethrough Public IP Addresses provided by both ISPs.


7/32



Presently Internet Router LAN, LBs interfaces and Checkpoint

Firewalls are all connected to DMZ switch. So two Cisco 2960-S

switches will be introduced to connect Internet Router LAN, LBsand Checkpoint Firewall Outside Interface and Managements

interfaces of Internet segment devices except Checkpoint and

DMZ switches.

Internet Routers, Cisco 2960-S wan switches, LinkProof’s

management interfaces will be connected at Cisco 2960-S

switches and specific LAN subnet will be routed for Management

access with 10.64.22.1 as next hop.The subnet 10.64.22.0/24 willbe used for this purpose.

Presently Linkproof1(LP1)’s LAN interface is connected to DMZ

switch through IPS4240.This will be connected as it but theconnectivity will be moved from DMZ switch to WAN switch.

1.2 Prerequisites for Internet Link Loadbalancer(LB) Migration

Second link details like WAN and LAN Public IP Address. Changes Required at Public DNS server at the time of activity. DNS A record entry for VPN host name.


8/32



1.3 Devices to be Installed/Replaced for this activity

Sl No. Location/Type Make / Model Device Type / Role Device Host Name

1 MCA DC Delhi Cisco 2960-S Switch FO Aggregation Switch 1 DELDCSWTAGRF01

2 MCA DC Delhi Cisco 2960-S Switch FO Aggregation Switch 2 DELDCSWTAGRF023 MCA DC Delhi Radware Link Proof 208 Internet Link Load Balancer 1 DELDCLLBACTF01

4 MCA DC Delhi Radware Link Proof 208 Internet Link Load Balancer 2 DELDCLLBSTBF02

1.4 Internet Link Loadbalancer (LB)


9/32


10/32



New Layer3 VLAN vlan 101 and vlan 102 would be used for

connecting Internet Router’s (Router-01 and Router-02) LAN

interface with LB outside interfaces through Cisco 2960-S WANSwitch.

Chapter 2.0 IP Address & VLAN details

Physical Connectivity Details

WAN Switch-01 VLAN

WANSwitch-

01Interface

WAN Switch Interface DescriptionsConnected

DeviceDevice

Interface

VLAN 101 Gi1/0/1## Connected to Internet Router-01 LANInterface(Gi0/0) ##

InternetRouter-01 Gi0/0

VLAN 101 Gi1/0/2 ## Connected to LP-01 LAN Interface(G2) ## LP-01 G2


VLAN 59 Gi1/0/4## Connected to LP-01 LAN Interface(G1) throughDC-IPS4240 ## LP-01 G1

VLAN 22 Gi1/0/11## Connected to Internet Router-01 LANInterface(Gi0/3) - Management ##


VLAN 22 Gi1/0/12 ## Connected to LP-01 LAN Interface(MNG1) ## LP-01 MNG1

VLAN 22 Gi1/0/22 ## Connected to DMZ SW-01 - Port 43 ## DMZSW Gi1/0/43

Trunk (59,101, 102) Gi1/0/23 ## Connected to WAN Switch-02 - Gi1/0/23 ##

WANSwitch-02 Gi1/0/23



WAN Switch-02 VLAN

WANSwitch-

02Interface

WAN Switch Interface DescriptionsConnected

DeviceDevice

Interface

VLAN 102 Gi1/0/1## Connected to Internet Router-02 LANInterface(Gi0/0) ##





VLAN 22 Gi1/0/11## Connected to Internet Router-02 LANInterface(Gi0/3) - Management ##


VLAN 22 Gi1/0/12 ## Connected to LP-01 LAN Interface(MNG1) ## LP-02 MNG1

VLAN 22 Gi1/0/22 ## Connected to DMZ SW-02 - Port 43 ## DMZSW Gi2/0/43






11/32



Chart# IPADD-2.0

VLAN ID L2/L3 Radware Physical Port

101 L3 G2

102 L3 G359 L3 G1

22 L3 MNG1

Primary Radware LP

RadwarePhysical Port

Radware Physical IPAddress

WAN Switch 1Physical Port

G1 59.165.200.11/24 Gi1/0/4G2 14.140.191.13/25 Gi1/0/2

G3 202.56.229.130/28 Gi1/0/3

MNG1 10.64.22.25/24 Gi1/0/12

Secondary Radware LP

RadwarePhysical Port

Radware Physical IPAddress

WAN Switch 1

Physical PortG1 59.165.200.12/24 Gi1/0/4

G2 14.140.191.14/25 Gi1/0/2

G3 202.56.229.131/28 Gi1/0/3

MNG1 10.64.22.26/24 Gi1/0/12


12/32


13/32



3.1 Radware LB Configuration Details

3.1.1 Farm Details

Sl. No. FARMs Dispatch Method

1 MCA-FARM1 Cyclic

2 MCA-FARM2 Cyclic

3 MCA-DEFAULT-FARM3 Cyclic

4 MCA-DEFAULT-FARM4 Cyclic

LB Load Balancing Algorithm

Dispatch method in Radware LB decides how to distribute traffic to realservers/Internet Link. In this deployment scenario there is no use of

dispatch method as farms will forward to only one Link for outgoing orin coming traffic in Primary / Redundant mode.

3.1.2 Router Farm Details

Sl. No. Routers Router IP Address

1 MCA-FM1-RTR-TCIL 14.140.191.1

2 MCA-FM1-RTR-BHARTI 202.56.229.1293 MCA-FM2-RTR-TCIL 14.140.191.1

4 MCA-FM2-RTR-BHARTI 202.56.229.129

5 MCA-DEFAULT-FM3-RTR-TCIL 14.140.191.1

6 MCA-DEFAULT-FM4-RTR-BHARTI 202.56.229.129

3.1.3 Host network/classes Details

Sl.

No. Networks IP Address1 mca.gov.in 59.165.200.120

2 mca21.gov.in 59.165.200.120

3 servicedesk.mca 59.165.200.103

4 www.mca.gov.in/XBRL 59.165.200.113

5 dcdeldns2.mca.gov.in 59.165.200.3

6 vpn.mca.gov.in 59.165.200.59


14/32


15/32



3 59.165.200.10 59.165.200.10 14.140.191.1 14.140.191.10 14.140.191.10

4 59.165.200.15 59.165.200.15 14.140.191.1 14.140.191.15 14.140.191.15

5 59.165.200.16 59.165.200.16 14.140.191.1 14.140.191.16 14.140.191.16

6 59.165.200.21 59.165.200.21 14.140.191.1 14.140.191.21 14.140.191.21

7 59.165.200.22 59.165.200.22 14.140.191.1 14.140.191.22 14.140.191.22

8 59.165.200.23 59.165.200.23 14.140.191.1 14.140.191.23 14.140.191.23

9 59.165.200.24 59.165.200.24 14.140.191.1 14.140.191.24 14.140.191.24

10 59.165.200.25 59.165.200.25 14.140.191.1 14.140.191.25 14.140.191.25

11 59.165.200.26 59.165.200.26 14.140.191.1 14.140.191.26 14.140.191.26

12 59.165.200.27 59.165.200.27 14.140.191.1 14.140.191.27 14.140.191.27

13 59.165.200.28 59.165.200.28 14.140.191.1 14.140.191.28 14.140.191.28

14 59.165.200.29 59.165.200.29 14.140.191.1 14.140.191.29 14.140.191.29

15 59.165.200.32 59.165.200.32 14.140.191.1 14.140.191.32 14.140.191.32

16 59.165.200.33 59.165.200.33 14.140.191.1 14.140.191.33 14.140.191.33

17 59.165.200.34 59.165.200.34 14.140.191.1 14.140.191.34 14.140.191.34

18 59.165.200.37 59.165.200.37 14.140.191.1 14.140.191.37 14.140.191.37

19 59.165.200.38 59.165.200.38 14.140.191.1 14.140.191.38 14.140.191.38

20 59.165.200.39 59.165.200.39 14.140.191.1 14.140.191.39 14.140.191.3921 59.165.200.40 59.165.200.40 14.140.191.1 14.140.191.40 14.140.191.40

22 59.165.200.42 59.165.200.42 14.140.191.1 14.140.191.42 14.140.191.42

23 59.165.200.43 59.165.200.43 14.140.191.1 14.140.191.43 14.140.191.43

24 59.165.200.57 59.165.200.57 14.140.191.1 14.140.191.57 14.140.191.57

25 59.165.200.90 59.165.200.90 14.140.191.1 14.140.191.90 14.140.191.90

26 59.165.200.103 59.165.200.103 14.140.191.1 14.140.191.103 14.140.191.103

27 59.165.200.105 59.165.200.105 14.140.191.1 14.140.191.105 14.140.191.105

28 59.165.200.106 59.165.200.106 14.140.191.1 14.140.191.106 14.140.191.106

29 59.165.200.107 59.165.200.107 14.140.191.1 14.140.191.107 14.140.191.107

30 59.165.200.108 59.165.200.108 14.140.191.1 14.140.191.108 14.140.191.108

31 59.165.200.109 59.165.200.109 14.140.191.1 14.140.191.109 14.140.191.109

32 59.165.200.110 59.165.200.110 14.140.191.1 14.140.191.110 14.140.191.110

33 59.165.200.111 59.165.200.111 14.140.191.1 14.140.191.111 14.140.191.111

34 59.165.200.112 59.165.200.112 14.140.191.1 14.140.191.112 14.140.191.112

35 59.165.200.113 59.165.200.113 14.140.191.1 14.140.191.113 14.140.191.113

36 59.165.200.114 59.165.200.114 14.140.191.1 14.140.191.114 14.140.191.114

37 59.165.200.115 59.165.200.115 14.140.191.1 14.140.191.115 14.140.191.115

38 59.165.200.116 59.165.200.116 14.140.191.1 14.140.191.116 14.140.191.116

39 59.165.200.117 59.165.200.117 14.140.191.1 14.140.191.117 14.140.191.117

40 59.165.200.118 59.165.200.118 14.140.191.1 14.140.191.118 14.140.191.118

41 59.165.200.120 59.165.200.120 14.140.191.1 14.140.191.120 14.140.191.120

42 59.165.200.121 59.165.200.121 14.140.191.1 14.140.191.121 14.140.191.121

43 59.165.200.122 59.165.200.122 14.140.191.1 14.140.191.122 14.140.191.12244 59.165.200.126 59.165.200.126 14.140.191.1 14.140.191.126 14.140.191.126


16/32


17/32



Management Connectivity Diagram


18/32


19/32



Redindancy Configuration


20/32



Configure NHR Tracking Table

1. Select Services > Tuning > Device. 2. In the NHR Tracking Table text box, type the limit on the number of entries in the

NHR Table. Default: 100,000. 3. Click Set. 4. Select LinkProof > Global Configuration > General.

5. Configure the following parameters: NHR Tracking Table Status & NHR TrackingTable Aging 6. Click Set.

LinkProof > Global Configuration > General


21/32



Static NAT Configuration


22/32



Dynamic NAT Configuration

For Inbound web traffic.

Existing TCIL Internet Link will be used for inbound web traffic.

Second internet Link will be used for Inbound SSL VPN traffic.

Outgoing Internet, patch management etc will use Second Internet Link.

LinkProof > Farms > Farm Table


23/32



LinkProof > Servers > Logical Routers Table

Classes > Modify > Networks


24/32




25/32



LinkProof > DNS Configuration > Name to Local IP

LinkProof > Flow Management > Farms Flow Table (To Configure Flow Management)


26/32



LinkProof > Flow Management > Modify policies (To Configure Flow Policies)

LinkProof > Smart NAT > Static NAT Table (To Configure Static NAT)


27/32



DNS Changes


28/32



5.0: Traffic flow Through Link Loadbalancer

5.1: Traffic flow diagram in all working conditions: In all working

condition primary Radware LB will process all traffic.

Traffic flow classification in case of stable scenarios:

In coming Traffic for MCA web application will use TCIL ISP link

only. In coming Traffic for SSL VPN access will use Bharti ISP link only. All outgoing traffic linke patchmanagement or internet

requirement for DC ,Bharti ISP link will be used as primary and

TCIL as Backup.

Note : In case of any ISP link not available , all traffic (incoming &

outgoing ) will be through other available ISP link.


29/32



5.2 Traffic flow when a Primary Radware LB Fails.

When Primary Radware LB fail or any one interface of primary LBfails ,secondary Radware box becomes active


30/32



6.0 Test cases: Test cases are based upon the ping,

http,nslookup,telnet and trace route of Radware vip/physical ip address

and natted servers.

Table 6.1- When Both Radware LP are up and running

Test case Ping/traceroute/telnet/HTTP response

When Both

Radware LB are up

and working.(before migration)

1. Nslookup the web application sites

like www.mca.gov.in ,

www.mca21.gov.in(14.140.191.120),servicedesk.mca.gov.in(14.140.191.103)

2. Ping corresponding public ip address

static natted with with realservers.Public ip address to ping areto be captured.

Ping Response will

confirm reach

ability of Natted IPaddress from theinternet

When Both

Radware LB are up


Telnet public vip ip address on port 80

and 53

14.140.191.120 –port 8014.140.191.113- port 80

14.140.191.3 -port 53

Successful telnet

session

establishment willconfirm the

accessibility of

application through

Radware LP.

When BothRadware LB are up


Ping both Radware physical interface ipaddress. Ping Response willconfirm reach

ability of Radwarephysical interface

and connectivity.

When Both

Radware LB are upand working.

(before migration)

http://www.mca.gov.in &

http://www.mca21.gov.in

Some Ping

response andnslookup to Web

site should have

14.140.191.120 as

ip address due toGSLB setup. Otherip would be of DR

Chennai ie

115.114.108.120

http://www.mca.gov.in/http://www.mca.gov.in/http://www.mca.gov.in/http://www.mca.gov.in/http://www.mca.gov.in/http://www.mca.gov.in/http://www.mca.gov.in/


31/32


32/32


Post Migration – Test Cases

Table 6.1 & 6.2 test cases will be performed post migration of new

Radware devices in Internet Segment.

Radware Link Loadbalancer_MIGRATION PLAN_V1.1

Documents

Transcript of Radware Link Loadbalancer_MIGRATION PLAN_V1.1