Configuring gateway address pools
When configuring an address-pool for the Blue Cedar gateway, you are configuring the groups of IP addresses for the gateway to assign to its clients. The gateway accepts these types of address pools:
- Static: Configure a pool of IP addresses on the same subnet as the address of the gateway private interface. Alternatively, there must be a route entry in the network infrastructure to route the mobile address pool to the private IP address of the gateway.
- DHCP: Specify a DHCP server to assign inner IP addresses to a tunneled app.
- NAT: Force all tunnel traffic through an internal NAT. The traffic then appears on the private network as a single address, and does not consume a unique private-network IP address per app. Note that because every client shares that one source address, this option can lose visibility into which clients are connecting to internal services.
Use these templates to configure the address-pool for the gateway:
Configuring the addressing scheme for tunneled clients
% set addressing pool-type scheme domain string nameserver ip-address
Element | Description |
---|---|
pool-type scheme | Assigns the addressing scheme for tunneled clients. Values: static, dhcp, nat. |
domain string | DNS domain name that you supply. (Leave empty to use default.) Note: Typically, when a client connects to the gateway, it uses its own domain name server (DNS) that is specific for its address pool. However, if a client has set its DNS address pool to "default" (nameserver 0.0.0.0), then the gateway-specific DNS/nameserver is given to that client. |
nameserver ip-address | Address of nameserver that the gateway uses to resolve domain names into IP addresses. (Leave as 0.0.0.0 to use default.) |
search "domain list" | Domain name search list. Use a space-delimited list, quoted with " ". Note: If the search domain is specified for the address-pool, that search domain is sent to the client (if using static addressing). If no pool-specific search domain is specified, the gateway sends the search domain specified for the top level. If no search domain is specified, the gateway-specific DNS search domains are sent to the client. |
Configuring the pool of static addresses for tunneled clients
% set addressing address-pool static_pool_name start ip-address end ip-address netmask netmask enabled boolean gateway ip-address priority 0-1000 nameserver ip-address domain string
Element | Description |
---|---|
address-pool static_pool_name | Address pools to be used for the tunneled clients (only used with pool-type set to 'static' or 'nat') Note: The addresses in the pool must use the same subnet as the address of the gateway private interface or there must be a route entry in the network infrastructure to route the mobile address pool to the private IP address of the gateway. |
domain string | DNS domain name that you supply. (Leave empty to use default.) |
enabled boolean | True: enable this address pool for use. False: disable this address pool. |
end ip-address | Last IP address for the specified static pool. |
gateway ip-address | Gateway for addresses assigned from pool. |
nameserver ip-address | Address of nameserver. (Leave as 0.0.0.0 to use default.) |
netmask netmask | Divides the IP address into subnets and specifies the available hosts on a network. When this parameter is set, it allows the client to connect to a host on the private side of the gateway that might not be locally attached. |
priority level | Address pools are ordered by priority levels, and the interface manager attempts to acquire IP addresses for new tunnels starting with the highest priority pool. When a pool gets exhausted (that is, when all addresses in range are used), the next pool in the list is used. (The interface manager configures the ethernet interfaces and monitors the status of changes to those interfaces.) Range: 0–1000. Smaller values indicate higher pool priority. |
search "domain list" | Domain name search list. Use a space-delimited list, quoted with " ". |
start ip-address | First IP address for the specified static pool. |
Specifying a DNS domain and search path
Set the default search path at the top level, using a space-delimited quoted list:
% set addressing search "example.com acme.com foo.com"
Set the search path for a specific address-pool:
% set addressing address-pool mypool search "bar.com sample.com"
% show addressing
addressing {
    pool-type static;
    nameserver 0.0.0.0;
    dhcp-arp-check off;
    address-pool mypool {
        start 10.26.202.1;
        end 10.26.206.254;
        netmask 255.248.0.0;
        gateway 10.26.202.1;
        enabled true;
        priority 100;
        nameserver 0.0.0.0;
        search "bar.com sample.com";
    }
    search "example.com acme.com foo.com";
}
There are three levels for addressing nameservers and search. The gateway chooses in this order, most-specific to least-specific:
- The specific address-pool nameserver.
- The addressing nameserver.
- If neither of the above two is set, the gateway's system DNS nameserver.
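To audit which resolver and search list each pool's clients actually receive, the following added example (not Blue Cedar code) parses the `show addressing` output above and applies the most-specific-first order. The function names are hypothetical, and the gateway's system DNS values are passed in as arguments because they do not appear in this output.

```python
import re

# Sample input: the `show addressing` output shown on this page.
SHOW_ADDRESSING = """\
addressing {
    pool-type static;
    nameserver 0.0.0.0;
    dhcp-arp-check off;
    address-pool mypool {
        start 10.26.202.1;
        end 10.26.206.254;
        netmask 255.248.0.0;
        gateway 10.26.202.1;
        enabled true;
        priority 100;
        nameserver 0.0.0.0;
        search "bar.com sample.com";
    }
    search "example.com acme.com foo.com";
}
"""
UNSET_NS = "0.0.0.0"  # the page's "use default" marker for nameserver

def parse_addressing(text):
    """Return (top_level_settings, {pool_name: settings}) from `show addressing`."""
    top, pools, current = {}, {}, None
    for line in text.splitlines():
        line = line.strip()
        m = re.fullmatch(r"address-pool (\S+) \{", line)
        if m:
            current = pools.setdefault(m.group(1), {})
        elif line == "}":
            current = None  # leaving a pool block (or the outer block)
        elif line.endswith(";"):
            key, _, value = line[:-1].partition(" ")
            (top if current is None else current)[key] = value.strip('"')
    return top, pools

def effective_dns(text, system_ns, system_search):
    """Per pool: pool setting, else addressing setting, else gateway system DNS."""
    top, pools = parse_addressing(text)
    result = {}
    for name, pool in pools.items():
        ns = next((lvl["nameserver"] for lvl in (pool, top)
                   if lvl.get("nameserver", UNSET_NS) != UNSET_NS), system_ns)
        search = next((lvl["search"] for lvl in (pool, top) if lvl.get("search")),
                      system_search)
        result[name] = {"nameserver": ns, "search": search.split()}
    return result
```

For the configuration above, `mypool` falls through to the system nameserver (both configured levels are 0.0.0.0) but keeps its own search list.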
Setting up address pools
Static
To set up a static pool, you need to run two commands:
Set the type of IP-address pool as static:
% set addressing pool-type static
Set the range of IP addresses in the static pool:
% set addressing address-pool static_pool_name start ip-address end ip-address
Example
% set addressing address-pool MyPool start 192.168.7.23 end 192.168.7.26 netmask 255.255.255.0 enabled true
% commit
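Before committing a static pool, it helps to check its size and whether it sits on the gateway private interface's subnet (otherwise a route entry is needed), and to see which pool takes over once a higher-priority pool is exhausted. This is an added sketch, not Blue Cedar code: the private interface address, the priority values, the `Overflow` pool and the lowest-free-address-first order within a pool are assumptions.

```python
import ipaddress

PRIVATE_IF = "192.168.7.1/24"  # assumed gateway private interface
POOLS = [  # constructed data; MyPool's range is the example from this page
    {"name": "Overflow", "start": "10.50.0.1", "end": "10.50.0.2",
     "priority": 500, "enabled": True},
    {"name": "MyPool", "start": "192.168.7.23", "end": "192.168.7.26",
     "priority": 10, "enabled": True},
]

def pool_report(pool, private_if):
    """Size of one static pool and whether it needs a route to the gateway."""
    start, end = (ipaddress.ip_address(pool[k]) for k in ("start", "end"))
    if start > end:
        raise ValueError(f"{pool['name']}: start is after end")
    subnet = ipaddress.ip_interface(private_if).network
    return {
        "name": pool["name"],
        "size": int(end) - int(start) + 1,
        # Off-subnet pools need a route entry pointing the pool at the
        # gateway's private IP address, as the address-pool note states.
        "needs_route": not (start in subnet and end in subnet),
    }

def allocation_order(pools):
    """Enabled pools, smallest priority value (highest priority) first."""
    ordered = sorted(pools, key=lambda p: p["priority"])
    return [p["name"] for p in ordered if p["enabled"]]

def assign(pools, in_use):
    """Next free address, moving to the next pool when one is exhausted."""
    by_name = {p["name"]: p for p in pools}
    for name in allocation_order(pools):
        addr = ipaddress.ip_address(by_name[name]["start"])
        last = ipaddress.ip_address(by_name[name]["end"])
        while addr <= last:  # assumption: lowest free address is handed out
            if str(addr) not in in_use:
                return name, str(addr)
            addr += 1
    return None  # every enabled pool is exhausted
```

With these values MyPool holds only four addresses, so a fifth concurrent tunnel is served from `Overflow`, which is off-subnet and depends on the route entry being in place.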
DHCP
To set up a DHCP address pool, run this command:
% set addressing pool-type dhcp
NAT
To set up a NAT address pool, run this command:
% set addressing pool-type nat nameserver ip-address
Example
% set addressing pool-type nat nameserver 192.168.1.2