Second Client Side VLAN - CSM

aanelso1
Level 1

Our current environment has grown to the size that a single Class C subnet on the client side of the CSM is full. We have a need to add an additional Class C subnet for the client side, but our TCOM group gave us a range which is not contiguous to the existing range and therefore cannot be added by simply changing the subnet mask (from 24 to 23).

The default route for all traffic from the CSM is an IP address on the subnet described above.

How should the new subnet be configured? I understand that there can only be one gateway on the CSM...so if traffic comes in on the second subnet, does this mean that it will go back out on the first subnet?

Does this look right?

vlan 111 client
  ip address 192.168.111.5 255.255.255.0
  gateway 192.168.111.1
vlan 222 client
  ip address 192.168.222.5 255.255.255.0

On the Switch, when I run "sho ip route 192.168.111.5" it replies with "directly connected, via Vlan111".

When I run "sho ip route 192.168.222.5" it also replies back with the same: "directly connected, via Vlan111".

Please note that I only manage the CSM and SSL-M. The switch and MSFC are managed by our TCOM group. Thanks for any information on this request!

6 Replies

Gilles Dufour
Cisco Employee

If your clients are inside the client vlan, then there is no need for a gateway.

If they are multihop away, why do you need a 2nd vlan on the CSM?

Can't you simply route to the new subnets through the MSFC or any other device existing on the first vlan?

I personally prefer a design where the CSM only shares 1 vlan with the MSFC and the MSFC routes to all the other locations.

Gilles.

Routing for the new client-side VLAN is already in place. The problem is that the real servers' only route is through the CSM. So, we think that the packets are getting to the reals, but they do not have a way back out through the CSM. Before I added the additional VLAN 222 to the CSM, pings would fail as well as HTTP calls. With the new VLAN 222 on the CSM, those seem to be working.

But, the SSL module is on VLAN 4 and packets bound to it never return to the vserver. I can ping the vserver on VLAN 222 from the SSL module, so I know that they can get back. I think there is no route from the new vlan 222 to vlan 4 now.

From your reply, you said that your design of a single vlan connected to the MSFC is more desirable. How does the CSM then know about the new IP subnet which has been added to the existing VLAN? Is there some other configuration that I should try?

Thank you very much for your replies.

The solution I suggest is to have the CSM connected to the server vlans and one additional vlan between the CSM and MSFC.

Then configure 1 default gateway on the CSM pointing to the MSFC.

The servers should use the CSM as their default gateway.

Like this, you should be able to reach the csm from anywhere and the csm/server to respond back.

In your case, adding the vlan to the CSM just because the routing failed is really a bad solution. You should debug this and figure out where the problem is instead.

We can help you if necessary.

Gilles.

First, I want to thank you for the quick replies.

I understand what you are explaining here and believe that our current configuration is as you have explained, but need to further clarify what we have in place.

The single vlan on the client side previously had only a single class C subnet. It now has two separate Class C subnets. Traffic can reach the CSM, but never returns back to the client. When I added the configuration for the second VLAN client side and addressed it as part of the second class C address, content would now be returned to the client from the server side. But, I could not get the content to be forwarded to the SSL module which resides on a separate VLAN. I then removed client VLAN and traffic continued to flow properly (except to SSL module). I then cleared connections to the vservers (to emulate a reboot), this caused all traffic to no longer return to the client.

Below is configuration (IP addresses changed to protect the innocent).

ssl-proxy module 2 allowed-vlan 4,219
ip subnet-zero
!
vlan 200 server
  ip address 172.54.200.2 255.255.254.0
  alias 172.54.200.1 255.255.254.0
!
vlan 4 server
  ip address 192.168.219.5 255.255.255.0
!
vlan 219 client
  ip address 192.168.219.5 255.255.255.0
  gateway 192.168.219.1
!
natpool SERVERSIDE1 172.54.200.241 172.54.200.254 netmask 255.255.254.0
!
interface Vlan64
  description Network 64
  ip address 172.32.64.219 255.255.255.0
  ip accounting output-packets
  ip route-cache flow
  logging event link-status
  shutdown
!
interface Vlan65
  description Network 65
  ip address 172.32.65.219 255.255.255.0
  ip accounting output-packets
  ip route-cache flow
  logging event link-status
!
interface Vlan219
  description WebTeam URL Network
  ip address 192.168.222.2 255.255.255.0 secondary
  ip address 192.168.219.2 255.255.255.0
  no ip redirects
  no ip unreachables
  ip pim dense-mode
  ip route-cache flow
  no ip mroute-cache
  standby 10 ip 192.168.219.1
  standby 10 timers 3 9
  standby 10 priority 110
  standby 10 preempt
  standby 11 ip 192.168.222.1
  standby 11 timers 3 9
  standby 11 priority 110
  standby 11 preempt
!
ip classless
ip route 172.54.200.0 255.255.254.0 192.168.219.5

NOTES: SSL-MODULE IP address 192.168.219.6 on VLAN 4.

I will go ahead and open TAC Case and post results later.

The problem is coming from your secondary subnet on the MSFC.

The CSM does not have the option to configure secondary subnet.

Could you create another vlan, i.e. vlan 222, that you would use for clients using ip add 192.168.222.x/24?

That's the proper way of doing it.

If you want to share 1 vlan for 2 subnets, normally the CSM should be able to reach this subnet via the default gateway.

Do you have a L4 or L7 vserver on the CSM?

If yes, can you ping it from a client in subnet x.x.222.x?

At first glance, I would say there is nothing to do for this config to work. I'm not even sure the problem is the CSM.

This is why you need to capture a sniffer trace of the CSM portchannel and see, when you send traffic from vlan x.x.222.x, if the CSM forwards the traffic to the server and if the servers respond.

Gilles.
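The routing question that runs through this thread (does a reply to a client on the second subnet go back out on the first VLAN?) can be made concrete with a small longest-prefix-match model of the CSM's and the MSFC's forwarding tables. This is an added example, not code or configuration from the thread or from Cisco; it reuses the sanitized addresses posted above, treats the CSM's single gateway as a default route, leaves out the bridged vlan 4 (same subnet as vlan 219), and uses 192.168.222.50 as a constructed client host.

```python
# Added example (not from the thread): longest-prefix-match model of the CSM
# and MSFC forwarding decisions for the two designs discussed above.
# Addresses reuse the thread's sanitized values; client 192.168.222.50 is a
# constructed sample host.
import ipaddress
from typing import List, NamedTuple, Optional


class Route(NamedTuple):
    prefix: ipaddress.IPv4Network
    interface: str            # egress VLAN
    next_hop: Optional[str]   # None means directly connected


def lookup(table: List[Route], dst: str) -> Optional[Route]:
    """Return the most specific matching route (longest prefix wins)."""
    addr = ipaddress.ip_address(dst)
    matches = [r for r in table if addr in r.prefix]
    if not matches:
        return None
    return max(matches, key=lambda r: r.prefix.prefixlen)


def csm_table(second_client_vlan: bool) -> List[Route]:
    """CSM table: connected VLANs plus its single default gateway.

    The CSM has no secondary-subnet command, so 192.168.222.0/24 is only
    directly connected when it gets its own client VLAN (vlan 222).
    """
    table = [
        Route(ipaddress.ip_network("192.168.219.0/24"), "vlan219", None),
        Route(ipaddress.ip_network("172.54.200.0/23"), "vlan200", None),
        # 'gateway 192.168.219.1' modelled as a default route out vlan 219
        Route(ipaddress.ip_network("0.0.0.0/0"), "vlan219", "192.168.219.1"),
    ]
    if second_client_vlan:
        table.append(Route(ipaddress.ip_network("192.168.222.0/24"), "vlan222", None))
    return table


def msfc_table() -> List[Route]:
    """MSFC table from the posted config: primary and secondary address on
    interface Vlan219, plus the static route to the server subnet via the CSM."""
    return [
        Route(ipaddress.ip_network("192.168.219.0/24"), "Vlan219", None),
        Route(ipaddress.ip_network("192.168.222.0/24"), "Vlan219", None),  # secondary
        Route(ipaddress.ip_network("172.54.200.0/23"), "Vlan219", "192.168.219.5"),
    ]


def reply_path(client: str, second_client_vlan: bool) -> List[str]:
    """Trace the hops a CSM reply takes back to the client."""
    hops: List[str] = []
    r = lookup(csm_table(second_client_vlan), client)
    if r is None:
        return ["CSM: no route"]
    if r.next_hop is None:
        hops.append(f"CSM -> {client} directly on {r.interface}")
        return hops
    # Reply leaves the CSM toward its gateway; the MSFC then forwards it
    # using its own table (which does know the secondary subnet).
    hops.append(f"CSM -> {r.next_hop} via {r.interface}")
    m = lookup(msfc_table(), client)
    if m is None:
        hops.append("MSFC: no route")
    else:
        hops.append(f"MSFC -> {client} directly on {m.interface}")
    return hops


if __name__ == "__main__":
    for with_vlan222 in (False, True):
        print(f"second client VLAN on CSM: {with_vlan222}")
        for hop in reply_path("192.168.222.50", with_vlan222):
            print("  " + hop)
```

With only the MSFC secondary address, the reply leaves the CSM on vlan 219 toward 192.168.219.1 and the MSFC sends it back out the same interface Vlan219 to the client; that hairpin is why the switch reports both addresses as "directly connected" while the CSM itself only reaches the second subnet through its gateway (the posted `no ip redirects` keeps the MSFC from sending ICMP redirects for that hairpinned traffic). With a dedicated client vlan 222 on the CSM, the reply is delivered directly.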

By adding the additional client vlan on the CSM, it is working properly. Thanks again for your assistance.

P.S. I did not open a TAC Case for this.
