10-05-2006 07:21 AM
Our current environment has grown to the size that a single Class C subnet on the client side of the CSM is full. We have a need to add an additional Class C subnet for the client side, but our TCOM group gave us a range which is not contiguous to the existing range and therefore cannot be added by simply changing the subnet mask (from 24 to 23).
The default route for all traffic from the CSM is an IP address on the subnet described above.
How should the new subnet be configured? I understand that there can only be one gateway on the CSM...so if traffic comes in on the second subnet, does this mean that it will go back out on the first subnet?
Does this look right?
vlan 111 client
ip address 192.168.111.5 255.255.255.0
gateway 192.168.111.1
vlan 222 client
ip address 192.168.222.5 255.255.255.0
On the Switch, when I run
"sho ip route 192.168.111.5"
it replies with "directly connected, via VLan111"
When I run
"sho ip route 192.168.222.5"
it also replies back with the same:
"directly connected, via VLan111"
Please note that I only manage the CSM and SSL-M. The switch and MSFC are managed by our TCOM group. Thanks for any information on this request!
10-05-2006 10:15 PM
If your clients are inside the client vlan, then there is no need for a gateway.
If they are multihop away, why do you need a 2nd vlan on the CSM?
Can't you simply route to the new subnets through the MSFC or any other device existing on the first vlan?
I personally prefer a design where the CSM only shares 1 vlan with the MSFC and the MSFC routes to all the other locations.
Gilles.
10-06-2006 07:31 AM
Routing for the new client-side VLAN is already in place. The problem is that the real servers' only route is through the CSM. So, we think that the packets are getting to the reals, but do not have a way back out through the CSM. Before I added the additional VLAN 222 to the CSM, pings would fail as well as HTTP calls. With the new VLAN 222 on the CSM, those seem to be working.
But, the SSL module is on VLAN 4 and packets bound to it never return to the vserver. I can ping the vserver on VLAN 222 from the SSL module, so I know that they can get back. I think there is no route from the new vlan 222 to vlan 4 now.
From your reply, you said that your design of a single vlan connected to MSFC is more desirable. How does the CSM then know about new IP subnet which has been added to the existing VLAN? Is there some other configuration that I should try?
Thank you very much for your replies.
10-06-2006 08:57 AM
The solution I suggest is to have the CSM connected to the server vlans and one additional vlan between the CSM and the MSFC.
Then configure 1 default gateway on the CSM pointing to the MSFC.
The servers should use the CSM as their default gateway.
Like this, you should be able to reach the CSM from anywhere and have the CSM/server respond back.
In your case, adding the vlan to the CSM just because the routing failed is really a bad solution. You should debug this and figure out where the problem is instead.
We can help you if necessary.
Gilles.
10-09-2006 05:36 AM
First, I want to thank you for the quick replies.
I understand what you are explaining here and believe that our current configuration is as you have explained, but need to further clarify what we have in place.
The single vlan on the client side previously had only a single Class C subnet. It now has two separate Class C subnets. Traffic can reach the CSM, but never returns back to the client. When I added the configuration for the second VLAN on the client side and addressed it as part of the second Class C subnet, content would now be returned to the client from the server side. But, I could not get the content to be forwarded to the SSL module, which resides on a separate VLAN. I then removed the client VLAN and traffic continued to flow properly (except to the SSL module). I then cleared connections to the vservers (to emulate a reboot); this caused all traffic to no longer return to the client.
Below is configuration (IP addresses changed to protect the innocent).
ssl-proxy module 2 allowed-vlan 4,219
ip subnet-zero
!
vlan 200 server
ip address 172.54.200.2 255.255.254.0
alias 172.54.200.1 255.255.254.0
!
vlan 4 server
ip address 192.168.219.5 255.255.255.0
!
vlan 219 client
ip address 192.168.219.5 255.255.255.0
gateway 192.168.219.1
!
natpool SERVERSIDE1 172.54.200.241 172.54.200.254 netmask 255.255.254.0
!
interface Vlan64
description Network 64
ip address 172.32.64.219 255.255.255.0
ip accounting output-packets
ip route-cache flow
logging event link-status
shutdown
!
interface Vlan65
description Network 65
ip address 172.32.65.219 255.255.255.0
ip accounting output-packets
ip route-cache flow
logging event link-status
!
interface Vlan219
description WebTeam URL Network
ip address 192.168.222.2 255.255.255.0 secondary
ip address 192.168.219.2 255.255.255.0
no ip redirects
no ip unreachables
ip pim dense-mode
ip route-cache flow
no ip mroute-cache
standby 10 ip 192.168.219.1
standby 10 timers 3 9
standby 10 priority 110
standby 10 preempt
standby 11 ip 192.168.222.1
standby 11 timers 3 9
standby 11 priority 110
standby 11 preempt
!
ip classless
ip route 172.54.200.0 255.255.254.0 192.168.219.5
NOTES: SSL-MODULE IP address 192.168.219.6 on VLAN 4.
I will go ahead and open TAC Case and post results later.
10-09-2006 06:12 AM
The problem is coming from your secondary subnet on the MSFC.
The CSM does not have the option to configure a secondary subnet.
Could you create another vlan, i.e. vlan 222, that you would use for clients using ip add 192.168.222.x/24?
That's the proper way of doing it.
If you want to share 1 vlan for 2 subnets, normally the CSM should be able to reach this subnet via the default gateway.
Do you have an L4 or L7 vserver on the CSM?
If yes, can you ping it from a client in subnet x.x.222.x?
At first glance, I would say there is nothing to do for this config to work. I'm not even sure the problem is the CSM.
This is why you need to capture a sniffer trace of the CSM portchannel and see, when you send traffic from vlan x.x.222.x, if the CSM forwards the traffic to the server and if the server responds.
Gilles.
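The following is an added configuration example, not posted by anyone in the thread, that puts Gilles' two suggestions together: a dedicated VLAN 222 on both the MSFC and the CSM in place of the "secondary" address on Vlan219 (his 10-09 reply), and a single default gateway on the CSM pointing at the MSFC with the servers using the CSM alias as their gateway (his 10-06 reply). Addresses follow the anonymized scheme already used in the thread; the module slot, the serverfarm/vserver names, the virtual address and the real-server addresses are assumptions.

```cisco
! MSFC side (the TCOM group's part): one SVI per client subnet, no "secondary".
interface Vlan219
 description WebTeam URL Network
 ip address 192.168.219.2 255.255.255.0
 standby 10 ip 192.168.219.1
 standby 10 priority 110
 standby 10 preempt
!
interface Vlan222
 description WebTeam URL Network, second client subnet (assumed new SVI)
 ip address 192.168.222.2 255.255.255.0
 standby 11 ip 192.168.222.1
 standby 11 priority 110
 standby 11 preempt
!
! Return path for the server subnet goes to the CSM's client-side address.
ip route 172.54.200.0 255.255.254.0 192.168.219.5
!
! CSM side (slot number assumed). Both client subnets are now directly
! connected VLANs on the CSM, so replies to 192.168.222.x clients leave on
! VLAN 222; anything the CSM does not know is sent to the one default gateway.
module ContentSwitchingModule 3
 vlan 219 client
  ip address 192.168.219.5 255.255.255.0
  gateway 192.168.219.1
 !
 vlan 222 client
  ip address 192.168.222.5 255.255.255.0
 !
 ! Servers point their default gateway at the alias 172.54.200.1.
 vlan 200 server
  ip address 172.54.200.2 255.255.254.0
  alias 172.54.200.1 255.255.254.0
 !
 serverfarm WEB
  nat server
  no nat client
  real 172.54.200.11
   inservice
  real 172.54.200.12
   inservice
 !
 ! No "vlan" restriction under the vserver, so it accepts clients from
 ! both 219 and 222.
 vserver WEB-HTTP
  virtual 192.168.219.100 tcp www
  serverfarm WEB
  inservice
```

VLAN 222 must also exist in the switch's VLAN database and be carried to the CSM for the second client VLAN to come up; after the change, `show module csm 3 vlan detail` on the CSM side and `show ip route 192.168.222.5` on the MSFC should show the 222 subnet directly connected via Vlan222 rather than via Vlan219.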
10-09-2006 06:47 AM
By adding the additional client vlan on the CSM, it is working properly. Thanks again for your assistance.
P.S. I did not open a TAC Case for this.