I am running VCS x7.0.1.
I'm trying to figure out the right way to configure the IP routing on the VCS-E when the Dual NIC option is enabled.
Do I need to put routes to both the internal networks and the outside world?
LAN1 is the inside connection, LAN2 is the outside connection.
Which LAN interface gets the default gateway, and then what would I put as route statements for the other interface to make sure that all non-internal IP addresses should be routed out to the internet?
You have the default gw on the first interface, so this will send out all ipv4 traffic out to this interface,
*h xConfiguration IP Gateway:
"Specifies the IPv4 gateway of the VCS.
unless you have defined a more specific route, for example pointing to your second interface:
If you use an additional interface you would have to define which ips will be routed over the second interface,
like your 10.0.0.0/8 network or whatever you use behind the LAN2 interface.
Here is the info about the xconf commands:
xconfiguration ip route ?
*h xConfiguration IP Route [1..50] Address: < 0="">>
"Specifies an IP address used in conjunction with the prefix length to determine the network to which this route applies."
*h xConfiguration IP Route [1..50] PrefixLength: <1..128>
"Specifies the number of bits of the IP address which must match when determining the network to which this route applies. Default: 32"
*h xConfiguration IP Route [1..50] Gateway: < 0="">>
"Specifies the IP address of the gateway for this route."
*h xConfiguration IP Route [1..50] Interface:
"Specifies the LAN interface to use for this route. Auto: the VCS will select the most appropriate interface to use. Default: Auto"
xConfiguration IP Route 50 Address: 10.0.0.0
xConfiguration IP Route 50 PrefixLength: 8
xConfiguration IP Route 50 Gateway: 10.1.0.1
If your vcs is for example LAN2=10.1.0.2/24 it should auto select the LAN2 interface
for this route, but you could also specify:
xConfiguration IP Route 50 Interface: LAN2
But still all other traffic would go out on the default route.
So would the syntax for what is essentially a "default route" look like this?
I'm trying to configure a route to send all traffic to IP addresses that aren't known to the Internet.
xConfiguration IP Route 4 Address: 0.0.0.0
xConfiguration IP Route 4 PrefixLength: 0
xConfiguration IP Route 4 Gateway: 192.168.42.9
xconfiguration IP Route 4 Interface: LAN2
hehe, I had already added that to my posting but you were faster :-)
xConfiguration IP Gateway:
defines the default route, there can only be one default route, this shall point to the Internet
which shall be on LAN1.
This default route "knows all the addresses", or put differently: "the Internet is all addresses".
You know what is not the internet and has to be routed internally via LAN2, for example private networks
10.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, ... or whatever public ip addresses you use internally.
If this is not suitable for you you could also put the VCS-E in a DMZ with a router which exactly knows
how your organization has to route traffic (possibly using dynamic routing protocols).
Did this answer your question?
Please rate the answerers by using the stars underneath each message, thx!
I just did not have a VCS with dual NIC to test with, but I think there is some nat setting for LAN1, so I would
always use that for the outside world or where you might need NAT.
Could you shortly say how your deployment is? Regarding what kind of ip addresses are used?
You wrote the internet is on LAN2, but you define a route to a private ip (192.168.42.9)
I would do it like that:
Public IP in DMZ on LAN1
Private IP for intranet on LAN2
Private IP behind Static NAT in a DMZ on LAN1 with NAT setting on the VCS with the outside fixed up
Private IP for intranet on LAN2
always point the default route to the router in LAN1
and add the internal routes pointing to the router in LAN2
to add to Martin's comments, here are a few general guidelines with regards to static routes, dual NICs and static NAT on the VCS-E:
- When using both LAN1 and LAN2, these have to reside in separate, non-overlapping subnets
- Both LAN1 and LAN2 can act as the externally-facing interface. If LAN1 is assigned as 10.0.10.2/24 and LAN2 is assigned as 10.0.20.2/24, and the default gateway is set to 10.0.20.1/24, the VCS will send all outgoing traffic out through LAN2 if no static routes are added, since the default gateway address is only directly reachable via LAN2.
- Static routes can be considered as exceptions to the default route, meaning that static routes only have to be added for traffic which is not going to pass via the default gateway.
I recommend using the 'xCommand RouteAdd' and 'xCommand RouteDelete' CLI commands on the VCS when adding/removing static routes. Using these commands, you can add/remove static routes using a single-line command rather than adding routes via 4 different xConfiguration statements.
When the X7.1 software for the VCS ships, we plan to release a new version of the Basic Configuration Deployment Guide for VCS Control/Expressway, containing a new appendix covering Dual NIC/Static NAT deployments with example scenarios and configurations, which should hopefully make things easier.
Hope this helps,
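To make the guidelines above concrete, here is an added example (not code from the thread or from Cisco) that models the VCS-E routing decision as longest-prefix match over the connected subnets, the static routes and the default gateway, using the constructed addresses from the post above (LAN1 10.0.10.2/24 inside, LAN2 10.0.20.2/24 outside, default gateway 10.0.20.1) and the "Auto" interface selection Martin describes; it also emits the four xConfiguration statements per static route. The model is an assumption about how the box behaves, not the VCS implementation.

```python
from ipaddress import ip_address, ip_interface, ip_network

# Constructed scenario from the guidelines post: LAN1 = inside, LAN2 = outside (default gateway).
LAN1 = ip_interface("10.0.10.2/24")
LAN2 = ip_interface("10.0.20.2/24")
DEFAULT_GATEWAY = "10.0.20.1"            # xConfiguration IP Gateway

# Static routes as (Address, PrefixLength, Gateway, Interface); "Auto" is the VCS default.
STATIC_ROUTES = [
    ("10.0.0.0", 8, "10.0.10.1", "Auto"),       # private space behind LAN1 (constructed)
    ("192.168.0.0", 16, "10.0.10.1", "Auto"),
]


def pick_interface(gateway, interface="Auto"):
    """'Auto' selects the LAN whose subnet contains the gateway, as the thread describes."""
    if interface != "Auto":
        return interface
    for name, lan in (("LAN1", LAN1), ("LAN2", LAN2)):
        if ip_address(gateway) in lan.network:
            return name
    raise ValueError(f"gateway {gateway} is not reachable from LAN1 or LAN2")


def route_table():
    """Connected subnets, static routes and the default route as (network, via, interface)."""
    table = [(LAN1.network, None, "LAN1"), (LAN2.network, None, "LAN2")]
    for addr, plen, gw, iface in STATIC_ROUTES:
        table.append((ip_network(f"{addr}/{plen}"), gw, pick_interface(gw, iface)))
    table.append((ip_network("0.0.0.0/0"), DEFAULT_GATEWAY, pick_interface(DEFAULT_GATEWAY)))
    return table


def resolve(destination):
    """Longest-prefix match: static routes are exceptions to the default route."""
    dst = ip_address(destination)
    net, via, iface = max((r for r in route_table() if dst in r[0]), key=lambda r: r[0].prefixlen)
    return iface, via or "direct"


def xconfiguration_lines(first_index=1):
    """The four xConfiguration statements per static route, as quoted earlier in the thread."""
    lines = []
    for n, (addr, plen, gw, iface) in enumerate(STATIC_ROUTES, start=first_index):
        lines += [f"xConfiguration IP Route {n} Address: {addr}",
                  f"xConfiguration IP Route {n} PrefixLength: {plen}",
                  f"xConfiguration IP Route {n} Gateway: {gw}",
                  f"xConfiguration IP Route {n} Interface: {iface}"]
    return lines
```

Note that a host on LAN2's own subnet (for example 10.0.20.7) still goes out directly on LAN2 even though 10.0.0.0/8 is routed to LAN1, because the connected /24 is the longer match; that is why the two LANs must not overlap.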
thx for adding the info.
What about adding the static nat external ip info?
Think this was only available on the webinterface on one field?
Is this limited to LAN1 or the interface with the default route?
How to add this with an xconfig?
static NAT can be enabled on both LAN1 and LAN2, as can be seen from the screenshot below:
When using dual NICs and static NAT on a VCS-E, I would normally recommend using LAN2 as the externally facing/static NAT interface. The reason for this is that when clustering dual NIC VCS's, the cluster peer addresses have to specify the LAN1 interface addresses of participating VCS's.
In addition, LAN1 can not have static NAT mode enabled if the VCS is to be part of a cluster (While it's fine to have static NAT enabled on LAN2 on a clustered VCS-E).
Therefore, if you deploy a VCS-E with dual NIC and static NAT on LAN1, and later want to add an additional VCS-E in the same manner and cluster these two, you would have to reconfigure the first VCS to use LAN2 for static NAT and possibly swap cables and so on, which complicates things. It is therefore best to deploy the initial VCS-E to use LAN2 as the externally facing interface and static NAT.
So to make my life easy, I can set the default gateway of LAN2, which is the externally facing interface, and that will take care of routing to all "unknown" IP addresses.
Since the VCS-E only communicates with the VCS-C, AD/LDAP, NTP and TMS on the inside, I can either define host routes facing inward on LAN1, or define the subnets those devices exist in, whichever I feel is best.
Is my understanding correct?
yes that is correct. One key thing here however is that whether or not you have to add static routes towards the internal parts of your network, depends on whether or not there is NAT in between these internal hosts/subnets and LAN1 of your Expressway.
If traffic from your internal networks/hosts is NATed to the address of a router which is on the same subnet as LAN1 as it is passed to LAN1, you will not need static routes to route the reply traffic from the VCS back to these networks/hosts since the traffic will appear as coming from a host on the same subnet as LAN1.
For your info, the new VCS Basic configuration guide for VCS Control and Expressway has now been released for X7.1.
This new document contains a new appendix (Appendix 4) covering Dual NIC and Static NAT deployments in detail.
The new guide can be downloaded here.
Comments and feedback for the document in general and the appendix in particular are appreciated, so feel free to PM me with this if possible.