[f-nsp] Multiple VLAN Issue

Williams, Brian brian_williams at csgsystems.com
Wed Sep 10 12:06:25 EDT 2008


I've taken over a SI 4G config (not a pretty one to say the least) from
our data center provider and I'm having trouble with an issue accessing
a VIP across VLANs.  I have 3 different VLANs ... 10.9.33.0/24 for the
DMZ, 10.9.34.0/24 for private, and 10.9.35.0/24 for the servers behind
the SI.  I have server source-ips in all 3 VLANs (management interface
resides in 10.9.33.0/24).  I have a VIP listening on 10.9.34.50, with
two servers behind it; both servers have two interfaces, one in
10.9.34.0/24 for domain controller / standard network communications,
and one in 10.9.35.0 where the SI real server traffic hits.  A Cisco ASA
serves as the router / firewall between the 3 subnets.  The servers have
a default gateway on the 10.9.34.0/24 subnet pointing at the ASA, and
the real-server config in the SI has source-nat enabled.

My issue is, from the 10.9.34.0/24 subnet, I can access the VIP on
10.9.34.50 without issue.  However, when I attempt to access the VIP
from the 10.9.33.0/24 subnet, it appears I'm getting lost on the return
traffic (looking at the ASA logs I see the outbound connection to the
VIP establish successfully, but then it fails from what seems to be
never getting any return traffic).  I've pasted the pertinent areas of
my config below; does anyone have any tips or advice on what might be
the issue?  I've played around with the routing quite a bit, including
forcing the default gateway on the servers (and via static routes) back
to the SI on 10.9.35.7 and 10.9.34.7, with no success.

server source-ip 10.9.34.7 255.255.255.0 10.9.34.5
server source-ip 10.9.35.7 255.255.255.0 10.9.35.5
server router-ports ethernet 1
server router-ports ethernet 2
!
server real flapp1 10.9.35.22
 source-nat
 port http
 port http url "HEAD /"
!
server real flapp2 10.9.35.23
 source-nat
 port http
 port http url "HEAD /"
!
!
server virtual flapp_http 10.9.34.50
 port http
 bind http flapp1 http flapp2 http

vlan 1 name DEFAULT-VLAN by port
 no spanning-tree
!
vlan 100 by port
 tagged ethe 1 to 2
 no spanning-tree
!
vlan 101 by port
 tagged ethe 1 to 2
 no spanning-tree
!
vlan 102 by port
 tagged ethe 1 to 2
 no spanning-tree
!
vlan 2 by port
 untagged ethe 4
 no spanning-tree
!
vlan 103 by port
 tagged ethe 1 to 2
!
ip address 10.9.33.7 255.255.255.0
ip default-gateway 10.9.33.5
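As an added illustration (not part of the original post, and not the poster's SI or ASA configuration), the Python below traces the forward and return legs of a load-balanced connection through a toy model of the topology described above and reports any stateful device that sees only one direction of the flow. It is the kind of path check worth doing before touching gateways: a firewall that builds a connection on the SYN but never sees the SYN-ACK will drop the rest of the flow. Everything not in the post is an assumption: the client and real-server host addresses (10.9.33.100, 10.9.34.100, 10.9.34.22), the ASA's interface addresses (10.9.33.5, 10.9.34.5, 10.9.35.5, taken from the source-ip and default-gateway lines), a single VIP-to-real mapping, and the rule that the load balancer forwards a de-NATed reply by longest-prefix match like any router. The model shows what plain routing would do with these addresses; it cannot establish what the SI actually does with return traffic.

```python
"""Forward/return path tracer for a load-balanced flow through a small routed
topology, reporting stateful devices that see only one direction.

Added example modelled on the addresses in the post. Host addresses, the ASA
interface addresses, the VIP->real mapping and the routing behaviour below are
assumptions, not the poster's real configuration.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

IPv4 = ipaddress.IPv4Address


@dataclass
class Node:
    name: str
    addrs: Dict[str, ipaddress.IPv4Interface]        # interface -> addr/prefix
    default_gw: Optional[IPv4] = None
    static: List[Tuple[ipaddress.IPv4Network, IPv4]] = field(default_factory=list)
    stateful: bool = False                            # firewall needing both legs
    vip_map: Dict[IPv4, IPv4] = field(default_factory=dict)   # VIP -> real server

    def owns(self, ip: IPv4) -> bool:
        return ip in self.vip_map or any(i.ip == ip for i in self.addrs.values())

    def snat_source(self, real: IPv4) -> IPv4:
        """Source-NAT address: the node's own address on the real server's subnet
        (the effect of 'server source-ip' plus 'source-nat' on the real)."""
        for iface in self.addrs.values():
            if real in iface.network:
                return iface.ip
        raise ValueError(f"{self.name}: no interface on the subnet of {real}")

    def next_hop(self, dst: IPv4) -> IPv4:
        """Longest-prefix match over connected, static and default routes;
        returns dst itself when it is on-link."""
        cands = [(i.network.prefixlen, dst) for i in self.addrs.values() if dst in i.network]
        cands += [(n.prefixlen, gw) for n, gw in self.static if dst in n]
        if not cands and self.default_gw is not None:
            cands.append((0, self.default_gw))
        if not cands:
            raise ValueError(f"{self.name}: no route to {dst}")
        return max(cands)[1]


def trace(nodes, start, src, dst, nat, max_hops=10):
    """Hop the packet from `start` until a node owns dst. A VIP hit applies DNAT
    to the real server and SNAT to the balancer's source-ip (recorded in `nat`);
    a packet arriving at that SNAT address from the real is un-translated.
    Returns (node names traversed, final src, final dst)."""
    by_ip = {i.ip: n for n in nodes.values() for i in n.addrs.values()}
    by_ip.update({v: n for n in nodes.values() for v in n.vip_map})
    node, path = nodes[start], []
    for _ in range(max_hops):
        path.append(node.name)
        if node.owns(dst):
            if dst in node.vip_map:                 # client -> VIP
                real = node.vip_map[dst]
                snat = node.snat_source(real)
                nat[(real, snat)] = (dst, src)      # how to undo on the return leg
                src, dst = snat, real
            elif (src, dst) in nat:                 # real -> SNAT address
                src, dst = nat[(src, dst)]          # back to (VIP, client)
            else:
                return path, src, dst
        node = by_ip[node.next_hop(dst)]
    raise RuntimeError("hop limit exceeded (routing loop?)")


def check_flow(nodes, client_node, vip):
    """Trace both legs of client -> VIP and list stateful nodes on only one."""
    client_ip = next(iter(nodes[client_node].addrs.values())).ip
    nat = {}
    fwd, s, d = trace(nodes, client_node, client_ip, vip, nat)
    rev, _, _ = trace(nodes, fwd[-1], d, s, nat)
    stateful = {n for n, node in nodes.items() if node.stateful}
    return {"forward": fwd, "return": rev,
            "asymmetric": sorted((stateful & set(fwd)) ^ (stateful & set(rev)))}


def build_topology():
    """Constructed topology; host and ASA addresses are assumed."""
    A, gw = ipaddress.ip_interface, IPv4
    return {
        "client_dmz": Node("client_dmz", {"eth0": A("10.9.33.100/24")}, gw("10.9.33.5")),
        "client_priv": Node("client_priv", {"eth0": A("10.9.34.100/24")}, gw("10.9.34.5")),
        "asa": Node("asa", {"dmz": A("10.9.33.5/24"), "private": A("10.9.34.5/24"),
                            "servers": A("10.9.35.5/24")}, stateful=True),
        "si": Node("si", {"mgmt": A("10.9.33.7/24"), "private": A("10.9.34.7/24"),
                          "servers": A("10.9.35.7/24")}, gw("10.9.33.5"),
                   vip_map={IPv4("10.9.34.50"): IPv4("10.9.35.22")}),
        "flapp1": Node("flapp1", {"eth0": A("10.9.34.22/24"), "eth1": A("10.9.35.22/24")},
                       gw("10.9.34.5")),
    }


if __name__ == "__main__":
    topo = build_topology()
    for client in ("client_priv", "client_dmz"):
        print(client, check_flow(topo, client, IPv4("10.9.34.50")))
```

In this model the private-VLAN client never crosses the ASA in either direction, while the DMZ client's SYN crosses it and the de-NATed reply is delivered on-link to 10.9.33.0/24 without it; that is the pattern to look for in the ASA's own logs and in packet captures on each VLAN before changing any gateway.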
