[f-nsp] Multiple VLAN Issue

dtemkin at yahoo.com dtemkin at yahoo.com
Sat Sep 13 17:46:41 EDT 2008


Brian,

What is the gateway from the real servers back into the network to get to 10.9.34.0/24?  

It would seem, from your description, that traffic is leaving the source on the 10.9.33.0/24 network, going via the ASA to the VIP, from the SI to the real on 10.9.35.0/24.  Do the reals then have a default route or a specific route back to the .33 network via the ASA or the SI?  If it's via the ASA, you're correct, your return traffic will get dropped as it's not aware of the forward connection in that context.

-Dave



----- Original Message ----
From: "Williams, Brian" <brian_williams at csgsystems.com>
To: foundry-nsp at puck.nether.net
Sent: Wednesday, September 10, 2008 9:06:25 AM
Subject: [f-nsp] Multiple VLAN Issue

 
I’ve taken over a SI 4G config (not a pretty one to
say the least) from our data center provider and I’m having trouble with
an issue accessing a VIP across VLANs.  I have 3 different VLANS …
10.9.33.0/24 for the DMZ, 10.9.34.0/24 for private, and 10.9.35.0/24 for the
servers behind the SI.   I have server source-ip’s in all 3
VLANs (management interface resides in 10.9.33.0/24).  I have a VIP listening
on 10.9.34.50, with two servers behind it, both servers have two interfaces,
one in 10.9.34.0/24 for domain controller / standard network communications,
and one in 10.9.35.0 where the SI real server traffic hits.  A Cisco ASA
serves as the router / firewall between the 3 subnets.  The servers have a
default gateway on the 10.9.34.0/24 subnet pointing at the ASA, and the
real-server config in the SI has source-nat enabled.
 
My issue is, from the 10.9.34.0/24 subnet, I can access the
VIP on 10.9.34.50 without issue.  However, when I attempt to access the
VIP from the 10.9.33.0/24 subnet, it appears I’m getting lost on the
return traffic (looking at the ASA logs I see the outbound connection to the
VIP establish successfully, but then it fails from what seems to be never
getting any return traffic).  I’ve pasted the pertinent areas of my
config below, does anyone have any tips or advice on what might be the
issue?  I’ve played around with the routing quite a bit, including
forcing the default gateway on the servers (and via static routes) back to the
SI on 10.9.35.7 and 10.9.34.7 with no success….
 
server source-ip 10.9.34.7 255.255.255.0 10.9.34.5
server source-ip 10.9.35.7 255.255.255.0 10.9.35.5
server router-ports ethernet 1
server router-ports ethernet 2
!
server real flapp1 10.9.35.22
 source-nat
 port http
 port http url "HEAD /"
!
server real flapp2 10.9.35.23
 source-nat
 port http
 port http url "HEAD /"
!
!
server virtual flapp_http 10.9.34.50
 port http
 bind http flapp1 http flapp2 http
 
vlan 1 name DEFAULT-VLAN by port
 no spanning-tree
!
vlan 100 by port
 tagged ethe 1 to 2
 no spanning-tree
!
vlan 101 by port
 tagged ethe 1 to 2
 no spanning-tree
!
vlan 102 by port
 tagged ethe 1 to 2
 no spanning-tree
!
vlan 2 by port
 untagged ethe 4
 no spanning-tree
!
vlan 103 by port
 tagged ethe 1 to 2
!
ip address 10.9.33.7 255.255.255.0
ip default-gateway 10.9.33.5
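The point Dave makes about the return path can be checked with a small model of the topology described above. The following is an added example, not part of either message and not a Foundry or Cisco tool: it walks a packet hop by hop through a client, the ASA (modelled as a stateful firewall that only opens state on a connection-opening packet), the SI and the real flapp1, once with source-nat on the real and once without. Addresses quoted in the thread (10.9.33.5/.34.5/.35.5 for the ASA, 10.9.33.7/.34.7/.35.7 for the SI, 10.9.34.50 for the VIP, 10.9.35.22 for flapp1) are used as-is; the client 10.9.33.100, the real's second interface 10.9.34.22 and the assumption that the SI forwards directly onto any subnet it has an address in are constructed for the model.

```python
"""Hop-by-hop path model for the VIP-across-VLANs question (added example).

Assumed topology: client on the DMZ VLAN, ASA routing between the three
subnets and keeping a connection table, SI with an address in each subnet
plus the VIP, one real (flapp1) with a leg in .35 and .34 and its default
gateway at the ASA.  Addresses not quoted in the thread are constructed.
"""
import ipaddress


class Device:
    """A host, load balancer or firewall: addressed interfaces plus static routes."""

    def __init__(self, name, interfaces, routes=(), stateful=False):
        self.name = name
        self.interfaces = [ipaddress.ip_interface(i) for i in interfaces]
        self.routes = [(ipaddress.ip_network(p), ipaddress.ip_address(n)) for p, n in routes]
        self.stateful = stateful      # True for the ASA: it keeps a connection table
        self.conns = set()            # (src, dst) pairs seen as new connections

    def owns(self, ip):
        return any(ip == i.ip for i in self.interfaces)

    def next_hop(self, dst):
        """Directly connected subnets win; otherwise longest static prefix match."""
        for i in self.interfaces:
            if dst in i.network:
                return dst
        matches = [(n, nh) for n, nh in self.routes if dst in n]
        if not matches:
            return None
        return max(matches, key=lambda m: m[0].prefixlen)[1]


class Network:
    def __init__(self, devices):
        # who answers for each address, so a next hop resolves to a device
        self.owner = {i.ip: d for d in devices for i in d.interfaces}

    def trace(self, start, src, dst, new_conn):
        """Walk one packet. new_conn=True is the SYN that opens a flow; a stateful
        device drops any other packet whose reverse flow is not in its table."""
        src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        cur, path = start, [start.name]
        for _ in range(8):                       # hop limit guards against routing loops
            if cur.stateful and cur is not start:
                if new_conn:
                    cur.conns.add((src, dst))
                elif (dst, src) not in cur.conns:
                    return path, "dropped by %s (no matching connection)" % cur.name
            if cur.owns(dst):
                return path, "delivered"
            nh = cur.next_hop(dst)
            if nh is None or nh not in self.owner:
                return path, "no route at %s" % cur.name
            cur = self.owner[nh]
            path.append(cur.name)
        return path, "hop limit exceeded"


CLIENT, ASA_DMZ, ASA_PRIV = "10.9.33.100", "10.9.33.5", "10.9.34.5"   # client is constructed
VIP, REAL, SI_SRC35 = "10.9.34.50", "10.9.35.22", "10.9.35.7"


def build():
    client = Device("client", ["10.9.33.100/24"], [("0.0.0.0/0", ASA_DMZ)])
    asa = Device("ASA", ["10.9.33.5/24", "10.9.34.5/24", "10.9.35.5/24"], stateful=True)
    si = Device("SI", ["10.9.33.7/24", "10.9.34.7/24", "10.9.35.7/24", VIP + "/24"],
                [("0.0.0.0/0", ASA_DMZ)])
    real = Device("flapp1", ["10.9.35.22/24", "10.9.34.22/24"], [("0.0.0.0/0", ASA_PRIV)])
    return Network([client, asa, si, real]), client, asa, si, real


def run(source_nat):
    """Forward path client->VIP->real, then the real's reply; returns the verdict."""
    net, client, asa, si, real = build()
    fwd, _ = net.trace(client, CLIENT, VIP, new_conn=True)        # client -> ASA -> VIP
    nat_src = SI_SRC35 if source_nat else CLIENT                  # what the real sees as source
    net.trace(si, nat_src, REAL, new_conn=True)                   # SI -> real
    reply, verdict = net.trace(real, REAL, nat_src, new_conn=False)
    if verdict == "delivered" and source_nat:                     # SI un-NATs and answers client
        tail, verdict = net.trace(si, VIP, CLIENT, new_conn=False)
        reply = reply + tail[1:]
    return {"forward": fwd, "reply": reply, "verdict": verdict,
            "reply_via_asa": asa.name in reply}


if __name__ == "__main__":
    for nat in (True, False):
        print("source-nat" if nat else "no source-nat", run(nat))
```

Without source-nat the real addresses its reply to the client, its default gateway sends it to the ASA, and the ASA has no state for real-to-client (it only saw client-to-VIP), so the reply is dropped: the case Dave describes. With source-nat the real answers the SI directly and the SI replies to the client on its own .33 address, which in this model never passes the ASA at all; whether that works depends on the ASA never being asked to validate the reply, which is the next thing to confirm in its logs.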