[NCLUG] Question about IP forwarding

Marcio Luis Teixeira marciot at yahoo.com
Mon Apr 26 17:24:27 MDT 2010


Ok, now that I think the problem has been identified, I'd like to expand this scenario a bit. A few weeks ago, I had the following network architecture:

            Internet
               |
           Cisco ASA
     10.50.0.1/192.168.2.1
               |
     +---------+------------+   10.50.0.0/255.255.240.0 and
     |                      |     192.168.2.0/255.255.255.0
     |                      |
  10.50.10.1          192.168.2.10
Workstation            LinuxNFS
(gw: 10.50.0.1)        192.168.234.1
                            |
                            |   192.168.234.0/255.255.255.0
                    +-------+-------------+-- ...  
                    |                          
              192.168.234.100    
              Diskless Node #1
             (gw: 192.168.234.1)

I was in the process of migrating all our machines from the 192.168.2.x and 10.50.x.x subnet, and during that stage I had used an unsupported hack to give the Cisco two IPs on one interface, so that I could run both IP ranges on the same segment simultaneously during the transition. SSH into the linux cluster worked beautifully, but I had doubts about the overall wisdom in keeping that unsupported hack in place, which is why I put the cluster on the 10.50.x.x subnet (along with the workstations) and got myself into the present non-working situation.

Given the fact that the above works, I know that *one* solution is to create a VLAN on my switch, give it 192.168.2.x addresses, and place the cluster in it as the only host. The Cisco can use 802.1Q to tag VLAN packets, so that would be an officially supported solution.

The only reason I dislike doing this is that I would have to configure VLANs on my switch (never done that, rather not have to) and, worse, the cluster would now only work on a specific port, which I know will trip someone up in the future (likely me). 

So, here's an actual linux question: is there a way to configure the Linux box with a 192.168.2.x address, leave my switch as it is (no VLANs configured), but instruct the Linux box to only respond and reply with 802.1Q tagged packets on a particular VLAN? I think this would get everything to play nicely again, without me having to add VLANs to my switch.

Any thoughts about whether this is a good idea (or am I just trying to shoot myself in the foot again by being abnormal)?

-- Marcio
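To make concrete what "802.1Q tagged packets" from the Linux box would look like on the wire, here is an added example (not code from this thread) that builds and parses Ethernet frames with and without an 802.1Q tag. The tag is a 4-byte insert between the source MAC and the original EtherType: the TPID 0x8100 followed by a 16-bit TCI carrying the priority bits and the 12-bit VLAN id. The MAC addresses, VLAN id 2 and the stub IPv4 payload are constructed sample values; VLAN ids 0 and 4095 are reserved, which the builder enforces.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value announcing that an 802.1Q tag follows


def mac_bytes(mac: str) -> bytes:
    """'aa:bb:cc:dd:ee:ff' -> 6 raw bytes."""
    parts = mac.split(":")
    if len(parts) != 6:
        raise ValueError("bad MAC address")
    return bytes(int(p, 16) for p in parts)


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_frame(dst, src, ethertype, payload, vlan_id=None, pcp=0):
    """Build an Ethernet II frame. With vlan_id set, insert an 802.1Q tag
    (TPID 0x8100 + 16-bit TCI) between the source MAC and the EtherType."""
    hdr = mac_bytes(dst) + mac_bytes(src)
    if vlan_id is not None:
        if not 1 <= vlan_id <= 4094:        # 0 and 4095 are reserved by 802.1Q
            raise ValueError("VLAN id out of range")
        if not 0 <= pcp <= 7:
            raise ValueError("PCP out of range")
        tci = (pcp << 13) | vlan_id         # PCP (3 bits), DEI (1 bit, 0), VID (12 bits)
        hdr += struct.pack("!HH", TPID_8021Q, tci)
    return hdr + struct.pack("!H", ethertype) + payload


def parse_frame(frame: bytes) -> dict:
    """Decode a frame; vlan_id/pcp are None when no 802.1Q tag is present."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    dst, src = frame[:6], frame[6:12]
    (etype,) = struct.unpack("!H", frame[12:14])
    offset, vlan_id, pcp = 14, None, None
    if etype == TPID_8021Q:                  # tagged: the real EtherType follows the TCI
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, etype = struct.unpack("!HH", frame[14:18])
        vlan_id, pcp = tci & 0x0FFF, tci >> 13
        offset = 18
    return {"dst": mac_str(dst), "src": mac_str(src), "vlan_id": vlan_id,
            "pcp": pcp, "ethertype": etype, "payload": frame[offset:]}


def rejects_vlan_id(vid) -> bool:
    """True if build_frame refuses this VLAN id (used to check the range guard)."""
    try:
        build_frame(BCAST, SRC_MAC, 0x0800, PAYLOAD, vlan_id=vid)
    except ValueError:
        return True
    return False


# Constructed sample values: broadcast destination, a locally administered
# source MAC, and a 20-byte stub that stands in for an IPv4 header.
BCAST = "ff:ff:ff:ff:ff:ff"
SRC_MAC = "02:00:00:00:00:01"
PAYLOAD = b"\x45" + bytes(19)

UNTAGGED = build_frame(BCAST, SRC_MAC, 0x0800, PAYLOAD)
TAGGED = build_frame(BCAST, SRC_MAC, 0x0800, PAYLOAD, vlan_id=2)

if __name__ == "__main__":
    print(parse_frame(UNTAGGED))
    print(parse_frame(TAGGED))
```

The parser handles both shapes because a capture on a trunk carries a mix: untagged frames for the native VLAN and tagged frames for the rest. Whether tagged frames from the Linux box survive the switch depends on the port accepting 802.1Q tags, which is the assumption behind the question above.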

________________________________
From: Sean Rees <seanrees at gmail.com>
To: Northern Colorado Linux Users Group <nclug at lists.nclug.org>
Sent: Mon, April 26, 2010 4:28:12 PM
Subject: Re: [NCLUG] Question about IP forwarding

I believe the issue here is one of return path. When traffic returns from 192.168.235.0/24, it does not need to transit your ASA in order to reach its destination in 10.50.0.0/16 as 10.50.0.2 bridges both networks. I'm sort of swinging in the dark (or caffeine-induced haze) here, but this could be your issue:

Traffic to 192.168.235.0/24:

[10.50.x.x NODE] --(default route)--> ASA --(static route)--> 10.50.2.10/192.168.235.1 -> [192.168.235.0 NODE]

Traffic from 192.168.235.0/24:
[192.168.235.0 NODE] -> 192.168.235.1/10.50.2.10 --(same subnet)--> [10.50.x.x NODE]

This would explain why individual node-based static routes work.

A possible solution would be to hang 192.168.235.0/24 directly off your ASA for routing.

-sr.
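Sean's return-path explanation, as an added example that is not part of the thread: a small longest-prefix-match simulation of the four hosts in his diagram. The routing tables, the host names "workstation", "asa", "nfs" and "node", and the addresses 10.50.10.1 and 192.168.235.100 are constructed assumptions that follow his description (10.50.0.0/16 on one side, 192.168.235.0/24 on the other, the NFS box with a leg in each). It traces both directions of the conversation and shows that the ASA sits on the forward path but not the return path; a stateful firewall that sees only one half of a TCP session will typically drop it, which is what a per-workstation static route avoids.

```python
import ipaddress

# Constructed routing tables (hypothetical). Each entry is (prefix, next hop);
# a next hop of None means the destination is directly connected.
ROUTES = {
    "workstation": [("10.50.0.0/16", None), ("0.0.0.0/0", "10.50.0.1")],
    "asa":         [("10.50.0.0/16", None), ("192.168.235.0/24", "10.50.2.10")],
    "nfs":         [("10.50.0.0/16", None), ("192.168.235.0/24", None),
                    ("0.0.0.0/0", "10.50.0.1")],
    "node":        [("192.168.235.0/24", None), ("0.0.0.0/0", "192.168.235.1")],
}

# Which host owns which address; the NFS box has an address on both subnets.
ADDRS = {
    "10.50.10.1": "workstation",
    "10.50.0.1": "asa",
    "10.50.2.10": "nfs",
    "192.168.235.1": "nfs",
    "192.168.235.100": "node",
}


def next_hop(host, dst, routes=ROUTES):
    """Longest-prefix match of dst in host's table; None = directly connected."""
    ip = ipaddress.ip_address(dst)
    best = None
    for prefix, nh in routes[host]:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh)
    if best is None:
        raise LookupError(f"{host}: no route to {dst}")
    return best[1]


def trace(src_host, dst, routes=ROUTES):
    """Return the hosts a packet from src_host to dst passes through, in order."""
    path, cur = [src_host], src_host
    for _ in range(16):                      # bound the walk so a loop cannot hang us
        nh = next_hop(cur, dst, routes)
        target = dst if nh is None else nh   # deliver locally or hand to the next hop
        if target not in ADDRS:
            raise LookupError(f"{cur}: unknown next hop {target}")
        cur = ADDRS[target]
        path.append(cur)
        if nh is None:
            return path
    raise RuntimeError("routing loop")


def is_symmetric(a_host, a_ip, b_host, b_ip, routes=ROUTES):
    """True when the reply retraces the forward path through the same hosts."""
    forward = trace(a_host, b_ip, routes)
    back = trace(b_host, a_ip, routes)
    return forward == back[::-1]


def with_static_route(routes, host, prefix, nh):
    """Copy of routes with one extra entry on host (the per-workstation fix)."""
    new = {h: list(table) for h, table in routes.items()}
    new[host].insert(0, (prefix, nh))
    return new


if __name__ == "__main__":
    print("to cluster:  ", " -> ".join(trace("workstation", "192.168.235.100")))
    print("from cluster:", " -> ".join(trace("node", "10.50.10.1")))
    fixed = with_static_route(ROUTES, "workstation", "192.168.235.0/24", "10.50.2.10")
    print("with static route:", " -> ".join(trace("workstation", "192.168.235.100", fixed)))
```

Running it prints the forward path through the ASA and the return path that bypasses it; adding the static route on the workstation makes both directions go workstation to nfs to node. Hanging the /24 directly off the ASA, Sean's other suggestion, fixes it the other way round by putting the ASA on both paths.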


On Apr 26, 2010, at 16:07, Marcio Luis Teixeira wrote:

> 
> 
>> I assume you have something keeping you from adding it as a static
> 
>> route on all of the workstation clients?
> 
> Actually, that's the current solution. Luckily my users are savvy enough that I can tell them to make that change themselves on their workstations, so it's not a particularly big deal.
> 
> It's more one of those things that's bothering me because it shows me there is something I do not understand. And that bugs me. I want to fix it right and learn from the situation :)
> 
> I'm installing wireshark on the workstation itself now to see what the conversation looks like from that end.
> 
> -- Marcio
> 
> 
> 
> _______________________________________________
> NCLUG mailing list      NCLUG at lists.nclug.org
> 
> To unsubscribe, subscribe, or modify 
> your settings, go to: 
> http://lists.nclug.org/mailman/listinfo/nclug

