[NCLUG] Question about IP forwarding

Marcio Luis Teixeira marciot at yahoo.com
Mon Apr 26 18:27:50 MDT 2010


>> Given the fact that the above works, I know that *one* solution is
>> to create a VLAN on my switch, give it 192.168.2.x addresses, and

> Switch?  Or router?  Switches are layer 2 meaning ethernet address
> based meaning no IP addresses.

I have a Cisco ASA connected to a switch (the switch isn't in my diagram). What I meant to say was create a VLAN on the switch, then create a new virtual interface on the Cisco ASA on that VLAN which would have a 192.178.2.x address. The NFS/cluster node would be the only device on that VLAN.

> Can you just run a second subnet on your network, just as you did
> before?  It is basically a vlan.  But without the dot1q tagging and
> the high fallut'n names.

Yes. I was doing this before and it worked. The Cisco ASAs, however, are crippled -- Cisco doesn't allow you to assign multiple addresses on one interface and to route between the two. I had used a hack I found online to trick the Cisco ASA into doing precisely that. Works pretty well, but we were seeing other issues (possibly unrelated) which led me to have second thoughts about using the unsupported hack.

Cisco's official position on this, as far as I can tell, is that you should use 802.1Q VLANs rather than running two subnets on the same segment. Or buy one of their more expensive routers that supports interfaces with two IP addresses without VLANs.

(in other words, I think they either want to sell you a fancy managed switch, or buy a more expensive router... take your pick ... either way $$$$)

> For machines configured with an additional IP address and subnet this
> means that packets destined for an address on that subnet route
> automatically to the local network device.  If all of your machines
> were on the local network then I don't think your cisco needs to know
> about it.  They would send the packets between them as local traffic.

You're saying have two IP addresses on the NFS/cluster machine, but also on each of the individual workstations that needed to access the cluster nodes?

Yes, that would work, but at that point I would have to modify the config on each individual machine, so at that point I might as well just do the static route trick I know works.

I think the key here is that if I want the workstations to work *without* configuration changes, the Cisco router must be involved, as it is the only gateway the workstations know about. The trick is to make it so return packets make it back through the Cisco router, rather than taking a shortcut.

-- Marcio
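The three options discussed in this message (leave the workstations alone and let the Cisco route, give each workstation a second address on the new subnet, or add a static route on each workstation) differ mainly in which path the *return* packets take. The following is an added example, not code from the thread or from Cisco: a small longest-prefix-match routing model with a constructed topology (hostnames `ws`, `node`, `asa` and all addresses are hypothetical; ARP, ICMP redirects and the ASA's firewall rules are deliberately left out) that traces a packet from a workstation to the cluster node's secondary address and back.

```python
import ipaddress

# Constructed topology (assumption, not the poster's real network):
# one flat Ethernet segment carrying 192.168.1.0/24 (primary subnet) and
# 192.168.2.0/24 (the second subnet for the NFS/cluster node).

def host(name, addrs, default_gw=None, static=()):
    """Build a host: one on-link route per address, optional static routes,
    optional default route. Gateway None means 'deliver directly'."""
    table = [(ipaddress.ip_interface(a).network, None) for a in addrs]
    for net, gw in static:
        table.append((ipaddress.ip_network(net), ipaddress.ip_address(gw)))
    if default_gw:
        table.append((ipaddress.ip_network("0.0.0.0/0"),
                      ipaddress.ip_address(default_gw)))
    return {"name": name,
            "addrs": [ipaddress.ip_interface(a).ip for a in addrs],
            "table": table}

def lookup(h, dst):
    """Longest-prefix match; returns (network, gateway-or-None) or None."""
    dst = ipaddress.ip_address(dst)
    best = None
    for net, gw in h["table"]:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    return best

def trace(hosts, src, dst, max_hops=8):
    """Forward a packet from host src to address dst, hop by hop.
    Returns (names of hosts traversed, source address src would use)."""
    dst = ipaddress.ip_address(dst)
    owner = {ip: h for h in hosts for ip in h["addrs"]}
    first = lookup(src, dst)
    # Simplified source-address selection: prefer an address inside the
    # matched route's network, otherwise fall back to the primary address.
    src_ip = next((ip for ip in src["addrs"] if first and ip in first[0]),
                  src["addrs"][0])
    cur, hops = src, [src["name"]]
    for _ in range(max_hops):
        if dst in cur["addrs"]:
            return hops, src_ip
        match = lookup(cur, dst)
        if match is None:
            return hops + ["unroutable"], src_ip
        next_ip = dst if match[1] is None else match[1]
        cur = owner.get(next_ip)
        if cur is None:
            return hops + [f"nobody owns {next_ip}"], src_ip
        hops.append(cur["name"])
    return hops + ["loop"], src_ip

def symmetric(forward, back):
    """True when the reply retraces the forward path through the same hops."""
    return forward == list(reversed(back))

def scenario(mode):
    """mode: 'plain'        - workstations untouched, router does the routing
             'second_ip'    - workstation also gets a 192.168.2.x address
             'static_route' - workstation gets a static route via the node
    Returns (forward hops, return hops) for ws -> node's 192.168.2.20."""
    # The router knows the second subnet lives behind the node's primary address.
    asa = host("asa", ["192.168.1.1/24"],
               static=[("192.168.2.0/24", "192.168.1.20")])
    node = host("node", ["192.168.1.20/24", "192.168.2.20/24"],
                default_gw="192.168.1.1")
    ws_addrs = ["192.168.1.10/24"]
    ws_static = []
    if mode == "second_ip":
        ws_addrs.append("192.168.2.10/24")
    elif mode == "static_route":
        ws_static.append(("192.168.2.0/24", "192.168.1.20"))
    ws = host("ws", ws_addrs, default_gw="192.168.1.1", static=ws_static)
    hosts = [asa, node, ws]
    forward, ws_src = trace(hosts, ws, "192.168.2.20")
    back, _ = trace(hosts, node, ws_src)  # node replies to the address ws used
    return forward, back

if __name__ == "__main__":
    for mode in ("plain", "second_ip", "static_route"):
        fwd, back = scenario(mode)
        print(f"{mode:13s} forward={fwd} back={back} "
              f"symmetric={symmetric(fwd, back)}")
```

In the `plain` case the workstation hands the packet to the ASA, the ASA forwards it to the node, but the node sees 192.168.1.10 as on-link and replies directly: the router carries only one direction of every flow, which is exactly the "shortcut" the message describes and the reason a stateful firewall in that position can lose track of the connection. The `second_ip` and `static_route` cases never touch the router at all, which is why both work but both require editing every workstation.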
