Cisco CSS, multiple public vlans, trouble with two default static routes

Discussion in 'Cisco' started by Gnews, Mar 3, 2004.

Gnews (Guest)

    I have a Cisco CSS 11150 that I'm using with two public networks and
    one private network, and therefore
    there are two default static routes defined, one for each public
    network. The problem is that a portion of the time
    traffic unexpectedly goes through the wrong circuit, as I'll describe
    in more detail below.

For example if I have servers ending in IP .23 through .33 on one of
the public VLANs, and I'm at the CSS
console, I'm only able to ping servers ending in IP .33, .31, .29,
.27, .25, and .23. The other IPs in that range
such as .32, .30, .28, .26, .24 don't respond to a ping.

    In the portions of configs below I've kept the network masks of the
    two public networks but I changed the IPs
    to 214.50.230.128/25 and 214.50.230.48/28

    ip route 0.0.0.0 0.0.0.0 214.50.230.129 1
    ip route 0.0.0.0 0.0.0.0 214.50.232.49 1

    !************************* INTERFACE *************************
    interface e1
    description "Xover for 230 network"
    phy 100Mbits-FD

    interface e2
    phy 100Mbits-FD
    description "Xover for 232 network"
    bridge vlan 4

    interface e3
    description "private IP server machine"
    bridge vlan 2
    phy 100Mbits-FD

    interface e4
    description "private IP server machine"
    bridge vlan 2
    phy 100Mbits-FD

    !************************** CIRCUIT **************************
    circuit VLAN1

    ip address 214.50.230.136 255.255.255.192
    no redirects

    circuit VLAN4

    ip address 214.50.232.63 255.255.255.240
    no redirects

    circuit VLAN2

    ip address 192.168.1.1 255.255.255.0

    service website1
    ip address 192.168.1.50
    protocol tcp
    port 80
    active

    service website2
    ip address 192.168.1.51
    protocol tcp
    port 80
    active

    owner website
    vip address 214.50.230.152
    content www.website.com
    protocol tcp
    port 80
    add service website1
    add service website2
    active

    The above website works fine as is, the two private machines serve up
    the traffic, but I have added the
    following statements as well for good measure:

    group www.website.com
    vip address 214.50.230.152
    add service website1
    add service website2
    active

    Now when I do ``show group www.website.com'' I get some nice summary
    of counters and Alive status

I'm already well at the point whereby I'm unable to ping some of the
servers as described above, probably
a direct result of having two default static routes. The IPs I
mentioned above are all accessible through
interface e1, which goes to the first public network; I would expect
them to all be pingable from the CSS. It
seems that about half the time, depending on the IP, the outgoing
packets or flows get routed through the
second ``ip route'' statement, instead of the first.

    I'll now continue by describing the rest of the configuration and the
    overall intent of the CSS working on these
    two public networks. The only purpose of the second public network
    being connected to the CSS is to handle
    a single service, shown here:

    service applicationServer
    ip address 214.50.232.58
    protocol tcp
    port 2500
    active

    owner one-armed

    content serv
    protocol tcp
    port 5000
    vip address 214.50.232.54
    add service applicationServer
    active

    group servitems
    add destination service applicationServer
    vip address 214.50.232.54
    active

    Connections from the Internet that arrive at 214.50.232.54 now get
    sent through the e2 interface to the
    server with IP 214.50.232.58. As a result of this one armed
    configuration, the .58 machine only sees traffic
    coming from the CSS itself, and has no idea which public IPs
    originating on the Internet that it is talking to.

That seems to work just fine, so long as I keep that second ``ip
route'' statement shown above in the
configuration. The moment I remove it, this one armed service
refuses to take requests.

    Finally, the pings above bother me and seem to suggest the crux of the
    problem already, and in particular
    to this next set of configurations for the last thing I'd like to
    accomplish here. For this last configuration I'm
    sending outgoing emails from those two private IP machines mentioned
    above, but doing so via a public VIP
    defined on the first public network. The idea is to only route this
    traffic out through interface e1, which
    doesn't seem to happen. Instead, both public circuits, int e1, and int
    e2, are chosen about half the time, again
    depending on the destination IP, for establishing a flow.

    group outbound
    vip address 214.50.230.142
    active

    acl 2
    clause 10 permit tcp 192.168.1.0 255.255.255.0 destination any eq 25
    sourcegroup outbound
    apply circuit-(VLAN2)

    Similarly, I have started with permitting all traffic to VLAN1 and
    VLAN4 before doing an acl enable, and
    I've since refined the whitelist access for those much more in an
    effort to improve the outgoing route situation.

    But the end result is the same, when I attempt a mail connection from
    a private machine, and I use
    ``show flows'' on the CSS to see which interface it attempts to use,
    shown here:

    On the machine,
    [root@private1 root]# telnet mx4.mail.yahoo.com 25
    Trying 216.155.197.63...


    On the CSS,
    # show flows 216.155.197.63

Src Address      SPort  Dst Address      DPort  NAT Dst Address  Prt  InPort  OutPort
---------------  -----  ---------------  -----  ---------------  ---  ------  -------
216.155.197.63   25     214.50.230.142   18126  192.168.1.50     TCP  e2      e4

    It didn't work and was using interface e2 which was not what I
    expected, since the outbound VIP is defined
    as on the first public network, the one that uses e1. Seems to be the
    double ip route issue, just like for
    the pings described above.

    Here is an IP that works,

    [root@private1 root]# telnet mailb.microsoft.com 25
    Trying 131.107.3.122...
    Connected to mailb.microsoft.com.
    220 inet-imc-04.redmond.corp.microsoft.com Microsoft.com ESMTP Server
    Tue, 2 Mar 2004 16:41:38 -0800

    On the CSS,
    # show flows 131.107.3.122

Src Address      SPort  Dst Address      DPort  NAT Dst Address  Prt  InPort  OutPort
---------------  -----  ---------------  -----  ---------------  ---  ------  -------
131.107.3.122    25     214.50.230.142   18146  192.168.1.50     TCP  e1      e4

    Here it shows it went out through interface e1, no problem. It worked
    fine.

    Again, another one,

    [root@private11 root]# telnet mailc.microsoft.com 25
    Trying 131.107.3.121...

    On the CSS,
    # show flows 131.107.3.121

Src Address      SPort  Dst Address      DPort  NAT Dst Address  Prt  InPort  OutPort
---------------  -----  ---------------  -----  ---------------  ---  ------  -------
131.107.3.121    25     214.50.230.142   18157  192.168.1.50     TCP  e2      e4

    Again, int e2 is involved, no wonder it didn't go through.

    Same for maila.microsoft.com, with IP 131.107.3.125, didn't work.

    131.107.3.122 worked
    131.107.3.125 no
    131.107.3.121 no
    131.107.3.126 worked
    216.155.197.63 no

Also I realize that yahoo or hotmail mail servers have a tendency to
not accept connections; this situation is
not that, it seems to be directly related to the way that every other
IP pinged above did not respond and the
two outgoing default static routes as they relate to the public
circuits on int e1 and int e2.

    Does anyone have a work around for this? Most of the documentation
    I've reviewed such as one for ACL and
    Source Groups usually just show one public VLAN, and one or more
    private VLANs. I have yet to come across
    a diagram that described two public VLANs, and specified routes to
    each of them. Was it just not meant to be?

    --
    Cisco CSS Home Page
    http://www.cisco.com/warp/public/cc/pd/si/11000/index.shtml

    How to Configure ACLs on the CSS 11000/11500 and Use Them with Source
    Groups
    http://www.cisco.com/warp/public/117/acl.html
Gnews, Mar 3, 2004
#1
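The symptom in the post, the same outbound VIP leaving through e1 for some destinations and e2 for others, is what you get whenever a router has two routes that tie on prefix length and metric and breaks the tie per destination. The Python model below, an added example that is not CSS code and was not written by the poster, reproduces the lookup order (longest prefix, then lowest metric, then a per-destination hash) against the addresses in the post and then shows the same lookup after the second default has been demoted to a backup. Several things are assumptions rather than facts from the page: the tie-break hash is modelled as the destination address modulo the candidate count only because that reproduces the odd/even split in the telnet tests, the CSS is assumed to treat the trailing number of `ip route` as a preference where lower wins, the 214.50.230.128/26 prefix is taken from the circuit mask in the posted config rather than the /25 mentioned in the text, and demoting the second default is a candidate fix the post did not try. One thing the model makes visible that the post does not: hosts on a directly connected circuit, including the .58 application server, match the connected route and never reach the default routes at all.

```python
"""Longest-prefix-match lookup with equal-cost tie-breaking, modelled on the
routing table in the post (added example; not CSS code and not from the post)."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    net: ipaddress.IPv4Network
    next_hop: str    # "connected" for a directly attached circuit
    egress: str      # CSS interface the post associates with that circuit
    metric: int = 1  # trailing number of "ip route"; lower wins (assumption)


def route(prefix, next_hop, egress, metric=1):
    return Route(ipaddress.ip_network(prefix), next_hop, egress, metric)


# Connected circuits from the posted config (e3 and e4 are both bridged
# into VLAN2, so either may carry the private network).
CONNECTED = [
    route("214.50.230.128/26", "connected", "e1"),
    route("214.50.232.48/28", "connected", "e2"),
    route("192.168.1.0/24", "connected", "e3/e4"),
]

# The two equal-cost defaults exactly as posted.
AS_POSTED = CONNECTED + [
    route("0.0.0.0/0", "214.50.230.129", "e1", metric=1),
    route("0.0.0.0/0", "214.50.232.49", "e2", metric=1),
]

# Same table with the second default demoted (assumed fix, not something the
# post tried): it only wins if the first default is removed.
WITH_BACKUP = CONNECTED + [
    route("0.0.0.0/0", "214.50.230.129", "e1", metric=1),
    route("0.0.0.0/0", "214.50.232.49", "e2", metric=2),
]


def lookup(routes, dst):
    """Return the Route used for dst: longest prefix first, then lowest
    metric, then a per-destination hash over whatever candidates remain."""
    addr = ipaddress.ip_address(dst)
    matching = [r for r in routes if addr in r.net]
    if not matching:
        return None
    longest = max(r.net.prefixlen for r in matching)
    best = [r for r in matching if r.net.prefixlen == longest]
    lowest = min(r.metric for r in best)
    candidates = [r for r in best if r.metric == lowest]
    # ASSUMPTION: the tie is broken by hashing the destination address.
    # Address modulo candidate count is a stand-in chosen only because it
    # reproduces the odd/even split the post reports; the real CSS hash is
    # not documented on the page.
    return candidates[int(addr) % len(candidates)]


def egress_for(routes, dsts):
    """Map each destination to the interface the lookup would send it out of."""
    return {d: lookup(routes, d).egress for d in dsts}


# Constructed sample: the mail-server addresses from the post's telnet tests.
MAIL_SERVERS = [
    "131.107.3.122", "131.107.3.125", "131.107.3.121",
    "131.107.3.126", "216.155.197.63",
]

if __name__ == "__main__":
    for name, table in (("as posted", AS_POSTED), ("with backup", WITH_BACKUP)):
        print(name)
        for dst, iface in egress_for(table, MAIL_SERVERS).items():
            print(f"  {dst:16} -> {iface}")
    # A host on a connected circuit never consults the defaults at all.
    print("app server 214.50.232.58 ->", lookup(AS_POSTED, "214.50.232.58").egress)
```

Run as posted, the model sends 131.107.3.122 and .126 out e1 and .121, .125 and 216.155.197.63 out e2, which is the split in the `show flows` output above; with the second default demoted every mail server leaves via e1 while the .58 application server still reaches e2 through its connected route. Whether the real fix on a CSS is a preference on the second default, a specific route for the peers that must use the 232 circuit, or a source-group and ACL arrangement is a separate question the model does not answer.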
