D&C Lug - Home Page
Devon & Cornwall Linux Users' Group


Re: [LUG] Routing Strangeness




On Friday 31 May 2002 5:53 pm, Simon Waters wrote:

>> This is driving me *mad*.  I think I'm missing something really simple
>> but I've been staring at it too long.

> Can you sleep on it?

3 days now ;)

>> The CS150's default gateway is 172.16.0.3

> Okay, although the switch's config seems a bit mysterious to me.

It's not really just a switch, it's a hybrid switch, router, PIX, and load 
balancer - what used to be a very good product from Arrowpoint 
Communications, and was bought out by Cisco, who proceeded to make a mess of 
it in version 5 of the software ;p


>> anglerfish:~# ip route show
>> 172.16.0.100 dev eth1  scope link
>> 172.16.0.0/24 dev eth1  proto kernel  scope link  src 172.16.0.4
>> 172.16.0.0/24 dev eth0  proto kernel  scope link  src 172.16.0.3
>> unreachable 123.123.123.0/24  scope host
>> 123.123.123.0/24 dev eth0  proto kernel  scope link  src 123.123.123.1
>> 10.2.0.0/16 dev eth2  proto kernel  scope link  src 10.2.0.1
>> 10.1.0.0/16 dev eth3  proto kernel  scope link  src 10.1.0.1
>> default via 172.16.0.1 dev eth1

> What does ifconfig look like?


anglerfish:~# ifconfig
eth0      Link encap:Ethernet  HWaddr 00:03:47:AB:DF:D6
         inet addr:172.16.0.3  Bcast:172.16.255.255  Mask:255.255.255.0
         UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
         RX packets:19804013 errors:0 dropped:0 overruns:0 frame:0
         TX packets:95 errors:0 dropped:0 overruns:0 carrier:0
         collisions:0 txqueuelen:100
         RX bytes:187332058 (178.6 MiB)  TX bytes:4878 (4.7 KiB)
         Interrupt:7

eth0:1    Link encap:Ethernet  HWaddr 00:03:47:AB:DF:D6
         inet addr:123.123.123.1  Bcast:80.255.255.255  Mask:255.255.255.0
         UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
         Interrupt:7

eth1      Link encap:Ethernet  HWaddr 00:03:47:AB:DF:D7
         inet addr:172.16.0.4  Bcast:172.16.255.255  Mask:255.255.255.0
         UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
         RX packets:605944 errors:0 dropped:0 overruns:0 frame:0
         TX packets:33329771 errors:0 dropped:0 overruns:1 carrier:0
         collisions:0 txqueuelen:100
         RX bytes:83651791 (79.7 MiB)  TX bytes:3858652266 (3.5 GiB)
         Interrupt:5 Base address:0x2000

eth2      Link encap:Ethernet  HWaddr 00:02:B3:35:E7:C8
         inet addr:10.2.0.1  Bcast:10.255.255.255  Mask:255.255.0.0
         UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
         RX packets:28383865 errors:0 dropped:0 overruns:0 frame:0
         TX packets:13286977 errors:0 dropped:0 overruns:1521 carrier:0
         collisions:0 txqueuelen:100
         RX bytes:3467432433 (3.2 GiB)  TX bytes:3064601550 (2.8 GiB)
         Interrupt:5 Base address:0x4000

eth3      Link encap:Ethernet  HWaddr 00:02:B3:35:E7:C9
         inet addr:10.1.0.1  Bcast:10.255.255.255  Mask:255.255.0.0
         UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
         RX packets:19633323 errors:0 dropped:0 overruns:0 frame:22
         TX packets:7107726 errors:0 dropped:0 overruns:82 carrier:0
         collisions:0 txqueuelen:100
         RX bytes:1399165083 (1.3 GiB)  TX bytes:1459282816 (1.3 GiB)
         Interrupt:5 Base address:0x6000

lo        Link encap:Local Loopback
         inet addr:127.0.0.1  Mask:255.0.0.0
         UP LOOPBACK RUNNING  MTU:16436  Metric:1
         RX packets:492 errors:0 dropped:0 overruns:0 frame:0
         TX packets:492 errors:0 dropped:0 overruns:0 carrier:0
         collisions:0 txqueuelen:0
         RX bytes:53246 (51.9 KiB)  TX bytes:53246 (51.9 KiB)


> Am I misreading it but you said incoming connections to
> 123.123.123.246 but it looks like the box is 123.123.123.1 from
> the configuration, or possibly it has all gone right over my
> head. Which boxes are 123.123.123.246 and which 123.123.123.1
> and can they ping each other?

123.123.123.246 doesn't exist anywhere except being hit in netfilter's 
PREROUTING nat table and DNAT'ed to the CS150's VIP, which 
multiplexes/load balances to internal services, using S/DNAT:

CS150(config)# sh running-config
!Generated MAY 31 11:42:30

configure


!*************************** GLOBAL ***************************
 ip record-route
 restrict telnet
 restrict ftp
 arp 172.16.0.3 00-03-47-ab-df-d6 ethernet-2
 arp 172.16.0.4 00-03-47-ab-df-d7 ethernet-3

 sshd server-keybits 1024

 ip route 0.0.0.0 0.0.0.0 172.16.0.3 1

!************************** CIRCUIT **************************
circuit VLAN1

 ip address 172.16.0.2 255.255.255.0

!************************** SERVICE **************************
service WWW-Panther
 ip address 10.2.1.7
 protocol tcp
 keepalive type http
 port 80
 keepalive frequency 255
 active

service WWW-Wolf
 ip address 10.2.1.6
 protocol tcp
 port 80
 keepalive type http
 active

!*************************** OWNER ***************************
owner AnlX
 email-address support@xxxxxxxx

 content WEBUSERS-HTTP
   protocol tcp
   balance aca
   add service WWW-Panther
   add service WWW-Wolf
   port 80
   vip address 172.16.0.100
   active


>> OK, so now that's all out of the way, and I've lost my brain somewhere, does
>> that *sound* like it should work???

> Sounds rather complex, and as if traffic will go over eth0 three
> times more than it needs to, or did I miss something?

It needs to for one main reason, most of which is the Arrowpoint's fault:

- for load balancing to work, the Arrowpoint needs to have flows going in one 
port and out of another so it can actually map the flows.

- we can't put the Arrowpoint in front of the servers as the Arrowpoint then 
proceeds to block ARPs, and nothing seems to make it let them through.  
Although this is a bug, and I've reported it to Cisco, they have not got a 
release date for WebNS 5p2, which may well be a long time as WebNS5 has only 
just been released, ARGH.

- the traffic needs to be filtered before it hits the CS150.

I've been over and over in my head with this, and it seems the only logical 
sane way to make it work with the damned CS150, which *needs* to be used 
sadly, because of the customer's requirements.

The load isn't really a problem, as they are all eepro100 NICs, on a beefy 
dual 1.4GHz PCI64 mobo with 1GB RAM, and it's handling relatively little 
traffic (only around 8mbit/sec *max*).

~ Theo, who has lost his packets!

-- 

Theo Zourzouvillys
http://zozo.org.uk/

Your society will be sought by people of taste and refinement.
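Added here as an illustration, not part of the thread: a small Python longest-prefix-match lookup over the `ip route show` table Theo posted, to see which interface the kernel would pick for each host involved (the VIP 172.16.0.100, the CS150 at 172.16.0.2, the web servers, and the DNAT'ed address 123.123.123.246). It assumes that, for routes of equal prefix length, the first entry in the displayed order wins, and it shows why the two interfaces on 172.16.0.0/24 give an asymmetric return path: a packet from the CS150 arriving on eth0 is answered out of eth1.

```python
# Added example (not from the original thread): model the kernel's route
# selection over the table quoted in the message.  Assumption made here:
# when several routes have the same prefix length, the first one listed wins.
import ipaddress

# Route table exactly as quoted in the message (constructed sample input).
ROUTE_TABLE = """\
172.16.0.100 dev eth1  scope link
172.16.0.0/24 dev eth1  proto kernel  scope link  src 172.16.0.4
172.16.0.0/24 dev eth0  proto kernel  scope link  src 172.16.0.3
unreachable 123.123.123.0/24  scope host
123.123.123.0/24 dev eth0  proto kernel  scope link  src 123.123.123.1
10.2.0.0/16 dev eth2  proto kernel  scope link  src 10.2.0.1
10.1.0.0/16 dev eth3  proto kernel  scope link  src 10.1.0.1
default via 172.16.0.1 dev eth1
"""

def parse_routes(text):
    """Turn each 'ip route show' line into (network, dev, via, unreachable)."""
    routes = []
    for line in text.splitlines():
        words = line.split()
        if not words:
            continue
        unreachable = words[0] == "unreachable"
        if unreachable:
            words = words[1:]
        prefix = "0.0.0.0/0" if words[0] == "default" else words[0]
        net = ipaddress.ip_network(prefix, strict=False)   # bare host -> /32
        dev = words[words.index("dev") + 1] if "dev" in words else None
        via = words[words.index("via") + 1] if "via" in words else None
        routes.append((net, dev, via, unreachable))
    return routes

def lookup(routes, dst):
    """Longest-prefix match; on a tie the first listed entry is kept."""
    addr = ipaddress.ip_address(dst)
    best = None
    for route in routes:
        if addr in route[0] and (best is None or route[0].prefixlen > best[0].prefixlen):
            best = route
    if best is None or best[3]:
        return None            # no route, or an 'unreachable' entry won
    return (best[1], best[2])  # (egress interface, next hop; None = on-link)

def reply_is_symmetric(routes, ingress_dev, peer):
    """Does a reply to `peer`, which arrived on `ingress_dev`, leave by the same interface?"""
    route = lookup(routes, peer)
    return route is not None and route[0] == ingress_dev
```

Note that the original destination 123.123.123.246 is shadowed by the `unreachable` entry under this model, but that does not matter for the DNAT'ed flow: PREROUTING rewrites the destination to 172.16.0.100 before the routing decision, so the lookup that counts is the one for the VIP.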

