ONTAP Discussions

Router discovery

nsitps1976
4,884 Views

I have found that I can route into an iSCSI subnet eventhough the /etc/rc file does not have a default gateway for that particular subnet– The subnet (vlan) does however have an interface on a L3 device to allow routing, I am confused as the filer has not been configured with this address, however,it can route off the subnet.

Can anyone explain this? Does this have something to do with the routed command and entry in the rc file? – RIP is not present on this network so router discovery can’t be the culprit??? 

1 ACCEPTED SOLUTION

shaunjurr
4,884 Views

Hi,

1. Routing "in" to your iscsi subnet is a matter of the default gateway for that subnet talking to your iscsi interface.  If the router gets a packet for a locally connected subnet, it will send it to the IP in that net.  This has nothing to do with the filer settings.  The return packets will exit out the filer interface that has the default route and you will get "asymetric routing".  You will have to blackhole traffic into the iscsi net on the router to stop this.

2. Your traceroute example should only work if "options ip.match_any_ifaddr" is set to "on". Turning this off will stop traffic from going out interfaces with an IP that isn't the same as the traffic source.

3. If you want to stop iscsi into interfaces that you don't want to offer iscsi on, then disable iscsi on those interfaces with "iscsi interface disable <interface>"

View solution in original post

4 REPLIES 4

BrendonHiggins
4,884 Views

Are you saying the filer CLI can be used to ping the iSCSI port?  Or that a remote host can come in on the management port and is routed via the filer to the filers iSCSI port.

The 1st is what I expect to happen and the 2nd would be very strange.  Use tracert (traceroute) to confirm the hopes the host is using.  Please post the results to explain what is happening in more detail.

Cheers

Bren

nsitps1976
4,884 Views

There are 2 vlans configured on a single VIF, one vlan is a pure layer2 iSCSI vlan for host to storage access, there is no gateway configured on this vlan as we do not want (for security) to be able to route in / out of this vlan.

The 2nd vlan if for management access / snapmirror replication and it is this vlan which has the default route listed in /etc/rc.

The networks are:

10.220.211.0/24 = iSCSI network

10.220.194.0/29 = mgmt network, with a default route 10.220.194.150

The traceroute below is from a source address on the iSCSI network (10.220.211.0) to a remote network, note the path taken is via the default route for the mgmt network (10.220.194.0).

Filer1> traceroute -s 10.220.211.11 10.220.210.3

traceroute to 10.220.210.3 (10.220.210.3) from 10.220.211.11, 30 hops max, 40 byte packets

1  10.220.194.150 (10.220.194.150)  1.000 ms  1.000 ms  0.000 ms

2  host1.xxx.net (10.220.210.3)  1.000 ms *  0.000 ms

Filer1>

shaunjurr
4,885 Views

Hi,

1. Routing "in" to your iscsi subnet is a matter of the default gateway for that subnet talking to your iscsi interface.  If the router gets a packet for a locally connected subnet, it will send it to the IP in that net.  This has nothing to do with the filer settings.  The return packets will exit out the filer interface that has the default route and you will get "asymetric routing".  You will have to blackhole traffic into the iscsi net on the router to stop this.

2. Your traceroute example should only work if "options ip.match_any_ifaddr" is set to "on". Turning this off will stop traffic from going out interfaces with an IP that isn't the same as the traffic source.

3. If you want to stop iscsi into interfaces that you don't want to offer iscsi on, then disable iscsi on those interfaces with "iscsi interface disable <interface>"

nsitps1976
4,884 Views

Thanks for the help - "options ip.match_any_ifaddr" is what I was after.

Public