vCMP Host and Guest Communication
Hi All,
I'm having some difficulty with some pre-testing that I'm doing for a vCMP Host - Guest design and hoping somebody here could steer me in the right direction.
Basically, the deployment is very restrictive in terms of isolation so for each environment (UAT/PPD/PRD) we have presentation, abstraction and database networks.
Due to the restrictive nature of the deployment where each environment network needs to be firewalled off (L3 gateway for each subnet is the firewall), the only way I have found to achieve the isolation restrictions is to create 3 x RDs per administration partition referencing each environment and defining a unique RD default gateway for each subnet for each environment.
What I'm wanting to do is some pre-testing to verify my configuration by creating a self IP on the vCMP host in each VLAN for each environment and verify that the strict isolation requirements are working and that I can ping from a specific RD on the guest to an IP address in a different network on the vCMP host.
I can ping from the vCMP guest to each of the self IP addresses defined on the vCMP host, confirming that the VLANs are presented between vCMP host and guest.
The problem is that I never get an echo reply back from the vCMP host when trying to ping outside of the local route domain subnet.
- An example:
- UAT Presentation network is 192.168.8.0/24, can ping 192.168.8.1 on vCMP host (VLAN 180) (self IP 8.252, floating IP 8.254). I can ping from host to vADC and vADC to host ok. (route domain 8)
- UAT Abstraction network is 192.168.9.0/24, can ping 192.168.9.1 on vCMP host (VLAN 190) (self IP 9.252, floating IP 9.254). I can ping from host to vADC and vADC to host ok. (route domain 9)
What fails is pinging from route domain 8 to the vCMP host IP 192.168.9.1. If I tcpdump on the vCMP host, I see the echo request come in on the Presentation network interface on the vCMP host but never get an echo reply.
Update: I'm guessing but I think my issue is that I'm trying to route through a self IP/floating IP. The only way this would work is if I had a forwarding VIP setup in the appropriate zones and that IP address was used as next hop right? I don't think this could work as vCMP host is dedicated to vCMP only and isn't running LTM. Therefore I cannot define a forward VIP and this testing is flawed. Can somebody please verify that my comment is correct?
Would be hugely appreciated.
Cheers, Andy.
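As an added illustration (not configuration from the thread or from F5), this tmsh fragment shows the route-domain layout described in the question for the two UAT networks: one RD per environment network in a partition, strict isolation on, and a unique default route per RD. VLAN names, interface numbers and the firewall gateway addresses are assumptions; the subnet and self IP values are the ones given in the post.

```tmsh
# Constructed example: two of the three per-environment route domains.
# Run from within the administrative partition that owns these objects.
create net vlan vlan180 tag 180 interfaces add { 1.1 { tagged } }
create net vlan vlan190 tag 190 interfaces add { 1.1 { tagged } }

# One route domain per environment network. "strict enabled" means the
# guest itself will never forward between RDs; every inter-network flow
# has to leave via that RD's gateway (the firewall), which is the
# isolation requirement the post describes.
create net route-domain uat-presentation id 8 vlans add { vlan180 } strict enabled
create net route-domain uat-abstraction  id 9 vlans add { vlan190 } strict enabled

# Non-floating self IPs from the post, with no services listening on them.
create net self 192.168.8.252%8 address 192.168.8.252%8/24 vlan vlan180 allow-service none
create net self 192.168.9.252%9 address 192.168.9.252%9/24 vlan vlan190 allow-service none

# A unique default route per RD, pointing at that subnet's firewall
# interface (gateway addresses are assumed placeholders).
create net route default-rd8 network 0.0.0.0%8/0 gw 192.168.8.1%8
create net route default-rd9 network 0.0.0.0%9/0 gw 192.168.9.1%9

# Check which RDs exist and that strict isolation is on before testing.
list net route-domain strict
```

A ping from RD 8 to an address in the 192.168.9.0/24 network is sent to 192.168.8.1%8 and only reaches RD 9 if the firewall forwards it; a self IP on the vCMP host, or on the guest, never acts as that hop.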
You are correct. Though, with all that segmentation -- why not separate vCMP guests?
sysengrnz_12201 (Nimbostratus):
Thanks for verifying for me :). Unfortunately I have a design constraint in which I have to make do with the existing b2100 blades purchased. We're migrating away from 4 software Linux load balancers (which are deployed single leg in each of the logical segments). The current deployment was simple to meet the isolation requirements as any inter-network traffic must pass through the firewall to get to other segments. PRD is a separate guest so is much simpler, but it's the second guest, which consists of approx 7 non-PRD environments, that needed the segmentation. The additional complexity comes in as the environments merged, so there are competing architectures (legacy corporate has a flat address space so a single RD fits in nicely with the existing way of doing things) but the merged environments follow the strict isolation requirement, so I've been having a lot of fun figuring out the flows. I guess without having a dedicated guest per environment and no ability to scale up without new blades/compute being purchased, this is the only way to meet the requirement, if rearchitecting isn't an option?