Default Gateway for each Interface?

Jason Meyer · ‎04-24-2012

Apologies for my lack of networking knowledge.

I have 2 C660s, 2 IEAs, and 1 M660 that I need to move the management interface on due to a subnet going away.

I have three physical network cables on three different subnets. External, Internal, and Management.

On our M660 I have moved the management network to a new subnet.

The problem is getting to the management port and the SPAM quarantine (running on internal) from the same workstation.

I can currently get to the management interface if I setup a static route for my workstations to use the management subnet's default gateway. But then I can't get to the SPAM quarantine that is running on a different subnet.

How do I fix this so that I can get to both the management interface and the spam quarantine from the same workstation?

Jason

Donald Nash · ‎04-25-2012

You're running into an unfortunate shortcoming in the operation of the BSD-derived networking stack used by IronPort. There is only one default gateway, and it is only reachable via the interface that's on the same IP subnet. You cannot have separate default routes on each interface. The interface used to transmit a packet is chosen based solely on a routing decision. If the destination address is on the same subnet as a local interface, then that interface is used. Otherwise, the routing table is consulted to find the closest match for the destination address. In a typical setup for an end-node system (i.e. not a router), the only thing in the routing table is the default route. What's notably absent here is what is not used for picking the interface: the source address on the packet. It is easy to think naively that if the source address of the outgoing packet matches the address on an interface, then that interface would be used to transmit the packet. But that's not how it works. Only the destination matters, and the interface that's chosen is the one that's closest to the destination.

This leads to all kinds of headaches, especially if, like us, your networking guys enforce uRPF. In this case, transmitting the packet on an interface other than the one whose address matches the source address of the packet will result in the router dropping the packet as having been spoofed. I went round and round with this a few years ago trying to have the management port on a separate subnet and yet still be reachable from the rest of our campus network. It was only reachable on its own subnet, and uRPF turned out to be the problem. Traffic from my workstation to the management port took the right path, but the return flow had to follow the default route and thus was transmitted on the Data 1 interface instead, resulting in a uRPF violation.

Without seeing a diagram of your network and what you're trying to do, I can't be certain that this is the problem. But it certainly matches the symptoms I saw. If I'm guessing correctly about what's going on, then I'm afraid you can't get there from here.

++Don

Jason Meyer · ‎04-25-2012

Don, really appreciate your input.

What I have done thus far:

Since everyone needs to get to the SPAM quarantine I left that with using port 80 redirected to 443 on Data 2 physical our Internal Network and enabled Management on port 82 redirected to port 83 as a 2nd path to the management services. If an IronPort admin can't get to management via the management network they can get to it on this interface by specifying the different port.

Since just the IronPort admins need to get to the management services I left that with using port 80 redirected to 443 on Management physical but since this is on a different subnet than our default gateway I needed to setup a destination route for my workstation to get this to work, which then breaks my access to the SPAM quarantine.

Previously we were doing this with a NAT on a firewall so we didn't need the destination route on the IronPort and I am still looking for a way to do this without the NAT on the firewall.

Again, Don really appreciate your input, it helps my understanding of what is possible and what isn't and what I don't know.

Jason

gregskigregski · ‎06-04-2012

Just FYI we are running both Inbound and Outbound IP Interfaces on the same subnet and we receive up to 5,000 messages per hour and send out around 3,000 and the C series appliances don't skip a beat. We do have management running on a separate subnet. Just saying, two network cables rather than three, lol.