cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1330
Views
0
Helpful
2
Replies

DCNM 11 no remote authentication works in 172.17./16 or 172.18./16 network

Danny Sandner
Level 1
Level 1

Hey folks,

I run into a big problem with DCNM 11.

Situation:
I have two bare metal servers installed with DCNM as native-HA. Both have IP addresses for eth0 (management) and eth1 (Switch Management).

DCNM1 eth0 has 10.10.11.1/24
DCNM2 eth0 has 10.10.11.2/24
DCNM VIP has 10.10.11.3/24

Our Radius Server has 172.17.0.100/16

Problem:
If I configure the AAA Radius Server and test the authentication, no packets are leaving the DCNM. If I configure LDAP (10.10.20.1/24), packets are leaving DCNM.

 

Reason:

DCNM has two virtual network adapters named "docker0" and "docker_gwbridge". IP Address of "docker0" is 172.17.0.1/16. This is the reason, why my radius request are not going out of the DCNM. It is routed internally. Does anyone have a solution for that problem? It would be nice, if you can configure both networks in setup,too.

DCNM routing table:
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         gateway         0.0.0.0         UG    0      0        0 eth0
10.10.11.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
10.10.99.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
link-local      0.0.0.0         255.255.0.0     U     1002   0        0 eth0
link-local      0.0.0.0         255.255.0.0     U     1007   0        0 eth1
172.17.0.0      0.0.0.0         255.255.0.0     U     0      0        0 docker0
172.18.0.0      0.0.0.0         255.255.0.0     U     0      0        0 docker_gwbridge

Best regards
/Hugo

2 Replies 2

Danny Sandner
Level 1
Level 1

As workaround, I configured a script in both servers to add a host route. This works for me, but a general solution will be preferred. Configure the route only with "route add...." will add a temporary route. After rebooting the server, the route is deleted. This is why I add the route int the script.

 

[root@dcnm01 ~]# vi /etc/rc.local
insert: "/sbin/ip route add 172.17.0.100/32 via 10.10.11.254 dev eth0"
[root@dcnm01 ~]# chmod +x /etc/rc.d/rc.local

 

[root@dcnm02 ~]# vi /etc/rc.local
insert:  "/sbin/ip route add 172.17.0.100/32 via 10.10.11.254 dev eth0"
[root@dcnm02 ~]# chmod +x /etc/rc.d/rc.local

 /Hugo

Release Notes of DCNM 11.1.1 said, the bug is fixed, but it isn't.

 

CSCvk02433

Subnet 172.17 and 172.18/16 cannot be reached from DCNM

(https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvk02433)

 

I installed DCNM 11.1.1 in native HA, same problem. Docker IP addresses are in subnet 172.17.0.0/16 and 172.18.0.0/16

 

/Danny

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: