(Read the whole article before making any changes to your environment)
I wanted to share with you some of my experience when configuring the DataPower appliances from scratch.
As you know, during the DataPower initialization process there is a wizard available that makes the initial configuration a lot easier. That wizard asks you a few questions about your network and then directs you to the WebGUI, so you can accept the license terms. Most of the time, since the WebGUI is already up and running, people never come back to the configuration of the management interface to adjust it as they should, in order to avoid unexpected behaviors in the future. But what adjustment am I talking about here?
The static route, of course! Right, you do not need to configure it in order to make the WebGUI or any other management service, such as SSH and SOMA, work fine. However, you do need to adjust it in order to prevent DataPower from using the management interface for application data traffic.
The trick here is the following: whenever you see a default route configured for the management interface, you are at risk of DataPower not behaving the way you expect it to. For example, in this case:
xg45# show route
Destination       Device Int Type  Device Int  Gateway       Metric  Route Type  Route Protocol
-----------       ---------------  ----------  -------       ------  ----------  --------------
0.0.0.0/0         Ethernet         mgt0        10.206.137.1  0       remote      netmgmt
0.0.0.0/0         Ethernet         eth11       10.206.137.1  0       remote      netmgmt
10.206.137.0/24   Ethernet         mgt0        0.0.0.0       0       local       local
10.206.137.0/24   Ethernet         eth11       0.0.0.0       0       local       local
The destination 0.0.0.0/0 is the default route. As you can see, there are two default routes in the example above, one used by the mgt0 interface and the other used by eth11. A default route is added to the routing table every time a default gateway is defined on an interface. So as soon as you remove the default gateway from mgt0, its default route disappears from the route table:
xg45# show route
Destination       Device Int Type  Device Int  Gateway       Metric  Route Type  Route Protocol
-----------       ---------------  ----------  -------       ------  ----------  --------------
0.0.0.0/0         Ethernet         eth11       10.206.137.1  0       remote      netmgmt
10.206.137.0/24   Ethernet         mgt0        0.0.0.0       0       local       local
10.206.137.0/24   Ethernet         eth11       0.0.0.0       0       local       local
By removing that, you are explicitly telling DataPower to never use the management interface for any outbound traffic. It also means that, as soon as you remove the default gateway, you *may* lose access to the box, as it will not know how to reply back to you [if you are not on the same subnet as the device (/24) or the management service is not configured for all network interfaces (0.0.0.0)]. Technically you are not really losing access: your requests are reaching the box, but the box does not know how to get back to you.
So, how do you fix that? The answer is to add a static route. Before removing the default gateway details from the management interface configuration, make sure to configure a static route that will teach the box how to reach you back.
If your terminal is configured with a static IP address and you want to restrict the DataPower management interface to talk only to you, the following command should do the trick:
xg45(config-if[mgt0])# ip route 10.206.14.160/32 10.206.137.1
<ip route> invokes the command to create the static route
<10.206.14.160/32> is the final destination of the responses, or the IP address of your terminal
<10.206.137.1> is the network gateway to be used to reach the final destination
And the final result:
xg45(config-if[mgt0])# show route
Destination       Device Int Type  Device Int  Gateway       Metric  Route Type  Route Protocol
-----------       ---------------  ----------  -------       ------  ----------  --------------
0.0.0.0/0         Ethernet         eth11       10.206.137.1  0       remote      netmgmt
10.206.14.160/32  Ethernet         mgt0        10.206.137.1  0       remote      netmgmt
10.206.137.0/24   Ethernet         mgt0        0.0.0.0       0       local       local
10.206.137.0/24   Ethernet         eth11       0.0.0.0       0       local       local
As you can see above, the configuration of the final destination uses CIDR notation. The /32 means that the static route will only work for that specific IP address (subnet mask 255.255.255.255). If you want to configure a static route to reach a specific subnet, you can use a different CIDR prefix to accomplish it. For example, if you know that a specific subnet is safe and want to allow all terminals on that subnet to manage the box, you could use 10.206.14.0/24 (subnet mask 255.255.255.0).
Now going back to the unexpected behaviors we mentioned earlier: when there is more than one default route, there is no default route, makes sense? :-) With that said, if no static route is configured, DataPower will pick any ethernet interface that has a default route set up, and you will start seeing application data traffic coming out of the management interface, and management traffic coming out of the application data interface, on a random basis. Sometimes you are going to experience intermittent connectivity issues, as the gateway configured for the management interface may not know how to route the request to the application backend, and vice versa.
In addition to what has been discussed so far, static routes can do much more! For example, you may want to use one of the various ethernet interfaces available in the appliance to segment traffic to different networks, but this is a topic for another post. :-)
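To make the two checks from this post repeatable (is there more than one default route, and does the box actually have a route back to the terminal you manage it from?), here is an added Python script that parses the plain-text output of show route and audits it. It is example code written for this post, not DataPower tooling or anything from the IBM handbook; the three route tables embedded in it are constructed from the examples above, and the terminal addresses 10.206.14.160 and 10.206.14.200 are the same illustrative values used in the post.

```python
"""Audit DataPower 'show route' output for two conditions described in the post:
1. default routes on more than one interface (egress becomes ambiguous), and
2. whether a given management terminal has a reply path through mgt0 at all.
Example code written for this post; the tables below are constructed samples."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Route:
    destination: ipaddress.IPv4Network
    interface: str   # e.g. "mgt0", "eth11"
    gateway: str     # "0.0.0.0" for directly connected (local) networks
    metric: int
    route_type: str  # "local" or "remote"


def parse_show_route(text: str) -> list:
    """Turn the tabular CLI output into Route objects, skipping prompt, header and rule lines.
    Data rows have exactly seven whitespace-separated fields and start with a CIDR prefix."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 7 or "/" not in parts[0]:
            continue
        dest, _dev_type, iface, gateway, metric, route_type, _proto = parts
        routes.append(Route(ipaddress.ip_network(dest, strict=False), iface, gateway, int(metric), route_type))
    return routes


def default_routes(routes: list) -> list:
    """0.0.0.0/0 entries, i.e. prefix length zero."""
    return [r for r in routes if r.destination.prefixlen == 0]


def has_ambiguous_default(routes: list) -> bool:
    """True when default routes exist on more than one interface: the situation the post warns about."""
    return len({r.interface for r in default_routes(routes)}) > 1


def best_route(routes: list, ip: str) -> Optional[Route]:
    """Longest-prefix match (lowest metric on tie). None means the box has no way to reply to ip."""
    addr = ipaddress.ip_address(ip)
    candidates = [r for r in routes if addr in r.destination]
    if not candidates:
        return None
    return max(candidates, key=lambda r: (r.destination.prefixlen, -r.metric))


def audit(routes: list, terminal_ip: str) -> dict:
    """Summarise both checks for one management terminal address."""
    reply = best_route(routes, terminal_ip)
    return {
        "ambiguous_default": has_ambiguous_default(routes),
        "reply_interface": reply.interface if reply else None,
        "reply_via_mgt0_only": reply is not None and reply.interface == "mgt0" and reply.destination.prefixlen > 0,
    }


# Constructed sample: both mgt0 and eth11 carry a default gateway (the "before" table in the post).
BEFORE = """xg45# show route
Destination Device Int Type Device Int Gateway Metric Route Type Route Protocol
----------- --------------- ---------- ------- ------ ---------- --------------
0.0.0.0/0 Ethernet mgt0 10.206.137.1 0 remote netmgmt
0.0.0.0/0 Ethernet eth11 10.206.137.1 0 remote netmgmt
10.206.137.0/24 Ethernet mgt0 0.0.0.0 0 local local
10.206.137.0/24 Ethernet eth11 0.0.0.0 0 local local
"""

# Constructed sample: mgt0 gateway removed and the /32 static route to the terminal added (the final table).
AFTER = """xg45(config-if[mgt0])# show route
Destination Device Int Type Device Int Gateway Metric Route Type Route Protocol
----------- --------------- ---------- ------- ------ ---------- --------------
0.0.0.0/0 Ethernet eth11 10.206.137.1 0 remote netmgmt
10.206.14.160/32 Ethernet mgt0 10.206.137.1 0 remote netmgmt
10.206.137.0/24 Ethernet mgt0 0.0.0.0 0 local local
10.206.137.0/24 Ethernet eth11 0.0.0.0 0 local local
"""

# Constructed sample: every default gateway removed and no static route added, i.e. the lock-out case.
ISOLATED = [r for r in parse_show_route(BEFORE) if r.destination.prefixlen != 0]


if __name__ == "__main__":
    for label, table in (("before", parse_show_route(BEFORE)), ("after", parse_show_route(AFTER)), ("isolated", ISOLATED)):
        print(label, audit(table, "10.206.14.160"))
```

Running the script reports the "before" table as ambiguous, the "after" table as replying to 10.206.14.160 only through the /32 route on mgt0, and the "isolated" table as having no reply path at all, which is exactly the state to avoid by adding the static route before removing the gateway. A terminal such as 10.206.14.200, outside the /32, would still be answered through the remaining eth11 default route; widening the static route to 10.206.14.0/24 is what brings that whole subnet back onto mgt0.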
Reference: IBM WebSphere DataPower SOA Appliance Handbook - http://www.amazon.com/IBM-WebSphere-DataPower-Appliance-Handbook/dp/0137148194
great!
How to remove the default gateway
I tried the command no ip route but I am getting the below error
% Subnet Route Removal failed, because subnet route was not found.
Hey Hydro, to remove the default gateway using the CLI, you can try the following:
xi50# co
Global configuration mode
xi50(config)# interface mgt0
Interface configuration mode (mgt0 )
xi50(config-if[eth4])# show default-gateway
default IPv4 gateway: 192.168.10.254
default IPv6 gateway: (none)
xi50(config-if[eth4])# no ip default-gateway
Operation succeeded
xi50(config-if[eth4])# show default-gateway
default IPv4 gateway: (none)
default IPv6 gateway: (none)
Before applying these commands, make sure you have connectivity with the appliance through other interfaces or by being in the same subnet. I don't want you to lose access to it (it is explained in detail in this article how to avoid that). But as long as you have access to it through the serial interface for example, you should be safe to play with it as much as you want.
[if you are not on the same subnet of the device (/24) or/and the management service is not configured for all network interfaces (0.0.0.0)]
Why is this point "or/and"?
Good catch! That was probably something I forgot to fix while editing the post; I can't remember my thought back then. It is updated now, I kept the "or". Thank you!