Marco32
Contributor

MDS with 2 interface, asymmetric routing issue

Hi there,

I'm trying to work out in my lab the best configuration for an MDS R81.10 HA that has a strict security policy for interface access.

Architecture is like this:

  • bond1 (configured as the leading interface), which can be reached only by the appliances that have to be managed by the various CMAs. The IPs are like 192.168.1.2/24 for CMA1, 192.168.1.3/24 for CMA2, 192.168.1.4/24 for CMA3
  • eth0 (configured as a leading interface too), which can be reached only for SmartConsole/ssh access. The IP is 10.0.0.1/24

The customer's security policy does not allow 192.168.1.0/24 to be reached for administration traffic (SmartConsole).

Routing is configured with the default gateway pointing to 192.168.1.1 on the bond1 interface and with a static route to the management subnet through eth0.

If I connect to 10.0.0.1 with SmartConsole I can access the MDS environment, but if I try to connect to the active server of a CMA my PC starts a new session pointing to the CMA IP (e.g. 192.168.1.2), and this can't be valid under the security policy.

My question is: is there a way to access the CMA with SmartConsole through eth0 and not through bond1? Otherwise I have an asymmetric routing issue.

Regards

M

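The asymmetric path described in the post above, as an added example that is not from the post or from Check Point: a small Python model of the MDS routing table that predicts, for each SmartConsole session, the interface the request arrives on and the interface the reply leaves through. The 172.16.0.0/24 client subnet and the 10.0.0.254 next hop are assumptions; the post only says "management subnet reached through eth0".

```python
import ipaddress

# Constructed model of the lab MDS from the post (assumed values, not a real Gaia config).
# Interface -> addresses the MDS owns on that interface.
INTERFACES = {
    "bond1": ["192.168.1.2/24", "192.168.1.3/24", "192.168.1.4/24"],  # CMA (domain) VIPs
    "eth0": ["10.0.0.1/24"],                                          # MDS management IP
}
# Static routes, Gaia style: (destination, next hop, egress interface).
# The SmartConsole client subnet 172.16.0.0/24 is an assumption.
STATIC_ROUTES = [
    ("0.0.0.0/0", "192.168.1.1", "bond1"),     # default gateway on bond1
    ("172.16.0.0/24", "10.0.0.254", "eth0"),   # static route to the management subnet
]

def routing_table():
    """Connected routes derived from the interface addresses, plus the static routes."""
    table = []
    for ifname, addrs in INTERFACES.items():
        for a in addrs:
            table.append((ipaddress.ip_interface(a).network, None, ifname))
    for dst, nh, ifname in STATIC_ROUTES:
        table.append((ipaddress.ip_network(dst), nh, ifname))
    return table

def egress_interface(dst_ip):
    """Longest-prefix match: the interface the MDS uses to send packets to dst_ip."""
    dst = ipaddress.ip_address(dst_ip)
    matches = [r for r in routing_table() if dst in r[0]]
    return max(matches, key=lambda r: r[0].prefixlen)[2]

def ingress_interface(server_ip):
    """The interface that owns the MDS address a client connected to."""
    target = ipaddress.ip_address(server_ip)
    for ifname, addrs in INTERFACES.items():
        if any(ipaddress.ip_interface(a).ip == target for a in addrs):
            return ifname
    raise ValueError(f"{server_ip} is not an MDS address")

def check_session(client_ip, server_ip):
    """Return (ingress, egress, symmetric) for one TCP session from client_ip to server_ip."""
    ingress = ingress_interface(server_ip)
    egress = egress_interface(client_ip)
    return ingress, egress, ingress == egress

def smartconsole_login(client_ip, mds_ip, domain_ip):
    """SmartConsole first connects to the MDS, then opens a second session to the domain IP."""
    return {"mds": check_session(client_ip, mds_ip), "domain": check_session(client_ip, domain_ip)}

if __name__ == "__main__":
    for name, (i, e, ok) in smartconsole_login("172.16.0.50", "10.0.0.1", "192.168.1.2").items():
        print(f"{name}: in={i} out={e} {'symmetric' if ok else 'ASYMMETRIC'}")
```

The second session reproduces the problem: the request for the CMA VIP arrives on bond1 while the reply to the management subnet follows the static route out of eth0.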
4 Replies

If you connect to 10.0.0.1/<DomainName> (or connect to the MDS and pick the domain when it asks you which domain you want to connect to), it should connect SmartConsole to that CMA.

Marco32
Contributor

Hi Bob,

yes I know, but my client starts a new session to the IP 192.168.1.x ... and that network can't be reached from the management network (where I have SmartConsole).

Is there a way to access it only from this interface?


It is not supported to have more than 1 leading interface.

You can deploy a new Windows jump server (with SmartConsole installed) which will be inside 192.168.1.0/24. The second interface on this new Windows jump server can be within 10.0.0.0/24.

Kind regards,
Jozko Mrkvicka
Marco32
Contributor

Thanks all,

the documentation says that you need at least one leading interface. In my lab, in fact, I created 2 different leading interfaces.

The bond1 interface (which has the VIP of the Domain) needs to be accessed only by gateways

The eth0 interface needs to be the only one used from SmartConsole

Is there a way to permit this configuration?
