SLC 8000 Dual Ethernet -...

SLC 8000 Dual Ethernet What can I use the two interfaces for on the SLC 8000? Revision 1 – November 20, 2017


Page 1: SLC 8000 Dual Ethernet - ltxfaq.custhelp.comltxfaq.custhelp.com/ci/fattach/get/55346/0/filename/SLC8000_Dual... · What can I use the two interfaces for on ... •They were intended


Introduction

• Due to customer requests, when the SLC was designed, it included two Ethernet connections

• There are numerous reasons a device may have more than one Ethernet port

• Few devices support all of the possible functions that multiple Ethernet ports can provide

• Which functions are supported depends on the role of the device itself

• This document will introduce some of the most useful functions the SLC supports


Initial Implementation

• When the SLC was first introduced, the two interfaces supported one function

• They were intended to provide a primary interface to access the SLC from all subnets via a default gateway, as any single-interface device would

• The secondary interface would operate independently from the primary in that packets would not pass between the two interfaces

• Since a given network device cannot have more than one “default” gateway, any subnets outside of the secondary interface’s would have to be expressed as explicit routes

• A simple expression of this would look like this:

[Diagram: the SLC 8000 with its Eth1 and Eth2 ports, seven routers, and the Internet]


• In the previous page, no IP addresses were included, because it was intended to show the setup from a physical perspective

• The networks that come off each Ethernet port are independent and not connected to each other in any way

• This was the initial concept of a “management” network

• The Primary interface uses the “default” gateway, which means any address not on the same subnet as the Primary interface OR defined in a specific static route would be sent to the IP address of the “default” gateway

• This is why the “Internet” is on that network

• Now, let’s add IP addresses to the devices to further illustrate the setup

[Diagram: the same network with IP addresses. SLC 8000: Eth1 172.18.21.21, Eth2 192.168.1.10. Routers: 172.18.21.1, 172.19.21.1, 172.20.21.1, 192.168.1.1, 192.168.2.1, 192.168.3.1, 192.168.4.1]


• In the previous page’s example, the SLC would have a network configuration of:

Eth1 IP – 172.18.21.21
Eth1 Subnet Mask – 255.255.0.0
Eth2 IP – 192.168.1.10
Eth2 Subnet Mask – 255.255.255.0
Default Gateway – 172.18.21.1


• Now, if no other configuration was made, communication from devices connected to the Eth2 side would not work

• Why? Because the default gateway would be used for any source IP that was not on the same subnet as Eth1

• The reply to a packet coming into Eth2 from a non-192.168.1.x address would be routed out Eth1 because that is what a default gateway does

• In order for packets from the subnets off Eth2 to be properly routed back to Eth2, those subnets must be associated with a router on Eth2’s subnet. In other words, 192.168.1.1

• This must be done using static routes


• Using the diagram as an example, there are three subnets beyond the 192.168.1.0 network

• Each needs to be expressed as a static route on the SLC for it to know where to route the packet

• Otherwise, it will send it “by default” out Eth1 because the default gateway is on its subnet

• Packet routing is not, by default, reflexive

• It does not consider the interface that received a packet in determining where to send a return packet because packets are independent of each other


• Routes for the subnets off Eth2 would look like:

Destination    Gateway        Genmask
192.168.2.0    192.168.1.1    255.255.255.0
192.168.3.0    192.168.1.1    255.255.255.0
192.168.4.0    192.168.1.1    255.255.255.0

• These routes tell the SLC that a packet to any of the three listed subnets should be forwarded to the gateway address 192.168.1.1

• Since that address is on the same subnet as Eth2, the packet will be sent out that interface


• That is the simplest implementation of the two Ethernet interfaces

• Static routes to specific subnets on the Eth2 side

• All of the rest of the subnets then fall under the default gateway on the Eth1 side
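
The route selection described above, as an added example that is not part of the original slides and is not SLC code: it models the lookup as longest-prefix match on the destination address, using the interface addresses, default gateway and static routes from the slides. The client address 192.168.3.25 and all function names are constructed for illustration.

```python
from ipaddress import ip_address, ip_interface, ip_network

# Values taken from the slides' example network.
INTERFACES = {
    "Eth1": ip_interface("172.18.21.21/255.255.0.0"),
    "Eth2": ip_interface("192.168.1.10/255.255.255.0"),
}
DEFAULT_GATEWAY = "172.18.21.1"
STATIC_ROUTES = [  # (Destination, Gateway, Genmask), as in the slides' table
    ("192.168.2.0", "192.168.1.1", "255.255.255.0"),
    ("192.168.3.0", "192.168.1.1", "255.255.255.0"),
    ("192.168.4.0", "192.168.1.1", "255.255.255.0"),
]


def egress_for(gateway):
    """A gateway is reached out of the interface whose subnet contains it."""
    for name, iface in INTERFACES.items():
        if ip_address(gateway) in iface.network:
            return name
    raise ValueError(f"gateway {gateway} is not on a connected subnet")


def build_table(static_routes):
    """Connected subnets, then static routes, then the single default route."""
    table = [(iface.network, None, name) for name, iface in INTERFACES.items()]
    for dest, gateway, mask in static_routes:
        table.append((ip_network(f"{dest}/{mask}"), gateway, egress_for(gateway)))
    table.append((ip_network("0.0.0.0/0"), DEFAULT_GATEWAY, egress_for(DEFAULT_GATEWAY)))
    return table


def lookup(table, destination):
    """Longest-prefix match on the destination; the ingress port is never consulted."""
    dst = ip_address(destination)
    _net, gateway, iface = max(
        (route for route in table if dst in route[0]),
        key=lambda route: route[0].prefixlen,
    )
    return iface, gateway or "direct"


def reply_paths(client):
    """(egress, next hop) for a reply to `client`, without and with the static routes."""
    return lookup(build_table([]), client), lookup(build_table(STATIC_ROUTES), client)


if __name__ == "__main__":
    # 192.168.3.25 is a constructed client address behind the Eth2-side routers.
    print(reply_paths("192.168.3.25"))
```

Without the static routes the reply to a client that arrived on Eth2 leaves on Eth1 toward the default gateway; with them it leaves on Eth2 via 192.168.1.1.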


• Keep in mind that the SLC is not a router

• It was not intended to manage traffic between multiple subnets

• As such, it was initially implemented to not support any sort of functionality that resembled roles that should be handled by a router

• However, as the SLC evolved, we did implement some basic functions that would allow some degree of redundancy and failover

• One was Linux Interface Bonding

• This tutorial will not cover that, since it fundamentally treats two Ethernet interfaces as a single interface.

• This tutorial will focus on the interfaces operating independently

Further Enhancements

• When we added some router-like functions to the SLC, we opened up the door to some deployment issues for those who were either not familiar with routing or not responsible for that aspect of the network infrastructure onto which the SLC would be installed

• This is problematic because as soon as you make the SLC act like a router, it has to interact with existing “real” routers on the network in order to function properly and avoid conflicts and loops

• This means that whoever is responsible for the actual routers on the network needs to be aware of the SLCs, their configuration, and how the “real” routers need to be configured to account for their presence

• Failing to consult the infrastructure team in advance can create loops and potential security holes


• The first such function that was implemented on the SLC was IP Forwarding

• Enabling this function allows packets from one interface to be routed to another

• Referring back to the example diagram, the SLC has now become a router with gateway addresses of 172.18.21.21 and 192.168.1.10 for Eth1 and Eth2, respectively

• The problem is, it is not likely that any hosts on the network have either of those addresses configured as their default gateways


• Instead, clients on the various subnets would have their local “real” router configured as their gateway

• That means that, if the SLC was being used to forward packets, downstream routers would have to know that the SLC was acting as a router and have entries on their routing tables noting as such

• This might be handy if you wanted to link the subnets off of Eth1 with the subnets off Eth2

• That would be doable, but the SLC is not a router and would not be the best tool for that function

• “Real” routers are both hardware and software optimized for forwarding packets


Alternate Gateway

• All of the enhanced functions of the SLC’s Ethernet settings are not proprietary to the SLC

• They are open standard tools that exist in Linux

• Any such functions that are implemented on the SLC operate within the logical limitation of the specific function

• One such feature that we refer to as “Alternate Gateway” uses a Linux feature called “Dead Gateway Detection”

• Alternate Gateway is one option when both Eth1 and Eth2 are connected to networks that connect to each other somewhere downstream

• For instance, if we modify the network example so both segments connect to the Internet

[Diagram: the example network with the same addresses as before, modified so both segments connect to the Internet]


• The default gateway will route all traffic going to Internet IP addresses through 172.18.21.1 off the Eth1 interface because only packets going to 192.168.2.0, 192.168.3.0, and 192.168.4.0 have explicit routes through Eth2

• This is what happens when you create a loop on the network

• Since you cannot just randomly choose to send a packet out one interface or another, packets are sent to the interface determined to be the “default”

• The Alternate Gateway function exists to provide a path for packets when the default gateway is not forwarding packets


• The first thing to be aware of is that the functionality about to be described does not work when the physical link is down on Eth1, whether because of an unplugged Ethernet cable or because the switch to which the SLC is connected is powered off

• Link down issues are handled separately by Linux and such situations are not supported by the SLC beyond that which can be handled under Interface Bonding

• The intended scenario for Alternate Gateway assumes that a particular host should always be pingable from Eth1

[Diagram: the example network with the same addresses as before; label: “Ping Google.com”]

• One of the routers stops forwarding packets for any reason

[Diagram: the example network with the same addresses as before; label: “Ping Google.com fails”]


• If the SLC is configured with an Alternate Gateway, it will have the following information:

Alternate – The IP address of the gateway on the other interface (192.168.1.1 in this case)
IP Address to Ping – An address not on the same subnet as Eth1, up to and including Internet addresses/hosts
Ethernet Port for Ping – If Eth1 is the primary and the subnet of the default gateway, select Eth1
Delay Between Pings – The interval between the pings
Number of Failed Pings – Number of times in a row that a ping gets no reply before switching interfaces

• Packets will now be routed out Eth2 via 192.168.1.1

[Diagram: the example network with the same addresses as before]

• The SLC will continue to ping the host over Eth1

[Diagram: the example network with the same addresses as before; label: “Ping Google.com fails”]

• If the pings start to get responses, the SLC will switch the default gateway back to the primary (172.18.21.1, in this example)

[Diagram: the example network with the same addresses as before; label: “Ping Google.com”]


• Note that all of the previous information is from the perspective of the SLC and how it is configured to communicate with the network

• Traffic that originates on the network from hosts on the various subnets is the responsibility of both the configuration of those hosts and the routers that provide the paths to other hosts, including the SLC

• This is why it is extremely important to be aware of the behavior of the rest of the network with regard to how and where it routes IP traffic

• No configuration on the SLC can overcome an infrastructure configuration that does not account for the SLC’s presence
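
The Alternate Gateway switch-over and switch-back sequence described above, as an added example that is not part of the original slides and is not SLC code. The gateway addresses come from the slides; the class and function names, the ping sequence, and the assumption that a single reply is enough to switch back to the primary are constructed for illustration.

```python
from dataclasses import dataclass

PRIMARY_GW = "172.18.21.1"    # default gateway on Eth1 (from the slides)
ALTERNATE_GW = "192.168.1.1"  # "Alternate" setting: gateway on Eth2 (from the slides)

# Constructed probe results: True means the pinged host replied over Eth1.
SAMPLE_PINGS = [True, False, False, True, False, False, False, False, True]


@dataclass
class AlternateGatewayMonitor:  # hypothetical name
    failed_pings_limit: int      # the "Number of Failed Pings" setting
    active: str = PRIMARY_GW
    failures_in_a_row: int = 0

    def on_ping(self, replied: bool) -> str:
        """Feed one probe result; return the default gateway now in use."""
        if replied:
            # Assumption: one reply restores the primary gateway.
            self.failures_in_a_row = 0
            self.active = PRIMARY_GW
        else:
            self.failures_in_a_row += 1
            if self.failures_in_a_row >= self.failed_pings_limit:
                self.active = ALTERNATE_GW
        return self.active


def replay(pings, failed_pings_limit=3):
    """Active default gateway after each probe in `pings`."""
    monitor = AlternateGatewayMonitor(failed_pings_limit)
    return [monitor.on_ping(replied) for replied in pings]


def count_switches(history):
    """Number of default-gateway changes; a high count means the path is flapping."""
    return sum(1 for before, after in zip(history, history[1:]) if before != after)


if __name__ == "__main__":
    history = replay(SAMPLE_PINGS)
    for replied, gateway in zip(SAMPLE_PINGS, history):
        print("reply  " if replied else "no reply", "->", gateway)
    print("gateway switches:", count_switches(history))
```

Two isolated failures followed by a reply never trigger the switch; only the run of three failures in a row does, and the probe over Eth1 keeps running so the primary can be restored.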


Unsupported Functionality

• Routers and Linux hosts configured as routers can be configured to do many things with regard to multiple interfaces

• The SLC, not being a router, only supports a subset of those functions, as it is not the intention of the SLC to be a router

• The most significant of these functions not supported by the SLC is “Rule Based Routing”

• Rule Based Routing is usually implemented on either true routers or multi-homed servers, of which the SLC is neither

• As such, any packet handling behavior that requires Rule Based Routing would not be supported on the SLC