Carl Houseman
Super Advisor

Configuring 2nd LAN cards to isolate inter-system traffic

I've got two HPUX-11.11 vPars in an RP7420, each has 2 LAN cards. The 2nd LAN card in each has never been configured. I'm sure the intent of my predecessor was to create a private connection between the two to keep the NFS traffic between these two vPars off the office switch/LAN. (Curiously, both LAN cards are cabled as if to have the private connection... but if there's no IP configuration, there's no communication, right?)

So I did some searching here and googled but didn't find much. I can configure these adapters in netconf, putting the 2nd LAN card of each in a separate IP network. After that what?

Goals:

a) LAN traffic between the two vPars prefers the 2nd LAN card on each.

b) If either of the 2nd LAN cards fail, vPar-to-vPar traffic falls back to the primary LAN cards.

c) If either of the primary LAN cards fail, traffic to the office LAN can route across the 2nd LAN card to the other vPar and out to the world and back.

Pointers to tutorials, manuals, welcome.

thanks,
Carl
Carl Houseman
Super Advisor

Re: Configuring 2nd LAN cards to isolate inter-system traffic

More details:

vPar 1:
root: ioscan -funC lan
Class I H/W Path Driver S/W State H/W Type Description
==========================================================================
lan 0 1/0/1/1/0/4/0 igelan CLAIMED INTERFACE HP A6794-60001 PCI 1000Base-T
lan 1 1/0/14/1/0 igelan CLAIMED INTERFACE HP A6825-60101 PCI 1000Base-T Adapter
root: ifconfig lan0
lan0: flags=1843
inet 10.1.1.9 netmask ffff0000 broadcast 10.1.255.255
root: ifconfig lan1
ifconfig: no such interface

vPar 2:
root: ioscan -funC lan
Class I H/W Path Driver S/W State H/W Type Description
==========================================================================
lan 0 0/0/8/1/0/4/0 igelan CLAIMED INTERFACE HP A6794-60001 PCI 1000Base-T
lan 1 0/0/14/1/0 igelan CLAIMED INTERFACE HP A6825-60101 PCI 1000Base-T Adapter
root: ifconfig lan1
lan1: flags=1843
inet 10.1.1.15 netmask ffff0000 broadcast 10.1.255.255
root: ifconfig lan0
ifconfig: no such interface
IT_2007
Honored Contributor

Re: Configuring 2nd LAN cards to isolate inter-system traffic

If I understand correctly, you want to use the spare network card for failover. Correct?

If this is so, then you have to aggregate and configure the spare LAN card for LAN_MONITOR in /etc/rc.config.d/hp_apaportconf:

HP_APAPORT_INTERFACE_NAME[0]=lan3
HP_APAPORT_CONFIG_MODE[0]=LAN_MONITOR

HP_APAPORT_INTERFACE_NAME[1]=lan7
HP_APAPORT_CONFIG_MODE[1]=LAN_MONITOR
IT_2007
Honored Contributor

Re: Configuring 2nd LAN cards to isolate inter-system traffic

Also, you won't be able to access it if you lose public LAN connectivity, since the private IP isn't registered in DNS.
Carl Houseman
Super Advisor

Re: Configuring 2nd LAN cards to isolate inter-system traffic

Failover is not the primary goal. The primary goal is traffic segregation. If I can do that and have failover as well, that would be great.

Looking at my ioscan results, I wonder, am I really seeing 4 NICs? Or is that just 3? Aren't these two views of the same hardware?

lan 1 0/0/14/1/0 (vPar 1)
lan 1 1/0/14/1/0 (vPar 2)

And if so, I'm wondering what happened to my 4th NIC which has a cable plugged in to it.
IT_2007
Honored Contributor

Re: Configuring 2nd LAN cards to isolate inter-system traffic

>>>Looking at my ioscan results, I wonder, am I really seeing 4 NICs ? Or is that just 3? Aren't these two views of the same hardware?

lan 1 0/0/14/1/0 (vPar 1)
lan 1 1/0/14/1/0 (vPar 2)

And if so, I'm wondering what happened to my 4th NIC which has a cable plugged in to it.
<<<<

If you look closely, they are two different hardware paths.

vpar1 - Cell board 0 path
vpar2 - cell board 1 path

If you want to use the second NIC card for NFS or backup purposes, then you can do it. Just add the proper entries in the netconf file and bring up the network interface card. But you won't be able to use it for a failover configuration.
Carl Houseman
Super Advisor

Re: Configuring 2nd LAN cards to isolate inter-system traffic

After I bring up the 2nd cards how do I assign a preference for NFS traffic or whatever I want to be using that path? How does HP-UX choose?

(sorry, haven't searched/googled on that specific topic yet)
IT_2007
Honored Contributor

Re: Configuring 2nd LAN cards to isolate inter-system traffic

Usually, the second network interface is used for Netbackup so that the data network doesn't get overloaded. There is no easy way to use the second network card only for an NFS share unless you script the IP address in the application.

A better way to achieve high speed is port aggregation, which means you will get higher throughput on one network using two LAN cards. You run two network cables to the switch and configure port aggregation at the host and switch level.
Prasanth B
Trusted Contributor
Solution

Re: Configuring 2nd LAN cards to isolate inter-system traffic

Hi

While assigning an IP address to the second NIC, assign a name as well. Add the name and IP into DNS or hosts file. While using NFS use the Name assigned to the second NIC and HPUX will route the traffic automatically.

From the second vPar, do:

mount -F nfs name_assigned_to_second_nic:/test /test

Make sure that the host can resolve name_assigned_to_second_nic properly.

-PB
Take life as it comes
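
Added example, not part of the original thread: a portable sh check for the "make sure the host can resolve the name properly" step, confirming that the NFS name maps onto the private network rather than the office LAN. The host names, the 192.168.50.0/24 private addresses and the sample hosts file are constructed; the 10.1.x.x addresses and the hex netmask form are the ones shown earlier in the thread.

```shell
#!/bin/sh
# Check that an NFS server name resolves onto the private LAN, not the office LAN.

# Dotted quad -> integer.
ip_to_int() {
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    echo $(( ($1 << 24) + ($2 << 16) + ($3 << 8) + $4 ))
}

# True when two addresses share a network under a hex netmask
# (the form ifconfig prints in the thread, e.g. ffff0000).
same_net() {
    a=$(ip_to_int "$1") || return 2
    b=$(ip_to_int "$2") || return 2
    m=$((0x$3))
    [ $(( a & m )) -eq $(( b & m )) ]
}

# First address listed for a name (or alias) in a hosts-format file.
lookup_hosts() {
    awk -v n="$1" '{ sub(/#.*/, "") }
        NF >= 2 { for (i = 2; i <= NF; i++) if ($i == n) { print $1; exit } }' "$2"
}

# Usage: nfs_path_check NAME HOSTS_FILE LOCAL_PRIVATE_IP HEX_NETMASK
# Prints private, office or unresolved; non-zero status unless private.
nfs_path_check() {
    addr=$(lookup_hosts "$1" "$2")
    [ -n "$addr" ] || { echo unresolved; return 1; }
    if same_net "$addr" "$3" "$4"; then echo private; else echo office; return 1; fi
}

# Constructed sample hosts file (names and 192.168.50.x addresses are assumptions).
HOSTS_SAMPLE=$(mktemp)
trap 'rm -f "$HOSTS_SAMPLE"' EXIT
cat > "$HOSTS_SAMPLE" <<'EOF'
10.1.1.9      vpar1        # office LAN (address from the thread)
10.1.1.15     vpar2        # office LAN (address from the thread)
192.168.50.1  vpar1-nfs    # private LAN (assumed)
192.168.50.2  vpar2-nfs    # private LAN (assumed)
EOF

# As run on vpar1, whose private interface is assumed to be 192.168.50.1/24.
echo "vpar2-nfs: $(nfs_path_check vpar2-nfs "$HOSTS_SAMPLE" 192.168.50.1 ffffff00)"
echo "vpar2:     $(nfs_path_check vpar2 "$HOSTS_SAMPLE" 192.168.50.1 ffffff00 || true)"
```

A result of office for the name used in the mount command means the NFS traffic would still cross the office switch, which is the case the second NIC is meant to avoid.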
Eric Lemmers
Occasional Advisor

Re: Configuring 2nd LAN cards to isolate inter-system traffic

Carl,

You can't achieve all the goals at the same time, unfortunately.

A separate LAN for your NFS traffic is possible. Just create a private LAN, export the file system and give access only to the private IP on the client side.
After this you can't use the private LAN adapters for any failover capability to the office LAN, unfortunately. The APA software that has to be used for automatic adapter failover can't be used in that way.

Greetings,

Eric
Carl Houseman
Super Advisor

Re: Configuring 2nd LAN cards to isolate inter-system traffic

Can I not do something with multiple default routes to cause failover?

i.e. if primary default route fails, secondary one which uses the other vPar as its default gateway kicks in.

This possibility came to my attention because I found that if a TCP connection went unanswered, something in HP-UX would try to ping the (default route) gateway, and if unsuccessful would stop using that gateway altogether (gateway was a firewall that wasn't responding to ping, so I had to allow ping to prevent this behavior).

So I reason that if it can't get to the default gateway of default route #1, it will ignore it and start using the gateway of default route #2.

The only question is how to make sure that default route #1 is always preferred over default route #2.
IT_2007
Honored Contributor

Re: Configuring 2nd LAN cards to isolate inter-system traffic

Can I not do something with multiple default routes to cause failover?

i.e. if primary default route fails, secondary one which uses the other vPar as its default gateway kicks in.

This possibility came to my attention because I found that if a TCP connection went unanswered, something in HP-UX would try to ping the (default route) gateway, and if unsuccessful would stop using that gateway altogether (gateway was a firewall that wasn't responding to ping, so I had to allow ping to prevent this behavior).

So I reason that if it can't get to the default gateway of default route #1, it will ignore it and start using the gateway of default route #2.

The only question is how to make sure that default route #1 is always preferred over default route #2.
-------================+++++++++++

Default means one, not more than one. You can't have more than one default route. If you want failover functionality then better use port aggregation so that you would achieve higher throughput and failover.
Carl Houseman
Super Advisor

Re: Configuring 2nd LAN cards to isolate inter-system traffic

In any multi-homed system you can have multiple default routes.

The problem is the failover to the secondary default route will only happen for traffic which is destined for a different network from either primary or secondary NICs. I'd have to put both NICs on a different IP network from the usual office LAN to make it work.

So short term I guess I'll just settle for keeping NFS traffic off the main switch/LAN.

Strange that there's not much to be found for "multi-homed HP-UX".
Jonathan Fife
Honored Contributor

Re: Configuring 2nd LAN cards to isolate inter-system traffic

You could always kludge it and write a script that checks to see if the primary route is reachable and if not performs the route commands to disable the original default and assign a new default to the 2nd nic.

I've had problems in the past assigning a default route to a secondary lan card higher up the chain than the first (ie. setting a default route for lan2 when there is a lan0), but hopefully YMMV.

Jon
Decay is inherent in all compounded things. Strive on with diligence
Carl Houseman
Super Advisor

Re: Configuring 2nd LAN cards to isolate inter-system traffic

As I said earlier, the default route is disabled automagically if its gateway isn't responding to ping. Don't know where that's documented, but it caught me by surprise.
Jonathan Fife
Honored Contributor

Re: Configuring 2nd LAN cards to isolate inter-system traffic

Well then your job is half-done :)

Write a script to monitor if the default route is disabled and if so remove it and add a default route through the other vPar.
Decay is inherent in all compounded things. Strive on with diligence
Carl Houseman
Super Advisor

Re: Configuring 2nd LAN cards to isolate inter-system traffic

I think I should be able to have both default routes in place all the time (HP-UX permits it). A higher metric on the secondary one should prevent its use unless the primary is being ignored.

Problem is, for traffic to use ANY default gateway I have to make that traffic come from another network. And that means putting a router between my main network and the networks of either NIC in both machines. That would need to be a gigabit router which I don't currently have.

So I guess I'm just segregating the NFS traffic until the failover becomes important enough. :(
Carl Houseman
Super Advisor

Re: Configuring 2nd LAN cards to isolate inter-system traffic

Thanks everyone. Looks like I'll just segregate the NFS traffic for now.