FAQ: Can the MGMT and WAN Interfaces both be on the same Network?

This configuration is possible but not recommended.

It is not recommended to have both MGMT and WAN on the same network, and this should only be done when separation of the traffic by interface is not required and the MGMT Filter is disabled.

If you elect to have both MGMT and WAN on the same network, it is critical that you disable the MGMT Filter, which is a firewall between the two interfaces and is enabled by default. The MGMT Filter can be disabled via:

1. ForumOS CLI command - from enabled mode run "network config mgmt-filter"

2. WebAdmin interface - on the System>>Configuration>>Network page you can adjust the MGMT Filter drop-down. Please note that this change may cause you to lose access to the WebAdmin interface, so serial console access to the CLI is recommended before you make this or any other changes to the MGMT settings.

 

If you elect to have both the MGMT and WAN on the same subnet and still want to direct traffic to one interface or the other, this may ultimately cause problems for either runtime traffic, admin traffic, or both.

See: https://helpdesk.forumsys.com/entries/72162806-FAQ-Sentry-WebAdmin-and-CLI-are-Inaccessible

Here is an example to help clarify this:

1. Suppose your network address is 10.10.10.0/255.255.255.0/255

2. Your choices are:

MGMT = 10.10.10.10
WAN = 10.10.10.11
Gateway = 10.10.10.1

3. Your routing table will look like this:

10.10.10.0 * 255.255.255.0 NET MGMT
10.10.10.0 * 255.255.255.0 NET WAN
11.11.11.0 * 255.255.255.0 NET WAN
0.0.0.0 10.10.10.1 0.0.0.0 NET MGMT

The routing table shows the 3 routes set up based on the interfaces you have and their addresses. It also contains a static route where the choice is to use WAN for traffic to/from the 11.11.11.0 network.

4. Scenario:

Suppose you want all traffic to/from 11.11.11.0 to use the WAN interface. The problem with this is that in order to get to 11.11.11.0, the WAN interface will have to use the gateway 10.10.10.1, which is attached to the MGMT interface. This will require that you set up your default route on the WAN and not the MGMT, even when both are on the same network.
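
The routing problem in this example can be checked mechanically. The following Python model is an added example, not code from Forum Systems or the original article: it loads the routing table and interface addresses shown above, applies generic longest-prefix matching (an assumption, since the article does not say how ForumOS breaks ties between equal routes), and flags the duplicate-subnet route and the WAN route that depends on a gateway bound to MGMT. The names `lookup` and `audit` are hypothetical.

```python
import ipaddress
from collections import defaultdict

# Values from the example above. "*" means the row has no gateway.
INTERFACES = {"MGMT": "10.10.10.10", "WAN": "10.10.10.11"}
ROUTES = [  # (destination, gateway, netmask, interface)
    ("10.10.10.0", "*", "255.255.255.0", "MGMT"),
    ("10.10.10.0", "*", "255.255.255.0", "WAN"),
    ("11.11.11.0", "*", "255.255.255.0", "WAN"),
    ("0.0.0.0", "10.10.10.1", "0.0.0.0", "MGMT"),
]

def parse(routes):
    """Convert table rows to (network, gateway or None, interface)."""
    return [(ipaddress.ip_network(f"{dst}/{mask}"),
             None if gw == "*" else ipaddress.ip_address(gw), ifc)
            for dst, gw, mask, ifc in routes]

def lookup(routes, dest):
    """Generic longest-prefix match; returns the interfaces tied for best route."""
    addr = ipaddress.ip_address(dest)
    hits = [r for r in parse(routes) if addr in r[0]]
    best = max((r[0].prefixlen for r in hits), default=None)
    return sorted(r[2] for r in hits if r[0].prefixlen == best)

def audit(routes, interfaces):
    """Flag duplicate-subnet routes and gateway-less routes to off-link networks."""
    parsed, findings = parse(routes), []
    by_net = defaultdict(set)
    for net, _gw, ifc in parsed:
        by_net[net].add(ifc)
    for net, ifcs in by_net.items():
        if len(ifcs) > 1:  # same destination reachable through two interfaces
            findings.append(f"ambiguous: {net} via {'+'.join(sorted(ifcs))}")
    default_ifcs = sorted(ifc for net, _gw, ifc in parsed if net.prefixlen == 0)
    # A route is "connected" when the interface's own address sits inside it.
    connected = {(net, ifc) for net, _gw, ifc in parsed
                 if ipaddress.ip_address(interfaces[ifc]) in net and net.prefixlen}
    for net, gw, ifc in parsed:
        off_link = net.prefixlen and gw is None and (net, ifc) not in connected
        if off_link and ifc not in default_ifcs:
            findings.append(f"off-link: {net} on {ifc}, default gateway on "
                            f"{'+'.join(default_ifcs)}")
    return findings

if __name__ == "__main__":
    print(lookup(ROUTES, "10.10.10.50"), lookup(ROUTES, "11.11.11.20"))
    print("\n".join(audit(ROUTES, INTERFACES)))
```

Moving the default route row to WAN, as step 4 requires, clears the off-link finding; the ambiguous 10.10.10.0 finding remains for as long as both interfaces share the subnet.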

 

An alternative configuration is to use the WAN interface for both admin and runtime traffic and not use the MGMT interface at all. This is common for POC/test/dev environments or less complex network environments.

Ultimately using the MGMT and WAN on different subnets, in either One Port Mode or Inline Dual IP, is the recommended network configuration for Forum Sentry. Please see the attached Hardware Installation Guide for more information on the network topology options in Sentry.

 

In conclusion, the only reason to have multiple NICs configured for the same network is to do some sort of load balancing, bridging, etc., when it is not important which interface is used. This type of routing is rare with Forum Sentry. In the majority of deployments the MGMT and WAN traffic is supposed to be separated, and having two NICs on the same network can cause routing issues.
