10. Layer 2 Connectivity Issues Part 5
Common layer two Issues and Best Practices it is very common to experience misconfiguration at layer two. Sometimes it’s related to Vlan. You should configure Vlan ten on this particular network device, but accidentally you configured Vlan Eleven, or sometimes it is related to eight two one Q or Tagging. You’re supposed to enable tagging on this particular switch port or this particular big IP interface. But accidentally you configure an untag interface. Or sometimes it is already configured 802 one Q. But instead of adding these four Vlans, you only add three Vlans. So the Vlans are not matching on this layer to the Vice switch and let’s say your big IP device.
Okay, so these are the common misconfiguration. Sometimes it’s Vlan based, sometimes it is 802 or tag interface based, and sometimes it is also related to some other protocols such as LACP or some other arp related map address learning issues. Now, we also have some recommendations and suggestions in order for you to troubleshoot more effectively. This is to verify arp resolution on a big IP device or even neighboring devices such as layer two switch or even layer three devices. We also recommend that you have to verify the interface status.
From there you will have an idea if the interface is not just up or down, that is more on the physical status, but also what type of interface is configured on that particular port, is it tagged or untag? What Vln is associated with, and many others. And of course please check the configuration. Now this will make an advantage for the Cli because from the cli you will have an easy view. What is the configuration of not just objects but also interfaces for High Availability? It is highly recommend or part of our best practice to enable map masquerading. We’ve already talked about how Mac masquerading works and this is to experience low network impact during a failover process.
So it is also used for High Availability optimization. And last, and this is probably the most important, it is always recommended to create a proper documentation. Documentation is very important and even if you already have a documentation, it is always best to update it very frequently. If there is a new configuration or if you have a new Vlan or new available links, update your documentation. This will always help you to troubleshoot not only in your layer two two networks, but also layer one up to the application on the OSI model and will help you troubleshoot your entire network.
11. Layer 3 Connectivity Issues Part 1
Now let’s move to layer three connectivity issues. We have here server one that is connected to routers interface e one with an IP address of 170 216 810 21. We also have a server two which is connected to routers e two interface with an IP address of 170 80, 216 721. Now in your exam you will be asked something like this. You have a diagram and which of the following is correct. Now there is a story behind where you are designing a small data center environment and you’re starting with two servers. Now they will provide you with options obviously, and based from the options you have to analyze and understand which of the options has the most sense.
Now let’s start. The first option here is they don’t need a router that is connected in between server one and server two because they are in the same subnet. Now if you are a beginner in networking, you will still need to convert this to binary and analyze if they are correctly in the same subnet or different subnet. Okay, we will do that in a bit. We also have the second option where server two should be reachable by the first entry of servers one’s routing table. So this is the routing table of server one and this is the first entry. It’s a default gateway towards 2170 216 8254. And unfortunately there is no 170 216 8254 in our diagram.
So amongst all option, probably this has the least sense of all because I don’t see two, five, four, or maybe it’s not shown here. There is another interface connected to a layer three device with that IP address, but we can remove this in our options. Okay, that is definitely not correct. Now the third and fourth option is server two should be reachable by the second entry of servers one’s routing table. Now to understand this better, we’ll have to analyze by converting these IP address of servers one and server two to binary. Well, partially we’re not going to convert all objects to binary, but let’s figure out which is the network side and the host side.
We’ll start with servers one IP address, it’s 170 216 and we’re going to start converting on the third and fourth octet because the first two octets, it’s not really the focus of our analysis because we’re trying to deal with 21 and the first and second their ratio of eight to 16. So let’s just copy the first and second octave. I’m going to start converting again the third octave to binary. So we have eight is very simple if you want to convert it to binary. We already know that if this is set to one, this is 128 and 19224 and sorry, this is one to eight, this is 64, this is 32, this is 16. Okay, so eight is this one and the rest is zero. So we’ve already talked about that in the first section, which is the networking partner.
And this is dot eight. We have 1010 is eight plus two. So we’ll just copy the first five binary. And this is eight already. Plus two, we will add 1010 is here. So this is 172 1610. Okay. Now this is slash 21. We’re going to use these prefix later. For now, let’s just convert the third and fourth of ten to binary. For server number two, I will use 170 2160. And this is seven. So seven is before eight, eight is 10 zero. Now before that it was one, one, one. Again, if one one one plus one binary, we’re going to move another binary integer and make it 10 zero. It become four anyway. So this is seven on 20 is 16. Plus 416 will be the fourth of.
It coming from the lip on plus four is this. So servers one, server one and two binary conversion of third and fourth of is here. Now let’s look at the prefix. We are using 21 on both server one and server two, meaning the divider of network and host will be this is already 16. Eight plus eight is 16, 17, 18, 19, 20, 21. So this is where we do the divider. And again, this is the network side. This is the host side. If you look at the network side, 172 and 16, they are matching. How about 0001 versus all zeros? Are they matching, yes or no? Of course no. Because servers one network is supposed to be 170, 216, 80. So the network again of server one is 170 216 80.
That’s its network address while the server’s two network address is 170 216 00:21. So option A is incorrect. Option B, we’ve already talked about. This is also incorrect. Now our answer will be either option C or option D. Okay? Now let’s try to figure out. It says on the option C, the route that it will be used is the second entry and which is 172, dot 16, dot zero, dot zero, gateway to 172, dot 16 eight, dot one, which is this IP address of the router. And look@the. net, mask 245-24-5245, dot zero. Now maybe you’re thinking this is slash 24, okay? And this is slash 21. They are not matching.
Okay, remember guys, if you are creating routes, the netmask that you’re configuring in your router or in this case in a server doesn’t need to match the network or the prefix or the netmask of your destination. In this case, the destination is server too. You don’t need to know. This is 21. What you’re configuring here is the range of IP address for this route, meaning the network range for 170 2160 for the second entry will be up to 170, 2160, 2255. Why is that? Because the range is only focusing on the fourth octave. That’s what it means. You see the zero here? That means any IP address on the fourth octave. Now if we use 255-2550, that means any IP address on the third and fourth octave.
Now let’s do the third entry. Third entry is 172 dot 16, dot seven, dot zero to 172 dot 16, dot seven, dot two five. Five. Okay, so this is the range of the third object. If you look at the IP address of server number two, where will it fall? This range or this range? Again, it doesn’t need to be slash 21 even this is slash 32. As long as it falls on the range of IP address of the destination, which is server two, that would be valid. But again, to answer the question is which range this IP address would fall? Is it this range, option C, or this range option D? And it’s very obvious it is options D range. Because of the third octet, we have seven value on the third object. Same with the server to IP address.
12. Layer 3 Connectivity Issues Part 2
Now in our second example, we’ll be using our big IP appliance and in its internal network we have three servers. This servers is listening to port 80 and they are added in a pool called Http underscore pool. And this pool is associated to the virtual server. Now, the issue is as the client sends requests to the virtual server and it’s actually a web application, it is reported that sometimes clients experiencing downtime but majority they can access the web applications without problem. So meaning sometimes it’s working, sometimes not, but for the most part or majority it is working. Now in your exam you will be provided some options. Options for this example, you may get something like it is a load balancing issue.
Well, if your client is experiencing downtime or inaccessibility to the application, load balancing has nothing to do with this. All right? So that’s something that you need to take note of. It may also provide you related to help monitoring. Maybe one of the servers is marked offline. Let’s say this server is marked offline. Well, if this server is marked offline, what will happen is the big IP will stop sending traffic to this third server. Why? Because the big IP detects it is offline. So the big IP will not even attempt pouring the traffic to this church river and your client will not experience downtime. Now, the most probable cause here is that there is no help monitor configured or associated to this pool.
No monitor, okay, that is the first 1. Second is it has something to do with our routing table. And we have routing table for all servers, servers one, two and three. Now let’s look servers one routing table, it says all traffic, it will be sent back to the big IP. So here’s how it works. Clients send Http requests, the big IP process it, do the load balancing and select one server. Let’s say it selected server one. Now the servers one receive the traffic, process it and it’s now ready for response. It’s about to send Http request, but to who? The source is this. Assuming that we don’t enable Snap, the server will say hey, your network ten 130, I can send it back via the big IP which is self IP address 170 216, 131.
This default gateway. Now this is the same case with server three. Server three receive the Http request and send it back to Dvip shelf IP address 172, dot 16 one, dot 31. How about with server two? As you see here, we have three route entries. The first entry is this is default gateway, meaning all routes 17000, 225-525-5255 will be sent back to the peak IP, the self IP address of 170, 216, 131. Now, we also have the second entry which is 10100, 210, ten 255255. Okay, and it send, it will send back to the big IP, self IP address. This is what’s really happening in server One and server Three. But look at the third entry. This is the range of 1010 10 to ten 10 1255.
Okay, now if you think about it, the reason why the return traffic is not getting back to the source, which is the client, it is because once the server to receive it, the Http request and process it, it is sent to an IP address that doesn’t exist 172 16 133. Because it’s not configured in our big IP. No, it’s somewhere else. Okay, now maybe you’re thinking we understand this is an issue, but we still have the first and second route entry. Why is the server not using this? Well, in any routing configuration, whether it’s a router of the Earth free switch or in this case, this is a Linux server, it will always choose the most specific route entry.
In this case, since the source is 1010 130, it falls I know it falls on these three entries, but it’s more specific to the third entry. As you see, the first, second and third octet is matching with the client. So the big IP not big IP, the server. It will say, hey, it falls on this route entry and I will forward the return traffic to 170 216 133. So in short, it will bypass the first and second entry. Now back to the question what is the issue of these web application access from the client? It is something related to help monitors. There is no help monitor associated to the pool. And server two has an incorrect route entry because 170 216 133 does exist in our big IP device.
13. Layer 3 Connectivity Issues Part 3
All right, so in our third example, we have a client that is trying to access the web application but it’s not successful. He also verified that he can ping the virtual server. And before that, we have only one server, 172, 1621, listening to port 80. And this is added to a pool called pool one. It’s just a pool which is one pool member. And this pool is associated to our virtual server with an IP address of 1010 100 listening to port 18. Again, the client sends traffic or Http requests to this virtual server, but it’s unsuccessful. Okay? And we also have a floating self IP address configured on both external and internal network. On the internal network we have 170, 216, 133.
Also take note that this server, this web application server is only allowing Http requests from an IP range of ten dot, ten dot one dot zero slash 24, which is which is the IP range of ten dot ten dot one dot zero to ten dot ten dot one dot two five five. And obviously this IP address of the client is within that range. Now, what is causing this issue? Now I’m back here in our big IP cli. We’re in the advanced shell or the Linux batch. I will introduce you to a command called TCP Dump. This is a packet capture tool that is available to most, if not all, Linux operating system. This allows us to display TCP IP and other packets that’s being transmitted and received. Now I’m going to start typing. TCP dump. I use the tab completion.
This is a valid Linux command. Now I’m not going to hit Enter because there are flags and options that we would like to understand. The first option is the I means interface and you may specify one two. This is the interface number or interface name of our internal network. We can also use under I is the internal Vlan name. Either internal or one two will provide us the same results. Now we would like to capture only to the destination 170, 216, 21. This is the node of the first server, or should I say the IP address of the first server which is also the node. And if I hit Enter, this will start doing packet capture. And you see that we are already receiving a capture here. This is Icmp. Equity request.
It’s doing this because our big IP is sending Icmp to this node because we’re using Icmp help monitor to cancel, just use control C. Now what I am going to do is I will also add the port. I’m going to specify port 80 because this is the traffic that we want to capture on the internal side of our big IP device. Now I’m going to hit Enter and it start capturing.But there is no traffic yet, so we’re going to generate traffic. I’m here in the Windows client. All I need to do is hit refresh and as you see, we are getting the result. It is sending traffic to the server 170 216 21. Listening to Http and look at our source IP address. It’s 172 dot 16 one dot 33.
What is one dot 33? This is the floating self IP of the floating self IP address of our big IP device from the internal network. Now, the reason why the server is not responding is because it’s not receiving a traffic from ten 1010 range. It’s receiving traffic from this specific IP address. Now, what I’m going to do is I’m going to hit control C. And there’s something that I would like to also introduce. This is the dash N and another N. This allows us to not translate the IP address to names. As you can see here we are using Http as a port name, not the number. And here we’re using Globe as the client port. We’re not seeing the number, although this is a number port number.
Now using the N will stop translating both the IP address and the port. Now let’s go back again to the Windows client PC. I’m going to hit refresh again. All right, let’s do it again, refresh. And as you can see, we’re still sending from 170 216, 133 to our full member. 170 216 21, listening to port 80. This time we are seeing old numbers again. We are not seeing names like the one from the previous. We are seeing all numbers from the IP address and from the port. Now, as I mentioned, the reason why the servers or the server, that specific server, we only have one full member anyway. The reason why this full member is not sending back the Http response, because it’s not accepting this IP address, it’s not from the range of ten 10 to 25.
And the reason we have this IP address, because the virtual server Http underscore Vs has enabled Snap or the source network address. Translation. Now we verified from our advanced shell in our big Ipcli that what’s causing the issue is because Snap is enabled. So this server is not seeing the source IP address as 1010 130, but it’s seeing the source address or source IP address as the floating IP address of the big IP device. So as it hits this pull member, it will say hey, you are 172 dot 16 one dot 33. I’m not accepting any connections from you. So there will be no response back to the big IP. So therefore the client doesn’t see a successful web Http connections. In short, it’s the Snap that’s causing the issue.