IBM DataPower boxes have several ethernet interfaces and can be misconfigured in a variety of ways. Recently I looked into the configuration of network interfaces on these appliances, and IBM's documentation is lacking in some essential details, so I thought I would write a post about what I found.
Like most systems with multiple network interfaces, once you define a default gateway on a DataPower box it implicitly adds a default route of 0.0.0.0 for that interface. IBM recommend having only a single default route per DataPower appliance, because multiple default routes make for nondeterministic (unpredictable) routing. By default, DataPower will have one route per interface which matches the subnet of that interface's IP address. For example, if the interface's IP address is 192.168.1.2 and the subnet mask is 255.255.255.0, then an implicit route of 192.168.1.0/24 is added to that interface, and the gateway for this subnet is the local IP address itself, because the assumption is that all hosts in this subnet are directly reachable on that local network.
Adding a default gateway to an interface adds another route, the special match-all route of 0.0.0.0, which tells the device that any IP address can be reached through that interface. When a DataPower is making an outbound connection, to a back-end server for example, it looks through the entire routing table for the most specific matching route. If the destination address is not on the local network of one of the device's interfaces and each interface has a default gateway defined, then there will be a match-all route of 0.0.0.0 for every interface. Since these routes are equally specific (or equally generic, in this case), the device chooses one at random for that outbound connection. This can be bad, especially if two or more interfaces are actually on different network segments and one of them cannot physically route to all possible addresses. The result is intermittent connectivity issues which are very difficult to diagnose.
One suggested design pattern is to define a single default gateway on just one interface, so that outbound connections without an explicit route go via that interface as a fall-back. This would normally be the (external) interface facing consumers of the DataPower's services. It allows the device to respond to hosts that it has no explicit route for, which makes sense in an SOA because you want to expose services that can be used by any client and you won't necessarily know how to route to them, so you assume that if they can reach you on that interface then you can route back to them via the same interface. You then need to define explicit routes on the other interfaces for all the servers and clients you want to be able to talk to. With this configuration, any unknown host coming in on the (external) interface with the default gateway defined will get a response, and any known client or server can be reached through whichever interfaces you put explicit routes on.
Another option is to use static routes to separate management traffic from transactional traffic. This prevents bulk I/O operations like backups or log dumps from causing congestion on the interfaces processing transactions or servicing your customers' requests, and this is the method I use on the appliances I manage. It is achieved by setting static routes on one management interface to the known LAN segments where management traffic will either originate or be sent. I've listed some of those likely sources below.
Having static routes defined on the management interface for the LAN segments covering the hosts in the list above means that any outbound connections to those IPs will go via the management interface. It also means that, once you remove the default gateway from the management interface, DataPower will only respond to hosts connecting to the management interface if a static route exists for them in the routing table.
The key to not making a mess of this is to ensure, firstly, that you have easy access to the DataPower serial port, and/or that the host you're connecting from is covered by the static routes on the management interface before you remove the default gateway.
The commands to actually make these changes are shown below. This group of commands will work no matter where you are in the command hierarchy, as calling top places you at the top of the command tree.

    top
    config
    int mgt0
    ip route 10.1.1.0/24 192.168.1.10 0
    no default gateway
The commands above add a route on interface mgt0 to the subnet 10.1.1.0/24 (10.1.1.0 to 10.1.1.255) with a gateway of 192.168.1.10 and a cost of 0, and remove the default gateway from that interface. This means that any host in that address range will be reached from DataPower through interface mgt0, and only inbound traffic from that subnet will be responded to on that interface.
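To make the route selection above concrete, here is a small Python model of the behaviour the post describes: implicit subnet routes, a 0.0.0.0/0 route per default gateway, most-specific-match lookup, and the pre-change check that the host you administer from is still reachable once mgt0 loses its default gateway. This is an added illustration, not code from the post or from IBM, and the interface names, addresses and routes are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass
class Interface:
    name: str
    address: str                     # interface IP with mask, e.g. "192.168.1.2/24"
    default_gateway: str = ""        # empty string means no default gateway
    static_routes: list = field(default_factory=list)  # (destination, gateway, metric)

def routing_table(interfaces):
    """Build the route list as the post describes: one implicit route for each
    interface's own subnet, a 0.0.0.0/0 route for every interface that has a
    default gateway, plus any explicit static routes.
    Entries are (network, interface name, next hop)."""
    table = []
    for itf in interfaces:
        local = ipaddress.ip_interface(itf.address)
        table.append((local.network, itf.name, str(local.ip)))
        if itf.default_gateway:
            table.append((ipaddress.ip_network("0.0.0.0/0"), itf.name, itf.default_gateway))
        for dest, gateway, _metric in itf.static_routes:
            table.append((ipaddress.ip_network(dest), itf.name, gateway))
    return table

def lookup(table, destination):
    """Most-specific-match lookup. Returns every route tied for the longest
    prefix; more than one entry means the appliance picks one at random."""
    ip = ipaddress.ip_address(destination)
    matches = [r for r in table if ip in r[0]]
    if not matches:
        return []
    best = max(r[0].prefixlen for r in matches)
    return [r for r in matches if r[0].prefixlen == best]

def safe_to_drop_gateway(interface, admin_host):
    """Pre-change check: the admin host must sit on the interface's local subnet
    or be covered by one of its static routes before 'no default gateway'."""
    ip = ipaddress.ip_address(admin_host)
    nets = [ipaddress.ip_interface(interface.address).network]
    nets += [ipaddress.ip_network(dest) for dest, _, _ in interface.static_routes]
    return any(ip in net for net in nets)

# Constructed sample: eth0 faces consumers and keeps the only default gateway;
# mgt0 loses its default gateway and gets an explicit route to the admin LAN.
ETH0 = Interface("eth0", "10.0.0.2/24", default_gateway="10.0.0.1")
MGT0_BAD = Interface("mgt0", "192.168.1.2/24", default_gateway="192.168.1.1")
MGT0_GOOD = Interface("mgt0", "192.168.1.2/24",
                      static_routes=[("10.1.1.0/24", "192.168.1.10", 0)])
```

With ETH0 and MGT0_BAD, lookup of 172.16.5.5 returns two tied 0.0.0.0/0 routes, the random-choice case the post warns about; with MGT0_GOOD the same lookup returns only the eth0 route, and 10.1.1.7 resolves to mgt0 via 192.168.1.10.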