DDOS Source Based Routing ?

Hope this helps

Data Domain systems do not generate or respond to any of the network routing

management protocols (RIP, EGRP/EIGRP, and BGP). The only routing implemented on a

Data Domain system is based upon the internal route table, in which the administrator

may define a specific network or subnet that a physical interface (or interface group)

uses.

Data Domain systems use source-based routing, which means that outbound network

packets that match the subnet of multiple interfaces are routed only over the physical

interface from which they originated.

Routing for connections initiated from the Data Domain system, such as for replication,

depends on the source address used for interfaces on the same subnet. To force traffic

for a specific interface to a specific destination (even if that interface is on the same

subnet as other interfaces), configure a static routing entry between the two systems: this

static routing overrides source routing.

Just to clarify that DD does not have any Routing mechanism and if you really need to do routing then you will have to create static routes.

i am asking about source based routing not working,  if you are commenting you do know what that is right ?

Apologies for the delayed reply - was on vacation.

It's far from something I am massively familiar with but...

I think when we refer to "source routing" we are basically talking about RPF, this can be set in strict, loose etc... We had enforced "strict" and that can catch people unawares, this is entirely to do with static routes on the DD.

What I think you are hoping to leverage is "source routing" where you state in the packet 'what path you want it to take'.

I don't think DD can leverage that, we don't appear to support the 2 IP header options that would state the path without a route on the DD to force it.

Source based (on DD) refers to RPF and that it will always try to reply on the path you want where a static route exists, when there is no static route, then it will use the only stated route - which is the default gateway and so you DO get a reply (with your 5.7.2.0) but it's not the path you want - with strict RPF you would get no reply because there was an attempt by EMC to protect the DD by implementing this strict RPF into asymmetric routing environments.

I have to agree that it's easy to confuse the 2 entirely different methods in the admin guide but from the other thread, it seems that what you see and experience on your DD, entirely supports this being the case.

As I say, this is not something I've played with much, so apologies if I've gone 'off piste' on your question.

Note; will post this here and in your other thread topic - you can reply on either if you have further questions.

Looking for better understanding of ifgroup default group

Regards, Jonathan

Jonathan,

thank you for replying. I have spent entire week going back and forth with DD support.  They did bring up RPF but it's not the same as SBR, at least what i consider SBR.

I gave support this example.  As you can see there are multiple interfaces and each interface is on a different subnet. If i have a client on DMZ network (not the same subnet as DD interface though) and it tried to talk to interface eth4a, without a static route in place the request tries to go out my default gateway interface (eth1a). Problem is that eth1a is on a different network, firewall'ed away from DMZ, so my request never gets back to the client.  What SBR does on VNX and Isilon is that unless i have a static route in place,  reply will go out the same interface request came in through. This is what i was hoping SBR on DD would do as well.  Support pretty much told me that SBR on DD does not work like that and when i pressed for explanation what SBR does on DD ..i was told that if the client is on the same subnet as my DD interface, then the reply will go back out the same interface it came in.  So if my client is on 10.199.102.0/24 subnet and it talks to eth4a interface, then DD will reply back using eth4a interface.   I don't understand how that's SBR, if there is no routing happening whatsoever, you are simply replying to a device on layer 2 network, nothing to route.

Anyway, i was told to go back to setting static routes ( I have 40 of those).

Neil,

According to DD engineering ( and we did escalate pretty high), Data Domain does not have SBR. Basically it works just like any other *nix platform, unless you have a static route in place it will reply using your default gateway. Of course if your client is on the same subnet as your DD interface, it will reply through that interface.  Data Domain does not have the same routing functionality like you have in Celerra/VNX with packet reflect and SBR on Isilon.  So i ended up setting static routes.

hi Dynamox,

Just reading through the above issues you were experiencing with SBR on DD - we seem to be experiencing very similar issues at the moment and wondering whether you had any further updates or had to resolve the issue with multiple static routes?

Thanks in advanace

Neil