Cisco Email Security Appliance X1050 Troubleshooting Guide

How do I force which source interface in a given subnet is used on a Cisco Email Security Appliance?
Document ID: 118167
Contributed by Cisco TAC Engineers.
Aug 07, 2014
Question
How do I force which source interface in a given subnet is used on a Cisco Email Security Appliance?
Environment: Cisco Email Security Appliance (ESA), all versions of AsyncOS.
The behavior for Auto is fairly simple when each subnet has only one IP address.  If your environment
requires that a specific interface be used for delivery and you have multiple IPs in a subnet, you can use
netmasks to force which interface is used.  Here is how:
Normally, you would configure all IPs in a subnet to use the same netmask, like so:
Currently configured interfaces:
1. Interface1 (10.0.0.1/24: interface1.example.com)
2. Interface2 (10.0.0.2/24: interface2.example.com)
3. Interface3 (10.0.0.3/24: interface3.example.com)
If you wanted 10.0.0.1 to be the primary delivery interface, you would change the netmask on the other two
addresses to be 255.255.255.255, leaving 10.0.0.1 with the real netmask of 255.255.255.0 like so:
Currently configured interfaces:
1. Interface1 (10.0.0.1/24: interface1.example.com)
2. Interface2 (10.0.0.2/32: interface2.example.com)
3. Interface3 (10.0.0.3/32: interface3.example.com)
To edit the netmask for each interface, use the commands:
interfaceconfig -> edit -> interface name or number -> change this setting:
Netmask (Ex: "255.255.255.0" or "0xffffff00"):
[255.255.255.0]> 255.255.255.255
Changing the netmask to 255.255.255.255 has no negative impact, so long as one IP remains on the real
netmask.  AsyncOS already does this for each subnet.  By changing this in interfaceconfig, you are simply
forcing which interface has the real netmask instead of allowing this to be automated.
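
The condition above (exactly one IP in the subnet keeps the real netmask, the rest use 255.255.255.255) can be checked offline before committing the change. The following is an added example, not Cisco code: it assumes the "Currently configured interfaces" listing has been pasted into a string and that the operator supplies the real subnet; the function names are hypothetical.

```python
import ipaddress
import re

# One line of the "Currently configured interfaces" listing, e.g.
# "2. Interface2 (10.0.0.2/32: interface2.example.com)"
LINE_RE = re.compile(r"^\s*(?:\d+\.\s*)?(\S+)\s+\(([\d.]+)/(\d+):\s*\S+\)\s*$")

def parse_listing(text):
    """Return [(name, IPv4Interface)] for every interface line found."""
    found = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            name, addr, prefix = m.groups()
            found.append((name, ipaddress.ip_interface(f"{addr}/{prefix}")))
    return found

def forced_interface(listing, real_subnet):
    """Return the one interface in real_subnet that keeps the real netmask.

    Raises ValueError if zero or several interfaces keep it, or if an
    interface in the subnet has a netmask that is neither real nor /32.
    """
    net = ipaddress.ip_network(real_subnet)
    holders, odd = [], []
    for name, iface in parse_listing(listing):
        if iface.ip not in net:
            continue                      # belongs to another subnet
        if iface.network == net:
            holders.append(name)          # carries the real netmask
        elif iface.network.prefixlen != 32:
            odd.append(name)              # neither real nor host mask
    if odd:
        raise ValueError(f"unexpected netmask on {odd}")
    if len(holders) != 1:
        raise ValueError(f"{len(holders)} interfaces keep the real netmask: {holders}")
    return holders[0]

# Constructed sample input: the second listing from this document.
AFTER = """\
1. Interface1 (10.0.0.1/24: interface1.example.com)
2. Interface2 (10.0.0.2/32: interface2.example.com)
3. Interface3 (10.0.0.3/32: interface3.example.com)
"""

if __name__ == "__main__":
    print(forced_interface(AFTER, "10.0.0.0/24"))
```

Run against the first listing (all three addresses on /24), the check raises because three interfaces keep the real netmask, so none is forced.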