CSS 11503 basic setup, help needed.

 
 
Josh Ozura
      05-09-2005
I am trying to set up a CSS11503 for some simple load balancing of 4
web servers. I'm not sure if I am looking at the wrong Cisco
documentation, but I can't seem to find a tutorial that outlines the
beginning-to-end process. Is there such a document out there? If so,
I would greatly appreciate it if someone could point me to it. As an idea
of what I am trying to do: 4 web servers (http and https) on
non-consecutive IPs, all load balanced from one VIP.

Thanks for your help and time.

Josh

 
Eddie
      05-09-2005
Create four services:

service webserver1
ip address x.x.x.x

Do this for all four webservers.

Then create 2 rules, one for port 80 and one for port 443:

Owner Webservers

Rule xxxxxxxxx
ip address x.x.x.x ( ip address for the outside)
port 443
bla bla (see cisco docs for options..)
add service webserver1
add service webserver2
add service webserver3
add service webserver4

Rule xxxxxxxxx
ip address x.x.x.x ( ip address for the outside)
port 80
bla bla
add service webserver1
,,,,,,
.....
....


see also:
http://www.cisco.com/en/US/products/...08011761a.html

Also use sticky parameters if you use transaction servers..

good luck..



 
 
Josh Ozura
      05-09-2005
This is what I have as the config:

!Generated on 05/09/2005 17:37:00
!Active version: sg0750004

configure

!************************** CIRCUIT **************************
circuit VLAN1
  ip address xxx.xxx.204.253 255.255.255.0
  ip address xxx.xxx.205.253 255.255.255.0
  ip address xxx.xxx.206.253 255.255.255.0
  ip address xxx.xxx.207.253 255.255.255.0

!************************** SERVICE **************************
service web1
  ip address xxx.xxx.204.130
  active

service web2
  ip address xxx.xxx.204.131
  active

service web3
  ip address xxx.xxx.204.150
  active

service web4
  ip address xxx.xxx.204.151
  active

!*************************** OWNER ***************************
owner webservers

  content web_http
    protocol tcp
    vip address xxx.xxx.204.250
    port 80
    balance leastconn
    add service web1
    add service web2
    active

  content web_https
    protocol tcp
    vip address xxx.xxx.204.250
    port 443

When I try to go to xxx.xxx.204.250, it returns a connection timed out
error. I can ping the IP address on the switch and I can ping my IP
from the switch, but I cannot connect via http. Any thoughts?

Thanks.

 
 
Eddie
      05-10-2005

I think you need to apply your circuit to an acl.

acl 1
clause 10 permit any any destination any
apply circuit-(VLAN1)

You can try the above; this will let through all traffic.
if that works modify the acl to only permit port 80 and 443.



 
 
Josh Ozura
      05-10-2005
I added the ACL 1 entry as recommended and still nothing. I even
removed service web2 from the port 80 rule to try and just send it to
one server I knew was up, and yet nothing. I have read and reread the
docs but something just isn't correct. *pulls out hair* I will sleep on
it and see if I can figure out something tomorrow. Thanks for the help
guys.

 
 
Josh Ozura
      05-11-2005
Here is what I have now. I am not so much worried about load balancing
as I can't even get anything returned. All 3 parties can ping each
other but still no joy. The CSS seems to be upping its counter
every time I try to connect to the VIP with a web browser, but it still
times out. Just to clarify: the client makes a request to the VIP, the
CSS then sends a request to the webserver, and when content is returned, it
sends it to the client. Is that how I have it set up?

!Generated on 05/11/2005 16:04:51
!Active version: sg0750004

configure

!*************************** GLOBAL ***************************
ip route 0.0.0.0 0.0.0.0 xxx.xxx.204.1 1

!************************** CIRCUIT **************************
circuit VLAN1
  ip address xxx.xxx.204.253 255.255.255.0

!************************** SERVICE **************************
service web1
  ip address xxx.xxx.204.130
  active

service web2
  ip address xxx.xxx.204.131
  active

service web3
  ip address xxx.xxx.204.150
  active

service web4
  ip address xxx.xxx.204.151
  active

!*************************** OWNER ***************************
owner webservers

  content web_http
    protocol tcp
    vip address xxx.xxx.204.250
    port 80
    balance leastconn
    add service web1
    active

  content web_https
    protocol tcp
    vip address xxx.xxx.204.250
    port 443
    add service web1
    add service web2
    active

!**************************** ACL ****************************
acl 1
  clause 10 permit any any destination any
  apply circuit-(VLAN1)

 
Reply With Quote
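Added example, not part of any post in this thread and not Cisco code: a small Python audit over a running-config in the layout pasted above. It flags the permit-all ACL clause that was suggested as a temporary test (so it is not left in place), content rules that have no services or are not active, and services never added to a rule. The names `audit` and `SAMPLE` are hypothetical, the sample config is constructed with documentation addresses, and only the commands visible in this thread are parsed.

```python
# Constructed sample in the thread's config layout (RFC 5737 addresses).
SAMPLE = """\
service web1
  ip address 192.0.2.130
  active
service web2
  ip address 192.0.2.131
  active
owner webservers
  content web_http
    vip address 192.0.2.250
    port 80
    add service web1
    active
  content web_https
    vip address 192.0.2.250
    port 443
acl 1
  clause 10 permit any any destination any
  apply circuit-(VLAN1)
"""

def audit(config):
    """Return findings for a running-config in the layout shown above."""
    services, rules, findings = set(), {}, []
    rule = acl = None
    for line in config.splitlines():
        toks = line.split()
        if not toks or toks[0].startswith("!"): continue  # blank or comment
        if toks[0] in ("service", "owner", "content", "circuit", "interface", "acl"):
            rule = acl = None             # a new stanza closes the previous one
        if toks[0] == "service":
            services.add(toks[1])
        elif toks[0] == "content":
            rule = rules.setdefault(toks[1], {"services": [], "active": False})
        elif toks[0] == "acl":
            acl = toks[1]
        elif rule is not None and toks[:2] == ["add", "service"]:
            rule["services"].append(toks[2])
        elif rule is not None and toks == ["active"]:
            rule["active"] = True
        elif acl and toks[0] == "clause" and toks[2:] == "permit any any destination any".split():
            findings.append(f"acl {acl} clause {toks[1]}: permits all traffic")
    used = {s for r in rules.values() for s in r["services"]}
    for name, r in rules.items():
        if not (r["services"] and r["active"]):
            findings.append(f"content {name}: no services added or not active")
    findings += [f"service {s}: not in any content rule" for s in sorted(services - used)]
    return findings
```

Running `audit(SAMPLE)` reports the open ACL clause, the incomplete `web_https` rule and the unused `web2` service; a config that passes returns an empty list.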
 
Eddie
      05-12-2005
Josh

I see you use only 1 VLAN..

I think you have to create a different Vlan for your web servers front end.

So add a new Circuit.

Circuit VLAN 2

and assign a VLAN 2 address to your Web Server Services. ( and of course
your servers)



 
 
Josh Ozura
      05-16-2005
Ok, so here is my current configuration.

!Generated on 05/13/2005 16:04:24
!Active version: sg0750004

configure

!*************************** GLOBAL ***************************
cdp run
cdp timer 120
sntp primary-server xxx.xxx.207.100 version 3
dns primary xxx.xxx.204.16
ip management route xxx.xxx.207.0 255.255.255.0 xxx.xxx.154.209
ip route 0.0.0.0 0.0.0.0 xxx.xxx.204.1 1

!************************* INTERFACE *************************
interface 1/1
  trunk
  vlan 1
    default-vlan

!************************** CIRCUIT **************************
circuit VLAN1
  ip address xxx.xxx.204.253 255.255.255.0
  ip virtual-router 1 priority 200 preempt
  ip redundant-vip 1 xxx.xxx.204.250

!************************** SERVICE **************************
service server1
  ip address xxx.xxx.204.100
  active

!*************************** OWNER ***************************
owner webservers

  content L3_webservers_LC
    add service server1
    vip address xxx.xxx.204.250
    active

!**************************** ACL ****************************
acl 1
  clause 10 permit any any destination any
  apply circuit-(VLAN1)


It still wasn't working but looked like it should, based on the docs
I have been reading from Cisco. The counters indicating rule hits were
working but still nothing. I turned on debug for everything and then
issued a show log command. This is what I get when I try to hit the
VIP:

MAY 16 09:52:15 1/1 160 FLOWMGR-7:
DoS SYN attack: xxx.xxx.207.83:2366->xxx.xxx.204.250:80
synCnt: 3, initSeq: 79126084

Any ideas on why it thinks I am trying to start a DoS attack?

 
 
Josh Ozura
      05-16-2005
OK, I added the following content rule:

content L5_test
vip address xxx.xxx.204.250
protocol tcp
port 80
url "/*"
add service server1
active

Then I tried a connection and got the following from the log:
MAY 16 14:16:37 1/1 225 FLOWMGR-7:
While spoofing a connection backend, too many SYNs had to be sent to
the server.

xxx.xxx.204.100:80->xxx.xxx.207.83:2907

 
 
ogie_velo
      03-04-2008
Quote:
Originally Posted by Josh Ozura
> OK, I added the following content rule:
>
> content L5_test
> vip address xxx.xxx.204.250
> protocol tcp
> port 80
> url "/*"
> add service server1
> active
>
> Then I tried a connection and got the following from the log:
> MAY 16 14:16:37 1/1 225 FLOWMGR-7:
> While spoofing a connection backend, too many SYNs had to be sent to
> the server.
>
> xxx.xxx.204.100:80->xxx.xxx.207.83:2907

Try to configure the "group ... command"
 