CSS 11501

Discussion in 'Cisco' started by P1, Jun 2, 2009.

  1. P1

    P1 Guest

    I found myself needing to put this device to use. I have an existing
    network setup and need to implement this load balancer, but this thing
    is very complex with many modes of operation and features found on
    switches, routers and firewalls.

    After a day of reading through documentation and examples, I'm
    thoroughly confused.

    My current setup is simple:
    http://uvdevnull.110mb.com/net1.pdf

    I need to implement load balancing of 2 servers in VLAN2 (.21 and .22)
    and 2 servers in VLAN3 (.31 and .32)

    This is what I have so far in my CSS config:

    !**************** INTERFACE ****
    interface e1
      bridge vlan 2

    interface e5
      bridge vlan 3

    !**************** CIRCUIT ****
    circuit VLAN2
      ip address 172.16.2.3 255.255.255.0

    circuit VLAN3
      ip address 172.16.3.3 255.255.255.0

    !**************** SERVICE ****
    service srv4
      ip address 172.16.2.21
      keepalive type tcp
      keepalive port 80
      active
    service srv5
      ip address 172.16.2.22
      keepalive type tcp
      keepalive port 80
      active

    !***************** OWNER *****
    owner vlan2_servers

      content app1
        vip address 172.16.2.100
        add service srv4
        add service srv5
        balance leastconn
        port 80
        protocol tcp
        active

    (eof)

    Will this work just by connecting port 1 of the CSS to the VLAN2 section
    on the switch? I imagine not, so I'm wondering what the best way to do
    this would be, whether it's a different config or different
    interconnections.

    Thanks,
    Paul

    PS. Yes, I've been on a posting spree. When it rains, it pours :)
     
    P1, Jun 2, 2009
    #1

  2. P1

    P1 Guest

    P1 wrote:
    > I found myself needing to put this device to use. I have an existing
    > network setup and need to implement this load balancer, but this thing
    > is very complex with many modes of operation and features found on
    > switches, routers and firewalls.
    >
    > After a day of reading through documentation and examples, I'm
    > thoroughly confused.
    >
    > My current setup is simple:
    > http://uvdevnull.110mb.com/net1.pdf
    >
    > I need to implement load balancing of 2 servers in VLAN2 (.21 and .22)
    > and 2 servers in VLAN3 (.31 and .32)
    >
    > This is what I have so far in my CSS config:
    >
    > !**************** INTERFACE ****
    > interface e1
    > bridge vlan 2
    >
    > interface e5
    > bridge vlan 3
    >
    > !**************** CIRCUIT ****
    > circuit VLAN2
    > ip address 172.16.2.3 255.255.255.0
    >
    > circuit VLAN3
    > ip address 172.16.3.3 255.255.255.0
    >
    > !**************** SERVICE ****
    > service srv4
    > ip address 172.16.2.21
    > keepalive type tcp
    > keepalive port 80
    > active
    > service srv5
    > ip address 172.16.2.22
    > keepalive type tcp
    > keepalive port 80
    > active
    >
    > !***************** OWNER *****
    > owner vlan2_servers
    >
    > content app1
    > vip address 172.16.2.100
    > add service srv4
    > add service srv5
    > balance leastconn
    > port 80
    > protocol tcp
    > active
    >
    > (eof)
    >
    > Will this work just by connecting port 1 of the CSS to the VLAN2 section
    > on the switch? I imagine not, so I'm wondering what the best way to do
    > this would be, whether it's a different config or different
    > interconnections.
    >
    > Thanks,
    > Paul
    >
    > PS. Yes, I've been on a posting spree. When it rains, it pours :)


    Or do I assign one more port per VLAN and connect the CSS between the
    Firewall and Switch?
     
    P1, Jun 2, 2009
    #2

  3. P1 wrote:
    > P1 wrote:
    >> I found myself needing to put this device to use. I have an existing
    >> network setup and need to implement this load balancer, but this thing
    >> is very complex with many modes of operation and features found on
    >> switches, routers and firewalls.
    >>
    >> After a day of reading through documentation and examples, I'm
    >> thoroughly confused.
    >>
    >> My current setup is simple:
    >> http://uvdevnull.110mb.com/net1.pdf
    >>
    >> I need to implement load balancing of 2 servers in VLAN2 (.21 and .22)
    >> and 2 servers in VLAN3 (.31 and .32)
    >>
    >> This is what I have so far in my CSS config:
    >>
    >> !**************** INTERFACE ****
    >> interface e1
    >> bridge vlan 2
    >>
    >> interface e5
    >> bridge vlan 3
    >>
    >> !**************** CIRCUIT ****
    >> circuit VLAN2
    >> ip address 172.16.2.3 255.255.255.0
    >>
    >> circuit VLAN3
    >> ip address 172.16.3.3 255.255.255.0
    >>
    >> !**************** SERVICE ****
    >> service srv4
    >> ip address 172.16.2.21
    >> keepalive type tcp
    >> keepalive port 80
    >> active
    >> service srv5
    >> ip address 172.16.2.22
    >> keepalive type tcp
    >> keepalive port 80
    >> active
    >>
    >> !***************** OWNER *****
    >> owner vlan2_servers
    >>
    >> content app1
    >> vip address 172.16.2.100
    >> add service srv4
    >> add service srv5
    >> balance leastconn
    >> port 80
    >> protocol tcp
    >> active
    >>
    >> (eof)
    >>
    >> Will this work just by connecting port 1 of the CSS to the VLAN2
    >> section on the switch? I imagine not, so I'm wondering what the best
    >> way to do this would be, whether it's a different config or different
    >> interconnections.


    If you make sure return traffic hits the CSS - why not? You can either
    change the default gateway on srv4 and 5 to point to 172.16.2.3 or do
    full NAT on the CSS and translate source IPs to 172.16.2.3.

    > Or do I assign one more port per VLAN and connect the CSS between the
    > Firewall and Switch?


    Or you can do that :)

    Load balancers are first and foremost NAT devices. You have to figure out
    what mode you want to use - bridged (transparent) or routed - how
    traffic gets from client to VIP, how traffic gets from VIP to the real
    server, how return traffic gets back to the load balancer (unless you are
    doing direct server return), and the last leg - from LB back to client.

    Chances are you will be doing destination NAT - changing the destination
    IP from VIP to real server IP. You may need to change the source if the
    LB is not in the direct path of return traffic. Everything else is just
    bells and whistles :)

    Regards,
    Andrey.
     
    Andrey Tarasov, Jun 3, 2009
    #3
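    The legs Andrey lists, worked through as a small packet-flow model. This is an added example, not CSS code and not from anyone in the thread: the VIP, circuit and real-server addresses are taken from the config posted above, while the client address 198.51.100.10 and the round-robin choice of server are constructed (the post uses leastconn). The `full_nat` flag is the "full NAT" option he mentions: the CSS rewrites the client source to its own circuit address, so the server's reply is on-subnet and comes straight back to the CSS whatever the server's default gateway is.

```python
"""
Packet-flow model of the legs a load balancer has to cover (added example,
not CSS code): client -> VIP, VIP -> real server via destination NAT,
server -> balancer (the return path), balancer -> client.
Addresses come from the thread; the client address is constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

VIP = "172.16.2.100"
CSS_IP = "172.16.2.3"              # circuit VLAN2 address of the CSS
FIREWALL_IP = "172.16.2.1"         # the servers' current default gateway
SERVER_SUBNET = ip_network("172.16.2.0/24")
REAL_SERVERS = ("172.16.2.21", "172.16.2.22")
CLIENT = "198.51.100.10"           # constructed client outside the server subnet


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int


class LoadBalancer:
    """Destination NAT from the VIP to a real server, optionally also
    translating the client source to CSS_IP ("full NAT")."""

    def __init__(self, full_nat: bool):
        self.full_nat = full_nat
        self.table = {}    # (server, sport, client-as-seen, cport) -> original request
        self.turn = 0      # round-robin pointer (constructed; the post uses leastconn)

    def forward(self, req: Packet) -> Packet:
        if req.dst != VIP:
            raise ValueError("packet is not addressed to the VIP")
        server = REAL_SERVERS[self.turn % len(REAL_SERVERS)]
        self.turn += 1
        src = CSS_IP if self.full_nat else req.src
        out = Packet(src=src, dst=server, sport=req.sport, dport=req.dport)
        # remember the translation so the reply can be undone later
        self.table[(out.dst, out.dport, out.src, out.sport)] = req
        return out

    def reverse(self, reply: Packet) -> Packet:
        req = self.table[(reply.src, reply.sport, reply.dst, reply.dport)]
        # the client must see the answer come from the VIP it connected to
        return Packet(src=VIP, dst=req.src, sport=req.dport, dport=req.sport)


def server_reply(req: Packet) -> Packet:
    """The real server answers whoever the request appeared to come from."""
    return Packet(src=req.dst, dst=req.src, sport=req.dport, dport=req.sport)


def next_hop(pkt: Packet, gateway: str) -> str:
    """A host sends on-subnet traffic directly and everything else to its gateway."""
    return pkt.dst if ip_address(pkt.dst) in SERVER_SUBNET else gateway


def simulate(server_gateway: str, full_nat: bool) -> dict:
    """Run one client request through the balancer and report where the reply goes."""
    lb = LoadBalancer(full_nat)
    request = Packet(CLIENT, VIP, 40000, 80)
    to_server = lb.forward(request)
    reply = server_reply(to_server)
    hop = next_hop(reply, server_gateway)
    if hop != CSS_IP:
        # the reply leaves via the firewall carrying the real server's address;
        # the client expected an answer from the VIP, so the connection fails
        return {"ok": False, "server": to_server.dst, "reply_via": hop,
                "client_sees_src": reply.src}
    back = lb.reverse(reply)
    return {"ok": True, "server": to_server.dst, "reply_via": hop,
            "client_sees_src": back.src}


if __name__ == "__main__":
    for gw, nat in ((FIREWALL_IP, False), (CSS_IP, False), (FIREWALL_IP, True)):
        print(f"gateway={gw} full_nat={nat}: {simulate(gw, nat)}")
```

    With the servers' present gateway (172.16.2.1) and no source translation, the reply goes out through the firewall with the real server's address as its source, which the client never connected to; pointing the gateway at 172.16.2.3 or enabling the source translation both bring the reply back through the CSS. The price of the translation is that the servers see every client as 172.16.2.3, so per-client logging and access control on the servers lose the real client address.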
  4. P1

    P1 Guest

    Andrey Tarasov wrote:
    > P1 wrote:
    >> P1 wrote:
    >>> I found myself needing to put this device to use. I have an existing
    >>> network setup and need to implement this load balancer, but this
    >>> thing is very complex with many modes of operation and features found
    >>> on switches, routers and firewalls.
    >>>
    >>> After a day of reading through documentation and examples, I'm
    >>> thoroughly confused.
    >>>
    >>> My current setup is simple:
    >>> http://uvdevnull.110mb.com/net1.pdf
    >>>
    >>> I need to implement load balancing of 2 servers in VLAN2 (.21 and
    >>> .22) and 2 servers in VLAN3 (.31 and .32)
    >>>
    >>> This is what I have so far in my CSS config:
    >>>
    >>> !**************** INTERFACE ****
    >>> interface e1
    >>> bridge vlan 2
    >>>
    >>> interface e5
    >>> bridge vlan 3
    >>>
    >>> !**************** CIRCUIT ****
    >>> circuit VLAN2
    >>> ip address 172.16.2.3 255.255.255.0
    >>>
    >>> circuit VLAN3
    >>> ip address 172.16.3.3 255.255.255.0
    >>>
    >>> !**************** SERVICE ****
    >>> service srv4
    >>> ip address 172.16.2.21
    >>> keepalive type tcp
    >>> keepalive port 80
    >>> active
    >>> service srv5
    >>> ip address 172.16.2.22
    >>> keepalive type tcp
    >>> keepalive port 80
    >>> active
    >>>
    >>> !***************** OWNER *****
    >>> owner vlan2_servers
    >>>
    >>> content app1
    >>> vip address 172.16.2.100
    >>> add service srv4
    >>> add service srv5
    >>> balance leastconn
    >>> port 80
    >>> protocol tcp
    >>> active
    >>>
    >>> (eof)
    >>>
    >>> Will this work just by connecting port 1 of the CSS to the VLAN2
    >>> section on the switch? I imagine not, so I'm wondering what the best
    >>> way to do this would be, whether it's a different config or different
    >>> interconnections.

    >
    > If you will make sure return traffic hits CSS - why not? You can either
    > change default gateway on srv4 and 5 to point to 172.16.2.3 or do full
    > NAT on CSS and translate source IPs to 172.16.2.3.
    >
    >> Or do I assign one more port per VLAN and connect the CSS between the
    >> Firewall and Switch?

    >
    > Or you can do that :)
    >
    > Load balancers are first and foremost NAT device. You have to figure out
    > what mode do you want to use - bridged (transparent) or routed, how
    > traffic gets from client to VIP, how traffic gets from VIP to the real
    > server, how return traffic gets back to load balancer (unless you are
    > doing direct server return), and last leg - from LB back to client.
    >
    > Chances are you will be doing destination NAT - changing destination IP
    > from VIP to real server IP. You may need to change source if LB is not
    > in the direct path of return traffic. Everything else is just bells and
    > whistles :)
    >
    > Regards,
    > Andrey.


    Hi Andrey,
    How are the two modes, bridged vs routed, different? How do you
    configure the modes?

    Here's my physical diagram:
    http://uvdevnull.110mb.com/net2.pdf

    And my latest config:

    !**************** INTERFACE ****
    interface e1
      bridge vlan 2

    interface e2
      bridge vlan 3

    interface e5
      bridge vlan 2

    interface e6
      bridge vlan 3

    !**************** CIRCUIT ****
    circuit VLAN2
      ip address 172.16.2.3 255.255.255.0

    circuit VLAN3
      ip address 172.16.3.3 255.255.255.0

    !**************** SERVICE ****
    service srv4
      ip address 172.16.2.21
      keepalive type tcp
      keepalive port 80
      active
    service srv5
      ip address 172.16.2.22
      keepalive type tcp
      keepalive port 80
      active

    !***************** OWNER *****
    owner vlan2_servers

      content app1
        vip address 172.16.2.100
        add service srv4
        add service srv5
        balance leastconn
        port 80
        protocol tcp
        active

    (eof)

    Interestingly enough, with this setup, without using any VIP addresses,
    only existing IPs of the servers, I'm able to connect to servers in
    VLAN3 from outside, but not from servers on VLAN2. However, I'm able to
    ping servers on VLAN3 from servers on VLAN2. Servers on VLAN2 have
    172.16.2.1 as their gateway and servers on VLAN3 have 172.16.3.1 as
    theirs. What kind of NATing is the CSS doing at this point? What mode
    is it in? I was under the impression that in the current setup, the CSS
    would only work as a LAN switch, not NATing anything. I guess I don't
    have a fundamental understanding of how this device actually works :(

    Thanks,
    Paul
     
    P1, Jun 4, 2009
    #4
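    A parser and sanity check for the configuration in the post above. This is an added example, not Cisco code and not from anyone in the thread. The config text is copied from the post, and the servers' gateway (172.16.2.1) is the one the post reports; the check rules are mine and encode the concerns raised here: whether the services and the VIP sit on a circuit subnet, whether a circuit balances anything at all, that a second IP circuit gives the CSS a routed interface in another subnet, and that a real server whose gateway is not the CSS sends its replies around it.

```python
"""
Parser and sanity checker for the CSS configuration posted above (added
example, not Cisco code). The check rules are assumptions that encode the
thread's concerns; the config and the servers' gateway come from the post.
"""
from ipaddress import ip_address, ip_interface

# The configuration from the post above (blank lines dropped).
CONFIG = """
interface e1
  bridge vlan 2
interface e2
  bridge vlan 3
interface e5
  bridge vlan 2
interface e6
  bridge vlan 3
circuit VLAN2
  ip address 172.16.2.3 255.255.255.0
circuit VLAN3
  ip address 172.16.3.3 255.255.255.0
service srv4
  ip address 172.16.2.21
  keepalive type tcp
  keepalive port 80
  active
service srv5
  ip address 172.16.2.22
  keepalive type tcp
  keepalive port 80
  active
owner vlan2_servers
  content app1
    vip address 172.16.2.100
    add service srv4
    add service srv5
    balance leastconn
    port 80
    protocol tcp
    active
"""
SECTION_KEYWORDS = ("interface", "circuit", "service", "owner", "content")


def parse_css_config(text):
    """Return {(kind, name): [sub-command word lists]} in file order."""
    blocks, section = {}, None
    for raw in text.splitlines():
        words = raw.split()
        if not words or words[0].startswith("!") or words[0] == "(eof)":
            continue
        if words[0] in SECTION_KEYWORDS:
            section = (words[0], words[1])
            blocks[section] = []
        elif section is not None:
            blocks[section].append(words)
    return blocks


def args(block, *prefix):
    """Arguments of every sub-command in block that starts with prefix."""
    n = len(prefix)
    return [w[n:] for w in block if w[:n] == list(prefix)]


def check_config(blocks, server_gateways):
    """server_gateways: {real server ip: its default gateway}, as reported in the post."""
    circuits = {name: ip_interface("/".join(args(b, "ip", "address")[0]))
                for (kind, name), b in blocks.items() if kind == "circuit"}
    services = {name: ip_address(args(b, "ip", "address")[0][0])
                for (kind, name), b in blocks.items() if kind == "service"}

    def circuit_for(addr):
        return next((c for c, i in circuits.items() if addr in i.network), None)

    findings = []
    if len(circuits) > 1:
        findings.append("routing: circuits %s each carry an IP address, so the CSS has a routed "
                        "interface in each of those subnets and can forward between them "
                        "alongside the firewall" % ", ".join(circuits))
    for name, ip in services.items():
        c = circuit_for(ip)
        if c is None:
            findings.append(f"unreachable: service {name} ({ip}) is on no circuit subnet")
            continue
        gw = server_gateways.get(str(ip))
        if gw and ip_address(gw) != circuits[c].ip:
            findings.append(f"return-path: {name} uses gateway {gw}, not the CSS address "
                            f"{circuits[c].ip}; replies to off-subnet clients bypass the CSS "
                            "unless the client source address is translated")
    for (kind, name), b in blocks.items():
        if kind != "content":
            continue
        vip = ip_address(args(b, "vip", "address")[0][0])
        if circuit_for(vip) is None:
            findings.append(f"unreachable: VIP {vip} of content {name} is on no circuit subnet")
        for (member,) in args(b, "add", "service"):
            if member not in services:
                findings.append(f"missing: content {name} adds undefined service {member}")
    for c, i in circuits.items():
        if not any(circuit_for(ip) == c for ip in services.values()):
            findings.append(f"unused: circuit {c} ({i.network}) has no services, so nothing there is balanced")
    return findings


if __name__ == "__main__":
    gateways = {"172.16.2.21": "172.16.2.1", "172.16.2.22": "172.16.2.1"}
    for line in check_config(parse_css_config(CONFIG), gateways):
        print(line)
```

    Run as is, it reports the routed interface on both VLANs, the two servers whose gateway bypasses the CSS, and that circuit VLAN3 balances nothing because no service is defined for .31 and .32; changing the gateway map to 172.16.2.3 clears the return-path findings.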
  5. P1

    P1 Guest

    P1 wrote:
    > Andrey Tarasov wrote:
    >> P1 wrote:
    >>> P1 wrote:
    >>>> I found myself needing to put this device to use. I have an existing
    >>>> network setup and need to implement this load balancer, but this
    >>>> thing is very complex with many modes of operation and features
    >>>> found on switches, routers and firewalls.
    >>>>
    >>>> After a day of reading through documentation and examples, I'm
    >>>> thoroughly confused.
    >>>>
    >>>> My current setup is simple:
    >>>> http://uvdevnull.110mb.com/net1.pdf
    >>>>
    >>>> I need to implement load balancing of 2 servers in VLAN2 (.21 and
    >>>> .22) and 2 servers in VLAN3 (.31 and .32)
    >>>>
    >>>> This is what I have so far in my CSS config:
    >>>>
    >>>> !**************** INTERFACE ****
    >>>> interface e1
    >>>> bridge vlan 2
    >>>>
    >>>> interface e5
    >>>> bridge vlan 3
    >>>>
    >>>> !**************** CIRCUIT ****
    >>>> circuit VLAN2
    >>>> ip address 172.16.2.3 255.255.255.0
    >>>>
    >>>> circuit VLAN3
    >>>> ip address 172.16.3.3 255.255.255.0
    >>>>
    >>>> !**************** SERVICE ****
    >>>> service srv4
    >>>> ip address 172.16.2.21
    >>>> keepalive type tcp
    >>>> keepalive port 80
    >>>> active
    >>>> service srv5
    >>>> ip address 172.16.2.22
    >>>> keepalive type tcp
    >>>> keepalive port 80
    >>>> active
    >>>>
    >>>> !***************** OWNER *****
    >>>> owner vlan2_servers
    >>>>
    >>>> content app1
    >>>> vip address 172.16.2.100
    >>>> add service srv4
    >>>> add service srv5
    >>>> balance leastconn
    >>>> port 80
    >>>> protocol tcp
    >>>> active
    >>>>
    >>>> (eof)
    >>>>
    >>>> Will this work just by connecting port 1 of the CSS to the VLAN2
    >>>> section on the switch? I imagine not, so I'm wondering what the
    >>>> best way to do this would be, whether it's a different config or
    >>>> different interconnections.

    >>
    >> If you will make sure return traffic hits CSS - why not? You can
    >> either change default gateway on srv4 and 5 to point to 172.16.2.3 or
    >> do full NAT on CSS and translate source IPs to 172.16.2.3.
    >>
    >>> Or do I assign one more port per VLAN and connect the CSS between the
    >>> Firewall and Switch?

    >>
    >> Or you can do that :)
    >>
    >> Load balancers are first and foremost NAT device. You have to figure
    >> out what mode do you want to use - bridged (transparent) or routed,
    >> how traffic gets from client to VIP, how traffic gets from VIP to the
    >> real server, how return traffic gets back to load balancer (unless you
    >> are doing direct server return), and last leg - from LB back to client.
    >>
    >> Chances are you will be doing destination NAT - changing destination
    >> IP from VIP to real server IP. You may need to change source if LB is
    >> not in the direct path of return traffic. Everything else is just
    >> bells and whistles :)
    >>
    >> Regards,
    >> Andrey.

    >
    > Hi Andrey,
    > How are the two modes, bridged vs routed, different? How do you
    > configure the modes?
    >
    > Here's my physical diagram:
    > http://uvdevnull.110mb.com/net2.pdf
    >
    > And my latest config:
    >
    > !**************** INTERFACE ****
    > interface e1
    > bridge vlan 2
    >
    > interface e2
    > bridge vlan 3
    >
    > interface e5
    > bridge vlan 2
    >
    > interface e6
    > bridge vlan 3
    >
    > !**************** CIRCUIT ****
    > circuit VLAN2
    > ip address 172.16.2.3 255.255.255.0
    >
    > circuit VLAN3
    > ip address 172.16.3.3 255.255.255.0
    >
    > !**************** SERVICE ****
    > service srv4
    > ip address 172.16.2.21
    > keepalive type tcp
    > keepalive port 80
    > active
    > service srv5
    > ip address 172.16.2.22
    > keepalive type tcp
    > keepalive port 80
    > active
    >
    > !***************** OWNER *****
    > owner vlan2_servers
    >
    > content app1
    > vip address 172.16.2.100
    > add service srv4
    > add service srv5
    > balance leastconn
    > port 80
    > protocol tcp
    > active
    >
    > (eof)
    >
    > Interestingly enough, with this setup, without using any VIP addresses,
    > only existing IPs of the servers, I'm able to connect to servers in
    > VLAN3 from outside, but not from servers on VLAN2. However, I'm able to
    > ping servers on VLAN3 from servers on VLAN2. Servers on VLAN2 have
    > 172.16.2.1 as their gateway and servers on VLAN3 have 172.16.3.1 as
    > theirs. What kind of NATing is the CSS doing at this point? What mode
    > is it in? I was under the impression that in the current setup, the CSS
    > would only work as a LAN switch, not NATing anything. I guess I don't
    > have a fundamental understanding of how this device actually works :(
    >
    > Thanks,
    > Paul


    Is this CSS trying to route between 172.16.2.0 and 172.16.3.0?
    That is not my intention. The firewall is set up to do this, including
    appropriate ACLs, etc. Can I just have the CSS pass traffic to the
    firewall without messing with it? My only intention is to have the CSS
    balance two servers on each subnet for connections from outside, but do
    not interfere with any traffic between the internal subnets. Is that
    possible?
     
    P1, Jun 4, 2009
    #5
  6. P1 wrote:
    > P1 wrote:
    >> Andrey Tarasov wrote:
    >>> P1 wrote:
    >>>> P1 wrote:
    >>>>> I found myself needing to put this device to use. I have an
    >>>>> existing network setup and need to implement this load balancer,
    >>>>> but this thing is very complex with many modes of operation and
    >>>>> features found on switches, routers and firewalls.
    >>>>>
    >>>>> After a day of reading through documentation and examples, I'm
    >>>>> thoroughly confused.
    >>>>>
    >>>>> My current setup is simple:
    >>>>> http://uvdevnull.110mb.com/net1.pdf
    >>>>>
    >>>>> I need to implement load balancing of 2 servers in VLAN2 (.21 and
    >>>>> .22) and 2 servers in VLAN3 (.31 and .32)
    >>>>>
    >>>>> This is what I have so far in my CSS config:
    >>>>>
    >>>>> !**************** INTERFACE ****
    >>>>> interface e1
    >>>>> bridge vlan 2
    >>>>>
    >>>>> interface e5
    >>>>> bridge vlan 3
    >>>>>
    >>>>> !**************** CIRCUIT ****
    >>>>> circuit VLAN2
    >>>>> ip address 172.16.2.3 255.255.255.0
    >>>>>
    >>>>> circuit VLAN3
    >>>>> ip address 172.16.3.3 255.255.255.0
    >>>>>
    >>>>> !**************** SERVICE ****
    >>>>> service srv4
    >>>>> ip address 172.16.2.21
    >>>>> keepalive type tcp
    >>>>> keepalive port 80
    >>>>> active
    >>>>> service srv5
    >>>>> ip address 172.16.2.22
    >>>>> keepalive type tcp
    >>>>> keepalive port 80
    >>>>> active
    >>>>>
    >>>>> !***************** OWNER *****
    >>>>> owner vlan2_servers
    >>>>>
    >>>>> content app1
    >>>>> vip address 172.16.2.100
    >>>>> add service srv4
    >>>>> add service srv5
    >>>>> balance leastconn
    >>>>> port 80
    >>>>> protocol tcp
    >>>>> active
    >>>>>
    >>>>> (eof)
    >>>>>
    >>>>> Will this work just by connecting port 1 of the CSS to the VLAN2
    >>>>> section on the switch? I imagine not, so I'm wondering what the
    >>>>> best way to do this would be, whether it's a different config or
    >>>>> different interconnections.
    >>>
    >>> If you will make sure return traffic hits CSS - why not? You can
    >>> either change default gateway on srv4 and 5 to point to 172.16.2.3 or
    >>> do full NAT on CSS and translate source IPs to 172.16.2.3.
    >>>
    >>>> Or do I assign one more port per VLAN and connect the CSS between
    >>>> the Firewall and Switch?
    >>>
    >>> Or you can do that :)
    >>>
    >>> Load balancers are first and foremost NAT device. You have to figure
    >>> out what mode do you want to use - bridged (transparent) or routed,
    >>> how traffic gets from client to VIP, how traffic gets from VIP to the
    >>> real server, how return traffic gets back to load balancer (unless
    >>> you are doing direct server return), and last leg - from LB back to
    >>> client.
    >>>
    >>> Chances are you will be doing destination NAT - changing destination
    >>> IP from VIP to real server IP. You may need to change source if LB is
    >>> not in the direct path of return traffic. Everything else is just
    >>> bells and whistles :)
    >>>
    >>> Regards,
    >>> Andrey.

    >>
    >> Hi Andrey,
    >> How are the two modes, bridged vs routed, different? How do you
    >> configure the modes?
    >>
    >> Here's my physical diagram:
    >> http://uvdevnull.110mb.com/net2.pdf
    >>
    >> And my latest config:
    >>
    >> !**************** INTERFACE ****
    >> interface e1
    >> bridge vlan 2
    >>
    >> interface e2
    >> bridge vlan 3
    >>
    >> interface e5
    >> bridge vlan 2
    >>
    >> interface e6
    >> bridge vlan 3
    >>
    >> !**************** CIRCUIT ****
    >> circuit VLAN2
    >> ip address 172.16.2.3 255.255.255.0
    >>
    >> circuit VLAN3
    >> ip address 172.16.3.3 255.255.255.0
    >>
    >> !**************** SERVICE ****
    >> service srv4
    >> ip address 172.16.2.21
    >> keepalive type tcp
    >> keepalive port 80
    >> active
    >> service srv5
    >> ip address 172.16.2.22
    >> keepalive type tcp
    >> keepalive port 80
    >> active
    >>
    >> !***************** OWNER *****
    >> owner vlan2_servers
    >>
    >> content app1
    >> vip address 172.16.2.100
    >> add service srv4
    >> add service srv5
    >> balance leastconn
    >> port 80
    >> protocol tcp
    >> active
    >>
    >> (eof)
    >>
    >> Interestingly enough, with this setup, without using any VIP
    >> addresses, only existing IPs of the servers, I'm able to connect to
    >> servers in VLAN3 from outside, but not from servers on VLAN2.
    >> However, I'm able to ping servers on VLAN3 from servers on VLAN2.
    >> Servers on VLAN2 have 172.16.2.1 as their gateway and servers on VLAN3
    >> have 172.16.3.1 as theirs. What kind of NATing is the CSS doing at
    >> this point? What mode is it in? I was under the impression that in
    >> the current setup, the CSS would only work as a LAN switch, not NATing
    >> anything. I guess I don't have a fundamental understanding of how
    >> this device actually works :(
    >>
    >> Thanks,
    >> Paul

    >
    > Is this CSS trying to route between 172.16.2.0 and 172.16.3.0?
    > That is not my intention. The firewall is set up to do this, including
    > appropriate ACLs, etc. Can I just have the CSS pass traffic to the
    > firewall without messing with it? My only intention is to have the CSS
    > balance two servers on each subnet for connections from outside, but do
    > not interfere with any traffic between the internal subnets. Is that
    > possible?


    Here is a whitepaper with an overview of the CSS architecture -
    http://www.cisco.com/en/US/products/hw/contnetw/ps792/products_white_paper09186a0080136856.shtml

    Given your requirements, you will have to use one-armed mode (by the
    way, there is no bridged mode on this box; I mixed it up with ACE). Here
    is an example (just ignore the redundancy stuff)

    http://www.cisco.com/en/US/products...s_configuration_example09186a00802206a3.shtml

    I couldn't find a configuration example for full NAT, so it's quite
    possible that the CSS doesn't do that. You will have to use the CSS as
    the default gateway for your servers in that case. Also, since the CSS
    doesn't support contexts, you will need two boxes - one for each VLAN -
    to keep traffic separated.

    Regards,
    Andrey.
     
    Andrey Tarasov, Jun 5, 2009
    #6
  7. P1

    Guest

    On Jun 4, 11:00 pm, Andrey Tarasov <> wrote:
    > P1 wrote:
    > > P1 wrote:
    > >> Andrey Tarasov wrote:
    > >>> P1 wrote:
    > >>>> P1 wrote:
    > >>>>> I found myself needing to put this device to use. I have an
    > >>>>> existing network setup and need to implement this load balancer,
    > >>>>> but this thing is very complex with many modes of operation and
    > >>>>> features found on switches, routers and firewalls.

    >
    > >>>>> After a day of reading through documentation and examples, I'm
    > >>>>> thoroughly confused.

    >
    > >>>>> My current setup is simple:
    > >>>>>http://uvdevnull.110mb.com/net1.pdf

    >
    > >>>>> I need to implement load balancing of 2 servers in VLAN2 (.21 and
    > >>>>> .22) and 2 servers in VLAN3 (.31 and .32)

    >
    > >>>>> This is what I have so far in my CSS config:

    >
    > >>>>> !**************** INTERFACE ****
    > >>>>> interface e1
    > >>>>>   bridge vlan 2

    >
    > >>>>> interface e5
    > >>>>>   bridge vlan 3

    >
    > >>>>> !**************** CIRCUIT ****
    > >>>>> circuit VLAN2
    > >>>>>   ip address 172.16.2.3 255.255.255.0

    >
    > >>>>> circuit VLAN3
    > >>>>>   ip address 172.16.3.3 255.255.255.0

    >
    > >>>>> !**************** SERVICE ****
    > >>>>> service srv4
    > >>>>>   ip address 172.16.2.21
    > >>>>>   keepalive type tcp
    > >>>>>   keepalive port 80
    > >>>>>   active
    > >>>>> service srv5
    > >>>>>   ip address 172.16.2.22
    > >>>>>   keepalive type tcp
    > >>>>>   keepalive port 80
    > >>>>>   active

    >
    > >>>>> !***************** OWNER *****
    > >>>>> owner vlan2_servers

    >
    > >>>>>   content app1
    > >>>>>     vip address 172.16.2.100
    > >>>>>     add service srv4
    > >>>>>     add service srv5
    > >>>>>     balance leastconn
    > >>>>>     port 80
    > >>>>>     protocol tcp
    > >>>>>     active

    >
    > >>>>> (eof)

    >
    > >>>>> Will this work just by connecting port 1 of the CSS to the VLAN2
    > >>>>> section on the switch?  I imagine not, so I'm wondering what the
    > >>>>> best way to do this would be, whether it's a different config or
    > >>>>> different interconnections.

    >
    > >>> If you will make sure return traffic hits CSS - why not? You can
    > >>> either change default gateway on srv4 and 5 to point to 172.16.2.3 or
    > >>> do full NAT on CSS and translate source IPs to 172.16.2.3.

    >
    > >>>> Or do I assign one more port per VLAN and connect the CSS between
    > >>>> the Firewall and Switch?

    >
    > >>> Or you can do that :)

    >
    > >>> Load balancers are first and foremost NAT device. You have to figure
    > >>> out what mode do you want to use - bridged (transparent) or routed,
    > >>> how traffic gets from client to VIP, how traffic gets from VIP to the
    > >>> real server, how return traffic gets back to load balancer (unless
    > >>> you are doing direct server return), and last leg - from LB back to
    > >>> client.

    >
    > >>> Chances are you will be doing destination NAT - changing destination
    > >>> IP from VIP to real server IP. You may need to change source if LB is
    > >>> not in the direct path of return traffic. Everything else is just
    > >>> bells and whistles :)

    >
    > >>> Regards,
    > >>> Andrey.

    >
    > >> Hi Andrey,
    > >> How are the two modes, bridged vs routed, different?  How do you
    > >> configure the modes?

    >
    > >> Here's my physical diagram:
    > >>http://uvdevnull.110mb.com/net2.pdf

    >
    > >> And my latest config:

    >
    > >> !**************** INTERFACE ****
    > >> interface e1
    > >>   bridge vlan 2

    >
    > >> interface e2
    > >>   bridge vlan 3

    >
    > >> interface e5
    > >>   bridge vlan 2

    >
    > >> interface e6
    > >>   bridge vlan 3

    >
    > >> !**************** CIRCUIT ****
    > >> circuit VLAN2
    > >>   ip address 172.16.2.3 255.255.255.0

    >
    > >> circuit VLAN3
    > >>   ip address 172.16.3.3 255.255.255.0

    >
    > >> !**************** SERVICE ****
    > >> service srv4
    > >>   ip address 172.16.2.21
    > >>   keepalive type tcp
    > >>   keepalive port 80
    > >>   active
    > >> service srv5
    > >>   ip address 172.16.2.22
    > >>   keepalive type tcp
    > >>   keepalive port 80
    > >>   active

    >
    > >> !***************** OWNER *****
    > >> owner vlan2_servers

    >
    > >>   content app1
    > >>     vip address 172.16.2.100
    > >>     add service srv4
    > >>     add service srv5
    > >>     balance leastconn
    > >>     port 80
    > >>     protocol tcp
    > >>     active

    >
    > >> (eof)

    >
    > >> Interestingly enough, with this setup, without using any VIP
    > >> addresses, only existing IPs of the servers, I'm able to connect to
    > >> servers in VLAN3 from outside, but not from servers on VLAN2.  
    > >> However, I'm able to ping servers on VLAN3 from servers on VLAN2.  
    > >> Servers on VLAN2 have 172.16.2.1 as their gateway and servers on VLAN3
    > >> have 172.16.3.1 as theirs.  What kind of NATing is the CSS doing at
    > >> this point?  What mode is it in?  I was under the impression that in
    > >> the current setup, the CSS would only work as a LAN switch, not NATing
    > >> anything.  I guess I don't have a fundamental understanding of how
    > >> this device actually works :(

    >
    > >> Thanks,
    > >> Paul

    >
    > > Is this CSS trying to route between 172.16.2.0 and 172.16.3.0?
    > > That is not my intention.  The firewall is set up to do this, including
    > > appropriate ACLs, etc.  Can I just have the CSS pass traffic to the
    > > firewall without messing with it?  My only intention is to have the CSS
    > > balance two servers on each subnet for connections from outside, but do
    > > not interfere with any traffic between the internal subnets.  Is that
    > > possible?

    >
    > Here is whitepaper with overview of CSS architecture -http://www.cisco.com/en/US/products/hw/contnetw/ps792/products_white_...
    >
    > Given your requirements, you will have to use one-armed mode (by the
    > way, no bridged mode on this box, I mixed it with ACE). Here is the
    > example (just ignore redundancy stuff)
    >
    > http://www.cisco.com/en/US/products/hw/contnetw/ps792/products_config...
    >
    > I couldn't find configuration example for full NAT, so it's quite
    > possible that CSS doesn't do that. You will have to use CSS as default
    > gateway for your servers in that case. Also, since CSS doesn't support
    > contexts, you will need two boxes - one for each VLAN to keep traffic
    > separated.
    >
    > Regards,
    > Andrey.




    You are better off using a two-armed mode with VIPs in the long run.
    Full NAT, as you are calling it, is achieved by using source groups -

    http://www.cisco.com/en/US/docs/app...guration/content_lb/guide/SGrp.html#wp1149782
     
    , Jun 9, 2009
    #7
  8. wrote:

    >> Here is whitepaper with overview of CSS architecture -http://www.cisco.com/en/US/products/hw/contnetw/ps792/products_white_...
    >>
    >> Given your requirements, you will have to use one-armed mode (by the
    >> way, no bridged mode on this box, I mixed it with ACE). Here is the
    >> example (just ignore redundancy stuff)
    >>
    >> http://www.cisco.com/en/US/products/hw/contnetw/ps792/products_config...
    >>
    >> I couldn't find configuration example for full NAT, so it's quite
    >> possible that CSS doesn't do that. You will have to use CSS as default
    >> gateway for your servers in that case. Also, since CSS doesn't support
    >> contexts, you will need two boxes - one for each VLAN to keep traffic
    >> separated.


    > You are better off using a 2 armed mode with VIP's in the long run.


    I'm pretty sure CSS and "in the long run" can't be used in the same
    sentence :)

    > Full NAT as you are calling it is achieved by using source groups-
    >
    > http://www.cisco.com/en/US/docs/app...guration/content_lb/guide/SGrp.html#wp1149782


    Not really. Source groups do NAT for connections initiated by servers.
    Full NAT is when client source IPs are translated into an IP owned by the
    load balancer.

    Regards,
    Andrey.
     
    Andrey Tarasov, Jun 10, 2009
    #8