CSS 11503 basic setup, help needed.

Discussion in 'Cisco' started by Josh Ozura, May 9, 2005.

  1. Josh Ozura

    Josh Ozura Guest

    I am trying to set up a CSS11503 for some simple load balancing of 4
    web servers. I'm not sure if I am looking at the wrong Cisco
    documentation, but I can't seem to find a tutorial that outlines the
    beginning-to-end process. Is there such a document out there? If so,
    I would greatly appreciate it if someone could point me to it. As an idea
    of what I am trying to do: 4 web servers (HTTP and HTTPS) on
    non-consecutive IPs, all load balanced from one VIP.

    Thanks for your help and time.

    Josh
     
    Josh Ozura, May 9, 2005
    #1

  2. Eddie

    Eddie Guest

    Create four services:

    Service webserver1
      IP address x.x.x.x

    Do this for all four web servers.

    Then create two rules, one for port 80 and one for port 443:

    Owner Webservers

    Rule xxxxxxxxx
      ip address x.x.x.x (IP address for the outside)
      port 443
      bla bla (see Cisco docs for options...)
      add service webserver1
      add service webserver2
      add service webserver3
      add service webserver4

    Rule xxxxxxxxx
      ip address x.x.x.x (IP address for the outside)
      port 80
      bla bla
      add service webserver1
      ...


    see also:
    http://www.cisco.com/en/US/products...configuration_guide_book09186a008011761a.html

    Also use sticky parameters if you use transaction servers..

    good luck..


     
    Eddie, May 9, 2005
    #2

  3. Josh Ozura

    Josh Ozura Guest

    This is what I have as the config:

    !Generated on 05/09/2005 17:37:00
    !Active version: sg0750004

    configure

    !************************** CIRCUIT **************************
    circuit VLAN1
      ip address xxx.xxx.204.253 255.255.255.0
      ip address xxx.xxx.205.253 255.255.255.0
      ip address xxx.xxx.206.253 255.255.255.0
      ip address xxx.xxx.207.253 255.255.255.0

    !************************** SERVICE **************************
    service web1
      ip address xxx.xxx.204.130
      active

    service web2
      ip address xxx.xxx.204.131
      active

    service web3
      ip address xxx.xxx.204.150
      active

    service web4
      ip address xxx.xxx.204.151
      active

    !*************************** OWNER ***************************
    owner webservers

      content web_http
        protocol tcp
        vip address xxx.xxx.204.250
        port 80
        balance leastconn
        add service web1
        add service web2
        active

      content web_https
        protocol tcp
        vip address xxx.xxx.204.250
        port 443

    When I try to go to xxx.xxx.204.250, it returns a "connection timed out"
    error. I can ping the IP address on the switch and I can ping my IP
    from the switch, but I cannot connect via HTTP. Any thoughts?

    Thanks.
     
    Josh Ozura, May 9, 2005
    #3
  4. Eddie

    Eddie Guest

    I think you need to apply your circuit to an ACL.

    acl 1
      clause 10 permit any any destination any
      apply circuit-(VLAN1)

    You can try the above; this will let through all traffic.
    If that works, modify the ACL to only permit ports 80 and 443.


     
    Eddie, May 10, 2005
    #4
  5. Josh Ozura

    Josh Ozura Guest

    I added the ACL 1 entry as recommended and still nothing. I even
    removed service web2 from the port 80 rule to try and just send it to
    one server I knew was up, and yet nothing. I have read and reread the
    docs but something just isn't correct. *pulls out hair* I will sleep on
    it and see if I can figure out something tomorrow. Thanks for the help,
    guys.
     
    Josh Ozura, May 10, 2005
    #5
  6. Josh Ozura

    Josh Ozura Guest

    Here is what I have now. I am not so much worried about load balancing,
    as I can't even get anything returned. All 3 parties can ping each
    other but still no joy. The CSS seems to be upping its counter
    every time I try to connect to the VIP with a web browser, but it still
    times out. Just to clarify: the client makes a request to the VIP, the
    CSS then sends a request to the web server, and when content is returned, it
    sends it to the client. Is that how I have it set up?

    !Generated on 05/11/2005 16:04:51
    !Active version: sg0750004

    configure

    !*************************** GLOBAL ***************************
    ip route 0.0.0.0 0.0.0.0 xxx.xxx.204.1 1

    !************************** CIRCUIT **************************
    circuit VLAN1
      ip address xxx.xxx.204.253 255.255.255.0

    !************************** SERVICE **************************
    service web1
      ip address xxx.xxx.204.130
      active

    service web2
      ip address xxx.xxx.204.131
      active

    service web3
      ip address xxx.xxx.204.150
      active

    service web4
      ip address xxx.xxx.204.151
      active

    !*************************** OWNER ***************************
    owner webservers

      content web_http
        protocol tcp
        vip address xxx.xxx.204.250
        port 80
        balance leastconn
        add service web1
        active

      content web_https
        protocol tcp
        vip address xxx.xxx.204.250
        port 443
        add service web1
        add service web2
        active

    !**************************** ACL ****************************
    acl 1
      clause 10 permit any any destination any
      apply circuit-(VLAN1)
     
    Josh Ozura, May 11, 2005
    #6
  7. Eddie

    Eddie Guest

    Josh,

    I see you use only 1 VLAN.

    I think you have to create a different VLAN for your web servers' front end.

    So add a new circuit:

    Circuit VLAN 2

    and assign a VLAN 2 address to your web server services (and of course
    your servers).

     
    Eddie, May 12, 2005
    #7
  8. Josh Ozura

    Josh Ozura Guest

    Ok, so here is my current configuration.

    !Generated on 05/13/2005 16:04:24
    !Active version: sg0750004

    configure

    !*************************** GLOBAL ***************************
    cdp run
    cdp timer 120
    sntp primary-server xxx.xxx.207.100 version 3
    dns primary xxx.xxx.204.16
    ip management route xxx.xxx.207.0 255.255.255.0 xxx.xxx.154.209
    ip route 0.0.0.0 0.0.0.0 xxx.xxx.204.1 1

    !************************* INTERFACE *************************
    interface 1/1
      trunk
      vlan 1
        default-vlan

    !************************** CIRCUIT **************************
    circuit VLAN1
      ip address xxx.xxx.204.253 255.255.255.0
        ip virtual-router 1 priority 200 preempt
        ip redundant-vip 1 xxx.xxx.204.250

    !************************** SERVICE **************************
    service server1
      ip address xxx.xxx.204.100
      active

    !*************************** OWNER ***************************
    owner webservers

      content L3_webservers_LC
        add service server1
        vip address xxx.xxx.204.250
        active

    !**************************** ACL ****************************
    acl 1
      clause 10 permit any any destination any
      apply circuit-(VLAN1)


    It still wasn't working, but it looked like it should based on the docs
    I have been reading from Cisco. The counters indicating rule hits were
    working but still nothing. I turned on debug for everything and then
    issued a show log command. This is what I get when I try to hit the
    VIP:

    MAY 16 09:52:15 1/1 160 FLOWMGR-7:
    DoS SYN attack: xxx.xxx.207.83:2366->xxx.xxx.204.250:80
    synCnt: 3, initSeq: 79126084

    Any ideas on why it thinks I am trying to start a DoS attack?
     
    Josh Ozura, May 16, 2005
    #8
  9. Josh Ozura

    Josh Ozura Guest

    OK, I added the following content rule:

    content L5_test
    vip address xxx.xxx.204.250
    protocol tcp
    port 80
    url "/*"
    add service server1
    active

    then tried a connection and got the following from the log:
    MAY 16 14:16:37 1/1 225 FLOWMGR-7:
    While spoofing a connection backend, too many SYNs had to be sent to
    the server.

    xxx.xxx.204.100:80->xxx.xxx.207.83:2907
     
    Josh Ozura, May 16, 2005
    #9
  10. ogie_velo

    ogie_velo
    Try to configure the "group ... command"
     
    ogie_velo, Mar 4, 2008
    #10
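    The failure in posts #6 to #10 (VIP, CSS circuit and real servers all on one VLAN, the browser timing out while the CSS logs that it had to send too many SYNs to the server) is the one-arm layout the later replies point at: with no second VLAN and no source group, the server answers the client directly and the CSS never sees the return traffic. The checker below is an added example for this thread, not Cisco tooling or anything the posters wrote; it parses a constructed CSS-style config and flags content rules whose VIP and servers share a circuit subnet while no `group` is configured. `ONE_ARM_CONFIG`, `parse_css`, `one_arm_rules` and the 192.0.2.0/24 addresses (standing in for the masked xxx.xxx.204.0/24) are all assumptions of the example.

```python
import ipaddress

# Constructed sample shaped like the thread's single-VLAN config (192.0.2.0/24 is assumed).
ONE_ARM_CONFIG = """\
circuit VLAN1
  ip address 192.0.2.253 255.255.255.0
service web1
  ip address 192.0.2.130
  active
owner webservers
  content web_http
    vip address 192.0.2.250
    port 80
    add service web1
    active
"""

def parse_css(text):
    """Collect circuit subnets, service IPs, content-rule VIPs/members and groups."""
    cfg = {"circuits": [], "services": {}, "contents": {}, "groups": set()}
    block = name = None
    for w in (line.split() for line in text.splitlines()):
        if len(w) < 2 or w[0].startswith("!"):
            continue  # blank lines, bare 'active'/'configure', CSS comments
        if w[0] in ("circuit", "service", "content", "group"):
            block, name = w[0], w[1]
            if block == "group":
                cfg["groups"].add(name)
            elif block != "circuit":
                cfg[block + "s"][name] = {"ip": None, "services": []}
        elif w[:2] == ["ip", "address"] and block == "circuit":
            cfg["circuits"].append(ipaddress.ip_network(f"{w[2]}/{w[3]}", strict=False))
        elif w[:2] in (["ip", "address"], ["vip", "address"]) and block in ("service", "content"):
            cfg[block + "s"][name]["ip"] = ipaddress.ip_address(w[2])
        elif w[:2] == ["add", "service"] and block == "content":
            cfg["contents"][name]["services"].append(w[2])
    return cfg

def one_arm_rules(text):
    """Content rules whose VIP and all real servers share a circuit subnet with no source
    group: the server answers the client directly and the CSS keeps resending SYNs."""
    cfg = parse_css(text)
    flagged = []
    for cname, rule in cfg["contents"].items():
        ips = [cfg["services"].get(s, {}).get("ip") for s in rule["services"]]
        if not rule["ip"] or not ips or None in ips or cfg["groups"]:
            continue  # incomplete rule, or a source group already handles the return path
        if any(rule["ip"] in net and all(ip in net for ip in ips) for net in cfg["circuits"]):
            flagged.append(cname)
    return flagged
```

    Adding a `group` block to the same text (or moving the servers to a subnet outside the circuit, as the second-VLAN suggestion does) clears the warning.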