topic Re: sourcegroups and bypassing on CSS in Application Networking

sourcegroups and bypassing on CSS

aliver — Tue, 30 Aug 2005 05:42:52 GMT

Good day!

there are 2 servers with ip 192.168.33.230 and 192.168.33.231 and two clients.

We are need create cluster with service FTP,when one client make ftp to first server and if it fail change to second server, and second client vice versa (i.e. load balansing servers by clients)

if I create two contents, for example 192.168.32.10 and 11 for two clients its not work because i need sorcegroup for servers to do ftp-data connection with the same address as cluster address and i cannot create two different sourcegroups for the same servers.

What I do wrong?

well, I temporary forgot about balansing and to do one cluster with service 192.168.33.230 and primary sorry-server 192.168.33.231 and sourcegroup with vip 192.168.32.11. Now we are need communicate each server with outside server 10.10.10.10. with done sourcegroup its not work and I want bypass traffic from servers to outside server from NATing using ACL, but its not work and i see on outside server coming packets from address 192.168.32.11, i.e. group address( I cannot see any matches on clause 30 and 40 acl 5, only clause 100). I tried remove servers from group and stay only acls, but its not work too.

there my config

service ftp1

ip address 192.168.33.230

port 21

keepalive type tcp

keepalive port 21

keepalive frequency 30

keepalive retryperiod 2

redundant-index 210

active

service ftp2

ip address 192.168.33.231

port 21

keepalive type tcp

keepalive port 21

keepalive frequency 30

keepalive retryperiod 2

redundant-index 211

active

-------

content clust-ftp2

protocol tcp

vip address 192.168.32.11

add service ftp1

primarySorryServer ftp2

port 21

redundant-index 221

application ftp-control

active

----

group ftp

vip address 192.168.32.11

add service ftp1

add service ftp2

active

-----

acl 5

clause 30 bypass any 192.168.33.230 255.255.255.254 destination 10.10.10.10 255.255.255.255

clause 40 permit any 192.168.33.230 255.255.255.254 destination any sourcegroup ftp

clause 100 permit any any destination any

apply circuit-(VLAN100)

How to resolve this task?

thanks!

Re: sourcegroups and bypassing on CSS

Gilles Dufour — Tue, 30 Aug 2005 13:55:44 GMT

Sorry but I don't understand the logic of this design.

Why do you want a client to try another server if the first one fails ?

This concept is valid if you have no loadbalancer, but with a CSS, you can use probe to detect a server that is down and new connections will automatically go the next server.

So, I don't see why an FTP connection to your content rule would fail and why a connection to a 2nd rule would work.

If an FTP connection to the vip fails, this will be because the 2 servers are down.

If the 2 servers are down for 1 rule, they should be down for the other rules.

I would say, keep it simple with 1 content rule.

The best designs are the simplest ones.

Gilles.

Re: sourcegroups and bypassing on CSS

aliver — Wed, 31 Aug 2005 04:40:49 GMT

>>This concept is valid if you have no loadbalancer, but with a CSS, you can use probe to detect a server that is down and new connections will automatically go the next server.

well,its just so i want.

but question is not in my design!

Question - why my acl to bypass and sourcegroup is not working? if i want to NAT only specific traffic from servers.

thanks.

Re: sourcegroups and bypassing on CSS

jfoerster — Wed, 31 Aug 2005 04:55:29 GMT

Hi,

where is the 10.x.y.z ip-address located? What is the circuit your traffic enters the CSS? Why did you not apply the ACL to all ciruits and give it a try? Next if the traffic hits a rule the CSS is not able to decide which destination is chosen. This should not be any problem in your case as the service are in the range of 192.168.x.y.

kind Regards,

Joerg

Re: sourcegroups and bypassing on CSS

aliver — Wed, 31 Aug 2005 05:11:27 GMT

Hello

10.x.y.z is located in other side of CSS,but not in the same subnet

10.x.y.z

uplink router

CSS

192.168.x.y (server side)

I just want pass traffic from servers to some IPs in 10.x.y.z directly (not NATing), to others IPs with NATing. And dont understand why its not work via acl?

ACL with sourcegroup is apply to server circuit only.

To other citcuits apllies other ACLs (Let even permit any destination any)

thanks.

Re: sourcegroups and bypassing on CSS

Gilles Dufour — Wed, 31 Aug 2005 09:00:00 GMT

answer : the bypass option does not apply to source group but only content rules.

Again, I don't see the need for 2 content rules.

Please explain why you need 2 content rule and why a client would have to try 1 vip and then the other ???

If 2 rules are not needed [as I believe] then your config is not required and everything is simple and easy.

Gilles.

Re: sourcegroups and bypassing on CSS

aliver — Wed, 31 Aug 2005 09:28:52 GMT

>>answer : the bypass option does not apply to source group but only content rules.

OK, how to configure CSS to not NAT specific traffic,but NAT the rest one?

and what about this: http://www.cisco.com/en/US/products/hw/contnetw/ps792/products_configuration_guide_chapter09186a008029cab6.html#wp1150203

there in example used bypass option in ACL. Or I dont something understand?

2 content rules i need not for one client!

I my design the first client must always communicate with first server and if first server fail switch to second server, second client always communicate with second server and if second server fail switch to first. Thats why i tried do it using two content rules, first for first and second for second client.

But because of ftp-data connection and using only one sourcegroup (with ip = vip of any content rules) for it i cannot use 2 content rules.

Re: sourcegroups and bypassing on CSS

Gilles Dufour — Wed, 31 Aug 2005 09:52:02 GMT

this part of the documentation might not be perfectly clear, but what it says is that clause 2 of the acl is not using the 'sourcegroup' option so there is no client nat and it is using bypass, so traffic will not match any rule, so no destination nat.

As you can see in this same acl, clause 3 is what you need to do.

At step #1, define your group with no services assigned.

At step #3, create an acl to define which traffic should use the sourcegroup.

Now, I have a better understanding of your design requirement.

However, I still believe this design comes from a time when there was no loadbalancer.

I would personally prefer to have all my users going to 1 ip and share the 2 servers all the time.

With the current config, the CSS is useless.

Having half your clients going to ip1 and the other half to ip2 and 2 servers, you can do this without a CSS or any loadbalancer.

This is just an advice from my own experience.

Gilles.

Re: sourcegroups and bypassing on CSS

aliver — Thu, 01 Sep 2005 12:20:27 GMT

Thanks for quick reply, Gilles!

I'll try this.