06-08-2004 12:06 PM
Hi All,
Currently we are using CSS11155 to load balance the traffic for our server farm. The diagram is as follows:
firewall (10.10.10.1/24)
|
|
CSS11155 (VIP: 10.10.10.100/24, VLAN1: 10.10.10.254/24)
|
|
Servers (Default Gateway: 10.10.10.1/24)
Now I want to add another subnet (192.168.1.0/24) to this diagram. In the meantime, I also want to add another FW that uses the 192.168.1.0 subnet in front of the CSS. The new topology will look like this:
FW1 (10.10.10.1/24) FW2 (192.168.1.1/24)
| |
| |
CSS11155 (VIP: 10.10.10.100/24 VLAN1: 10.10.10.254/24)
| |
| |
Servers1 Servers2
Can I configure it this way?
Thanks in advance.
Banlan
06-08-2004 11:56 PM
You can configure it.
Now, I'm not sure what the goal and purpose of it is, so I can't tell you if this design will do it.
What will be the addressing of the servers in your new design?
Gilles.
06-09-2004 07:12 AM
Hi Gilles,
Thanks for your reply. Currently the firewall has one DMZ which connects to the CSS and our server farm. The configuration is working fine, and we don't want to change this configuration. Now we want to add another DMZ on the same firewall, and we also need the same CSS as a load balancer for the new server farm in this DMZ. Please check the diagram as follows: (Ignore the underscores, they are used for drawing purposes)
(DMZ1)10.10.10.1/24______FW______(DMZ2)192.168.1.1/24
______________________/__\_________________________
_____________________/____\________________________
VIP:10.10.10.100______CSS11155_____VIP:192.168.1.100
VLAN1:10.10.10.254____/______\____VLAN2:192.168.1.254
___________________/_______\______________________
SRVS Farm1(10.10.10.0/24)____SRVS Farm2(192.168.1.0/24)
Default GW:10.10.10.1/24________Default GW:192.168.1.1/24
Can we use this solution?
Banlan
06-11-2004 07:11 AM
OK, now I understand what the goal is.
This should work - no problem.
You may need to configure 'ip uncong-bridging' if you have traffic that should flow between servers in different DMZs.
Regards,
Gilles.
06-11-2004 03:45 PM
What does ip 'uncong-bridging' do?
08-04-2004 05:28 PM
Hi,
The exact command is ip uncond-bridging. This command disallows the IPv4 routing table lookup from overriding a bridging decision.
In other words, this is like IOS reverse path verify. If a packet comes in and the source IP of the packet and the routing table do not agree that the port the packet came in from is the port the CSS would normally send packets out for that same source IP that the packet came from, this command makes it bridge or handle the packet regardless of that; otherwise the packet would be marked as DoS and dropped.
Regards,
Raj
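The check Raj describes, modeled for the two-DMZ topology in this thread, as an added example that is not part of the original posts and is not the CSS implementation. The port names, the default route via VLAN1 and the sample source addresses are constructed assumptions.

```python
import ipaddress

# Constructed routing table for the two-DMZ design in this thread:
# (prefix, egress port). Port names and the default route are assumptions.
ROUTES = [
    (ipaddress.ip_network("10.10.10.0/24"), "VLAN1"),
    (ipaddress.ip_network("192.168.1.0/24"), "VLAN2"),
    (ipaddress.ip_network("0.0.0.0/0"), "VLAN1"),  # assumed default via 10.10.10.1
]


def route_port(ip):
    """Longest-prefix match: the port the table would use to reach ip."""
    addr = ipaddress.ip_address(ip)
    matches = [(net.prefixlen, port) for net, port in ROUTES if addr in net]
    return max(matches)[1] if matches else None


def handle(src_ip, ingress_port, uncond_bridging=False):
    """Decision for one packet, following the description in the post above.

    forward  - routing table agrees with the port the packet arrived on
    bridge   - mismatch, but the bridging decision is not overridden
    drop-dos - mismatch without uncond-bridging: treated as DoS and dropped
    """
    if route_port(src_ip) == ingress_port:
        return "forward"
    return "bridge" if uncond_bridging else "drop-dos"


if __name__ == "__main__":
    # Constructed packets: (source IP, port the packet arrived on)
    samples = [
        ("10.10.10.20", "VLAN1"),   # Farm1 server on its own VLAN
        ("192.168.1.20", "VLAN1"),  # Farm2 server routed by the FW into DMZ1
        ("203.0.113.5", "VLAN2"),   # outside client arriving via DMZ2
    ]
    for src, port in samples:
        print(src, port, handle(src, port), handle(src, port, True))
```

The second sample is the inter-DMZ case Gilles mentions: the source belongs to 192.168.1.0/24 but arrives on the other VLAN, so the lookup and the ingress port disagree.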
07-27-2004 07:57 PM
Hi,
Currently I have the same requirement, identical to what banlanc previously posted. Are you able to share with me whether you had tested and deployed this design and encountered any problems?
Based on the same IP address scheme from Banlanc's design:
1. Do I need to configure a default route on the CSS? If required, do I configure 1 or 2 default routes on the CSS?
Related to the 1st question, I also wish to know how the CSS handles the return traffic based on what was recommended and configured for the above default route issue.