CSS 11154 Starter Question

dwalsh
Level 1

Hello,

I have a fairly basic question, I think. I'm very new to the whole CSS stuff, and was just wondering if someone could provide a quick config.

My environment:

- One CSS11154

- Two web servers running Helix

- The two servers are sitting on our DMZ off of our PIX. They are not NATed and we don't want them to be.

My objective:

To provide simple load balancing to the two servers.

I've reviewed some of the config stuff on Cisco's site, but truthfully, it's not very well documented. Or perhaps it's just confusing to me. It's made all that much harder in that the CSS 11154 seems to have been a discontinued unit since Dec of 2003. I can't find any documentation related to it.

Anyway, if someone could lay out and explain a simple config, I'd sure appreciate it.

TIA,

Dave

7 Replies

Gilles Dufour
Cisco Employee

If you take the "CSS basic configuration guide", I believe this is well explained and fairly simple.

Here is a link to the guide.

http://www.cisco.com/en/US/products/hw/contnetw/ps789/products_configuration_guide_chapter09186a008017591d.html#wp1037654

Follow the instructions step by step.

Define your server with the 'service' config.

Create an owner and a content rule and associate it with the services just created.

For physical connection, connect one CSS port to the Pix, 1 port to server A and 1 port to server B.

Put all the physical ports in the same vlan and only use 1 circuit vlan with 1 subnet.

All you need is 1 ip for the CSS and 1 Virtual ip.

You don't need to change the config on the servers.

You need to change your dns server to point to the vip and add a rule in your firewall to permit traffic to the vip.

Gilles.

Hi Gilles,

OK, I think I'm starting to get the hang of this. However, I'm confused about one thing:

I want the two servers to still be available on the Internet. They'll also be on the DMZ with a fully public IP address. They need to be because they will be remotely managed and I can't have the remote management team hitting a VIP. It wouldn't give predictable results (i.e. they'd never know what server they're going to reach).

So, I guess my question is that I don't want to NAT the hosts, but I do want to LB them. I'd like for them to remain on the regular DMZ with a reachable and real IP address.

Thanks,

Dave

Hi Dave:

I guess it's better to see what your configuration is like. You can email me off line if you would like to keep your information private.

The CSS does NAT by design and I have not seen too many designs where people do not enable NAT on the CSS between the public/private side of the CSS. What are your concerns for NATting?

If you put the servers behind the CSS, the CSS WILL ONLY PASS traffic that is configured in the services. If you need these devices accessible via other protocols, I would recommend that you connect a FW interface or a back end interface to the DMZ. The CSS is best used ONLY to LB www related traffic (dns, ra, etc).

Drop me a line with your concerns if you would like. Please include the post information in the subject line so I do not filter it incorrectly.

Dave,

You can still put your servers behind the CSS.

There are 2 ways of doing this.

1 - you use a private subnet for the servers and create a vip for each server to nat from public to private.

2 - you use "bridging mode".

The CSS is connected to the firewall and the servers are connected to the CSS.

You put all physical interfaces into a single vlan and the CSS will bridge the physical ports.

You don't have to change anything on the server.

They still use the firewall as default gateway.

Regards,

Gilles.

- please take a moment to rate this answer.
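As an added illustration for both of Gilles' replies above (the service / owner / content rule steps and the bridging-mode option), this is what a minimal configuration of that shape could look like on a CSS. It is not a configuration posted in this thread and not taken from Cisco's documentation: the addresses are constructed from the 192.0.2.0/24 documentation range (Pix at .1, CSS at .2, VIP at .10, servers at .11 and .12), the service, owner and content rule names are made up, and the interface names e1 to e3 are assumed for the ports cabled to the Pix and the two servers.

```text
! Constructed example: CSS in bridging mode, one VLAN, one subnet (192.0.2.0/24)
! Assumed addresses: Pix 192.0.2.1, CSS 192.0.2.2, VIP 192.0.2.10, servers .11 and .12

! Physical ports: e1 to the Pix, e2 and e3 to the servers, all bridged into VLAN1
interface e1
  bridge vlan 1
interface e2
  bridge vlan 1
interface e3
  bridge vlan 1

! One circuit VLAN carrying the CSS's own address (the only IP the CSS itself needs)
circuit VLAN1
  ip address 192.0.2.2 255.255.255.0

! Default route via the Pix for traffic the CSS itself originates
ip route 0.0.0.0 0.0.0.0 192.0.2.1 1

! Real servers: they keep their public addresses and the Pix as default gateway
! The HTTP keepalive takes a server out of rotation when its web service stops answering
service helix-a
  ip address 192.0.2.11
  protocol tcp
  port 80
  keepalive type http
  active

service helix-b
  ip address 192.0.2.12
  protocol tcp
  port 80
  keepalive type http
  active

! Owner and content rule: the VIP that the DNS name for the site points to
owner helix
  content www
    vip address 192.0.2.10
    protocol tcp
    port 80
    add service helix-a
    add service helix-b
    balance roundrobin
    active
```

Two points worth checking against this layout. First, as Gilles notes, the Pix still needs a rule permitting inbound tcp/80 to the VIP (192.0.2.10), and the DNS record for the site moves to that address; nothing else on the firewall changes. Second, because the content rule is limited to tcp/80 on the VIP, only HTTP to the VIP is balanced: management traffic addressed directly to 192.0.2.11 or .12 is simply bridged through the CSS unchanged and remains governed by the Pix's existing DMZ rules, which is what keeps the servers individually reachable for the remote management team.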

Thanks Gilles,

Just one question though on #2:

If I put the FW as the DG, will they still be able to LB? I thought I'd have to put the CSS as the DG so that all return traffic would get properly processed by the CSS for LBing.

Regards,

Dave

Hi Dave,

Option 2: Physically the servers are connected to the CSS. When a request comes from the Internet via the Pix destined to the VIP defined in the CSS, it is finally forwarded to the server based on the LB mode defined. The reply packet still passes through the CSS to reach the default gateway, which is the Pix. So the CSS will receive full flow information and performing LB is no issue at all. I have tried this before.

Regards

Meng Vei

Gilles Dufour
Cisco Employee

If the CSS is bridging the server vlan and the pix vlan, the traffic will have to go through the CSS even if the servers are using the pix as default gateway.

So the CSS will see the response from the servers.
