05-15-2007 06:26 PM
Our problem is determining the correct default gateway for our web servers. All IP addresses are in the same subnet (VIP, interfaces, and servers). Should the servers default gateway be the L3 switch, or the CSS?
Thanks!
Tom
05-15-2007 08:07 PM
Hi Tom,
If you have one-arm mode, you might have problems with asymmetric flows, because the CSS behaves similarly to a firewall when it comes to flows, as it needs to see both sides of the flow (client and server side) in order to handle things correctly. Having this kind of setup, and even when the server is pointing to the CSS as its default gateway, ICMP redirects might force the traffic to change dynamically.
You can put as default gateway the L3 switch, but you need to force the traffic that has been load balanced by the CSS to go back to the CSS, otherwise the flow would fail. You can do this by using a group on the CSS, adding the service with the following command: 'add destination service xxxx'. This would NAT the client's IP address for the VIP that you use on the group and would force the flow to go back to the CSS.
Another thing that you can do is to use the CSS as the server's DG, but you must make sure that all L3 devices, including the CSS have ICMP redirects turned off on this subnet. If you have a firewall on this subnet, you would need to turn off proxy ARP as well.
I hope you find this helpful. Thanks!
Regards,
Jose Quesada.
05-16-2007 06:06 AM
Thanks for the reply.
Correct me if I'm wrong, but as I understand it a group will translate the service addresses to the VIP. I don't see how this would translate the client's source address. Am I understanding this correctly?
I have been looking at this config, and I don't see any groups configured. It makes me wonder what these servers are using for default gateway. http://www.cisco.com/en/US/partner/products/hw/contnetw/ps792/products_configuration_example09186a008016c8e5.shtml
Thanks again!
Tom
05-16-2007 03:29 PM
Jose,
I now see what you are talking about. I read about the difference between 'add service' and 'add destination service' when configuring a group.
So does this mean the only way to maintain the clients address as the source is to place the CSS inline and have the servers use it for the default gateway?
I appreciate all your help.
Tom
05-16-2007 08:24 PM
Dear Tom,
You understood this one perfectly!
You can still have a one-arm setup and not use groups to NAT the client's IP address, but you must make sure that the servers send the reply back to the CSS, and by experience I can tell you it is really difficult to control the routing on a subnet when two or more devices are able to make routing decisions.
The best way to go, and the one that would avoid you several headaches, is to configure an inline setup.
Kindest regards,
Jose.
05-17-2007 06:16 AM
I hope I help by letting you know my config for this scenario:
I use the destination service in my group
My servers use the default gateway of the upstream router
When I sniff the connection the client ip address only connects to VIP, the client never sees the server IP and the server only sees the VIP.
The servers use the same default address as the load balancer global static route I have configured for the upstream router:
ip route 0.0.0.0 0.0.0.0 192.168.20.1 (upstream router IP)
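The following is an added example, not part of the thread and not CSS code: a small Python model of where a server's reply packet goes in the layouts discussed above (Jose's first reply and the working one-arm configuration in the last post). The addresses, the device names and the simplified flow-table behaviour are assumptions for illustration only; it shows why a one-arm CSS with the L3 switch as default gateway fails without a destination-service group, why the group makes it work, how ICMP redirects break the "CSS as gateway" variant, and why the inline layout is not sensitive to any of this.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed addresses for the model; the /24 mirrors the "everything in one
# subnet" situation from the thread (VIP, CSS interface, servers, L3 switch).
SUBNET = ipaddress.ip_network("192.168.20.0/24")
CLIENT = "198.51.100.10"     # off-subnet client
VIP = "192.168.20.100"       # VIP hosted on the CSS
SERVER = "192.168.20.11"     # real web server
L3_SWITCH = "192.168.20.1"   # upstream router / L3 switch
CSS_ADDR = "192.168.20.2"    # CSS circuit address


def same_subnet(ip):
    return ipaddress.ip_address(ip) in SUBNET


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


@dataclass
class Css:
    """Stateful load balancer (assumed behaviour). Replies are only translated
    back when the CSS holds a flow entry for them; 'snat' stands for a group
    with 'add destination service', which rewrites the client source to the VIP."""
    vip: str
    server: str
    snat: bool
    flows: dict = field(default_factory=dict)

    def forward_request(self, pkt):
        # client -> VIP becomes (client or VIP) -> server; remember the reverse key
        new_src = self.vip if self.snat else pkt.src
        fwd = Packet(new_src, self.server)
        self.flows[(fwd.dst, fwd.src)] = pkt.src
        return fwd

    def forward_reply(self, pkt):
        client = self.flows.get((pkt.src, pkt.dst))
        if client is None:
            return None                       # no state: the CSS drops it
        return Packet(self.vip, client)       # un-NAT back towards the client


def simulate(layout, server_gateway, snat, icmp_redirects=False, exchanges=2):
    """Run request/reply exchanges and report what the client sees each time:
    ('ok', VIP) for a correct reply, ('fail', SERVER) when the reply bypassed
    the CSS and arrived from the real server address, ('dropped', None) when
    the CSS had no flow state for it."""
    css = Css(VIP, SERVER, snat)
    route_cache = {}          # server's per-destination next hop learned from redirects
    results = []
    for _ in range(exchanges):
        to_server = css.forward_request(Packet(CLIENT, VIP))
        reply = Packet(SERVER, to_server.src)
        if same_subnet(reply.dst):
            next_hop = reply.dst                       # ARP directly on the LAN
        else:
            next_hop = route_cache.get(reply.dst, server_gateway)
        # Inline: every frame leaving the servers physically crosses the CSS.
        # One-arm: only frames addressed to the CSS itself reach it.
        through_css = layout == "inline" or next_hop in (CSS_ADDR, VIP)
        if not through_css:
            results.append(("fail", reply.src))
            continue
        out = css.forward_reply(reply)
        results.append(("ok", out.src) if out else ("dropped", None))
        # A one-arm CSS used as gateway for an off-subnet destination, with
        # ICMP redirects left on, tells the server to use the L3 switch directly.
        if (layout == "one-arm" and next_hop == CSS_ADDR
                and icmp_redirects and not same_subnet(reply.dst)):
            route_cache[reply.dst] = L3_SWITCH
    return results


if __name__ == "__main__":
    print("one-arm, DG=L3 switch, no group  :", simulate("one-arm", L3_SWITCH, snat=False))
    print("one-arm, DG=L3 switch, dest svc  :", simulate("one-arm", L3_SWITCH, snat=True))
    print("one-arm, DG=CSS, redirects on    :", simulate("one-arm", CSS_ADDR, snat=False, icmp_redirects=True))
    print("inline, DG=L3 switch, no group   :", simulate("inline", L3_SWITCH, snat=False))
```

The model deliberately keeps only the two facts the thread turns on: a reply is un-NATed only if it passes through the CSS, and in a one-arm layout it passes through the CSS only when its next hop is the CSS. With the destination-service group the reply is addressed to the VIP, so the server never consults its default gateway at all, which is why the last post's servers can point at the upstream router.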