02-17-2012 11:14 AM
Hi everyone,
I'm trying to design a CSS configuration that allows servers in the same vlan to be the source and destination of load-balanced traffic. My thought is to add two new vlans, one for the VIPs and one for the servers, then NAT the source IPs going from the LB to the servers.
Is this the right way to do it?
I've never NATted using CSSs, so I wanted to verify what I'm thinking.
Our current config trunks the vlans -
interface 1/1
  trunk
  vlan 1
    default-vlan
  vlan 555
interface 1/2
  trunk
  vlan 1
    default-vlan
  vlan 555
circuit vlan555
  redundancy
  ip address ...
So I would add the new vlans -
interface 1/1
  trunk
  vlan 1
    default-vlan
  vlan 555
  vlan 771
  vlan 772
interface 1/2
  trunk
  vlan 1
    default-vlan
  vlan 555
  vlan 771
  vlan 772
circuit vlan555
  redundancy
  ip address ...
circuit vlan771
  ip address ...
circuit vlan772
  ip address ...
Then I'd create my service, owner and content -
service vlan772-server1
  protocol tcp
  port 443
  keepalive port 443
  keepalive type tcp
  ip address ...
  active
service vlan772-server2
  protocol tcp
  port 443
  keepalive port 443
  keepalive type tcp
  ip address ...
  active
owner mywebserver
  content vlan771-vip1
    vip address ...
    protocol tcp
    port 443
    add service vlan772-server1
    add service vlan772-server2
    active
Then I'd add a source group?
source group mysourcegroup
  vip address <vlan771 ip> <range>
  add destination vlan772-server1
  add destination vlan772-server2
Is that it? Am I even close?
Cheers,
Ryan
02-17-2012 12:16 PM
Hi Ryan,
The config looks in good shape. The only thing is that, since you'll be doing LB from/to a server that is already defined as a service within the CSS, your source group should use "add service" instead of "add destination service". Also, depending on your servers' default gateway, it would be better if you use a NAT IP address from the 772 VLAN, so that both hosts will think they're L2 adjacent to it and L3 routing won't be required.
source group mysourcegroup
  vip address
  add service vlan772-server1
  add service vlan772-server2
HTH
Pablo
02-20-2012 05:35 AM
Hi Ryan,
Rather than applying source NAT to the server-initiated connections when they come out of the server VLAN and into the VIP one (which I'm not even sure would work), you should just go for a one-arm design, with the VIPs in the same VLAN as the servers and with source NAT applied to the connections.
I would recommend you have a look at the link below. It shows a configuration example for the same topology you are trying to use.
I hope this helps
Daniel
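Pulling Pablo's and Daniel's suggestions together, here is what a one-arm layout for Ryan's scenario would look like. This is an added illustration, not config posted by anyone in the thread; the 10.0.72.0/24 subnet and every address in it are made up, and the source group is assumed to use a NAT address in the server VLAN that is distinct from the VIP.

```text
! One-arm design: VIP, NAT source address and both servers live in vlan 772.
! All addresses below are constructed placeholders (10.0.72.0/24).
circuit vlan772
  ip address 10.0.72.1 255.255.255.0

service vlan772-server1
  ip address 10.0.72.11
  protocol tcp
  port 443
  keepalive type tcp
  keepalive port 443
  active

service vlan772-server2
  ip address 10.0.72.12
  protocol tcp
  port 443
  keepalive type tcp
  keepalive port 443
  active

owner mywebserver
  content vip1
    vip address 10.0.72.100
    protocol tcp
    port 443
    add service vlan772-server1
    add service vlan772-server2
    active

! Source NAT: traffic forwarded to either server leaves the CSS with
! 10.0.72.101 as its source, so the server (even when it is also the
! client, sitting in the same vlan) answers back through the CSS instead
! of replying directly to the originating host.
! "add service" rather than "add destination service", because the servers
! are the load-balanced services behind the VIP.
source group mysourcegroup
  vip address 10.0.72.101
  add service vlan772-server1
  add service vlan772-server2
  active
```

With source NAT in place the servers see 10.0.72.101 as the client address for every load-balanced connection, so the original client IP no longer shows up in the servers' own logs or per-client access controls.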
02-20-2012 08:34 AM
Thank you both for your answers. I will update this discussion as soon as I have implemented. :-)