
CSS Configuration Question

rob.leugers
Level 1

I have a customer who would like to be able to hit the load-balanced web page from a web server that is being balanced by the same content rule. This is due to some apps the customer is planning on deploying on the web servers that need to hit the general url.

Is this a possibility? If so, how would one configure this? I am running a css 11503 code version 7.30.0.05.

9 Replies

Gilles Dufour
Cisco Employee

This is feasible.

However, you need to take precautions to avoid the response being sent directly from one server to the other.

You should use an ACL and a sourcegroup to do client NAT when traffic comes from a server.

Something like this:

group client-nat
  vip x.x.x.x
  active
!
acl 1
  clause 10 permit any destination content sourcegroup client-nat
  clause 99 permit any any destination any
  apply all

Clause 10 tells the CSS that traffic to the VIP defined in the specified content rule should be NATed with the IP in source group client-nat.

Regards,

Gilles

Thanks. We'll spin this up in a test environment.

Gilles,

We have the same problem here. Can you tell where I should add these commands? Are these global settings or do you have to add them to the services?

Thanks for your help.

Regards,

Thijn

Here are the relevant parts of my production configuration:

interface 1/1
  trunk
  vlan 6
  vlan 10

group QA-nat
  vip address 10.100.10.100
  redundant-index 41
  active

group development-nat
  vip address 10.100.6.53
  redundant-index 40
  active

!**************************** ACL ****************************
acl 10
  clause 10 permit any 10.100.6.0 255.255.255.0 destination 10.100.6.53 sourcegroup development-nat
  clause 20 permit any any destination any
  apply circuit-(VLAN6)

acl 20
  clause 10 permit any 10.100.10.0 255.255.255.0 destination 10.100.10.100 sourcegroup QA-nat
  clause 20 permit any any destination any
  apply circuit-(VLAN10)

This is configured, tested and works quite well in my environment.

This won't work all the time.

You should really match the content rule and not the IP in the content rule.

ie:

clause 10 permit 10.100.10.0 255.255.255.0 destination content sourcegroup ....

Regards,

Gilles.

I have a similar problem but the content is accessed based on the VIP address. The server 10.56.3.40 is trying to access the content from 10.56.3.50,60 and 70. But it is trying to access it based on the VIP address which is 10.56.10.11.

Will this traffic be affected too?

Not sure I understand what you mean by "will the traffic be affected"?

If 2 servers are in the same VLAN and communicate via a VIP on the CSS, you need to implement client NAT to avoid the server response bypassing the CSS.

If you decide to use an ACL, you need to match the content name and not the IP address, otherwise it won't work.

Gilles.

Gilles,

Is this method only useful in cases where you want a back-end server to be able to use the VIP in question? I have similar use for this function, but don't want to restrict the content rule to use by only the back-end servers within the rule itself.

From what you've laid out, it appears that the clause 99 will permit all other traffic to use the content rule as per normal, no?

- Chris

Chris,

what I wanted to show is that if you want to apply a source group for traffic sent to a VIP, you should match this vip by specifying the content name and not the ip address.

If you have multiple rules sharing the same IP, you need an ACL entry for each rule.

Matching the ip will not work.

This is true for whatever client ip address is being used.

Regards,

Gilles.
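Putting the thread's advice together as one CSS configuration fragment. This is an added example, not configuration posted by anyone in the thread; the owner/content names web/http and web/https, the services srv1 and srv2, and the server subnet 10.100.10.0/24 are assumed, and the command forms follow those shown above (check them against your release's command reference).

```text
! Constructed example: two content rules share VIP 10.100.10.100.
! Servers in 10.100.10.0/24 also connect to that VIP, so their traffic
! is client-NATed to keep the reply path through the CSS instead of
! letting one server answer the other directly.
service srv1
  ip address 10.100.10.21
  active
service srv2
  ip address 10.100.10.22
  active

owner web
  content http
    vip address 10.100.10.100
    protocol tcp
    port 80
    add service srv1
    add service srv2
    active
  content https
    vip address 10.100.10.100
    protocol tcp
    port 443
    add service srv1
    add service srv2
    active

! Source group whose VIP becomes the NATed client address.
group QA-nat
  vip address 10.100.10.100
  active

! One clause per content rule that shares the VIP, matched by
! owner/content name rather than by the VIP address, which the thread
! notes does not work. Clients outside the server subnet fall through
! to clause 99 and are load balanced as normal without NAT.
acl 20
  clause 10 permit any 10.100.10.0 255.255.255.0 destination content web/http sourcegroup QA-nat
  clause 20 permit any 10.100.10.0 255.255.255.0 destination content web/https sourcegroup QA-nat
  clause 99 permit any any destination any
  apply circuit-(VLAN10)

! ACLs only take effect once enabled globally.
acl enable
```

A quick check after applying it is to open a connection from srv1 to the VIP and confirm on srv2 that the source address seen is 10.100.10.100, not 10.100.10.21.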
