09-28-2007 03:07 PM
Should be a simple question and I hope I have the answer, just want to see if someone can verify this will work. This is on a CSS 11501 with 8.2 code. Have to be sure the client data flows which are served by the same 2 servers but with different VIPs are correctly returned to the client. Assume all routing is correct. Thanks in advance for your feedback.
Client 1 SRC ip 192.168.1.2 SRC port UDP 4932 (random port)
DST ip 10.1.2.100 DST port UDP 1120
Client 2 SRC ip 172.16.12.12 SRC port UDP 8374 (random port)
DST ip 10.1.2.101 DST port UDP 1120
Client 1 must have return packet - SRC ip 10.1.2.100 SRC port 1120
DST ip 192.168.1.2 DST port 4932
Client 2 must have return packet - SRC ip 10.1.2.101 SRC port 1120
DST ip 172.16.12.12 DST port 8374
!************************* INTERFACE *************************
interface e1
  phy 100Mbits-FD
  bridge vlan 11
interface e2
  phy 100Mbits-FD
  bridge vlan 12
!************************** CIRCUIT **************************
circuit VLAN11
  ip address 10.1.2.1 255.255.255.0
circuit VLAN12
  ip address 10.2.1.1 255.255.255.0
!************************** SERVICE **************************
service service1-UDP1120
  ip address 10.2.1.30
  protocol udp
  port 1120
  active
service service2-UDP1120
  ip address 10.2.1.31
  protocol udp
  port 1120
  active
!*************************** OWNER ***************************
owner owned-by-me
  content VIP100
    protocol udp
    add service service1-UDP1120
    add service service2-UDP1120
    port 1120
    vip address 10.1.2.100
    active
  content VIP101
    protocol udp
    add service service1-UDP1120
    add service service2-UDP1120
    vip address 10.1.2.101
    port 1120
    active
09-28-2007 10:34 PM
The CSS sets up a Flow Control Block (FCB) in one direction only when a UDP packet is processed. The FCB for the return path will only be set up if the response packet arrives. Because of the uni-directional nature of UDP, a UDP content rule must have a corresponding source group to handle the return UDP traffic and to provide the mapping between the two sides of the UDP flow.
For example:
content vip1
  vip address 192.168.100.86
  protocol udp
  add service test1
  add service test2
  active
group outbound2
  vip address 192.168.100.86
  add service test1
  add service test2
  active
09-30-2007 12:54 AM
The problem here is that you want to have 2 different source NATs.
So, the only way is to use an ACL to define which group to use.
You first need to define 2 groups one for each VIP. Do not assign any service.
Then create an acl like this to tell the CSS when to use one group or the other.
acl 1
clause 10 permit udp
...
As you can see you need to know in advance which group to use - so one client will always receive traffic from the same vip.
Another solution is to do client nat when forwarding the client request to the server.
In this case, an FCB for the reverse path will also be set up, and the CSS will do the automatic reverse-NATing when the server responds. The only drawback is that the server always sees traffic coming from the same IP.
If you go for this solution, you need a group but instead of using 'add service' you use 'add destination service'.
Only 1 group is required.
Gilles.
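The two replies above make the same point from different angles: without a reverse-path FCB the server's reply leaves with the real server address as its source, a source group keyed on `add service` can only map a server to one VIP, and an ACL that selects the group per flow is what lets two VIPs share the same two servers. The following is an added toy model of that behaviour written for this thread; it is not CSS code and does not claim to reproduce the CSS 11501 flow engine. It reuses the addresses from the original question; the group names, the "mode" labels and the rule that an ACL clause matches on the client's destination VIP are assumptions made for the illustration.

```python
"""Toy model of how a content rule, a source group and an ACL combine to
decide the source address a client sees on a UDP server reply.

Illustration added for this thread (not CSS code). Addresses come from the
original question; group names and the ACL matching rule are assumptions."""

from dataclasses import dataclass
from itertools import cycle


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class CssModel:
    def __init__(self):
        self.content = {}        # VIP -> round-robin iterator over real server IPs
        self.groups = {}         # group name -> group VIP
        self.service_group = {}  # server IP -> first group that did "add service" on it
        self.acl = []            # (client destination VIP, group name), in clause order
        self.reverse_fcb = {}    # (server, sport, client, cport) -> source IP to use on reply

    def add_content(self, vip, servers):
        self.content[vip] = cycle(servers)

    def add_group(self, name, vip, servers=()):
        self.groups[name] = vip
        for server in servers:
            # A server can only be NATed to one group VIP this way (assumption
            # for the model: the first group wins).
            self.service_group.setdefault(server, name)

    def add_acl_clause(self, dst_vip, group):
        self.acl.append((dst_vip, group))

    def select_group(self, pkt):
        for dst_vip, group in self.acl:
            if pkt.dst_ip == dst_vip:
                return group
        return None

    def client_to_server(self, pkt):
        """Forward direction: rewrite the VIP to a real server. When an ACL
        clause picks a source group, install the reverse FCB immediately so the
        reply is translated back to that group's VIP."""
        if pkt.dst_ip not in self.content:
            return pkt
        server = next(self.content[pkt.dst_ip])
        group = self.select_group(pkt)
        if group is not None:
            key = (server, pkt.dst_port, pkt.src_ip, pkt.src_port)
            self.reverse_fcb[key] = self.groups[group]
        return Packet(pkt.src_ip, pkt.src_port, server, pkt.dst_port)

    def server_to_client(self, pkt):
        """Reply direction: a per-flow reverse FCB wins, then a group that the
        server was added to, otherwise the real server IP leaks to the client."""
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        new_src = self.reverse_fcb.get(key)
        if new_src is None and pkt.src_ip in self.service_group:
            new_src = self.groups[self.service_group[pkt.src_ip]]
        if new_src is None:
            return pkt
        return Packet(new_src, pkt.src_port, pkt.dst_ip, pkt.dst_port)


# Constructed from the thread: two clients, two VIPs, the same two servers.
CLIENTS = [("192.168.1.2", 4932, "10.1.2.100"), ("172.16.12.12", 8374, "10.1.2.101")]
SERVERS = ["10.2.1.30", "10.2.1.31"]


def run_scenario(mode):
    """Return {client IP: source IP seen on the reply} for one configuration.
    mode is "none", "groups_with_services" or "groups_with_acl"."""
    css = CssModel()
    for vip in ("10.1.2.100", "10.1.2.101"):
        css.add_content(vip, SERVERS)
    if mode == "groups_with_services":
        css.add_group("group100", "10.1.2.100", SERVERS)
        css.add_group("group101", "10.1.2.101", SERVERS)
    elif mode == "groups_with_acl":
        css.add_group("group100", "10.1.2.100")
        css.add_group("group101", "10.1.2.101")
        css.add_acl_clause("10.1.2.100", "group100")
        css.add_acl_clause("10.1.2.101", "group101")
    seen = {}
    for client_ip, client_port, vip in CLIENTS:
        fwd = css.client_to_server(Packet(client_ip, client_port, vip, 1120))
        reply = Packet(fwd.dst_ip, 1120, client_ip, client_port)
        seen[client_ip] = css.server_to_client(reply).src_ip
    return seen


def replies_match_vips():
    """True only when every client gets its reply from the VIP it sent to."""
    expected = {ip: vip for ip, _, vip in CLIENTS}
    return {mode: run_scenario(mode) == expected
            for mode in ("none", "groups_with_services", "groups_with_acl")}


if __name__ == "__main__":
    for mode, ok in replies_match_vips().items():
        print(f"{mode:22s} {'OK' if ok else 'MISMATCH'} {run_scenario(mode)}")
```

Running it shows the three outcomes the replies describe: with no group the clients see 10.2.1.30 as the reply source; with both servers added to both groups the model can only pick one VIP per server, so client 2 gets a reply from 10.1.2.100 instead of 10.1.2.101; only the ACL-selected groups give each client a reply from the VIP it sent to.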
10-01-2007 09:06 AM
Thanks Gilles, only problem is that there is a requirement for the original source IP to hit the server. I will be doing NATs a level above this as there are two public IPs that the clients will hit, so I will NAT them to different VIPs in order to differentiate them. So would I use the NATed VIP in the ACL to point to the source group? This may require several different NATs. The question posed had two, actually there are about eight or nine I need to worry about.