Help with CSS configuration issue

toniatkinson · ‎07-25-2001

My question is about configuring the CSS 11151 for server load balancing including some provision for communication with each of the servers (services), independent of the load balancing method. Here are the details.

We are building a test IDC for dedicated web hosting. We will use one Cisco CSS 11151 and several servers (as well as a firewall, etc). Web requests will be processed by the CSS using round robin. However, in addition to the need for servicing web requests, there are situations in which the web owner or the IDC administrator needs to communicate with a specific server.

That need exists for doing administrative functions like troubleshooting. It also exists for the web owner to deliver content and configure the web server. I understand that there are several different ways to configure the CSS to support this kind of access (see below) but I don't know what the trade-offs are, nor do I know what the commons practices are. So I am not sure which configuration(s) to use. Any experience to share? What is being done in the real world?

Configuration Alternatives I Am Aware Of:

1) In the (web) owner's rule add an additional individual pass-through VIP for each service. That VIP (or its NATed IP) is exposed only to the web owner.

2) Use an additional content rule for each service (L5 content rule) so that particular types of requests, e.g. FTP, are directed to particular servers.

ciscomoderator · ‎08-01-2001

If you don't get a suitable response to your post, you may wish to speak with your Cisco design engineer at your local Cisco office. You can locate your local Cisco representative from this URL:

http://www.cisco.com/warp/public/779/servpro/contact.html or email me at np-moderator@external.cisco.com for further assistance in locating the correct person in your area.

If anyone else in the forum has some real world advice or experience, please reply to this thread.

Thank you for posting.

oshpak · ‎10-30-2001

There are a lot of solutions here. In our network we use pcanywhere to access our servers. Every server has two network cards. One network card is connected to css, another one is connected to internal network segment. Internal network segment has no route to internet. We use vpn solution to access that network. So, there are only web/ftp/commercial traffic are going through CSS. Configuration of CSS is more simple and you have ability to implement out of band management for your servers.

Also, you can just create L5 content rules for each server and open some ports for your administrative applications.

verbeena · ‎11-08-2001

I would recommended not using the separate Virtual IP through the CSS for the administrative tasks on the webservers.

The CSS also consists of a hardware switching module;which enables you to configure different circuit VLANs.

For administrative purposes on the webservers one can directly connect to its real IP address , which is configured as the IPs of the serverside_circuit_VLANS.

eg: circuit VLAN10_CSS_IN (Virtual IPs out of this VLAN)

ip address 10.225.133.2 255.255.255.248

Circuit VLAN20_serverside

ip address 10.225.133.9 255.255.255.248

So, you can directly telnet or http to servers addresses 10.225.133.10-10.225.133.14 for administration and avoid CSS configuration of new content rules etc.

perherna · ‎02-19-2002

Here is another way to hack this where you can use your domain name and port number to differentiate which server where you would like to connect.

If you are limited on public IP addresses and need to administrate your back-end servers remotely, then you can create a layer4 content rule for each single server you would like to access.

This means you can create a content rule using the same IP address as your main load balancing VIP, and then you can assign a different port number each one of these new rules. Per rule, the one service on the backend can map to whichever port you like, like 23.

So the end result of this method can be telnetting to www.yourdomain.com on port 1010, and having that request map to port 23 on your backend servers.

Hope that helps!

Cheers,

Perry.