Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
903
Views
0
Helpful
4
Replies

ITD for servers LB on the same vlan

Go to solution
d_sergienko
Level 1
Level 1

‎08-16-2025 02:31 AM - edited ‎08-16-2025 02:40 AM

Hello,

I'm trying to setup a pretty simple solution for web servers load balancing using ITD on Nexus 93108TC-EX with NX-OS 10.3(6)M.

There is a Deployment guide  for Direct Server Response (ITD Service), and I'm following it with 3 exceptions:

  1. Ingress VLAN - is the same VLAN to access nodes in device-group
  2. VIP is used from the pool of the same network of this VLAN
  3. all setup must be inside VRF

Aforementioned Nexus is one of vPC pair, but as for now I'm configuring ITD only in one box.

Here is the config for this:

vrf context LB-225
  description ITD LoadBalancer for VLAN 225

interface Vlan225
  no shutdown
  vrf member LB-225
  no ip redirects
  ip address 192.168.225.253/24
  no ipv6 redirects

itd device-group WEB_FARM
  probe icmp
  vrf LB-225
  node ip 192.168.225.103 


itd WEB_DSR
  vrf LB-225
  device-group WSA_FARM
  virtual ip 192.168.225.250 255.255.255.255
  ingress interface Vlan225 
  failaction node reassign 
  load-balance method src ip
  no shut


itd statistics WEB_DSR

The problems I'm facing:

  1. For this to work, I need to bind ARP for VIP manually on all hosts which must communicate on VIP in this network. No ARP discovery/gratuitous ARP have seen with tcpdump inside this VLAN.
  2. If I set 'advertise enable' for 'virtuap ip' in the ITD service, the route for VIP is added with next-hop of the active node. After this service stops working. The 'virtual ip' with 'advertise disable' works quite ok. But still no proper ARP advertising.
  3. I'm not sure if this work if I setup the same on the 2nd vPC box because of static ARP binding.

Why do I need Direct Server Response mode inside the same VLAN: there is another device, FirePower, connected to current VLAN225, and it acts as a gw for all hosts in this network. FirePower is in routed mode. The idea is to utilize ITD inside nexus and not to mix this traffic with other Nexus tasks running in the global VRF.

I'm not sure if my design is optimal, and I'm open for any advices how to improve and fix ARP learning for ITD service VIP.

Thanks

D

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
d_sergienko
Level 1
Level 1

‎08-18-2025 04:48 AM

Hi all,

I've solved the problem myself. Now it works in DSR mode with the same VLAN for ingress and servers network with `advertising enable`. 

The root cause was vPC: it is critical to duplicate configuration on both vPC members, otherwise traffic may be dropped.

Regards,

D

View solution in original post

0 Helpful
4 Replies 4

Go to solution
M02@rt37
VIP
VIP

‎08-16-2025 02:58 AM

Hello @d_sergienko 

In DSR mode, idt doesn’t ARP for the VIP ; instead, servers must be configured with a loopback for the VIP and with no arp so that they can respond directly, while the Nexus only forwards the initial packets.

So, that’s why you don’t see gratuitous ARP for the VIP. If you enable 'advertise', Nexus inject a route pointing to one node, which breaks the DSR logic...

So, your design is not optimal because DSR requires a separation between the client ingress subnet and the server subnet, otherwise you’ll end up with exactly the ARP/manual static mapping issues you’re facing.

The best practice is to place the VIP in its own subnet/vlan, advertise it from the nexus, and let servers answer directly using the DSR loopback config.

--

Find cisco doc in pdf here from google:

https://www.google.com/url?sa=t&source=web&rct=j&opi=89978449&url=https://www.cisco.com/c/dam/en/us/td/docs/switches/datacenter/sw/design/itd_deployment/itd_dsr_deployment_guide.pdf&ved=2ahUKEwjVx6rxho-PAxVhSaQEHdEAHI0QFnoECDQQAQ&sqi=2&usg=AOvVaw3LXw...

Best regards
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.
0 Helpful

Go to solution
d_sergienko
Level 1
Level 1
In response to M02@rt37

‎08-16-2025 03:04 AM - edited ‎08-16-2025 03:05 AM

Thanks for the prompt reply.

If I follow your advice, I have a risk of traffic blocking on FirePower level as the single TCP/UDP/... connection spans across multiple interfaces: one is used for outgoing packets, another one is used for return from the servers. I'm not sure if firewalls like this.

Is DSR better solution at all? Maybe I need to take a look on ITD NAT? Will it work better taking into account vPC setup and the need to maintain correct NAT connections table on both boxes?

0 Helpful

Go to solution
M02@rt37
VIP
VIP
In response to d_sergienko

‎08-16-2025 03:20 AM - edited ‎08-16-2025 03:20 AM

Ok @d_sergienko, Thanks for that clarification.

If you need full firepwer inspection, dsr is not ideal because return traffic bypass the firewall, breaking inspection and security features, whereas ITD NAT with session synchronization across vPC peers ensures that all trafic for a given flow hits the same firewall and NAT tables stay consistent, avoiding asymmetric routing issues.

So, dsr is only suitable if inspection can be sacrificed for performance, but in a vpc setup where stateful inspection and correct NAT handling are required, ITD NAT or a similar "session-aware" solution is the safer choice...

 

 

Best regards
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.
0 Helpful

Go to solution
d_sergienko
Level 1
Level 1

‎08-18-2025 04:48 AM

Hi all,

I've solved the problem myself. Now it works in DSR mode with the same VLAN for ingress and servers network with `advertising enable`. 

The root cause was vPC: it is critical to duplicate configuration on both vPC members, otherwise traffic may be dropped.

Regards,

D

0 Helpful
Customers Also Viewed These Support Documents

Review Cisco Networking for a $25 gift card