Limitation on source group with services using ip address range

ct_yau
Level 1

Hello,

I have an interface on the CSS which I regard as public and another interface I regard as private. On the private interface is a server farm with private IP addresses. Since the server admin guys insisted the servers need to access the internet just for Windows Update, I made a source group to NAT the private addresses to public addresses to allow the servers to access the internet.

I defined services for use by the source group. Since keepalive is not important in this case, I set keepalive to none to, I hope, save system resources.

I have servers 192.168.1.1-5 (5 servers) and 192.168.1.11-14 (4 servers), so I made a service with ip address 192.168.1.1 range 5 and another service with ip address 192.168.1.11 range 4.

But then I found that the two services cannot be put in the same source group. It is because of the different range in the service definitions.

I can get it to work if I define services with single IP addresses, but then I will have a long configuration with repetitive information. And I think this may use more system resources.

I can also get it to work if I include 192.168.11.15 and define two services both with a range of 5 IP addresses. But 192.168.11.15 is not actually there.

Why is there such a limitation on source groups, or on services with an IP address range? Is there the same limitation for content rules? Or am I getting it all wrong and should do the configuration in another way?

Advice will be welcome.

CT Yau

Hong Kong

4 Replies

skumar1969
Level 1

Yes, you are correct. There is a limitation when adding services into source groups.

You can create as many services as you like that share an IP range (e.g. a /24 subnet range). But the trouble starts when you add them into source groups. You cannot add them into a source group, nor can you add them under different source groups either.

You mentioned that you can use single IP addresses instead of a range for the services... but that is not true, as you will be stuck when you add them into source groups.

I can think of the following options in your case.

Option 1

Change the IP range on the servers. Use 2 different IP ranges, one for those 5 servers and another for those 4 servers.

Create 2 services, one for each range.

Create 2 groups and add the services.

service server-out-192.168.1.1-5
  ip address 192.168.1.1 range 5
  active

service server-out-192.168.1.11-14
  ip address 192.168.1.11 range 4
  active

group server-out-192.168.1.1-5
  vip address x.x.x.1
  add service server-out-192.168.1.1-5
  active

group server-out-192.168.1.11-14
  vip address x.x.x.2
  add service server-out-192.168.1.11-14
  active

Option 2

Create a service that includes all the IP addresses from 192.168.1.1 through .14 using the range keyword.

Now you need to create one source group with a VIP. Add the service to the source group.

If you do not want to cover the unassigned IP addresses, just move them up and use consecutive ones.

service server-out-192.168.1.1-14
  ip address 192.168.1.1 range 14
  active

group server-out-192.168.1.1-14
  vip address x.x.x.x
  add service server-out-192.168.1.1-14
  active

thanks

Thanks for the information.

What I finally did was exactly your option 1. By this I have to use two different VIPs. This is not a problem in general.

What I meant by using services with single IP addresses is:

service server-out-192.168.1.1
  ip address 192.168.1.1
  active

service server-out-192.168.1.2
  ip address 192.168.1.2
  active

service server-out-192.168.1.3
  :
  :

service server-out-192.168.1.14
  ip address 192.168.1.14
  active

group server-out-192.168.x
  vip address x.x.x.x
  add service server-out-192.168.1.1
  add service server-out-192.168.1.2
  :
  :
  add service server-out-192.168.1.14
  active

This works because all services added to the source group have the same number of IP addresses (1 in this case). If I create two services with range 5, the two services can be added to the same source group. But if I create one service with range 5 and one with range 4, I cannot add the two services into the same group.

So I was surprised by the existence of such a limitation. I guess it may be because of the ASIC design. But in real-life applications I don't see why such a limitation is necessary. For a service with an ip address using the 'range' keyword, the keepalive only works on the first IP address. But in my application I don't need keepalive.

I have not tried it on content rules, but I believe the same limitation would apply.

CT Yau

Hong Kong
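The rule CT Yau observed above (every service in a source group must cover the same number of addresses, so uneven runs end up in separate groups with separate VIPs) can be checked before touching the switch. The following planner is an added example, not code from the thread or from Cisco: it collapses a server list into contiguous runs, puts runs of equal length into one source group, and emits CSS-style stanzas; the server list is taken from the thread and the VIPs are constructed placeholders.

```python
import ipaddress

# Constructed sample: the nine servers from the thread.
SERVERS = [f"192.168.1.{n}" for n in (1, 2, 3, 4, 5, 11, 12, 13, 14)]
# Hypothetical public VIPs for the NAT source groups (documentation range).
VIPS = ["203.0.113.1", "203.0.113.2"]

def contiguous_ranges(addrs):
    """Collapse a set of IPv4 addresses into (start, count) runs, i.e. the
    'ip address <start> range <count>' form a CSS service accepts."""
    runs = []
    for ip in sorted(ipaddress.IPv4Address(a) for a in set(addrs)):
        if runs and ip == runs[-1][0] + runs[-1][1]:
            runs[-1][1] += 1          # extends the current run
        else:
            runs.append([ip, 1])      # starts a new run
    return [(str(start), count) for start, count in runs]

def plan_source_groups(addrs, vips):
    """One service per run; services of the same range length share a source
    group (the limitation observed in the thread). Each group needs its own
    VIP, so the planner fails loudly if there are not enough VIPs."""
    by_len = {}
    for start, count in contiguous_ranges(addrs):
        by_len.setdefault(count, []).append((start, count))
    if len(by_len) > len(vips):
        raise ValueError(f"need {len(by_len)} VIPs, only {len(vips)} given")
    return [{"group": f"server-out-range{n}", "vip": vip, "services": svcs}
            for (n, svcs), vip in zip(sorted(by_len.items()), vips)]

def render(groups):
    """Emit CSS-style service and group stanzas for a plan."""
    lines = []
    for g in groups:
        for start, count in g["services"]:
            rng = f" range {count}" if count > 1 else ""
            lines += [f"service server-out-{start}-r{count}",
                      f"  ip address {start}{rng}", "  active"]
    for g in groups:
        lines += [f"group {g['group']}", f"  vip address {g['vip']}"]
        lines += [f"  add service server-out-{s}-r{c}" for s, c in g["services"]]
        lines.append("  active")
    return "\n".join(lines)

if __name__ == "__main__":
    print(render(plan_source_groups(SERVERS, VIPS)))
```

With the thread's nine servers the planner yields two groups (range 5 and range 4), matching option 1; adding a tenth address at .15 makes both runs length 5 and collapses them into a single group, which is the workaround CT Yau mentioned.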

That is weird. Why wouldn't they allow services with odd combinations of IP address ranges to be added under source groups... it doesn't ring any bells for me... certainly it could be a bug. Let's wait and see if someone on this forum comes up with a relevant answer.

thanks
