06-08-2007 08:16 AM
Hi Gilles,
I have my setup still in the design stage.
I am going to deploy simple L4 load balancing. I have my clients sitting behind the CSS11501 trying to access my 4 WebLogic servers.
So my config would look like
!*************************** GLOBAL ***************************
ip route 0.0.0.0 0.0.0.0 192.168.1.100 1
!************************* INTERFACE *************************
interface e12
bridge vlan 10
!************************** CIRCUIT **************************
circuit VLAN1
ip address 192.168.1.50 255.255.255.0
circuit VLAN10
ip address 10.10.10.50 255.255.255.0
!************************** SERVICE **************************
service www-server1
ip address 10.10.10.1
keepalive type http
active
service www-server2
ip address 10.10.10.2
keepalive type http
active
service www-server3
ip address 10.10.10.3
keepalive type http
active
service www-server4
ip address 10.10.10.4
keepalive type http
active
!*************************** OWNER ***************************
owner Sample
content web-servers
protocol tcp
port 80
add service www-server1
add service www-server2
add service www-server3
add service www-server4
vip address 192.168.1.1
active
Now I would create 4 more content rules for load balancing within my servers
content service-1-backend
protocol tcp
port 1111
add service www-server2
add service www-server3
add service www-server4
vip address 10.10.10.5
active
content service-2-backend
protocol tcp
port 1111
add service www-server1
add service www-server3
add service www-server4
vip address 10.10.10.6
active
content service-3-backend
protocol tcp
port 1111
add service www-server1
add service www-server2
add service www-server4
vip address 10.10.10.7
active
content service-4-backend
protocol tcp
port 1111
add service www-server2
add service www-server3
add service www-server4
vip address 10.10.10.8
active
This means that service1's src IP would remain its original IP, so if it gets mapped to service2 for the backend communication, service2 can talk directly back to service1. Is there any reason this wouldn't work?
Earlier you had asked me to use "Client is configured with the command 'group'. You can use it in combination with an ACL to limit the client nat function to server-to-server traffic."
Now I am a little new to the CSS; if you explain these access lists in my context it would be great.
-Hoogen
06-10-2007 11:51 AM
The problem is not how you configure the CSS.
You would have the same issue with any other device doing destination NAT back to the original subnet.
Device A communicates with NAT-IP C.
So, when Device B responds to A directly, bypassing the NATing device [CSS or not], device A does not accept the packet from B since it is expecting a packet from C, and the communication is closed.
You need client NAT.
Gilles.
06-11-2007 09:59 PM
Hi Gilles
As per your update I have created a config as per my understanding. Would it be possible for you to verify this?
CS100# configure
CS100(config)# acl 1
CS100(config-acl[1])# clause 50 permit any any destination any
CS100(config-acl[1])# apply circuit-(VLAN10)
CS100(config-acl[1])# ex
CS100(config)# acl enable
CS100(config)# group clients-group1
CS100(config-group[clients-group])# vip address 10.10.10.11
CS100(config-group[clients-group])# act
CS100(config)# group clients-group2
CS100(config-group[clients-group])# vip address 10.10.10.12
CS100(config-group[clients-group])# act
CS100(config)# group clients-group3
CS100(config-group[clients-group])# vip address 10.10.10.13
CS100(config-group[clients-group])# act
CS100(config)# group clients-group4
CS100(config-group[clients-group])# vip address 10.10.10.14
CS100(config-group[clients-group])# act
CS100(config)# acl disable
CS100(config)# acl 1
CS100(config-acl[1])# clause 10 permit any 10.10.10.0 255.255.255.0 destination 10.10.10.0 255.255.255.0
CS100(config-acl[1])# clause 15 permit any 10.10.10.2 255.255.255.255 destination any sourcegroup clients-group1
CS100(config-acl[1])# clause 16 permit any 10.10.10.3 255.255.255.255 destination any sourcegroup clients-group1
CS100(config-acl[1])# clause 17 permit any 10.10.10.4 255.255.255.255 destination any sourcegroup clients-group1
CS100(config-acl[1])# clause 25 permit any 10.10.10.1 255.255.255.255 destination any sourcegroup clients-group2
CS100(config-acl[1])# clause 26 permit any 10.10.10.3 255.255.255.255 destination any sourcegroup clients-group2
CS100(config-acl[1])# clause 27 permit any 10.10.10.4 255.255.255.255 destination any sourcegroup clients-group2
CS100(config-acl[1])# clause 35 permit any 10.10.10.2 255.255.255.255 destination any sourcegroup clients-group3
CS100(config-acl[1])# clause 36 permit any 10.10.10.1 255.255.255.255 destination any sourcegroup clients-group3
CS100(config-acl[1])# clause 37 permit any 10.10.10.4 255.255.255.255 destination any sourcegroup clients-group3
CS100(config-acl[1])# clause 45 permit any 10.10.10.2 255.255.255.255 destination any sourcegroup clients-group4
CS100(config-acl[1])# clause 46 permit any 10.10.10.3 255.255.255.255 destination any sourcegroup clients-group4
CS100(config-acl[1])# clause 47 permit any 10.10.10.1 255.255.255.255 destination any sourcegroup clients-group4
CS100(config-acl[1])# remove circuit-(VLAN10)
CS100(config-acl[1])# apply circuit-(VLAN10)
CS100(config-acl[1])# ex
CS100(config)# acl enable
Thank You
Hoogen
06-12-2007 05:40 AM
Hoogen,
You absolutely want to make this complicated :-).
The CSS will do PAT, to be correct, so you can use 1 nat_ip for all your servers.
So the config becomes simply
acl 1
clause 46 permit any 10.10.10.0 255.255.255.0 destination
clause 99 permit any any destination any
apply circuit-(VLAN10)
Gilles.
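The two points Gilles makes in this thread (a server rejects a reply that arrives from a real server instead of the VIP it connected to, and a single nat_ip is enough because the CSS does PAT) can be shown with a small packet-level simulation. This is an added example written for this page; it is not code from the thread, from Cisco or from the CSS itself. The addresses reuse the ones from Hoogen's config (VIP 10.10.10.5, real servers 10.10.10.2-4, nat_ip 10.10.10.11); the `LoadBalancer`, `Host` and `Packet` names and the port numbers are assumed for the simulation only.

```python
"""Toy model of server-to-server load balancing on one VLAN.

The load balancer always does destination NAT (VIP -> real server) and,
when client NAT is enabled, also rewrites the source to a single nat_ip
using PAT (one port per flow). Hosts only accept a reply from the exact
(ip, port) they opened the connection to. Addresses follow the thread;
everything else here is a constructed simulation, not CSS behaviour code.
"""
from dataclasses import dataclass
from itertools import cycle
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class Host:
    """A server: remembers which peer each local port was opened to."""

    def __init__(self, ip: str) -> None:
        self.ip = ip
        self.expecting: Dict[int, Tuple[str, int]] = {}  # local port -> (peer ip, peer port)

    def connect(self, peer_ip: str, peer_port: int, sport: int) -> Packet:
        self.expecting[sport] = (peer_ip, peer_port)
        return Packet(self.ip, sport, peer_ip, peer_port)

    def accepts(self, pkt: Packet) -> bool:
        # A reply must come from the (ip, port) the socket was opened to; a real
        # TCP stack would answer anything else with a RST and the session dies.
        return self.expecting.get(pkt.dport) == (pkt.src, pkt.sport)


class LoadBalancer:
    """DNAT to a round-robin real server; client NAT (PAT) only if nat_ip is set."""

    def __init__(self, vip: str, vport: int, servers: List[str], nat_ip: Optional[str] = None) -> None:
        self.vip, self.vport, self.nat_ip = vip, vport, nat_ip
        self._next_server = cycle(servers)
        self._next_port = 1024
        self.flows: Dict[int, Tuple[str, int, str]] = {}  # nat port -> (client ip, client port, server)

    def forward(self, pkt: Packet) -> Packet:
        assert (pkt.dst, pkt.dport) == (self.vip, self.vport), "not addressed to the VIP"
        server = next(self._next_server)
        if self.nat_ip is None:
            # destination NAT only: the real server sees the client's own address
            return Packet(pkt.src, pkt.sport, server, self.vport)
        nat_port, self._next_port = self._next_port, self._next_port + 1
        self.flows[nat_port] = (pkt.src, pkt.sport, server)
        return Packet(self.nat_ip, nat_port, server, self.vport)  # PAT: one ip, many ports

    def reverse(self, pkt: Packet) -> Optional[Packet]:
        """Un-NAT a reply that came back to nat_ip; source it from the VIP."""
        if pkt.dst != self.nat_ip or pkt.dport not in self.flows:
            return None
        client_ip, client_port, server = self.flows[pkt.dport]
        if pkt.src != server:
            return None
        return Packet(self.vip, self.vport, client_ip, client_port)


def simulate(client_nat: bool) -> bool:
    """Return True if server1's connection through the VIP gets a usable reply."""
    server1 = Host("10.10.10.1")
    backends = ["10.10.10.2", "10.10.10.3", "10.10.10.4"]  # service-1-backend members
    lb = LoadBalancer("10.10.10.5", 1111, backends, "10.10.10.11" if client_nat else None)
    syn = server1.connect("10.10.10.5", 1111, sport=40000)
    to_server = lb.forward(syn)
    # The chosen backend replies to whatever source address it saw.
    reply = Packet(to_server.dst, to_server.dport, to_server.src, to_server.sport)
    if reply.dst == lb.nat_ip:
        reply = lb.reverse(reply)  # only traffic for nat_ip returns via the CSS
    # Otherwise the reply is addressed to server1 on the same VLAN and bypasses
    # the CSS entirely, arriving with the real server's address as source.
    return reply is not None and server1.accepts(reply)


def pat_sources(num_clients: int) -> List[Tuple[str, int]]:
    """Show that PAT lets every client share one nat_ip, told apart by port."""
    lb = LoadBalancer("10.10.10.5", 1111, ["10.10.10.2"], "10.10.10.11")
    seen = []
    for i in range(num_clients):
        client = Host(f"10.10.10.{1 + i}")
        out = lb.forward(client.connect("10.10.10.5", 1111, sport=50000))
        seen.append((out.src, out.sport))
    return seen


if __name__ == "__main__":
    print("DNAT only, reply accepted:", simulate(client_nat=False))   # False
    print("DNAT + client NAT, reply accepted:", simulate(client_nat=True))  # True
    print("PAT sources for 3 clients:", pat_sources(3))
```

`simulate(False)` reproduces the failure from the thread: server2 answers server1 directly from 10.10.10.2, but server1 opened its socket to 10.10.10.5 and drops the packet. `simulate(True)` shows why client NAT fixes it: the reply is addressed to the nat_ip, so it has to pass back through the CSS, which restores the VIP as the source. `pat_sources` shows why one nat_ip (one `group` with one `vip address`) is enough for all four servers, which is the simplification Gilles suggests.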
06-12-2007 07:02 AM
Hi Gilles,
Thanks a ton again. Well, I am pretty new to this kind of deployment; we stopped selling another kind of load balancer and started selling Cisco's recently. This is just my third deployment and the first one where I got a request from the customer that he needs his servers in the internal VLAN to be load balanced.
Now coming back to what I did, I thought that I needed to create a new IP that servers should talk to when talking to other servers in the same VLAN. So what I did was create a client-group1: when server1 talks to the other servers 2, 3 and 4, it talks to a VIP address of 10.10.10.11. And if servers 1, 3, 4 talk to server2 the VIP would be 10.10.10.12.
Now as you have suggested my understanding is that I should be doing this way
CS100(config)# group clients-group1
CS100(config-group[clients-group])# vip address 10.10.10.11
CS100(config-group[clients-group])# act
acl 1
clause 46 permit any 10.10.10.0 255.255.255.0 destination any sourcegroup clients-group1
clause 99 permit any any destination any
apply circuit-(VLAN10)
In the above configuration, if server 1 (10.10.10.1) wants to talk to servers 2, 3, 4 the VIP to contact would be 10.10.10.11, and also if server 2 (10.10.10.2) wants to talk to servers 1, 3, 4 the VIP address would be 10.10.10.11.
Please correct me if my understanding is wrong.
-Hoogen
06-13-2007 08:19 AM
Hi Gilles,
Have I got it right at last?
Thanks,
Hoogen