Load Balance traffic for outside users as well as internal server traffic

hoogen_82
Level 4

Hi Gilles,

I have my setup still in the design stage.

I am going to deploy simple L4 load balancing. I have my clients sitting behind the CSS11501 trying to access my 4 WebLogic servers.

So my config would look like:

!*************************** GLOBAL ***************************
ip route 0.0.0.0 0.0.0.0 192.168.1.100 1

!************************* INTERFACE *************************
interface e12
  bridge vlan 10

!************************** CIRCUIT **************************
circuit VLAN1
  ip address 192.168.1.50 255.255.255.0

circuit VLAN10
  ip address 10.10.10.50 255.255.255.0

!************************** SERVICE **************************
service www-server1
  ip address 10.10.10.1
  keepalive type http
  active

service www-server2
  ip address 10.10.10.2
  keepalive type http
  active

service www-server3
  ip address 10.10.10.3
  keepalive type http
  active

service www-server4
  ip address 10.10.10.4
  keepalive type http
  active

!*************************** OWNER ***************************
owner Sample

  content web-servers
    protocol tcp
    port 80
    add service www-server1
    add service www-server2
    add service www-server3
    add service www-server4
    vip address 192.168.1.1
    active

Now I would create 4 more content rules for load balancing within my servers:

  content service-1-backend
    protocol tcp
    port 1111
    add service www-server2
    add service www-server3
    add service www-server4
    vip address 10.10.10.5
    active

  content service-2-backend
    protocol tcp
    port 1111
    add service www-server1
    add service www-server3
    add service www-server4
    vip address 10.10.10.6
    active

  content service-3-backend
    protocol tcp
    port 1111
    add service www-server1
    add service www-server2
    add service www-server4
    vip address 10.10.10.7
    active

  content service-4-backend
    protocol tcp
    port 1111
    add service www-server2
    add service www-server3
    add service www-server4
    vip address 10.10.10.8
    active

This means that service1's source IP would remain its original IP, so if it gets mapped to service2, for the backend communication, service2 can talk directly back to service1 - is there any reason this wouldn't work?

Earlier you had asked me to use "Client is configured with the command 'group'. You can use it in combination with an ACL to limit the client nat function to server-to-server traffic."

Now I am a little new to the CSS; if you explain these access lists in my context it would be great.

-Hoogen

5 Replies

Gilles Dufour
Cisco Employee

The problem is not how you configure the CSS.

You would have the same issue with any other device doing destination NAT back to the original subnet.

Device A communicates with NAT-IP C.

So, when Device B responds to A directly, bypassing the NATing device [CSS or not], device A does not accept the packet from B since it is expecting a packet from C, and the communication is closed.

You need client NAT.

Gilles.

Hi Gilles

As per your update I have created a config as per my understanding. Would it be possible for you to verify this?

CS100# configure
CS100(config)# acl 1
CS100(config-acl[1])# clause 50 permit any any destination any
CS100(config-acl[1])# apply circuit-(VLAN10)
CS100(config-acl[1])# ex
CS100(config)# acl enable

CS100(config)# group clients-group1
CS100(config-group[clients-group])# vip address 10.10.10.11
CS100(config-group[clients-group])# act
CS100(config)# group clients-group2
CS100(config-group[clients-group])# vip address 10.10.10.12
CS100(config-group[clients-group])# act
CS100(config)# group clients-group3
CS100(config-group[clients-group])# vip address 10.10.10.13
CS100(config-group[clients-group])# act
CS100(config)# group clients-group4
CS100(config-group[clients-group])# vip address 10.10.10.14
CS100(config-group[clients-group])# act

CS100(config)# acl disable
CS100(config)# acl 1
CS100(config-acl[1])# clause 10 permit any 10.10.10.0 255.255.255.0 destination 10.10.10.0 255.255.255.0
CS100(config-acl[1])# clause 15 permit any 10.10.10.2 255.255.255.255 destination any sourcegroup clients-group1
CS100(config-acl[1])# clause 16 permit any 10.10.10.3 255.255.255.255 destination any sourcegroup clients-group1
CS100(config-acl[1])# clause 17 permit any 10.10.10.4 255.255.255.255 destination any sourcegroup clients-group1
CS100(config-acl[1])# clause 25 permit any 10.10.10.1 255.255.255.255 destination any sourcegroup clients-group2
CS100(config-acl[1])# clause 26 permit any 10.10.10.3 255.255.255.255 destination any sourcegroup clients-group2
CS100(config-acl[1])# clause 27 permit any 10.10.10.4 255.255.255.255 destination any sourcegroup clients-group2
CS100(config-acl[1])# clause 35 permit any 10.10.10.2 255.255.255.255 destination any sourcegroup clients-group3
CS100(config-acl[1])# clause 36 permit any 10.10.10.1 255.255.255.255 destination any sourcegroup clients-group3
CS100(config-acl[1])# clause 37 permit any 10.10.10.4 255.255.255.255 destination any sourcegroup clients-group3
CS100(config-acl[1])# clause 45 permit any 10.10.10.2 255.255.255.255 destination any sourcegroup clients-group4
CS100(config-acl[1])# clause 46 permit any 10.10.10.3 255.255.255.255 destination any sourcegroup clients-group4
CS100(config-acl[1])# clause 47 permit any 10.10.10.1 255.255.255.255 destination any sourcegroup clients-group4
CS100(config-acl[1])# remove circuit-(VLAN10)
CS100(config-acl[1])# apply circuit-(VLAN10)
CS100(config-acl[1])# ex
CS100(config)# acl enable

Thank You

Hoogen

Hoogen,

You absolutely want to make this complicated :-).

The CSS will do PAT, to be correct, so you can use 1 nat_ip for all your servers.

So the config becomes simply:

acl 1
  clause 46 permit any 10.10.10.0 255.255.255.0 destination / sourcegroup clients-group1
  clause 99 permit any any destination any
  apply circuit-(VLAN10)

Gilles.
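To make Gilles's two points concrete (a same-subnet server replying straight to the original source gets dropped, and one client-NAT group VIP with PAT fixes it while an ACL keeps outside clients un-NATted), here is an added toy model in Python. It is not code from the thread or from Cisco; the addresses follow the thread's config (servers 10.10.10.1-4, backend VIP 10.10.10.5, group VIP 10.10.10.11, outside VIP 192.168.1.1), while the Packet, Host and LoadBalancer classes and the flow-table logic are constructed for the simulation and only approximate what the CSS does.

```python
"""Toy model of destination NAT with and without client (source) NAT on a
load balancer that sits on the same VLAN as its real servers.

Constructed for illustration; addresses follow the thread's configuration,
the classes and flow table are an assumption of how such a device behaves."""
import ipaddress
from dataclasses import dataclass, field
from itertools import cycle

SERVER_NET = ipaddress.ip_network("10.10.10.0/24")   # VLAN10, the server subnet


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    kind: str            # "SYN" (new connection) or "SYN-ACK" (reply)


@dataclass
class Host:
    ip: str
    # (local_port, peer_ip, peer_port) of every connection this host opened
    expected: set = field(default_factory=set)

    def connect(self, dst_ip, dst_port, src_port):
        self.expected.add((src_port, dst_ip, dst_port))
        return Packet(self.ip, src_port, dst_ip, dst_port, "SYN")

    def deliver(self, pkt):
        """Return ('accepted', reply) or ('dropped', None). A SYN is answered;
        any other packet must match a connection this host itself opened."""
        if pkt.kind == "SYN":
            return "accepted", Packet(self.ip, pkt.dst_port, pkt.src_ip, pkt.src_port, "SYN-ACK")
        if (pkt.dst_port, pkt.src_ip, pkt.src_port) in self.expected:
            return "accepted", None
        return "dropped", None           # peer/port tuple is not the one we expect


class LoadBalancer:
    """Destination NAT from a content-rule VIP to a real server, plus optional
    client NAT to one group VIP (PAT), applied only to sources matching an ACL net."""

    def __init__(self, vip, servers, nat_ip=None, nat_source_net=SERVER_NET):
        self.vip = vip
        self.servers = cycle(servers)    # round robin between real servers
        self.nat_ip = nat_ip             # the 'group' vip address; None = no client NAT
        self.nat_source_net = nat_source_net
        self.next_port = 40000           # PAT: one NAT IP, a fresh source port per flow
        self.flows = {}                  # (server, addr, port) -> (orig_src_ip, orig_src_port)

    def forward(self, pkt):
        if pkt.dst_ip != self.vip:
            return pkt
        server = next(self.servers)
        if self.nat_ip and ipaddress.ip_address(pkt.src_ip) in self.nat_source_net:
            port, self.next_port = self.next_port, self.next_port + 1
            self.flows[(server, self.nat_ip, port)] = (pkt.src_ip, pkt.src_port)
            return Packet(self.nat_ip, port, server, pkt.dst_port, pkt.kind)
        # destination NAT only: the real server sees the true client address
        self.flows[(server, pkt.src_ip, pkt.src_port)] = (pkt.src_ip, pkt.src_port)
        return Packet(pkt.src_ip, pkt.src_port, server, pkt.dst_port, pkt.kind)

    def reverse(self, pkt):
        """Undo the translation on a reply from a real server: source becomes the VIP again."""
        orig_ip, orig_port = self.flows[(pkt.src_ip, pkt.dst_ip, pkt.dst_port)]
        return Packet(self.vip, pkt.src_port, orig_ip, orig_port, pkt.kind)


def reply_passes_css(reply, lb):
    """A reply to the group VIP, or to another subnet (the CSS is the servers'
    gateway), goes through the CSS; a reply to a same-subnet host bypasses it."""
    return reply.dst_ip == lb.nat_ip or ipaddress.ip_address(reply.dst_ip) not in SERVER_NET


def simulate(client_ip, vip, client_nat):
    """Open one connection from client_ip to vip; return (client verdict,
    source address the client saw on the reply, source address the server saw)."""
    servers = {ip: Host(ip) for ip in ("10.10.10.2", "10.10.10.3", "10.10.10.4")}
    client = Host(client_ip)
    lb = LoadBalancer(vip, list(servers), nat_ip="10.10.10.11" if client_nat else None)
    fwd = lb.forward(client.connect(vip, 1111, src_port=51000))
    _, reply = servers[fwd.dst_ip].deliver(fwd)
    if reply_passes_css(reply, lb):
        reply = lb.reverse(reply)
    status, _ = client.deliver(reply)
    return status, reply.src_ip, fwd.src_ip


if __name__ == "__main__":
    print("server-to-server, no client NAT:", simulate("10.10.10.1", "10.10.10.5", client_nat=False))
    print("server-to-server, client NAT:   ", simulate("10.10.10.1", "10.10.10.5", client_nat=True))
    print("outside client, ACL keeps real IP:", simulate("192.168.1.20", "192.168.1.1", client_nat=True))
```

The first run shows the failure Gilles describes: 10.10.10.1 opened a connection to 10.10.10.5, but the SYN-ACK arrives directly from 10.10.10.2 and is dropped. With the group VIP, the server answers 10.10.10.11, which the CSS owns, so the reply is un-NATted back to a source of 10.10.10.5 and accepted; the ACL restricts this to sources in 10.10.10.0/24, so the outside client in the third run still reaches the servers with its real address, as the thread's quoted advice intends.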

Hi Gilles,

Thanks a ton again. Well, I am pretty new to this kind of deployment; we stopped selling another kind of load balancer and started selling Cisco's recently. This is just my third deployment and the first one where I got a request from the customer that he needs his servers in the internal VLAN to be load balanced.

Now coming back to what I did, I thought that I needed to create a new IP that servers should talk to when talking to other servers in the same VLAN. So what I did was create client-group1: when server1 talks to the other servers 2, 3 and 4, it talks to a VIP address of 10.10.10.11. And if servers 1, 3, 4 talk to server2, the VIP would be 10.10.10.12.

Now, as you have suggested, my understanding is that I should be doing it this way:

CS100(config)# group clients-group1
CS100(config-group[clients-group])# vip address 10.10.10.11
CS100(config-group[clients-group])# act

acl 1
  clause 46 permit any 10.10.10.0 255.255.255.0 destination any sourcegroup clients-group1
  clause 99 permit any any destination any
  apply circuit-(VLAN10)

In the above configuration, if server 1 (10.10.10.1) wants to talk to servers 2, 3, 4 the VIP to contact would be 10.10.10.11, and also if server 2 (10.10.10.2) wants to talk to servers 1, 3, 4 the VIP address would be 10.10.10.11.

Please correct me if my understanding is wrong.

-Hoogen

Hi Gilles,

Have I got it right at last?

Thanks,

Hoogen
