Placement of CSS11501 in network

ct_yau
Level 1

My shop bought two CSS11501 from a local Cisco reseller to set up a web server farm for intranet applications. When I talked with the pre-sales technical people at the beginning, they told me that placement of the CSS is flexible and can be any point in the network. I then thought the CSS would be accessing the web servers using their own IP addresses on behalf of the clients and bridging the server-side and the client-side flows. But, at implementation time, the after-sales technical people told me the default gateway of the web servers must be set to the CSS, and the CSS must be in the same segment as the servers. It is a big difference from that depicted by the pre-sales. Finally, things got done, and when I used "show flows" I found the web servers are replying directly to the clients instead of to the CSS; that is why the servers' default gateway must be the CSS.

Is it a must for the CSS to be placed within the network path between clients and servers?

Are there configuration options that allow the CSS to be not along the network path, such as on a separate segment of its own with network access to both the servers and clients? That would be more convenient for me, as I could use the same pair of CSS to support more server farms, each on different segments, for new applications.

Accepted Solutions

rajnagpal
Level 1

It is definitely possible to have the CSS in a different network path and be on a separate segment of its own; however, you need to take into consideration that the site that the customers would be typing in their browser should resolve to a VIP address on the CSS, and then the CSS can forward that request to the servers.

VLANs on the CSS are used for logical distinction, and if you cannot have the web servers being load balanced by the CSS point to the circuit IP address of the web server as their default gateway, and the web servers respond to the client's request directly, then the flow would break. To avoid this situation we do have a workaround on the CSS, and that is to use Source Groups.

1. Topology reasons: The CSS is in a one armed configuration and the CSS needs to NAT the client source IP address to its own so that the server responds to the CSS and not directly to the Client.

2. The second reason is source-group NATing. This is used so that your servers can generate traffic. The CSS will NAT your servers' source IP to its own IP address so that your server's traffic can be routed with a public IP.

The following link provides details regarding the usage of groups in one armed configuration:

http://www.cisco.com/en/US/products/hw/contnetw/ps789/products_configuration_example09186a0080093dff.shtml

The following link provides information regarding configuration of Source Groups:

http://www.cisco.com/univercd/cc/td/doc/product/webscale/css/css_720/bsccfggd/sgacleql.htm

Go through the above documents as they would be helpful in trying to configure what you want to achieve.

I would get a better description if you would provide me your topology and implementation details. Anyway the documents would provide you more insight.

Regards,

Rajesh

Thank you! It hits the spot.

The document in the first doc link you provided mentions the CSS performs better in-line than one-armed.

Because of this, I will want to use the in-line configuration at first and add some one-armed configuration when adding new services and the ports on the CSS are running out. Is that feasible? Can both one-armed and in-line configurations be used on the same pair of CSS?

Hi,

It is possible to have an inline configuration and a one-armed configuration on the same CSS.

The CSS is a flow-based switch, so one should be more concerned about how flows are set up on the CSS. If the client makes a request that hits the CSS and the CSS has to now make a back-end connection with the web server to respond to the client's request, then one needs to make sure that the web server does not respond to the clients directly, bypassing the CSS.

You can find information about flows and their usage on the CSS from the document whose link is attached below:

http://www.cisco.com/en/US/products/hw/contnetw/ps789/products_administration_guide_chapter09186a0080176bd1.html

I hope this would address your concerns.

Regards,

Rajesh
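
The return-path behaviour discussed in the answers above, as an added example that is not part of the original thread: a small Python model of packet addressing for the in-line placement and for the one-armed placement with and without source-group NAT. All addresses and function names are constructed for illustration; it models addressing only and is not CSS configuration.

```python
from dataclasses import dataclass

# Constructed sample addresses (assumptions, not from the thread).
CLIENT, VIP, CSS_NAT, SERVER = "10.1.1.50", "10.2.2.100", "10.2.2.1", "10.3.3.10"

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str

def css_forward(pkt: Packet, source_nat: bool) -> Packet:
    """Client -> VIP: the load balancer rewrites the destination to the real
    server; with a source group it also rewrites the source to its own address."""
    return Packet(CSS_NAT if source_nat else pkt.src, SERVER)

def server_reply(request: Packet) -> Packet:
    """The server answers whatever source address it saw in the request."""
    return Packet(SERVER, request.src)

def return_path(reply: Packet, css_is_gateway: bool) -> Packet:
    """The reply crosses the load balancer only if it is addressed to it or it
    is the server's default gateway; only then is the NAT reversed."""
    if reply.dst == CSS_NAT or css_is_gateway:
        return Packet(VIP, CLIENT)
    return reply  # routed straight to the client, still sourced from SERVER

def flow_completes(css_is_gateway: bool, source_nat: bool) -> bool:
    """The client accepts a reply only from the address it connected to (VIP)."""
    request = css_forward(Packet(CLIENT, VIP), source_nat)
    reply = return_path(server_reply(request), css_is_gateway)
    return reply == Packet(VIP, CLIENT)

def address_seen_by_server(source_nat: bool) -> str:
    """Side effect of source NAT: server logs show the load balancer's address
    instead of the client's, which matters for audit trails and IP-based ACLs."""
    return css_forward(Packet(CLIENT, VIP), source_nat).src

if __name__ == "__main__":
    cases = [("in-line, no source NAT", True, False),
             ("one-armed, no source NAT", False, False),
             ("one-armed, source-group NAT", False, True)]
    for label, gateway, nat in cases:
        print(f"{label}: flow completes={flow_completes(gateway, nat)}, "
              f"server sees {address_seen_by_server(nat)}")
```
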
