Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
501
Views
0
Helpful
4
Replies

Problem connecting locally to VIP address

Go to solution
branfarm1
Level 4
Level 4

‎05-19-2008 05:34 AM

Hi there. I have a problem that I'm having difficulties solving. I inherited a network design that I think is responsible for the problem but I'm hoping someone out there can help me out. Here's what I've got:

web-servers: dual NIC's with one NIC on a "local" VLAN (10.10.0.0/24), and the other NIC on the load-balancer backend VLAN (10.10.4.0/24)

Load-balancers: back-end VLAN (10.10.4.0/24), front-end in DMZ 10.10.8.0/24). Default-gateway goes to DMZ firewalls.

The problem I'm running into is that I can only configure it so that I can either connect directly to each web-server or I can only connect to the load-balanced vip address -- it's one or the other. I'm fairly certain that this is because since proper load-balancing requires all traffic to go through the load-balancer, the default gateway on my web servers is the Load-balancer.

I'm trying to configure it so that I can have access to the load-balanced VIP addresses from the local VLAN (10.10.0.0/24). How do I make that work though? I've tried using groups, but that didn't seem to work. One thing I haven't tried yet is to create a vip address for VLAN1. I've attached my config for review.

Thanks for your help!

Labels:
Preview file
4 KB
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Gilles Dufour
Cisco Employee
Cisco Employee

‎05-19-2008 06:46 AM

you can change the default gateway of the server to be a router in the local vlan.

This will give you access to the servers directly.

Then, to get access to the vip, you need to configure a group with a group address belonging to the server subnet (10.10.4.x).

Like this, servers do not need to use a gw to respond to the CSS.

Give that a try and let me know if it works.

Gilles.

View solution in original post

0 Helpful
4 Replies 4

Go to solution
Gilles Dufour
Cisco Employee
Cisco Employee

‎05-19-2008 06:46 AM

you can change the default gateway of the server to be a router in the local vlan.

This will give you access to the servers directly.

Then, to get access to the vip, you need to configure a group with a group address belonging to the server subnet (10.10.4.x).

Like this, servers do not need to use a gw to respond to the CSS.

Give that a try and let me know if it works.

Gilles.

0 Helpful

Go to solution
branfarm1
Level 4
Level 4
In response to Gilles Dufour

‎05-19-2008 06:50 AM

Thanks for the response. Couple of questions though... how will changing the default gateway of the servers affect the traffic already being load-balanced by the 10.10.8.x VIP's? Also, the 10.10.4.x network only exists between the servers and the load-balancers... it is not routed at all. Should I still create a group address in there?

Thanks!

0 Helpful

Go to solution
Gilles Dufour
Cisco Employee
Cisco Employee
In response to branfarm1

‎05-19-2008 06:54 AM

The group will do client nat.

So, all traffic going the LB will be nated with the 10.10.4.x address.

The servers will see traffic coming from that address and will respond to it without the need of a router.

It's the only solution to make your design work.

The other approach would be to change the design and just use a single NIC.

dual nic is always a source of issue with loadbalancers.

Gilles.

0 Helpful

Go to solution
branfarm1
Level 4
Level 4
In response to Gilles Dufour

‎05-31-2008 12:26 PM

Thanks for your help Gilles -- this worked great. I ended up configuring a group and adding service destinations. What's a scenario when you would create a group and use services, instead of service destinations?

0 Helpful
Customers Also Viewed These Support Documents

Review Cisco Networking for a $25 gift card