Services with different IP address subnets over CSS 11500 series

estebanpini
Level 1

Hi all folks!

I have two CSS 11500 series...

In just a few months I will have a DRS (Disaster Recovery Site) ready, where I will have 2 more servers to add to the environment.
But these servers will be in a different subnet from the one I have today for the servers configured in the current services of my CSS.
So the doubt that arises is:
Is it correct to add two new services with these servers, but using the IP addressing of the DRS site, and to include on the CSS a static route to this network (of the DRS) in order to reach them? Is that correct, will it work well?
It would be like this....

             ________________LAN to LAN_____________________
             |                                              |
             |                                              |
|------SITE A------|                                |------SITE B------|
    [Firewall] ==============IPSEC============== [Firewall]
          |                                              |
          |                                              |
  [CSS-A]-[CSS-B]                                     [SWITCH]
      |       |                                        |     |
    [SWITCH]                                           |     |
[srvA] [srvB] [srvC]                                [srvD] [srvE]

So, at [CSS-A] & B, I will put a static route to the firewall, which knows the subnet of site B through the IPSEC tunnel.
So in the CSSs, I will add the new services for servers "D" & "E" with the IP addresses of site B.
It should look like this:

!*************************** GLOBAL ***************************
ip route 0.0.0.0 0.0.0.0 [IP FIREWALL]
ip route [SITE B SUBNET] [SITE B MASK] [IP FIREWALL]
!************************** SERVICE **************************
service srvA
  ip address A.A.A.x
  port 8080
service srvB
  ip address A.A.A.x+1
  port 8080
service srvC
  ip address A.A.A.x+2
  port 8080
service srvD
  ip address B.B.B.y
  port 8080
service srvE
  ip address B.B.B.y+1
  port 8080
****************************************************************
I know that this practice is not the most desirable; in fact I should use "Basic Global Server Load Balancing Site Redundancy Using the CSS with DNS", but I don't have much time to change the entire environment today, and in this first stage I have to begin with this poor but quick solution that I thought of, and I wanted to have it validated whether there is any possibility of this working.
In your experience, what do you say? Will it operate?
Thanks in advance!
Regards!
Esteban =)
3 Replies

Daniel Arrondo Ostiz
Cisco Employee

Hi Esteban,

There is nothing wrong with this topology, it will work fine.

However, there is one thing you need to take into account. You need to make sure that the traffic from the servers back to the clients is going through the CSS so that the NAT from the real server IP to the content rule IP can be done. If traffic goes back to the clients directly, connections will break.

There are a few ways to achieve this, some more complicated than others, but the most common ones are:

  • Use policy-based-routing to send the traffic to the CSS. In this case, however, since there are two hops between the servers and the CSS, you would have to configure PBR on each of the FWs, which can become a bit messy.
  • Configure the CSS to apply NAT to the client IP by using a source-group. This way, the servers would see the request as coming from an IP owned by the CSS, so they would just need a route back to it.

I hope this helps

Daniel
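To make the point in Daniel's reply concrete (return traffic must come back through the CSS so the NAT can be reversed), here is an added Python model that is not from the thread or from Cisco. It walks one client SYN through the CSS to a site-B server, once without and once with a source group, and reports whether the client's TCP stack would accept the reply. All addresses are constructed from the RFC 5737 documentation ranges, and the separate "group VIP" standing in for the source-group NAT address is an assumption about how the CSS would be configured.

```python
"""Model of why server-to-client traffic must return through the CSS.

Constructed example; addresses are RFC 5737 documentation ranges, not the
poster's real ones. The source-group NAT address (GROUP_VIP) is assumed.
"""
from dataclasses import dataclass, replace

CLIENT = "198.51.100.10"     # client out on the Internet
VIP = "203.0.113.10"         # content rule VIP owned by the CSS
GROUP_VIP = "203.0.113.11"   # source-group NAT address owned by the CSS (assumed)
SRV_D = "10.2.2.20"          # real server on the site B (DRS) subnet
CSS_OWNED = {VIP, GROUP_VIP}


@dataclass(frozen=True)
class Pkt:
    src: str
    dst: str
    sport: int
    dport: int


class CSS:
    """Minimal content switch: DNAT to the real server, optional SNAT via a source group."""

    def __init__(self, source_group: bool):
        self.source_group = source_group
        self.flows = {}  # server-facing 4-tuple -> packet as the client sent it

    def client_to_server(self, p: Pkt) -> Pkt:
        assert p.dst == VIP, "model only handles traffic to the content rule VIP"
        fwd = replace(p, dst=SRV_D)            # content rule: VIP -> real server
        if self.source_group:
            fwd = replace(fwd, src=GROUP_VIP)  # source group: client IP -> CSS-owned IP
        self.flows[(fwd.dst, fwd.dport, fwd.src, fwd.sport)] = p
        return fwd

    def server_to_client(self, p: Pkt) -> Pkt:
        # Reverse the translation using the flow state recorded on the way in.
        orig = self.flows[(p.src, p.sport, p.dst, p.dport)]
        return Pkt(src=VIP, dst=orig.src, sport=orig.dport, dport=orig.sport)


def server_reply(p: Pkt) -> Pkt:
    """The server answers whatever source address it saw on the request."""
    return Pkt(src=p.dst, dst=p.src, sport=p.dport, dport=p.sport)


def route_from_site_b(p: Pkt) -> str:
    # Site B reaches everything off-site through the IPsec tunnel to site A's
    # firewall. That firewall delivers CSS-owned addresses to the CSS; any other
    # destination is forwarded toward the Internet, bypassing the CSS entirely.
    return "css" if p.dst in CSS_OWNED else "internet"


def simulate(source_group: bool) -> dict:
    css = CSS(source_group)
    syn = Pkt(CLIENT, VIP, 40000, 8080)
    to_server = css.client_to_server(syn)
    reply = server_reply(to_server)
    path = route_from_site_b(reply)
    if path == "css":
        reply = css.server_to_client(reply)
    # The client only accepts a SYN-ACK from the peer it connected to (the VIP),
    # addressed to the socket it opened. A reply straight from the real server
    # IP does not match any connection and is dropped (or RST'd).
    accepted = reply.src == VIP and reply.dst == CLIENT and reply.dport == syn.sport
    return {
        "server_saw_src": to_server.src,
        "reply_path": path,
        "reply_src": reply.src,
        "accepted": accepted,
    }


if __name__ == "__main__":
    for sg in (False, True):
        print("source group" if sg else "no source group", simulate(sg))
```

Without the source group the server sees the real client address, its reply is routed straight out past the CSS with the server's own IP as source, and the client never matches it to its connection. With the source group the server sees a CSS-owned address, so plain destination routing brings the reply back to the CSS, which restores the VIP and the client address. This is exactly the difference between needing PBR on both firewalls and needing nothing beyond an ordinary route at site B.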

Daniel!

Sorry for the delay!

Thank you so much for your time replying.

You have been a great help with this doubt!
But... regarding "source group", let me know...
I can't understand the real difference between NAT with ACLs, as you can see at this link: (http://www.cisco.com/en/US/products/hw/contnetw/ps789/products_tech_note09186a0080093dfc.shtml)
and
where the NAT is configured with a method different from the previous one...
So... for the scenario described above, which would you recommend using? I would think that the second is the most appropriate, right? What do you think?

Thanks in advance again!!!

Have nice day!

Regards.

Esteban.

Hi Esteban,

Both are perfectly valid methods. The main difference is that, if you use ACLs to specify the NAT, you have a lot more granularity, because you can define different NAT configurations based on combinations of source/destination IP addresses. As a drawback, it's also more cumbersome to configure.

With normal source groups, you can just define the NAT address to be used based on the server to which the connection is going to be sent to. This is more limited in terms of possibilities, but it's also much easier to configure.

For your setup, I don't think you need any complicated NAT configuration, because you are just trying to send the return traffic back to the CSS, so I would recommend you to just use source groups for the configuration, forgetting completely about the ACLs.

Regards

Daniel
