What do source groups, when not used with ACLs for NAT, really do?

sheidelbach
Level 1

Might sound like a really basic question, but I've only ever used source groups in conjunction with ACLs for NATing the source IP address of packets as they pass through the CSS.

I got handed this 7-page CSS config with the need to explain what everything does (apparently the guy that set it up left). I got explanations for everything; it's a one-armed config with lots of various options configured (but that is another story) and a source group configured, and I have not managed to find a really good explanation I'll be able to use to explain what it does.

I read through the explanation in: http://www.cisco.com/univercd/cc/td/doc/product/webscale/css/css_710/bsccfggd/sgacleql.htm but that did not help much.

The config of the source group is:

~~~~~GROUP~~~~~
Group mcss
vip address 131.141.252.8
add destination service Server-5
active

~~~~~SERVICE~~~~
protocol tcp
port 80
ip address 131.141.108.100
keepalive type none
active

The group VIP address is the same as the VIP address used in the services that are configured, and the mask used with that VLAN is 255.255.255.0 so the content/group VIP and the service VIP are on different subnets (in case that matters).

I'm basically hoping for some good data, links, typed-up information, etc., that explain what this is used for, why it's needed, how it affects traffic flow/translation, etc., when it is used.

That has to be on CCO somewhere, but I have not managed to find it yet.

Anybody have any data that could help?

Thanks!


6 Replies

Gilles Dufour
Cisco Employee

The source group is always used to do source address NATing.

You can use it inside an ACL or not.

If not, all traffic hitting the service defined inside the source group will be NATed.

If you configure the server with the command 'add destination service', the source group is used for connections initiated by a client going to a vserver.

If you are using the command 'add service', the source group is used for connections initiated by the real servers themselves.

The source group is required in one-armed mode to guarantee that the server response will go back to the CSS.

This is explained on CCO at different locations.

One of them is :

http://www.cisco.com/en/US/products/hw/contnetw/ps789/products_command_reference_chapter09186a00800e4824.html

Gilles.

Gilles,

Cool. I've used source groups for NATing the source IP address of client addresses before, and ACLs are used to point to them in that case.

In this case, a server in the farm would make the request to the VIP, and the source address of the server would be translated to the VLAN interface of the CSS on its way out, or would it be translated to the VIP address on the way out? I'm thinking the VIP address, but just checking.

Thanks!

jfoerster
Level 4

Hi Skip,

If I understood it right, your content rule says that the VIP is 131.141.252.8. So your group config is responsible for source-IP NATing. This causes a packet which, in front of the CSS, looks like this:

SRC 1.2.3.4 DST 131.141.252.8. After passing the CSS it should look like this, if the service described above is used:

SRC 131.141.252.8 DST 131.141.108.100

This is another way to do "normal" source NATing without the need to configure ACLs. I guess the reason why you need to source-NAT is known, as you know how to configure it with ACLs. In case this is not known, here is a short and dirty explanation.

You need to make the real server think that the request is coming from the CSS, as you do not have to put the routing in a way that the response traffic from the server reaches the CSS.

Hope that helps and explained what is happening there...

Best Regards,

Joerg

But I only thought the source IP NATing for client requests happened when you had statements in ACLs pointing to the source group (I've done this before) and in this case I don't have any ACLs pointing to the source group.

I think I left out a critical part of the config, the Content rule VIP. OK Here is what we have:

~~~~~GROUP~~~~~
Group mcss
vip address 131.141.252.8
add destination service Server-5
active

~~~~~SERVICE~~~~
Server1
protocol tcp
port 80
ip address 131.141.108.100
keepalive type none
active

~~~~~~~~~~~Owner~~~~~
owner ME
content Layer4
protocol tcp
port 80
url "/*"
add service Server1
vip address 131.141.252.8
active

And there is nothing in any ACL pointing to the source group & this is a one-armed config.

So which statement is correct for client requests:

---------------------------------------------------

1) There will be no NATing of the source IP address for client-to-server requests due to no ACLs pointing to the source group. Pretty much, the source group is not really used for those requests. The destination address in the IP packet changes from the VIP address (131.141.252.8) to Server1's address (131.141.108.100) after it goes through the CSS, but the source IP address stays the same.

or

2) Because this is a one-armed config, even though there are no ACLs pointing to the source group, it is still used for source IP NATing, resulting in an incoming packet of S=1.2.3.4, D=131.141.252.8 (the VIP) looking like S=131.141.252.8 (the VIP), D=131.141.108.100 (real server address).

If #2 is correct due to this being a one-armed config, I would think the same translation would happen with server requests and would answer all the questions I think. Correct?

Thanks!

Skip

Hi Skip,

Source NATing only takes place if the service Server-5 is chosen, and then 131.141.252.8 will be put in as the client IP address.

Regards,

Joerg

Your problem is that you think an ACL is required.

It's not.

We usually use the ACL when we want some clients to be NATed and others not.

It is also used when some clients need to be NATed with address A and the rest use address B.

But when you need the same behavior for all the clients, you don't need the ACL.

The source group config alone is enough to do client NAT.

None of your statements are correct.

Again, #1 is incorrect because the ACL is not required. All clients going to this server will be NATed.

#2 is also incorrect because the behavior I describe is not related to the fact that this is a one-armed config. This is the same behavior all the time.

However, because this is a one-armed config, it is usually necessary to do client NAT.

Gilles.
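To make the behaviour described in Gilles's and Joerg's replies concrete, here is an added Python model of this thread's config (example code written for this page, not Cisco software or anything from the CSS itself). The VIP, the Server1 address, port 80 and the 1.2.3.4 client address come from the thread; the flow table, the client port, the `owned` address set and the function names are my own assumptions about how the translations fit together.

```python
from dataclasses import dataclass, replace
# Constructed model of the CSS config in this thread (not Cisco code): content rule Layer4
# sends VIP 131.141.252.8:80 to Server1 131.141.108.100:80; source group mcss has vip address
# 131.141.252.8 and 'add destination service Server1', with no ACL pointing at it.
VIP, SERVER1, GROUP_VIP = "131.141.252.8", "131.141.108.100", "131.141.252.8"

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

class OneArmedCSS:
    def __init__(self, dest_services=(), services=()):
        self.dest_services = set(dest_services)  # 'add destination service' entries
        self.services = set(services)            # 'add service' entries
        self.owned = {VIP, GROUP_VIP}            # addresses the CSS answers for (assumed)
        self.flows = {}  # server-side 4-tuple -> original (client ip, client port)

    def client_to_server(self, pkt):
        """Client hits the VIP: content rule picks Server1, source group NATs src if listed."""
        if (pkt.dst, pkt.dport) != (VIP, 80):
            return pkt                         # no content rule match, forwarded untouched
        out = replace(pkt, dst=SERVER1)        # destination NAT by the content rule
        if SERVER1 in self.dest_services:
            out = replace(out, src=GROUP_VIP)  # source NAT for every client, no ACL needed
        self.flows[(out.src, out.sport, out.dst, out.dport)] = (pkt.src, pkt.sport)
        return out

    def reply_transits_css(self, pkt):
        """One-armed mode: a server reply only passes the CSS if its dst is a CSS-owned address."""
        return pkt.dst in self.owned

    def server_to_client(self, pkt):
        """Undo both translations on the reply; None if the reply never reached the CSS."""
        flow = self.flows.get((pkt.dst, pkt.dport, pkt.src, pkt.sport))
        if not self.reply_transits_css(pkt) or flow is None:
            return None
        return Packet(VIP, pkt.sport, flow[0], flow[1])

    def server_initiated(self, pkt):
        """'add service' case: a connection the real server itself opens gets its src NATed."""
        return replace(pkt, src=GROUP_VIP) if pkt.src in self.services else pkt

def demo():
    css = OneArmedCSS(dest_services={SERVER1})
    fwd = css.client_to_server(Packet("1.2.3.4", 40000, VIP, 80))   # src becomes the group VIP
    back = css.server_to_client(Packet(SERVER1, 80, fwd.src, fwd.sport))
    plain = OneArmedCSS().client_to_server(Packet("1.2.3.4", 40000, VIP, 80))
    return fwd, back, plain, OneArmedCSS().reply_transits_css(Packet(SERVER1, 80, plain.src, 40000))
```

The last value returned by `demo()` is the one-armed failure mode: without the source group the server's reply is addressed to 1.2.3.4 and never passes the CSS, so the client sees a reply from 131.141.108.100 that it never talked to.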
