In our new pre-production environment we have several servers connected to a 3750 switch, which is then connected to a CSS 11503. Upstream the CSS is then connected to an ASA firewall pair. The CSS VIPs are 10.22.1.0/24 on the "outside" and the servers have 10.21.1.0/24 addresses on the inside. The CSS inside & server 3750 switchports are all on the same VLAN. There is no PAT/NAT configured (except for the VIP being translated to a chosen server IP I suppose).
Whilst the clients will connect to the servers via the VIPs what we want is for each server to also be able to talk to other servers via a VIP. This is because some of the servers provide a service (LDAP actually) that we would like to be load balanced.
Now, what is curious, is that *this works* in our production environment where the servers are *directly* attached to the 8 port switch module in the CSS. However in this new environment, where the 3750 is between the servers and the CSS, it doesn't (actually you can ping the VIP sucessfully but nothing else works).
I have seen other postings on NetPro where people are trying similar things, like: http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Networking%20Solutions&topic=Application%20Networking&CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.1dd81312 and http://forums.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Emerging%20Technologies&topic=Content%20Networking&CommCmd=MB?cmd=display_location&location=.1dd72fd0
The relevant CSS config I think (there are lots more services etc but they are all similar) is:
ip address 10.21.1.100 255.255.255.0
ip address 10.22.1.1 255.255.255.0
keep alive ssokeepalive
keepalive port 7777
keepalive frequency 10
keepalive maxfailure 2
ip address 10.21.1.6
keepalive type named ssokeepalive
vip address 10.22.1.12
add service pulldp001
i.e. VIP 10.22.1.12 will be directed to the server 10.21.1.6 (only the one shown above).
Q1) My first question is: is server to server communication via an outside VIP possible?!
Q2) Given that this seems to work our production environment without the 3750s any idea what areas of config could be wrong on the 3750 or the servers? (we've tried default routes of both the 3750 and the ISS inside address but that hasn't worked). Note the ping from a server works but when we try, say, "telnet 10.22.1.12 7777" that doesn't connect.
Q3) Let's assume that the servers run more than one service, e.g. an HTTP and an LDAP service. If a server can communicate with another server using its VIP, will it work from one server up to the CSS/VIP and back to itself? (of course it may or may not actually return to itself depending on the load etc)
I can provide full configs on Monday if required.
Hope these aren't dumb questions! Many thanks!
PS. the CSS is running 7.50 at the moment but could upgrade to 8.2 if required