CSS Design

Unanswered Question
Jan 2nd, 2008

Hi,


My network topology is as per the nwtopo.jpg file. Now, in this setup, if I want to do load balancing for server farm-2, how would my physical and logical connectivity look, and how would my routing happen?


Note:

For some security reasons I cannot change the gateway of the servers (on both server farms), and both server farms have to be connected through a firewall.



Can someone give me inputs on this...


Regards



Diego Vargas Wed, 01/02/2008 - 09:36
User Badges:
  • Cisco Employee,

Hi,


Well, the main difference between serverfarm 1 and 2 is that serverfarm 2 is not local to the CSS; you need to make sure that the traffic flows back to the CSS before going to the client.


The common way to do this is by configuring source NATing in the CSS. This will prevent asymmetric flows; this is exactly the same thing you are doing for serverfarm 1, where the default gateway cannot be changed.



This is how a flow to the VIP would work:


1. Client to 192.168.10.171


2. CSS NATs and sends the frame with source 192.168.10.171 destined to 192.168.20.x


3. Server will respond back to VIP 192.168.10.171


4. CSS answers to client request with source IP as the VIP


As for routed traffic to the servers, there should be no problem; the CSS will not be in the middle in this case, so if you need to do direct management of your servers the CSS will not be involved and everything should work fine.


Hope it helps!!

rv_viji Wed, 01/02/2008 - 11:11

Hi,


Thanks for your response.


Do you mean to say that I use the same VIP address (192.168.10.171) for the other server farm too?


So my understanding is...


1. Traffic from the client (behind the CORE network) enters through the outside interface of the firewall and through firewall leg1 to 192.168.10.171 on the CSS.

2. Load-balanced traffic from the CSS (192.168.10.171) goes to firewall leg2 through the same firewall leg1.

3. Servers respond back to the CSS VIP (192.168.10.171) from firewall leg2 through firewall leg1.

4. The CSS then responds back to the client through firewall leg1 and then through the outside leg connected to the CORE network.



If my understanding is right, is there any other better method of doing it?


Also, do correct me if my understanding is wrong.


Regards


Diego Vargas Wed, 01/02/2008 - 11:25
User Badges:
  • Cisco Employee,

Hi,


Well, actually you do need to use the same VIP; I mentioned it just as an example. You will need to define a VIP for your serverfarm.


With regards to the traffic flow, well, traffic definitely needs to flow back thru the CSS, otherwise an asymmetric flow will be created.


Think about this:


1. Client sends a SYN to the VIP with source IP 10.1.1.1.


2. CSS forwards the request to the server without changing the source IP.


3. Server gets a SYN coming from 10.1.1.1, so it will send a SYN/ACK destined to 10.1.1.1.


4. The client receives the SYN/ACK from the server IP but the request was done to the VIP, so the packet will be discarded.


This means that the packet always needs to flow back thru the CSS, or this issue will show up.


There is actually a way to bypass the Load Balancer on the way back but it is not supported by the CSS.


The CSM has what is called DSR (Direct Server Return), and with IOS SLB you can do a Dispatch mode.


Those setups need the server to have a special configuration; then again, the CSS will not support it.


Hope it clarifies your doubts!!
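To make the asymmetric-flow point from both of Diego's replies concrete, here is a small packet-flow model written for this thread (it is not CSS code and not from any of the posters). It walks the SYN/SYN-ACK exchange once with source NAT to the VIP enabled on the load balancer and once without, and shows why the client's TCP stack accepts the reply only in the first case. The VIP 192.168.10.171 and client 10.1.1.1 come from the thread; the server address 192.168.20.10 and the gateway behaviour in `deliver_return` are constructed assumptions for the example.

```python
"""Toy model: client -> CSS VIP -> remote server farm, with and without
source NAT on the load balancer. Added illustration for this thread;
the server address and the gateway model are constructed assumptions."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

VIP = "192.168.10.171"       # VIP from the thread
CLIENT_IP = "10.1.1.1"       # client address from Diego's example
SERVER_IP = "192.168.20.10"  # assumed real server in server farm-2 (constructed)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    flags: str  # "SYN" or "SYN/ACK"


class Client:
    def __init__(self, ip: str, vip: str) -> None:
        self.ip, self.vip = ip, vip

    def syn(self) -> Packet:
        return Packet(self.ip, self.vip, "SYN")

    def accepts(self, pkt: Packet) -> bool:
        # A real TCP stack only matches a SYN/ACK whose source is the
        # address the SYN was sent to (the VIP); anything else is dropped.
        return pkt.dst == self.ip and pkt.src == self.vip and pkt.flags == "SYN/ACK"


class Server:
    def __init__(self, ip: str) -> None:
        self.ip = ip

    def reply(self, pkt: Packet) -> Packet:
        # The server answers whoever the SYN appeared to come from.
        return Packet(self.ip, pkt.src, "SYN/ACK")


class CSS:
    """Load balancer owning the VIP; optionally source-NATs to the VIP."""

    def __init__(self, vip: str, server: str, source_nat: bool) -> None:
        self.vip, self.server, self.source_nat = vip, server, source_nat
        self.flows: Dict[str, str] = {}  # real server -> original client

    def to_server(self, pkt: Packet) -> Packet:
        assert pkt.dst == self.vip, "only VIP traffic is load balanced"
        self.flows[self.server] = pkt.src
        src = self.vip if self.source_nat else pkt.src  # step 2 of the flow
        return Packet(src, self.server, pkt.flags)

    def from_server(self, pkt: Packet) -> Packet:
        # Reverse NAT: VIP becomes the source, the real client the destination.
        client = self.flows[pkt.src]
        return Packet(self.vip, client, pkt.flags)


def deliver_return(pkt: Packet, css: CSS) -> Tuple[Packet, bool]:
    """Models the server's unchanged default gateway (the firewall leg):
    a packet addressed to the VIP is routed to the CSS; anything else is
    routed straight toward its destination and bypasses the CSS."""
    if pkt.dst == css.vip:
        return css.from_server(pkt), True
    return pkt, False


def run_flow(source_nat: bool) -> dict:
    """Return the four packets of the exchange plus whether the return
    path crossed the CSS and whether the client accepted the SYN/ACK."""
    client, server = Client(CLIENT_IP, VIP), Server(SERVER_IP)
    css = CSS(VIP, SERVER_IP, source_nat)
    trace: List[Packet] = []

    syn = client.syn()                         # 1. client -> VIP
    trace.append(syn)
    fwd = css.to_server(syn)                   # 2. CSS -> real server
    trace.append(fwd)
    reply = server.reply(fwd)                  # 3. server -> whoever sent the SYN
    trace.append(reply)
    final, via_css = deliver_return(reply, css)  # 4. gateway routes the reply
    trace.append(final)
    return {"trace": trace, "via_css": via_css, "accepted": client.accepts(final)}


if __name__ == "__main__":
    for snat in (True, False):
        result = run_flow(snat)
        print(f"source NAT {'on ' if snat else 'off'}: "
              f"return via CSS={result['via_css']}, client accepted={result['accepted']}")
        for p in result["trace"]:
            print(f"   {p.src:>16} -> {p.dst:<16} {p.flags}")
```

With source NAT on, the server sees the SYN coming from the VIP, so its SYN/ACK is addressed to the VIP, the gateway hands it to the CSS, and the CSS rewrites it back to the client; with source NAT off, the SYN/ACK leaves the server addressed to 10.1.1.1 with the real server as source, never touches the CSS, and the client discards it because it was expecting a reply from 192.168.10.171. The model also shows the operational cost Diego implies: with source NAT the servers log the VIP rather than the real client address, which matters for any server-side audit trail.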



rv_viji Wed, 01/02/2008 - 11:35

Hi,


I understand the point about asymmetric flow.


But my question was whether the traffic flow, with respect to my scenario, will go the way I had understood?


However, I got more things clarified from your reply (CSM and IOS SLB); thanks again.


Also, do you have any doc or URL on the best practices for a CSS design?




Regards

