582 Views, 0 Helpful, 3 Replies

SMTP, RADIUS, and source groups on CSS 11503

emilyharris, Level 1

I'm reviewing this doc:

http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/css11500series/v8.10/configuration/content_lb/guide/SGrp.html

I need to have my (to-be) load-balanced SMTP servers authenticate against RADIUS, which is on the public side of the CSS 11503. We use UDP for RADIUS, and don't want to change - we need the IPs to authenticate against RADIUS and be "sticky", i.e. source and destination stay the same.

I figured that I could have a source-group for SMTP as follows:

-----
service smtp1
  ip address 172.x.x.51
  active

service smtp2
  ip address 172.x.x.52
  active
-------
group SMTP
  vip 111.x.x.50
  add service smtp1
  add service smtp2
  active
-------

Then do my content rules, based on protocol; we need 25 and 465, but for simplicity I'll do one:

owner MAIL
  content smtp
    protocol tcp
    port 25
    vip address 111.x.x.50
    add service smtp1
    add service smtp2
    active
------------

So, first: does that take care of my outbound traffic 100%, or am I missing an ACL somewhere to make it happen?

Then, I figured for RADIUS, I do the same thing, but with the UDP port. Something like:

group RADIUS1
  vip 111.x.x.51
  add service smtp1
  active

group RADIUS2
  vip 111.x.x.52
  add service smtp2
  active

And then do TWO content rules, one per SMTP server with the two different RADIUS vips.

The goal here is to properly load balance SMTPs, have incoming and outgoing be one IP, which is standard. However, each individual SMTP server needs a "sticky" type of connection on UDP to authenticate to the RADIUS server(s), so the authentication reply from RADIUS goes to the right place.

The problem is that the doc I am reading says "a service may belong to only one group at a time".

How do I get out of this pickle?

Thank you!


3 Replies

Gilles Dufour, Cisco Employee

The source NATing is based only on source IP address.

So, you can't have the same server belonging to 2 different groups. Even if you create multiple services where the IP is the same but not the port, you can't have these services in different groups.

But one group should take care of all your outbound connections - no need for ACL.

ACLs are needed in the case you want to sometimes NAT and sometimes not. Or in the case you want to use different NATing depending on the protocol or destination.

So, I believe your solution would need to use ACLs.

Use the option 'sourcegroup' to select a group.

Gilles.

Thanks, Gilles. Of course, I'm still confused on how to implement it. I guess it would be 3 source groups, as follows:

group smtp-out
  vip address 111.x.x.50
  active

group radius1-out
  vip address 111.x.x.51
  active

group radius2-out
  vip address 111.x.x.52
  active

And then in my ACL do four different rules, something like:

acl 30
  clause 20 permit udp 172.x.x.51 255.255.255.255 destination any sourcegroup radius1-out eq 1812
  clause 30 permit udp 172.x.x.52 255.255.255.255 destination any sourcegroup radius2-out eq 1812
  clause 40 permit tcp 172.x.x.51 255.255.255.255 destination any sourcegroup smtp-out eq 25
  clause 50 permit tcp 172.x.x.52 255.255.255.255 destination any sourcegroup smtp-out eq 25
  clause 99 permit any any destination any
  apply circuit-(VLAN172)

Am I in the right ballpark? Of course I need the content rules with the associated VIPs for the other direction; also additional ACLs for other SMTP (secure) ports; and I'll condense each SMTP IP into one rule for two machines on the 3rd octet.

Anyway, it seems so complicated - I wish there was a sexier way to do it.

Let me know if this is the right track; I appreciate your input very much!

Looking good.

Except you want to put the 'eq 1812' before the sourcegroup option.

Otherwise this is correct.

Gilles.
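As an added example, not from this thread or from Cisco, here is a small Python linter for CSS-style config text that flags the two mistakes discussed above: a service added to more than one group, and an ACL clause that writes `sourcegroup` before `eq`. The sample config is constructed for the example, with placeholder addresses.

```python
import re
from collections import defaultdict

# Constructed sample config (placeholder addresses): smtp1 is wrongly a member of two
# groups, and clause 20 still has 'sourcegroup' before 'eq' while clause 40 is correct.
SAMPLE_CONFIG = """
group SMTP
  vip address 111.0.0.50
  add service smtp1
  add service smtp2
  active
group RADIUS1
  vip address 111.0.0.51
  add service smtp1
  active
acl 30
  clause 20 permit udp 172.0.0.51 255.255.255.255 destination any sourcegroup radius1-out eq 1812
  clause 40 permit tcp 172.0.0.51 255.255.255.255 destination any eq 25 sourcegroup smtp-out
  clause 99 permit any any destination any
  apply circuit-VLAN172
"""

def parse_config(text):
    """Return (group -> [services], [(clause number, tokens)]) from CSS-style config text."""
    groups = defaultdict(list)
    clauses = []
    current_group = None
    for raw in text.splitlines():
        tokens = raw.split()
        if not tokens:
            continue
        if tokens[0] == "group":
            current_group = tokens[1]
            groups[current_group]  # register the group even if it adds no services
        elif tokens[:2] == ["add", "service"] and current_group:
            groups[current_group].append(tokens[2])
        elif tokens[0] == "clause":
            clauses.append((int(tokens[1]), tokens[2:]))
        elif tokens[0] in ("acl", "owner", "content", "service"):
            current_group = None  # left the group context
    return groups, clauses

def services_in_multiple_groups(groups):
    """The CSS allows a service in only one source group; return {service: [groups]} offenders."""
    membership = defaultdict(set)
    for group, services in groups.items():
        for svc in services:
            membership[svc].add(group)
    return {svc: sorted(g) for svc, g in membership.items() if len(g) > 1}

def clauses_with_sourcegroup_before_eq(clauses):
    """Return clause numbers where 'sourcegroup' precedes 'eq', the ordering corrected above."""
    return [n for n, t in clauses
            if "sourcegroup" in t and "eq" in t and t.index("sourcegroup") < t.index("eq")]
```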
