Problem connecting locally to VIP address

branfarm1
Level 4

Hi there. I have a problem that I'm having difficulties solving. I inherited a network design that I think is responsible for the problem but I'm hoping someone out there can help me out. Here's what I've got:

web-servers: dual NICs with one NIC on a "local" VLAN (10.10.0.0/24), and the other NIC on the load-balancer backend VLAN (10.10.4.0/24)

Load-balancers: back-end VLAN (10.10.4.0/24), front-end in DMZ (10.10.8.0/24). Default gateway goes to DMZ firewalls.

The problem I'm running into is that I can only configure it so that I can either connect directly to each web-server or I can only connect to the load-balanced vip address -- it's one or the other. I'm fairly certain that this is because since proper load-balancing requires all traffic to go through the load-balancer, the default gateway on my web servers is the Load-balancer.

I'm trying to configure it so that I can have access to the load-balanced VIP addresses from the local VLAN (10.10.0.0/24). How do I make that work though? I've tried using groups, but that didn't seem to work. One thing I haven't tried yet is to create a vip address for VLAN1. I've attached my config for review.

Thanks for your help!


4 Replies

Gilles Dufour
Cisco Employee

You can change the default gateway of the server to be a router in the local VLAN.

This will give you access to the servers directly.

Then, to get access to the VIP, you need to configure a group with a group address belonging to the server subnet (10.10.4.x).

Like this, servers do not need to use a gateway to respond to the CSS.

Give that a try and let me know if it works.

Gilles.

Thanks for the response. Couple of questions though... how will changing the default gateway of the servers affect the traffic already being load-balanced by the 10.10.8.x VIP's? Also, the 10.10.4.x network only exists between the servers and the load-balancers... it is not routed at all. Should I still create a group address in there?

Thanks!

The group will do client NAT.

So, all traffic going to the LB will be NATed with the 10.10.4.x address.

The servers will see traffic coming from that address and will respond to it without the need of a router.

It's the only solution to make your design work.

The other approach would be to change the design and just use a single NIC.

Dual NIC is always a source of issues with load balancers.

Gilles.
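The configuration shape Gilles describes in the two replies above, written out as an added example (this is not the poster's attached config and not Cisco's text; service and group names are placeholders, and the host addresses, the CSS circuit address and the local-VLAN router address are constructed to fit the subnets named in the thread). The point it shows is the `group` with a VIP on the server subnet plus `add destination service`: the CSS rewrites the client source address of every load-balanced connection to that 10.10.4.x address, so the servers reply to the CSS on their directly connected VLAN and their default gateway can point at the local-VLAN router instead.

```text
! Added example CSS configuration (constructed, not from the thread).

! CSS leg on the server VLAN; the group VIP below must live in this subnet
circuit VLAN4
  ip address 10.10.4.1 255.255.255.0

! Back-end servers, reached over the 10.10.4.0/24 NIC
service web1
  ip address 10.10.4.11
  port 80
  keepalive type http
  active

service web2
  ip address 10.10.4.12
  port 80
  keepalive type http
  active

! Front-end VIP in the DMZ; clients on 10.10.0.0/24 reach it through the DMZ firewall
owner webfarm
  content www-vip
    vip address 10.10.8.100
    protocol tcp
    port 80
    add service web1
    add service web2
    balance roundrobin
    active

! Client NAT: connections load-balanced to web1/web2 are sourced from
! 10.10.4.250, so the servers answer the CSS directly on the 10.10.4.0/24
! VLAN and no longer need the CSS as their default gateway.
group web-client-nat
  vip address 10.10.4.250
  add destination service web1
  add destination service web2
  active

! On each web server (not CSS config): default gateway = local-VLAN router,
! e.g. 10.10.0.1 (constructed), so direct access from 10.10.0.0/24 works.
```

Two things to check after applying it. First, the servers now see every load-balanced request as coming from 10.10.4.250, so their access logs no longer record the real client address; if you rely on those logs for incident attribution, keep the CSS flow logs or add a request header carrying the original client IP at the CSS, and make sure the web servers' `show` output confirms hits on the group (`show group web-client-nat`) rather than on the content rule alone. Second, with the gateway moved to the local-VLAN router, any server-initiated traffic (updates, backups, DNS) now leaves via 10.10.0.0/24 and bypasses the DMZ firewalls, so that path needs its own egress filtering. On the question of `add service` versus `add destination service`: in a group, `add destination service` NATs clients whose traffic is destined to the listed services (the case here), while `add service` NATs connections the listed servers originate themselves (for example when the servers must reach out to the DMZ or Internet through the CSS and present the group address as their source).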

Thanks for your help Gilles -- this worked great. I ended up configuring a group and adding service destinations. What's a scenario when you would create a group and use services, instead of service destinations?
