CSS11503

Answered Question
Aug 12th, 2008

Please look at the attached diagram. The CSS 11503 has one connection to the switch and is in the same VLAN as the router IP. The 3 servers' default gateway is 10.1.1.1, and on the CSS the default gateway also points to 10.1.1.1.

3 services are added to the CSS to be balanced: 10.1.1.11, 10.1.1.12 and 10.1.13; the VIP is 10.1.1.10.

My questions are:

1. Is this the transparent mode for the CSS? And what is the disadvantage compared with routed mode? I know that for the CSS 111XX transparent mode is not recommended; what about the CSS 11503?

2. For incoming traffic that needs to access 10.1.1.10, which is the VIP for the 3 servers, the traffic is load balanced; how about the return traffic? I think the server will bypass the CSS and go directly to the router. I heard "group" can help to solve this problem; can someone show me the configuration?

Correct Answer
Syed Iftekhar Ahmed Tue, 08/12/2008 - 09:58

It's a one-arm mode design.

1. There are no issues in using one-arm mode with the 11500 series CSS. The main disadvantage with this mode is that you lose client information (you need to source NAT the client traffic before it hits the real server to make sure the return traffic passes through the CSS). The advantage is that only load-balanced traffic will pass through the CSS. All other traffic (server-initiated traffic, direct server access traffic) will not choke the CSS.

2. As I mentioned earlier, return traffic needs to pass through the CSS. Source NAT (using the group command) ensures that return traffic comes back to the CSS.

Source NAT is configured as follows:

    group Servers
      vip address 10.10.10.6
      add destination service 1
      add destination service 2
      add destination service 3
      active

In another post I asked you to take a look at

http://www.cisco.com/warp/public/117/one_armed_bandit.pdf

Page 5 of the above doc explains in detail how and why it's implemented.

Syed Iftekhar Ahmed

vinerichard Mon, 08/18/2008 - 04:35

Hello,

Is there a way of implementing a one-arm design with SNAT, but also keep the source IP present in the packet so the web server knows the real IP (not the CSS VIP)?

With the BIG IP F5 there is a feature called X-Forwarded that can be enabled. Does this or similar exist on the CSS?

Many thanks

Syed Iftekhar Ahmed Mon, 08/18/2008 - 10:49

In CSM/ACE it's possible to insert an HTTP header (typically X-Forwarded-For) with source NAT.

Unfortunately the CSS does not give you a way to insert a header with the client IP.

One workaround could be to use PBR on the Switch instead of source NAT on CSS.

Syed Iftekhar Ahmed
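To make the two points above concrete (the return path bypassing the CSS without source NAT, and the client address that the server loses once the "group Servers" NAT is active), here is an added Python model of the thread's one-arm topology. It is not CSS code or anything from the original posts; the third real server 10.1.1.13 and the client address 192.0.2.50 are assumptions, and the CSS and server behaviour is reduced to the address rewrites and next-hop choices that matter for the argument.

```python
from dataclasses import dataclass

# Addresses from the thread; 10.1.1.13 and the client address are assumptions.
VIP = "10.1.1.10"                                   # content-rule VIP the client connects to
REALS = ["10.1.1.11", "10.1.1.12", "10.1.1.13"]     # real servers behind the VIP
GROUP_VIP = "10.10.10.6"                            # "vip address" of group Servers (source NAT)
ROUTER = "10.1.1.1"                                 # default gateway of the servers and the CSS
CLIENT = "192.0.2.50"                               # constructed off-subnet client


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


def css_forward(pkt: Packet, snat: bool, real_index: int = 0) -> Packet:
    """CSS selects a real server; with the group active it also rewrites the source."""
    real = REALS[real_index % len(REALS)]
    return Packet(src=GROUP_VIP if snat else pkt.src, dst=real)


def server_reply(pkt: Packet) -> Packet:
    """The server answers to whatever source address it saw, via its default gateway."""
    return Packet(src=pkt.dst, dst=pkt.src)


def trace(snat: bool) -> dict:
    """Return the hop list, the reply as the client sees it, and whether it is accepted."""
    path = ["client", "router", "css"]
    fwd = css_forward(Packet(CLIENT, VIP), snat)
    path.append(f"server {fwd.dst}")
    rep = server_reply(fwd)
    path.append("router")                  # the server's only route off-subnet is 10.1.1.1
    if rep.dst == GROUP_VIP:
        # The group VIP belongs to the CSS, so the router hands the reply back to it
        # and the CSS undoes both translations (src -> VIP, dst -> client).
        path += ["css", "router"]
        rep = Packet(src=VIP, dst=CLIENT)
    path.append("client")
    # The client's socket is bound to VIP:port; a reply from a real address is dropped.
    return {"path": path, "reply": rep, "client_seen_by_server": fwd.src,
            "accepted": rep.dst == CLIENT and rep.src == VIP}


if __name__ == "__main__":
    for snat in (False, True):
        print(f"snat={snat}: {trace(snat)}")
```

Without the group, the reply reaches the client from 10.1.1.11 rather than the VIP and is discarded; with it, the CSS is on both legs of the flow but the server only ever sees 10.10.10.6, which is exactly the gap the X-Forwarded-For question is about.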
