2 questions about CSS11503

Unanswered Question
Jun 21st, 2009

First, I would like to understand the “port” and “protocol” commands in CSS. For example, I have a few web servers that need to be load balanced; what is the difference among these configurations:

Config1 (protocol and port are configured in both service and content rule)

service Server1
  ip address 10.1.1.1
  protocol tcp
  port 80
  active

service Server2
  ip address 10.1.1.2
  protocol tcp
  port 80
  active

owner L3_Owner
  content L3_Rule
    add service Server1
    add service Server2
    vip address 10.1.1.3
    protocol tcp
    port 80
    active

Config2 (protocol and port are configured in service only)

service Server1
  ip address 10.1.1.1
  protocol tcp
  port 80
  active

service Server2
  ip address 10.1.1.2
  protocol tcp
  port 80
  active

owner L3_Owner
  content L3_Rule
    add service Server1
    add service Server2
    vip address 10.1.1.3
    active

Config3 (protocol and port are configured in content rule only)

service Server1
  ip address 10.1.1.1
  active

service Server2
  ip address 10.1.1.2
  active

owner L3_Owner
  content L3_Rule
    add service Server1
    add service Server2
    vip address 10.1.1.3
    protocol tcp
    port 80
    active

Second, if our servers need more than one port to be open, for example our web server needs to listen on 80, 8080, and 443, how do we configure that in CSS?

Gilles Dufour Sun, 06/21/2009 - 23:42

The port and protocol commands inside the content rule act as filters.

So only traffic of protocol type ... and to port ... will match the content rule.

The port command inside the service acts as a NAT command. It tells the CSS to rewrite the destination port to the one configured under the service.

The easiest solution is to not configure any port under the content rule and services.

Like this, the CSS will accept connection to ANY port and just LB without changing the destination port.

So port 80 traffic will be sent to port 80 and port 443 to port 443.

You can then limit traffic coming in with an ACL if you do not want to LB all ports (i.e. 23).

But personally, I prefer to have a content rule for each port.

It gives you the possibility to easily adjust the config for a specific port if needed.

Gilles.
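The per-port layout Gilles prefers, written out for the three ports asked about in the question (80, 8080 and 443). This is an added example, not configuration from the original post or from Cisco; it reuses only the commands and the names and addresses already shown in the question (Server1, Server2, L3_Owner, 10.1.1.1-10.1.1.3), and the rule names are assumed. The services carry no port line, so the CSS does not rewrite the destination port; each content rule's protocol/port pair only filters which traffic that rule matches.

```text
! Added example (not from the original post). Services without a "port"
! line: no destination-port NAT, the request reaches the server on the
! same port the client used. Names/addresses are assumed from the question.
service Server1
  ip address 10.1.1.1
  active

service Server2
  ip address 10.1.1.2
  active

owner L3_Owner

  ! One content rule per port: protocol/port here act as a filter, so only
  ! TCP traffic to the VIP on that port is matched and load balanced.
  content HTTP_Rule
    vip address 10.1.1.3
    protocol tcp
    port 80
    add service Server1
    add service Server2
    active

  content HTTP_8080_Rule
    vip address 10.1.1.3
    protocol tcp
    port 8080
    add service Server1
    add service Server2
    active

  content HTTPS_Rule
    vip address 10.1.1.3
    protocol tcp
    port 443
    add service Server1
    add service Server2
    active
```

With this layout, traffic to the VIP on any port other than 80, 8080 or 443 matches no content rule, which is the filtering behaviour described above; a single rule with no protocol/port line (the Config2 style) would instead accept and balance every port, which is why that variant is usually paired with an ACL. Keeping one rule per port also lets each port be taken out of service or given its own settings independently.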
