CSS - Can a real server be several Layer-3 hops away from the VIP

May 9th, 2003

Can a CSS11500 load balance and health check real servers that are several Layer-3 hops away from the VIP on the CSS? All documentation and examples always show the servers connected to the CSS at Layer 2.

If yes, are there any limitations to using a CSS in this mode?

d.parks Fri, 05/09/2003 - 06:22

Yes, the CSS can work with services that are not L2 or L3 adjacent.

Unless the CSS is in-line from a traffic perspective, you'll likely need to create a source group to NAT the clients' addresses before the traffic hits the server(s). This forces return traffic back through the CSS.

The main limitation of this configuration is that the servers lose visibility of the clients' real IP addresses. All connections will appear to come from the CSS.

drussell Fri, 05/09/2003 - 06:23

It is certainly possible, but it has more risk than not doing it.

If you are not using source groups, the source address of the packets going to the real server will be the client's actual address. When the server replies the packets have to go back through the CSS to get to the client to un-NAT the VIP address.

Using a source group to NAT the client's address could get around this if the path to the client doesn't go back to the CSS.

I have had pretty good luck with real servers on subnets that had two paths out - one via the router and one via the CSS. As long as the real servers used the CSS as the default gateway, everything worked well, and traffic to other servers did not have to be handled by the CSS.

jfoerster Fri, 05/09/2003 - 06:29

Hi Bob,

From my point of view there are only some rules to be watched, but it should be possible to do. One thing that MUST be: the outgoing interface towards the real server MUST be used for the traffic that returns from the server, afaik, because the CSS has to watch the flows. (This can be easily done if you use a trunk, as there is for the CSS afaik no difference if the traffic leaves on VLAN x and returns on VLAN y, unless both VLANs connect on the same port.)

The next thing that is a MUST is:

Routing has to ensure that the CSS is in the flow back from the servers and not bypassed, OR you have to do source NATting so that the server thinks the CSS is the one asking it something.

Regarding the monitoring, there is no difference if you are using keepalive scripts for monitoring the service.

Hope that helps and answers your question...

Kind Regards,
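As an added illustration of the source-group approach that the replies above describe (this is not from any poster in the thread), here is a sketch of a CSS 11500 configuration for a real server that sits on a remote subnet behind a router. All addresses, service and group names are constructed assumptions; the command keywords follow the CSS CLI as I recall it and should be checked against the configuration guide for your software release.

```text
! Route to the remote server subnet via the next-hop router (constructed addresses)
ip route 192.168.10.0/24 10.1.2.1 1

! Remote real server, reachable several L3 hops away; the HTTP keepalive
! works the same as for an L2-adjacent server because it is just routed
service web-remote-1
  ip address 192.168.10.10
  protocol tcp
  port 80
  keepalive type http
  keepalive uri "/health.html"
  keepalive port 80
  active

! The VIP the clients connect to
owner web-owner
  content www-vip
    vip address 10.1.1.100
    protocol tcp
    port 80
    add service web-remote-1
    active

! Source group: client source addresses are translated to the VIP before
! the packet is forwarded to web-remote-1, so the server's replies are
! addressed to the CSS and cannot bypass it on the way back. Trade-off:
! the server log will show 10.1.1.100 as the client for every connection.
group nat-clients
  vip address 10.1.1.100
  add destination service web-remote-1
  active
```

Without the `group` block, the server would see the real client address and its reply would follow the server subnet's own routing, which must then point back at the CSS for the flow to be un-NATed.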