CSS SLB within same VLAN

Unanswered Question
Mar 1st, 2004
User Badges:

Hi -


We have a need to load-balance requests within the same VLAN, but need to make sure it only happens then. We have multiple web servers all members of the same subnet, these servers are grouped differently in 5 different VIPS whose IPs are also part of the same subnet.


Example: We need server A, who is a member of VIP Z, to talk to VIP Y and be load-balanced. These servers and VIPs are all part of the same subnet. however, when that same server A talks to host C somewhere else we don't want it to be translated.


We'll obviously need to use groups and ACLs, but would we be using 'add service XX' in the group command or the 'add destination service XX' command? Should we NAT these connections as a new IP address, or just fake out the dest VIP so that it thinks the sender's MAC is the CSS?


Anyone have a sample config from doing this before?


Thanks!

chad


  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
stevehall Mon, 03/01/2004 - 15:32
User Badges:

Chad,


If the only clients to VIP Y are the servers, and not Internet clients, then just make a group with the following:


group vip-y-group

vip address

add destination service vip-y-server1

add destination service vip-y-server2

active


This will enable clients to access VIP Y even though they are on the same subnet.


If clients to VIP Z are also coming in through the same vlan, you will need a group for servers on that VIP as well.


group vip-z-group

vip address

add destination service vip-z-service1

add destination service vip-z-service2

active


This will not NAT the servers when they initiate outbound connections. It will only affect the client IP address on connections that are directed to the services in the group.


If you need mor explanation, then post in your global, service, owner and group (if any) config. I can elaborate more after seeing that.



But at this point, I don't think you will need ACLs.


you might want to look at the following link as well (If you haven't already)

http://www.cisco.com/en/US/customer/products/hw/contnetw/ps789/products_configuration_example09186a0080093dff.shtml




-Steve

cbuzzard Mon, 03/01/2004 - 16:16
User Badges:

Thanks for the info, Steve. I have looked at a couple of online references including that one, but they all seem to be just a percentage of what I'm looking to do. It's probably a combination of them all put together, but because these VIPs are production websites I want to make sure I don't have to try this a second time. To make it make more sense I'll paste in what I'm trying to do below.


First, I have these 2 content VIPs:


content www-LT-80

vip address 10.28.128.30

protocol tcp

port 80

url "/*"

advanced-balance arrowpoint-cookie

arrowpoint-cookie browser-expire

add service lt-bw02-80

add service lt-bw04-80

add service lt-bw06-80

add service lt-bw08-80

add service lt-bw10-80

add service lt-bw12-80

add service lt-bw14-80

add service lt-bw16-80

add service lt-bw18-80

add service lt-bw20-80

add service lt-bw22-80

add service lt-bw24-80

add service lt-bw26-80

add service lt-bw28-80

add service lt-bw30-80

add service lt-bw32-80

balance leastconn

active


content rc-LT-80

vip address 10.28.128.38

protocol tcp

port 80

url "/*"

advanced-balance arrowpoint-cookie

arrowpoint-cookie browser-expire

balance leastconn

add service rc-pub08-80

add service rc-pub06-80

add service rc-pub04-80

add service rc-pub02-80

active


Second, these are the services in each VIP respectively. I'll only paste 1 service from each VIP, all the others are the same just with incrementing IPs:


service lt-bw02-80

ip address 10.28.128.51

protocol tcp

port 80

string wwwltbw2

keepalive type script ap-kal-httptag "10.28.128.51 /keepalive.asp www.lendingtree.com"

keepalive frequency 15

active


service rc-pub02-80

ip address 10.28.128.171

protocol tcp

port 80

string rcpub02

keepalive type script ap-kal-httptag "10.28.128.171 /keepalive.asp rc.lendingtree.com"

keepalive frequency 15

active


Goal to achieve:


I need the lt-bwXX-80 services that are members of the first VIP to be able to talk to the second (RC) VIP and be load-balanced. The caveat is that when these lt-bwXX-80 services talk to other hosts through the CSS I do not want them being NATted at all, for reporting reasons their IPs need to stay the same. To touch on your earlier comment, all of these VIPs are also load-balanced to the Internet for web browsing. Basically, I need some form of address translation, whether it be IP or MAC, but only on specific to/from relationships.


Does that help make it more clear? Thanks in advance for any assistance.


Chad


stevehall Mon, 03/01/2004 - 16:33
User Badges:

Chad,


If you use the VIP-Y group I stated earlier, then the lt-bwXX-80 services will only have the source IP NATed when they access the content rule Y.


In this case, any client accessing VIP Y will have the client IP NATed. This is typically not an issue.


If you really want to make it complicated, you can do the following....


CSS config.....



nql x-servers

ip address 10.28.128.51



group vip-y-nat

vip address 10.28.128.171

active


acl 1

clause 10 permit any nql x-servers destination content owner/rc-pub02-80 sourcegroup vip-y-nat

clause 20 permit any any destination any

apply all




then globally....


acl enable



you should have console access when enabling ACLs. Be aware that ALL vlans need an ACL applied to them if you are enabling ACLs. Any VLAN without an ACL will not accept incoming traffic!


Does that make sence? I use NQLs so when the IPs change, you can update the nql without suspending the ACL, causing potential downtime. It is much easier to maintain.


-Steve

cbuzzard Thu, 03/04/2004 - 07:19
User Badges:

Hi Steve,


I've been going through the information provided and playing with this a little in a lab. How does the below scenario look?


We want any host in our 10.28.128.0/24 subnet that connects to a local (IP address) VIP of 'LendingTree_Web/rc-LT-80' to be load-balanced. In doing this we must perform some form of NAT since the clients and VIP are all in the same network.


1. Create a new group for the client machines. In all documentation I see that the source group has the same IP as the content rule, but is this necessary? I don't want to place any services in this group because I don't want them being source NATted when they communicate outbound, just when they talk to local VIPs. Should this new group be a completely new IP address to the environment since we're not NATting the service outbound connections?


group Testclients

vip address 10.28.128.29

active


2. We currently have ACLs enabled on our CSS(s) with ANY ANY rules at clause 50. If we add the below clause to our ACL would be saying that when any source in the 128 subnet connects to this specific content rule to source NAT the connection as 10.28.128.29? This should cause all traffic to now go through the CSS and create proper flows, right?


clause 25 permit any 10.28.128.0 255.255.255.255 destination content LendingTree_Web/rc-LT-80 sourcegroup Testclients


We could then add more of these clauses with additional destination content rules behind the same source group NAT, right?



Thanks!

chad


Actions

This Discussion