Recommendation on best method for SCA deployment?

Mar 14th, 2004

We need to migrate from an existing one-armed NON-transparent proxy deployment to one of the following designs in an effort to give us transparency at the server level (i.e., see the client IP addresses).


The choices seem to be as follows:


One-Armed Transparent Proxy


http://www.cisco.com/univercd/cc/td/doc/product/webscale/css/css_sca/sca_420/sca_ap_b.htm#1005981


or


Transparent Local Listen


http://www.cisco.com/univercd/cc/td/doc/product/webscale/css/css_sca/sca_420/sca_ap_b.htm#1009050


The second option seems to be the easiest. Any recommendations?




Gilles Dufour Mon, 03/15/2004 - 01:23

Be aware that a router is needed between the client and the CSS.

The reason is that the CSS requires 2 static routes for each subnet that wants to reach the CSS.

1 route points at the router and 1 route points at the SCA - this is because the SCA uses the client ip address.

For locally attached clients, the CSS will always choose the local interface instead of the SCA to forward the response from the server - thus breaking the connections.


So what most people do is have a router in front of the CSS and configure a default route pointing at the router and another default route pointing at the SCA.


One problem with this design [2 static routes] is that connections initiated by the server [i.e. DNS requests] could be forwarded to the SCA as well.

The SCA will drop this traffic.

The solution is to configure an ACL to tell the CSS to prefer the router for connections initiated by the servers.


These 2 rules apply whatever method you choose above. [Personally I don't think one is easier than the other.]


Regards,


Gilles.

d.parks Mon, 03/15/2004 - 06:20

There is one option that you may want to consider that would not require any network re-work. In newer versions of the accelerator code, there is a setting that will enable the SCA to insert the client IP address into an HTTP header. With a minor change in the web server log, it can be adjusted to grab the address out of the HTTP header instead of the IP header.
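
The header-insertion approach above carries one check a practitioner will want before switching the log over: the header must only be believed when the request actually came through the SCA, because any client that can reach the server directly can write the same header itself. The following is an added example (not code from the thread, the SCA, or Cisco) of that check plus the resulting access-log line. The post does not name the header, so `X-Forwarded-For` is an assumption, as is the SCA address `10.1.1.10`; whether the SCA appends to an existing header or replaces it is also not stated, so the code takes the last comma-separated entry, which is the one a well-behaved appending proxy writes.

```python
"""Log the real client address from a proxy-inserted HTTP header, safely.

Added example, not part of the original thread. Assumptions (not stated in
the post): the SCA inserts X-Forwarded-For, and its address as seen by the
server is 10.1.1.10.
"""
import ipaddress
from datetime import datetime, timezone
from typing import Dict, Optional

# Assumed: addresses of the proxies whose inserted header may be trusted.
TRUSTED_PROXIES = frozenset({ipaddress.ip_address("10.1.1.10")})
# Assumed: the header the accelerator writes the client address into.
CLIENT_IP_HEADER = "X-Forwarded-For"


def _header(headers: Dict[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup (HTTP header names are case-insensitive)."""
    wanted = name.lower()
    for key, value in headers.items():
        if key.lower() == wanted:
            return value
    return None


def effective_client_ip(peer_ip: str, headers: Dict[str, str]) -> str:
    """Return the address to log for this request.

    The inserted header is only believed when the TCP peer is a trusted
    proxy. A client that reaches the server without going through the SCA
    can set the header to anything, so in that case the peer address is
    logged instead. Malformed or missing headers also fall back to the peer.
    """
    peer = ipaddress.ip_address(peer_ip)
    if peer not in TRUSTED_PROXIES:
        return str(peer)
    raw = _header(headers, CLIENT_IP_HEADER)
    if raw is None:
        return str(peer)
    # If the proxy appends to a header the client already sent, the proxy's
    # own entry is the last one; everything before it is client-controlled.
    candidate = raw.split(",")[-1].strip()
    try:
        return str(ipaddress.ip_address(candidate))
    except ValueError:
        return str(peer)


def access_log_line(peer_ip: str, headers: Dict[str, str], request_line: str,
                    status: int, nbytes: int,
                    when: Optional[datetime] = None) -> str:
    """Build an Apache combined-format log line using the effective client IP."""
    when = when or datetime.now(timezone.utc)
    client = effective_client_ip(peer_ip, headers)
    stamp = when.strftime("%d/%b/%Y:%H:%M:%S %z")
    referer = _header(headers, "Referer") or "-"
    user_agent = _header(headers, "User-Agent") or "-"
    return (f'{client} - - [{stamp}] "{request_line}" {status} {nbytes} '
            f'"{referer}" "{user_agent}"')


# Constructed sample requests: one relayed by the SCA, one direct, one where
# a direct client tries to spoof the header.
SAMPLE_REQUESTS = [
    ("10.1.1.10", {"X-Forwarded-For": "203.0.113.7", "User-Agent": "curl/7.x"}),
    ("198.51.100.5", {"User-Agent": "curl/7.x"}),
    ("198.51.100.5", {"X-Forwarded-For": "203.0.113.7", "User-Agent": "curl/7.x"}),
]

if __name__ == "__main__":
    fixed = datetime(2004, 3, 15, 6, 20, tzinfo=timezone.utc)
    for peer, hdrs in SAMPLE_REQUESTS:
        print(access_log_line(peer, hdrs, "GET /index.html HTTP/1.1", 200, 512, fixed))
```

The third sample request logs `198.51.100.5`, not the spoofed `203.0.113.7`, because the peer is not the SCA. A plain `LogFormat "%{X-Forwarded-For}i ..."` in Apache would log the spoofed value; Apache 2.4's `mod_remoteip` (`RemoteIPHeader` plus `RemoteIPInternalProxy`/`RemoteIPTrustedProxy`, then logging `%a`) performs the same peer check as this function, so in a real deployment prefer that over rewriting the format string alone.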
