CSS11503: Do I need redundant-vips?

dcayer
Level 1

What advantage is there to setting up my VIPs as redundant-vips on the circuit?

I would rather use a static route on the upstream router/firewall pointing the VIPs to the CSS virtual-interface. This makes the CSS circuit configuration simpler (i.e.: only one redundant-interface).

8 Replies

aolabisi
Level 1

VIPs are usually used for providing services. Redundant interfaces are for network connectivity / routing.

You need redundant VIPs if you're doing ASR, or some type of failover for content rules.

I know failover for my content rules works without having the corresponding VIP defined as a "redundant-vip" under the client-facing VRRP group in the circuit configuration section. (failover works because my upstream gateway/firewall has a static route for my VIP via my CSS redundant interface IP).

The question is: will ASR work if my content rule VIPs are not within the IP subnets defined on my CSS circuits/VLANs?

For example, our gateway/firewall has a static route for my VIP (192.168.1.100) via 172.20.30.254 (VR on my CSS):

!********************* GLOBAL *********************
ip route 0.0.0.0 0.0.0.0 172.20.30.1 1

!******************* INTERFACE *******************
interface 1/1
  isc-port-one

interface 3/1
  description "client-facing VLAN"
  bridge vlan 30

interface 3/2
  description "www server VLAN"
  bridge vlan 31

!******************** CIRCUIT ********************
circuit VLAN30
  description "client-facing VLAN"
  ip address 172.20.30.252 255.255.255.255
    ip virtual-router 30 priority 220 preempt
    ip redundant-interface 30 172.20.30.254
    ip critical-service 30 www1
    ip critical-service 30 www2
    ip critical-service 30 Upstream-Router

circuit VLAN31
  description "www server VLAN"
  ip address 172.20.31.2 255.255.255.255
    ip virtual-router 31 priority 220 preempt
    ip redundant-interface 31 172.20.31.1
    ip critical-service 31 www1
    ip critical-service 31 www2
    ip critical-service 31 Upstream-Router

!******************** SERVICE ********************
service Upstream-Router
  ip address 172.20.30.1
  type redundancy-up
  active

service www1
  ip address 172.20.31.65
  redundant-index 1
  active

service www2
  ip address 172.20.31.66
  redundant-index 2
  active

!********************* OWNER *********************
owner web_site
  content web_cluster1
    add service www1
    add service www2
    vip address 192.168.1.100
    redundant-index 3
    active

!********************* GROUP *********************
group web_cluster1
  vip address 192.168.1.100
  add service www1
  add service www2
  redundant-index 4
  active

Will ASR (stateful failover) work for client connections to my VIP?

Your VIP is not part of the configured VLAN.

So anyway, you can't configure vip redundancy.

i.e.:

Pompon(config-circuit-ip[VLAN499-192.168.11.8])# ip redundant-vip 7 17.1.1.1
%% Address outside of allowed range.

So in your case you have no other choice than pointing a static route to the redundant-interface IP address.

I believe ASR should work with your VIP in this case.

But I never tested it.

Regards,

Gilles.

Thanks Gilles.

I'll test my ASR configuration in the lab next week.

I'm anxious to see what the "show rule" output will display for "IP Redundancy" (i.e.: Master/Backup or Not Redundant?).

Daniel,

Have you tested this in your lab? What I found out is:

This kind of setup (VIP outside of the client circuit) will work with redundancy, but not ASR, meaning no session failover. Session failover needs a redundant-index, which in turn needs the VIP to be associated with a VRID, but you can't do that, since it is outside of the client circuit subnet:

content web_test
  protocol tcp
  port 80
  add service web1
  add service web2
  vip address 192.168.30.100
  redundant-index 101

When I tried to activate this rule:

css-lab1(config-owner-content[NASD-web_test])# active
%% VIP address needs to be associated with a virtual router.

When I tried to associate this VIP with a VR:

css-lab1(config-circuit-ip[VLAN902-150.123.148.178])# ip redundant-vip 102 192.168.30.100
%% Address outside of allowed range.

Gilles, is there any way around this problem? Or, if you want to use ASR, must the VIP be on the client circuit?

Thanks,

Yatao

Thanks, Brad. That works.

The URL doesn't seem to be available anymore - I have a similar problem and could do with some help.
