Hi there...we have several server "clusters" sitting behind a CSS 11501, e.g. 2 web servers, 2 LDAP servers, etc... If a webserver wants to talk to the LDAP server, he is unable to do so using the front end VIP...is there a reason for that? I can't seem to figure it out...we want all servers that need to talk to other servers behind the CSS to use the front end VIPs for HA and redundancy in case one is down for maintenance or whatever... do I need to create some backend VIPs?
Any suggestions? This is probably a lot simpler than I am making it out to be....
You need to translate the IP of the webserver before it hits the VIP. Under the current setup, when the LDAP servers receive traffic from the web servers, the source address in the packet is the "web server local IP", so the return traffic is delivered to the webserver directly (bypassing the CSS). You need to make sure that return traffic is forwarded to the CSS and that the CSS sends it back to the webservers.
You need to configure a source group to achieve that.
OK...so if I am getting this correctly, the VIP you have used above, is this a VIP from the OUTSIDE address space? And then whichever services are added will NAT through that address? I believe I also have to create a content rule after that as well? Using the same VIP and services?
Can the webservers and LDAP servers NAT through the same address? Or do I need to create a second group with a different VIP for them?
Thanks again for your assistance! I think I'm almost there!
The problem is that when a server accesses the VIP, the traffic is sent to another server and the response goes directly to the first one without going through the CSS. This is because both client and server are on the backend side.
It is important that the traffic goes back to the CSS so that it can perform NATing VIP IP <> server IP.
One solution to guarantee that this happens is to do client NAT.
To avoid doing client NAT for all traffic, you can use an ACL.
First create a group.
Then configure an ACL to define when to use the group. You want to match a server opening a connection to the VIP.
clause 10 permit ip x.x.x.x/x destination content owner/rule sourcegroup clientnat
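Added example, not part of any post in the thread: a small Python model of the packet flow the replies describe, showing why the web server rejects the LDAP server's direct reply and why client NAT (a source group) fixes it. All addresses, the `NAT_IP` used for the source group, and the class and function names are constructed for illustration.

```python
from dataclasses import dataclass

# Constructed addresses (assumptions, not taken from the thread)
VIP = "10.0.0.100"      # front-end VIP of the LDAP content rule
NAT_IP = "10.0.0.200"   # address the source group translates clients to
WEB = "192.168.1.10"    # web server, acting as the client here
LDAP = "192.168.1.20"   # LDAP server chosen by the load balancer

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str

class LoadBalancer:
    """Tracks one flow so a reply that passes through it can be un-NATed."""
    def __init__(self, client_nat):
        self.client_nat = client_nat
        self.flow = None

    def forward(self, pkt):
        # Destination NAT (VIP -> real server), plus source NAT if enabled.
        out = Packet(NAT_IP if self.client_nat else pkt.src, LDAP)
        self.flow = (pkt, out)
        return out

    def reverse(self, reply):
        # Undo both translations for a reply matching the stored flow.
        orig, out = self.flow
        assert (reply.src, reply.dst) == (out.dst, out.src)
        return Packet(orig.dst, orig.src)

def connect(client_nat):
    """Return (reply_went_via_lb, packet_seen_by_client, client_accepts)."""
    lb = LoadBalancer(client_nat)
    syn = Packet(WEB, VIP)
    at_server = lb.forward(syn)
    # The server answers whatever source address it saw.
    reply = Packet(at_server.dst, at_server.src)
    # Both hosts are on the backend side: a reply addressed to WEB is
    # delivered directly and never reaches the load balancer.
    via_lb = reply.dst != WEB
    delivered = lb.reverse(reply) if via_lb else reply
    # The client only accepts a reply from the address it connected to.
    accepted = (delivered.src, delivered.dst) == (syn.dst, syn.src)
    return via_lb, delivered, accepted

if __name__ == "__main__":
    for nat in (False, True):
        print("client NAT" if nat else "no client NAT", connect(nat))
```

Without client NAT the reply arrives with the LDAP server's real IP as its source, which matches no connection the web server opened; with it, the reply returns through the load balancer and arrives from the VIP.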