
Communications behind CSS11501

Hello all,

I have two 11501s that are currently running in ASR mode. All is working great with that. I now have a need for some of the servers to communicate with each other behind the CSS's as well.

So, I have traffic from:

a) Internet to VIP address 192.168.2.129

b) Internal to VIP and host IPs

c) Host IPs to Internal

and now

d) Host IP to VIP address.

(Without -d-, parts a-c work just fine)

When I activate the config for the source groups, users will get intermittent delays. What could I be doing wrong? Below is my current config minus the actives for the server-to-server config stuff.

Any help would be appreciated!!

Todd.

**********************************

******* Configurations ***********

**********************************

************

CSS-1

************

circuit VLAN3

ip address 192.168.2.8 255.255.255.0

ip virtual-router 128 priority 110 preempt

ip virtual-router 93 priority 120 preempt

ip redundant-interface 93 192.168.2.10

ip redundant-vip 128 192.168.2.129

circuit VLAN5

ip address 172.16.1.8 255.255.255.0

ip virtual-router 95 priority 120 preempt

ip redundant-interface 95 172.16.1.1

!************************** SERVICES *************************

service reports1

ip address 172.16.1.122

redundant-index 32

active

service reports2

ip address 172.16.1.123

redundant-index 44

active

!*************************** OWNER ***************************

Owner Front-side

content reports

protocol tcp

port 443

balance leastconn

vip address 192.168.2.129

add service reports1

add service reports2

redundant-index 144

advanced-balance sticky-srcip-dstport

active

content reports80

port 80

protocol tcp

vip address 192.168.2.129

add service reports1

add service reports2

balance leastconn

redundant-index 152

active

owner back-side

content back-side-reports

vip address 172.16.1.97

add service reports1

add service reports2

protocol tcp

port 80

balance leastconn

redundant-index 100

!*************************** GROUP ***************************

group rpts

add destination service reports1

add destination service reports2

vip address 172.16.1.97

redundant-index 200

************

CSS-2

************

circuit VLAN3

ip address 192.168.2.9 255.255.255.0

ip virtual-router 128

ip virtual-router 93 priority 110

ip redundant-interface 93 192.168.2.10

ip redundant-vip 128 192.168.2.129

circuit VLAN5

ip address 172.16.1.9 255.255.255.0

ip virtual-router 95 priority 110

ip redundant-interface 95 172.16.1.1

!************************* SERVICES **************************

Services

service reports1

ip address 172.16.1.122

redundant-index 32

active

service reports2

ip address 172.16.1.123

redundant-index 44

active

!*************************** OWNER ***************************

Owner front-side

content reports

port 443

protocol tcp

balance leastconn

vip address 192.168.2.129

add service reports1

add service reports2

redundant-index 144

advanced-balance sticky-srcip-dstport

active

content reports80

protocol tcp

port 80

vip address 192.168.2.129

add service reports1

add service reports2

balance leastconn

redundant-index 152

active

owner back-side

content back-side-reports

add service reports2

vip address 172.16.1.97

add service reports1

protocol tcp

port 80

balance leastconn

redundant-index 100

!*************************** GROUP ***************************

group rpts

add destination service reports1

add destination service reports2

vip address 172.16.1.97

redundant-index 200


Re: Communications behind CSS11501

Todd,

What you need is to add the same services to groups as "add service" and as "add destination service". Unfortunately you can't do this, it's not a legal config.

The way around this is to use access lists on the CSS, where you can define which traffic will use a group and in which direction.

Be aware that CSS ACLs are like IOS ACLs in that there is an implicit deny at the end of every list. But unlike IOS, there is also an implicit deny LIST applied to all circuits that don't have a list specifically applied. So you need to create "permit any any" lists for circuits where you don't need the group controls, if any.

Peter

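One way to check a CSS configuration for the two implicit-deny cases described in the reply, as an added example that is not part of the original thread. The circuit names come from the posted config; the ACL lines in the sample are constructed and assume the CSS `acl` / `clause` / `apply circuit-(...)` syntax, and `audit_css_acls` is a hypothetical helper name.

```python
import re

# Constructed sample: circuit names are from the posted config; the ACL lines
# are hypothetical and assume the CSS "acl / clause / apply circuit-(X)" syntax.
SAMPLE = """\
circuit VLAN3
circuit VLAN5
acl 10
clause 10 permit tcp 172.16.1.122 destination 172.16.1.97 eq 80 sourcegroup rpts
apply circuit-(VLAN5)
"""
# Same sample with a catch-all clause added and a permit-all list on VLAN3.
FIXED = SAMPLE.replace("apply circuit-(VLAN5)",
    "clause 99 permit any any destination any\napply circuit-(VLAN5)") + """\
acl 20
clause 10 permit any any destination any
apply circuit-(VLAN3)
"""

CATCH_ALL = re.compile(r"permit\s+any\s+any\s+destination\s+any$", re.I)

def audit_css_acls(config):
    """Map each circuit to the implicit-deny problem it has, if any."""
    circuits, acls, acl = [], {}, None
    for line in (l.strip() for l in config.splitlines()):
        word, _, rest = line.partition(" ")
        word = word.lower()
        if word == "circuit":
            circuits.append(rest.strip()); acl = None
        elif word == "acl" and rest.strip().isdigit():
            acl = acls.setdefault(rest.strip(), {"clauses": [], "circuits": []})
        elif word in ("service", "owner", "group"):
            acl = None                      # another top-level block ends the ACL
        elif acl is not None and word == "clause":
            num, _, body = rest.strip().partition(" ")
            acl["clauses"].append((int(num), body.strip()))
        elif acl is not None and (m := re.match(r"apply\s+circuit-\((.+)\)$", line, re.I)):
            acl["circuits"].append(m.group(1))
    findings = {}
    if not acls:
        return findings                     # no lists defined, nothing to audit
    for name in circuits:
        applied = [(n, a) for n, a in acls.items() if name in a["circuits"]]
        if not applied:
            findings[name] = "no ACL applied: implicit deny list drops all traffic"
        for n, a in applied:
            last = max(a["clauses"])[1] if a["clauses"] else ""
            if not CATCH_ALL.search(last):
                findings[name] = f"acl {n}: no final permit-any clause, implicit deny applies"
    return findings
```

Run against `SAMPLE`, it flags VLAN3 (no list applied) and VLAN5 (list ends without a catch-all permit); `FIXED` comes back clean.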