06-04-2007 01:41 AM
Dear all,
Topology:
10.1.101.X/24 ---CSS11000--- 10.1.103.X/24(Server Farm)
Configuration:
########### Service ###########
service LBS_AP-11:11111
ip address 10.1.103.11
keepalive type tcp
keepalive port 11111
port 11111
active
service LBS_AP-12:11111
ip address 10.1.103.12
keepalive type tcp
keepalive port 11111
port 11111
active
########### Owner ###########
owner Customer-6
content LBS_AP-10:11111
vip address 10.1.103.10
add service LBS_AP-11:11111
add service LBS_AP-12:11111
port 11111
protocol tcp
active
Problem:
We notice that the traffic's Src IP address from the Client side (10.1.101.X) has been replaced by the CSS's VIP address = 10.1.103.10 (through Sniffer).
Is that correct or reasonable?
The configuration was implemented by another Cisco Partner.
Our customer wants me to find out why they cannot see the Client's IP address as the Src IP address when the traffic is from 101.X to 103.X
If there is still anything that I have to provide to you experts, please let me know.
Appreciate ^__^
CSS# show version
Version: ap0610107a (6.10 Build 107)
Flash (Locked): 6.10 Build 107
Flash (Operational): 6.10 Build 107
Type: PRIMARY
Licensed Cmd Set(s): Standard Feature Set
06-04-2007 04:15 AM
The client NAT is done when you have a group configured. You forgot to provide this part of the config, but I'm certain you have a group in your config.
If the person who configured the CSS thought a group was needed, there might be a reason.
Most often it is required when you have a one-armed scenario. It is being used to guarantee that the response from the server will go back to the CSS first and not directly to the client, which would break connectivity.
You should verify if indeed you're in one-armed.
In one-armed, you can get rid of the group if you can find another way to guarantee the response from the server to go to the CSS.
This can be done by changing the server default gateway or by configuring policy routing on the current default gateway.
Gilles.
06-04-2007 09:04 PM
Dear Gilles,
Yes, we do have a group statement as follow:
########## Group ##########
group LBS
vip address 10.1.103.10
add destination service LBS_AP-11:11111
add destination service LBS_AP-12:11111
active
###########################
The question is . . . when we remove the group statement as mentioned above, the patron can finally see the traffic definitely from the client side (101.X/24) and destined to the VIP (10.1.103.10).
But, unfortunately, there are some DB servers on the same side of the Server Farm (103.X) having no access to the VIP (10.1.103.10).
(They could and did access the VIP when the group statement was configured.)
What can I do now for this situation?
I am totally confused with "sourcegroup", "one-armed scenario", and "ACL".
The patron said they want to see the true Src IP addresses from 101.X and still have the DBs on the 103.X network access the VIP 10.1.103.10.
The DBs' IP addresses range from 10.1.103.15 to 10.1.103.20, etc.
If there is still anything that I should provide to you experts, please let me know.
Appreciate ^__^
########## Relevant Configuration ##########
circuit VLAN101
redundancy
description "SC-SAA-3548 VLAN101"
ip address 10.1.101.30 255.255.255.0
circuit VLAN103
redundancy
description "SC-SAA-3548 VLAN103"
ip address 10.1.103.254 255.255.255.0
acl 20
clause 10 permit tcp any destination any
clause 20 permit any any destination any
apply circuit-(VLAN101)
apply circuit-(VLAN103)
Best Regards
Sincerely,
06-05-2007 12:02 AM
Dear Gilles,
I replaced the "add destination service" by the "add service" statement, and it seems to do what we want.
The "add service" statement NATs the source IP & Port for flows originating from the servers on the server farm side (103.X/24).
So we can get the real client's IP from 101.X/24 and have the DB servers access the VIP (10.1.103.10) without any trouble.
But ~~~~~~ >"<
The LBS_AP_11(12) has an application that needs to use its original IP (10.1.103.11(12)) to access another Application Server outside the CSS_SLB domain (10.8.128.X).
Can we use an ACL to bypass that traffic as follows?
########### ACL ###########
acl 30
clause 10 bypass any 10.1.103.0 255.255.255.0 destination 10.8.128.0 255.255.255.0
clause 20 permit any any destination any
apply circuit-(VLAN103)
Of course, we must remove the "circuit-(VLAN103)" from ACL#20 and add the new one "ACL#30".
Best Regards
Sincerely,
06-05-2007 01:29 AM
I'm not sure the bypass will work.
I thought it should, but somebody said on this list very recently that it didn't.
So, the proper solution, which I use myself, is to set up an ACL to define when to use the group.
i.e.:
acl 30
clause 10 permit any 10.1.103.0 255.255.255.0 destination 10.8.128.0 255.255.255.0
clause 20 permit any 10.1.103.0 255.255.255.0 destination any sourcegroup
apply ....
Make sure to then remove all the 'add service ...' commands from under the group.
Gilles.
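As an added illustration, not part of any post in this thread, the constructed Python model below walks the three flows the thread cares about (client to VIP, DB server to VIP, app server to 10.8.128.X) through the ACL approach described in the reply above, so you can see which flows keep their real source address and which get NATed to the group VIP. The group name LBS, the assignment of ACL 20 to VLAN101 and ACL 30 to VLAN103, and the first-match-wins / implicit-deny semantics are assumptions of this model, not quoted CSS documentation.

```python
from ipaddress import ip_address, ip_network

# Constructed model of the CSS "ACL + sourcegroup" logic from this thread.
# Assumption: the group referenced by the sourcegroup clause is named "LBS".
GROUP_VIP = {"LBS": "10.1.103.10"}

# Each clause is (protocol, source net, destination net, sourcegroup or None).
# ACL 20 is the existing permit-everything ACL from the thread; ACL 30 follows
# the reply above: clause 10 keeps the real server IP towards 10.8.128.0/24,
# clause 20 source-NATs every other server-side flow to the group VIP.
ACL20 = [
    ("tcp", "0.0.0.0/0", "0.0.0.0/0", None),
    ("any", "0.0.0.0/0", "0.0.0.0/0", None),
]
ACL30 = [
    ("any", "10.1.103.0/24", "10.8.128.0/24", None),
    ("any", "10.1.103.0/24", "0.0.0.0/0", "LBS"),
]

# Assumption: ACL 30 replaces ACL 20 on VLAN103 only, as the poster proposed.
CIRCUIT_ACL = {"VLAN101": ACL20, "VLAN103": ACL30}


def clause_matches(clause, proto, src, dst):
    """True when protocol, source and destination all fall inside the clause."""
    cproto, snet, dnet, _ = clause
    return (cproto in ("any", proto)
            and ip_address(src) in ip_network(snet)
            and ip_address(dst) in ip_network(dnet))


def apply_acl(acl, proto, src, dst):
    """Return (action, source address as seen by the server side).

    Modeled as first match wins; a flow matching no clause is denied
    (the model assumes an implicit deny once an ACL is applied).
    A clause carrying a sourcegroup rewrites the source to that group's VIP,
    which is exactly what forces the return traffic back through the CSS.
    """
    for clause in acl:
        if clause_matches(clause, proto, src, dst):
            group = clause[3]
            return ("permit", GROUP_VIP[group] if group else src)
    return ("deny", None)


def ingress(circuit, proto, src, dst):
    """Evaluate a flow arriving on the given circuit against that circuit's ACL."""
    return apply_acl(CIRCUIT_ACL[circuit], proto, src, dst)
```

Running `ingress("VLAN101", "tcp", "10.1.101.50", "10.1.103.10")` keeps the client address, while a DB server on VLAN103 talking to the VIP is rewritten to 10.1.103.10 and an app server talking to 10.8.128.x is left untouched.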
06-10-2007 11:08 PM
Dear,
Unfortunately, the "bypass" solution did not work as we expected.
This is a production environment, so the patron could not let us try & error too many times.
Probably the next time, when we have some spare equipment or another implementation project, we can try to find out what the problem is.
Thanks, Cisco & Gilles . . .
Much appreciated ^__^