CSS 11050 and non-web traffic.

t.baranski
Level 4

Just ran across something in the CSS documentation that has me somewhat concerned. Among other things, I'd like to configure CSS to handle our IDS traffic, which uses a proprietary port. I figured CSS would be able to handle this traffic if the content rule is simply layer 3 or layer 4, but reading about the "application" command has me wondering if my assumption was accurate, as it says something about CSS rejecting the data stream if it can't be interpreted.

Is it possible for CSS to do basic layer 4 forwarding of such traffic? If so, does it have to be configured for "application bypass", or will the default suffice?

Thanks for any help.

8 Replies

lynchp
Level 1

Hi,

No problem with load balancing non-HTTP traffic. You just configure the correct port under the content rule. What I think is meant by the comment in the documentation is that we cannot load balance stuff like IPsec etc. because we cannot build a flow for them. This is at the IP layer and a different protocol to TCP or UDP.

You do not need to configure any application command under the content rule.

Cheers

Phil

Cisco Systems

Thanks for the help... Very much appreciated.

A question to Phil (I just would like to clarify for myself): the CSS can do LB of traffic based on TCP or UDP transport; if the application uses pure IP packets, it is not possible to configure LB for that kind of traffic. Is that correct?

What it comes down to is, if we cannot build a flow for the protocol, we cannot load balance it. The CSS can route it, it just can't load balance / NAT the packet.

In the doco's there is a list of supported protocols.

http://www.cisco.com/univercd/cc/td/doc/product/webscale/css/getstart/specs.htm#xtocid240399

Cheers

Phil

Cisco Systems

Yes it is possible to load balance custom applications.

For example, I am load balancing a gateway application that used TCP port 8598.

While you can't do L5-L7 aware load balancing, round robin, least conn and ACA can be used:

    content CICS_Trans_GW_1
      vip address 10.3.110.21
      protocol tcp
      port 8598
      balance leastconn
      add service SVR3007
      add service SVR3027
      add service SVR3039
      active

I think that the previous post is just saying that if you cannot specify the protocol and port of an application then the CSS cannot recognize it as a flow and you cannot write a content rule. (Phil pls correct me if I misunderstood your comment)

Here is a link to a new tech tip on flows: http://www.cisco.com/warp/public/117/css_flows.html

David Russell

CCIE #5751

ThroughPoint

David is correct

David, Phil

I think that the question was whether or not we can load balance something that is not TCP or UDP, i.e. OSPF uses IP protocol 89.

So, this would be layer 3 load balancing based on IP address only, and this should be feasible.

Gilles.

CCIE #3878

Cisco Systems

The CSS can load balance 'any' IP protocol with a layer 3 rule. The only caveat is that the services assigned to the content rule must only have an ICMP keepalive. If you specify a TCP port number as the keepalive, the CSS will perform the outbound NAT / port redirection to that TCP port, which will cause things to break. This is not in the documentation!

Darren Page

CCIE #1429.
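
The keepalive caveat in the last reply can be checked against a saved configuration. The following Python is an added example, not code from the thread or from Cisco: the sample configuration, its addresses and the rule names `L3_any_ip` and `L4_gateway` are constructed, and it assumes the `service`/`content` block layout used in the thread plus `keepalive type` and `keepalive port` service commands, with ICMP assumed when no type is set.

```python
# Constructed sample in CSS running-config style (not taken from the thread's devices).
SAMPLE = """\
service SVR3007
  ip address 192.0.2.11
  keepalive type icmp
service SVR3027
  ip address 192.0.2.12
  keepalive type tcp
  keepalive port 8598
owner demo
  content L3_any_ip
    vip address 192.0.2.21
    add service SVR3007
    add service SVR3027
  content L4_gateway
    vip address 192.0.2.21
    protocol tcp
    port 8598
    add service SVR3027
"""

def parse(config):
    """Collect settings per service block and per content rule block."""
    services, rules, cur = {}, {}, None
    for line in filter(None, map(str.strip, config.splitlines())):
        words = line.split()
        if len(words) == 2 and words[0] in ("service", "content"):
            store = services if words[0] == "service" else rules
            cur = store.setdefault(words[1], {"services": []})
        elif cur is not None and words[:2] == ["add", "service"]:
            cur["services"].append(words[-1])
        elif cur is not None and words[0] in ("keepalive", "protocol", "port"):
            cur[" ".join(words[:-1])] = words[-1]  # e.g. "keepalive type" -> "tcp"
    return services, rules

def layer3_keepalive_findings(config):
    """Flag services on layer 3 rules (no protocol/port) whose keepalive is not plain ICMP."""
    services, rules = parse(config)
    findings = []
    for rule, cfg in rules.items():
        if "protocol" in cfg or "port" in cfg:
            continue  # layer 4 rule: a TCP keepalive port is expected there
        for svc in cfg["services"]:
            s = services.get(svc, {})
            ka_type = s.get("keepalive type", "icmp")  # assumption: ICMP when unset
            if ka_type != "icmp" or "keepalive port" in s:
                findings.append((rule, svc, ka_type, s.get("keepalive port")))
    return findings
```

On the constructed sample, only `SVR3027` under `L3_any_ip` is reported; the same service under the layer 4 rule is not, because a TCP keepalive port is consistent with a rule that already names a protocol and port.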