Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

CSS - Can a real server be several Layer-3 hops away from the VIP

Can a CSS11500 load balance and health check real servers that are several Layer-3 hops away from the VIP on the CSS. All documentation and examples always show the servers connected to the CSS as Layer-2

If yes are there any limitations using a CSS in this mode


Re: CSS - Can a real server be several Layer-3 hops away from th

Yes, the CSS can work with services that are not L2 or L3 adjacent.

Unless the CSS is in-line from a traffic perspective, you'll likely need to create a source group to NAT the clients' addresses before the traffic hits the server(s). This forces return traffic back through the CSS.

The main limitation of this configuration is that the servers lose visibility of the clients' real IP addresses. All connections will appear to come from the CSS.

Community Member

Re: CSS - Can a real server be several Layer-3 hops away from th

It is certainly possible, but it has more risk than not doing it.

If you are not using source groups, the source address of the packets going to the real server will be the client's actual address. When the server replies the packets have to go back through the CSS to get to the client to un-NAT the VIP address.

Using a source group to NAT the client's address could get around this if the path to the client doesn't go back to the CSS.

I have had pretty good luck with real servers on subnets that had two paths out - one via the router and one via the CSS. As long as the real serves used the CSS as the default gateway everything worked well and traffic to other servers did not have to be handled by the CSS.


Re: CSS - Can a real server be several Layer-3 hops away from th

Hi Bob,

from my point of view there are only some rules to be watched but it should be possible to do. One thing that MUST be: The outgoing interface towards the realserver MUST be used for the traffic that returns from the server afaik because of the CSS has to watch the flows. (can be easily done if u use a trunk as there is for the CSS afaik no difference if the traffic leaves on VLAN x and returns on VLANy unless both VLANs do connect on the same port).

The next thing that is a MUST is:

Routing has to ensure that the CSS is in the flow back from the servers and not bypassed. OR you have to do source-natting so that the server is thinking that the CSS is asking him something.

Regarding the monitoring there is no difference if you are using keepalive scripts for monitoring the service.

Hope that helps and answers your question...

Kind Regards,


CreatePlease to create content