Cisco Support Community
New Member

CSS Design


My network topology is as per the nwtopo.jpg file. Now, in this, if I want to do load balancing for server farm-2, how would my physical and logical connectivity look, and how would my routing happen?


For some security reasons I cannot change the gateway of the servers (on both server farms), and both server farms are to be connected through a firewall.

Can someone give me inputs on this...


Cisco Employee

Re: CSS Design


Well, the main difference between server farm 1 and server farm 2 is that server farm 2 is not local to the CSS, so you need to make sure that the traffic flows back to the CSS before going to the client.

The common way to do this is by configuring source NATing in the CSS; this will prevent asymmetric flows. This is exactly what you are doing for server farm 1, where the default gateway cannot be changed.

This is how a flow to the VIP would work

1. Client to

2. CSS NATs and sends the frame with source destined to 192.168.20.x

3. Server will respond back to VIP

4. CSS answers to client request with source IP as the VIP

As for routed traffic to the servers, there should be no problem; the CSS will not be in the middle in this case, so if you need to do direct management of your servers the CSS will not be involved and everything should work fine.

Hope it helps!!

New Member

Re: CSS Design


Thanks for your response.

Do you mean to say that I use the same VIP address ( for the other server farm too?

So my understanding is...

1. Traffic from the client (behind the CORE network) enters through the outside interface of the firewall and through firewall leg1 to the CSS

2. Load Balanced traffic from CSS ( goes to firewall leg2 through the same firewall leg1.

3. Servers respond back to CSS VIP ( from firewall leg 2 through firewall leg1.

4. CSS then responds back to the client through the firewall leg1 and then through the outside leg connected to the CORE network.

If my understanding is right... is there any other better method of doing it??

Also do correct me if my understanding was wrong...


Cisco Employee

Re: CSS Design


Well, actually you do need to use the same VIP; I mentioned just as an example. You will need to define a VIP for your server farm.

With regards to the traffic flow, well, traffic definitely needs to flow back through the CSS, otherwise an asymmetric flow will be created.

Think about this.

1. Client sends a SYN to the VIP with source IP

2. CSS forwards the request to the server without changing the source IP.

3. Server gets a SYN coming from , so it will send a SYN/ACK destined to

4. The client receives the SYN/ACK from the server IP but the request was done to the VIP, so the packet will be discarded.

This means that the packet always needs to flow back through the CSS, or this issue will show up.

There is actually a way to bypass the Load Balancer on the way back but it is not supported by the CSS.

The CSM has what is called DSR (Direct Server Return) and with IOS SLB you can do a Dispatch mode.

Those setups need the server to have a special configuration; then again, the CSS will not support it.

Hope it clarifies your doubts!!
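The two replies above describe the same handshake twice: once with source NAT on the CSS (the SYN/ACK comes back through the CSS and reaches the client from the VIP) and once without it (the server answers the client directly from its own address and the client discards the SYN/ACK). The following Python model is an added example, not code from the thread or from Cisco; the addresses, the CSS-owned NAT address and the round-robin selection are all constructed assumptions, and the "firewall leg2" return path is reduced to one rule: a server whose default gateway cannot be changed sends its reply toward whatever source address it saw, and only a CSS-owned address brings that reply back through the CSS.

```python
"""Model of client -> CSS VIP -> real server -> client, with and without
source NAT on the load balancer.  All addresses are constructed for this
example (assumption), not taken from the original thread."""
from dataclasses import dataclass

CLIENT = "10.0.0.5"                           # client behind the CORE network
VIP = "10.1.1.100"                            # VIP configured on the CSS
LB_SNAT = "192.168.20.1"                      # CSS-owned address used as NAT source
SERVERS = ["192.168.20.11", "192.168.20.12"]  # server farm-2 reals behind leg2


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    flags: str


class Client:
    def __init__(self, ip):
        self.ip = ip
        self.expecting = None

    def syn(self, vip, dport=80, sport=40000):
        # The socket is keyed on the full 4-tuple of the connection we opened.
        self.expecting = (vip, dport, self.ip, sport)
        return Packet(self.ip, vip, sport, dport, "SYN")

    def receive(self, p):
        # TCP matches a segment to a socket by 4-tuple.  A SYN/ACK from an
        # address we never sent to has no socket and is dropped (RST in practice).
        return (p.src, p.sport, p.dst, p.dport) == self.expecting


class Server:
    def __init__(self, ip):
        self.ip = ip

    def respond(self, p):
        # Reply to whatever source address the SYN carried; the server's own
        # default gateway decides the path, not the load balancer.
        return Packet(self.ip, p.src, p.dport, p.sport, "SYN/ACK")


class LoadBalancer:
    def __init__(self, vip, snat_ip, servers, source_nat):
        self.vip, self.snat, self.servers = vip, snat_ip, list(servers)
        self.source_nat = source_nat
        self.rr = 0
        self.table = {}  # (server, sport, nat_src, client_port) -> (client_ip, client_port)

    def forward(self, p):
        if p.dst != self.vip:
            return p  # routed (e.g. management) traffic: the CSS is not in the path
        server = self.servers[self.rr % len(self.servers)]
        self.rr += 1
        src = self.snat if self.source_nat else p.src
        self.table[(server, p.dport, src, p.sport)] = (p.src, p.sport)
        return Packet(src, server, p.sport, p.dport, p.flags)

    def reverse(self, p):
        # Untranslate a reply that came back to the CSS: restore the client as
        # destination and present the VIP as the source.
        client_ip, client_port = self.table[(p.src, p.sport, p.dst, p.dport)]
        return Packet(self.vip, client_ip, p.sport, client_port, p.flags)


def run_handshake(source_nat):
    """Return (client_accepted, packet_the_client_saw) for one SYN to the VIP."""
    client = Client(CLIENT)
    lb = LoadBalancer(VIP, LB_SNAT, SERVERS, source_nat)
    servers = {ip: Server(ip) for ip in SERVERS}

    to_server = lb.forward(client.syn(VIP))
    synack = servers[to_server.dst].respond(to_server)

    # Return path rule (assumption modelling the unchanged server gateway):
    # only a reply addressed to a CSS-owned address crosses the CSS again.
    if synack.dst == LB_SNAT:
        synack = lb.reverse(synack)
    return client.receive(synack), synack


def management_flow():
    """Direct SSH to a real server: not addressed to the VIP, so untouched."""
    lb = LoadBalancer(VIP, LB_SNAT, SERVERS, source_nat=True)
    p = Packet(CLIENT, SERVERS[0], 50000, 22, "SYN")
    return lb.forward(p) == p


if __name__ == "__main__":
    for nat in (False, True):
        ok, seen = run_handshake(nat)
        print(f"source NAT={nat}: client saw SYN/ACK from {seen.src}, accepted={ok}")
    print("management traffic bypasses the CSS:", management_flow())
```

Without source NAT the client sees a SYN/ACK from 192.168.20.11 for a connection it opened to 10.1.1.100 and drops it; with source NAT the reply is addressed to the CSS, gets untranslated, and arrives from the VIP. The same model also shows the first reply's last point: a packet not addressed to the VIP passes the load balancer unchanged.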

Cisco Employee

Re: CSS Design

Just to clarify, VIP can be different.

New Member

Re: CSS Design


I understand the point about asymmetric flow.

But my question was whether, in my scenario, the traffic will flow the way I had understood it?

However, I got more things clarified from your reply (CSM and IOS SLB); thanks again.

Also, do you have any doc or URL on best practices for CSS design?

