Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

CSS - src and dst in the same vlan

Hi guys,

I need LB something like this in routed mode:

first data flow:

[client]->[vip1-c(css)]->[www1/www2]

and second (backend) flow is:

[www1/www2]->[vip2-c(css)]->[www3/www4]

vip1,2-c = VIP address on client side

www1,2,3,4 = all servers are in the same VLAN

problematic is second data flow (www1/2 -> vip2 -> www3/4(because www3/4 are in the same VLAN as www1/2).

I have two solution for this:

1. migrate www1/2 and www3/4 to the independent VLANs (this can be design problem in existing topology)

2. communication from www1/2 with destination to www3/4 translate to IP address located on the CSS using group, but I'm not sure if it's possible, or how it's possible to configure on the CSS.

group gr1

add service www1

add service www2

add destination service www3

add destination service www4

vip address ip-from-client-side(for example vip2-c)

active

it's possible to use this configuration?

martin

4 REPLIES
Cisco Employee

Re: CSS - src and dst in the same vlan

The group is a good solution.

However, the way it was configured is incorrect.

You either specify the source or destination.

So, if you want to nat all traffic from www1 and www2 you leave the 'add server www1' commands and remove the 'add destination service www3'.

Or you can nat all traffic going to www3 and www4. In this case, you remove the 'add service www1' and keep the others.

Another way of doing this would be to remove all 'add ..' commands and use an acl to specify when to use the group using the option 'sourcegroup gr1' inside the acl.

Gilles.

New Member

Re: CSS - src and dst in the same vlan

thanks gilles,

I forgot an acl with group option. thanks.

martin

New Member

Re: CSS - src and dst in the same vlan

Gilles,

I have one guestion about using acl with group option (www1 and www3 are in the same vlan).

data flow: www1 -> vip -> www3

src address will be www1 and dst addr in the acl will be vip address? that means, *source address* (www1) for the backend communication (css -> www3) will be translated. right?

or dst address should be www3? (I think, first example is right and this isn't).

martin

Cisco Employee

Re: CSS - src and dst in the same vlan

the acl are always applied inbound.

So the dst should the VIP.

Also, when matching a vip, use the option "content" instead of using the ip address.

ie:

acl 1

clause 10 permit any destination content sourcegroup gr1

Gilles.

146
Views
5
Helpful
4
Replies