CSS using UDP

bs6825 (Level 1)

Should be a simple question and I hope I have the answer, just want to see if someone can verify this will work. This is on a CSS 11501 with 8.2 code. Have to be sure the client data flows, which are served by the same 2 servers but with different VIPs, are correctly returned to the client. Assume all routing is correct. Thanks in advance for your feedback.

Client 1: SRC ip 192.168.1.2, SRC port UDP 4932 (random port) -> DST ip 10.1.2.100, DST port UDP 1120
Client 2: SRC ip 172.16.12.12, SRC port UDP 8374 (random port) -> DST ip 10.1.2.101, DST port UDP 1120

Client 1 must have return packet: SRC ip 10.1.2.100, SRC port 1120 -> DST ip 192.168.1.2, DST port 4932
Client 2 must have return packet: SRC ip 10.1.2.101, SRC port 1120 -> DST ip 172.16.12.12, DST port 8374

!************************* INTERFACE *************************
interface e1
  phy 100Mbits-FD
  bridge vlan 11
interface e2
  phy 100Mbits-FD
  bridge vlan 12

!************************** CIRCUIT **************************
circuit VLAN11
  ip address 10.1.2.1 255.255.255.0
circuit VLAN12
  ip address 10.2.1.1 255.255.255.0

!************************** SERVICE **************************
service service1-UDP1120
  ip address 10.2.1.30
  protocol udp
  port 1120
  active
service service2-UDP1120
  ip address 10.2.1.31
  protocol udp
  port 1120
  active

!*************************** OWNER ***************************
owner owned-by-me
  content VIP100
    protocol udp
    add service service1-UDP1120
    add service service2-UDP1120
    port 1120
    vip address 10.1.2.100
    active
  content VIP101
    protocol udp
    add service service1-UDP1120
    add service service2-UDP1120
    vip address 10.1.2.101
    port 1120
    active


The CSS sets up a Flow Control Block (FCB) in one direction only when a UDP packet is processed. The FCB for the return path will only be set up if the response packet arrives. Because of the uni-directional nature of UDP, a UDP content rule must have a corresponding source group to handle the return UDP traffic and to provide the mapping between the two sides of the UDP flow.

For example:

content vip1
  vip address 192.168.100.86
  protocol udp
  add service test1
  add service test2
  active

group outbound2
  vip address 192.168.100.86
  add service test1
  add service test2
  active

The problem here is that you want to have 2 different source NATs.

So, the only way is to use an ACL to define which group to use.

You first need to define 2 groups, one for each VIP. Do not assign any service.

Then create an ACL like this to tell the CSS when to use one group or the other:

acl 1
  clause 10 permit udp destination sourcegroup
  ...

As you can see, you need to know in advance which group to use, so one client will always receive traffic from the same VIP.

Another solution is to do client NAT when forwarding the client request to the server.

In this case, an FCB for the reverse path will also be set up, and the CSS will do the automatic reverse NATing when the server responds. The only drawback is that the server always sees traffic coming from the same IP.

If you go for this solution, you need a group, but instead of using 'add service' you use 'add destination service'.

Only 1 group is required.

Gilles.
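The two options Gilles describes (ACL-selected source groups versus client NAT with 'add destination service') can be seen in a small model of the flow handling. This is an added illustration, not CSS code or anything from the thread's author; the `CssModel` class, its hash-free balancing and its FCB keys are simplified assumptions, while the addresses and ports are the ones in the question.

```python
# Toy model (added illustration, not CSS code) of the UDP flow handling described
# above: a content rule builds a forward FCB only, so the server's reply needs a
# source group to restore the VIP as source, or a reverse FCB left by client NAT.
from dataclasses import dataclass

@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int

class CssModel:
    def __init__(self, content, groups, acl=None, client_nat=False):
        self.content = content        # vip -> real servers ('content ... add service')
        self.groups = groups          # vip -> real servers ('group ... add service')
        self.acl = acl or {}          # client ip -> group vip ('acl ... sourcegroup')
        self.client_nat = client_nat  # 'add destination service': client NATed to VIP
        self.reverse_fcb = {}         # (server, vip, client port) -> original request

    def inbound(self, p):
        """Client -> VIP: rewrite the destination to a real server (forward FCB)."""
        servers = self.content[p.dst]
        server = servers[p.sport % len(servers)]    # deterministic toy balancing
        if self.client_nat:                         # server sees the VIP as the client
            self.reverse_fcb[(server, p.dst, p.sport)] = p
            return Pkt(p.dst, p.sport, server, p.dport)
        return Pkt(p.src, p.sport, server, p.dport)

    def outbound(self, p):
        """Server -> client: the reply as the client receives it, or None if broken."""
        orig = self.reverse_fcb.get((p.src, p.dst, p.dport))
        if orig:                                    # reverse FCB: automatic un-NAT
            return Pkt(orig.dst, orig.dport, orig.src, orig.sport)
        if p.dst in self.acl:                       # ACL chose the group for this client
            vips = [self.acl[p.dst]]
        else:                                       # every group containing this server
            vips = [vip for vip, svcs in self.groups.items() if p.src in svcs]
        return Pkt(vips[0], p.sport, p.dst, p.dport) if len(vips) == 1 else None

def round_trip(css, request):
    """One request through the model; the server answers from its real address."""
    to_server = css.inbound(request)
    reply = Pkt(to_server.dst, to_server.dport, to_server.src, to_server.sport)
    return css.outbound(reply)

SERVERS = ["10.2.1.30", "10.2.1.31"]
CONTENT = {"10.1.2.100": SERVERS, "10.1.2.101": SERVERS}   # both VIPs, same servers
CLIENT1 = Pkt("192.168.1.2", 4932, "10.1.2.100", 1120)
CLIENT2 = Pkt("172.16.12.12", 8374, "10.1.2.101", 1120)
```

With two source groups that both list the same servers the model cannot pick a VIP for the reply (`None`), which is the ambiguity the ACL resolves; with client NAT the reverse FCB alone carries the reply back, at the cost of the server only ever seeing the VIP as source.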

Thanks Gilles, the only problem is that there is a requirement for the original source IP to hit the server. I will be doing NATs a level above this, as there are two public IPs that the clients will hit, so I will NAT them to different VIPs in order to differentiate them. So would I use the NATed VIP in the ACL to point to the source group? This may require several different NATs. The question posed had two; actually there are about eight or nine I need to worry about.