Cisco Support Community

New Member

CSS11503 Front-End Back-End on Same Interface

CSS11503 using same GigaEthernet interface for front-end and back-end connections. Is it possible?

Cisco Employee

Re: CSS11503 Front-End Back-End on Same Interface


The answer is YES, you can have the CSS configured on a single VLAN on what is usually called one-arm.

It is important to make sure that traffic flows back thru the CSS when load balancing (as usually on this kind of setup servers are pointing to another L3 device as the gateway).

This is an example:

CSS Load Balancing Using One Interface Configuration Example:

Hope it helps!!

Diego M

New Member

Re: CSS11503 Front-End Back-End on Same Interface

Thank you. I will continue with this deployment.

My current configuration is attached, and was not working. I hope it will work when I change "add service SERVERX" with "add destination service SERVERX".

Cisco Employee

Re: CSS11503 Front-End Back-End on Same Interface

"add service" and "add destination service" is most likely the issue. "add service" is used for server originated connections. "add destination service" is for connections that hit a VIP and then are load balanced.


Re: CSS11503 Front-End Back-End on Same Interface

In a single-armed config, both the web servers and the client PCs are sitting on the single VLAN.

By default, the nature of the CSS is to "spoof" the client PC IP addresses to the web servers. Due to this spoofing, web servers think that they are actually talking to the client PCs. This is very helpful if you are a server operator who needs to generate a report of who is accessing your web servers. This spoofing nature is admissible if we have 2 separate VLANs, one for client PCs and one for web servers, which stops the servers' responses from going to the client PCs directly, bypassing the CSS. This widely deployed setup is also known as the 'routing mode' topology.

To change this default phenomenon (because we run on a single VLAN), just use 'add destination service' under the group config. Now you have commanded the CSS to stop this spoofing, instead forcing the CSS to use its own VIP address (configured under 'group'). This way the web servers' response packets never go to the client PCs but to the group VIP.

Packets are never lost here. Hope this explains a bit.
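A toy model of the two packet flows described in this thread, added here as an illustration and not taken from any poster or from Cisco. The addresses and the `OneArmLB` and `round_trip` names are constructed, and the model ignores ports and TCP state.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str

# Constructed addresses; client, servers and load balancer share one VLAN.
CLIENT, VIP, SERVER, GROUP_VIP = "10.0.0.50", "10.0.0.100", "10.0.0.11", "10.0.0.101"

class OneArmLB:
    """Load balancer on a single VLAN, with or without source NAT to a group VIP."""

    def __init__(self, source_nat):
        self.source_nat = source_nat
        self.nat = {}  # server address -> original client address

    def forward(self, pkt):
        """Client -> VIP: rewrite the destination, and the source if source NAT is on."""
        if pkt.dst != VIP:
            raise ValueError("not addressed to the VIP")
        if self.source_nat:
            self.nat[SERVER] = pkt.src
            return Packet(GROUP_VIP, SERVER)
        return Packet(pkt.src, SERVER)  # client address preserved

    def reverse(self, pkt):
        """Server -> group VIP: put the VIP back as source, the client as destination."""
        return Packet(VIP, self.nat[pkt.src])

def round_trip(source_nat):
    lb = OneArmLB(source_nat)
    to_server = lb.forward(Packet(CLIENT, VIP))
    # The server answers whatever source address it saw on the request.
    reply = Packet(SERVER, to_server.src)
    via_lb = reply.dst == GROUP_VIP
    if via_lb:
        reply = lb.reverse(reply)
    # The client opened a connection to the VIP, so a reply from any other
    # source address does not match that connection.
    accepted = reply.src == VIP and reply.dst == CLIENT
    return {"server_saw": to_server.src, "reply_via_lb": via_lb,
            "client_accepts": accepted}

if __name__ == "__main__":
    print("client IP preserved:", round_trip(False))
    print("source NAT to group:", round_trip(True))
```

The `server_saw` field shows the trade-off: with the group VIP as source, the server's access logs record the group VIP instead of the client address.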