
CSS11503 Front-End Back-End on Same Interface

oinojosa12
Level 1

CSS11503 using same GigaEthernet interface for front-end and back-end connections. Is it possible?

4 Replies

Diego Vargas
Cisco Employee

Hi,

The answer is YES, you can have the CSS configured on a single VLAN in what is usually called one-arm.

It is important to make sure that traffic flows back through the CSS when load balancing (as usually in this kind of setup the servers are pointing to another L3 device as the gateway).

This is an example:

CSS Load Balancing Using One Interface Configuration Example:

http://www.cisco.com/en/US/products/hw/contnetw/ps789/products_configuration_example09186a0080093dff.shtml

Hope it helps!!

Diego M

Thank you. I will continue with this deployment.

My current configuration is attached, and was not working. I hope it will work when I change "add service SERVERX" to "add destination service SERVERX".

"add service" versus "add destination service" is most likely the issue. "add service" is used for server-originated connections. "add destination service" is for connections that hit a VIP and then are load balanced.

In a single-armed config, both the web servers and the client PCs are sitting on the single VLAN.

By default, the nature of the CSS is to "spoof" the client PC IP addresses to the web servers. Due to this spoofing, the web servers think that they are actually talking to the client PCs. This is very helpful if you are a server operator who needs to generate a report of who is accessing your web servers. This spoofing nature is admissible if we have 2 separate VLANs, one for the client PCs and one for the web servers, which stops the servers' responses from going to the client PCs directly, bypassing the CSS. This widely deployed setup is also known as the 'routing mode' topology.

To stop this default phenomenon from happening (because we run on a single VLAN), just use 'add destination service' under the group config. Now you have commanded the CSS to stop this spoofing, instead forcing the CSS to use its own VIP address (configured under 'group'). This way the web servers' response packets never go to the client PCs but to the group VIP.

Packets are never lost here. Hope this explains a bit.

Thanks
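
The packet flow described in the replies above, as an added example that is not part of the original thread: a simplified Python model of a one-arm CSS with and without the group's `add destination service` source translation. All addresses and the `OneArmCSS` class are constructed for illustration.

```python
from dataclasses import dataclass

# Constructed addresses: client, VIPs and server all share one VLAN (one-arm).
CLIENT, VIP, GROUP_VIP, SERVER = "10.0.0.50", "10.0.0.100", "10.0.0.101", "10.0.0.10"

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str

class OneArmCSS:
    """Hypothetical model of the load balancer, not Cisco code."""
    def __init__(self, source_nat):
        self.source_nat = source_nat  # True models a group with 'add destination service'
        self.flows = {}               # server address -> original client

    def forward(self, pkt):
        # Content rule: rewrite the destination from the VIP to the real server.
        self.flows[SERVER] = pkt.src
        src = GROUP_VIP if self.source_nat else pkt.src
        return Packet(src, SERVER)

    def reverse(self, pkt):
        # Undo both translations so the client sees a reply from the VIP.
        return Packet(VIP, self.flows[pkt.src])

def simulate(source_nat):
    css = OneArmCSS(source_nat)
    request = Packet(CLIENT, VIP)
    at_server = css.forward(request)
    # The server answers whichever source address it saw.
    reply = Packet(SERVER, at_server.src)
    # Only replies addressed to the group VIP come back to the CSS;
    # replies addressed to the client go straight to it, bypassing the CSS.
    via_css = reply.dst == GROUP_VIP
    at_client = css.reverse(reply) if via_css else reply
    return {
        "server_sees": at_server.src,   # the address that lands in server logs
        "reply_via_css": via_css,
        # The client only accepts a reply from the address it connected to.
        "client_accepts": at_client.src == request.dst,
    }

if __name__ == "__main__":
    for mode in (False, True):
        print("source NAT" if mode else "no source NAT", simulate(mode))
```

With source translation on, `server_sees` is the group VIP, so per-client reporting from the web server logs is no longer possible from the source address alone.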