Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Difference between Source & DESTINATION GROUP RULE in Cisco CSS

Hello All,

I am newbie for CSS. I know how flow works for normal CSS request without group rule. But whenever it comes to group rule I am pretty much

confuse about following:

- When we use source group rule & when we use destination group rule ?

- What is difference between them ?

- How the flow of data works in both of them?

Any help or explanation would be appreciated.

Thanks in advance,

Me too

Everyone's tags (1)
Cisco Employee

Re: Difference between Source & DESTINATION GROUP RULE in Cisco

the group rule determines in which direction you will do nat . consider

group USHA

  vip address

  add service Ushatest


add service says that if the server we defined with service Ushatest initiates a connection outbound through the CSS we will source nat the server address to
now consider
group DOT005
  add destination service dot008
  add destination service dot014
  vip address
we are saying that when a client hits a content rule to get loadbalanced to one of the services we will nat the client address to
in both cases nat is overloaded (pat) so many connections can be natted to the same address.
In the case where you have a content rule that loadbalances to a server and that server does not use the CSS as its default gateway w would use add destination service to get the return traffic back to the CSS.
In the case where a server is initiating the connection and we want to hide the server address we would use add service.

New Member

Re: Difference between Source & DESTINATION GROUP RULE in Cisco

Hi litrenta,

Great  explanation & thanks a lot... After reading what you have explained now its making some sense to  me on both.

So basically in add destination service we are changing the source ip in the packet from client/requestor's ip to CSS VIP ip

Similarly in add service we are changing Soruce ip in the return packet from server's IP to CSS VIP ip

Let me know if my understanding is correct.

Once again thank you very much for such information response.

CreatePlease login to create content