Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Direct access to servers behind a CSS

Hopefully I am not repeating a thread but am trying to clarify something.

We are trying to come up with a network design template that we can reuse later down the line.

Have been looking for best practices on the setting up of a CSS 11500 and have found some but nothing that quite matches what I have in mind. It there is one please point it out to me.

We are trying to use the CSS to load balance to some web servers, these web servers also have to be accessed

and managed remotely, the initial plan was the network diagram below. The web servers have two interfaces a public VLAN X and a private VLAN Y. The LB sends the traffic to the public VIP to the private interface. I have gotten it working

with the client nat but the config seems overly complex and we lose visibility. Not a deal breaker if this is what is commonly done, just feel that there is a better way. Instincts could be wrong.

I have read that you can just go straight thru the load balancer to the servers but also saw a thread where it was mentioned not to send all traffic thru the CSS since it was mainly designed to deal with http type traffic and had issues with long persistent flows, maybe I read it wrong but it would make sense to me only to send the traffic to the servers that need to be load balanced thru the CSS and everything else go direct.

What do most designers have their servers do? Should I send out a pair of router to do route mapping? Redunancy and the VPN router is not managed by us. Remove the public interface and put a static route entry pointing to the CSS for the web servers network? Or leave it the way it is? Any insight would be great, than you for your time.


-----------------VLAN X-VPN-[More Servers]



[CSS][WEB][Accessing Servers]



----------- VLAN Y

Cisco Employee

Re: Direct access to servers behind a CSS

I think you listed every possible solution.

It would be nice to be able to say that one is the best option, but unfortunately this is not the case.

It all depends on your traffic and application.

Do you expect long lived persistent connections going directly to the server ?

If yes, do you know the destination port or is it random ?

You can always adjust the timeout for long lived connection if you know the destination port. You can do this with the 'flow permanent' command.

One thing you can do is create a vip for each server separately [use private ip addresse for the servers and a public ip for the vip].

Then you can catch the traffic for each server and use the 'flow-timeout-multiplier' to set the idle timeout.

I think if you can do this it is the best option.

I only recommend to bypass the CSS if you use protocols that are not supported by the CSS like IPSEC or if the level of traffic that you sent directly to the servers is so high that it could potentially kill or slow down the CSS.

In this case client nat is required or a router doing policy routing.

I hope this helps.