In Group configuration we have the option of using add service and add destination service.
In what scenario each has to be used.
Any examples, links available
Thanks in Advance
If you use 'add service', the CSS would then use/spoof the ip addresses of the browser-PC when it communicates with the Server farm that it load balances. Its called destination NAT-ing.
If you use the 'destination service' instead, the CSS uses client side ?circuit' address (browser-PC segment) of the CSS when it communicates with the Servers it load balances. Its called Source NAT-ing.
The question is in what situations do we use these type 'services'. The answer would be when CSS used in 'bridging' mode, you would use a destination service. And by now you would know in 'Routing mode' we would use the simple 'add service'.
Regarding the 'circuit address' being used as source address when CSS talks to the Servers, there is a is no clear document that can confirm this statement. I found it in the Lab I done yesterday after someone in this forum told me that he was seeing in his CSS installation. Because, most of the Cisco documents and the Training materials I read, just says that it should be the VIP address under the group address would be used as the source address when it talks to the Servers.
The explanation is a little bit incorrect.
The function of a group is to do source nating. ALWAYS. Whatever the function 'add service' or 'add destination service'.
The nated ip will be the configured vip address for the group. It's never a circuit ip address or something else.
The difference between the 2 functions is that 'add service' will nat the source ip address of traffic initiated by the server.
The function 'add destination service' will nat the source ip of traffic sent to the server.
We use 'add destination service' when we want to guarantee that the server will send its response back to the CSS and we can't have the routing table adjusted to guarantee this.
We use 'add service' when a server opens connection to the Internet and we want it to looks like coming from a particular ip.
Just to clarify; if I understand your explanation, you don't HAVE to use a group?
If you don't use a group -- and therefore a VIP -- then what SrcIP/Ports does the service see? Flipside, what does the CSS see?
Sorry for being dense on this,
a group is not mandatory. We only use it for particular cases mentioned previously.
If you do not have a group, the CSS will forward the traffic from clients to the server without changing the client ip [source ip address] and just replacing the vip address of the content rule with the server ip address [this is the destination ip].
When you do 'add service' and from the CSS perspecive, CSS never alters the source address of the incoming packets actually they are left untouched when they are forwarded to the servers. It rather does a change of destination address, meaning it is a destination-NATing.
Correct me if I am wrong.
Sorry to correct you again, but the function that changes the destination ip is the content rule.
Remove your group and you will still see the same nating.
A group with 'add service' is for connection initiated by the SERVER and to nat the SERVER ip address [in this case the source].
So, if you have a network like this :
Internet ------ CSS -------- Server
With 'add service' when the server sends a SYN, it will exist on the Internet vlan with a source ip being the group-VIP address instead of the server ip address.
With the command 'add destination service' we nat traffic going to the server.
So, with the same scenario, if a client on the Internet sends traffic to a VIP and the CSS forwards the traffic to the server, the CSS will change the destination ip [vip] with the server ip [this is the results of configuring a content rule] and it will also nat the client ip using the group_vip address [this is the result of the group config].
So, as I said, the group is for source nating.
We are using "add service" in our group config block and hits in the apache logs of the services are showing the vip of the group, not the client source ip address.
If I take the group out, the client source ip returns.
give us the full config and I can tell you why, but 'add service' should not change client ip address.
Only 'add destination service'.
as I said, the 'add service' is only for connections initiated by the server.
In your case, the nating is happening because of this ACL :
clause 21 permit tcp any destination any sourcegroup hs_external
It means, all TCP traffic should be nated.
This acl is applied on the internet interface, so it means all tcp traffic coming from internet should be nated.
You can remove the 'add service' statement without suspending or removing the group and you will see the CSS will keep on nating the client ip.
Remove the acl clause 21 and the nating will stop.
Thanks for clarifying the difference between add service and add destination service in group configuration of CSS.
Client ---CSS - Server A & B
Source NAT configuration is done in CSS by group & add destination service
When client initiates the request, s= Client & D= CSS VIP Address .
CSS then changes the s= CSS VIP Address & D = Server A or B
Do we need to do client originated NAT to make this configuration work
Thanks in advance
I think I mentioned it in one of my post on this discussion. It is not required to do client nat. So the group config is not necessary.
But one important rule of loadbalancing in general is that the loadbalancer must see the client request [in order to loadbalance to the appropriate server] but it must also see the server response [because the client expect a response from the vip, not the server].
Therefore, if you can't guarantee that the server response will go through the CSS, it is sometimes necessary to do client nat.