Cisco Support Community

New Member

Help with CSS configuration issue

My question is about configuring the CSS 11151 for server load balancing including some provision for communication with each of the servers (services), independent of the load balancing method. Here are the details.

We are building a test IDC for dedicated web hosting. We will use one Cisco CSS 11151 and several servers (as well as a firewall, etc). Web requests will be processed by the CSS using round robin. However, in addition to the need for servicing web requests, there are situations in which the web owner or the IDC administrator needs to communicate with a specific server.

That need exists for doing administrative functions like troubleshooting. It also exists for the web owner to deliver content and configure the web server. I understand that there are several different ways to configure the CSS to support this kind of access (see below) but I don't know what the trade-offs are, nor do I know what the common practices are. So I am not sure which configuration(s) to use. Any experience to share? What is being done in the real world?

Configuration Alternatives I Am Aware Of:

1) In the (web) owner's rule add an additional individual pass-through VIP for each service. That VIP (or its NATed IP) is exposed only to the web owner.

2) Use an additional content rule for each service (L5 content rule) so that particular types of requests, e.g. FTP, are directed to particular servers.

Re: Help with CSS configuration issue

If you don't get a suitable response to your post, you may wish to speak with your Cisco design engineer at your local Cisco office. You can locate your local Cisco representative from this URL: or email me at for further assistance in locating the correct person in your area.

If anyone else in the forum has some real world advice or experience, please reply to this thread.

Thank you for posting.

New Member

Re: Help with CSS configuration issue

There are a lot of solutions here. In our network we use pcAnywhere to access our servers. Every server has two network cards. One network card is connected to the CSS, the other one is connected to an internal network segment. The internal network segment has no route to the internet. We use a VPN solution to access that network. So, only web/ftp/commercial traffic is going through the CSS. Configuration of the CSS is simpler and you have the ability to implement out-of-band management for your servers.

Also, you can just create L5 content rules for each server and open some ports for your administrative applications.

New Member

Re: Help with CSS configuration issue

I would recommend not using the separate Virtual IP through the CSS for the administrative tasks on the webservers.

The CSS also consists of a hardware switching module, which enables you to configure different circuit VLANs.

For administrative purposes on the webservers one can directly connect to its real IP address, which is configured as the IPs of the serverside_circuit_VLANS.

eg: circuit VLAN10_CSS_IN (Virtual IPs out of this VLAN)

ip address

Circuit VLAN20_serverside

ip address

So, you can directly telnet or http to servers addresses for administration and avoid CSS configuration of new content rules etc.

New Member

Re: Help with CSS configuration issue

Here is another way to hack this where you can use your domain name and port number to differentiate which server you would like to connect to.

If you are limited on public IP addresses and need to administrate your back-end servers remotely, then you can create a layer4 content rule for each single server you would like to access.

This means you can create a content rule using the same IP address as your main load balancing VIP, and then you can assign a different port number to each one of these new rules. Per rule, the one service on the backend can map to whichever port you like, like 23.

So the end result of this method can be telnetting to on port 1010, and having that request map to port 23 on your backend servers.

Hope that helps!
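The port-per-server mapping described in the post above, written out as CSS (WebNS) configuration. This is an added example, not configuration posted by anyone in the thread; the owner, rule and service names, the VIP 192.0.2.10, the server addresses 10.0.20.11 and 10.0.20.12, and the ports 1010/1011 are constructed placeholders.

```text
! Constructed example: one shared VIP, round robin for web traffic,
! plus one layer 4 rule per server for administrative access.

! Load-balanced web services (real server addresses are placeholders)
service web1
  ip address 10.0.20.11
  protocol tcp
  port 80
  active

service web2
  ip address 10.0.20.12
  protocol tcp
  port 80
  active

! Per-server administrative services: same real servers, backend port 23
service web1-admin
  ip address 10.0.20.11
  protocol tcp
  port 23
  active

service web2-admin
  ip address 10.0.20.12
  protocol tcp
  port 23
  active

owner webowner
  ! Main rule: VIP port 80, balanced across both servers
  content web-rule
    vip address 192.0.2.10
    protocol tcp
    port 80
    balance roundrobin
    add service web1
    add service web2
    active

  ! Same VIP, port 1010 always lands on web1 port 23
  content web1-admin-rule
    vip address 192.0.2.10
    protocol tcp
    port 1010
    add service web1-admin
    active
```

A matching rule on port 1011 with `add service web2-admin` reaches the second server. Every mapped port is reachable by anyone who can reach the VIP, so the firewall in front of the CSS should limit ports 1010 and 1011 to the administrators' source addresses.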


