Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
617
Views
0
Helpful
4
Replies

One-armed Design, Source NAT Question

ddarby1
Level 1
Level 1

‎01-08-2008 09:36 AM

Hi folks,

I've inherited two CSS's in a one-armed design configuration and am after a bit of help:

Currently they perform source NAT, which is not what we want as our Web-Servers need to track/log the Source-Addresses.

My question relates to whether this source nat behaviour is the default or whether I can change it by altering the design:

If I change the design by creating a new VLAN, new circuit, attach the Load Balancer and the new web_servers to this VLAN, set the web_servers' default gateway to be the load balancer. Will this achieve the desired result?

Any help is appreciated.

Thanks,

Dan

Labels:
0 Helpful
4 Replies 4

chrobrie
Cisco Employee
Cisco Employee

‎01-08-2008 11:29 AM

Dan,

Source NAT is not required for a one-arm deployment. Source NAT is being leveraged to guarantee symmetric traffic patterns to and from the server farm. Another option is to employ Policy Based Routing (PBR) to achieve symmetric flows.

One-arm designs are typically deployed to maintain the throughput between servers, meaning only traffic requiring load balancing will cross the LB device. I would suggest you determine if the server/application requirements that drove the initial design still exist before making any modifications.

Take care,

Chris

0 Helpful

ddarby1
Level 1
Level 1
In response to chrobrie

‎01-09-2008 07:56 AM

Thanks for your reply Chris.

I am/was slightly confused as I was under the impression that source nat was the default behaviour of the CSS - I didn't see any commands in the config, which seem to have been entered in order to configure it.

However, since posting I've upgraded the secondary CSS unit we have from 3.10 to 6.10 and it works as I was hoping for. Only the 'type nci-direct-return' command has been removed from all the services.

Is it possible that the default behaviour of the previous version was to source nat, but this is no longer the case in the newer version?

As for server/application behaviour, logging the source address is what we need to do. In order to achieve this, all I've had to do so far is upgrade the unit and change the default gateway of the web servers to be the CSS.

Thanks for your help,

Dan

0 Helpful

ddarby1
Level 1
Level 1
In response to ddarby1

‎01-09-2008 08:02 AM

OK, I can now see why the 'type nci-direct-return' command has disappeared: it requires the enhanced licence - seems like the licence needs to be upgraded as well after upgrading the firmware.

I wonder if the source nat behaviour is due to this command...

0 Helpful

ddarby1
Level 1
Level 1
In response to ddarby1

‎01-09-2008 09:01 AM

So 'type nci-direct-return' is the culprit and turns on 'NAT Peering'.

The documentation I found on this command wasn't the clearest.

Now, how to get that license upgraded back to the Enhanced version.....

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents