Cisco Support Community
Community Member

One-armed Design, Source NAT Question

Hi folks,

I've inherited two CSSs in a one-armed design configuration and am after a bit of help:

Currently they perform source NAT, which is not what we want as our Web-Servers need to track/log the Source-Addresses.

My question relates to whether this source NAT behaviour is the default or whether I can change it by altering the design:

If I change the design by creating a new VLAN and a new circuit, attaching the Load Balancer and the new web_servers to this VLAN, and setting the web_servers' default gateway to be the load balancer, will this achieve the desired result?

Any help is appreciated.



Cisco Employee

Re: One-armed Design, Source NAT Question


Source NAT is not required for a one-arm deployment. Source NAT is being leveraged to guarantee symmetric traffic patterns to and from the server farm. Another option is to employ Policy Based Routing (PBR) to achieve symmetric flows.

One-arm designs are typically deployed to maintain the throughput between servers, meaning only traffic requiring load balancing will cross the LB device. I would suggest you determine if the server/application requirements that drove the initial design still exist before making any modifications.

Take care,


Community Member

Re: One-armed Design, Source NAT Question

Thanks for your reply Chris.

I am/was slightly confused as I was under the impression that source NAT was the default behaviour of the CSS - I didn't see any commands in the config that seem to have been entered in order to configure it.

However, since posting I've upgraded the secondary CSS unit we have from 3.10 to 6.10 and it works as I was hoping for. Only the 'type nci-direct-return' command has been removed from all the services.

Is it possible that the default behaviour of the previous version was to source NAT, but this is no longer the case in the newer version?

As for server/application behaviour, logging the source address is what we need to do. In order to achieve this, all I've had to do so far is upgrade the unit and change the default gateway of the web servers to be the CSS.

Thanks for your help,


Community Member

Re: One-armed Design, Source NAT Question

OK, I can now see why the 'type nci-direct-return' command has disappeared: it requires the enhanced licence - seems like the licence needs to be upgraded as well after upgrading the firmware.

I wonder if the source NAT behaviour is due to this command...

Community Member

Re: One-armed Design, Source NAT Question

So 'type nci-direct-return' is the culprit and turns on 'NAT Peering'.

The documentation I found on this command wasn't the clearest.

Now, how to get that license upgraded back to the Enhanced version.....
