Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

Source Groups and Active-Active redundancy

I have a pair of CSS configured for Active-Active Virtual IP (VIP) and virtual interface redundancy. I was recently told that some servers on the backend VLAN need to talk to a client VIP. To ensure the CSS stays in a conversation I need to source NAT. Unfortunately the "client" users of the application cannot be subject to source NAT.

Long term I will be creating a new VLAN interface to split the servers up (waiting on cabling). As a short-term fix I want to implement a "one-armed" VIP as a temporary solution for server to server communication. Servers would point at this temporary VIP and a group used for source NAT.

My question is what VIP address do I use on the group? Do I use the Content rule VIP or configure different VIPs for the group? Also do I need unique group VIPs for each CSS when using this redundant configuration. I have axtra IP addresses available if I need to use them.

Example Configs

===============

CSS Number 1:

owner OneArmed

content ProdServers

protocol tcp

port 80

add service Prod1

add service Prod2

balance leastconn

vip address 192.168.1.10

active

!************************** CIRCUIT **************************

circuit VLAN1

ip address 192.168.0.5 255.255.255.0

ip virtual-router 1 priority 102 preempt

ip redundant-vip 1 192.168.0.10

!*************************** GROUP ***************************

group ProdServers

vip address 192.168.0.?? (192.168.0.10 or unique e.g. 192.168.0.20)

add destination service Prod1

add destination service Prod2

active

CSS Number 2:

owner OneArmed

content ProdServers

protocol tcp

port 80

add service Prod1

add service Prod2

balance leastconn

vip address 192.168.1.10

active

!************************** CIRCUIT **************************

circuit VLAN1

ip address 192.168.0.6 255.255.255.0

ip virtual-router 1 priority 101

!*************************** GROUP ***************************

group ProdServers

vip address 192.168.0.?? (192.168.0.10 or unique e.g. 192.168.0.21)

add destination service Prod1

add destination service Prod2

active

2 REPLIES
Bronze

Re: Source Groups and Active-Active redundancy

Hi,

If you have a very specific need in terms of natting and using a source group, you may want to consider applying a nat or source group via an ACL.

So if you only have 2 servers on the back end that you need to nat going outbound, you could configure an acl and apply it to the vlan it is inbound on and apply the source group on the acl. Here is a link on using acls:

http://www.cisco.com/univercd/cc/td/doc/product/webscale/css/css_750/cmdrefgd/cmdaclc.htm

acl 1

clause 10 permit 10.1.1.1 255.255.255.255 destination any sourcegroup natserver

assuming the 10.1.1.1 is the server you want to nat and natserver is the name of the source group.

Just beware of using acls as they can be tricky and please understand that there is an implicit deny on all vlans when you enable the acls, so make sure you have atleast a "permit any any destination any" with all vlans applied to it..

Regards

Pete..

New Member

Re: Source Groups and Active-Active redundancy

Thanks Pete. I already have an ACL configuration in my back pocket. However as you alluded to it is a maintenance headache. New servers require changes to the ACL's and/or an nql. I won't use them unless I have to.

129
Views
0
Helpful
2
Replies
CreatePlease to create content