09-21-2006 06:20 AM
I have a pair of CSS configured for Active-Active Virtual IP (VIP) and virtual interface redundancy. I was recently told that some servers on the backend VLAN need to talk to a client VIP. To ensure the CSS stays in a conversation I need to source NAT. Unfortunately the "client" users of the application cannot be subject to source NAT.
Long term I will be creating a new VLAN interface to split the servers up (waiting on cabling). As a short-term fix I want to implement a "one-armed" VIP as a temporary solution for server to server communication. Servers would point at this temporary VIP and a group used for source NAT.
My question is what VIP address do I use on the group? Do I use the Content rule VIP or configure different VIPs for the group? Also, do I need unique group VIPs for each CSS when using this redundant configuration? I have extra IP addresses available if I need to use them.
Example Configs
===============
CSS Number 1:
owner OneArmed
content ProdServers
protocol tcp
port 80
add service Prod1
add service Prod2
balance leastconn
vip address 192.168.1.10
active
!************************** CIRCUIT **************************
circuit VLAN1
ip address 192.168.0.5 255.255.255.0
ip virtual-router 1 priority 102 preempt
ip redundant-vip 1 192.168.0.10
!*************************** GROUP ***************************
group ProdServers
vip address 192.168.0.?? (192.168.0.10 or unique e.g. 192.168.0.20)
add destination service Prod1
add destination service Prod2
active
CSS Number 2:
owner OneArmed
content ProdServers
protocol tcp
port 80
add service Prod1
add service Prod2
balance leastconn
vip address 192.168.1.10
active
!************************** CIRCUIT **************************
circuit VLAN1
ip address 192.168.0.6 255.255.255.0
ip virtual-router 1 priority 101
!*************************** GROUP ***************************
group ProdServers
vip address 192.168.0.?? (192.168.0.10 or unique e.g. 192.168.0.21)
add destination service Prod1
add destination service Prod2
active
09-22-2006 05:46 AM
Hi,
If you have a very specific need in terms of natting and using a source group, you may want to consider applying a nat or source group via an ACL.
So if you only have 2 servers on the back end that you need to nat going outbound, you could configure an acl and apply it to the vlan it is inbound on and apply the source group on the acl. Here is a link on using acls:
http://www.cisco.com/univercd/cc/td/doc/product/webscale/css/css_750/cmdrefgd/cmdaclc.htm
acl 1
clause 10 permit 10.1.1.1 255.255.255.255 destination any sourcegroup natserver
assuming the 10.1.1.1 is the server you want to nat and natserver is the name of the source group.
Just beware of using acls as they can be tricky and please understand that there is an implicit deny on all vlans when you enable the acls, so make sure you have at least a "permit any any destination any" with all vlans applied to it.
Regards
Pete..
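As an added example (not from either poster or from Cisco's documentation), here is the ACL approach above written out in full, with the permit-all clauses that Pete's implicit-deny warning calls for. It assumes the two backend servers are 192.168.0.101 and 192.168.0.102 on VLAN1, that the other circuit is named VLAN2, and that the source group gets its own VIP 192.168.0.20; all of those values are placeholders.

```cisco
! Source group used only to NAT the backend servers (assumed VIP 192.168.0.20)
group natserver
  vip address 192.168.0.20
  active

! ACL on the servers' VLAN: clauses 10 and 11 NAT only Prod1 and Prod2
! (assumed 192.168.0.101 / .102); clause 20 passes everything else unchanged
acl 1
  clause 10 permit any 192.168.0.101 255.255.255.255 destination any sourcegroup natserver
  clause 11 permit any 192.168.0.102 255.255.255.255 destination any sourcegroup natserver
  clause 20 permit any any destination any
  apply circuit-(VLAN1)

! Every other circuit needs its own permit-all ACL, otherwise the implicit deny
! silently drops that VLAN's traffic as soon as ACLs are enabled globally
acl 2
  clause 10 permit any any destination any
  apply circuit-(VLAN2)

! Enabling ACLs is global: do it only after every circuit has an ACL applied
acl enable
```

Adding a third server to the NAT set means adding another clause before clause 20, which is the maintenance cost the original poster mentions.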
09-22-2006 06:58 AM
Thanks Pete. I already have an ACL configuration in my back pocket. However, as you alluded to, it is a maintenance headache. New servers require changes to the ACLs and/or an NQL. I won't use them unless I have to.