Source Groups and Active-Active redundancy

glncalence (Level 1)

I have a pair of CSS configured for Active-Active Virtual IP (VIP) and virtual interface redundancy. I was recently told that some servers on the backend VLAN need to talk to a client VIP. To ensure the CSS stays in a conversation I need to source NAT. Unfortunately the "client" users of the application cannot be subject to source NAT.

Long term I will be creating a new VLAN interface to split the servers up (waiting on cabling). As a short-term fix I want to implement a "one-armed" VIP as a temporary solution for server to server communication. Servers would point at this temporary VIP and a group used for source NAT.

My question is what VIP address do I use on the group? Do I use the content rule VIP or configure different VIPs for the group? Also, do I need unique group VIPs for each CSS when using this redundant configuration? I have extra IP addresses available if I need to use them.

Example Configs

===============

CSS Number 1:

owner OneArmed
  content ProdServers
    protocol tcp
    port 80
    add service Prod1
    add service Prod2
    balance leastconn
    vip address 192.168.1.10
    active

!************************** CIRCUIT **************************

circuit VLAN1
  ip address 192.168.0.5 255.255.255.0
    ip virtual-router 1 priority 102 preempt
    ip redundant-vip 1 192.168.0.10

!*************************** GROUP ***************************

group ProdServers
  vip address 192.168.0.?? (192.168.0.10 or unique e.g. 192.168.0.20)
  add destination service Prod1
  add destination service Prod2
  active

CSS Number 2:

owner OneArmed
  content ProdServers
    protocol tcp
    port 80
    add service Prod1
    add service Prod2
    balance leastconn
    vip address 192.168.1.10
    active

!************************** CIRCUIT **************************

circuit VLAN1
  ip address 192.168.0.6 255.255.255.0
    ip virtual-router 1 priority 101

!*************************** GROUP ***************************

group ProdServers
  vip address 192.168.0.?? (192.168.0.10 or unique e.g. 192.168.0.21)
  add destination service Prod1
  add destination service Prod2
  active

2 Replies

pknoops (Level 3)

Hi,

If you have a very specific need in terms of NATing and using a source group, you may want to consider applying a NAT or source group via an ACL.

So if you only have 2 servers on the back end that you need to NAT going outbound, you could configure an ACL, apply it to the VLAN the traffic is inbound on, and apply the source group on the ACL. Here is a link on using ACLs:

http://www.cisco.com/univercd/cc/td/doc/product/webscale/css/css_750/cmdrefgd/cmdaclc.htm

acl 1
  clause 10 permit any 10.1.1.1 255.255.255.255 destination any sourcegroup natserver

assuming that 10.1.1.1 is the server you want to NAT and natserver is the name of the source group.

Just beware of using ACLs, as they can be tricky, and please understand that there is an implicit deny on all VLANs when you enable ACLs, so make sure you have at least a "permit any any destination any" applied to every VLAN.

Regards

Pete..
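As an added worked example (it is not part of Pete's reply, the poster's configuration, or the Cisco documentation linked above), this is the ACL-scoped source group Pete describes written out as a complete CSS configuration fragment for one of the two boxes, built around the Prod1/Prod2 services and the VLAN1 circuit from the question. The group VIP 192.168.0.20 is the unique address the original poster floated; the backend circuit name VLAN2, the two server addresses 192.168.1.21 and 192.168.1.22, and the group name natserver are assumptions for illustration only, and the example does not settle the redundant-VIP question the thread leaves open.

```text
! Added example configuration, not from the thread.
! Assumed for illustration: backend servers 192.168.1.21 and 192.168.1.22
! sit on an existing circuit named VLAN2; group VIP 192.168.0.20 is free.

! Source group used only by the ACL clause below. Because the ACL selects
! the flows, the group needs no add/add destination service lines; the
! group VIP is the source address the selected flows are NATed to.
group natserver
  vip address 192.168.0.20
  active

! Applied inbound on the backend circuit: only the two named servers are
! pushed through the source group, everything else on that VLAN passes
! unchanged (clause 30). Each additional server needs its own clause, which
! is the maintenance cost the poster mentions.
acl 1
  clause 10 permit any 192.168.1.21 255.255.255.255 destination any sourcegroup natserver
  clause 20 permit any 192.168.1.22 255.255.255.255 destination any sourcegroup natserver
  clause 30 permit any any destination any
  apply circuit-(VLAN2)

! Once ACLs are enabled every circuit without an applied ACL hits the
! implicit deny, so the client-facing circuit gets a permit-all ACL first.
acl 2
  clause 10 permit any any destination any
  apply circuit-(VLAN1)

! Enable last, after every circuit on the box has an ACL applied.
acl enable
```

The same fragment is entered on the second CSS; the order matters on both: define the group and the ACLs, apply an ACL to every circuit, and only then issue acl enable, otherwise the VLAN1 circuit drops client traffic between the enable and the apply.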

Thanks Pete. I already have an ACL configuration in my back pocket. However, as you alluded to, it is a maintenance headache. New servers require changes to the ACLs and/or an NQL. I won't use them unless I have to.
