10-18-2010 08:57 AM
Hi there,
I currently use CSS11500's at two of my sites and I'm able to use source-groups to achieve site load-balancing behind a single VIP. So basically I have a VIP that has servers in both the local site and remote site. Is something like this possible with the CSM? I suppose there's the nat server or nat client commands, but I'd like to be able to maintain original client IP address if possible, or at least maintain the original client IP for connections that stay local to the site.
Thanks,
Brandon
10-18-2010 12:15 PM
Hello Brandon-
It is not directly possible to pick and choose what servers are natted on the CSM like the CSS and ACE can do.
In the CSM, you configure nat under the serverfarm specifically.
Ex.
serverfarm Client_Nat_Example
 nat server
 nat client REMOTENAT
 real 10.10.10.1
  inservice
natpool REMOTENAT 172.16.35.5 172.16.35.5 netmask 255.255.255.0
If you were to divide up the traffic prior to hitting a serverfarm (maybe use a policy that matches specific subnets for your clients), then you could nat to only certain servers.
Ex.
access-list 2 permit 5.5.0.0 0.0.255.255
serverfarm Client_Nat_Example
 nat server
 nat client REMOTENAT
 real 10.10.10.1
  inservice
serverfarm No_Nat
 nat server
 no nat client
 real 20.20.20.1
  inservice
natpool REMOTENAT 172.16.35.5 172.16.35.5 netmask 255.255.255.0
policy client_remote
 serverfarm Client_Nat_Example
 client-group 2
vserver HTTP
 virtual 172.16.35.7 tcp www
 slb-policy client_remote
 serverfarm No_Nat
 persistent rebalance
 inservice
With this config, the CSM checks global access list 2; anything that matches a source in the 5.5.x.x subnet would go to the serverfarm with the remote servers. Anything that does not match 5.5.x.x would use the default serverfarm under the vip (No_Nat serverfarm). This is not optimal, but there is no parity between CSM and CSS when it comes to per-server NAT.
10-18-2010 08:23 PM
Thanks Chris,
So something like what I was describing would be possible with the ACE module -- is that right?
10-19-2010 09:39 AM
Yes, with the ACE modules or appliance, you can nat more selectively than CSS or CSM. With HTTP flows, the ACE can also insert the original source IP of the client into the HTTP header so that you can maintain the client's IP for logging reasons.
10-19-2010 10:11 AM
Sorry to beat a dead horse, as it were, but just one more clarification -- does this feature only apply to HTTP flows or will it work with any generic L4 flow?
10-19-2010 10:29 AM
Inserting the source IP is for HTTP only. To be clear - ACE can actually insert, remove, or modify any HTTP header. ACE does have the ability to loadbalance based on almost any L4-L7 data fully, but the engine that does the HTTP modification is specific to that protocol.