
Using CSM to load-balance two sites

branfarm1
Level 4

Hi there,

I currently use CSS11500's at two of my sites and I'm able to use source-groups to achieve site load-balancing behind a single VIP.  So basically I have a VIP that has servers in both the local site and remote site.   Is something like this possible with the CSM? I suppose there's the nat server or nat client commands, but I'd like to be able to maintain original client IP address if possible, or at least maintain the original client IP for connections that stay local to the site.

Thanks,

Brandon

5 Replies

chrhiggi
Level 3

Hello Brandon-

It is not directly possible to pick and choose what servers are natted on the CSM like the CSS and ACE can do.

In the CSM, you configure nat under the serverfarm specifically.

Ex.

serverfarm Client_Nat_Example
  nat server
  nat client REMOTENAT
  real 10.10.10.1
    inservice

natpool REMOTENAT 172.16.35.5 172.16.35.5 netmask 255.255.255.0

If you were to divide up the traffic prior to hitting a serverfarm (maybe use a policy that matches specific subnets for your clients), then you could nat to only certain servers.

Ex.

access-list 2 permit 5.5.0.0 0.0.255.255

serverfarm Client_Nat_Example
  nat server
  nat client REMOTENAT
  real 10.10.10.1
    inservice

serverfarm No_Nat
  nat server
  no nat client
  real 20.20.20.1
    inservice

natpool REMOTENAT 172.16.35.5 172.16.35.5 netmask 255.255.255.0

policy client_remote
  serverfarm Client_Nat_Example
  client-group 2

vserver HTTP
  virtual 172.16.35.7 tcp www
  slb-policy client_remote
  serverfarm No_Nat
  persistent rebalance
  inservice

With this config, the CSM checks global access list 2, anything that matches a source of 5.5.x.x subnet would go to the serverfarm with the remote servers. Anything that does not match 5.5.x.x would use the default serverfarm under the vip (No_Nat serverfarm).  This is not optimal, but there is no parity between CSM and CSS when it comes to per-server NAT.

Thanks Chris,

So something like what I was describing would be possible with the ACE module -- is that right?

Yes, with the ACE modules or appliance, you can nat more selectively than CSS or CSM. With HTTP flows, the ACE can also insert the original source ip of the client into the http header so that you can maintain the client's IP for logging reasons.

Sorry to beat a dead horse, as it were, but just one more clarification -- does this feature only apply to HTTP flows or will it work with any generic L4 flow?

Inserting the source IP is for HTTP only.  To be clear - ACE can actually insert, remove, or modify any HTTP header. ACE does have the ability to loadbalance based on almost any L4-L7 data fully, but the engine that does the HTTP modification is specific to that protocol.
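
Added example, not part of the thread or any Cisco code: one way a back-end server could decide which address to log when some flows arrive client-NATed with the original source IP inserted into an HTTP header and others arrive un-NATed. It assumes the header is named X-Forwarded-For (the thread does not name it) and takes the NAT address 172.16.35.5 from the natpool above; the function name and sample requests are constructed.

```python
import ipaddress

# Assumption: the only address the load balancer NATs clients to, taken from
# the thread's "natpool REMOTENAT 172.16.35.5 172.16.35.5".
TRUSTED_NAT_SOURCES = {ipaddress.ip_address("172.16.35.5")}
# Assumption: header name the load balancer is configured to insert.
CLIENT_IP_HEADER = "x-forwarded-for"


def effective_client_ip(peer_ip, headers):
    """Return the client address a server should record for one request.

    peer_ip: source address of the TCP connection as the server sees it.
    headers: dict of HTTP request header names to values.
    """
    peer = ipaddress.ip_address(peer_ip)
    # Un-NATed flow: the peer already is the client, so any copy of the
    # header was supplied by the client itself and is ignored.
    if peer not in TRUSTED_NAT_SOURCES:
        return str(peer)
    lowered = {name.lower(): value for name, value in headers.items()}
    values = [v.strip() for v in lowered.get(CLIENT_IP_HEADER, "").split(",")]
    # More than one value means a client-supplied entry sits next to the
    # inserted one; which is which is not knowable here, so keep the peer.
    if len(values) != 1:
        return str(peer)
    try:
        return str(ipaddress.ip_address(values[0]))
    except ValueError:
        return str(peer)  # header missing or malformed


if __name__ == "__main__":
    # Constructed sample requests: (TCP peer, request headers).
    samples = [
        ("172.16.35.5", {"X-Forwarded-For": "5.5.1.20"}),            # NATed flow
        ("198.51.100.9", {"X-Forwarded-For": "10.0.0.1"}),           # local flow
        ("172.16.35.5", {"X-Forwarded-For": "1.2.3.4, 5.5.1.20"}),   # ambiguous
    ]
    for peer, hdrs in samples:
        print(peer, "->", effective_client_ip(peer, hdrs))
```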