CSS 11500 Port Aggregation

Similar Messages

• CSS 11500 Responds for any Port

  Hopefully this is an easy question but I am having a heck of a time finding an answer.
  We have multiple CSS 11500 clusters.  We have found that on all of them, if you try to open a session on any port to an IP address on the backend of the CSS, the CSS will complete the SYN-ACK-ACK session with the client.  This happens regardless of whether there is something on that IP address or not.
  Example:
  Front                           Back
  10.1.1.0/24 --- CSS --- 10.2.2.0/24
  Coming from any IP, if I try to telnet to ANY IP on the 10.2.2.0 subnet (whether or not there is an actual server on that IP) on any port (whether or not that port is open or not), the CSS will complete the initial connection.  I have verified this using telnet to numerous ports and viewing the transaction in a packet capture.
  Is there any way to shut this off?  This is causing some licensing issues for our security folks that use a vulnerability scanner licensed on number of IP addresses.
  Thanks for any input!

  Thanks for your reply Marvin.
  We actually use ACLs already - primarily for purposes of allowing backend servers to reach load-balanced services on the CSS they sit behind or for reverse proxy services. 
  I have tried specifically blocking access to backend IP addresses that are not used but oddly enough the CSS still replies and opens the initial TCP session just like any other.
  I think I'm going to have to open a TAC case on this one.  If they can't answer it, I may be forced to put all of these behind firewalls - which is doable but not ideal.

• Services with different IP address subnets over CSS 11500 series

  Hi all folks!
  I have two CSS 11500 series...
  In just a few months i will have ready a DRS (Disaster Recovery Site), where i will have 2 more servers to add to the environment.
  But this servers will be in a different subnet from that today i have for the servers who are configured in the current services of my CSS.
  So then the doubt i arises is:
  Is correct to add two new services with these servers, but using the IP addressing of the DRS site???, and including on the CSS a static route to this network, (of the DRS) in order to reach them?? is it correct, it will work well?
  This would be so....
               ________________LAN to LAN_____________________
               |                                                                                |
               |                                                                                |
  |------SITE A------|                                                        |------SITE B------|  
       [Firewall] ===============IPSEC============= [Firewall]               
             |                                                                                |
             |                                                                                |
  [CSS-A]-[CSS-B]                                                            [SWITCH]
         |          |                                                                     |         |         
       [SWITCH]                                                                    |         |                                                                 
  [srvA] [srvB] [srvC]                                                          [srvD] [srvE]
  So, at [CSS-A] & B, i will put a static route to firewall that know the subnet of site B through the IPSEC tunnel.
  So In the CSSs, i will add the new services for the Servers "D" & "E" with the IP address of Site B.
  This should be seen as well:
  !*************************** GLOBAL ***************************
  ip route 0.0.0.0 0.0.0.0 [IP FIREWALL]
  ip route SITE B [IP FIREWALL]
  !************************** SERVICE **************************
  service srvA
    ip address A.A.A.x
    port 8080
  service srvB
    ip address A.A.A.x+1
    port 8080
  service srvC
    ip address A.A.A.x+2
  port 8080
  service srvD
    ip address B.B.B.y
  port 8080
  service srvE
    ip address B.B.B.y+1
  port 8080
  I know that this practice is not the most desirable, in fact should use"Basic Global Server Load Balancing Site Redundancy Using the CSS with DNS", but I don't have much time to change the entire environment today, and in this first stage i have to begin with this poor but quick solution that i thought and i wanted to be validated if there is posibliidades this to work
  Within their experiences that they say? Will operate?
  Thanks in advance!
  Regards!
  Esteban =)

  Daniel!
  Sorry by delay!
  Thank you so much for you time for reply.
  You have given me a great help to this doubt!
  But..using "source group" let me know..
  I can´t undertand the really difference between NAT with ACls as you can see at this link: (http://www.cisco.com/en/US/products/hw/contnetw/ps789/products_tech_note09186a0080093dfc.shtml)
  and
  this other link, using NAT (from the piont 5), (http://www.cisco.com/en/US/products/hw/contnetw/ps789/products_configuration_example09186a0080093dff.shtml)
  where the NAT is configured under a method different from the previous one..
  So.. for this scenario described above, which would you recommend using? I would think that the second is the most indicated truth? What do you think?
  Thanks in advance again!!!
  Have nice day!
  Regards.
  Esteban.

• Load balancing PPTP (Windows 2003) behind CSS 11500

  I am wondering if you can load balance PPTP service (TCP port 1723 and GRE) behind CSS 11500, please let me know if anyone as experience with this setup.
  Irfan
  [email protected]

  No. I dont think you can load balance PPTP service behind CSS 11500.

• Sorry Server for CSS 11500

  Hi,
  I have a question regarding sorry server configuration on the CSS 11500 series.
  Is there a way for the sorry server to ignore the URL path and always send the user traffic to the "root" page (e.g. index.html) of the sorry server web server?
  The problem I have is the redirection of the "root" page (url "/") that is configured for the normal traffic is causing the sorry page not to work since the URL path ("/psp/CUSTOMER1/?cmd=login") does not exist on the sorry page web server:
  service Sorry-Server
    protocol tcp
    port 8000
    keepalive type tcp
    ip address 192.168.2.254
    active
  service server1
    ip address 192.168.2.101
    protocol tcp
    keepalive type tcp
    port 8080
    active
  service server2
    ip address 192.168.2.102
    protocol tcp
    keepalive type tcp
    port 8080
    active
  owner Customer1
    content Content1
      vip address 192.168.1.101
      port 80
      protocol tcp
      url "/*"
      balance aca
      advanced-balance arrowpoint-cookie
      flow-timeout-multiplier 6
      add service server1
      add service server2
      primarySorryServer Sorry-Server
      active
    content Content1-Redirect
      redirect "/psp/CUSTOMER1/?cmd=login"
      vip address 192.168.1.101
      port 80
      protocol tcp
      url "/"
      active
  Thanks in advance for your help!
  Best regards,
  Harry

  Hi again,
  During a maintenance window I made the following change and that made things a bit better:
  service Sorry-Server
    type redirect
    keepalive type none
    redirect-string "192.168.2.254:8000"
    active
  However, since the redirect string points to a private address, Internet users are not able to access the URL.
  As a work-around I sent the redirect to a new content rule with a public address and then configured a second sorry page server:
  service Sorry-Server
    type redirect
    keepalive type none
    redirect-string "sorry.example.com:8000"
    active
  service Sorry-Server-2
    ip address 192.168.2.254
    protocol tcp
    port 8000
    keepalive type tcp
    active
  owner Customer1
    content Content2
      vip address x.x.x.x
      add service Sorry-Server-2
      port 8000
      protocol tcp
      active
  Is there a better way to do this?
  Best regards,
  Harry

• CSS 11500 url path rewrite and NAT

  Hi,
  We are evaluating a CSS 11500 and try to configure url path rewrite and NAT, but we have some problems.
  What we would like to do is the following:
  http://www.example.com/path1 -> http://host1:80
  http://www.example.com/path2 -> http://host1:8080
  http://www.example.com/path3 -> http://host2:80
  The address www.example.com is resolving to a valid internet address, whereas host1 and host2 resolves to private IP addresses.
  The client should always see the external url (e.g. http://www.example.com/path1/...) and the CSS should do the necessary translation.
  Any help would be very much appreciated!
  Regards,
  Harald

  Hello Experts, I'm new with this cisco stuff too(just got it 3 weeks ago), but here is some of my experience with cisco css 11501.
  First : Service ServerName, there is a port setting here, but from my experience, I think it is related with KeepAlive option, so, port is alternate way to know if the server alive or not.
  Second : When you send request to cisco css, the port option in content port will be the cisco css port to accept request, so, if you send a request to http://vip:8080/, all service must be in the same port too to balance the request, in this case, port 8080, if one service port 80, i'm sure the css will not hit the server.
  Third : To solve your problem...
  http://www.example.com/path1 -> http://host1:80 (ipA)
  http://www.example.com/path2 -> http://host1:80 (ipB)
  http://www.example.com/path3 -> http://host2:80
  if you are lazy to buy new nic, just set subinterface/ip alias on the host1, and make the webserver only bind to specific address, not to all interface...
  O yea, about your path1/path2/path3 -> /, hmm, i'm still asking in this forum about path changing cause until now, i haven't know how to do this, i know about apache rewrite module, and success do this, if only i know about this in cisco css too :-(
  I'm sorry if I make mistake, I'm just telling my experience...

• Do CSS 11500 series allow remote SPAN?

  Hi,
  I found SPAN (Switch port analyzer) is available on CSS 11500 series, but could only found destination must be local. Is it possible to do remote SPAN and make the destination be in another remote switch?
  And how many local span sessions are allowed?
  Thanks,
  Rgds
  Jorge

  Cisco WebNS Software Version 7.20 delivers support for a new Cisco CSS 11501 model and Cisco WebNS Software 7.20 supports SPAN the features.
  Switched Port Analyzer (SPAN) or port mirroring is useful for network analysis?a copy of the packets received or transmitted by a source port is sent to a designated destination port.
  Kindly go through these links to get detailed information:
  http://www.provantage.com/cisco-systems-css11503-ac~7CSCO288.htm
  http://www.cisco.com/en/US/products/hw/contnetw/ps792/prod_release_note09186a008077c440

• CSS 11500 sending RST

  I recently replaced a Local Director with a CSS 11500 (v 8.2). I have an application that uses port 80 to send SOAP heartbeats at 1 minute intervals to a web server to maintain state. For some reason the CSS randomly decides to send RST to the client even though the backend service is active. In other words the the web server is not sending a RST. Is this an issue with flows? Load balancing schema? I did not have this issue with the Local Director.

  no. This is not possible.
  Gilles.

• CSS 11500 booting only to Offline DM mode

  Hello,
  I setup a new CSS 11500 this morning, going through the steps of setting up the administrator password, IP address for the management console etc, but when continuing the CSS went straight to the offline DM menu. Now rebooting the unit it clears all the tests, loads the operational flash but continues to go straight to the DM menu regardless whether you press <y> or not at the prompt.
  I also tried connecting via telnet to the management console but get connection refused.
  Any ideas on why the CSS boots only to the DM menu?
  Thanks in advance,
  - Trevor

  Trevor,
  once if offdm, attached a laptop with FTP Server on it on the management port.
  Then from offdm, you can configure the CSS to boot from FTP server.
  Once the box is up and running again, make sure you have an image on disk.
  Finally, you don't need a PCMCIA flash and no you should no have received one.
  Regards,
  Gilles.

• Ether Channel (port aggregation)

  No matter LACP or PAgP is used, is it possible to do port aggregation on a Server with NIC 1 & NIC2 respectively connecting to different Switches which are then having the same uplink to higher level?
  as follows : -
  Server NIC # 1 ------ Switch #A ----\
  ---- LAN
  NIC # 2 -------Switch # B ---/
  My understanding is that it cannot, can it ?
  Rgds,
  Raymond.

  THanks, that's what i'd been understanding, yet, someone else post me this answer, Quote,
  For your case, the LAN switches won't care how you send out the packet, it just treat the two NICs as two NICs, your server need to deal with the packet/session aggregation. It works because we suppose your server don't have any STP issues.
  Kind Regards,
  Bong So
  Professional Services, Equant HK
  UNQuote
  I shall test ... the actual case is happening with our being installed IBM BladeCenter Server, having the NIC1 and NIC2 internally wired to CIGESM switch 1 and 2; and the NIC's are Broadcom capable of using Virtual adapters in either modes, one which is LACP.
  Thanks again.
  Raymond.

• What is the appropriate product name for CSS 11500 on Bug Toolkit

  Today I tried to search DDTs of CSS 11500 on Bug Toolkit (http://www.cisco.com/cgi-bin/Support/Bugtool/home.pl), however I can not find out appropriate product name corresponding to CSS 11500.
  Before I had searched DDTs of CSS 11500 on Bug Toolkit many times, at that time, if my memory correct..
  I selected "Cisco CSS 11500 Series Content Services Switches" in the list of "Search for bugs in other Cisco software and hardware products" on Bug Toolkit.
  But I can not find this product name today.
  Do you know what product name appropriate for CSS 11500 on Bug Toolkit ?
  Your information would be appreciated.
  Best regards,

  Hi Gilles,
  Thank you for your cooperation.
  Today, I can find the CSS at "new Bug Toolkit".
  http://tools.cisco.com/Support/BugToolKit/action.do?hdnAction=searchBugs
  Select Product Category: Application Networking Services
  Select Product: Cisco CSS 11000 Series Content Services
  So I understand I should go "new Bug Toolkit" instead of old "Bug Toolkit" to
  search any DDTs for CSS 11500.
  Many thanks.
  Best regards,

• Multihoming with CSS 11500?

  Can I do load balancing between two internet ISP's (multihoming), from Internet to Web Server (inside traffic) and from Internal network to Internet (outside traffic) with a Cisco CSS 11500?

  you can connect the CSS to multiple ISP.
  With the ECMP feature, the CSS will forward the response back to where the connection came from.
  However, for outgoing connection, the CSS can't do loadbalancing over multiple ISP.
  Regards,
  Gilles.

• Cisco CSS 11500 and RDP

  Dear NetPros:
  Does anyone know that does Cisco CSS 11500 Series Content Services Switch support 'Session Caching of RDP Clients? session for roaming of disconnected sessions' features?
  Thanks
  Bernard

  The Cisco CSS 11500 is a compact modular platform, specifically designed to provide robust Layer 4-7 traffic management services for e-business applications in Internet and intranet data centers.
  This URl should help you:
  http://www.cisco.com/en/US/netsol/ns340/ns394/ns50/ns254/networking_solutions_package.html

• CSS 11500 - Change name device

  Hi,
  I need to change the device name (hostname) of my CSS 11500. How I can do that? I'm searching since some hours without result.

  to avoid having to retype the name after each reboot, you have to do a save_profile.
  Gilles.

• CSS 11500 config required

  Hi i have 2 CSS configued on active passive mode and 3 servers behind CSS for port 8080 service allowed. I want to allow my inside network to access these severs behind CSS for new port 3366...can anybody provide with the config for the same

  You need to configure the Service Interfaces for the servers again with the new port.lie the below example:-
  Existing Server config:-
  service Test-001_Int1_8080
  ip address <>
  port 8080
  protocol tcp
  keepalive type tcp
  active
  new Service interface config:-
  service Indy-001_Int1_3366
  ip address <>
  port 3366
  protocol tcp
  keepalive type tcp
  active
  then it is the new content rule and other config stuff..