CSS 11503 One armed config

All,
I got a question on the one armed config.
Cisco says use "destination service" under the source group to change the default NAT behaviour of the CSS, because the servers' default gateways are set to the router IP address and the source IP address of the load balanced request is not on the local subnet. I understand this way you avoid the packets reaching the router directly when they head back to the client, bypassing the CSS.
Now the question I got here is that, what if I set the Servers' default gateway to the CSS rather than the Router. This way you are actually forcing the packets destined for remote networks to go through the CSS DG.. Should I need the source group anyway here. I think I don?t. Someone please clarify. Much appreciated?
thanks

if you set the default gateway to be the CSS, then there is no need for the source group.
However, if you have traffic going directly to the servers, they will go client-->router-->server-->CSS [breaks - because asymetric flow].
If you never access the server directly, you're ok. OR you can set a route on the router forcing the traffic through the CSS.
Gilles.

Similar Messages

  • CSS 11503 One-arm Design and Server Default Gateway

    Our problem is determining the correct default gateway for our web servers. All IP addresses are in the same subnet (VIP, interfaces, and servers). Should the servers default gateway be the L3 switch, or the CSS?
    Thanks!
    Tom

    Hi Tom,
    If you have one arm mode, you might have problems with asymmetric flows, due that the CSS behaves similar to a firewall when it comes to flows, as it needs to see both sides of the flow ( client and server side ) in order to handle things correctly. Having this kind of setup, and even when the server pointing to the CSS as its default gateway, ICMP redirects might force the traffic to change dynamically.
    You can put as default gateway the L3 switch, but you need to force the traffic that has been load balanced by the CSS to go back to the CSS, otherwise the flow would fail. You can do this by using a group on the CSS, adding the service with the following command: 'add destination service xxxx'. This would NAT the client's IP address for the VIP that you use on the group and would force the flow to go back to the CSS.
    Another thing that you can do is to use the CSS as the server's DG, but you must make sure that all L3 devices, including the CSS have ICMP redirects turned off on this subnet. If you have a firewall on this subnet, you would need to turn off proxy ARP as well.
    I hope you find this helpful. Thanks!
    Regards,
    Jose Quesada.

  • CSS one arm config

    CSS 11506
    Is it possible to pass Client's IP address
    to the Backend servers in One arm config.
    It is so that we can get stats on Web Server
    Thanks in advance

    Unfortunately CSS does not support HTTP header insertion.
    You can either perforn PBR at the Real Server's Default gateway or use CSS as default gateway of Real Servers.
    Thanks
    Syed Iftekhar Ahmed

  • One Arm config Domain Name Content rule

    Hi Guys
    How does domain name content rule works in one arm config.
    What do we put in source groups as VIP address.
    Does it need host headers in WebServer as a requirement.
    How does the client request gets completed.
    Any help much appriciated..

    Thanks for your reply Jim,
    This is what I am trying to do in a One arm config topology
    ( As the CSS guide ( cntntgd.pdf ) says under Configuring a Domain Name content rule)
    The CSS allows you to use a domain name in place of, or in conjunction with, a
    VIP address in a content rule. Using a domain name in a content rule enables you
    to:
    Enable service provisioning to be independent of IP-to-domain namemappings
    Provision cache bandwidth as needed based on domain names
    So I am trying to create a content rule with a domain name instead of VIP address. For ex.
    content domainRule3
    protocol tcp
    port 80
    url "//domain.com/*"
    add service Serv1
    active
    group servers
    add destination service Serv1
    VIP address  ???????? ( what shd we put in here )
    In this case what do we put as VIP address in source groups and how does the traffic flows from Client to actual Server in One arm topology. I am trying this topology where we have multiple sites configured with the same IP address with host headers
    My assumption is that I shd configure DNS servers with VIP address for domain.com and use that as VIP address in source group. But how does the actual traffic flows from client to servers
    Many thanks.

  • One Armed Config for multiple C classes

    Hi,
    I am trying to implement one armed config in the existing network for several c classes.  Do I need to configure multiple Circuit vlan IP addresses corresponding to different C classes or one Circuit VLAN IP is sufficient.
    Can I configure VIP in a different C class than Circuit VLan IP.
    I intend to use Source groups to get the traffic from servers back to CSS.
    Many thanks in advance.
    SS

    Two options are all ok.
    1. The CSS will allow you to create a secondary address on the circuit.
    for example,
    circuit VLAN2
    ip address 148.1.2.1 255.255.255.0
    ip address 148.1.3.1 255.255.255.0
    2. You could also create another interface "circuit" on the CSS and assign it with  the new subnet IP. Then trunk the vlan to core network.
    If you uses one arm mode, then you can use either source "groups" to get the traffic from servers back to CSS or PBR from switch.
    You can configure VIP in a different C class than Circuit VLan IP. However, you need to control the routing tables of all other devices. Generally speaking, I would not recommend this setup to the customer.

  • One-armed config

    We've done a one-armed setup in our production env using CSS11506(s) and have no issues. We're bring up a smaller setup using CSS 11150(s) and was wondering if they work just as well, performance wise, with a one-armed config?
    Thanks
    chad

    I think it should work just fine. The same configuration would work for CSS 11000 series switches.
    Check the config document:
    http://www.cisco.com/en/US/products/hw/contnetw/ps789/products_configuration_example09186a0080093dff.shtml

  • CSS one-armed-config and SMTP reverse lookup problems?

    I was wondering if there would be potential reverse lookup problems from other company's when we try to send mail to their mail Domains.
    If I configure failover for our mail server, I am thinking if we are sending mail, there could be a reverse-lookup issue, because our mail server would be configured with public IP Addresses other than what the MX record points to in DNS.
    If we originate mail from our inside users, it will originate from the service IP address and not the VIP address.
    Is this a valid concern?

    The main advantage of this configuration is that the web servers will receive the IP address of the client that made the request. This is often required by web servers' administrators for accounting purposes.
    In a one-armed configuration only, the network port ( Enet0) is used on the SCA. Only this specific port can be used for this setup. Encrypted and decrypted traffic will go through the same link
    http://www.cisco.com/en/US/products/hw/contnetw/ps2083/products_configuration_example09186a00801bbf4e.shtml

  • Two circuit vlan in one-armed config mode

    Hello.
    My client needs to add another vlan to the CSS because he is getting short on ip address. So he decided to add vlan 5, removed the default route to 192.168.12.1 and added two static routes.
    However nothing is working now and I can't figure out why.
    The initial config was:
    !*************************** GLOBAL ***************************
    ip route 0.0.0.0 0.0.0.0 192.168.12.1 1
    !************************* INTERFACE *************************
    interface 1/1
    trunk
    vlan 12
    interface 1/2
    admin-shutdown
    !************************** CIRCUIT **************************
    circuit VLAN12
    ip address 192.168.12.22 255.255.255.0
    !************************** SERVICE **************************
    service www-hux1
    port 80
    protocol tcp
    ip address 192.168.12.24
    keepalive type tcp
    keepalive frequency 10
    keepalive port 80
    active
    service www-hux2
    ip address 192.168.12.25
    port 80
    protocol tcp
    keepalive frequency 10
    keepalive port 80
    keepalive type tcp
    active
    !*************************** OWNER ***************************
    owner HS
    billing-info "ahp"
    email-address [email protected]
    content rule1
    protocol tcp
    port 80
    add service www-hux2
    vip address 192.168.12.27
    add service www-hux1
    balance aca
    active
    In the new config this is what's different:
    !*************************** GLOBAL ***************************
    ip route 192.168.5.0 255.255.255.0 192.168.5.1 1
    ip route 192.168.12.0 255.255.255.0 192.168.12.1 1
    !************************* INTERFACE *************************
    interface 1/1
    trunk
    vlan 5
    vlan 12
    interface 1/2
    admin-shutdown
    !************************** CIRCUIT **************************
    circuit VLAN5
    ip address 192.168.5.20 255.255.255.0
    circuit VLAN12
    ip address 192.168.12.22 255.255.255.0
    Can you see what's wrong in here?
    I almost forgot to teel that the default gateway of real servers is the CSS
    Thanks,
    Joao Carvalho

    Ok. I think I got the problem. The destination of the packet sent by the CSS is a public ip address and none of the static routes matches that.
    Now my problem is how can I influence the next hop based on source ip address, in a CSS?
    Thanks,
    Joao

  • CSS11500 one arm design configuration assistance.

    Is it possible to configure the CSS11500 as single arm design? if yes how to configure the source nat on the CSS11500, it is not possibe for me to change the default gateway as well as configure CSS as inline.
    Regards

    yes you can configure CSS in one armed mode. You would do the nat with a group config ie:
    service yada
    ip address 192.168.20.40
    active
    content yadayada
    vip address 192.168.20.55
    add service yada
    group yadayadayada
    vip address 192.168.20.55
    add destination service yada

  • CSM-S mode -One-Arm-vs- routed

    We currently have an environment with CSS running in routed mode. We are building a new data center with 6509s and CSM-S. My question is what is the best mode to run the CSM-S in routed or one-arm and why?

    Gilles,
    What do you recommend when the traffic flows from the load balanced server are significant?
    ie: you are using Oracle application and database servers, load balancing http and https to the app servers. There is significant traffic flow from the app server to the database servers, such that the load balancer in a 2-armed configuration(particularly a CSS11501 w/ 8 10/100 interfaces and a single 1000Base-T interface) would be a significant bandwidth bottleneck.
    Also, if Cisco usually does not recommend one-armed config.... why does the latest Server Farm Security Solution Reference Network Design v2.0 (http://www.cisco.com/warp/public/732/systems/docs/dcsrndbk.pdf) recommend a one-armed configuration for the CSS?

  • One armed bandit and one port to another

    I was trying to setup a CSS in one-armed bandit mode for the first time per the URL below. But I want to be able to have arbitrary ports on the "real" servers. E.g. use https://hooty.com as the VIP but on the backend take you to hoot1.hooty.com port 8443 say while http://hooty.com would direct you to hoot1.hoot.com port 8080. Must the port number on the VIP equal the port number on the real server in one-armed-bandit mode?
    http://www.cisco.com/warp/public/117/one_armed_bandit.html
    group Servers1
    vip address 26.19.98.45
    add destination service oldwww:80
    active
    group Servers2
    vip address 26.19.98.45
    add destination service oldwww:443
    css-n1-1(config)# group Servers2
    css-n1-1(config-group[Servers2])# active
    %% An active source group with that address already exists

    The port number of the vip does not have to to be the same as the real server.
    You can set the port you want for the real server with the 'port' command under the service definition.
    This is true for one-armed or any other type of setup.
    The problem in your config is that you can't create 2 groups using the same vip ip address.
    So, simply configure all your servers under one group.
    ie:
    group Servers1
    vip address 26.19.98.45
    add destination service oldwww:80
    add destination service oldwww:443
    active
    Gilles.

  • CSS One Arm Configuration with VIP(non-shared)/IP Interface Redundancy

    With Reference to the following CCO documentation;
    1). "How to Configure the CSS to Load Balance Using 1 Interface"
    In this example, the Real Server's (10.10.10.2 etc) gateway are pointed to the router's gateway(10.10.10.1) and used the 'add destination service' command to NAT the RealServer's IP address back to the VIP (10.10.10.6).
    2). "Understanding and Configuring VIP and Interface Redundancy on the CSS11000".
    In the interface redundancy configuration, the gateway of the Real Server are configured as the CSS11000's Interface Redundancy Address (192.168.1.1), not the Router's gateway.
    Can anyone help to advise on the preferred one arm configuration with VIP/IP redundancy?
    (i). Is the reason for configuring the gateway of the Real Server to CSS11000's Interface Redundancy Address in 2) same as using 'add destination service' command in 1)? That is to make sure that the return path from Real Server back to Client passes through the CSS and is NAT back to the VIP.
    (ii). To configure VIP(non-shared)/IP Interface redundancy(Active/Backup Mode) in a one arm configuration, my understanding is that there are 2 methods of configuration. Is it correct? Which method is preferred?
    Method a)
    1.Configure the Real Server's gateway to Router's Gateway
    2.Configure 'add destination service' command on the CSS to NAT the RealServer's IP address back to the VIP
    3.Configure VIP(non-shared) redundancy for the VIP on the CSS
    4.IP Interface Redundancy on the CSS is not required as the Real Server's gateway is already pointing to the Router's gateway. (Assuming that HSRP redundancy is already running on the Router)
    Method b)
    1. Configure the Real Server's gateway to the CSS's IP Interface Redundancy IP Address
    2. Configure IP Interface Redundancy on the CSS (as the Real Server's gateway)
    3. Configure VIP(non-shared) redundancy for the VIP on the CSS

    if you use method a) (server gateway is the router) you need the CSS to nat
    the source ip address of the client in order to force the server to send traffic back to the CSS.
    The issue then is that the server does not see the IP address of real client.
    The server only see connections with source IP address = CSS ip address.
    With method b) you don't have the above problem, but connection initiated by the servers are sent to the CSS that will then send it to the router.
    You have a performance issue because the traffic will cross 2 times the one-armed interface.
    If this is a new design, it is strongly recommended not to use one-armed setup.
    Regards,
    Gilles.

  • CSS redundancy on one-armed configuration

    Can we configure box-to-box redundancy on a one-armed configuration or do we have to use the 'Active-active stateful failover ASR' ?
    We are using CSS 11500.

    you can use box-to-box.
    However, the vip/interface redundancy is much more interesting.
    With the combination of ASR you have stateful redundancy that you do not have with box-to-box.
    Also, box-to-box redundancy as a single point of failure since you can have only 1 cable for the redundancy protocol between the 2 CSS.
    If this connection fails, both CSS will become active and you get into lot of troubles.
    Regards,
    Gilles.

  • Please verify the CSS and SCA configuration for one-armed transparent mode

    I have a problem to configure one-armed transparent mode. I cannot access the server with "https://9.9.9.1" even "http://9.9.9.1:80" and "http://9.9.9.1:81" operational. looks CSS cannot communicate properly with SCA.
    I couldn't figure out from CCO sample configuration. please correct the attached configuraiton.
    Thanks,
    ** connectivity ********
    <client>----<router>----<CSS>---<SCA>,<Server>
    - client=7.7.7.100
    - router's e0/0=7.7.7.1, e0/1=8.8.8.3(connect to VLAN2 of CSS)
    - SCA=11.11.11.100, connect to VLAN3 of CSS
    - server=10.147.153.12 and 10.147.153.15 on the same box, connect to VLAN4 of CSS
    ** configuration *********
    CSS11050# sh run
    !Generated on 01/01/2079 00:00:47
    !Active version: ap0500105
    configure
    !*************************** GLOBAL ***************************
    acl enable
    ip route 0.0.0.0 0.0.0.0 11.11.11.100 1
    ip route 7.7.7.100 255.255.255.255 8.8.8.3 1
    ip route 7.7.7.200 255.255.255.255 8.8.8.3 1
    !************************* INTERFACE *************************
    interface e2
    bridge vlan 2
    interface e3
    bridge vlan 3
    interface e4
    bridge vlan 4
    interface e5
    bridge vlan 4
    !************************** CIRCUIT **************************
    circuit VLAN1
    ip address 9.9.9.2 255.255.255.0
    circuit VLAN2
    ip address 8.8.8.2 255.255.255.0
    circuit VLAN3
    ip address 11.11.11.1 255.255.255.0
    circuit VLAN4
    ip address 10.147.153.1 255.255.255.0
    !************************** SERVICE **************************
    service ING_SVC_12
    protocol tcp
    ip address 10.147.153.12
    active
    service ING_SVC_15
    protocol tcp
    ip address 10.147.153.15
    active
    service ING_SVC_SCA
    port 443
    protocol tcp
    ip address 11.11.11.100
    type transparent-cache
    no cache-bypass
    active
    service upstream
    ip address 8.8.8.3
    type transparent-cache
    active
    !*************************** OWNER ***************************
    owner ING_OWNER
    content cnt_443
    add service ING_SVC_SCA
    protocol tcp
    port 443
    vip address 9.9.9.1
    active
    content cnt_80
    add service ING_SVC_12
    add service ING_SVC_15
    protocol tcp
    port 80
    url "/*"
    vip address 9.9.9.1
    active
    content cnt_81
    add service ING_SVC_12
    add service ING_SVC_15
    vip address 9.9.9.1
    protocol tcp
    port 81
    url "/*" <-- If I configure url "/secure/*", not working "http://9.9.9.1:81" from client.
    active
    !**************************** ACL ****************************
    acl 1
    clause 10 permit any any destination any
    apply circuit-(VLAN1)
    acl 2
    clause 10 permit any any destination any
    apply circuit-(VLAN2)
    acl 3
    clause 10 permit any any destination any
    apply circuit-(VLAN3)
    acl 4
    clause 10 permit any any destination any
    apply circuit-(VLAN4)
    ING_SCA# sh run
    # Cisco SCA Device Configuration File
    # Written: Sun Feb 6 01:12:54 2106 MST
    # Inxcfg: version 4.1 build 200211151311
    # Device Type: CSS-SCA
    # Device Id: S/N 11aca8
    # Device OS: MaxOS version 4.1.0 build 200211151311 by reading
    ### Mode ###
    mode one-port
    ### Interfaces ###
    interface network
    auto
    end
    interface server
    auto
    end
    ### Device ###
    ip address 11.11.11.100 netmask 255.255.255.0
    hostname ING_SCA
    timezone "MST7MDT"
    ### Password ###
    password idle-timeout 15
    ### SNTP ###
    sntp interval 86400
    ### Static Routes ###
    ip route 0.0.0.0 0.0.0.0 11.11.11.1 metric 1
    ### RIP ###
    no rip
    ### DNS ###
    no ip name-server
    no ip domain-name
    ### Telnet ###
    telnet enable
    ### Web Management ###
    web-mgmt port 80
    no web-mgmt enable
    ### SNMP Subsystem ###
    no snmp
    ### SSL Subsystem ###
    ssl
    server ING create
    ip address 9.9.9.1
    localport 443
    remoteport 81
    key default
    cert default
    secpolicy default
    sslv2 enable
    sslv3 enable
    tlsv1 enable
    session-cache size 20480
    session-cache timeout 300
    session-cache enable
    no clientauth enable
    clientauth verifydepth 1
    clientauth error cert-other-error fail
    clientauth error cert-not-provided fail
    clientauth error cert-has-expired fail
    clientauth error cert-not-yet-valid fail
    clientauth error cert-has-invalid-ca fail
    clientauth error cert-has-signature-failure fail
    clientauth error cert-revoked fail
    sharedcipher error failhtml
    ephemeral error failhtml
    no httpheader client-cert
    no httpheader server-cert
    no httpheader session
    no httpheader pre-filter
    httpheader prefix "SSL"
    ephrsa
    keepalive frequency 5
    keepalive maxfailure 3
    no keepalive enable
    end
    end

    the problem is the routing.
    You need a route for the client pointing to the SCA like this
    ip route 7.7.7.100 255.255.255.255 11.11.11.100 1
    This is so the reply from the server to the client goes back to the SCA first
    for encryption.
    Gilles.

  • Trying to run CSS11503 08.10.0.02 one-armed DNAT+SNAT with UDP 921

    Is there a way to perform DNAT + SNAT and portmap disable on the CIsco CSS 11503. I need to do a DNAT in a one-armed configuration and the to SNAT for UDP traffic with SRC Port 9211 and DST Port 9211. I don't need loadbalancing but only NAT. Is there a way to solve this issue with ACL. Any help will be appreciated...
    Thanks

    if you want to do DNAT, you have to it a content rule.
    The vip will be nated to the service address.
    Then you need a group to nat the client ip.
    Finally, you need to use the command 'portmap disable' under the group to avoid port mapping.
    Gilles.

Maybe you are looking for