CSS 11503 One armed config
All,
I got a question on the one armed config.
Cisco says use "destination service" under the source group to change the default NAT behaviour of the CSS, because the servers' default gateways are set to the router IP address and the source IP address of the load balanced request is not on the local subnet. I understand this way you avoid the packets reaching the router directly when they head back to the client, bypassing the CSS.
Now the question I got here is that, what if I set the Servers' default gateway to the CSS rather than the Router. This way you are actually forcing the packets destined for remote networks to go through the CSS DG.. Should I need the source group anyway here. I think I don?t. Someone please clarify. Much appreciated?
thanks
if you set the default gateway to be the CSS, then there is no need for the source group.
However, if you have traffic going directly to the servers, they will go client-->router-->server-->CSS [breaks - because asymetric flow].
If you never access the server directly, you're ok. OR you can set a route on the router forcing the traffic through the CSS.
Gilles.
Similar Messages
-
CSS 11503 One-arm Design and Server Default Gateway
Our problem is determining the correct default gateway for our web servers. All IP addresses are in the same subnet (VIP, interfaces, and servers). Should the servers default gateway be the L3 switch, or the CSS?
Thanks!
TomHi Tom,
If you have one arm mode, you might have problems with asymmetric flows, due that the CSS behaves similar to a firewall when it comes to flows, as it needs to see both sides of the flow ( client and server side ) in order to handle things correctly. Having this kind of setup, and even when the server pointing to the CSS as its default gateway, ICMP redirects might force the traffic to change dynamically.
You can put as default gateway the L3 switch, but you need to force the traffic that has been load balanced by the CSS to go back to the CSS, otherwise the flow would fail. You can do this by using a group on the CSS, adding the service with the following command: 'add destination service xxxx'. This would NAT the client's IP address for the VIP that you use on the group and would force the flow to go back to the CSS.
Another thing that you can do is to use the CSS as the server's DG, but you must make sure that all L3 devices, including the CSS have ICMP redirects turned off on this subnet. If you have a firewall on this subnet, you would need to turn off proxy ARP as well.
I hope you find this helpful. Thanks!
Regards,
Jose Quesada. -
CSS 11506
Is it possible to pass Client's IP address
to the Backend servers in One arm config.
It is so that we can get stats on Web Server
Thanks in advanceUnfortunately CSS does not support HTTP header insertion.
You can either perforn PBR at the Real Server's Default gateway or use CSS as default gateway of Real Servers.
Thanks
Syed Iftekhar Ahmed -
One Arm config Domain Name Content rule
Hi Guys
How does domain name content rule works in one arm config.
What do we put in source groups as VIP address.
Does it need host headers in WebServer as a requirement.
How does the client request gets completed.
Any help much appriciated..Thanks for your reply Jim,
This is what I am trying to do in a One arm config topology
( As the CSS guide ( cntntgd.pdf ) says under Configuring a Domain Name content rule)
The CSS allows you to use a domain name in place of, or in conjunction with, a
VIP address in a content rule. Using a domain name in a content rule enables you
to:
Enable service provisioning to be independent of IP-to-domain namemappings
Provision cache bandwidth as needed based on domain names
So I am trying to create a content rule with a domain name instead of VIP address. For ex.
content domainRule3
protocol tcp
port 80
url "//domain.com/*"
add service Serv1
active
group servers
add destination service Serv1
VIP address ???????? ( what shd we put in here )
In this case what do we put as VIP address in source groups and how does the traffic flows from Client to actual Server in One arm topology. I am trying this topology where we have multiple sites configured with the same IP address with host headers
My assumption is that I shd configure DNS servers with VIP address for domain.com and use that as VIP address in source group. But how does the actual traffic flows from client to servers
Many thanks. -
One Armed Config for multiple C classes
Hi,
I am trying to implement one armed config in the existing network for several c classes. Do I need to configure multiple Circuit vlan IP addresses corresponding to different C classes or one Circuit VLAN IP is sufficient.
Can I configure VIP in a different C class than Circuit VLan IP.
I intend to use Source groups to get the traffic from servers back to CSS.
Many thanks in advance.
SSTwo options are all ok.
1. The CSS will allow you to create a secondary address on the circuit.
for example,
circuit VLAN2
ip address 148.1.2.1 255.255.255.0
ip address 148.1.3.1 255.255.255.0
2. You could also create another interface "circuit" on the CSS and assign it with the new subnet IP. Then trunk the vlan to core network.
If you uses one arm mode, then you can use either source "groups" to get the traffic from servers back to CSS or PBR from switch.
You can configure VIP in a different C class than Circuit VLan IP. However, you need to control the routing tables of all other devices. Generally speaking, I would not recommend this setup to the customer. -
We've done a one-armed setup in our production env using CSS11506(s) and have no issues. We're bring up a smaller setup using CSS 11150(s) and was wondering if they work just as well, performance wise, with a one-armed config?
Thanks
chadI think it should work just fine. The same configuration would work for CSS 11000 series switches.
Check the config document:
http://www.cisco.com/en/US/products/hw/contnetw/ps789/products_configuration_example09186a0080093dff.shtml -
CSS one-armed-config and SMTP reverse lookup problems?
I was wondering if there would be potential reverse lookup problems from other company's when we try to send mail to their mail Domains.
If I configure failover for our mail server, I am thinking if we are sending mail, there could be a reverse-lookup issue, because our mail server would be configured with public IP Addresses other than what the MX record points to in DNS.
If we originate mail from our inside users, it will originate from the service IP address and not the VIP address.
Is this a valid concern?The main advantage of this configuration is that the web servers will receive the IP address of the client that made the request. This is often required by web servers' administrators for accounting purposes.
In a one-armed configuration only, the network port ( Enet0) is used on the SCA. Only this specific port can be used for this setup. Encrypted and decrypted traffic will go through the same link
http://www.cisco.com/en/US/products/hw/contnetw/ps2083/products_configuration_example09186a00801bbf4e.shtml -
Two circuit vlan in one-armed config mode
Hello.
My client needs to add another vlan to the CSS because he is getting short on ip address. So he decided to add vlan 5, removed the default route to 192.168.12.1 and added two static routes.
However nothing is working now and I can't figure out why.
The initial config was:
!*************************** GLOBAL ***************************
ip route 0.0.0.0 0.0.0.0 192.168.12.1 1
!************************* INTERFACE *************************
interface 1/1
trunk
vlan 12
interface 1/2
admin-shutdown
!************************** CIRCUIT **************************
circuit VLAN12
ip address 192.168.12.22 255.255.255.0
!************************** SERVICE **************************
service www-hux1
port 80
protocol tcp
ip address 192.168.12.24
keepalive type tcp
keepalive frequency 10
keepalive port 80
active
service www-hux2
ip address 192.168.12.25
port 80
protocol tcp
keepalive frequency 10
keepalive port 80
keepalive type tcp
active
!*************************** OWNER ***************************
owner HS
billing-info "ahp"
email-address [email protected]
content rule1
protocol tcp
port 80
add service www-hux2
vip address 192.168.12.27
add service www-hux1
balance aca
active
In the new config this is what's different:
!*************************** GLOBAL ***************************
ip route 192.168.5.0 255.255.255.0 192.168.5.1 1
ip route 192.168.12.0 255.255.255.0 192.168.12.1 1
!************************* INTERFACE *************************
interface 1/1
trunk
vlan 5
vlan 12
interface 1/2
admin-shutdown
!************************** CIRCUIT **************************
circuit VLAN5
ip address 192.168.5.20 255.255.255.0
circuit VLAN12
ip address 192.168.12.22 255.255.255.0
Can you see what's wrong in here?
I almost forgot to teel that the default gateway of real servers is the CSS
Thanks,
Joao CarvalhoOk. I think I got the problem. The destination of the packet sent by the CSS is a public ip address and none of the static routes matches that.
Now my problem is how can I influence the next hop based on source ip address, in a CSS?
Thanks,
Joao -
CSS11500 one arm design configuration assistance.
Is it possible to configure the CSS11500 as single arm design? if yes how to configure the source nat on the CSS11500, it is not possibe for me to change the default gateway as well as configure CSS as inline.
Regardsyes you can configure CSS in one armed mode. You would do the nat with a group config ie:
service yada
ip address 192.168.20.40
active
content yadayada
vip address 192.168.20.55
add service yada
group yadayadayada
vip address 192.168.20.55
add destination service yada -
CSM-S mode -One-Arm-vs- routed
We currently have an environment with CSS running in routed mode. We are building a new data center with 6509s and CSM-S. My question is what is the best mode to run the CSM-S in routed or one-arm and why?
Gilles,
What do you recommend when the traffic flows from the load balanced server are significant?
ie: you are using Oracle application and database servers, load balancing http and https to the app servers. There is significant traffic flow from the app server to the database servers, such that the load balancer in a 2-armed configuration(particularly a CSS11501 w/ 8 10/100 interfaces and a single 1000Base-T interface) would be a significant bandwidth bottleneck.
Also, if Cisco usually does not recommend one-armed config.... why does the latest Server Farm Security Solution Reference Network Design v2.0 (http://www.cisco.com/warp/public/732/systems/docs/dcsrndbk.pdf) recommend a one-armed configuration for the CSS? -
One armed bandit and one port to another
I was trying to setup a CSS in one-armed bandit mode for the first time per the URL below. But I want to be able to have arbitrary ports on the "real" servers. E.g. use https://hooty.com as the VIP but on the backend take you to hoot1.hooty.com port 8443 say while http://hooty.com would direct you to hoot1.hoot.com port 8080. Must the port number on the VIP equal the port number on the real server in one-armed-bandit mode?
http://www.cisco.com/warp/public/117/one_armed_bandit.html
group Servers1
vip address 26.19.98.45
add destination service oldwww:80
active
group Servers2
vip address 26.19.98.45
add destination service oldwww:443
css-n1-1(config)# group Servers2
css-n1-1(config-group[Servers2])# active
%% An active source group with that address already existsThe port number of the vip does not have to to be the same as the real server.
You can set the port you want for the real server with the 'port' command under the service definition.
This is true for one-armed or any other type of setup.
The problem in your config is that you can't create 2 groups using the same vip ip address.
So, simply configure all your servers under one group.
ie:
group Servers1
vip address 26.19.98.45
add destination service oldwww:80
add destination service oldwww:443
active
Gilles. -
CSS One Arm Configuration with VIP(non-shared)/IP Interface Redundancy
With Reference to the following CCO documentation;
1). "How to Configure the CSS to Load Balance Using 1 Interface"
In this example, the Real Server's (10.10.10.2 etc) gateway are pointed to the router's gateway(10.10.10.1) and used the 'add destination service' command to NAT the RealServer's IP address back to the VIP (10.10.10.6).
2). "Understanding and Configuring VIP and Interface Redundancy on the CSS11000".
In the interface redundancy configuration, the gateway of the Real Server are configured as the CSS11000's Interface Redundancy Address (192.168.1.1), not the Router's gateway.
Can anyone help to advise on the preferred one arm configuration with VIP/IP redundancy?
(i). Is the reason for configuring the gateway of the Real Server to CSS11000's Interface Redundancy Address in 2) same as using 'add destination service' command in 1)? That is to make sure that the return path from Real Server back to Client passes through the CSS and is NAT back to the VIP.
(ii). To configure VIP(non-shared)/IP Interface redundancy(Active/Backup Mode) in a one arm configuration, my understanding is that there are 2 methods of configuration. Is it correct? Which method is preferred?
Method a)
1.Configure the Real Server's gateway to Router's Gateway
2.Configure 'add destination service' command on the CSS to NAT the RealServer's IP address back to the VIP
3.Configure VIP(non-shared) redundancy for the VIP on the CSS
4.IP Interface Redundancy on the CSS is not required as the Real Server's gateway is already pointing to the Router's gateway. (Assuming that HSRP redundancy is already running on the Router)
Method b)
1. Configure the Real Server's gateway to the CSS's IP Interface Redundancy IP Address
2. Configure IP Interface Redundancy on the CSS (as the Real Server's gateway)
3. Configure VIP(non-shared) redundancy for the VIP on the CSSif you use method a) (server gateway is the router) you need the CSS to nat
the source ip address of the client in order to force the server to send traffic back to the CSS.
The issue then is that the server does not see the IP address of real client.
The server only see connections with source IP address = CSS ip address.
With method b) you don't have the above problem, but connection initiated by the servers are sent to the CSS that will then send it to the router.
You have a performance issue because the traffic will cross 2 times the one-armed interface.
If this is a new design, it is strongly recommended not to use one-armed setup.
Regards,
Gilles. -
CSS redundancy on one-armed configuration
Can we configure box-to-box redundancy on a one-armed configuration or do we have to use the 'Active-active stateful failover ASR' ?
We are using CSS 11500.you can use box-to-box.
However, the vip/interface redundancy is much more interesting.
With the combination of ASR you have stateful redundancy that you do not have with box-to-box.
Also, box-to-box redundancy as a single point of failure since you can have only 1 cable for the redundancy protocol between the 2 CSS.
If this connection fails, both CSS will become active and you get into lot of troubles.
Regards,
Gilles. -
Please verify the CSS and SCA configuration for one-armed transparent mode
I have a problem to configure one-armed transparent mode. I cannot access the server with "https://9.9.9.1" even "http://9.9.9.1:80" and "http://9.9.9.1:81" operational. looks CSS cannot communicate properly with SCA.
I couldn't figure out from CCO sample configuration. please correct the attached configuraiton.
Thanks,
** connectivity ********
<client>----<router>----<CSS>---<SCA>,<Server>
- client=7.7.7.100
- router's e0/0=7.7.7.1, e0/1=8.8.8.3(connect to VLAN2 of CSS)
- SCA=11.11.11.100, connect to VLAN3 of CSS
- server=10.147.153.12 and 10.147.153.15 on the same box, connect to VLAN4 of CSS
** configuration *********
CSS11050# sh run
!Generated on 01/01/2079 00:00:47
!Active version: ap0500105
configure
!*************************** GLOBAL ***************************
acl enable
ip route 0.0.0.0 0.0.0.0 11.11.11.100 1
ip route 7.7.7.100 255.255.255.255 8.8.8.3 1
ip route 7.7.7.200 255.255.255.255 8.8.8.3 1
!************************* INTERFACE *************************
interface e2
bridge vlan 2
interface e3
bridge vlan 3
interface e4
bridge vlan 4
interface e5
bridge vlan 4
!************************** CIRCUIT **************************
circuit VLAN1
ip address 9.9.9.2 255.255.255.0
circuit VLAN2
ip address 8.8.8.2 255.255.255.0
circuit VLAN3
ip address 11.11.11.1 255.255.255.0
circuit VLAN4
ip address 10.147.153.1 255.255.255.0
!************************** SERVICE **************************
service ING_SVC_12
protocol tcp
ip address 10.147.153.12
active
service ING_SVC_15
protocol tcp
ip address 10.147.153.15
active
service ING_SVC_SCA
port 443
protocol tcp
ip address 11.11.11.100
type transparent-cache
no cache-bypass
active
service upstream
ip address 8.8.8.3
type transparent-cache
active
!*************************** OWNER ***************************
owner ING_OWNER
content cnt_443
add service ING_SVC_SCA
protocol tcp
port 443
vip address 9.9.9.1
active
content cnt_80
add service ING_SVC_12
add service ING_SVC_15
protocol tcp
port 80
url "/*"
vip address 9.9.9.1
active
content cnt_81
add service ING_SVC_12
add service ING_SVC_15
vip address 9.9.9.1
protocol tcp
port 81
url "/*" <-- If I configure url "/secure/*", not working "http://9.9.9.1:81" from client.
active
!**************************** ACL ****************************
acl 1
clause 10 permit any any destination any
apply circuit-(VLAN1)
acl 2
clause 10 permit any any destination any
apply circuit-(VLAN2)
acl 3
clause 10 permit any any destination any
apply circuit-(VLAN3)
acl 4
clause 10 permit any any destination any
apply circuit-(VLAN4)
ING_SCA# sh run
# Cisco SCA Device Configuration File
# Written: Sun Feb 6 01:12:54 2106 MST
# Inxcfg: version 4.1 build 200211151311
# Device Type: CSS-SCA
# Device Id: S/N 11aca8
# Device OS: MaxOS version 4.1.0 build 200211151311 by reading
### Mode ###
mode one-port
### Interfaces ###
interface network
auto
end
interface server
auto
end
### Device ###
ip address 11.11.11.100 netmask 255.255.255.0
hostname ING_SCA
timezone "MST7MDT"
### Password ###
password idle-timeout 15
### SNTP ###
sntp interval 86400
### Static Routes ###
ip route 0.0.0.0 0.0.0.0 11.11.11.1 metric 1
### RIP ###
no rip
### DNS ###
no ip name-server
no ip domain-name
### Telnet ###
telnet enable
### Web Management ###
web-mgmt port 80
no web-mgmt enable
### SNMP Subsystem ###
no snmp
### SSL Subsystem ###
ssl
server ING create
ip address 9.9.9.1
localport 443
remoteport 81
key default
cert default
secpolicy default
sslv2 enable
sslv3 enable
tlsv1 enable
session-cache size 20480
session-cache timeout 300
session-cache enable
no clientauth enable
clientauth verifydepth 1
clientauth error cert-other-error fail
clientauth error cert-not-provided fail
clientauth error cert-has-expired fail
clientauth error cert-not-yet-valid fail
clientauth error cert-has-invalid-ca fail
clientauth error cert-has-signature-failure fail
clientauth error cert-revoked fail
sharedcipher error failhtml
ephemeral error failhtml
no httpheader client-cert
no httpheader server-cert
no httpheader session
no httpheader pre-filter
httpheader prefix "SSL"
ephrsa
keepalive frequency 5
keepalive maxfailure 3
no keepalive enable
end
endthe problem is the routing.
You need a route for the client pointing to the SCA like this
ip route 7.7.7.100 255.255.255.255 11.11.11.100 1
This is so the reply from the server to the client goes back to the SCA first
for encryption.
Gilles. -
Trying to run CSS11503 08.10.0.02 one-armed DNAT+SNAT with UDP 921
Is there a way to perform DNAT + SNAT and portmap disable on the CIsco CSS 11503. I need to do a DNAT in a one-armed configuration and the to SNAT for UDP traffic with SRC Port 9211 and DST Port 9211. I don't need loadbalancing but only NAT. Is there a way to solve this issue with ACL. Any help will be appreciated...
Thanksif you want to do DNAT, you have to it a content rule.
The vip will be nated to the service address.
Then you need a group to nat the client ip.
Finally, you need to use the command 'portmap disable' under the group to avoid port mapping.
Gilles.
Maybe you are looking for
-
When I want to send a new email I click on file and then new message. Somehow, and I dont know how I have done this, it has gone into the full screen mode. I cant find in the right hand top corner the two arrows, pointing in opposite directions,to mi
-
I can't view PDF files on Safari 5.1 for windows 7, how do I fix this?
I like using Safari 5.1 for my web browser at work (I use a windows 7 machine). But the recent update won't let me view PDF files. I have to open up Google Chrome then copy and paste the address into it so I can view the PDF. How do I fix this?
-
DreamWeaver Template change not updating children webpages?
Hi Group, Sorry for my newbie question here. I loaded an HTML webpage, and saved it out as a DreamWeaver Template file. I then created webpages from the template file (( File - New - Page From Template - Site - Template), and made sure that the "Upda
-
I remove default VOIP Monitor Service in "Cisco desktop administrator>Services Configuration > Multiline, Monitoring & Recording >Remove VoIP/Recording & Playback Services". Now I can't choose in "Services Configuration > Multiline, Monitoring
-
Refnum out: where to find it on the function/c​ontrol palette?
Refer pic. Refnum out looks like a dummy variable to paste to the shift register so the register would not be empty, am I right? But I searched on the function/control palette, I can't find refnum out, where is it? Solved! Go to Solution. Attachments