CSS-11503 redundancy

Similar Messages

• CSS 11503 in Active Active mode

  Can we configure CSS 11503 in Active/Active mode, means can multiple context would be configured?
  Thanks & Regards,
  Shahzad.

  Here you go
  Assumptions:
  VIP 10.10.10.100 is Master on the CSS 2 and backup on the CSS1
  VIP 10.10.10.101 is Master on the CSS1 and backup on the CSS1
  Vlan 10 is the Server Vlan (Redundant Interfaces here)
  Vlan 20 is the Client vlan (Redundant Vips here)
  Services for VIP 10.10.10.100 (real server) have default gateway pointing to redundant interface 172.20.40.253
  Services for VIP 10.10.10.101 (real server) have default gateway pointing to redundant interface 172.20.40.254
  CSS #1
  circuit VLAN10
  ip address 172.20.40.1 255.255.255.0
  ip virtual-router 1 priority 101 preempt
  ip virtual-router 2
  ip-redundant-interface 1 172.20.40.253
  ip-redundant-interface 2 172.20.40.254
  Circuit VLAN20
  ip address 10.10.10.1 255.255.255.0
  ip virtual-router 3 priority 101 preempt
  ip virtual-router 4
  ip redundant-vip 3 10.10.10.101
  ip redundant-vip 4 10.10.10.100
  CSS #2
  circuit VLAN10
  ip address 172.20.40.2 255.255.255.0
  ip virtual-router 1
  ip virtual-router 2 priority 101 preempt
  ip-redundant-interface 1 172.20.40.253
  ip-redundant-interface 2 172.20.40.254
  Circuit VLAN20
  ip address 10.10.10.2 255.255.255.0
  ip virtual-router 3
  ip virtual-router 4 priority 101 preempt
  ip redundant-vip 3 10.10.10.101
  ip redundant-vip 4 10.10.10.100
  More details at
  http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/css11500series/v8.20_v8.10/configuration/redundancy/guide/VIPRedun.html#wp1112245
  Syed Iftekhar Ahmed

• Remove Health Care (keepalives) CSS 11503

  Hi,
  We normally distribute the load between two servers by checking if the server its active (using TCP 80), yesterday, we want to remove the Health Care (keepalives) due to a maintenance test, to sent the traffic direct to the server, but the service stop working.
  We think we didn’t remove the health care properly, could anybody please help me to know hoe to remove it?
  We are using CSS 11503, I’m adding the config.
  Thanks

  CSS11503-2(config)# service Linux2
  CSS11503-2(config-service[Linux2])# ip add 192.168.20.41
  CSS11503-2(config-service[Linux2])# active
  CSS11503-2(config-service[Linux2])# show service Linux2
  Name: Linux2            Index: 33
    Type: Local            State: Alive
    Rule ( 192.168.20.41  ANY  ANY )
    Session Redundancy: Disabled
    Redirect Domain:
    Redirect String:
    Keepalive: (ICMP   5   3   5 )
    Keepalive Encryption:      Disabled
    Last Clearing of Stats Counters: 08/12/2009 05:29:24
    Mtu:                       1500        State Transitions:            0
    Total Local Connections:   0           Total Backup Connections:     0
    Current Local Connections: 0           Current Backup Connections:   0
    Total Connections:         0           Max Connections:              65534
    Total Reused Conns:        0
    Weight:                    1           Load:                         2
    Weight Reporting:          None
  CSS11503-2(config-service[Linux2])# keepalive type none
  CSS11503-2(config-service[Linux2])# show service Linux2
  Name: Linux2            Index: 33
    Type: Local            State: Alive
    Rule ( 192.168.20.41  ANY  ANY )
    Session Redundancy: Disabled
    Redirect Domain:
    Redirect String:
    Keepalive: (NONE   5   3   5 )
    Keepalive Encryption:      Disabled
    Last Clearing of Stats Counters: 08/12/2009 05:29:24
    Mtu:                       1500        State Transitions:            1
    Total Local Connections:   0           Total Backup Connections:     0
    Current Local Connections: 0           Current Backup Connections:   0
    Total Connections:         0           Max Connections:              65534
    Total Reused Conns:        0
    Weight:                    1           Load:                         2
    Weight Reporting:          None
  CSS11503-2(config-service[Linux2])#
  Same if the service is down before disabling the keepalive.
  CSS11503-2(config-service[Linux2])# keepalive type icmp
  CSS11503-2(config-service[Linux2])# show service Linux2
  Name: Linux2            Index: 33
    Type: Local            State: Down
    Rule ( 192.168.20.41  ANY  ANY )
    Session Redundancy: Disabled
    Redirect Domain:
    Redirect String:
    Keepalive: (ICMP   5   3   5 )
    Keepalive Encryption:      Disabled
    Last Clearing of Stats Counters: 08/12/2009 05:31:42
    Mtu:                       1500        State Transitions:            4
    Total Local Connections:   0           Total Backup Connections:     0
    Current Local Connections: 0           Current Backup Connections:   0
    Total Connections:         0           Max Connections:              65534
    Total Reused Conns:        0
    Weight:                    1           Load:                         255
    Weight Reporting:          None
  CSS11503-2(config-service[Linux2])# keepalive type none
  CSS11503-2(config-service[Linux2])# show service Linux2
  Name: Linux2            Index: 33
    Type: Local            State: Alive
    Rule ( 192.168.20.41  ANY  ANY )
    Session Redundancy: Disabled
    Redirect Domain:
    Redirect String:
    Keepalive: (NONE   5   3   5 )
    Keepalive Encryption:      Disabled
    Last Clearing of Stats Counters: 08/12/2009 05:36:08
    Mtu:                       1500        State Transitions:            5
    Total Local Connections:   0           Total Backup Connections:     0
    Current Local Connections: 0           Current Backup Connections:   0
    Total Connections:         0           Max Connections:              65534
    Total Reused Conns:        0
    Weight:                    1           Load:                         2
    Weight Reporting:          None
  Gilles.

• Routing issue with CSS 11503

  The senerio contains a PIX 515 E firewall,4507R Chassis switch and a CSS 11503. The servers in inside zone of the PIX is load balanced using a vip with default route specified in the CSS is the inside zone interface IP of the PIX
  Now I would like to load balance the servers in the DMZ zone of the PIX with a separate vip(from DMZ zone) in the same CSS. Since the default route in CSS is towards the inside zone of the PIX, I am unable to see the load blanced pages from dmz. Is there any solution to load balance the servers of the 2 zones with 2 different vip's using a single css ?

  The default behavior is to use the calling device's CSS for the redirected calls. In your case it sounds like you want to use the redirecting device's CSS. I haven't tried this myself but I believe you will need to change the following registry entry on your PGs. You will want to use option 2 (ROUTEADDRESS_SEARCH_SPACE).
  HKEY_LOCAL_MACHINE\SOFTWARE\Cisco
  Systems,Inc.\ICM\IPCCL\PG1B\PG\CurrentVersion\JGWS\jgw1\JGWData\Dynamic
  "UseRouteAddressSearchSpace"=dword:00000000
  - Used to control behavior on CTI Route Points for Route Selects.
  UseRouteAddressSearchSpace can be to set 0, 1, or 2 where :
  DEFAULT_SEARCH_SPACE = 0
  CALLINGADDRESS_SEARCH_SPACE = 1
  ROUTEADDRESS_SEARCH_SPACE = 2

• CSS 11503 load-balancing with MS Print Servers

  We are trying to load-balance print server connections between 2 MS print servers. When we try to connect to the print servers name, (\\PS01) or even the VIP address, we get a Path not found error. However, if we direct the path to the actual name or ip address of the print servers (not the VIP), we can view all the queues and connect/print to them. Is this possible to do on the CSS 11503? Thanks.

  Pete- Here is our config. See any problems?
  configure
  !*************************** GLOBAL ***************************
  ip route 0.0.0.0 0.0.0.0 1.100.100.100 1
  !************************* INTERFACE *************************
  interface 1/2
  bridge vlan 2
  !************************** CIRCUIT **************************
  circuit VLAN1
  ip address 1.100.101.110 255.0.0.0
  circuit VLAN2
  ip address 10.100.249.1 255.255.255.0
  !************************** SERVICE **************************
  service ps01
  ip address 10.100.249.5
  active
  service ps02
  ip address 10.100.249.6
  active
  !*************************** OWNER ***************************
  owner printserver
  content L3_Basic
  add service ps01
  add service ps02
  vip address 1.100.100.35

• CSS 11503 - question on version

  We're about to do an annual OS update to our CSS 11503, and I noticed that there are two current versions of WebNS, both released in the same month: 8.10.4.01 and 8.20.2.01. Could anyone outline for me the differences between the two (or point me to the right release notes)? I usually upgrade to the latest release, but having two at the same time is awfully confusing.
  Thank you!

  They are essentially the same.
  We always port all fix to both of them.
  Release notes are here :
  http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/css11500series/v8.10/release/note/RN810_X.html
  http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/css11500series/v8.20/release/note/RN820_X.html
  Gilles.

• CSS 11503 Users using a proxy

  I currently have a CSS 11503 LB that I am using to balance 443 and 80 traffic and I have it working but my question is if a users are coming from a proxy should I continue to use Layer 3 LB technique? Also is it possible to see the real IP address instead of the IP of the proxy server?

  the problem with proxy is if you use some form of stickyness like sticky src ip.
  Since the src ip is always the proxy, you end up with all your traffic going to a single server.
  If you are doing sticky src ip, I would suggest to use arrowpoint-cookie instead.
  To see the real-ip you need your proxy to insert in the http header a 'x-forwarded-for' line with the client ip.
  Your servers can then extract this value to determine the client ip.
  On the CSS you won't be able to see the client-ip.
  Gilles.

• Global Cerificate on CSS 11503

  Hi
  I am planning to enable https for few web servers behind a CSS 11503. I have tested the functionality with the trial cert every thing works as desired.
  Now I need to buy a certificate from Verisign to make it work in production.
  At verisign they offer two different certs (Secure Site --40 bits encryption) and (Secure Site Pro -- 128 bit encryption).
  1. Is this 128 bit cert a "global cert"? and I need to concatenate the "intermediate cert" and "server cert" to make it work?
  2. If all my users are in USA then does it make sense to buy this 128 bit certificate?
  3. Verisign website also asks for "server Platform" and cisco is not mentioned as an option (I can see other LB as F5 in the list). What should I select for the server Platform when I am requesting it for CSS 11503 (I have generated the CSR on CSS 11503).
  Thanks in advance
  Glenn

  1.The guy who picked the phone at verisign had no clue.Verisign website says the following
  Secure Site Certificate (40bit minimum)- SSL Certificates without SGC
  To install your SSL Certificate, go to the instructions below for your server software. If your server is not listed or you need additional information, refer to your server documentation or contact your server vendor
  Secure Site Pro Certificate(128bit minimum) - SSL Certificates with SGC
  If you are installing an SSL Certificate with SGC, you need to copy an Intermediate CA Certificate before proceeding to the installation instructions for your server software.
  2.My understanding was that 40 bit is minimum encryption level and only old browsers (exported ones) will us 40/56 bit ciphers. Other wise even with 40 bit certificate the new browsers will establish a 128 bit session.
  Verisign says about their 40 bit certificate
  "40-Bit to 256-Bit SSL Encryption Non-SGC SSL Certificates provide a minimum of 40-bit and up to 256-bit SSL encryption. Site visitors using certain older browsers and many Windows 2000 users will only receive 40- or 56-bit encryption unless they’re connecting to an SGC-enabled SSL Certificate"
  I found a document on net in favor of buying 40 bit certs.
  http://www.whichssl.com/myths_about_sgc.html
  Gilles I am a bit confused here.Need HELP :)

• Routing non-TCP/UDP traffic while using FWLB on CSS 11503s

  Hello all,
  I've been tasked to setup up FWLB with CSS 11503's as shown below. The issue is that intranet workstations use VPN client software when connecting to certain sites through the Internet and other times they use http or https (for connection to different sites). Because no flow is setup for ipsec and ECMP uses per packet routing for non TCP/UDP traffic, I'm concerned that load balancing through the firewalls will occur on a per packet basis. If that is true, stateful inspection in the firewalls will block asymmetrical traffic flows.
  Is my understanding correct? And, if so, is there a way to configure the CSS units to deal with this?
  Thanks in advance.
  (sorry for the dots in the drawing but the spaces kept getting deleted)
  .| Internet |
  ..........|
  .| CSS-outside |
  .............|
  ........|...............|
  .| FW1 |.....| FW2 |
  .......|................|
  ............|
  .| CSS-inside |
  ............|
  .| Intranet |

  for non-flowy traffic like IPSEC, we use a hash algorithm to decide where to send the traffic.
  So, it's not per packet loadbalancing.
  The same source/destination ip/port will always go to the same firewall.
  Gilles.

• Installing an SSL certificate for a CSS 11503

  I'm having the hardest time searching for clear instructions on how to request and install an SSL certificate for a CSS 11503 Content Switch. Can anyone help or point me in the right direction?
  I'm also looking for instructions on how to replace an SSL certificate once it's been installed. Thanks!

  Allen,
  The portion of the configuration guide related to SSL certificates and keys can be found here:
  http://cisco.com/en/US/products/hw/contnetw/ps792/products_configuration_guide_chapter09186a00801eea82.html#1422544
  To replace an SSL certificate, you'll need to remove the current certificate and re-import/create the new one.
  ~Zach

• To set enable password for CSS 11503

  We need to set enable password on CSS 11503.
  Can we do this.If yes how we can do this?

  there is no enable password on the CSS.
  The user is a privilege user or not.
  If you login as a privilege user, you get full access. No need to enable anything.
  CSS11503-2> en
  enable Authenticate for SuperUser mode
  endbranch End a branching command
  CSS11503-2> enable
  Username:
  As you can see above, if you type enable you have to re-login with a superuser account.
  Gilles.

• CSS 11503 does not ask confirmation

  Hi,
  Our CSS 11503 does not ask confirmation when I want to delete or add a service, owner or group.
  Here is the log of some deletion and addition a service:
  11503_Master(config)# sh run ser mtsopa01-9700
  service mtsopa01-9700
  ip address A.B.C.D
  protocol tcp
  port 9700
  keepalive type http
  keepalive port 9700
  active
  11503_Master(config)# no service mtsopa01-9700
  11503_Master(config)# (As you see there is no confirmation)
  11503_Master(config)# service mtsopa01-9700
  11503_Master(config-service[mtsopa01-9700])# (As you see there is no confirmation)
  11503_Master(config-service[mtsopa01-9700])# ip address A.B.C.D
  11503_Master(config-service[mtsopa01-9700])# protocol tcp
  11503_Master(config-service[mtsopa01-9700])# port 9700
  11503_Master(config-service[mtsopa01-9700])# keepalive type http
  11503_Master(config-service[mtsopa01-9700])# keepalive port 9700
  11503_Master(config-service[mtsopa01-9700])# active
  Have you any idea?
  PS:
  Version: sg0750103 (07.50.1.03)
  Product Name: CSS11503-AC J0

  do a 'show profile'
  You are probably in expert mode.
  CSS11503-2# sho prof
  @no terminal more
  @prompt CSS11503-2
  @expert <=====
  do 'no expert' to revert to normal mode and don't forget to do a save profile.
  Gilles.

• CISCO CSS 11503: Adaptive Session Redundancy + Resets

  Hi
  we have release 7.10.206a configured with SourceGroup and ASR. I made a sniffer trace and experienced that the CSS sends a lot of RST. As well I saw that it use only 1984 source ports for the connections to the server. How can I increase the number of source Ports? .In the attachments you will find the sniffer trace with the incorrect behaviour and the configuration.
  Any suggestion, idea ?

  the problem of the RST seems to be the frequent reuse of the same source port.
  The destination of this connection seems to be confused and ACK the new SYN with the ack number of the previous connection. This ack number is out of range from the syn sequence number so the result if a RST.
  ie:
  Flow1 - Syn -> packet 1
  Flow1 - Last ACK -> packet 33
  Flow 2 - syn -> packet 34
  Flow 2 - ack (instead of syn/ack) with acknumber same is packet 33.
  This triggers a RESET -> packet 36
  Flow 3 - syn -> packet 55
  Flow 3 - same as flow 2 issue, ack with old ack number. This triggers a RST (packet 57).
  Now the 2nd issue, the CSS (I believe tpkg0x.post.ch is the CSS) sends packet for flow 2 but the end station believes flow 2 was killed with the RESET of flow 3 and the host sends a RST to the CSS (packet 59) because its connection does not exist anymore.
  So the all issue is the fact that ports are being reused to quickly.
  You will need to involve more people to find a workaround to the 1984 ports available [and be aware they are available but not all usable].
  Work with Marco K., your sale support.
  Regards,
  Gilles.

• Cisco CSS 11503 Arrowpoint/Load Balance question

  I am troubleshooting an issue with my 11503.  I am running version 07.40.0.04. I have it configured as follows:
    content upcadtoa-rule
      add service cadtoa-wls1-e0
      add service cadtoa-wls1-e1
      add service cadtoa-wls2-e0
      add service cadtoa-wls2-e1
      add service cadtoa-wls3-e0
      add service cadtoa-wls3-e1
      add service cadtoa-wls4-e0
      add service cadtoa-wls4-e1
      add service cadtoa-wls5-e0
      add service cadtoa-wls5-e1
      add service cadtoa-wls6-e0
      add service cadtoa-wls6-e1
      arrowpoint-cookie expiration 00:00:15:00
      protocol tcp
      port 8001
      advanced-balance arrowpoint-cookie
      redundant-index 2
      vip address 172.30.194.195 range 2
      arrowpoint-cookie name TOA
      active
  However, the load-balancing across the servers does not seem to be doing much balancing.  One of those servers is getting hit with 5 times as much traffic as another and another server is lucky to get a connection at all.  With the cookie expiration set, one would think that this would all balance out over time.
  I just came across this information from Cisco and I am wondering if it is relevant:
  If you configure a balance or advanced-balance method on a content rule that requires the TCP protocol for Layer 5 (L5) spoofing, you should configure a default URL string, such as url "/*". The addition of the URL string forces the content rule to become an L5 rule and ensures L5 load balancing or stickiness. If you do not configure a default URL string, unexpected results can occur.
  In the following configuration example, if you configure a Layer 3 (L3) content rule with an L5 balance method, the CSS performs L5 load balancing, but will reject UDP packets.
  content testing
  vip address 192.168.128.131
  add service s1
  balance url
  active
  The balance url method is an L5 load-balancing method in which the CSS must spoof the connection and examine the HTTP GET content request to perform load balancing. The CSS rejects the UDP packet sent to this rule because a UDP connection cannot be L5. Though the CSS allows this rule configuration, its expected behavior would be more clear if you promote the rule to L5 by configuring the url "/*" command.
  In the next example, if you configure an L3 content rule with an L5 advanced-balance method, L5 stickiness will not work as expected.
  content testing
  vip address 192.168.128.131
  add service s1
  advanced-balance arrowpoint-cookie
  active
  The advanced-balance arrowpoint-cookie method causes the CSS to spoof the connection, however, the CSS still marks it as an L3 rule. Thus, the CSS does not insert the generated cookie and the rule defaults to L3 stickiness (sticky-srcip). You must configure a URL like url "/*" to promote this rule to L5, ensuring that L5 stickiness works as expected.
  Thanks in advance for any help you can give.  The thing is not down, it is just balancing strangely causing application performance issues.
  James

  Hey James,
  You will need to suspend the content rule in order to add the url statement.  This will cause a quick downtime until the content rule is activated again.  I have shown below the commands to add the statement.  Perhaps you can create your commands in a Notepad file, then paste them all in so they execute quickly to minimize your downtime:
    content MY-SITE
      vip address 10.201.130.140
      port 80
      protocol tcp
      add service MY-SERVER
      active
  CSS11503# config t
  CSS11503(config)# owner TEST
  CSS11503(config-owner[TEST])# content MY-SITE
  CSS11503(config-owner-content[TEST-MY-SITE])# url "/*"
  %% Attribute may not be modified on active rule
  CSS11503(config-owner-content[TEST-MY-SITE])# suspend
  CSS11503(config-owner-content[TEST-MY-SITE])# url "/*"
  CSS11503(config-owner-content[TEST-MY-SITE])# active
  CSS11503(config-owner-content[TEST-MY-SITE])# exit
  CSS11503(config-owner[TEST])# exit
  CSS11503(config)# exit
  CSS11503# show run
    content MY-SITE
      vip address 10.201.130.140
      add service MY-SERVER
      port 80
      protocol tcp
     url "/*"       <--------
      active
  Hope this helps,
  Sean

• CSS 11503 Destination NAT - can only enable one service

  I have three web servers configured as six services. Three are for MOSS (Microsoft Office Sharepoint Server) and three are for SSRS (SQL Server Reporting Services 2006 in integration mode).
  THE PROBLEM:
  When more than one MOSS service is active I can no longer connect to the SSRS services.
  This is a trunked Configuration:
  interface 1/1
  trunk
  redundancy-phy
  vlan 1
  default-vlan
  vlan 100
  vlan 101
  vlan 103
  interface 3/16
  bridge vlan 4000
  circuit VLAN100
  redundancy
  ip address 192.168.100.xx0 255.255.255.0
  circuit VLAN103
  redundancy
  ip address 192.168.103.xx0 255.255.255.0
  circuit VLAN4000
  ip address 1.x.x.2 255.255.255.252
  redundancy-protocol
  circuit VLAN101
  redundancy
  ip address 192.168.101.xx0 255.255.255.0
  service MOSSWeb01
  ip address 192.168.103.xx1
  keepalive port 80
  keepalive type tcp
  active
  service MOSSWeb02
  ip address 192.168.103.xx2
  keepalive port 80
  keepalive type tcp
  active
  service MOSSWeb03
  ip address 192.168.103.xx3
  keepalive port 80
  keepalive type tcp
  active
  service SSRSWeb01
  ip address 192.168.103.xx1
  active
  service SSRSWeb02
  ip address 192.168.103.xx2
  active
  service SSRSWeb03
  ip address 192.168.103.xx3
  active
  owner MOSS
  content MOSS
  vip address 192.168.100.xx1
  vip-ping-response local-remote
  add service MOSSWeb01
  add service MOSSWeb02
  add service MOSSWeb03
  active
  owner SSRS
  content REPORTSERVER
  vip address 192.168.100.xx2
  add service SSRSWeb01
  add service SSRSWeb02
  add service SSRSWeb03
  vip-ping-response local-remote
  active
  group MOSS2007-DSTNAT
  vip address 192.168.100.xx1
  add destination service MOSSWeb01
  add destination service MOSSWeb02
  add destination service MOSSWeb03
  active
  group SSRS2005-DSTNAT
  vip address 192.168.100.xx2
  add destination service SSRSWeb01
  add destination service SSRSWeb02
  add destination service SSRSWeb03
  active
  NOTES:
  All (3) real servers have a default route to 192.168.103.xx0 which insures traffic passing through the CSS (so I don't understand why I still need a destination service group).
  When MOSS accesses SSRS it does so via http://SSRS2005/reportserver. This is configured in DNS as 192.168.100.xx2. I would think that this would also insure traffic through the CSS but I still had to configure a destination service for these.
  All clients connect to the MOSS services via one VIP (192.168.100.xx1) and the MOSS services connect to the SSRS services via a 2nd VIP (192.168.100.xx2). MOSS also connects to itself for indexing content and a variety of other services (I had originally tried separating the MOSS content rules using layer 5 matching on Host Headers. This seemed to cause issues with access to ports 139 and 445 for UNC access to document libraries so I simplified the MOSS content rule back to layer 3).
  I have setup two distinct groups and have used destination NAT so that the servers can communicate to each other.
  When using Wireshark on the servers to run packet traces and all services are up I do not even see any packets destined for the SSRS services leading me to believe that they are dropped by the CSS (however, I don't see them using show flows on the CSS either).
  Can anyone here shed some light on the correct way to configure the CSS in such a scenario?
  Thanks in advance.

  I have two MOSS services down because MOSS can't get to SSRS if more than one MOSSservice is active. That's the crux of the biscuit.
  I had hoped to avoid the whole packet sniffing activity but it looks like I may need to capture more information. I don't really want to change the VLAN configuration since this CSS is managed by our network team and there are other services configured on the CSS that I have not indicated.
  I appreciate your advice, so far. I will actually have some downtime this coming weekend where I can try some additional configuration options after prime time from home.
  One thing that may not be apparent in this whole discussion is that all of the sites on both MOSS and SSRS use HOST Headers for HTTP. That's what keeps them separated. I had tried using layer 5 content rules but had the same issue plus other issues with non-HTTP traffic. I also did not care for the fact that the CSS actually spoofs the responses when using layer 5. There is a lot of NTLM Challenge/Response traffic for Windows Integrated Authentication and Negotiated Kerberos. The bottom line is that even without Layer 5 content rules the Host Headers do get passed to IIS and the sites are selected properly based on that header. The exception is that Host Headers are no longer required for SSRS since it is the default website on port 80 (besides - setting up host headers for SSRS in MOSS integration mode has it's own set of issues). Still, the host headers are sent to SSRS SOAP Endpoints and there are no issues connecting to any of the three SSRS services from any of the three MOSS servers interactively. The issue is when a client outside of these VLANs makes a request for a report.
  client->MOSS->SSRS->MOSS->client
  Be aware too that both MOSS and SSRS are making connections back through the CSS to their respective databases for each request.