Nortel Alteon rules conversion to Cisco CSS

Similar Messages

• Cisco CSS 11503 Arrowpoint/Load Balance question

  I am troubleshooting an issue with my 11503.  I am running version 07.40.0.04. I have it configured as follows:
    content upcadtoa-rule
      add service cadtoa-wls1-e0
      add service cadtoa-wls1-e1
      add service cadtoa-wls2-e0
      add service cadtoa-wls2-e1
      add service cadtoa-wls3-e0
      add service cadtoa-wls3-e1
      add service cadtoa-wls4-e0
      add service cadtoa-wls4-e1
      add service cadtoa-wls5-e0
      add service cadtoa-wls5-e1
      add service cadtoa-wls6-e0
      add service cadtoa-wls6-e1
      arrowpoint-cookie expiration 00:00:15:00
      protocol tcp
      port 8001
      advanced-balance arrowpoint-cookie
      redundant-index 2
      vip address 172.30.194.195 range 2
      arrowpoint-cookie name TOA
      active
  However, the load-balancing across the servers does not seem to be doing much balancing.  One of those servers is getting hit with 5 times as much traffic as another and another server is lucky to get a connection at all.  With the cookie expiration set, one would think that this would all balance out over time.
  I just came across this information from Cisco and I am wondering if it is relevant:
  If you configure a balance or advanced-balance method on a content rule that requires the TCP protocol for Layer 5 (L5) spoofing, you should configure a default URL string, such as url "/*". The addition of the URL string forces the content rule to become an L5 rule and ensures L5 load balancing or stickiness. If you do not configure a default URL string, unexpected results can occur.
  In the following configuration example, if you configure a Layer 3 (L3) content rule with an L5 balance method, the CSS performs L5 load balancing, but will reject UDP packets.
  content testing
  vip address 192.168.128.131
  add service s1
  balance url
  active
  The balance url method is an L5 load-balancing method in which the CSS must spoof the connection and examine the HTTP GET content request to perform load balancing. The CSS rejects the UDP packet sent to this rule because a UDP connection cannot be L5. Though the CSS allows this rule configuration, its expected behavior would be more clear if you promote the rule to L5 by configuring the url "/*" command.
  In the next example, if you configure an L3 content rule with an L5 advanced-balance method, L5 stickiness will not work as expected.
  content testing
  vip address 192.168.128.131
  add service s1
  advanced-balance arrowpoint-cookie
  active
  The advanced-balance arrowpoint-cookie method causes the CSS to spoof the connection, however, the CSS still marks it as an L3 rule. Thus, the CSS does not insert the generated cookie and the rule defaults to L3 stickiness (sticky-srcip). You must configure a URL like url "/*" to promote this rule to L5, ensuring that L5 stickiness works as expected.
  Thanks in advance for any help you can give.  The thing is not down, it is just balancing strangely causing application performance issues.
  James

  Hey James,
  You will need to suspend the content rule in order to add the url statement.  This will cause a quick downtime until the content rule is activated again.  I have shown below the commands to add the statement.  Perhaps you can create your commands in a Notepad file, then paste them all in so they execute quickly to minimize your downtime:
    content MY-SITE
      vip address 10.201.130.140
      port 80
      protocol tcp
      add service MY-SERVER
      active
  CSS11503# config t
  CSS11503(config)# owner TEST
  CSS11503(config-owner[TEST])# content MY-SITE
  CSS11503(config-owner-content[TEST-MY-SITE])# url "/*"
  %% Attribute may not be modified on active rule
  CSS11503(config-owner-content[TEST-MY-SITE])# suspend
  CSS11503(config-owner-content[TEST-MY-SITE])# url "/*"
  CSS11503(config-owner-content[TEST-MY-SITE])# active
  CSS11503(config-owner-content[TEST-MY-SITE])# exit
  CSS11503(config-owner[TEST])# exit
  CSS11503(config)# exit
  CSS11503# show run
    content MY-SITE
      vip address 10.201.130.140
      add service MY-SERVER
      port 80
      protocol tcp
     url "/*"       <--------
      active
  Hope this helps,
  Sean

• Load Balance TMG with Cisco CSS

  I am working with a Customer that is using Cisco CSS to load balance Microsoft TMG 2010.
  From the Microsoft TMG, I can see the https probes hitting the TMG Servers. The TMG 2010 recongnizes that the Cisco is trying to establish a 3-way handshake and is dropping every 3rd connection with the following error: "non-SYN packet was dropped because it was sent by a source that does not hane an established connection with the Forefron TMG computer." Since the Microsoft Forefront TMG 2010 Server is Stateful packet inspection firewall, what is the best load balance method for this service? TCP or even worst ICMP.
  Below is a snipet of the configuration:
  Thank You
  Avery
  CSS-A# show service Server1-ssl
  Name: Server1-ssl  Index: 70   
    Type: Local            State: Alive
    Rule ( x.x.x.x  TCP  443 )
    Session Redundancy: Enabled
    Redundancy Global Index: 206
    Redirect Domain: 
    Redirect String:
    Keepalive: (SSL-443   5   3   5 )
    Keepalive Encryption:      Disabled
    Last Clearing of Stats Counters: 03/05/2012 16:33:14
    Mtu:                       1500        State Transitions:            4
    Total Local Connections:   0           Total Backup Connections:     0
    Current Local Connections: 0           Current Backup Connections:   0
    Total Connections:         0           Max Connections:              65534
    Total Reused Conns:        0           Weight Reporting:             None
    Weight:                    1           Load:                         2
  CSS-A#
  CSS-A# show service Server2-ssl 
  Name: Server2-ssl  Index: 71   
    Type: Local            State: Alive
    Rule ( x.x.x.x  TCP  443 )
    Session Redundancy: Enabled
    Redundancy Global Index: 207
    Redirect Domain: 
    Redirect String:
    Keepalive: (SSL-443   5   3   5 )
    Keepalive Encryption:      Disabled
    Last Clearing of Stats Counters: 03/05/2012 16:53:49
    Mtu:                       1500        State Transitions:            6
    Total Local Connections:   0           Total Backup Connections:     0
    Current Local Connections: 0           Current Backup Connections:   0
    Total Connections:         0           Max Connections:              65534
    Total Reused Conns:        0           Weight Reporting:             None
    Weight:                    1           Load:                         2

  Hi,
  It would good to have a capture from the server itself, the TCP keepalive is really simple, as you explained, it is just a 3-way-handshake on port 443.
  The CSS is going to use it's vlan IP to generate this keepalive.
  So if the server is dropping the connection, it would be good to se the actual behavior of the keepalive.
  ICMP is just a ping, and lets say port 443 is not longer open on the server, at the point that the CSS gets the ICMP reply back from the server, the service is going to remain as alive, but the traffic is not going to work, so ICMP is not a good option.
  Thanks!

• Cisco css http keepalive is not working with GET command

  Dear all
  i have Cisco Css connected to Dell Server (via switch)
  Cisco CSS - 192.168.1.3 and Dell Server - 192.168.1.5
  Dell server is setup with windows 2009R2 and Apache HTTPD is version 2.2
  This server is dedicated to host multiple doamins with Apache lik
  www.abc.co.uk
  www.xyz.co.uk
  Now the clinet wants to setup the http keepalive  with specfic web page like /testpage.html  for all these domains. i have teseed with single URI. it is working the comamnds are
  config)# service serv1
  (config-service[serv1])# ip address 192.168.1.5
  (config-service[serv1])# keepalive type http
  (config-service[serv1])# keepalive method head    ( get i have not used due to hash mismatch with apche server, if i use GET it is not working)
  (config-service[serv1])# keepalive uri "/testpage.html"
  (config-service[serv1])# active
  It is working with single URI.  but how can i do the same thing for multiple doamins ?
  for multiple doamins do i need use script ? or can i use with commands ?
  if i need to use script the script is
  !no echo
  ! Filename: httptag-test
  ! Parameters: HostName WebPage HostTag
  ! Description:
  !       This script will connect to the remote host and do an HTTP
  !   GET method upon the web page that the user has asked for.
  !   This script also adds a host tag to the GET request.
  ! Failure Upon:
  !   1. Not establishing a connection with the host.
  !       2. Not receiving an HTTP status "200 OK"
  if ${ARGS}[#] "NEQ" "3"
          echo "Usage: httptag-test \'Hostname WebPage HostTag\'"
          exit script 1
  endbranch
  ! Defines:
  set HostName "${ARGS}[1]"
  set WebPage "${ARGS}[2]"
  set HostTag "${ARGS}[3]"
  ! Connect to the remote Host
  set EXIT_MSG "Connection Failure"
  socket connect host ${HostName} port 80 tcp
  ! Send the GET request for the web page
  set EXIT_MSG "Send: Failed"
  socket send ${SOCKET} "GET ${WebPage} HTTP/1.1\nHost: ${HostTag}\n\n"
  ! Send the HEAD request for the web page
  set EXIT_MSG "Send: Failed"
  socket send ${SOCKET} "HEAD ${WebPage} HTTP/1.1\nHost: ${HostTag}\n\n"
  ! Wait for a good status code
  set EXIT_MSG "Waitfor: Failed"
  socket waitfor ${SOCKET} "200 OK"
  no set EXIT_MSG
  socket disconnect ${SOCKET}sh w
  exit script 0
  in the script i have not used GET becasue, when CSS send GET request to apache it use hash, but apache is not able to respond with same hash and it shows that website is down. more information- click below url
  http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/css11500series/v7.40/command/reference/CmdKeepC.html#wp1139668
  (config-keepalive) method
  I have uploaded in CSS with httptag-test file and applied these commands
  service comp.brit.co.uk-80
    keepalive port 80
    ip address 192.168.1.5
    keepalive frequency 10
  keepalive maxfailure 2
  keepalive retryperiod 10
  keepalive type script httptag-test "192.168.1.5 /testpage.html  www.abc.co.uk
  keepalive type script httptag-test "192.168.1.5 /testpage.html  www.xyz.co.uk
  but this script is not working
  my question is:
  1.do i need use script only to setup http keepalvie with webpage for multiple domains ?
  2.with out using script is there any solution like CICSCO  CSS commands  to setup http uril for multiple domains which are on 1 singl server.
  please help me asap

  Hello Muhammad,
  If you wish to use multiple domains for a URI  keep-alive check, and perform a HEAD request what Daniel mentioned is  correct.  You have to use a scripted keep-alive check on the service.  However, you should not use the default "ap-kal-httptag" script to do so  as it's limited to only 1 website (unless you modify the script).  You're best bet would be using the "ap-kal-httplist" script on the CSS  as it allows the checking of 2 different websites along with a webpage  to check for each site using HTTP HEAD method.
  !no echo
  ! Filename: ap-kal-httplist
  ! Parameters: Site1 WebPage1 Site2 WebPage2 [...]
  ! Description:
  !    This script will connect a list of sites/webpage pairs.  The
  !   user must simply supply the site, and then the webpage and
  !   we'll attempt to do an HTTP HEAD on that page.
  ! Failure Upon:
  !   1. Not establishing a connection with the host.
  !   2. Not receiving a status code 200 on the HEAD request on any
  !      one site.  If one fails, the script fails.
  ! Make sure the user has a qualified number of arguments
  if ${ARGS}[#] "LT" "2"
          echo "Usage: ap-kal-httplist \'WebSite1 WebPage1 WebSite2 WebPage2 ...'"
          exit script 1
  endbranch
  while ${ARGS}[#] "GT" "0"
          set Site "${ARGS}[1]"
      var-shift ARGS
      if ${ARGS}[#] "==" "0"
          set EXIT_MSG "Parameter mismatch: hostname present but webpage was not"
          exit script 1
      endbranch
      set Page "${ARGS}[1]"
      var-shift ARGS
      no set EXIT_MSG
      function HeadUrl call "${Site} ${Page}"
  endbranch
  exit script 0
  function HeadUrl begin
  ! Connect to the remote Host
  set EXIT_MSG "Connect: Failed to connect to ${ARGS}[1]"
  socket connect host ${ARGS}[1] port 80 tcp 2000
  ! Send the head request
  set EXIT_MSG "Send: Failed to send to ${ARGS}[1]"
  socket send ${SOCKET} "HEAD ${ARGS}[2] HTTP/1.0\n\n"
  ! Wait for the status code 200 to be given to us
  set EXIT_MSG "Waitfor: Failed to wait for '200' on ${ARGS}[1]"
  socket waitfor ${SOCKET} " 200 " 2000
  no set EXIT_MSG
  socket disconnect ${SOCKET}
  function HeadUrl end
  Rather  then modify the default "ap-kal-httplist" script on the CSS I would  simply define the arguments within the service configuration itself.   Something like the following (using your service example):
  service dell-192.168.1.5
  ip address 192.168.1.5
  keepalive type script ap-kal-httplist "www.abc.co.uk /testpage.html www.xyz.co.uk /testpage.html"
  active
  As  long as the server is configured to reply to host headers, and the page  is configured to retuen a "200 OK" the above service configuration  should work. If there are any errors simply run "show service  " to view why there was a failure. If there is a  failure, and the output from the command specified shows a line number  run the following command against the script to view at what point  (line) did the failure occur:
  show script ap-kal-httplist line-numbers
  Hope this helps!
  - Jason Espino

• Cisco CSS 11501 - High-Availabilty

  We have a single CSS 11501 and were thinking about just buying a new one and putting it online as the standby with statefull (hopefully) failover, but weren't sure that this would work.
  Does anyone know what is needed to create a high-availability Cisco CSS 11501 environment?
  Do you only need 2 CSS 11501 and then configure them with one being active and the other being in a standby mode, like a PIX?
  Is there a HA Cable that would need to be connected between the 2 CSS's?
  Thanks in Advanced.
  Joe

  Daniel,
  There is a new stateful failover mechanism for the Cisco CSS 11500.
  This description is a bit "salesy" I know, but it covers the question asked :-)
  The Cisco CSS 11500 delivers ASR—the industry's first stateful Layer 5 session redundancy feature that enables failover of important flows while maximizing performance. Some flows—such as a long-lived File Transfer Protocol (FTP) or a database session — may be mission critical, but many are not. Most solutions on the market today require all traffic—important or not—to be backed up from one box to another. If the majority of flows are not critical, then most of system performance is wasted on unnecessary back
  ups. With ASR, the Cisco CSS 11500 may be configured so critical flows are marked as replication worthy, whereas others do not need to be so marked. ASR focuses traffic management resources precisely where needed.
  Better yet, have a look at the following link focusing on the section on Stateless Redundancy.
  http://www.cisco.com/univercd/cc/td/doc/product/webscale/css/css_510/advcfggd/redndncy.htm
  Regards
  Pete..

• Security on the Cisco CSS

  I have a Cisco CSS 11501s attached to a Cisco 6000. I am using the CSS in an on arm design, which is basically a router on a stick. The Cisco 6000 only provides layer 2 switching. It utilizes 1 Ethernet interface on a single vlan.
  I configure 3 VIPs for client connection.
  - VIP 1 for SSL
  - VIP 2 is for the clear text traffic from the
  VIP1/proxy list.
  - VIP 3 is for redirecting clear text traffic from
  the client.
  - All VIPs use the same address, but differing
  ports.
  I have a source group for all outbound traffic to the server farm. I tried to block traffic to the clear text interface, but I blocked all traffic. Is there an issue with one security of VIPs in a one-arm design?
  Any design ideas?
  Thank you

  Hi,
  If I understand correctly, you want to block the traffic destined to the VIP which is actually meant for the back-end traffic with the server once it is off the proxy-list. I understnad you use the VIP2 for this purpose as per your question and is same as the client side IP range.
  Here is the solution just use a config what is known as "full-proxy" configuration by Cisco on the CSS. To do this you would need two different IP ranges. One would be for your client side (the one resolved by dns) and the other could be a different IP range preferably the non-routable private ip rnage like 192.168.x.x for the back-end server segment. You will now pick-up a VIP from server segment and assign it in the proxy-list with the 'cipher' specs.
  In essence, this way you wouldn't be forced using the same VIP range for the servers and for the clients as well. You can have a private range on the back-end. This prevents traffic being targeted to your server segment from the client segment in the clear http in your case.
  thanks

• Cisco CSS ICS via DWDM

  We are currently splitting up a campus installation (2 datacenters with < 300m cable distance).
  One datacenter remains on the campus, the other one is moved to another part of the town, approx. 30km away.
  The two datacenters are interconnected using DWDM (don't have the exact specs at the moment, but I think we have got the equivalent of 16 duplexed 4Gb/s conenctions between the two data centers)
  So far we have been able to move most of the equipment (including several members of Oracle RAC clusters on Linux and OpenVMS, VPN server farms, ESX cluster members and similar services), but we do not seem to bei able to get the Cisco CSS ICS link up on the DWDM.
  Is there anything we can ask the DWDM provider to check, or is there no chance to get the ICS link up over DWDM?

  Hi Martin,
  I guess you are referring to ISC port, right?
  As per CSS documentation: You must connect the ISC ports directly to the two CSSs. You cannot use Layer 2 devices on the ISC links between the two CSSs. Also, the ISC links must be dedicated to passing only ISC traffic.
  For that reason I believe you need to reconsider your plan.
  http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/css11500series/v8.20_v8.10/configuration/redundancy/guide/ASR.html#wp1038263
  Best regards,
  Ahmad

• Getting logs for DOS Attack:Sync Attack on cisco CSS 11501 frequently.

  Hi ,
  Since couple of weeks , i am getting below DOS attack logs on cisco CSS.Can anyone help me out about how can we avoid this? and how to deal with it.
  04/23/2011 17:27:28:Enterprise:DOS Attack:SYN Attack -> 10 times
  04/23/2011 17:30:15:Enterprise:DOS Attack:SYN Attack -> 10 times
  04/24/2011 11:20:32:Enterprise:DOS Attack:SYN Attack -> 11 times
  04/24/2011 11:24:48:Enterprise:DOS Attack:SYN Attack -> 12 times
  04/24/2011 15:30:42:Enterprise:DOS Attack:SYN Attack -> 10 times
  Thanks
  Manish

  Hi Nicolas,
  Why i am asking about DOS attack as i am facing some issues for the 2 VIPs configured in cisco CSS 11501.
  Can you help me troubleshooting the issue?
  I have coming across some Load Balancing issues for the 2 VIPS configured on Cisco CSS11501.
  We  have cisco CSS 11501. We have 2 VIPs configured on it for FE and BE  servers.Now Client calls to FE VIP and LB forwarding it to server and  then FE server calls the BE VIP which goes through the same LB and  forward to BE server under the VIP.When we start load test, we have  observed after 2 hour test, application team getting HTTP timeout.As  this application is used by Call center so getting timeout is bad.
  Need to troubleshoot this issue if there is any problem from LB End.
  Please find the attached file for VIP configs.

• Cisco CSS as non-HTTPS SSL-traffic terminator

  Hi!
  Does anybody know is it real to use Cisco CSS as SSL-traffic terminator. I need to terminate non-HTTPS SSL-traffic on this device (i.e. SSL-encrypted sessions of any particular TCP-based application-layer protocol, not https)? If not, is there any CISCO device capable of doing such a job?
  Regards, Amir

  Hi!
  Thank you very much for your reply.
  I know about the S model - as per my post - but unfortunately I have realized after making the purchase.
  Can you please help me with the following issue: my unit is not able to boot from FTP, even if I follow up the CISCO official documentation for that version (I issue all the commands as in the manual). More than that, if I setup the Primary Boot Configuration and then I want to check it up there is nothing in that field. The Secondary Boot Configuration keeps its settings and after the Primary failure it will try the Network Booting but with Failed status - returning me to the OffDM.
  I mention that I am using the OffDM because the unit I bought has no Flash Card.
  Also I am not sure how can I have a "network mounted filesystem" and in the meantime to use the FTP protocol;  setting up a NFS server wont provide me with Windows style absolute path like k:/.... as per CISCO official guide. Is that a plain-ftp generically called as Network File System??? "First, create these subdirectories on the FTP server, then copy the files from the boot image to the subdirectories"
  Is this linked with the fact that I am using a Linux box for my FTP Server? Can you please help me to understand what the following line from CISCO official guide means "A network boot is not supported on UNIX workstations"
  Thank you!

• Cisco CSS 11500 and RDP

  Dear NetPros:
  Does anyone know that does Cisco CSS 11500 Series Content Services Switch support 'Session Caching of RDP Clients? session for roaming of disconnected sessions' features?
  Thanks
  Bernard

  The Cisco CSS 11500 is a compact modular platform, specifically designed to provide robust Layer 4-7 traffic management services for e-business applications in Internet and intranet data centers.
  This URl should help you:
  http://www.cisco.com/en/US/netsol/ns340/ns394/ns50/ns254/networking_solutions_package.html

• Nortel (Alteon) ISD SSL Accelerators

  Hi everybody. Just wondering if somebody can share their experience
  configuring a pair of Nortel (Alteon) Load Balancers and ISD SSL
  Accelerators to work with WLS 6.1 SP1.
  According to the Nortel Systems Engineer, in order to off-load the HTTPS
  traffic to the accelerator, I need to create two listeners for clear traffic
  and another listener for SSL traffic. The first clear listener is used for
  normal HTTP traffic. In that situation, the browser sends up normal HTTP to
  the load balancer. The load balancer routes the HTTP traffic to WLS.
  In the case of HTTPS traffic, the load balancer sends the HTTPS traffic to
  the ISD. The ISD performs the SSL handshake, the decryption, etc. Once the
  traffic is in the clear, the ISD sends the (clear) traffic back to the load
  balancer which then forwards the (clear) request to the second (clear)
  listener. This apparently is needed so that (1) the WLS instance gets to
  process clear traffic and (2) when it replies, the load balancer knows that
  to send the clear response to the ISD for encryption.
  I was wondering if that is how you set up your environment.
  Thanks.
  Bernie
  978-513-6155 (w)

  Hi everybody. Just wondering if somebody can share their experience
  configuring a pair of Nortel (Alteon) Load Balancers and ISD SSL
  Accelerators to work with WLS 6.1 SP1.
  According to the Nortel Systems Engineer, in order to off-load the HTTPS
  traffic to the accelerator, I need to create two listeners for clear traffic
  and another listener for SSL traffic. The first clear listener is used for
  normal HTTP traffic. In that situation, the browser sends up normal HTTP to
  the load balancer. The load balancer routes the HTTP traffic to WLS.
  In the case of HTTPS traffic, the load balancer sends the HTTPS traffic to
  the ISD. The ISD performs the SSL handshake, the decryption, etc. Once the
  traffic is in the clear, the ISD sends the (clear) traffic back to the load
  balancer which then forwards the (clear) request to the second (clear)
  listener. This apparently is needed so that (1) the WLS instance gets to
  process clear traffic and (2) when it replies, the load balancer knows that
  to send the clear response to the ISD for encryption.
  I was wondering if that is how you set up your environment.
  Thanks.
  Bernie
  978-513-6155 (w)

• Adding a Cisco CSS to MARS

  Has anyone added a Cisco CSS to MARS as a reporting device?
  If so what did you select as your "device type."?
  And did you create custom parsers?

  I have a CSS in MARS but its listed as a generic router. The logs dont get parsed but I have some alerts setup for specific messages.

• Cisco CSS and ACE study guide

  Hi,
  Im ready to kick start Cisco CSS and ACE load balancers. I found that 642-972 DCASD and 642-975 DCASI are the relevant exams for that. But, they are expired now. And, I couldn't even find the old materials for those. Could you please anyone assist me in getting started with this?

  Hi Kanwal,
  Thanks for your reply. BTW, wasn't there any specific study guides for 642-972 DCASD and 642-975 DCASI from Cisco? The reason behind this question is, I want to go step by step starting from how load balancing works, the basics and terminologies of load balancing and its various options and operations etc. I have been working with Network Security and just stepping in to DC operations.

• Difference between Source & DESTINATION GROUP RULE in Cisco CSS

  Hello All,
  I am newbie for CSS. I know how flow works for normal CSS request without group rule. But whenever it comes to group rule I am pretty much
  confuse about following:
  - When we use source group rule & when we use destination group rule ?
  - What is difference between them ?
  - How the flow of data works in both of them?
  Any help or explanation would be appreciated.
  Thanks in advance,
  Me too

  the group rule determines in which direction you will do nat . consider
  group USHA
    vip address 10.86.178.244
    add service Ushatest
    active
  add service says that if the server we defined with service Ushatest initiates a connection outbound through the CSS we will source nat the server address to 10.86.178.244
  now consider
  group DOT005
    add destination service dot008
    add destination service dot014
    vip address 10.86.178.5
  we are saying that when a client hits a content rule to get loadbalanced to one of the services we will nat the client address to 10.86.178.5
  in both cases nat is overloaded (pat) so many connections can be natted to the same address.
  In the case where you have a content rule that loadbalances to a server and that server does not use the CSS as its default gateway w would use add destination service to get the return traffic back to the CSS.
  In the case where a server is initiating the connection and we want to hide the server address we would use add service.

• How to reset password on Cisco CSS 11501?

  Hi,
  I have changed the password for the Admin user (which was SuperUser) but when I changed it I forgot to add "SuperUser" at the end, now I don't have SuperUser access to the CSS 11501.
  Can anyone shade some light on this problem and explain how can I reset the password for a SuperUser?
  Thanks in Advance,
  Shai

  Hi Shai,
  You need to reboot the CSS. When prompt, hit any key to go into the Offline Diagnostic Menu.
  When you get in the menu, you will go to Administrative options and create an additional Admin user. When you do this, DO NOT use "admin", use something totally different.
  Get out of the Offline DM and reboot the CSS. When the CSS comes up, login as the new user (which will have Superuser rights) and run the "username" cli to change the password of "admin" and add the superuser part this time.
  Regards
  Pete Knoops
  Cisco Systems