Solved

Cisco CSS

Posted on 2010-11-09
Last Modified: 2012-06-27

A question to load balancer experts:
 
I just got hired by a new company and, besides the fact that I said I had no knowledge of or experience with traffic balancers, I got hired, and here I am with the first load balancing question :)

We currently have a CSS operating in an in-line style. There are two CSSs; one is a backup device. The problem is that we have a requirement to log and not filter the clients' source IP addresses. In other words, when the client's request hits the server, the server must be aware of the client's IP address, not the internal IP address of the CSS.

There is not much information about this, I just found some reference about doing source nat.

Can anyone tell me how, and what the best way is, to accomplish having the IP addresses of the clients not filtered by the CSS? In addition to a partial configuration, I'm also posting a quick network map.

net-dmz-lb1# sh runn
!Generated on 11/09/2010 10:08:34
!Active version: sg0820001

configure


!*************************** GLOBAL ***********************
  no restrict web-mgmt
  bridge spanning-tree disabled

  snmp trap-type enterprise

  snmp community fyreTDMZ read-only
  snmp location "California"
  snmp name "net-dmz-lb1"
  snmp trap-host 204.9.236.26 SpecialDMZ snmpv2
  snmp trap-type enterprise dos-illegal-attack trap-thresho
  snmp trap-type enterprise dos-land-attack trap-threshold
  snmp trap-type enterprise dos-smurf-attack trap-threshold
  snmp trap-type enterprise dos-syn-attack trap-threshold 1
  snmp trap-host 192.168.40.33 SpecialTDMZ snmpv2

  logging host 192.168.40.24 facility 6 log-level debug-7

  dns primary 4.2.2.1
  dns secondary 4.2.2.2

  host NET-DMZ-LB1 192.168.40.141

  ftp-record DEFAULT_FTP 192.168.40.160 lhernandez des-pass
 .

  ip route 0.0.0.0 0.0.0.0 192.168.40.1 1

!************************* INTERFACE **********************
interface  1/1
  bridge vlan 4

interface  1/2
  isc-port-one

!************************** CIRCUIT ***********************
circuit VLAN4

  ip address 192.168.40.141 255.255.255.0
    ip virtual-router 141 priority 90
    ip virtual-router 143 priority 110 preempt
    ip redundant-vip 141 192.168.40.142
    ip redundant-vip 143 192.168.40.144
    ip redundant-vip 143 192.168.40.153
    ip redundant-vip 141 192.168.40.152

!************************** SERVICE ***********************
service ab-app1
  redundant-index 135
  protocol tcp
  ip address 192.168.40.135
  keepalive port 80
  keepalive type tcp
  active

service ab-app2
  redundant-index 136
  protocol tcp
  ip address 192.168.40.136
  keepalive uri "http://192.168.40.136"
  keepalive port 80
  keepalive type tcp
  active

service cw-api1
  ip address 192.168.40.150
  redundant-index 150
  protocol tcp
  keepalive type tcp
  keepalive port 8181
  active

service cw-api2
  ip address 192.168.40.151
  redundant-index 151
  protocol tcp
  keepalive type tcp
  keepalive port 8181
  active

!*************************** OWNER ************************
owner SpecialLLC

  content ab-app
    vip address 192.168.40.144
    add service ab-app1
    add service ab-app2
    active

  content cw-api
    vip address 192.168.40.153
    param-bypass enable
    add service cw-api1
    add service cw-api2
    balance srcip
    protocol tcp
    active

!*************************** GROUP ************************
group ab-app
  vip address 192.168.40.144
  add destination service ab-app1
  add destination service ab-app2
  active

group cw-api
  vip address 192.168.40.153
  add destination service cw-api1
  add destination service cw-api2
  active


Any replies are appreciated.

 

CSS-Network.png
Question by:superittek

Expert Comment

by:shawntsi
The group rules are performing NAT for the clients when they go through the LB. If you suspend the group rules, the content rules will continue to function but you'll see the client's real source IP at the server instead of the VIP address.
Expert Comment

by:shawntsi
I forgot to mention that any clients in the same network (192.168.40.0/24) will not be able to access the VIPs if the group rules are suspended.
Author Comment

by:superittek
Shawntsi, thanks for your help. I do have a question in regards to the solution. Do I have to change the default gateway of the servers from the Cisco ASA to the Cisco CSS?  

Also, forgive my lack of knowledge, but these servers are in production and I need to be 100% positive of the commands to type. In the above partial configuration, what would be the command to suspend the group rules?

Thanks again for your help.
Expert Comment

by:shawntsi
Can you do a 'show arp' and paste the results?

Author Comment

by:superittek
Here is a partial output of the show arp on the Cisco CSS.

CSS11503# sh arp
ARP Resolution Table:

IP Address      MAC Address       Type    Port
192.168.40.1    00-**-18-5a-af-41 dynamic  1/1
192.168.40.135  00-**-17-48-ad-64 dynamic  1/1
192.168.40.136  00-**-17-48-b0-9e dynamic  1/1
192.168.40.141  00-**-fd-36-51-11 dynamic  1/1
192.168.40.145  00-**-17-51-34-2c dynamic  1/1
192.168.40.146  00-**-17-4a-55-8c dynamic  1/1
192.168.40.150  00-**-17-48-af-78 dynamic  1/1
192.168.40.151  00-**-17-48-b0-d2 dynamic  1/1
192.168.40.183  00-**-17-51-34-2c dynamic  1/1


I really appreciate your help.
Expert Comment

by:shawntsi
I'm sorry, but I have to retract my first post; I should have asked this earlier.

The ARP entries for your gateway and servers are on the same interface (1/1). This means the CSS is running in one-armed mode and the group rules are needed.

When the client sends a request to the VIP, the VIP sources traffic to the servers as its own address instead of the client. This forces the return traffic from the server to go through the CSS instead of straight back to the client.  I don't think you'll be able to disable source NAT with the current configuration.





Author Comment

by:superittek
So, I will need to have an in-line style instead of the one-armed style. Right?  In addition, I will need to change the servers gateway to the Cisco CSS device. The configuration would be similar to this example by Cisco:

http://www.cisco.com/en/US/products/hw/contnetw/ps792/products_configuration_example09186a0080228179.shtml

Again, thanks very much for your guidance and help.
Accepted Solution

by:shawntsi (earned 500 total points)
Hi Superittek,

Yes, you'll need to have an in-line setup to get rid of the source NAT. The configuration example has the LB in routed mode, and you'd use the LB as the gateway for your servers in that setup. You can also deploy them in-line in bridged mode and use the ASA as the gateway for your servers.

You'll need more interfaces to deploy them in in-line mode. We usually use the 8FE cards (CSS5-IOM-8FE) on HA 11503s, using the 2 GB interfaces for traffic and the FE interfaces for communication between the CSSs.
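To make the routing argument in this answer concrete, here is a small Python model (added here; it is not from the thread or from Cisco) of where a server's reply goes in each topology and whether the server ever sees the real client address. It uses the addresses from the question's configuration; the back-end subnet 10.20.30.0/24 and the CSS back-end address 10.20.30.1 used for the in-line routed case are assumed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Addresses taken from the question's configuration.
CSS_FRONT = "192.168.40.141"    # circuit VLAN4 address of the CSS
GROUP_VIP = "192.168.40.144"    # group rule VIP the CSS sources traffic from
ASA_GATEWAY = "192.168.40.1"    # servers' default gateway in one-armed mode


@dataclass(frozen=True)
class Topology:
    server_subnet: str        # subnet the real servers live on
    server_gateway: str       # default gateway configured on the servers
    css_addresses: frozenset  # every address the CSS answers for


# One-armed: CSS, servers and ASA all share 192.168.40.0/24 (as the 'sh arp' output shows).
ONE_ARMED = Topology("192.168.40.0/24", ASA_GATEWAY, frozenset({CSS_FRONT, GROUP_VIP}))
# In-line routed: servers sit behind the CSS on an assumed back-end subnet; the CSS is their gateway.
INLINE_ROUTED = Topology("10.20.30.0/24", "10.20.30.1",
                         frozenset({CSS_FRONT, GROUP_VIP, "10.20.30.1"}))


def reply_next_hop(topo, reply_dst):
    """A server delivers on-subnet addresses directly and sends everything else to its gateway."""
    if ip_address(reply_dst) in ip_network(topo.server_subnet):
        return reply_dst
    return topo.server_gateway


def evaluate(topo, client_ip, source_nat):
    """Return (server_sees_real_client_ip, reply_passes_through_css).

    With the group rule active the CSS source-NATs to GROUP_VIP, so the server replies to
    the CSS.  Without it the server replies toward the client, and the flow only survives
    if that reply is routed back through the CSS, which rewrites the source back to the VIP.
    """
    source_on_wire = GROUP_VIP if source_nat else client_ip
    hop = reply_next_hop(topo, source_on_wire)
    return (not source_nat, hop in topo.css_addresses)


if __name__ == "__main__":
    cases = [  # constructed client addresses: one off-subnet, one on 192.168.40.0/24
        ("one-armed, group rule active", ONE_ARMED, "203.0.113.10", True),
        ("one-armed, group rule suspended", ONE_ARMED, "203.0.113.10", False),
        ("one-armed, suspended, local client", ONE_ARMED, "192.168.40.60", False),
        ("in-line routed, no source NAT", INLINE_ROUTED, "203.0.113.10", False),
        ("in-line routed, no source NAT, local client", INLINE_ROUTED, "192.168.40.60", False),
    ]
    for label, topo, client, snat in cases:
        sees_client, symmetric = evaluate(topo, client, snat)
        verdict = "OK" if symmetric else "BROKEN: reply bypasses the CSS"
        print(f"{label:45} server sees client IP={sees_client!s:5} {verdict}")
```

The second and third cases are the two failure modes shawntsi describes: suspending the group rule exposes the client address, but in one-armed mode the reply then goes to the ASA (or straight to a same-subnet client) instead of back through the CSS.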