CSS 11501

Or do I assign one more port per VLAN and connect the CSS between the Firewall and Switch?

If you will make sure return traffic hits CSS - why not? You can either change default gateway on srv4 and 5 to point to 172.16.2.3 or do full NAT on CSS and translate source IPs to 172.16.2.3.

Or you can do that :-)

Load balancers are first and foremost NAT device. You have to figure out what mode do you want to use - bridged (transparent) or routed, how traffic gets from client to VIP, how traffic gets from VIP to the real server, how return traffic gets back to load balancer (unless you are doing direct server return), and last leg - from LB back to client.

Chances are you will be doing destination NAT - changing destination IP from VIP to real server IP. You may need to change source if LB is not in the direct path of return traffic. Everything else is just bells and whistles :-)

Regards, Andrey.

Hi Andrey, How are the two modes, bridged vs routed, different? How do you configure the modes?

Here's my physical diagram:

And my latest config:

!**************** INTERFACE **** interface e1 bridge vlan 2

interface e2 bridge vlan 3

interface e5 bridge vlan 2

interface e6 bridge vlan 3

!**************** CIRCUIT **** circuit VLAN2 ip address 172.16.2.3 255.255.255.0

circuit VLAN3 ip address 172.16.3.3 255.255.255.0

!**************** SERVICE **** service srv4 ip address 172.16.2.21 keepalive type tcp keepalive port 80 active service srv5 ip address 172.16.2.22 keepalive type tcp keepalive port 80 active

!***************** OWNER ***** owner vlan2_servers

content app1 vip address 172.16.2.100 add service srv4 add service srv5 balance leastconn port 80 protocol tcp active

(eof)

Interestingly enough, with this setup, without using any VIP addresses, only existing IPs of the servers, I'm able to connect to servers in VLAN3 from outside, but not from servers on VLAN2. However, I'm able to ping servers on VLAN3 from servers on VLAN2. Servers on VLAN2 have

172.16.2.1 as their gateway and servers on VLAN3 have 172.16.3.1 as theirs. What kind of NATing is the CSS doing at this point? What mode is it in? I was under the impression that in the current setup, the CSS would only work as a LAN switch, not NATing anything. I guess I don't have a fundamental understanding of how this device actually works :(

Thanks, Paul

Is this CSS trying to route between 172.16.2.0 and 172.16.3.0? That is not my intention. The firewall is set up to do this, including appropriate ACLs, etc. Can I just have the CSS pass traffic to the firewall without messing with it? My only intention is to have the CSS balance two servers on each subnet for connections from outside, but do not interfere with any traffic between the internal subnets. Is that possible?

Here is whitepaper with overview of CSS architecture -

Given your requirements, you will have to use one-armed mode (by the way, no bridged mode on this box, I mixed it with ACE). Here is the example (just ignore redundancy stuff)

I couldn't find configuration example for full NAT, so it's quite possible that CSS doesn't do that. You will have to use CSS as default gateway for your servers in that case. Also, since CSS doesn't support contexts, you will need two boxes - one for each VLAN to keep traffic separated.

Regards, Andrey.

You are better off using a 2 armed mode with VIP's in the long run. Full NAT as you are calling it is achieved by using source groups- =20

-

>

I'm pretty sure CSS and "in the long run" can't be used in the same sentence :-)

Not really. Source groups do NAT for connections initiated by servers. Full NAT is when client source IPs are translated into IP owned by load balancer.

Regards, Andrey.