CSS 11503 basic setup, help needed.

I am trying to set up a CSS11503 for some simple load balancing of 4 web servers. I'm not sure if I am looking at the wrong Cisco documentation, but I can't seem to find a tutorial that outlines the beginning-to-end process. Is there such a document out there? If so, I would greatly appreciate it if someone could point me to it. As an idea of what I am trying to do: 4 web servers (http and https) on non-consecutive IPs, all load balanced from one VIP.

Thanks for your help and time.

Josh

Reply to
Josh Ozura

create four services

Service webserver1 IP address x.x.x.x

Do this for all four webservers

Then create 2 rules, one for port 80 and one for port 443

Owner Webservers

Rule xxxxxxxxx ip address x.x.x.x (ip address for the outside) port 443 bla bla (see Cisco docs for options..) add service webserver1 add service webserver2 add service webserver3 add service webserver4

Rule xxxxxxxxx ip address x.x.x.x (ip address for the outside) port 80 bla bla add service webserver1 ... ...

Also use sticky parameters if you use transaction servers..

good luck..

"Josh Ozura" wrote in message news: snipped-for-privacy@f14g2000cwb.googlegroups.com...

Reply to
Eddie

This is what I have as the config:

!Generated on 05/09/2005 17:37:00
!Active version: sg0750004

configure

!************************** CIRCUIT **************************
circuit VLAN1
  ip address xxx.xxx.204.253 255.255.255.0
  ip address xxx.xxx.205.253 255.255.255.0
  ip address xxx.xxx.206.253 255.255.255.0
  ip address xxx.xxx.207.253 255.255.255.0

!************************** SERVICE **************************
service web1
  ip address xxx.xxx.204.130
  active

service web2
  ip address xxx.xxx.204.131
  active

service web3
  ip address xxx.xxx.204.150
  active

service web4
  ip address xxx.xxx.204.151
  active

!*************************** OWNER ***************************
owner webservers

  content web_http
    protocol tcp
    vip address xxx.xxx.204.250
    port 80
    balance leastconn
    add service web1
    add service web2
    active

  content web_https
    protocol tcp
    vip address xxx.xxx.204.250
    port 443

When I try to go to xxx.xxx.204.250, it returns a connection timed out error. I can ping the IP address on the switch and I can ping my IP from the switch, but I cannot connect via http. Any thoughts?

Thanks.

Reply to
Josh Ozura

I think you need to apply your circuit to an acl.

acl 1 clause 10 permit any any destination any apply circuit-(VLAN1)

You can try the above; this will let through all traffic. If that works, modify the ACL to only permit ports 80 and 443.

"Josh Ozura" wrote in message news: snipped-for-privacy@f14g2000cwb.googlegroups.com...

Reply to
Eddie

I added the ACL 1 entry as recommended and still nothing. I even removed service web2 from the port 80 rule to try and just send it to one server I knew was up, and yet nothing. I have read and reread the docs but something just isn't correct. *pulls out hair* I will sleep on it and see if I can figure out something tomorrow. Thanks for the help guys.

Reply to
Josh Ozura

Here is what I have now. I am not so much worried about load balancing as I can't even get anything returned. All 3 parties can ping each other but still no joy. The CSS seems to be upping its counter every time I try to connect to the VIP with a web browser, but it still times out. Just to clarify: the client makes a request to the VIP, the CSS then sends a request to the web server, and when content is returned, it sends it to the client. Is that how I have it set up?

!Generated on 05/11/2005 16:04:51
!Active version: sg0750004

configure

!*************************** GLOBAL ***************************
ip route 0.0.0.0 0.0.0.0 xxx.xxx.204.1 1

!************************** CIRCUIT **************************
circuit VLAN1
  ip address xxx.xxx.204.253 255.255.255.0

!************************** SERVICE **************************
service web1
  ip address xxx.xxx.204.130
  active

service web2
  ip address xxx.xxx.204.131
  active

service web3
  ip address xxx.xxx.204.150
  active

service web4
  ip address xxx.xxx.204.151
  active

!*************************** OWNER ***************************
owner webservers

  content web_http
    protocol tcp
    vip address xxx.xxx.204.250
    port 80
    balance leastconn
    add service web1
    active

  content web_https
    protocol tcp
    vip address xxx.xxx.204.250
    port 443
    add service web1
    add service web2
    active

!**************************** ACL ****************************
acl 1
  clause 10 permit any any destination any
  apply circuit-(VLAN1)

Reply to
Josh Ozura
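A small checker for flat CSS listings like the ones posted in this thread, added here as an example (not part of the thread and not a Cisco tool): it walks the config block by block and reports content rules that are not active, rules that add a service which is missing or not active, and, following Eddie's ACL advice, circuits with no ACL applied once any ACL exists. The config text and addresses below are constructed, and the parser assumes the plain `show running-config` layout seen above.

```python
# Constructed CSS-style listing modelled on the configs posted in this thread (addresses made
# up). web2 is never activated, web_https lacks "active", and acl 1 is applied to no circuit.
SAMPLE = """circuit VLAN1
ip address 10.0.204.253 255.255.255.0
service web1
ip address 10.0.204.130
active
service web2
ip address 10.0.204.131
owner webservers
content web_http
vip address 10.0.204.250
port 80
add service web1
active
content web_https
vip address 10.0.204.250
port 443
add service web2
acl 1
clause 10 permit any any destination any
"""

def check_css_config(text):
    # Walk the flat listing, remembering which circuit/service/content/acl block is open.
    blocks = {"circuit": {}, "service": {}, "content": {}, "acl": {}}   # kind -> name -> state
    applied, kind, name = set(), None, None
    for w in (line.split() for line in text.splitlines()):
        if not w or w[0].startswith("!") or w[0] in ("configure", "owner"):
            continue
        if w[0] in blocks and len(w) > 1:                       # a new block opens
            kind, name = w[0], w[1]
            blocks[kind][name] = {"active": False, "services": []}
        elif kind == "acl" and w[0] == "apply":                 # "apply circuit-(VLAN1)"
            applied.add(w[1][len("circuit-("):].rstrip(")"))
        elif kind == "content" and w[:2] == ["add", "service"]:
            blocks[kind][name]["services"].append(w[2])
        elif w[0] == "active" and kind in ("service", "content"):
            blocks[kind][name]["active"] = True
    findings = []
    for rule, r in blocks["content"].items():
        if not r["active"]:
            findings.append(f"content {rule}: rule is not active")
        for s in r["services"]:
            if not blocks["service"].get(s, {}).get("active"):
                findings.append(f"content {rule}: service {s} is missing or not active")
    # Eddie's point above (a CSS rule): once ACLs exist, a circuit with none applied passes nothing.
    for c in sorted(set(blocks["circuit"]) - applied) if blocks["acl"] else []:
        findings.append(f"circuit {c}: ACL configured but not applied to this circuit")
    return findings
```

Running `check_css_config(SAMPLE)` returns three findings; appending `apply circuit-(VLAN1)` to the listing clears the circuit one.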

Josh

I see you use only 1 VLAN..

I think you have to create a different VLAN for your web servers' front end.

So add a new Circuit.

Circuit VLAN 2

and assign a VLAN 2 address to your Web Server Services. (and of course your servers)

"Josh Ozura" wrote in message news: snipped-for-privacy@g49g2000cwa.googlegroups.com...

Reply to
Eddie

Ok, so here is my current configuration.

!Generated on 05/13/2005 16:04:24
!Active version: sg0750004

configure

!*************************** GLOBAL ***************************
cdp run
cdp timer 120
sntp primary-server xxx.xxx.207.100 version 3
dns primary xxx.xxx.204.16
ip management route xxx.xxx.207.0 255.255.255.0 xxx.xxx.154.209
ip route 0.0.0.0 0.0.0.0 xxx.xxx.204.1 1

!************************* INTERFACE *************************
interface 1/1
  trunk
  vlan 1
    default-vlan

!************************** CIRCUIT **************************
circuit VLAN1
  ip address xxx.xxx.204.253 255.255.255.0
    ip virtual-router 1 priority 200 preempt
    ip redundant-vip 1 xxx.xxx.204.250

!************************** SERVICE **************************
service server1
  ip address xxx.xxx.204.100
  active

!*************************** OWNER ***************************
owner webservers

  content L3_webservers_LC
    add service server1
    vip address xxx.xxx.204.250
    active

!**************************** ACL ****************************
acl 1
  clause 10 permit any any destination any
  apply circuit-(VLAN1)

It still wasn't working, but it looked like it should based on the docs I have been reading from Cisco. The counters indicating rule hits were working, but still nothing. I turned on debug for everything and then issued a show log command. This is what I get when I try to hit the VIP:

MAY 16 09:52:15 1/1 160 FLOWMGR-7: DoS SYN attack: xxx.xxx.207.83:2366->xxx.xxx.204.250:80 synCnt: 3, initSeq: 79126084

Any ideas on why it thinks I am trying to start a DoS attack?

Reply to
Josh Ozura

OK, I added the following content rule:

content L5_test
  vip address xxx.xxx.204.250
  protocol tcp
  port 80
  url "/*"
  add service server1
  active

then tried a connection and got the following from the log:

MAY 16 14:16:37 1/1 225 FLOWMGR-7: While spoofing a connection backend, too many SYNs had to be sent to the server. xxx.xxx.204.100:80->xxx.xxx.207.83:2907

Reply to
Josh Ozura

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.