Tek-Tips is the largest IT community on the Internet today!


CSS 11503 Setup Question Basic


intelwizrd

IS-IT--Management
Dec 20, 2002
I just got a CSS 11503 switch for load balancing some web servers and other services. I am having some trouble setting it up. Cisco's documentation doesn't flow through the process well and seems to be more of a reference than a how-to type manual. Can anyone point me in the right direction or send me the config I need? This is what I am trying to do:

4 webservers running HTTP and HTTPS
want to load balance all 4 web servers from 1 VIP

Switch is connected via gbic link to c3548XL. No servers are plugged into the switch.

Current server IPs are xxx.xxx.xxx.130, xxx.xxx.xxx.140, xxx.xxx.xxx.150, xxx.xxx.xxx.160. I want to use xxx.xxx.xxx.250 as the VIP.

Thanks for your help

----------------------------
Josh
CCNA, MCSE 2003(in progress)
 
This is the config that I have so far. I still can't get it to work. I can ping the VIP, and every time I try to open a connection to it via a web browser the CSS seems to bump its counter, but the connection still times out and nothing is returned.

I am not on the same subnet as the web server or the switch's VLAN1 IP. The switch is connected via a GBIC link to a c3548XL. It also has other c3548XL switches connected via GBIC links. There is only one VLAN on any of the switches and all ports are members.

Any Ideas? I'm not sure what to try next.

!Generated on 05/11/2005 16:04:51
!Active version: sg0750004
configure

!*************************** GLOBAL ***************************
ip route 0.0.0.0 0.0.0.0 xxx.xxx.204.1 1

!************************** CIRCUIT **************************
circuit VLAN1
  ip address xxx.xxx.204.253 255.255.255.0

!************************** SERVICE **************************
service web1
  ip address xxx.xxx.204.130
  active
service web2
  ip address xxx.xxx.204.131
  active
service web3
  ip address xxx.xxx.204.150
  active
service web4
  ip address xxx.xxx.204.151
  active

!*************************** OWNER ***************************
owner webservers
  content web_http
    protocol tcp
    vip address xxx.xxx.204.250
    port 80
    balance leastconn
    add service web1
    active
  content web_https
    protocol tcp
    vip address xxx.xxx.204.250
    port 443
    add service web1
    add service web2
    active

!**************************** ACL ****************************
acl 1
  clause 10 permit any any destination any
  apply circuit-(VLAN1)

----------------------------
Josh
CCNA, MCSE 2003(in progress)
 
First, I would recommend that you do not run the CSS in a bridged configuration, as there are performance problems, failover issues and other bugs found while.
Second, I would recommend having the servers on a different subnet than that of the Virtual IP. The reason being that the servers will not be able to access the Virtual IP without source NATting.

1. Make sure that your default gateway is that of your router, "x.x.204.1"

2a. If you have 2 CSSs with the same config up and running, I would recommend you turn off CSS #2 for the purposes of your test.

2b. A pair of CSSs running bridged as a redundant configuration will cause loops in the network.
i.e.:
Traffic will flow through the "Master" CSS (primary) and the response from the server may go back via the "Backup" CSS (secondary). As the CSS is a stateful device, this will cause asymmetric routing in the network.

Try the above and let me know.

WarpZero Technologies
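As an added illustration of the routed layout Mike recommends above (example config written for this page, not anything posted in the thread): the servers move to a private VLAN behind the CSS and use the CSS as their default gateway, so every reply has to pass back through the load balancer, and only the VIP lives on the public /24. The private addresses, VLAN 2, the service and rule names and the keepalive settings are assumptions; the public addresses follow the thread's masked xxx.xxx.204.x notation.

```text
! Added example, not from the thread. Routed (two-VLAN) CSS 11503 layout:
!   VLAN1 = public side  (PIX at .1, CSS circuit at .253, VIP at .250)
!   VLAN2 = private server side; the CSS address on VLAN2 is the servers'
!           default gateway, so server replies always cross the CSS.
! Private addresses, VLAN numbers, names and keepalive settings are assumed.

!*************************** GLOBAL ***************************
ip route 0.0.0.0 0.0.0.0 xxx.xxx.204.1 1

!************************* INTERFACE *************************
! 1/1 uplinks to the c3548XL / PIX side, 1/2 goes to the server switch
interface 1/1
  bridge vlan 1
interface 1/2
  bridge vlan 2

!************************** CIRCUIT **************************
circuit VLAN1
  ip address xxx.xxx.204.253 255.255.255.0
circuit VLAN2
  ip address 10.10.2.1 255.255.255.0

!************************** SERVICE **************************
! No "port" on the service, so one service per server can sit behind both
! the port 80 and the port 443 rule without the CSS rewriting the port.
! The keepalive fetches / over HTTP (default port 80); if that dies the
! server is pulled from both rules, which is the intended fail-closed result.
service web1
  ip address 10.10.2.11
  keepalive type http
  keepalive uri "/"
  active
service web2
  ip address 10.10.2.12
  keepalive type http
  keepalive uri "/"
  active
service web3
  ip address 10.10.2.13
  keepalive type http
  keepalive uri "/"
  active
service web4
  ip address 10.10.2.14
  keepalive type http
  keepalive uri "/"
  active

!*************************** OWNER ***************************
owner webservers
  content web_http
    vip address xxx.xxx.204.250
    protocol tcp
    port 80
    url "/*"
    balance leastconn
    add service web1
    add service web2
    add service web3
    add service web4
    active
  content web_https
    vip address xxx.xxx.204.250
    protocol tcp
    port 443
    ! TLS is passed through untouched, so the CSS sees no cookies or URLs;
    ! pin a client to one server by source address so sessions survive.
    advanced-balance sticky-srcip
    add service web1
    add service web2
    add service web3
    add service web4
    active
```

The security point of the split is that the servers are no longer directly addressable from the public side: nothing outside can reach 10.10.2.x except by way of a content rule, and the PIX only has to know about the VIP and the CSS's VLAN1 address.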
 
I tried changing the VIP to a different subnet but still no joy. I guess there are other things I need to change. The switch is connected as follows:

c3548XL
|
(GBIC)
|
c3548XL---(GBIC)---CSS11503
|
(GBIC)
|
c3548XL

The servers are connected to the various c3548XL switches, as are the Ethernet links to the PIX. I was told by a Cisco rep that this config would work, and it seems to, as I can ping the VIPs and such.


There is only one CSS at the moment, we will probably be getting another for a hot spare config later. The basic concept I am trying to work out is as follows.
4 web servers
1 VIP on the CSS
traffic directed to the VIP via a DNS entry for the domain name.
CSS is loadbalancer for the 4 web servers.

All servers have public IP's (no private addresses in use for these servers)

xxx.xxx.204.1 is a gateway on the PIX. I would like to keep the VIP on the same subnet if possible, as that is the subnet I use for web servers. The servers in question can ping the VIP and the IP on the VLAN1 circuit.

I would think that this is fairly straightforward, but for some reason I am baffled. Thanks for your help.

----------------------------
Josh
CCNA, MCSE 2003(in progress)
 
One thing that I overlooked was the floating VIP address, as it was not added to the circuit. Add the below to the circuit:

circuit VLAN1
  ip address xxx.xxx.204.253 255.255.255.0
  ip virtual-router 1 priority 200 preempt
  ip redundant-vip 1 xxx.xxx.204.250

Mike
WarpZero Technologies
 
warpzero,

Am I correct in assuming that you are using/have used a CSS 11503 switch before? I have tried everything that I can think of. I added the virtual router as you suggested and still nothing. I have gone through all of the documentation that I can find on Cisco's website. I just want to start off with a simple IP load balance and work up from there (i.e. client types in VIP, receives content). I don't understand what is so complicated about it. I guess the only thing that I can think of is that there are no FastEthernet ports on this switch. As I said before, I was told by a Cisco rep that the switch could be "one-armed" into the network. I can ping the VIP and server IPs, the switch can ping my IP and the server IP, and the server can ping the VIP and my IP.

Do you think that Cisco would be able/willing to help me out if I had a SmartNet contract? This shouldn't be so complicated.

This is where I am now after stripping out some things and blowing away the config a few times:

!Generated on 05/13/2005 16:04:24
!Active version: sg0750004
configure

!*************************** GLOBAL ***************************
cdp run
cdp timer 120
sntp primary-server xxx.xxx.207.100 version 3
dns primary xxx.xxx.204.16
ip management route xxx.xxx.207.0 255.255.255.0 xxx.xxx.154.209
ip route 0.0.0.0 0.0.0.0 xxx.xxx.204.1 1

!************************* INTERFACE *************************
interface 1/1
  trunk
    vlan 1
      default-vlan

!************************** CIRCUIT **************************
circuit VLAN1
  ip address xxx.xxx.204.253 255.255.255.0
  ip virtual-router 1 priority 200 preempt
  ip redundant-vip 1 xxx.xxx.204.250

!************************** SERVICE **************************
service server1
  ip address xxx.xxx.204.100
  active

!*************************** OWNER ***************************
owner webservers
  content L3_webservers_LC
    add service server1
    vip address xxx.xxx.204.250
    active

!**************************** ACL ****************************
acl 1
  clause 10 permit any any destination any
  apply circuit-(VLAN1)


If you know of anyone I could talk to I would greatly appreciate it. It has to be something small and stupid that I am missing. The switch says that the service is alive, and it increases its counters whenever I try to hit the VIP with a web browser, etc.

Thanks again.

----------------------------
Josh
CCNA, MCSE 2003(in progress)
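For the layout Josh actually has (one CSS port on the same VLAN as the servers and the PIX gateway, the "one-armed" design), here is an added example config written for this page; it is not Josh's config and not anything posted in the thread. In that layout a server's reply to a client is switched straight back to the client by the c3548XL and never crosses the CSS, because the servers' default gateway is the PIX, not the CSS. The usual CSS remedy is a source group that NATs the client source address to an address owned by the CSS, so that the server answers the load balancer. The NAT address .251, the keepalive settings and the rule names are assumptions; the four server addresses are the ones from the original question.

```text
! Added example, not the config posted in the thread. One-armed CSS 11503:
! the single GBIC link carries clients, servers and the PIX gateway on VLAN1.
! A source group makes the servers answer the CSS instead of the client.
! The NAT address .251, keepalive settings and names are assumed.

!*************************** GLOBAL ***************************
ip route 0.0.0.0 0.0.0.0 xxx.xxx.204.1 1

!************************* INTERFACE *************************
interface 1/1
  bridge vlan 1

!************************** CIRCUIT **************************
! A single CSS needs no ip virtual-router / ip redundant-vip; those lines set
! up VRRP for a redundant pair. The content rule's VIP is answered by ARP.
circuit VLAN1
  ip address xxx.xxx.204.253 255.255.255.0

!************************** SERVICE **************************
service web1
  ip address xxx.xxx.204.130
  keepalive type http
  keepalive uri "/"
  active
service web2
  ip address xxx.xxx.204.140
  keepalive type http
  keepalive uri "/"
  active
service web3
  ip address xxx.xxx.204.150
  keepalive type http
  keepalive uri "/"
  active
service web4
  ip address xxx.xxx.204.160
  keepalive type http
  keepalive uri "/"
  active

!*************************** OWNER ***************************
owner webservers
  content web_http
    vip address xxx.xxx.204.250
    protocol tcp
    port 80
    url "/*"
    balance leastconn
    add service web1
    add service web2
    add service web3
    add service web4
    active
  content web_https
    vip address xxx.xxx.204.250
    protocol tcp
    port 443
    advanced-balance sticky-srcip
    add service web1
    add service web2
    add service web3
    add service web4
    active

!*************************** GROUP ***************************
! Source NAT for server-bound flows: packets the CSS forwards to these four
! services leave with source xxx.xxx.204.251 (an address only the CSS answers),
! so the server's SYN-ACK and data come back to the CSS, which un-NATs them
! toward the client from the VIP. Without this the server replies straight to
! the client from its own address and the client discards the handshake.
group web_snat
  vip address xxx.xxx.204.251
  add destination service web1
  add destination service web2
  add destination service web3
  add destination service web4
  active
```

Two things to check after applying it: `show group` should show web_snat active with its four destination services, and the servers' own access logs will now record xxx.xxx.204.251 for every client, so client attribution for incident work has to come from the CSS side (its flow and access logging) rather than from the web servers.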
 
This might be interesting.

I just turned on logging for all at debug level, then issued the show log command to pipe logging to the console connection. I then tried to hit the VIP with a web browser and saw this message:

MAY 13 16:29:30 1/1 107 FLOWMGR-7:
DoS SYN attack: xxx.xxx.207.83:4802->xxx.xxx.204.250:80
synCnt: 2, initSeq: 2977222798

Why does it think I am trying to initiate a SYN attack?

----------------------------
Josh
CCNA, MCSE 2003(in progress)
 
OK, I added the following content rule:

content L5_test
  vip address xxx.xxx.204.250
  protocol tcp
  port 80
  url "/*"
  add service server1
  active

then tried a connection and got the following from the log:
MAY 16 14:16:37 1/1 225 FLOWMGR-7:
While spoofing a connection backend, too many SYNs had to be sent to the server.

xxx.xxx.204.100:80->xxx.xxx.207.83:2907

----------------------------
Josh
CCNA, MCSE 2003(in progress)
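Added example (written for this page, not from the thread): a small Python triage script for the FLOWMGR-7 debug messages Josh pasted in his last two posts. It treats each header line plus its wrapped continuation lines as one record, pulls out the flow tuple, and separates a flood from a single client whose connections never complete. The sample log is constructed from the two message shapes on this page, with RFC 5737 addresses standing in for the masked ones; reading `DoS SYN attack` as "client SYNs the CSS never saw complete" and the 50-client flood threshold are assumptions of this script, not documented CSS semantics.

```python
"""Triage for Cisco CSS FLOWMGR-7 debug messages. Added example, not from the thread."""
import re
from collections import defaultdict

# Header as pasted in the thread: "MAY 13 16:29:30 1/1 107 FLOWMGR-7:" (message wraps below it)
HEADER_RE = re.compile(
    r"^(?P<ts>[A-Z]{3} +\d+ \d\d:\d\d:\d\d) (?P<slot>\S+) (?P<seq>\d+) (?P<facility>FLOWMGR-\d):")
FLOW_RE = re.compile(
    r"(?P<sip>\d{1,3}(?:\.\d{1,3}){3}):(?P<sport>\d+)->(?P<dip>\d{1,3}(?:\.\d{1,3}){3}):(?P<dport>\d+)")
SYNCNT_RE = re.compile(r"synCnt:\s*(\d+)")

# Constructed sample built from the two message shapes on this page (not real log output).
SAMPLE_LOG = """\
MAY 13 16:29:30 1/1 107 FLOWMGR-7:
DoS SYN attack: 192.0.2.83:4802->203.0.113.250:80
synCnt: 2, initSeq: 2977222798
MAY 16 14:16:37 1/1 225 FLOWMGR-7:
While spoofing a connection backend, too many SYNs had to be sent to the server.

203.0.113.100:80->192.0.2.83:2907
MAY 16 14:16:40 1/1 226 FLOWMGR-7:
DoS SYN attack: 192.0.2.83:2908->203.0.113.250:80
synCnt: 3, initSeq: 2977300001
"""


def _finish(rec):
    """Classify one assembled record and extract its flow tuple."""
    body = rec["body"]
    fm = FLOW_RE.search(body)
    rec["flow"] = fm.groupdict() if fm else None
    if body.startswith("DoS SYN attack"):
        # client -> VIP: the CSS counted client SYNs but never completed the handshake (assumed reading)
        rec["kind"] = "client_syn_no_handshake"
        sc = SYNCNT_RE.search(body)
        rec["syn_count"] = int(sc.group(1)) if sc else None
    elif body.startswith("While spoofing a connection backend"):
        # server:port -> client:port: the CSS's back-end SYNs got no reply through the CSS
        rec["kind"] = "backend_syn_unanswered"
    else:
        rec["kind"] = "other"
    return rec


def parse_records(text):
    """Split a CSS debug log into records: a FLOWMGR header line plus any
    continuation lines up to the next header (the messages wrap onto new lines)."""
    records, current = [], None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            if current:
                records.append(_finish(current))
            current = {"ts": m.group("ts"), "facility": m.group("facility"),
                       "body": line[m.end():].strip()}
        elif current is not None and line.strip():
            current["body"] = (current["body"] + " " + line.strip()).strip()
    if current:
        records.append(_finish(current))
    return records


def summarize(records):
    """Per-client view: failed front-end handshakes, abandoned back-end attempts,
    and the VIPs and servers involved."""
    clients = defaultdict(lambda: {"frontend_failures": 0, "backend_failures": 0,
                                   "vips": set(), "servers": set()})
    for r in records:
        f = r["flow"]
        if not f:
            continue
        if r["kind"] == "client_syn_no_handshake":
            c = clients[f["sip"]]
            c["frontend_failures"] += 1
            c["vips"].add(f"{f['dip']}:{f['dport']}")
        elif r["kind"] == "backend_syn_unanswered":
            c = clients[f["dip"]]          # the destination of the spoofed tuple is the real client
            c["backend_failures"] += 1
            c["servers"].add(f"{f['sip']}:{f['sport']}")
    return dict(clients)


def diagnose(summary, flood_clients=50):
    """Crude triage. Many distinct clients that never complete a handshake looks like
    a flood; one client that also trips back-end SYN retries points at the return
    path (the server answering the client directly instead of via the CSS)."""
    if not summary:
        return "no FLOWMGR flow events"
    if len(summary) >= flood_clients:
        return "possible SYN flood: %d distinct clients" % len(summary)
    broken = sorted(ip for ip, s in summary.items()
                    if s["backend_failures"] and s["frontend_failures"])
    if broken:
        return "return-path problem for %s: back-end SYNs unanswered via the CSS" % ", ".join(broken)
    return "isolated handshake failures"


if __name__ == "__main__":
    print(diagnose(summarize(parse_records(SAMPLE_LOG))))
```

Feed it a saved `show log` capture instead of SAMPLE_LOG to use it on a real box. The distinction it draws is the one that matters operationally: a single source that trips both messages, with the back-end tuple showing the server talking to the client's port directly, is a forwarding-path symptom to fix in the design, whereas a large spread of sources is the case worth treating as an attack and rate-limiting at the PIX.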
 