
Cisco CSS11501 source groups and ACL

A few days ago I had to reconfigure a running CSS 11501 load balancer. In the existing configuration, traffic initiated from some services running in one VLAN towards any destination was source NAT-ed; I needed to change this to a selective NAT based on the destination IP address.
What I wanted to do is almost exactly what is described in this official Cisco document, with the differences that I had more destination IP addresses for my ACL-based source NAT, I had only 2 VLANs, and the IP addresses were different from those in the example given.
Below is an excerpt similar to my original configuration:
service SERV11
ip address 192.168.0.3
protocol tcp
keepalive type tcp
redundant-index 111
keepalive port 11501
active

service SERV12
ip address 192.168.0.4
protocol tcp
keepalive type tcp
redundant-index 112
keepalive port 11501
active

....

owner OWNER1

content SERV_BAL
vip address 10.0.0.1
add service SERV11
add service SERV12
redundant-index 11
balance leastconn
flow-reset-reject
flow-timeout-multiplier 20
active

....

group GROUP1
add service SERV11
add service SERV12
vip address 10.0.0.1
redundant-index 21
active
A subset of the IP addresses for which I wanted to bypass the source NAT, when the connection was initiated by the configured services (SERV11 and SERV12), were 10.0.0.11 and 10.0.0.12. So I wrote an ACL as the documentation recommends and applied it to the circuit VLAN of the configured services (VLAN 1), while on the other VLAN there was an ACL which allowed all traffic.
acl enable

....

acl 1
clause 5 bypass any 192.168.0.3 255.255.255.255 destination 10.0.0.11 255.255.255.255 
clause 10 bypass any 192.168.0.3 255.255.255.255 destination 10.0.0.12 255.255.255.255
clause 15 bypass any 192.168.0.4 255.255.255.255 destination 10.0.0.11 255.255.255.255 
clause 20 bypass any 192.168.0.4 255.255.255.255 destination 10.0.0.12 255.255.255.255
clause 101 permit any 192.168.0.3 255.255.255.255 destination any sourcegroup GROUP1
clause 102 permit any 192.168.0.4 255.255.255.255 destination any sourcegroup GROUP1
clause 254 permit any any destination any
apply circuit-(VLAN1)
However, checking on 10.0.0.11 and 10.0.0.12 for incoming sessions from SERV11 and SERV12, I could see that the source IP address was still NAT-ed (packets were arriving with 10.0.0.1 as the source IP address). There is a catch which for me was not obvious from the documentation (probably my non-native English contributed to that :) ). In order for the packets to arrive on 10.0.0.11 and 10.0.0.12 with their real IP address, and for the rest of the destinations to be NAT-ed, the services had to be removed from the source group; the sourcegroup keyword on clauses 101 and 102 then still NATs the remaining traffic. In the end, the desired configuration looked like below:
acl enable

....

service SERV11
ip address 192.168.0.3
protocol tcp
keepalive type tcp
redundant-index 111
keepalive port 11501
active

service SERV12
ip address 192.168.0.4
protocol tcp
keepalive type tcp
redundant-index 112
keepalive port 11501
active

....

owner OWNER1

content SERV_BAL
vip address 10.0.0.1
add service SERV11
add service SERV12
redundant-index 11
balance leastconn
flow-reset-reject
flow-timeout-multiplier 20
active

....

group GROUP1
vip address 10.0.0.1
redundant-index 21
active
....

acl 1
clause 5 bypass any 192.168.0.3 255.255.255.255 destination 10.0.0.11 255.255.255.255 
clause 10 bypass any 192.168.0.3 255.255.255.255 destination 10.0.0.12 255.255.255.255
clause 15 bypass any 192.168.0.4 255.255.255.255 destination 10.0.0.11 255.255.255.255 
clause 20 bypass any 192.168.0.4 255.255.255.255 destination 10.0.0.12 255.255.255.255
clause 101 permit any 192.168.0.3 255.255.255.255 destination any sourcegroup GROUP1
clause 102 permit any 192.168.0.4 255.255.255.255 destination any sourcegroup GROUP1
clause 254 permit any any destination any
apply circuit-(VLAN1)

acl 2
clause 254 permit any any destination any
apply circuit-(VLAN2)
Where VLAN2 is the network towards 10.0.0 and the rest of the clients.
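To catch this mistake before a configuration reaches a device, here is an added Python check (not from the post and not a Cisco tool) that parses a CSS config excerpt and flags any service that is both a member of a source group and the source of an ACL bypass clause, the combination which, as described above, leaves the bypass without effect. The config text is a constructed excerpt modelled on the first, misbehaving configuration.

```python
from collections import defaultdict

# Constructed excerpt modelled on the first configuration: both services are still
# members of GROUP1 while acl 1 tries to bypass NAT for them (hypothetical names).
CSS_CONFIG = """\
service SERV11
  ip address 192.168.0.3
service SERV12
  ip address 192.168.0.4
group GROUP1
  add service SERV11
  add service SERV12
  vip address 10.0.0.1
acl 1
  clause 5 bypass any 192.168.0.3 255.255.255.255 destination 10.0.0.11 255.255.255.255
  clause 15 bypass any 192.168.0.4 255.255.255.255 destination 10.0.0.11 255.255.255.255
  clause 101 permit any 192.168.0.3 255.255.255.255 destination any sourcegroup GROUP1
  clause 102 permit any 192.168.0.4 255.255.255.255 destination any sourcegroup GROUP1
  clause 254 permit any any destination any
  apply circuit-(VLAN1)
"""

def parse_css(text):
    """Collect service IPs, source-group membership and bypass-clause source addresses."""
    service_ip, group_members, bypass_src = {}, defaultdict(set), defaultdict(set)
    block_kind = block_name = None
    for raw in text.splitlines():
        words = raw.split()
        if not words:
            continue
        if words[0] in ("service", "group", "acl") and len(words) == 2:
            block_kind, block_name = words            # a new top-level block starts
        elif block_kind == "service" and words[:2] == ["ip", "address"]:
            service_ip[block_name] = words[2]
        elif block_kind == "group" and words[:2] == ["add", "service"]:
            group_members[block_name].add(words[2])
        elif block_kind == "acl" and words[0] == "clause" and words[2] == "bypass":
            bypass_src[block_name].add(words[4])      # source address field of the clause
    return service_ip, dict(group_members), dict(bypass_src)

def shadowed_bypasses(text):
    """Return (service, group, acl) triples where group membership defeats a bypass clause."""
    service_ip, groups, bypasses = parse_css(text)
    findings = []
    for group, members in groups.items():
        for svc in sorted(members):
            for acl, sources in bypasses.items():
                if service_ip.get(svc) in sources:
                    findings.append((svc, group, acl))
    return findings
```

Removing the two "add service" lines from the group, as in the final configuration above, makes the check return an empty list.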

Reference: CSS Content Load-Balancing Configuration Guide (Software Version 8.10)
