
First, the background to the problem: I have a Cisco CSS11501 that I am using to load balance a few web servers. These web servers have two network interfaces, one internal and one external and we are sending the requests to the internal interface.

We have the CSS configured to do NAT because our webservers need to see the client's IP address.

Because the TCP packets hit the webservers with a source address on the Internet, the webserver tries to send the packet back to the client over the external interface and not through the load balancer. In order to stop these requests being sent back out to the Internet via the external interface, we added a routing rule on these boxes so that all traffic with a source address on the internet will use the load balancer as the gateway. This part works fine.

What I would also like to do is use the CSS as a load balancer for internal services such as our MySQL slaves.

When I do this, I run into a similar problem; the TCP connection goes from the web server to the load balancer and then from the load balancer to the MySQL slave but the CSS spoofs a source address of the original webserver. The MySQL slave then tries to send the response directly to the webserver via the internal network and not via the load balancer.

The ideal solution would be to tell the CSS not to do source address spoofing on the internal network and only do it for requests originating on the Internet. Is this possible?

Failing that, is there a way of directing the load balanced traffic back through the load balancer while keeping the other traffic (say SSH) purely on the internal network?

Is there another way of using the CSS11501 to load balance internal services?

Ladadadada

1 Answer

> the CSS spoofs a source address of the original webserver. The MySQL slave then tries to send the response directly to the webserver via the internal network and not via the load balancer.

I don't understand; if the CSS spoofs the source IP, your MySQL should see the CSS IP as the source and so reply to the CSS, not to the webserver, if the IP is spoofed...

Anyway, take a look at the group command; it allows you to hide the source address of a request behind another one for one or more services.
I guess it's exactly what you need for your MySQL load balancing.

radius
  • This may not have been clear. The CSS is forwarding a connection on to the MySQL server but setting the source address of the IP packet to be the web server. So rather than using its own IP address, it is spoofing another server's IP address. – Ladadadada Jun 15 '10 at 11:43
  • Looking at groups, I guess you would put all the web servers in a group together and configure the CSS to use its own IP address as the source IP address for flows initiating from that group. The MySQL slave will then see the source address as the load balancer and send the response there. Let me know if you had something else in mind on how I should use groups. I'll let you know if that idea works. – Ladadadada Jun 15 '10 at 11:55
  • The group command worked perfectly. The trick was to create the group, add the target services to it as "destination services" and make sure the vip address of the group is the IP address you want the sources to be spoofed as. (Probably the same address as the associated content rule if anyone is trying to do the same thing.) Thanks very much. – Ladadadada Jun 18 '10 at 15:40
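The configuration the last comment describes, written out as an added example (not the poster's or Cisco's own config): two MySQL slaves as services, a content rule on an internal VIP, and a group whose destination services are those slaves so that their replies return to the CSS rather than to the originating web server. All addresses, names and the use of the content rule's VIP as the group VIP are assumptions, following the comment.

```cisco
! MySQL slaves as back-end services (addresses assumed)
service mysql-slave1
  ip address 10.0.0.11
  protocol tcp
  port 3306
  keepalive type tcp
  active

service mysql-slave2
  ip address 10.0.0.12
  protocol tcp
  port 3306
  keepalive type tcp
  active

! Content rule: the internal VIP the web servers point their MySQL
! read connections at (VIP address assumed)
owner internal
  content mysql-ro
    vip address 10.0.0.100
    protocol tcp
    port 3306
    add service mysql-slave1
    add service mysql-slave2
    active

! Group: flows leaving the CSS towards these destination services get
! their source rewritten to the group VIP, so the slaves answer the
! CSS instead of sending replies straight back to the web server.
! Same VIP as the content rule, as the comment suggests (assumed).
group mysql-ro-src
  vip address 10.0.0.100
  add destination service mysql-slave1
  add destination service mysql-slave2
  active
```

Once the group is active the slaves see every connection arriving from the group VIP rather than from individual web servers, so MySQL host-based grants and any host firewall rules on the slaves need to permit that VIP (and the per-web-server entries can be tightened away).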