Guest

Cisco CSS 11000 Series Content Services Switches

CSS Load Balancing Using One Interface Configuration Example

Document ID: 12637

Updated: Apr 20, 2005

   Print

Introduction

A network administrator may run into a situation where they need to load balance services through one port of the Content Services Switch (CSS 11000). This method of load balancing is sometimes called a one-armed configuration. This document explains that process.

Prerequisites

Requirements

There are no specific requirements for this document.

Components Used

The information in this document is based on these software and hardware versions:

  • Cisco CSS 11000

  • Cisco Layer 2 (L2) switch

  • WebNS 5.0 Build 2 (ap0500002)

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.

Conventions

For more information on document conventions, refer to the Cisco Technical Tips Conventions.

Advantages of a One-Armed Configuration

These are the advantages of a one-armed configuration:

  1. The number of services that can be load balanced through the CSS is not restricted by the number of ports.

  2. This configuration makes it easy to introduce a CSS to an existing network.

  3. Traffic that is not load balanced does not flow through the CSS.

Disadvantages of a One-Armed Configuration

These are the disadvantages of a one-armed configuration:

  1. This configuration reduces the performance of the CSS 11000 considerably. The reason for this is that the CSS performs optimally when passing inbound traffiic through and out a different port rather than in and out the same port. Although it performs well, the CSS 11000 is found to perform better in-line between servers and clients performs. Unfortunately, there are situations where this is not possible, therefore making the one-armed configuration a good solution.

  2. When using this configuration, the load balanced servers will see all traffic as being originated from the CSS rathar than the real client source IP address. You do not get a true representation of where your traffic is coming from.

Configure

In this section, you are presented with the information to configure the features described in this document.

Note: To find additional information on the commands used in this document, use the Command Lookup Tool (registered customers only) .

Network Diagram

This document uses this network setup:

one_armed_bandit2.gif

In this diagram, three servers and the CSS 11000 connect to the switch. The gateway router connects to both the switch and the Internet.

Each server is configured with the default gateway being the gateway router at IP address 10.10.10.1. This is done because if you have server initiated traffic, the server initiated traffic does not need to go through the CSS and goes through NAT at the gateway router. All traffic that is destined for the VIP on the CSS 11000 goes through the L2 switch to the CSS and will then be forwarded to the appropriately load balanced server. The return traffic returns through the CSS becauseall load balanced traffic arrives at the real servers with the source IP address being the VIP address of the source group.

Configurations

This document uses these configurations:

  • CSS load balancing using one interface

  1. Log into your CSS into the SuperUser mode. This mode is identified by a prompt that ends with a pound sign (#).

  2. Once you are in SuperUser mode, you must enter into the configuration mode.

    css# configure <cr>
    
  3. Configure a circuit VLAN. VLAN must be typed in all caps when entered into the CLI.

    css(config)# circuit VLAN1 <cr>
    
  4. Enter the IP address of the circuit VLAN and the command no redirects.

    css(config-circuit[VLAN1]# ip address 10.10.10.5 255.255.255.0 <cr>
    css(config-circuit[VLAN1-10.10.10.5]# no redirects <cr>
    css(config-circuit[VLAN1-10.10.10.5]# exit
    
  5. Configure the IP route statement.

    css(config)# ip route 0.0.0.0 0.0.0.0 10.10.10.1 <cr> 

Complete these steps to configure the services:

  1. In this example, there are three services: Service 1, Service 2, and Service 3. To configure services, you must be in the normal configuration mode.

    For the examples below, service names 1, 2, and 3 are used. Once at the configuration service prompt, you can enter the IP address of the service and make it active. Please note that there is a space between service and the service name.

    This example shows how to configure service 1:

    css(config)# service 1 <cr> 
    css(config-service[1])# ip address 10.10.10.2 <cr> 
    css(config-service[1])# active <cr> 
    
  2. This example shows how to configure service 2:

    css(config)# service 2 <cr> 
    css(config-service[2])# ip address 10.10.10.3 <cr> 
    css(config-service[2])# active <cr> 
    
  3. This example shows how to configure service 3:

    css(config)# service 3 <cr> 
    css(config-service[3])# ip address 10.10.10.4 <cr> 
    css(config-service[3])# active <cr> 
    
  4. Configure an owner to apply these services to.

    1. Enter normal configuration mode. Type exit to leave service configuration mode.

      css(config-service[3])# exit
      
    2. Configure an owner to apply these services to. Enter owner plus the name of the owner. This example uses cisco_systems.

      css(config)# owner cisco_systems <cr>
      
    3. You are now in owner configuration mode. Configure the content rules by entering the name of the content rule. In this example, the content rule is one_armed_config.

      css(config-owner[cisco_systems])# content one_armed_config <cr>
      
    4. Once in the content configuration, you can enter the VIP address and add the services that you want the traffic going to the VIP to use. Enter the VIP address.

      css(config-owner-content[cisco_systems-one_armed_config])# vip address 
      10.10.10.6 <cr>
      

      Note: The above command should be on one line.

    5. Add the services that you want the traffic going to the VIP to use.

      css(config-owner-content[cisco_systems-one_armed_config])# add service 1 <cr> 
      css(config-owner-content[cisco_systems-one_armed_config])# add service 2 <cr> 
      css(config-owner-content[cisco_systems-one_armed_config])# add service 3 <cr>
      
    6. To make the content rule active enter the command active.

      css(config-owner-content[cisco_systems-one_armed_config])# active <cr> 
      
  5. The CSS is now configured to load balance to the services, however, there is one problem. When the traffic goes through the CSS to get load balanced, the destination IP address is changed but the source IP address is not changed. When those packets head back to the client, they bypass the CSS through the switch because the servers' default gateways are set to the router IP address and the source IP address of the load balanced request is not on the local subnet.

    You must not only NAT the destination address of the packet but the source addresses as well. In order to do this, configure the source groups.

    1. You must be back in the normal configuration mode to configure the group. To do that, type exit twice. The CLI prompt should read css (config)#.

    2. In this example, the name group name Servers is used.

      css(config)# group Servers <cr> 
      
    3. Once in the group configuration mode, you can enter the VIP address and add the destination services that you want the traffic going to the VIP to use. Enter the VIP address.

      css(config-group[servers])# vip address 10.10.10.6 <cr>
      
    4. The command add destination service under the source group configuration states that when a source IP address is meant for this service, NAT the source IP address to show that it is coming from the CSS. The reply traffic goes back to the CSS through the switch instead of bypassing it.

      css(config-group[Servers])# add destination service 1 <cr> 
      css(config-group[Servers])# add destination service 2 <cr> 
      css(config-group[Servers])# add destination service 3 <cr> 
      
    5. To make the source groups active, issue the command active.

      css(config-group[Servers])# active <cr>
      
CSS 11050 WebNS 5.0 Build 2
!Active version: ap0500002        
!*************************** GLOBAL ***************************        
  ip route 0.0.0.0 0.0.0.0 10.10.10.1          

!************************** INTERFACE *************************        
!*************************** CIRCUIT **************************          
         circuit vlan1 
           ip address 10.10.10.5 255.255.255.0          
           no redirects 
!*************************** SERVICE **************************        
service 1 
           ip address 10.10.10.2 
           active        
service 2 
           ip address 10.10.10.3 
           active        
service 3 
           ip address 10.10.10.4 
           active        
!*************************** OWNER ****************************          
  owner  cisco_systems        
  content One-Arm-rule 
             vip address 10.10.10.6          
             add service 1          
             add service 2          
             add service 3          
             active        
!*************************** GROUP ****************************          
         group Servers 
             vip address 10.10.10.6          
           add destination service 1          
           add destination service 2          
           add destination service 3          
           active     

Verify

This section provides information you can use to confirm your configuration is working properly.

Certain show commands are supported by the Output Interpreter Tool (registered customers only) , which allows you to view an analysis of show command output.

  • show service-summary—Displays service name and state.

    Service Name                     State     Conn  Weight  Avg   State 
                                                             Load  Transitions 
    1                                Alive         0      1     2            0 
    2                                Alive         0      1     2            2 
    3                                Alive         0      1     2            1
    
    
  • show summary—Enables you to display a summary of this owner information for all owners or a specific owner:

    Global Bypass Counters: 
       No Rule Bypass Count:     0 
       Acl Bypass Count:         0 
    
    Owner            Content Rules    State     Services         Service Hits 
    
    cisco_systems    One-Arm-rule     Active    1                5 
                                                2                6 
                                                3                4
    
    
  • show rule—Displays all the content rules for a specific owner or all owners. The screen shows information about the owner and the content rules.

    Name:            One-Arm-rule   Owner:    cisco_systems 
    State:                 Active   Type:              HTTP 
    Balance:          Round Robin   Failover:           N/A 
    Persistence:          Enabled   Param-Bypass:  Disabled 
    IP Redundancy:  Not Redundant 
    L3:         10.10.10.6 
    L4:         Any/Any 
    Url: 
    Redirect: "" 
    TCP RST client if service unreachable: Disabled 
    Rule Services: 
     1: 1-Alive 
     2: 2-Alive 
     3: 3-Alive
    
  • show service—Displays information for all services. Similar to the show service summary command, this command also displays the service type, associated content rule, keepalive, the number state transitions, and Quality of Service (QoS) rate and bandwidth settings.

    Name: 1                 Index: 1 
     Type: Local            State: Alive 
     Rule ( 10.10.10.2  ANY  ANY ) 
     Redirect Domain: 
     Redirect String: 
     Keepalive: (ICMP   5   3   5 ) 
     Mtu:               1500        State Transitions:  0 
     Connections:       0           Max Connections:    0 
     Total Connections: 5           Total Reused Conns: 0 
     Weight:            1           Load:               2
    

Troubleshoot

The command show flows 0.0.0.0 can be used to show sessions flowing in and out of the CSS. In the case of this one-armed configuration, the InPort and OutPort details show the same port for both directions. Normal CSS configurations where two or more ports are in use must show different InPort and OutPort ports being used. Below is the flow information for a Web browser session (port 80) from client 10.64.104.208 to content rule VIP address 10.10.10.6 being load balanced to service address 10.10.10.2.

show flows 0.0.0.0 
Src Address     SPort Dst Address     DPort NAT Dst Address Prt InPort    OutPort 
--------------- ----- --------------- ----- --------------- --- --------- --------- 
10.10.10.2      80    10.10.10.6      36805 10.64.104.208   TCP  1         1 
10.64.104.208   37413 10.10.10.6      80    10.10.10.2      TCP  1         1 

Related Information

Updated: Apr 20, 2005
Document ID: 12637