Configuring CSM in Router Mode with L7 Policies

Document ID: 26220

Updated: Jan 31, 2006

Introduction

This document provides a sample configuration of the Content Switching Module (CSM) configured in router mode with Layer 7 (L7) policies.

The concept of default policy is also explained in this document. The CSM is configured to drop server-originated connections. A simple ICMP probe is configured as well.

Before You Begin

Conventions

For more information on document conventions, see the Cisco Technical Tips Conventions.

Prerequisites

There are no specific prerequisites for this document.

Components Used

This document is not restricted to specific software and hardware versions.

The information presented in this document was created from devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If you are working in a live network, ensure that you understand the potential impact of any command before using it.

Background Theory

Clients (or the upstream router that connects to the clients) and servers are typically on two separate VLANs. Depending on the IP subnets configuration, the CSM can operate in the following two modes:

  • Router mode—client and server VLANs are configured as two distinct IP subnets. In a standard Server Load Balancing (SLB) environment, the VIP belongs to the client IP subnet, and the servers belong to the server IP subnet, which cannot be reached directly from the client side. The CSM in router mode does not allow incoming requests to be passed on to servers if they do not match a VIP.

  • Bridge mode—client and server VLANs are part of the same IP subnet. The CSM bridges packets between those two VLANs. In a standard SLB environment, both the VIPs and the servers are on the same IP subnet. All incoming requests not matching a VIP are bridged to the coupled VLAN (if the connection came from a client, it will be sent over to the server VLAN, and if the connection came from a server, it will be sent to the client VLAN).

Configure

In this section, you are presented with the information to configure the features described in this document. The following configurations reside entirely on the same Catalyst 6500 represented in the network diagram below. The configuration is broken into separate pieces to better illustrate which part refers specifically to the CSM and which part refers to the Layer 2/3 (L2/3) (MSFC) configuration of the Catalyst.

Note: To find additional information on the commands used in this document, use the Command Lookup Tool (registered customers only).

Network Diagram

This document uses the network setup shown in the diagram below.

[Network diagram: csm-config.gif]

Configurations

This document uses these configurations:

  • Catalyst 6000 - CSM Slot 4

  • Catalyst 6000 - physical and logical interfaces

Catalyst 6000 - CSM Slot 4
module ContentSwitchingModule 4
 vlan 50 client
  ip address 192.168.8.2 255.255.255.0
  gateway 192.168.8.1

!--- Client side VLAN configuration for the CSM in slot 4.
!--- The gateway keyword refers to the MSFC interface VLAN 50 IP address.
!
 vlan 240 server
  ip address 10.66.86.249 255.255.255.240
  alias 10.66.86.250 255.255.255.240

!--- Server side VLAN configuration.
!--- The IP subnet is different from the one used for the client VLAN.
!--- The CSM is configured in router mode (two VLANs and two IP subnets).
!--- Bridge mode (two VLANs, only one IP subnet) is configured by specifying
!--- exactly the same IP address for a pair of client and server VLANs on the CSM.
!--- An alias is not necessary; however, it is good practice, since it is required
!--- when migrating to a redundant configuration.
!--- In that case, active and standby CSMs have different IP addresses on the VLAN
!--- but share the same alias.
!--- Real servers are configured to point to the alias as their default gateway.
!
 static drop
  real 10.66.86.240 255.255.255.240

!--- Server-originated connections from all servers in the 10.66.86.240 subnet
!--- are dropped. By default, server-originated connections are allowed and
!--- their source IP (the server IP address) is not modified.
!--- Other options are allowing server-originated connections with
!--- their source IP NATed to the VIP, or allowing server-originated connections
!--- with their source IP NATed to a pool of specific IP addresses.
!--- Note: The static command applies only to server-originated connections
!--- that do not hit any VIP configured on the CSM.
!
 probe PING icmp
  interval 5
  failed 30

!--- This is an example of an Internet Control Message Protocol (ICMP) probe.
!--- Probes are sent out every interval (five) seconds.
!--- Once a server goes out of service, probes to that server are sent
!--- every failed (30) seconds to see whether the server has come back online.
!
 serverfarm FARM1
  nat server

!--- nat server is the default configuration of a serverfarm.
!--- This means that the CSM performs directed mode
!--- (the destination IP of incoming connections is changed from the VIP
!--- to the IP address of the selected server) for that serverfarm.
!--- Dispatch mode (only L2 rewrite) can be configured by
!--- issuing the no nat server command.

  no nat client

!--- no nat client is the default behavior for a serverfarm.
!--- The CSM by default does not change the source IP address of
!--- incoming requests.

  real 10.66.86.242
   weight 24
   inservice

!--- This is an example of a different weight (the default is eight).
!--- Remember that weights are relative to the weights of the other real servers
!--- (a weight of eight does not mean that eight consecutive requests are sent
!--- to the same server).
!--- Observe also that there is no port translation configured.
!--- Port translation would be used to support a server listening on port 8080;
!--- in that case the real would be configured as real 10.66.86.242 8080.

  real 10.66.86.245
   inservice
  real 10.66.86.246
   inservice
  real 10.66.86.248
   inservice
  probe PING

!--- All the servers in the serverfarm are pinged every five seconds,
!--- according to the probe PING configured above.
!--- No predictor was specified, and the default is round robin.
!
 serverfarm FARM2
  nat server
  no nat client
  real 10.66.86.242 23
   inservice
  real 10.66.86.246 23
   inservice

!--- The real servers in FARM2 are an example of port translation.
!
 serverfarm FARM3
  nat server
  no nat client
  real 10.66.86.242
   inservice
  real 10.66.86.245
   inservice
!
 sticky 10 cookie cookiename timeout 20

!--- A sticky group (group number 10) is configured for cookie stickiness
!--- with a timeout of 20 minutes.
!
 map TEST url
  match protocol http url *jpg*

!--- A URL map is created (HTTP header and cookie maps are also available).
!--- This is the first step in the creation of an L7 policy.
!--- In this case, only one match statement is configured. In general,
!--- multiple match statements can be configured.
!
 map IE header
  match protocol http header User-Agent header-value *IE*

!--- This is another example of a map, in this case an HTTP header map.
!--- Observe that the header name needs to match the HTTP header field
!--- to be examined exactly, while the header value is a regular expression.
!
 policy TEST
  url-map TEST
  serverfarm FARM3

!--- Creation of the policy named TEST. You can use the same name as
!--- that of the map created previously; however, this is not a requirement.
!--- It is just a way to easily remember the association when only one map
!--- is associated with a policy.
!--- In general, a policy can include a url-map, a cookie-map, a header-map,
!--- a client-group, and so on.
!--- If all of these conditions match (in this example, only the condition
!--- url-map TEST), the policy has a match, and the specified
!--- serverfarm (FARM3) is used to fulfill that request.
!
 policy IE
  header-map IE
  serverfarm FARM3
!
 vserver WEB
  virtual 192.168.8.3 tcp www

!--- This is the creation of a simple virtual server.
!--- No IP mask and no VLAN for incoming traffic have been specified.
!--- This means that this is a simple VIP for standard server load balancing.
!--- Traffic coming from any VLAN and directed to that specific IP address
!--- (192.168.8.3) will match this VIP if it is TCP and if it is destined
!--- to port 80 (keyword www).

  serverfarm FARM1
  sticky 20 group 10

!--- Default policy: this is very important. The two lines above define
!--- the default policy.
!--- If there are no other policies configured, or if none of the configured
!--- slb-policies has a match, the default policy is used.
!--- In this case, the default policy is used only if neither
!--- slb-policy TEST nor slb-policy IE has a match.
!--- If there are no other matches, the farm FARM1 will be used,
!--- and the rules of sticky group 10 will be applied.
!--- If no default serverfarm is configured for a virtual server,
!--- and none of the slb-policies has a match, the session will be discarded.

  persistent rebalance

!--- Default behaviour for HTTP 1.1: if multiple GETs are present
!--- in the same TCP connection, the CSM examines every GET.
!--- If the new GET needs to be sent to a different serverfarm,
!--- the connection with the current server is closed and
!--- a new connection with a new server is opened.
!--- This is completely transparent to the client.

  slb-policy TEST
  slb-policy IE

!--- This is the association of two previously configured policies with
!--- the virtual server WEB. The order is important.
!--- In this case, if TEST has a match, IE is not even considered,
!--- and the serverfarm associated with policy TEST is used.
!--- If stickiness has to be configured for these policies, this is
!--- done at the policy level above (in the policy TEST submode,
!--- for example).

  inservice

!--- All virtual servers need to be put in service.
!
 vserver FTP
  virtual 192.168.8.3 tcp ftp service ftp

!--- For FTP, the service ftp keyword needs to be specified.
!--- This instructs the CSM to monitor the control channel (port "ftp", 21),
!--- figure out automatically the data port to be used, and map
!--- the data channel to the same real server.
!--- Both active and passive types of FTP are supported.

  serverfarm FARM3
  persistent rebalance
  inservice
!
 vserver TELNET
  virtual 192.168.8.3 tcp telnet
  serverfarm FARM1
  persistent rebalance
  inservice
!
 vserver TELNET2
  virtual 192.168.8.3 tcp 345

!--- This is an example of a virtual server listening on port 345, while
!--- the default policy (the only policy configured for this virtual server)
!--- uses serverfarm FARM2, and the real servers in FARM2 are configured
!--- for port translation to port 23 (see above).

  serverfarm FARM2
  persistent rebalance
  inservice
!
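The selection rules described in the comments above (maps as conditions, slb-policies evaluated in order, the default policy as fallback, a discarded session when no default serverfarm exists, and persistent rebalance re-evaluating every GET) are modelled here as an added example; this is not CSM code. It assumes that the map patterns *jpg* and *IE* behave as shell-style wildcards and that the header field name must match exactly, as the page states.

```python
import fnmatch
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Illustrative model of the CSM request-to-serverfarm decision for vserver WEB.
# Map, policy and serverfarm names come from the configuration above;
# the evaluation code is an assumption-based illustration, not CSM behaviour.

@dataclass
class UrlMap:
    pattern: str                 # match protocol http url <pattern>

@dataclass
class HeaderMap:
    header: str                  # header field name, must match exactly
    pattern: str                 # header-value <pattern>

@dataclass
class Policy:
    name: str
    serverfarm: str
    url_map: Optional[UrlMap] = None
    header_map: Optional[HeaderMap] = None

    def matches(self, url: str, headers: Dict[str, str]) -> bool:
        """A policy matches only when every configured condition matches."""
        if self.url_map and not fnmatch.fnmatchcase(url, self.url_map.pattern):
            return False
        if self.header_map:
            value = headers.get(self.header_map.header)   # exact field-name lookup
            if value is None or not fnmatch.fnmatchcase(value, self.header_map.pattern):
                return False
        return True

@dataclass
class Vserver:
    name: str
    slb_policies: List[Policy] = field(default_factory=list)  # evaluated in order
    default_serverfarm: Optional[str] = None                  # serverfarm under vserver

    def select(self, url: str, headers: Dict[str, str]) -> Optional[Tuple[str, str]]:
        """Return (policy name, serverfarm), or None when the session is discarded."""
        for pol in self.slb_policies:          # first match wins; the rest are skipped
            if pol.matches(url, headers):
                return (pol.name, pol.serverfarm)
        if self.default_serverfarm is None:    # no default policy: session discarded
            return None
        return ("(default)", self.default_serverfarm)

def persistent_rebalance(vs: Vserver, requests) -> Tuple[List[Optional[str]], int]:
    """Model of persistent rebalance: every GET on one HTTP/1.1 connection is
    re-evaluated; a change of serverfarm means a new server-side connection."""
    farms: List[Optional[str]] = []
    reconnects, current = 0, None
    for url, headers in requests:
        sel = vs.select(url, headers)
        farm = sel[1] if sel else None
        if farms and farm != current:          # farm changed: close and reopen
            reconnects += 1
        current = farm
        farms.append(farm)
    return farms, reconnects

# vserver WEB as configured on this page
WEB = Vserver(
    "WEB",
    slb_policies=[
        Policy("TEST", "FARM3", url_map=UrlMap("*jpg*")),
        Policy("IE", "FARM3", header_map=HeaderMap("User-Agent", "*IE*")),
    ],
    default_serverfarm="FARM1",
)
```

A request that matches both TEST and IE is served by TEST because it is listed first, and a request whose User-Agent header is sent under a differently spelled field name falls through to the default policy.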

Catalyst 6000 - physical and logical interfaces
!
interface GigabitEthernet1/1
 no ip address
 shutdown
!
interface FastEthernet8/1
 no ip address
 switchport
 switchport access vlan 176
 spanning-tree portfast

!--- Clients are connected to this port.
!
interface FastEthernet8/2
 no ip address
 switchport
 switchport access vlan 240
 spanning-tree portfast

!--- Servers are connected to this port.
!
interface Vlan1
 no ip address

!--- Default VLAN 1 cannot be configured in the CSM (the CLI prevents it).
!
interface Vlan50
 ip address 192.168.8.1 255.255.255.0

!--- Internal VLAN between the MSFC and the CSM.
!--- In this example, the MSFC is on the client side of the CSM.
!--- Vlan50 is the client side VLAN of the CSM, and the CSM
!--- points to the int vlan 50 IP address as its default gateway.
!
interface Vlan176
 ip address 10.66.86.184 255.255.255.240

!--- Observe that VLAN 240 (the CSM server side VLAN) is not created as
!--- an L3 entity on the MSFC. You do not want the MSFC
!--- to route between VLAN 50 and VLAN 240, thus bypassing the CSM.
!--- VLAN 240 is created as an L2 entity in the switch
!--- (issue the show vlan command to verify this).
!--- VLAN 50 is also created as an L3 entity on the MSFC.
!--- In this example, the MSFC is used on the client side of the CSM.
!

Verify

This section provides information you can use to confirm your configuration is working properly.

Router#sh mod csm 4 vser deta
WEB, type = SLB, state = OPERATIONAL, v_index = 19
  virtual = 192.168.8.3/32:80 bidir, TCP, service = NONE, advertise = FALSE

!--- A 32-bit mask is the default. The destination IP of incoming requests
!--- needs to be exactly the VIP.
!--- advertise = FALSE refers to the Route Health Injection feature,
!--- where VIPs are advertised as host routes by the MSFC
!--- (used on the client side).

  idle = 3600, replicate csrp = none, vlan = ALL, pending = 30

!--- 3600 seconds of idle timer.
!--- If no packets are sent over a specific session
!--- for the idle time, the CSM tears down that session.
!--- The idle timer is important, especially for non-TCP sessions
!--- where there is no explicit termination of the session.
!--- There is no replication configured. In this example, a standby CSM will
!--- simply monitor the active CSM and eventually become active; however, it
!--- will learn neither the sticky database nor the TCP state.
!--- Replication can be configured as none, sticky database, or TCP state.
!--- Traffic can come to this vserver from any VLAN.
!--- This is the default behaviour, since no VLAN was specified in the config.

  max parse len = 2000, persist rebalance = TRUE

!--- Max depth of inspection (default 600 bytes, max 4000 bytes).

  conns = 0, total conns = 2

!--- Currently open connections and total connections that have been set up
!--- since the last reset of the counters (clear mod csm 4 counters).

  Default policy:
    server farm = FARM1, backup = 
    sticky: timer = 20, subnet = 0.0.0.0, group id = 10

!--- Default policy serverfarm and sticky config (this sticky config applies only
!--- to the default serverfarm; stickiness for the other policies needs
!--- to be configured in the various "policy" submodes).

  Policy          Tot matches  Client pkts  Server pkts
  -----------------------------------------------------
  TEST            1            3            6
  IE              2            10           3
  (default)       0            0            0

!--- Total number of connections that matched the various policies and
!--- number of packets sent by servers and clients.

TELNET, type = SLB, state = OPERATIONAL, v_index = 21
  virtual = 192.168.8.3/32:23 bidir, TCP, service = NONE, advertise = FALSE
  idle = 3600, replicate csrp = none, vlan = ALL, pending = 30
  max parse len = 2000, persist rebalance = TRUE
  ssl sticky offset = 0, length = 32
  conns = 0, total conns = 0
  Default policy:
    server farm = FARM1, backup = 
    sticky: timer = 0, subnet = 0.0.0.0, group id = 0
  Policy          Tot matches  Client pkts  Server pkts
  -----------------------------------------------------
  (default)       14           375          258

TELNET2, type = SLB, state = OPERATIONAL, v_index = 22
  virtual = 192.168.8.3/32:345 bidir, TCP, service = NONE, advertise = FALSE
  idle = 3600, replicate csrp = none, vlan = ALL, pending = 30
  max parse len = 2000, persist rebalance = TRUE
  ssl sticky offset = 0, length = 32
  conns = 0, total conns = 0
  Default policy:
    server farm = FARM2, backup = 
    sticky: timer = 0, subnet = 0.0.0.0, group id = 0
  Policy          Tot matches  Client pkts  Server pkts
  -----------------------------------------------------
  (default)       5            24           19

FTP, type = SLB, state = OPERATIONAL, v_index = 20
  virtual = 192.168.8.3/32:21 bidir, TCP, service = ftp, advertise = FALSE

!--- FTP service was configured for this virtual server, which is
!--- listening on port 21.

  idle = 3600, replicate csrp = none, vlan = ALL, pending = 30
  max parse len = 2000, persist rebalance = TRUE
  ssl sticky offset = 0, length = 32
  conns = 0, total conns = 0
  Default policy:
    server farm = FARM3, backup = 
    sticky: timer = 0, subnet = 0.0.0.0, group id = 0
  Policy          Tot matches  Client pkts  Server pkts
  -----------------------------------------------------
  (default)        2            21           16

Router#sh mod csm 4 sticky ?
  client  sticky associated with a specific client IP address
  config  list configured sticky groups
  cookie  sticky associated with a HTTP cookie value
  group   sticky associated with a specific group
  ssl     sticky associated with a SSL session id
  |       Output modifiers
  <cr>

Router#sh mod csm 4 real deta
10.66.86.242, FARM1, state = OPERATIONAL
  conns = 0, maxconns = 4294967295, minconns = 0

!--- There are 0 active connections to this real server.
!--- maxconns and minconns have their default values.
!--- If changed to something else, they enable the connection watermarks feature.
!--- No more than maxconns connections will ever be active on this real server.
!--- When the server has reached its maximum, the CSM does not send it
!--- any new connections until the number of active connections drops
!--- below minconns.

  weight = 24, weight(admin) = 24, metric = 0, remainder = 0

!--- The admin weight is configured; the weight is dynamic.
!--- If the Dynamic Feedback Protocol (DFP) is used, the dynamic weight
!--- can differ from the admin weight.

  total conns established = 0, total conn failures = 0
10.66.86.245, FARM1, state = OPERATIONAL
  conns = 1, maxconns = 4294967295, minconns = 0
  weight = 8, weight(admin) = 8, metric = 0, remainder = 1
  total conns established = 193, total conn failures = 0
10.66.86.246, FARM1, state = OPERATIONAL
  conns = 0, maxconns = 4294967295, minconns = 0
  weight = 8, weight(admin) = 8, metric = 0, remainder = 0
  total conns established = 563, total conn failures = 0
10.66.86.248, FARM1, state = OPERATIONAL
  conns = 0, maxconns = 4294967295, minconns = 0
  weight = 8, weight(admin) = 8, metric = 0, remainder = 0
  total conns established = 455, total conn failures = 0
10.66.86.242:23, FARM2, state = OPERATIONAL
  conns = 0, maxconns = 4294967295, minconns = 0
  weight = 8, weight(admin) = 8, metric = 0, remainder = 0
  total conns established = 3, total conn failures = 0
10.66.86.246:23, FARM2, state = OPERATIONAL
  conns = 0, maxconns = 4294967295, minconns = 0
  weight = 8, weight(admin) = 8, metric = 0, remainder = 0
  total conns established = 2, total conn failures = 0
10.66.86.242, FARM3, state = OPERATIONAL
  conns = 0, maxconns = 4294967295, minconns = 0
  weight = 8, weight(admin) = 8, metric = 0, remainder = 0
  total conns established = 180, total conn failures = 0
10.66.86.245, FARM3, state = OPERATIONAL
  conns = 0, maxconns = 4294967295, minconns = 0
  weight = 8, weight(admin) = 8, metric = 0, remainder = 0
  total conns established = 179, total conn failures = 0

Router#sh mod csm 4 serv deta
FARM1, type = SLB, predictor = RoundRobin
  nat = SERVER

!--- The default load balancing algorithm is round robin.
!--- The default NAT options are nat server (directed mode) but no nat client.

  virtuals inservice: 2, reals = 4, bind id = 0, fail action = none

!--- Two active virtual servers are using this serverfarm.

  inband health config: <none>
  retcode map = <none>
  Probes:
    PING, type = icmp
  Real servers:
    10.66.86.242, weight = 24, OPERATIONAL, conns = 0
    10.66.86.245, weight = 8, OPERATIONAL, conns = 1
    10.66.86.246, weight = 8, OPERATIONAL, conns = 0
    10.66.86.248, weight = 8, OPERATIONAL, conns = 0
  Total connections = 1

!--- This number indicates the active connections only.

FARM2, type = SLB, predictor = RoundRobin
  nat = SERVER
  virtuals inservice: 1, reals = 2, bind id = 0, fail action = none
  inband health config: <none>
  retcode map = <none>
  Real servers:
    10.66.86.242:23, weight = 8, OPERATIONAL, conns = 0
    10.66.86.246:23, weight = 8, OPERATIONAL, conns = 0
  Total connections = 0

FARM3, type = SLB, predictor = RoundRobin
  nat = SERVER
  virtuals inservice: 2, reals = 2, bind id = 0, fail action = none
  inband health config: <none>
  retcode map = <none>
  Real servers:
    10.66.86.242, weight = 8, OPERATIONAL, conns = 0
    10.66.86.245, weight = 8, OPERATIONAL, conns = 0
  Total connections = 0

Router#sh mod csm 4 arp

!--- This is a very useful command; it shows the ARP table of the CSM.
!--- Remember that this table is completely distinct from the MSFC ARP table.

Internet Address  Physical Interface  VLAN      Type       Status
--------------------------------------------------------------------
 10.66.86.241     00-30-F2-C9-EB-F8   240       LEARNED    up(0 misses)
 10.66.86.242     00-02-B3-9D-2C-B9   240       REAL       up(0 misses)
 10.66.86.243     00-11-25-AB-21-D2   240       LEARNED    up(0 misses)
 10.66.86.244     00-09-5B-1E-B5-D5   240       LEARNED    up(0 misses)

!--- 0 misses refers to the number of unanswered ARP requests by that device.
!--- In this case, all ARPs are receiving a response,
!--- so the server is well connected.

 10.66.86.245     00-0D-88-2F-67-E4   240       REAL       up(0 misses)
 10.66.86.246     00-02-B3-9D-2C-B9   240       REAL       up(0 misses)
 10.66.86.247     00-11-25-8D-2F-A8   240       LEARNED    up(0 misses)
 10.66.86.248     00-0D-88-2F-67-E4   240       REAL       up(0 misses)
 10.66.86.249     00-03-32-87-B7-B8   240       --SLB--    local
 10.66.86.250     00-02-2F-00-14-0C   240       LEARNED    up(0 misses)
 10.66.86.253     00-0D-60-0F-24-6A   240       LEARNED    up(0 misses)
 10.66.86.254     00-0D-60-0F-24-5C   240       LEARNED    up(0 misses)
 192.168.8.1      00-D0-D3-86-B8-0A   50        GATEWAY    up(0 misses)
 192.168.8.2      00-03-32-87-B7-B8   50        --SLB--    local
 192.168.8.3      00-03-32-87-B7-B7   0         VSERVER    local

Router#sh mod csm 4 ?
  arp           SLB arp cache listing
  capp          SLB Content Application Peering Protocol information
  conns         SLB connection information
  dfp           SLB DFP manager information
  ft            SLB ft information
  gslb          Global Server Load Balancing stats
  map           SLB map information
  memory        SLB memory information
  natpools      SLB client nat pool information
  owner         SLB owner information
  policy        SLB policy information
  probe         SLB probe information
  pvlan         SLB pvlan information
  reals         SLB real server information
  script        SLB script information
  serverfarms   SLB server farm information
  static        SLB static server NAT information
  stats         SLB Statistics
  status        SLB status information
  sticky        SLB sticky database
  tech-support  SLB tech debug information
  variable      SLB environment variables
  vlan          SLB vlan information
  vservers      SLB virtual server information
  xml-config    SLB XML-config information

Router#sh mod csm 4 policy ?
  name  slb policy name
  |     Output modifiers
  <cr>

Router#sh mod csm 4 policy
policy:               TEST
type:                 SLB
url map:              TEST
serverfarm:           FARM3

policy:               IE
type:                 SLB
header map:           IE
serverfarm:           FARM3

Router#sh mod csm 4 vlan deta
vlan   IP address       IP mask          type
---------------------------------------------------
50     192.168.8.2      255.255.255.0    CLIENT
  GATEWAYS
  192.168.8.1
240    10.66.86.249     255.255.255.240  SERVER

Router#
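As an added example (not part of the original document), this parser reads output in the format of the sh mod csm 4 vser deta command shown above and flags what the page warns about: a vserver that is not OPERATIONAL, a vserver with no default serverfarm (unmatched sessions are discarded), and an slb-policy that has never matched. SAMPLE is constructed for the example; the WEB record is copied from the output above and BROKEN is an invented vserver.

```python
import re
from typing import Dict, List

# Constructed sample in the format of "show mod csm 4 vservers detail".
# WEB mirrors the page's output; BROKEN is invented to exercise the checks.
SAMPLE = """\
WEB, type = SLB, state = OPERATIONAL, v_index = 19
  virtual = 192.168.8.3/32:80 bidir, TCP, service = NONE, advertise = FALSE
  conns = 0, total conns = 2
  Default policy:
    server farm = FARM1, backup = 
    sticky: timer = 20, subnet = 0.0.0.0, group id = 10
  Policy          Tot matches  Client pkts  Server pkts
  -----------------------------------------------------
  TEST            1            3            6
  IE              2            10           3
  (default)       0            0            0

BROKEN, type = SLB, state = OUTOFSERVICE, v_index = 23
  virtual = 192.168.8.4/32:80 bidir, TCP, service = NONE, advertise = FALSE
  conns = 0, total conns = 0
  Default policy:
    server farm = , backup = 
    sticky: timer = 0, subnet = 0.0.0.0, group id = 0
  Policy          Tot matches  Client pkts  Server pkts
  -----------------------------------------------------
  TEST            0            0            0
  (default)       0            0            0
"""

HEADER_RE = re.compile(r"^(\S+), type = \S+, state = (\S+), v_index = \d+$")
FARM_RE = re.compile(r"^\s+server farm = (\S*), backup =")
POLICY_RE = re.compile(r"^\s+(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s*$")

def parse_vservers(text: str) -> Dict[str, dict]:
    """Return {vserver: {"state", "default_farm", "policies": {name: matches}}}."""
    vservers: Dict[str, dict] = {}
    cur = None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:                                   # start of a new vserver record
            cur = {"state": m.group(2), "default_farm": None, "policies": {}}
            vservers[m.group(1)] = cur
            continue
        if cur is None:
            continue
        m = FARM_RE.match(line)
        if m:                                   # empty name => no default serverfarm
            cur["default_farm"] = m.group(1) or None
            continue
        m = POLICY_RE.match(line)
        if m:                                   # policy counter row, incl. (default)
            cur["policies"][m.group(1)] = int(m.group(2))
    return vservers

def audit(vservers: Dict[str, dict]) -> List[str]:
    """Flag vservers that are not operational, have no default serverfarm
    (unmatched sessions are discarded), or carry policies that never matched."""
    findings: List[str] = []
    for name, v in vservers.items():
        if v["state"] != "OPERATIONAL":
            findings.append(f"{name}: state is {v['state']}")
        if v["default_farm"] is None:
            findings.append(f"{name}: no default serverfarm, unmatched sessions are discarded")
        for pol, hits in v["policies"].items():
            if pol != "(default)" and hits == 0:
                findings.append(f"{name}: slb-policy {pol} has never matched")
    return findings
```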

Troubleshoot

There is currently no specific troubleshooting information available for this configuration.
