Cisco Services Modules

Configuring Secure (Router) Mode on the Content Switching Module

Document ID: 5448

Updated: May 03, 2004



The Content Switching Module (CSM) provides high-performance connections between network users and server farms based on Layer 4 through 7 information. You can represent a group of real servers (the server farm) as a single server instance (virtual server), balance the traffic to the server farm by selecting one of the server load balancing methods, and limit traffic to individual servers (sticky connections) and server farms (policies). This sample configuration describes how to configure Server Load Balancing (SLB) on the Catalyst 6000 family CSM.

You cannot run Cisco IOS® SLB software on the same switch as the CSM. You must configure the CSM mode by issuing the ip slb mode [csm | rp] command before any configuration. In the ip slb mode command, the rp argument is default.

Before You Begin


For more information on document conventions, see the Cisco Technical Tips Conventions.


There are no specific prerequisites for this document.

Components Used

The information in this document is based on the software and hardware versions below.

  • Catalyst 6000 family Supervisor IOS Release 12.1(8)EX for Supervisor Engine 1 with MSFC1 (c6sup11-jsv-mz.121-8.EX)

  • Catalyst 6000 family CSM Software Release 2.1(0) (c6slb-apc.2-1-1.bin)

The CSM runs on Cisco IOS Release 12.1(6)E or later. If you are using a Supervisor Engine 2, you must use Cisco IOS Release 12.1(8a)E or later.

Operation Mode

Client and server connections through the CSM can use either Layer 2 or Layer 3 switching. Clients connect to the client side VLAN, and servers connect to the server side VLAN. Servers and clients can exist on different subnets. Servers can also be located more than one hop away and connect to the server side VLAN through routers. In this case, the servers' default gateway and the routing through the network from servers to the CSM server side VLAN must direct all load balanced traffic from the servers through the CSM, or serverfarm client NAT must be configured in the CSM for all traffic destined to servers in the server farm. A client sends a request to a VIP address,� and the CSM forwards the request to a server that can satisfy the request. The server forwards the response to the CSM, and the CSM forwards the response to the client.

When the client side and server side VLANs are in different subnets, you can configure the CSM in secure (router) mode. This sample configuration focuses on secure (router) mode configuration. When the client side and server side VLANs are in the same subnet, you can configure the CSM to operate in single subnet (bridge) mode. Refer to the sample configurations below for more information.

Network Diagram

The client side and server side VLANs are on different subnets in secure (router) mode. The diagram shows how the secure (router) mode configuration is set up.



Complete these steps to configure CSM for secure (multiple subnet) mode:

  1. Select the CSM mode.

    cat(config)# ip slb mode csm
  2. Create the client and server VLAN in the database. When exiting the VLAN database mode, the configuration changes are applied.

    cat# vlan database 
    cat(vlan)# vlan 100 
    VLAN 100 added: Name: VLAN0100 
    cat(vlan)# vlan 200 
    VLAN 200 added: Name: VLAN0200 
    cat(vlan)# exit 
    APPLY completed. 
  3. Configure physical interfaces that connect the client (uplink) to the corresponding VLAN.

    cat(config)# inter fastEthernet 2/1 
    cat(config-if)# switchport 
    cat(config-if)# switchport access vlan 100 
    cat(config-if)# no shut
  4. Configure physical interfaces that connect the servers to the corresponding VLAN.

    cat(config)# inter fastEthernet 2/3 
    cat(config-if)# switchport 
    cat(config-if)# switchport access vlan 200 
    cat(config-if)# no shutdown 
    cat(config)# inter fastEthernet 2/4 
    cat(config-if)# switchport 
    cat(config-if)# switchport access vlan 200 
    cat(config-if)# no shutdown
  5. Create the client side VLAN and gateway.

    cat(config)# ip slb vlan 100 client 
    cat(config-slb-vlan-client)# ip address 
    cat(config-slb-vlan-client)# gateway
  6. Create the server side VLAN.

    cat(config)# ip slb vlan 200 server 
    cat(config-slb-vlan-server)# ip address 
    cat(config-slb-vlan-server)# alias
  7. Create the serverfarm.

    cat(config)# ip slb serverfarm WWWFARM 
    cat(config-slb-sfarm)# real 
    cat(config-slb-real)# inservice 
    cat(config-slb-real)# real 
    cat(config-slb-real)# inservice
  8. Create vserver and associate serverfarm.

    cat(config)# ip slb vserver SERVER 
    cat(config-slb-vserver)# virtual tcp www 
    cat(config-slb-vserver)# serverfarm WWWFARM 
    cat(config-slb-vserver)# inservice

The following is a sample configuration of server load balancing that uses the Cisco Catalyst 6500 and the CSM.

CSM (WS-X6066-SLB-APC) Running Configuration
Current configuration : 3791 bytes 
version 12.1 
service timestamps debug uptime 
service timestamps log uptime 
no service password-encryption 
hostname cat 
boot buffersize 126968 
boot system flash slot0:c6sup11-jsv-mz.121-8.EX.bin 
� auto-sync standard 
ip subnet-zero 

!--- SLB mode. 

ip slb mode csm 

!--- Client side VLAN configuration.� 
!--- Important: Gateway address pointing to interface VLAN 100.
ip slb vlan 100 client 
�ip address 

!--- Server side VLAN configuration.�
ip slb vlan 200 server 
�ip address 

!--- Serverfarm configuration.
ip slb serverfarm WWWFARM 
�nat server� 
�no nat client 
� inservice 
� inservice 

!--- Vserver configuration.�
ip slb vserver SERVER 
�virtual tcp www 
�serverfarm WWWFARM 
interface GigabitEthernet1/1 
�no ip address 
interface GigabitEthernet1/2 
�no ip address 

!--- Client (uplink) connected to FastEthernet 2/1. 

interface FastEthernet2/1 
�no ip address 
�switchport access vlan 100 
�switchport mode access 
interface FastEthernet2/2 
�no ip address 

!--- Servers connected to FastEthernet 2/3 and 2/4.
interface FastEthernet2/3 
�no ip address 
�switchport access vlan 200 
�switchport mode access 
interface FastEthernet2/4 
�no ip address 
�switchport access vlan 200 
�switchport mode access ... 
interface FastEthernet2/48 
�no ip address 
interface Vlan1 
�no ip address 
interface Vlan100 
�ip address 
ip default-gateway 
ip classless 
ip route 
no ip http server 
line con 0 
line vty 0 4 

show Commands

Note: Certain show commands are supported by the Output Interpreter Tool (registered customers only) , which allows you to view an analysis of show command output.

show ip slb status Command

The show ip slb status command displays the status of the SLB module. The module must be online.

cat6#show ip slb status�
SLB Module is online in slot 3.�
Configuration Download state: COMPLETE, SUCCESS

show ip slb vserver Command

The show ip slb vserver command displays the virtual server information. You also see the state of the virtual server and how many connections there are:

cat6#show ip slb vserver
slb vserver�� prot��� virtual������������� vlan�� state�������� conns����������

show ip slb reals Command

The show ip slb reals command displays information for each real server, such as the server farm where each server resides, the server states, thresholds, and connections.

cat6#show ip slb reals
real����������������� server farm����� weight� state��������� conns
-------------------------------------------------------------------������������� WWWFARM��������� 8������ OPERATIONAL��� 0��������������������� WWWFARM��������� 8������ OPERATIONAL��� 0

show ip slb serverfarms Command

The show ip slb serverfarms command displays the server farm information. This command shows the predictor used for load balancing. This example uses the default, round robin.

cat6#show ip slb serverfarm
server farm��� predictor��� nat�� reals�� redirect� bind id
WWWFARM������� RoundRobin�� S���� 2������ 0�������� 0

show ip slb vlan Command

The show ip slb vlan command displays the VLAN information for the client and the server.

cat6# show ip slb vlan
vlan�� IP address������ IP mask����������� type��
100��������� CLIENT
200�������������� SERVER


You can only ping the real server from the Catalyst 6500 by using the ping slb command, as shown below.

cat6#ping slb�
IP address������ Reachable�
--------------------------��������� Yes

Related Information

Updated: May 03, 2004
Document ID: 5448