Configuring the CSM with L7 Policies in Router Mode

August 28, 2015 - Machine Translation

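Introduction

This document provides a sample configuration of the Content Switching Module (CSM) in router mode with Layer 7 (L7) policies.

The concept of the default policy is also explained in this document. The CSM is configured to drop server-originated connections. A simple ICMP probe is configured.

Before You Begin

Conventions

For more information on document conventions, see the Cisco Technical Tips Conventions.

Prerequisites

There are no specific prerequisites for this document.

Components Used

This document is not restricted to specific software and hardware versions.

The information in this document was created from devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If you are working in a live network, make sure that you understand the potential impact of any command before you use it.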

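Background Theory

The clients (or the upstream router connected to the clients) and the servers are typically located on two separate VLANs. Depending on the IP subnet configuration, the CSM can operate in the following two modes:

  • Router mode: The client and server VLANs are configured as two distinct IP subnets. In a standard server load balancing (SLB) environment, the VIP belongs to the client IP subnet; the servers belong to the server IP subnet and cannot be reached directly from the clients. In router mode, the CSM does not pass incoming requests through to the servers if those requests do not match a VIP.

  • Bridge mode: The client and server VLANs are part of the same IP subnet. The CSM bridges packets between the two VLANs. In a standard SLB environment, the VIP and the servers are in the same IP subnet. All incoming requests that do not match a VIP are bridged to the associated VLAN (if the connection comes from a client, it is sent to the server VLAN; if the connection comes from a server, it is sent to the client VLAN).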

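Configure

This section presents the information needed to configure the features described in this document. The configuration below resides entirely on the same Catalyst 6500 shown in the network diagram below. The configuration is split into separate parts to better show which part refers specifically to the CSM and which part refers to the Layer 2/3 (L2/3) (MSFC) configuration of the Catalyst.

Note: To find additional information on the commands used in this document, use the Command Lookup Tool (registered customers only).

Network Diagram

This document uses the network setup shown in the diagram below.

[Figure: /image/gif/paws/26220/csm-config.gif]

Configurations

This document uses the following configurations:

  • Catalyst 6000 - CSM in Slot 4

  • Catalyst 6000 - Physical and Logical Interfaces

Catalyst 6000 - CSM in Slot 4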
module ContentSwitchingModule 4
 vlan 50 client
  ip address 192.168.8.2 255.255.255.0
  gateway 192.168.8.1

!--- Client side VLAN configuration for the CSM in slot 4.
!--- The gateway keyword refers to the MSFC interface VLAN 50 IP address.

!
 vlan 240 server
  ip address 10.66.86.249 255.255.255.240
  alias 10.66.86.250 255.255.255.240

!--- Server side VLAN configuration.
!--- The IP address is different from the one used for the client VLAN 50.
!--- The CSM is configured in router mode (two VLANs and two IP subnets).
!--- Bridge mode (two VLANs, only 1 IP subnet) is configured by specifying
!--- the same exact IP address for a pair of client and server VLANs on the CSM.
!--- An alias is not necessary, however, it is a good practice, since it is required
!--- when migrating to a redundant configuration.
!--- In that case, active and standby CSMs have different IP addresses on the VLAN,
!--- however, they share the same alias.
!--- Real servers are configured to point to the alias as their default gateway.

 static drop
  real 10.66.86.240 255.255.255.240

!--- Server-originated connections from all servers in the 10.66.86.240 subnet
!--- are dropped. By default, server-originated connections are allowed and
!--- their source IP (the server IP address) is not modified.

!--- Other options are allowing server-originated connections with
!--- their source IP NATed to the VIP, or allowing server-originated connections
!--- with their source IP NATed to a pool of specific IP addresses.
!--- Note: The static command applies only
!--- to server-originated connections, which do not hit any VIPs
!--- configured on the CSM.

!
 probe PING icmp
  interval 5
  failed 30

!--- This is an example of an Internet Control Message Protocol (ICMP) probe.
!--- Probes are sent out every interval (five) seconds.
!--- Once a server goes out of service, probes to that server are sent
!--- every failed (30) seconds to see if the server has come back online.

!
 serverfarm FARM1
  nat server

!--- nat server is the default configuration of a serverfarm.
!--- This means that the CSM performs directed mode
!--- (destination IP of incoming connections is changed from the VIP
!--- to the IP address of the selected server) for that serverfarm.

!--- Dispatch mode (only L2 rewrite) can be configured by
!--- issuing the no nat server command.

  no nat client

!--- no nat client is the default behavior for a serverfarm.
!--- The CSM by default does not change the source IP address of
!--- incoming requests.

  real 10.66.86.242
   weight 24
   inservice

!--- This is an example of a different weight (the default is eight).
!--- Remember that weights are relative to the weights of other real servers
!--- (weight of eight does not mean that eight consecutive requests are sent
!--- to the same server).
!--- Observe also that there is no port translation configured.
!--- A port translation is used to support a server listening to port 8080.
!--- You can also use real 10.66.86.242 8080 for the configuration.

  real 10.66.86.245
   inservice
  real 10.66.86.246
   inservice
  real 10.66.86.248
   inservice
  probe PING

!--- All the servers in the serverfarm are pinged every five seconds,
!--- according to the probe PING configured above.
!--- No predictor was specified, and the default is round robin.

 serverfarm FARM2
  nat server
  no nat client
  real 10.66.86.242 23
   inservice
  real 10.66.86.246 23
   inservice

!--- The real servers in FARM2 are an example of port translation.

!
 serverfarm FARM3
  nat server
  no nat client
  real 10.66.86.242
   inservice
  real 10.66.86.245
   inservice
!
 sticky 10 cookie cookiename timeout 20

!--- A sticky group (group number 10) is configured for cookie sticky
!--- with a timeout of 20 minutes.

!
 map TEST url
  match protocol http url *jpg*

!--- A URL map (also HTTP header and cookie maps are available) is created.
!--- This is the first step in the creation of a L7 policy.
!--- In this case, only one match sentence is configured. In general,
!--- multiple match sentences can be configured.

!
 map IE header
  match protocol http header User-Agent header-value *IE*

!--- This is another example of a map, in this case a HTTP header map.
!--- Observe that the header name needs to perfectly match the
!--- HTTP header field to be examined, while the header value is
!--- a regular expression.

!
 policy TEST
  url-map TEST
  serverfarm FARM3

!--- Creation of the policy named TEST. You can use the same name as
!--- the one of the map previously created, however, this is not a requirement.
!--- This is just a way to easily remember the association if only one map
!--- is associated with a policy.

!--- In general, a policy can include a url-map, a cookie-map, a header-map,
!--- a client-group, and so on.
!--- If all of these conditions match (in this example, only the condition
!--- url-map TEST), the policy has a match, and the specified
!--- serverfarm (FARM3) is used to fulfill that request.

!
 policy IE
  header-map IE
  serverfarm FARM3
 vserver WEB
  virtual 192.168.8.3 tcp www

!--- This is the creation of a simple virtual server.
!--- No IP mask has been specified and no VLAN of incoming traffic
!--- has been specified.
!--- This means that this is a simple VIP for standard server load balancing.
!--- Traffic coming from any VLAN and directed to that specific IP address
!--- (192.168.8.3) will match this VIP if it is TCP and if it is destined
!--- to port 80 (keyword www).

  serverfarm FARM1
  sticky 20 group 10

!--- Default Policy: This is very important. The two lines above refer
!--- to the default policy.
!--- If there are no other policies configured or if none of the configured
!--- slb-policies has a match, the default policy is used.
!--- In this case, the default policy is used only if neither
!--- slb-policy TEST nor slb-policy IE has a match.
!--- If there are no other matches, the farm FARM1 will be used,
!--- and the rules of sticky group 10 will be applied.
!--- If the default serverfarm is not configured for a virtual server,
!--- and if none of the slb-policies has a match, the session will be discarded.

  persistent rebalance

!--- Default behaviour for HTTP 1.1; if multiple GETs are present
!--- in the same TCP connection, the CSM will examine every GET.
!--- If the new GET needs to be sent to a different serverfarm,
!--- the connection with the current server is closed and
!--- a new connection with a new server is opened.
!--- This is completely transparent to the client.

  slb-policy TEST
  slb-policy IE

!--- This is an association of two previously configured policies to
!--- the virtual server WEB. The order is important.
!--- In this case, if TEST has a match, IE is not even considered,
!--- and the serverfarm associated with policy TEST is used.
!--- If stickiness had to be configured for these policies, this would
!--- be done at the policy level above (in the policy TEST submode
!--- for example).

  inservice

!--- All virtual servers need to be put in service.

!
 vserver FTP
  virtual 192.168.8.3 tcp ftp service ftp

!--- For FTP, the service ftp keyword needs
!--- to be specified. This instructs the CSM to monitor
!--- the control channel (port "ftp", 21),
!--- and figure out automatically the data port to be used, and map
!--- the data channel to the same real server.

!--- Both active and passive types of FTP are supported.

  serverfarm FARM3
  persistent rebalance
  inservice
!
 vserver TELNET
  virtual 192.168.8.3 tcp telnet
  serverfarm FARM1
  persistent rebalance
  inservice
!
 vserver TELNET2
  virtual 192.168.8.3 tcp 345

!--- This is an example of a virtual server listening to port 345, while
!--- the default policy (the only policy configured for this virtual server)
!--- uses serverfarm FARM2, and real servers in FARM2 are configured
!--- for port translation to port 23 (see above).

  serverfarm FARM2
  persistent rebalance
  inservice
!
!
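
The policy evaluation order that the comments under vserver WEB describe (slb-policy TEST first, then slb-policy IE, then the default policy), modelled in Python as an added example that is not part of the original Cisco document. It assumes that `*` in a CSM match pattern behaves like a shell-style wildcard and that each map holds a single match statement; the vserver WEB_NO_DEFAULT and the sample requests are constructed for illustration.

```python
from fnmatch import fnmatchcase

# Maps, policies and virtual servers transcribed from the CSM configuration above.
# Assumption: '*' in a match pattern is modelled as a shell-style wildcard.
URL_MAPS = {"TEST": "*jpg*"}
HEADER_MAPS = {"IE": ("User-Agent", "*IE*")}
POLICIES = {
    "TEST": {"url_map": "TEST", "serverfarm": "FARM3"},
    "IE": {"header_map": "IE", "serverfarm": "FARM3"},
}
VSERVERS = {
    # slb-policy order is significant: the first policy that matches wins.
    "WEB": {"slb_policies": ["TEST", "IE"], "default_farm": "FARM1"},
    # Hypothetical variant (not in the configuration): no default serverfarm.
    "WEB_NO_DEFAULT": {"slb_policies": ["TEST", "IE"], "default_farm": None},
}


def policy_matches(policy, url, headers):
    """A policy matches only if every map attached to it matches."""
    url_map = policy.get("url_map")
    if url_map and not fnmatchcase(url, URL_MAPS[url_map]):
        return False
    header_map = policy.get("header_map")
    if header_map:
        name, pattern = HEADER_MAPS[header_map]
        value = headers.get(name)  # the header name must match exactly
        if value is None or not fnmatchcase(value, pattern):
            return False
    return True


def select_serverfarm(vserver, url, headers):
    """Return (policy, serverfarm); (None, None) means the session is discarded."""
    config = VSERVERS[vserver]
    for name in config["slb_policies"]:
        if policy_matches(POLICIES[name], url, headers):
            return name, POLICIES[name]["serverfarm"]
    if config["default_farm"] is not None:
        return "(default)", config["default_farm"]
    return None, None


if __name__ == "__main__":
    ie = {"User-Agent": "Mozilla/4.0 (compatible; MSIE 6.0)"}  # constructed
    other = {"User-Agent": "curl/7.0"}                          # constructed
    samples = [
        ("WEB", "/images/logo.jpg", ie),      # both maps match; TEST is first
        ("WEB", "/index.html", ie),           # only the header map matches
        ("WEB", "/index.html", other),        # no policy matches
        ("WEB_NO_DEFAULT", "/index.html", other),
    ]
    for vserver, url, headers in samples:
        policy, farm = select_serverfarm(vserver, url, headers)
        print(f"{vserver:15} {url:18} -> policy={policy} farm={farm or 'discarded'}")
```

The per-policy results can be compared with the Tot matches counters that show module csm 4 vservers detail reports for each policy.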

Catalyst 6000 - Physical and Logical Interfaces
!
interface GigabitEthernet1/1
 no ip address
 shutdown
!
==============================
!
interface FastEthernet8/1
 no ip address
 switchport
 switchport access vlan 176
 spanning-tree portfast
!

!--- Servers are connected to this port.

!
interface FastEthernet8/2
 no ip address
 switchport
 switchport access vlan 240
 spanning-tree portfast

!--- Clients are connected to this port.

==============================
interface Vlan1
 no ip address

!--- Default VLAN 1, cannot be configured in the CSM (CLI will prevent it).

!
interface Vlan50
 ip address 192.168.8.1 255.255.255.0

!--- Internal VLAN between MSFC and CSM.
!--- In this example, the MSFC on the client side of the CSM is used.
!--- Vlan50 is the client side VLAN of the CSM, and the CSM
!--- is pointing to int vlan 50 IP address as the default gateway.

!
interface Vlan176
 ip address 10.66.86.184 255.255.255.240

!--- Observe that VLAN 240 (CSM server side VLAN) is not created as
!--- a L3 entity on the MSFC. You do not want the MSFC
!--- to route between VLAN 50 and 240, thus skipping the CSM.
!--- VLAN 240 is created as a L2 entity in the switch
!--- (issue the show vlan command to verify this).
!--- VLAN 50 is also created as a L3 entity on the MSFC.
!--- In this example, the MSFC is used on the client side of the CSM.

Verify

This section provides information you can use to confirm that your configuration is working properly.

Verify
Router#
Router#sh mod csm 4 vser deta
WEB, type = SLB, state = OPERATIONAL, v_index = 19
  virtual = 192.168.8.3/32:80 bidir, TCP, service = NONE, advertise = FALSE

!--- 32 bits of mask is the default. The destination IP of incoming requests
!--- needs to be exactly the VIP.
!--- advertise = FALSE refers to the Route Health Injection feature,
!--- where VIPs are advertised with host routes by the MSFC
!--- (used on the client side).

  idle = 3600, replicate csrp = none, vlan = ALL, pending = 30

!--- 3600 seconds of idle timer.
!--- If no packets are sent over a specific session
!--- for the idle time, the CSM tears down that session.
!--- The idle timer is important, especially for non-TCP sessions
!--- where there is no explicit termination of the session.
!--- There is no replication configured. In this example, a standby CSM will
!--- simply monitor the active CSM and eventually become active, however, it
!--- will not learn sticky database, nor TCP state.
!--- The replication can be configured as none, sticky database, or TCP state.

!--- Traffic can come to this vserver from any VLAN.
!--- This is the default behaviour since no VLAN was specified in the config.

  max parse len = 2000, persist rebalance = TRUE

!--- Max depth of inspection (default 600 bytes, max 4000 bytes).

  conns = 0, total conns = 2

!--- Currently open connections and total connections that have been set up
!--- since the last reset of the counters (clear mod csm 4 counters).

  Default policy:
    server farm = FARM1, backup = 
    sticky: timer = 20, subnet = 0.0.0.0, group id = 10

!--- Default policy serverfarm and sticky config (this sticky config only applies
!--- to the default serverfarm; stickiness for the other policies needs
!--- to be configured in the various "policy" submodes).

  Policy          Tot matches  Client pkts  Server pkts
  -----------------------------------------------------
  TEST            1            3            6
  IE              2            10           3
  (default)       0            0            0

!--- Total number of connections that matched the various policies and
!--- number of packets sent by servers and clients.

TELNET, type = SLB, state = OPERATIONAL, v_index = 21
  virtual = 192.168.8.3/32:23 bidir, TCP, service = NONE, advertise = FALSE
  idle = 3600, replicate csrp = none, vlan = ALL, pending = 30
  max parse len = 2000, persist rebalance = TRUE
  ssl sticky offset = 0, length = 32
  conns = 0, total conns = 0
  Default policy:
    server farm = FARM1, backup = 
    sticky: timer = 0, subnet = 0.0.0.0, group id = 0
  Policy          Tot matches  Client pkts  Server pkts
  -----------------------------------------------------
  (default)       14           375          258          
 
TELNET2, type = SLB, state = OPERATIONAL, v_index = 22
  virtual = 192.168.8.3/32:345 bidir, TCP, service = NONE, advertise = FALSE
  idle = 3600, replicate csrp = none, vlan = ALL, pending = 30
  max parse len = 2000, persist rebalance = TRUE
  ssl sticky offset = 0, length = 32
  conns = 0, total conns = 0
  Default policy:
    server farm = FARM2, backup = 
    sticky: timer = 0, subnet = 0.0.0.0, group id = 0
  Policy          Tot matches  Client pkts  Server pkts
  -----------------------------------------------------
  (default)       5            24           19           
 
FTP, type = SLB, state = OPERATIONAL, v_index = 20
  virtual = 192.168.8.3/32:21 bidir, TCP, service = ftp, advertise = FALSE

!--- FTP service was configured for this virtual server that is
!--- listening on port 21.

  idle = 3600, replicate csrp = none, vlan = ALL, pending = 30
  max parse len = 2000, persist rebalance = TRUE
  ssl sticky offset = 0, length = 32
  conns = 0, total conns = 0
  Default policy:
    server farm = FARM3, backup = 
    sticky: timer = 0, subnet = 0.0.0.0, group id = 0
  Policy          Tot matches  Client pkts  Server pkts
  -----------------------------------------------------
  (default)        2            21           16           
 
Router#
Router#
Router#
Router#sh mod csm 4 sticky ?
  client  sticky associated with a specific client IP address
  config  list configured sticky groups
  cookie  sticky associated with a HTTP cookie value
  group   sticky associated with a specific group
  ssl     sticky associated with a SSL session id
  |       Output modifiers
  <cr>
 
Router#
Router#sh mod csm 4 real deta
10.66.86.242, FARM1, state = OPERATIONAL
  conns = 0, maxconns = 4294967295, minconns = 0

!--- There are 0 active connections to this real server.
!--- maxconns and minconns have their default values.
!--- If changed to something else, they enable the connection watermarks feature.
!--- No more than maxconns connections will ever be active on this real server.
!--- When the server has reached its maximum, then the CSM does not send to it
!--- any more new connections until the number of active connections drops
!--- below minconns.

  weight = 24, weight(admin) = 24, metric = 0, remainder = 0

!--- Admin weight is configured, weight is dynamic.
!--- If using Dynamic Feedback Protocol (DFP), the dynamic weight
!--- can be different from the admin.

  total conns established = 0, total conn failures = 0
10.66.86.245, FARM1, state = OPERATIONAL
  conns = 1, maxconns = 4294967295, minconns = 0
  weight = 8, weight(admin) = 8, metric = 0, remainder = 1
  total conns established = 193, total conn failures = 0
10.66.86.246, FARM1, state = OPERATIONAL
  conns = 0, maxconns = 4294967295, minconns = 0
  weight = 8, weight(admin) = 8, metric = 0, remainder = 0
  total conns established = 563, total conn failures = 0
10.66.86.248, FARM1, state = OPERATIONAL
  conns = 0, maxconns = 4294967295, minconns = 0
  weight = 8, weight(admin) = 8, metric = 0, remainder = 0
  total conns established = 455, total conn failures = 0
10.66.86.242:23, FARM2, state = OPERATIONAL
  conns = 0, maxconns = 4294967295, minconns = 0
  weight = 8, weight(admin) = 8, metric = 0, remainder = 0
  total conns established = 3, total conn failures = 0
10.66.86.246:23, FARM2, state = OPERATIONAL
  conns = 0, maxconns = 4294967295, minconns = 0
  weight = 8, weight(admin) = 8, metric = 0, remainder = 0
  total conns established = 2, total conn failures = 0
10.66.86.242, FARM3, state = OPERATIONAL
  conns = 0, maxconns = 4294967295, minconns = 0
  weight = 8, weight(admin) = 8, metric = 0, remainder = 0
  total conns established = 180, total conn failures = 0
10.66.86.245, FARM3, state = OPERATIONAL
  conns = 0, maxconns = 4294967295, minconns = 0
  weight = 8, weight(admin) = 8, metric = 0, remainder = 0
  total conns established = 179, total conn failures = 0
Router#
Router#
Router#
Router#
Router#sh mod csm 4 serv deta
FARM1, type = SLB, predictor = RoundRobin 
  nat = SERVER

!--- Default load balancing algorithm is round robin.
!--- Default NAT options are nat server (directed mode) but no nat client.

  virtuals inservice: 2, reals = 4, bind id = 0, fail action = none

!--- Two active virtual servers are using this serverfarm.

  inband health config: <none>
  retcode map = <none>
  Probes:
    PING, type = icmp
  Real servers:
    10.66.86.242, weight = 24, OPERATIONAL, conns = 0
    10.66.86.245, weight = 8, OPERATIONAL, conns = 1
    10.66.86.246, weight = 8, OPERATIONAL, conns = 0
    10.66.86.248, weight = 8, OPERATIONAL, conns = 0
  Total connections = 1

!--- This number indicates the active connections only.

FARM2, type = SLB, predictor = RoundRobin
  nat = SERVER
  virtuals inservice: 1, reals = 2, bind id = 0, fail action = none
  inband health config: <none>
  retcode map = <none>
  Real servers:
    10.66.86.242:23, weight = 8, OPERATIONAL, conns = 0
    10.66.86.246:23, weight = 8, OPERATIONAL, conns = 0
  Total connections = 0
 
FARM3, type = SLB, predictor = RoundRobin
  nat = SERVER
  virtuals inservice: 2, reals = 2, bind id = 0, fail action = none
  inband health config: <none>
  retcode map = <none>
  Real servers:
    10.66.86.242, weight = 8, OPERATIONAL, conns = 0
    10.66.86.245, weight = 8, OPERATIONAL, conns = 0
  Total connections = 0
 
Router#
Router#
Router#
Router#sh mod csm 4 arp

!--- This is a very useful command; it shows the ARP table of the CSM.
!--- Remember that this table is completely distinct from the MSFC ARP table.

Internet Address  Physical Interface  VLAN      Type       Status
--------------------------------------------------------------------
 10.66.86.241     00-30-F2-C9-EB-F8   240       LEARNED    up(0 misses)
 10.66.86.242     00-02-B3-9D-2C-B9   240       REAL       up(0 misses)
 10.66.86.243     00-11-25-AB-21-D2   240       LEARNED    up(0 misses)
 10.66.86.244     00-09-5B-1E-B5-D5   240       LEARNED    up(0 misses)

!--- 0 misses refers to the number of unanswered ARP requests by that device.
!--- In this case, all ARPs are receiving a response,
!--- so the server is well connected.

 10.66.86.245     00-0D-88-2F-67-E4   240       REAL       up(0 misses)
 10.66.86.246     00-02-B3-9D-2C-B9   240       REAL       up(0 misses)
 10.66.86.247     00-11-25-8D-2F-A8   240       LEARNED    up(0 misses)
 10.66.86.248     00-0D-88-2F-67-E4   240       REAL       up(0 misses)
 10.66.86.249     00-03-32-87-B7-B8   240       --SLB--    local
 10.66.86.250     00-02-2F-00-14-0C   240       LEARNED    up(0 misses)
 10.66.86.253     00-0D-60-0F-24-6A   240       LEARNED    up(0 misses)
 10.66.86.254     00-0D-60-0F-24-5C   240       LEARNED    up(0 misses)
 192.168.8.1      00-D0-D3-86-B8-0A   50        GATEWAY    up(0 misses)
 192.168.8.2      00-03-32-87-B7-B8   50        --SLB--    local
 192.168.8.3      00-03-32-87-B7-B7   0         VSERVER    local
 
Router#
Router#
Router#
Router#
Router#
Router#sh mod csm 4 ?
  arp           SLB arp cache listing
  capp          SLB Content Application Peering Protocol information
  conns         SLB connection information
  dfp           SLB DFP manager information
  ft            SLB ft information
  gslb          Global Server Load Balancing stats
  map           SLB map information
  memory        SLB memory information
  natpools      SLB client nat pool information
  owner         SLB owner information
  policy        SLB policy information
  probe         SLB probe information
  pvlan         SLB pvlan information
  reals         SLB real server information
  script        SLB script information
  serverfarms   SLB server farm information
  static        SLB static server NAT information
  stats         SLB Statistics
  status        SLB status information
  sticky        SLB sticky database
  tech-support  SLB tech debug information
  variable      SLB environment variables
  vlan          SLB vlan information
  vservers      SLB virtual server information
  xml-config    SLB XML-config information
 
Router#sh mod csm 4 policy ?
  name  slb policy name
  |     Output modifiers
  <cr>
 
Router#sh mod csm 4 policy
policy:               TEST
type:                 SLB
url map:              TEST
serverfarm:           FARM3
 
policy:               IE
type:                 SLB
header map:           IE
serverfarm:           FARM3
 
Router#
Router#sh mod csm 4 vlan deta
vlan   IP address       IP mask          type
---------------------------------------------------
50     192.168.8.2      255.255.255.0    CLIENT
  GATEWAYS
  192.168.8.1
240    10.66.86.249     255.255.255.240  SERVER
 
Router#
Router#

Troubleshoot

There is currently no specific troubleshooting information available for this configuration.

Document ID: 26220