Cisco Interfaces and Modules: Cisco Content Switching Module

Configuring the CSM in Router Mode with L7 Policies

October 17, 2016 - Machine Translation


Introduction

This document provides a sample configuration of the Content Switching Module (CSM) configured in router mode with Layer 7 (L7) policies.

The concept of the default policy is also explained in this document. The CSM is configured to drop server-originated connections. A simple ICMP probe is also configured.

Before You Begin

Conventions

For more information on document conventions, see the Cisco Technical Tips Conventions.

Prerequisites

There are no specific prerequisites for this document.

Components Used

This document is not restricted to specific software and hardware versions.

The information presented in this document was created from devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command before you use it.

Background Theory

Clients (or the upstream router that connects to the clients) and servers are typically on two different VLANs. Depending on how the IP subnets are configured, the CSM can operate in one of the following two modes:

  • Router mode: the client and server VLANs are configured as two different IP subnets. In a standard server load balancing (SLB) environment, the VIP belongs to the client IP subnet, and the servers belong to the server IP subnet, which cannot be reached directly from the client side. The CSM in router mode does not allow incoming requests to be passed on to the servers if they do not match a VIP.

  • Bridge mode: the client and server VLANs are part of the same IP subnet. The CSM bridges packets between those two VLANs. In a standard SLB environment, the VIPs and the servers are in the same IP subnet. All incoming requests that do not match a VIP are bridged to the paired VLAN (if the connection came from a client, it is sent to the server VLAN, and if the connection came from a server, it is sent to the client VLAN).

Configure

This section presents the information needed to configure the features described in this document. The following configurations all reside on the same Catalyst 6500 shown in the network diagram below. The configuration is broken into separate pieces to better illustrate which part refers specifically to the CSM and which part refers to the Layer 2/3 (L2/3) configuration (MSFC) of the Catalyst.

Note: To find additional information on the commands used in this document, use the Command Lookup Tool (registered customers only).

Network Diagram

This document uses the network setup shown in the following diagram.

[Figure: network diagram (csm-config.gif)]

Configurations

This document uses these configurations:

  • Catalyst 6000 - Slot 4 CSM

  • Catalyst 6000 - Physical and Logical Interfaces

Catalyst 6000 - Slot 4 CSM
module ContentSwitchingModule 4
 vlan 50 client
  ip address 192.168.8.2 255.255.255.0
  gateway 192.168.8.1

!--- Client side VLAN configuration for the CSM in slot 4.
!--- The gateway keyword refers to the MSFC interface VLAN 50 IP address.

!
 vlan 240 server
  ip address 10.66.86.249 255.255.255.240
  alias 10.66.86.250 255.255.255.240

!--- Server side VLAN configuration.
!--- The IP address is different from the one used for the client VLAN 240.
!--- The CSM is configured in router mode (two VLANs and two IP subnets).
!--- Bridge mode (two VLANs, only 1 IP subnet) is configured specifying
!--- the same exact IP address for a pair of client and server VLANs on the CSM.
!--- An alias is not necessary, however, it is a good practice, since it is required
!--- when migrating to a redundant configuration.
!--- In that case, active and standby CSMs have different IP addresses on the VLAN,
!--- however, they share the same alias.
!--- Real servers are configured to point to the alias as their default gateway.

 static drop
  real 10.66.86.240 255.255.255.240

!--- Server-originated connections from all servers in the 10.66.86.240 subnet
!--- are dropped. By default, server-originated connections are allowed and
!--- their source IP (the server IP address) is not modified.
!--- Other options are allowing server-originated connections with
!--- their source IP NATed to the VIP, or allowing server-originated connections
!--- with their source IP NATed to a pool of specific IP addresses.
!--- Note: The static command applies only
!--- to server originated connections, which do not hit any VIPs
!--- configured on the CSM.
 
!
 probe PING icmp
  interval 5
  failed 30

!--- This is an example of an Internet Control Message Protocol (ICMP) probe.
!--- Probes are sent out every interval (five) seconds.
!--- Once a server goes out of service, probes to that server are sent
!--- every failed (30) second to see if the server has come back online.
 
!
 serverfarm FARM1
  nat server

!--- nat server is the default configuration of a serverfarm.
!--- This means that the CSM performs directed mode
!--- (destination IP of incoming connections is changed from the VIP
!--- to the IP address of the selected server) for that serverfarm.
!--- Dispatch mode (only L2 rewrite) can be configured by
!--- issuing the no nat server command.

  no nat client

!--- no nat client is the default behavior for a serverfarm.
!--- The CSM by default does not change the source IP address of
!--- incoming requests.

  real 10.66.86.242
   weight 24
   inservice

!--- This is an example of a different weight (the default is eight).
!--- Remember that weights are relative to the weights of other real servers
!--- (weight of eight does not mean that eight consecutive requests are sent
!--- to the same server).
!--- Observe also that there is no port translation configured.
!--- A port translation is used to support a server listening to port 8080.
!--- You can also use real 10.66.86.242 8080 for the configuration.

  real 10.66.86.245
   inservice
  real 10.66.86.246
   inservice
  real 10.66.86.248
   inservice
  probe PING

!--- All the servers in the serverfarm are pinged every five seconds,
!--- according to the probe PING configured above.
!--- No predictor was specified, and the default is round robin.
  
 serverfarm FARM2
  nat server
  no nat client
  real 10.66.86.242 23
   inservice
  real 10.66.86.246 23
   inservice

!--- The real servers in FARM2 are an example of port translation.
 
!
 serverfarm FARM3
  nat server
  no nat client
  real 10.66.86.242
   inservice
  real 10.66.86.245
   inservice
!
 sticky 10 cookie cookiename timeout 20

!--- A sticky group (group number 10) is configured for cookie sticky
!--- with a timeout of 20 minutes.
 
!
 map TEST url
  match protocol http url *jpg*

!--- A URL map (also HTTP header and cookie maps are available) is created.
!--- This is the first step in the creation of a L7 policy.
!--- In this case, only one match sentence is configured. In general,
!--- multiple match sentences can be configured.
 
!
 map IE header
  match protocol http header User-Agent header-value *IE*

!--- This is another example of a map, in this case a HTTP header map.
!--- Observe that the header name needs to perfectly match the
!--- HTTP header field to be examined, while the header value is
!--- a regular expression.
 
!
 policy TEST
  url-map TEST
  serverfarm FARM3

!--- Creation of the policy named TEST. You can use the same name as
!--- the one of the map previously created, however, this is not a requirement.
!--- This is just a way to easily remember the association if only one map
!--- is associated with a policy.
!--- In general, a policy can include a url-map, a cookie-map, a header-map,
!--- a client-group, and so on.
!--- If all of these conditions match (in this example, only the condition
!--- url-map TEST), the policy has a match, and the specified
!--- serverfarm (FARM3) is used to fulfill that request.
 
!
 policy IE
  header-map IE
  serverfarm FARM3

 vserver WEB
  virtual 192.168.8.3 tcp www

!--- This is a creation of a simple virtual server.
!--- No IP mask has been specified and no VLAN of incoming traffic
!--- has been specified.
!--- This means that this is a simple VIP for standard server load balancing.
!--- Traffic coming from any VLAN and directed to that specific IP address
!--- (192.168.8.3) will match this VIP if it is TCP and if it is destined
!--- to port 80 (keyword www).

  serverfarm FARM1
  sticky 20 group 10

!--- Default Policy: This is very important. The two lines above refer
!--- to the default policy.
!--- If there are no other policies configured or if none of the configured
!--- slb-policies has a match, the default policy is used.
!--- In this case, the default policy is used only if neither
!--- slb-policy TEST nor slb-policy IE has a match.
!--- If there are no other matches, the farm FARM1 will be used,
!--- and the rules of sticky group 10 will be applied.
!--- If the default serverfarm is not configured for a virtual server,
!--- and if none of the slb-policies has a match, the session will be discarded.

  persistent rebalance

!--- Default behaviour for HTTP 1.1; if multiple GETs are present
!--- in the same TCP connection, the CSM will examine every GET.
!--- If the new GET needs to be sent to a different serverfarm,
!--- the connection with the current server is closed and
!--- a new connection with a new server is opened.
!--- This is completely transparent to the client.

  slb-policy TEST
  slb-policy IE

!--- This is an association of two previously configured policies to
!--- the virtual server WEB. The order is important.
!--- In this case, if TEST has a match, IE is not even considered,
!--- and the serverfarm associated with policy TEST is used.
!--- If stickiness had to be configured for these policies, this would
!--- be done at the policy level above (in the policy TEST submode
!--- for example).

  inservice

!--- All virtual servers need to be put in service.
 
!
 vserver FTP
  virtual 192.168.8.3 tcp ftp service ftp

!--- For FTP, the service ftp keyword needs
!--- to be specified. This instructs the CSM to monitor
!--- the control channel (port "ftp", 21),
!--- and figure out automatically the data port to be used, and map
!--- the data channel to the same real server.
!--- Both active and passive types of FTP are supported.

  serverfarm FARM3
  persistent rebalance
  inservice
!
 vserver TELNET
  virtual 192.168.8.3 tcp telnet
  serverfarm FARM1
  persistent rebalance
  inservice
!
 vserver TELNET2
  virtual 192.168.8.3 tcp 345

!--- This is an example of a virtual server listening to port 345, while
!--- the default policy (the only policy configured for this virtual server)
!--- uses serverfarm FARM2, and real servers in FARM2 are configured
!--- for port translation to port 23 (see above).

  serverfarm FARM2
  persistent rebalance
  inservice
!
!
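
The policy order and default-policy behavior described in the comments on virtual server WEB can be checked offline against a configuration. The following Python sketch is an added example, not part of the original Cisco document or of the CSM software; the function names, the glob-style handling of * patterns, and the rule that a map matches when any one of its statements matches are assumptions.

```python
from fnmatch import fnmatchcase

# Constructed input: virtual server WEB with its maps and policies, copied from
# the configuration above with the module-level indentation removed.
CONFIG = """\
map TEST url
 match protocol http url *jpg*
map IE header
 match protocol http header User-Agent header-value *IE*
policy TEST
 url-map TEST
 serverfarm FARM3
policy IE
 header-map IE
 serverfarm FARM3
vserver WEB
 virtual 192.168.8.3 tcp www
 serverfarm FARM1
 slb-policy TEST
 slb-policy IE
"""


def parse(text):
    """Parse maps, policies and virtual servers from CSM-style config text."""
    maps, policies, vservers = {}, {}, {}
    kind = entry = None
    for raw in text.splitlines():
        words = raw.split()
        if not words or words[0].startswith("!"):
            continue
        if not raw[0].isspace():  # an unindented line opens a new section
            kind, entry = words[0], None
            if kind == "map":
                entry = maps.setdefault(words[1], [])
            elif kind == "policy":
                entry = policies.setdefault(words[1], {"maps": [], "farm": None})
            elif kind == "vserver":
                entry = vservers.setdefault(words[1], {"default": None, "policies": []})
        elif kind == "map" and words[:3] == ["match", "protocol", "http"]:
            if words[3] == "url":
                entry.append(("url", None, words[4]))
            elif words[3] == "header":  # header <name> header-value <pattern>
                entry.append(("header", words[4], words[6]))
        elif kind == "policy" and words[0] in ("url-map", "header-map"):
            entry["maps"].append(words[1])
        elif kind == "policy" and words[0] == "serverfarm":
            entry["farm"] = words[1]
        elif kind == "vserver" and words[0] == "serverfarm":
            entry["default"] = words[1]
        elif kind == "vserver" and words[0] == "slb-policy":
            entry["policies"].append(words[1])
    return maps, policies, vservers


def map_matches(statements, url, headers):
    """Assumption: a map matches when any one of its match statements matches,
    and '*' patterns behave like shell globs (fnmatch)."""
    for field, name, pattern in statements:
        value = url if field == "url" else headers.get(name)
        if value is not None and fnmatchcase(value, pattern):
            return True
    return False


def select_farm(config, vserver, url, headers):
    """Return (policy, serverfarm); serverfarm None means the session is discarded."""
    maps, policies, vservers = config
    vs = vservers[vserver]
    for name in vs["policies"]:  # slb-policy lines are tried in configured order
        policy = policies[name]
        if all(map_matches(maps[m], url, headers) for m in policy["maps"]):
            return name, policy["farm"]
    return "(default)", vs["default"]  # default policy, or None if not configured
```
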

Catalyst 6000 - Physical and Logical Interfaces
!
interface GigabitEthernet1/1
 no ip address
 shutdown
!
==============================
!
interface FastEthernet8/1
 no ip address
 switchport
 switchport access vlan 176
 spanning-tree portfast
!

!--- Servers are connected to this port.
 
!
interface FastEthernet8/2
 no ip address
 switchport
 switchport access vlan 240
 spanning-tree portfast

!--- Clients are connected to this port.
 
==============================
interface Vlan1
 no ip address

!--- Default VLAN 1, cannot be configured in the CSM (CLI will prevent it).
 
!
interface Vlan50
 ip address 192.168.8.1 255.255.255.0

!--- Internal VLAN between MSFC and CSM.
!--- In this example, the MSFC on the client side of the CSM is used.
!--- Vlan50 is the client side VLAN of the CSM, and the CSM
!--- is pointing to int vlan 50 IP address as the default gateway.
 
!
interface Vlan176
 ip address 10.66.86.184 255.255.255.240

!--- Observe that VLAN 240 (CSM server side VLAN) is not created as
!--- a L3 entity on the MSFC. You do not want the MSFC
!--- to route between VLAN 50 and 240, thus skipping the CSM.
!--- VLAN 240 is created as a L2 entity in the switch
!--- (issue the show vlan command to verify this).
!--- VLAN 50 is also created as a L3 entity on the MSFC.
!--- In this example, the MSFC is used on the client side of the CSM.
 

Verify

This section provides information you can use to confirm that your configuration is working properly.

Verification
Router#
Router#sh mod csm 4 vser deta
WEB, type = SLB, state = OPERATIONAL, v_index = 19
  virtual = 192.168.8.3/32:80 bidir, TCP, service = NONE, advertise = FALSE

!--- 32 bits of mask is the default. The destination IP of incoming requests
!--- needs to be exactly the VIP.
!--- advertise = FALSE refers to the Route Health Injection feature,
!--- where VIPs are advertised with host routes by the MSFC
!--- (used on the client side).
 
  idle = 3600, replicate csrp = none, vlan = ALL, pending = 30

!--- 3600 seconds of idle timer.
!--- If no packets are sent over a specific session
!--- for the idle time, the CSM tears down that session.
!--- The idle timer is important, especially for non-TCP sessions
!--- where there is no explicit termination of the session.
!--- There is no replication configured. In this example, a standby CSM will
!--- simply monitor the active CSM and eventually become active, however, it
!--- will not learn sticky database, nor TCP state.
!--- The replication can be configured as none, sticky database, or TCP state.
!--- Traffic can come to this vserver from any VLAN.
!--- This is the default behaviour since no VLAN was specified in the config.
 
  max parse len = 2000, persist rebalance = TRUE

!--- Max depth of inspection (default 600 bytes, max 4000 bytes).
 
  conns = 0, total conns = 2

!--- Currently open connections and total connections that have been set up
!--- since the last reset of the counters (clear mod csm 4 counters).
 
  Default policy:
    server farm = FARM1, backup = 
    sticky: timer = 20, subnet = 0.0.0.0, group id = 10

!--- Default policy serverfarm and sticky config (this sticky config only applies
!--- to the default serverfarm; stickiness for the other policies needs
!--- to be configured in the various "policy" submodes).
 
  Policy          Tot matches  Client pkts  Server pkts
  -----------------------------------------------------
  TEST            1            3            6
  IE              2            10           3
  (default)       0            0            0

!--- Total number of connections that matched the various policies and
!--- number of packets sent by servers and clients.
 
TELNET, type = SLB, state = OPERATIONAL, v_index = 21
  virtual = 192.168.8.3/32:23 bidir, TCP, service = NONE, advertise = FALSE
  idle = 3600, replicate csrp = none, vlan = ALL, pending = 30
  max parse len = 2000, persist rebalance = TRUE
  ssl sticky offset = 0, length = 32
  conns = 0, total conns = 0
  Default policy:
    server farm = FARM1, backup = 
    sticky: timer = 0, subnet = 0.0.0.0, group id = 0
  Policy          Tot matches  Client pkts  Server pkts
  -----------------------------------------------------
  (default)       14           375          258          
 
TELNET2, type = SLB, state = OPERATIONAL, v_index = 22
  virtual = 192.168.8.3/32:345 bidir, TCP, service = NONE, advertise = FALSE
  idle = 3600, replicate csrp = none, vlan = ALL, pending = 30
  max parse len = 2000, persist rebalance = TRUE
  ssl sticky offset = 0, length = 32
  conns = 0, total conns = 0
  Default policy:
    server farm = FARM2, backup = 
    sticky: timer = 0, subnet = 0.0.0.0, group id = 0
  Policy          Tot matches  Client pkts  Server pkts
  -----------------------------------------------------
  (default)       5            24           19           
 
FTP, type = SLB, state = OPERATIONAL, v_index = 20
  virtual = 192.168.8.3/32:21 bidir, TCP, service = ftp, advertise = FALSE

!--- FTP service was configured for this virtual server that is
!--- listening on port 21.
 
  idle = 3600, replicate csrp = none, vlan = ALL, pending = 30
  max parse len = 2000, persist rebalance = TRUE
  ssl sticky offset = 0, length = 32
  conns = 0, total conns = 0
  Default policy:
    server farm = FARM3, backup = 
    sticky: timer = 0, subnet = 0.0.0.0, group id = 0
  Policy          Tot matches  Client pkts  Server pkts
  -----------------------------------------------------
  (default)        2            21           16           
 
Router#
Router#
Router#
Router#sh mod csm 4 sticky ?
  client  sticky associated with a specific client IP address
  config  list configured sticky groups
  cookie  sticky associated with a HTTP cookie value
  group   sticky associated with a specific group
  ssl     sticky associated with a SSL session id
  |       Output modifiers
  <cr>
 
Router#
Router#sh mod csm 4 real deta
10.66.86.242, FARM1, state = OPERATIONAL
  conns = 0, maxconns = 4294967295, minconns = 0

!--- There are 0 active connections to this real server.
!--- maxconns and minconns have their default values.
!--- If changed to something else, they enable the connection watermarks feature.
!--- No more than maxconns connections will ever be active on this real server.
!--- When the server has reached its maximum, then the CSM does not send to it
!--- any more new connections until the number of active connections drops
!--- below minconns.
 
  weight = 24, weight(admin) = 24, metric = 0, remainder = 0

!--- Admin weight is configured, weight is dynamic.
!--- If using Dynamic Feedback Protocol (DFP), the dynamic weight
!--- can be different from the admin.
 
  total conns established = 0, total conn failures = 0
10.66.86.245, FARM1, state = OPERATIONAL
  conns = 1, maxconns = 4294967295, minconns = 0
  weight = 8, weight(admin) = 8, metric = 0, remainder = 1
  total conns established = 193, total conn failures = 0
10.66.86.246, FARM1, state = OPERATIONAL
  conns = 0, maxconns = 4294967295, minconns = 0
  weight = 8, weight(admin) = 8, metric = 0, remainder = 0
  total conns established = 563, total conn failures = 0
10.66.86.248, FARM1, state = OPERATIONAL
  conns = 0, maxconns = 4294967295, minconns = 0
  weight = 8, weight(admin) = 8, metric = 0, remainder = 0
  total conns established = 455, total conn failures = 0
10.66.86.242:23, FARM2, state = OPERATIONAL
  conns = 0, maxconns = 4294967295, minconns = 0
  weight = 8, weight(admin) = 8, metric = 0, remainder = 0
  total conns established = 3, total conn failures = 0
10.66.86.246:23, FARM2, state = OPERATIONAL
  conns = 0, maxconns = 4294967295, minconns = 0
  weight = 8, weight(admin) = 8, metric = 0, remainder = 0
  total conns established = 2, total conn failures = 0
10.66.86.242, FARM3, state = OPERATIONAL
  conns = 0, maxconns = 4294967295, minconns = 0
  weight = 8, weight(admin) = 8, metric = 0, remainder = 0
  total conns established = 180, total conn failures = 0
10.66.86.245, FARM3, state = OPERATIONAL
  conns = 0, maxconns = 4294967295, minconns = 0
  weight = 8, weight(admin) = 8, metric = 0, remainder = 0
  total conns established = 179, total conn failures = 0
Router#
Router#
Router#
Router#
Router#sh mod csm 4 serv deta
FARM1, type = SLB, predictor = RoundRobin 
  nat = SERVER

!--- Default load balancing algorithm is round robin.
!--- Default NAT options are nat server (directed mode) but no nat client.
 
  virtuals inservice: 2, reals = 4, bind id = 0, fail action = none

!--- Two active virtual servers are using this serverfarm.
 
  inband health config: <none>
  retcode map = <none>
  Probes:
    PING, type = icmp
  Real servers:
    10.66.86.242, weight = 24, OPERATIONAL, conns = 0
    10.66.86.245, weight = 8, OPERATIONAL, conns = 1
    10.66.86.246, weight = 8, OPERATIONAL, conns = 0
    10.66.86.248, weight = 8, OPERATIONAL, conns = 0
  Total connections = 1

!--- This number indicates the active connections only.
 
FARM2, type = SLB, predictor = RoundRobin
  nat = SERVER
  virtuals inservice: 1, reals = 2, bind id = 0, fail action = none
  inband health config: <none>
  retcode map = <none>
  Real servers:
    10.66.86.242:23, weight = 8, OPERATIONAL, conns = 0
    10.66.86.246:23, weight = 8, OPERATIONAL, conns = 0
  Total connections = 0
 
FARM3, type = SLB, predictor = RoundRobin
  nat = SERVER
  virtuals inservice: 2, reals = 2, bind id = 0, fail action = none
  inband health config: <none>
  retcode map = <none>
  Real servers:
    10.66.86.242, weight = 8, OPERATIONAL, conns = 0
    10.66.86.245, weight = 8, OPERATIONAL, conns = 0
  Total connections = 0
 
Router#
Router#
Router#
Router#sh mod csm 4 arp

!--- This is a very useful command; it shows the ARP table of the CSM.
!--- Remember that this table is completely distinct from the MSFC ARP table.
 
Internet Address  Physical Interface  VLAN      Type       Status
--------------------------------------------------------------------
 10.66.86.241     00-30-F2-C9-EB-F8   240       LEARNED    up(0 misses)
 10.66.86.242     00-02-B3-9D-2C-B9   240       REAL       up(0 misses)
 10.66.86.243     00-11-25-AB-21-D2   240       LEARNED    up(0 misses)
 10.66.86.244     00-09-5B-1E-B5-D5   240       LEARNED    up(0 misses)

!--- 0 misses refers to the number of unanswered ARP requests by that device.
!--- In this case, all ARPs are receiving a response,
!--- so the server is well connected.
 
 10.66.86.245     00-0D-88-2F-67-E4   240       REAL       up(0 misses)
 10.66.86.246     00-02-B3-9D-2C-B9   240       REAL       up(0 misses)
 10.66.86.247     00-11-25-8D-2F-A8   240       LEARNED    up(0 misses)
 10.66.86.248     00-0D-88-2F-67-E4   240       REAL       up(0 misses)
 10.66.86.249     00-03-32-87-B7-B8   240       --SLB--    local
 10.66.86.250     00-02-2F-00-14-0C   240       LEARNED    up(0 misses)
 10.66.86.253     00-0D-60-0F-24-6A   240       LEARNED    up(0 misses)
 10.66.86.254     00-0D-60-0F-24-5C   240       LEARNED    up(0 misses)
 192.168.8.1      00-D0-D3-86-B8-0A   50        GATEWAY    up(0 misses)
 192.168.8.2      00-03-32-87-B7-B8   50        --SLB--    local
 192.168.8.3      00-03-32-87-B7-B7   0         VSERVER    local
 
Router#
Router#
Router#
Router#
Router#
Router#sh mod csm 4 ?
  arp           SLB arp cache listing
  capp          SLB Content Application Peering Protocol information
  conns         SLB connection information
  dfp           SLB DFP manager information
  ft            SLB ft information
  gslb          Global Server Load Balancing stats
  map           SLB map information
  memory        SLB memory information
  natpools      SLB client nat pool information
  owner         SLB owner information
  policy        SLB policy information
  probe         SLB probe information
  pvlan         SLB pvlan information
  reals         SLB real server information
  script        SLB script information
  serverfarms   SLB server farm information
  static        SLB static server NAT information
  stats         SLB Statistics
  status        SLB status information
  sticky        SLB sticky database
  tech-support  SLB tech debug information
  variable      SLB environment variables
  vlan          SLB vlan information
  vservers      SLB virtual server information
  xml-config    SLB XML-config information
 
Router#sh mod csm 4 policy ?
  name  slb policy name
  |     Output modifiers
  <cr>
 
Router#sh mod csm 4 policy
policy:               TEST
type:                 SLB
url map:              TEST
serverfarm:           FARM3
 
policy:               IE
type:                 SLB
header map:           IE
serverfarm:           FARM3
 
Router#
Router#sh mod csm 4 vlan deta
vlan   IP address       IP mask          type
---------------------------------------------------
50     192.168.8.2      255.255.255.0    CLIENT
  GATEWAYS
  192.168.8.1
240    10.66.86.249     255.255.255.240  SERVER
 
Router#
Router#

Troubleshoot

There is currently no specific troubleshooting information available for this configuration.




Document ID: 26220