Catalyst 6500 Series Switch Content Switching Module with SSL (CSM-S) Installation and Configuration Note
Configuration Examples

CSM-S Configuration Examples


This chapter describes how to configure firewall load balancing and contains these sections:

Configuring the Router Mode with the MSFC on the Client Side

Configuring the Bridged Mode with the MSFC on the Client Side

Configuring the Probes

Configuring the Source NAT for Server-Originated Connections to the VIP

Configuring Session Persistence (Stickiness)

Configuring Direct Access to Servers in Router Mode

Configuring Server-to-Server Load-Balanced Connections

Configuring Route Health Injection

Configuring the Server Names

Configuring a Backup Server Farm

Configuring a Load-Balancing Decision Based on the Source IP Address

Configuring Layer 7 Load Balancing

Configuring HTTP Redirect

Each example in this appendix includes only the relevant portions of the configuration. In some cases, portions of the Layer 2 and Layer 3 Catalyst switch configuration are also included. Comment lines start with # and can be pasted into the configuration once you are in configuration mode after entering the configure terminal command.

Make sure that you create all the VLANs used in the CSM-S configuration on the switch using the vlan command.

Configuring the Router Mode with the MSFC on the Client Side

This example provides configuration parameters for setting up the router mode:

module ContentSwitchingModule 5 
 vlan 220 server
  ip address 10.20.220.2 255.255.255.0
  alias 10.20.220.1 255.255.255.0

# The servers' default gateway is the alias IP address
# Alias IP addresses are needed any time that you are
# configuring a redundant system.
# However, it is a good practice to always use an
# alias IP address so that a standby CSM-S can easily
# be added without changes to the IP addressing scheme.

!
 vlan 221 client
  ip address 10.20.221.5 255.255.255.0
  gateway 10.20.221.1

# The CSM-S default gateway in this config is the
# MSFC IP address on that VLAN

!
 serverfarm WEBFARM
  nat server 
  no nat client
  real 10.20.220.10
   inservice
  real 10.20.220.20
   inservice
  real 10.20.220.30
   no inservice
!
 vserver WEB
  virtual 10.20.221.100 tcp www
  serverfarm WEBFARM
  persistent rebalance
  inservice

# "persistent rebalance" is effective ONLY when performing
# L7 load balancing (parsing of URLs, cookies, header, ...)
# and only for HTTP 1.1 connections.
# It tells the CSM-S to parse and eventually make a new
# load balancing decision for each GET within the same
# TCP connection.

interface FastEthernet2/2
 no ip address
 switchport
 switchport access vlan 220

# The above is the port that connects to the real servers

interface FastEthernet2/24
 ip address 10.20.1.1 255.255.255.0

# The above is the interface that connects to the client side network

interface Vlan221
 ip address 10.20.221.1 255.255.255.0

# The above is the MSFC interface for the internal VLAN used
# for MSFC-CSM-S communication

This example shows the output of the show commands:

Cat6k-2# show module csm 5 arp

Internet Address  Physical Interface  VLAN      Type       Status
--------------------------------------------------------------------
 10.20.220.1      00-02-FC-E1-68-EB   220       -ALIAS-    local
 10.20.220.2      00-02-FC-E1-68-EC   220       --SLB--    local
 10.20.220.10     00-D0-B7-A0-81-D8   220       REAL       up(0 misses)
 10.20.221.1      00-02-FC-CB-70-0A   221       GATEWAY    up(0 misses)
 10.20.221.5      00-02-FC-E1-68-EC   221       --SLB--    local
 10.20.220.20     00-D0-B7-A0-81-D8   220       REAL       up(0 misses)
 10.20.220.30     00-D0-B7-A0-81-D8   220       REAL       up(0 misses)
 10.20.221.100    00-02-FC-E1-68-EB   0         VSERVER    local

Cat6k-2# show module csm 5 vlan detail
vlan   IP address       IP mask          type      
---------------------------------------------------
220    10.20.220.2      255.255.255.0    SERVER
  ALIASES
  IP address       IP mask
  --------------------------------
  10.20.220.1      255.255.255.0    
221    10.20.221.5      255.255.255.0    CLIENT
  GATEWAYS
  10.20.221.1      
Cat6k-2# 
Cat6k-2# show module csm 5 real   

real                  server farm      weight  state          conns/hits
-------------------------------------------------------------------------
10.20.220.10          WEBFARM          8       OPERATIONAL    0        
10.20.220.20          WEBFARM          8       OPERATIONAL    0        
10.20.220.30          WEBFARM          8       OUTOFSERVICE   0        
Cat6k-2# 
Cat6k-2# show module csm 5 real detail
10.20.220.10, WEBFARM, state = OPERATIONAL
  conns = 0, maxconns = 4294967295, minconns = 0
  weight = 8, weight(admin) = 8, metric = 0, remainder = 0
  total conns established = 5, total conn failures = 0
10.20.220.20, WEBFARM, state = OPERATIONAL
  conns = 0, maxconns = 4294967295, minconns = 0
  weight = 8, weight(admin) = 8, metric = 0, remainder = 0
  total conns established = 5, total conn failures = 0
10.20.220.30, WEBFARM, state = OUTOFSERVICE
  conns = 0, maxconns = 4294967295, minconns = 0
  weight = 8, weight(admin) = 8, metric = 0, remainder = 0
  total conns established = 0, total conn failures = 0

Cat6k-2# 
Cat6k-2# show module csm 5 vserver detail
WEB, type = SLB, state = OPERATIONAL, v_index = 17
  virtual = 10.20.221.100/32:80 bidir, TCP, service = NONE, advertise = FALSE
  idle = 3600, replicate csrp = none, vlan = ALL, pending = 30, layer 4
  max parse len = 2000, persist rebalance = TRUE
  ssl sticky offset = 0, length = 32
  conns = 0, total conns = 10
  Default policy:
    server farm = WEBFARM, backup = <not assigned>
    sticky: timer = 0, subnet = 0.0.0.0, group id = 0
  Policy          Tot matches  Client pkts  Server pkts
  -----------------------------------------------------
  (default)       10           50           50           

Cat6k-2# 
Cat6k-2# show module csm 5 stats
Connections Created:        28
Connections Destroyed:      28
Connections Current:        0
Connections Timed-Out:      0
Connections Failed:         0
Server initiated Connections:
      Created: 0, Current: 0, Failed: 0
L4 Load-Balanced Decisions: 27
L4 Rejected Connections:    1
L7 Load-Balanced Decisions: 0
L7 Rejected Connections:
      Total: 0, Parser: 0,
      Reached max parse len: 0, Cookie out of mem: 0,
      Cfg version mismatch: 0, Bad SSL2 format: 0
L4/L7 Rejected Connections:
      No policy: 1, No policy match 0,
      No real: 0, ACL denied 0,
      Server initiated: 0
Checksum Failures:  IP: 0, TCP: 0
Redirect Connections: 0,  Redirect Dropped: 0
FTP Connections:            0
MAC Frames:
      Tx: Unicast: 345, Multicast: 5, Broadcast: 25844,
          Underflow Errors: 0
      Rx: Unicast: 1841, Multicast: 448118, Broadcast: 17,
          Overflow Errors: 0, CRC Errors: 0

Configuring the Bridged Mode with the MSFC on the Client Side

This example provides configuration parameters for configuring bridged mode:

module ContentSwitchingModule 5 
 vlan 221 client
  ip address 10.20.220.2 255.255.255.0
  gateway 10.20.220.1
!
 vlan 220 server
  ip address 10.20.220.2 255.255.255.0

# Two VLANs with the same IP address are bridged together.

!
 serverfarm WEBFARM
  nat server 
  no nat client
  real 10.20.220.10
   inservice
  real 10.20.220.20
   inservice
  real 10.20.220.30
   no inservice
!
 vserver WEB
  virtual 10.20.220.100 tcp www
  serverfarm WEBFARM
  persistent rebalance
  inservice

interface FastEthernet2/2
 no ip address
 switchport
 switchport access vlan 220

# The above is the port that connects to the real servers

interface FastEthernet2/24
 ip address 10.20.1.1 255.255.255.0

# The above is the MSFC interface that connects to the client side network

interface Vlan221
 ip address 10.20.220.1 255.255.255.0

# The above is the MSFC interface for the internal VLAN used
# for MSFC-CSM-S communication.
# The servers use this IP address as their default gateway
# since the CSM-S is bridging between the client and server VLANs

This example shows the output of the show commands:

Cat6k-2# show module csm 5 arp

Internet Address  Physical Interface  VLAN      Type       Status
--------------------------------------------------------------------
 10.20.220.1      00-02-FC-CB-70-0A   221       GATEWAY    up(0 misses)
 10.20.220.2      00-02-FC-E1-68-EC   221/220   --SLB--    local
 10.20.220.10     00-D0-B7-A0-81-D8   220       REAL       up(0 misses)
 10.20.220.20     00-D0-B7-A0-81-D8   220       REAL       up(0 misses)
 10.20.220.30     00-D0-B7-A0-81-D8   220       REAL       up(0 misses)
 10.20.220.100    00-02-FC-E1-68-EB   0         VSERVER    local

Configuring the Probes

This example provides configuration parameters for configuring probes:

module ContentSwitchingModule 5 
 vlan 220 server
  ip address 10.20.220.2 255.255.255.0
  alias 10.20.220.1 255.255.255.0
!
 vlan 221 client
  ip address 10.20.221.5 255.255.255.0
  gateway 10.20.221.1
!
 probe PING icmp
  interval 5 
  failed 10 
  receive 4 

# Interval between the probes is 5 seconds for healthy servers
# while it is 10 seconds for failed servers.
# The servers need to reply within 4 seconds.

!
 probe TCP tcp
  interval 5 
  failed 10 
  open 4 

# The servers need to open the TCP connection within 4 seconds.

!
 probe HTTP http
  request method head url /probe/http_probe.html 
  expect status 200 299
  interval 20 
  port 80 

# The port for the probe is inherited from the vservers.
# The port is necessary in this case, since the same farm
# is serving a vserver on port 80 and one on port 23.
# If the "port 80" parameter is removed, the HTTP probe
# will be sent out on both ports 80 and 23, thus failing
# on port 23 which does not serve HTTP requests.

 probe PING-SERVER-30 icmp
  interval 5 
  failed 10 
!
 serverfarm WEBFARM
  nat server 
  no nat client
  real 10.20.220.10
   inservice
  real 10.20.220.20
   inservice
  real 10.20.220.30
   health probe PING-SERVER-30
   inservice
  probe PING
  probe TCP
  probe HTTP
!
 vserver TELNET
  virtual 10.20.221.100 tcp telnet
  serverfarm WEBFARM
  persistent rebalance
  inservice
!
 vserver WEB
  virtual 10.20.221.100 tcp www
  serverfarm WEBFARM
  persistent rebalance
  inservice
!

This example shows the output of the show commands:

Cat6k-2# show module csm 5 probe

probe           type    port  interval retries failed  open   receive
---------------------------------------------------------------------
PING            icmp          5        3       10             4      
TCP             tcp           5        3       10      4             
HTTP            http    80    20       3       300     10     10     
PING-SERVER-30  icmp          5        3       10             10     

Cat6k-2# show module csm 5 probe detail
probe           type    port  interval retries failed  open   receive
---------------------------------------------------------------------
PING            icmp          5        3       10             4      
 real                  vserver         serverfarm      policy          status
 ------------------------------------------------------------------------------
 10.20.220.30:80       WEB             WEBFARM         (default)       OPERABLE
 10.20.220.20:80       WEB             WEBFARM         (default)       OPERABLE
 10.20.220.10:80       WEB             WEBFARM         (default)       OPERABLE
 10.20.220.30:23       TELNET          WEBFARM         (default)       OPERABLE
 10.20.220.20:23       TELNET          WEBFARM         (default)       OPERABLE
 10.20.220.10:23       TELNET          WEBFARM         (default)       OPERABLE
TCP             tcp           5        3       10      4             
 real                  vserver         serverfarm      policy          status
 ------------------------------------------------------------------------------
 10.20.220.30:80       WEB             WEBFARM         (default)       OPERABLE
 10.20.220.20:80       WEB             WEBFARM         (default)       OPERABLE
 10.20.220.10:80       WEB             WEBFARM         (default)       OPERABLE
 10.20.220.30:23       TELNET          WEBFARM         (default)       OPERABLE
 10.20.220.20:23       TELNET          WEBFARM         (default)       OPERABLE
 10.20.220.10:23       TELNET          WEBFARM         (default)       OPERABLE
HTTP            http    80    20       3       300     10     10     
 Probe Request:  HEAD       /probe/http_probe.html
 Expected Status Codes:
  200 to 299
 real                  vserver         serverfarm      policy          status
 ------------------------------------------------------------------------------
 10.20.220.30:80       WEB             WEBFARM         (default)       OPERABLE
 10.20.220.20:80       WEB             WEBFARM         (default)       FAILED
 10.20.220.10:80       WEB             WEBFARM         (default)       OPERABLE
 10.20.220.30:80       TELNET          WEBFARM         (default)       OPERABLE
 10.20.220.20:80       TELNET          WEBFARM         (default)       FAILED
 10.20.220.10:80       TELNET          WEBFARM         (default)       OPERABLE
PING-SERVER-30  icmp          5        3       10             10     
 real                  vserver         serverfarm      policy          status
 ------------------------------------------------------------------------------
 10.20.220.30:80       WEB             WEBFARM         (default)       OPERABLE
 10.20.220.30:23       TELNET          WEBFARM         (default)       OPERABLE

Cat6k-2# show module csm 5 real        

real                  server farm      weight  state          conns/hits
-------------------------------------------------------------------------
10.20.220.10          WEBFARM          8       OPERATIONAL    0        
10.20.220.20          WEBFARM          8       PROBE_FAILED   0        
10.20.220.30          WEBFARM          8       OPERATIONAL    0 

Configuring the Source NAT for Server-Originated Connections to the VIP

This example shows a situation where the servers have open connections to the same VIP address that clients access. Because the servers are balanced back to themselves, the source NAT is required. To set the source NAT, use the vlan parameter in the virtual server configuration to distinguish the VLAN where the connection is originated. A different server farm is then used to handle server-originated connections. Source NAT is configured for that server farm. No source NAT is used for client-originated connections so that the servers can log the real client IPs.


Note: You should use a similar configuration when the server-to-server load-balanced connections need to be supported with the source and destination servers located in the same VLAN.


module ContentSwitchingModule 5 
 vlan 220 server
  ip address 10.20.220.2 255.255.255.0
  alias 10.20.220.1 255.255.255.0
!
 vlan 221 client
  ip address 10.20.221.5 255.255.255.0
  gateway 10.20.221.1
!
 natpool POOL-1 10.20.220.99 10.20.220.99 netmask 255.255.255.0
!
 serverfarm FARM
  nat server 
  no nat client
  real 10.20.220.10
   inservice
  real 10.20.220.20
   inservice
  real 10.20.220.30
   inservice
!         
 serverfarm FARM2
  nat server 
  nat client POOL-1 
  real 10.20.220.10
   inservice
  real 10.20.220.20
   inservice
  real 10.20.220.30
   inservice
!
 vserver FROM-CLIENTS
  virtual 10.20.221.100 tcp telnet
  vlan 221
  serverfarm FARM
  persistent rebalance
  inservice
!
 vserver FROM-SERVERS
  virtual 10.20.221.100 tcp telnet
  vlan 220
  serverfarm FARM2
  persistent rebalance
  inservice

This example shows the output of the show commands:

Cat6k-2# show module csm 5 vser 
vserver         type  prot virtual                  vlan state        conns
---------------------------------------------------------------------------
FROM-CLIENTS    SLB   TCP  10.20.221.100/32:23      221  OPERATIONAL  1       
FROM-SERVERS    SLB   TCP  10.20.221.100/32:23      220  OPERATIONAL  1       

Cat6k-2# show module csm 5 conn detail

    prot vlan source                destination           state       
----------------------------------------------------------------------
In  TCP  220  10.20.220.10:32858    10.20.221.100:23      ESTAB       
Out TCP  220  10.20.220.20:23       10.20.220.99:8193     ESTAB       
    vs = FROM-SERVERS, ftp = No, csrp = False

In  TCP  221  10.20.1.100:42443     10.20.221.100:23      ESTAB       
Out TCP  220  10.20.220.10:23       10.20.1.100:42443     ESTAB       
    vs = FROM-CLIENTS, ftp = No, csrp = False

# The command shows the open connections and how they are translated.
#
# For each connection, both halves of the connection are shown.
# The output for the second half of each connection
# swaps the source and destination IP:port.
#
# The connection originated by server 10.20.220.10 is source-NAT'ed
# and source-PAT'ed (its L4 source port also needs to be translated).
# Its source IP changes from 10.20.220.10 to 10.20.220.99.
# Its source L4 port changes from 32858 to 8193.

Cat6k-2# show module csm 5 real       

real                  server farm      weight  state          conns/hits
-------------------------------------------------------------------------
10.20.220.10          FARM             8       OPERATIONAL    1        
10.20.220.20          FARM             8       OPERATIONAL    0        
10.20.220.30          FARM             8       OPERATIONAL    0        
10.20.220.10          FARM2            8       OPERATIONAL    0        
10.20.220.20          FARM2            8       OPERATIONAL    1        
10.20.220.30          FARM2            8       OPERATIONAL    0        

Cat6k-2# show module csm 5 natpool       
nat client POOL-1  10.20.220.99  10.20.220.99  netmask 255.255.255.0 

Cat6k-2# show module csm 5 serverfarm

server farm      type     predictor    nat   reals   redirect  bind id
----------------------------------------------------------------------
FARM             SLB      RoundRobin   S     3       0         0      
FARM2            SLB      RoundRobin   S,C   3       0         0 
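
Added example, not part of the original Cisco document: a Python parser for the show module csm 5 conn detail output that pairs the In and Out halves of each connection and reports which translations were applied, so you can list the connections whose originator IP a real server cannot log. The sample lines are copied from this page (the third connection comes from the direct-access example); the names parse_conns, Conn and hidden_origins are assumptions of this example.

```python
import re
from dataclasses import dataclass

# Copied from "show module csm 5 conn detail" output on this page: the two
# connections of the source NAT example, then the DIRECT-ACCESS connection.
SAMPLE = """\
    prot vlan source                destination           state
----------------------------------------------------------------------
In  TCP  220  10.20.220.10:32858    10.20.221.100:23      ESTAB
Out TCP  220  10.20.220.20:23       10.20.220.99:8193     ESTAB
    vs = FROM-SERVERS, ftp = No, csrp = False

In  TCP  221  10.20.1.100:42443     10.20.221.100:23      ESTAB
Out TCP  220  10.20.220.10:23       10.20.1.100:42443     ESTAB
    vs = FROM-CLIENTS, ftp = No, csrp = False

In  TCP  221  10.20.1.100:44268     10.20.220.10:23       ESTAB
Out TCP  220  10.20.220.10:23       10.20.1.100:44268     ESTAB
    vs = DIRECT-ACCESS, ftp = No, csrp = False
"""

# One half of a connection: direction, protocol, VLAN, source, destination, state.
HALF = re.compile(
    r"^(In|Out)\s+(\S+)\s+(\d+)\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s*$")
# The trailer line that closes a connection record and names the virtual server.
VS = re.compile(r"^\s+vs = ([^,\s]+)")


@dataclass
class Conn:
    vserver: str
    in_vlan: int
    out_vlan: int
    origin: tuple     # (ip, port) of the initiator as it arrives at the CSM-S
    target: tuple     # (ip, port) the initiator addressed (VIP or server)
    real: tuple       # (ip, port) of the server that received the connection
    peer_seen: tuple  # (ip, port) the server sees as its peer, and logs

    @property
    def source_nat(self):
        return self.origin[0] != self.peer_seen[0]

    @property
    def source_pat(self):
        return self.origin[1] != self.peer_seen[1]

    @property
    def dest_nat(self):
        return self.target != self.real


def parse_conns(text):
    """Pair the In/Out halves that precede each 'vs =' trailer line."""
    conns, halves = [], {}
    for line in text.splitlines():
        m = HALF.match(line)
        if m:
            d, _prot, vlan, sip, sport, dip, dport, _state = m.groups()
            halves[d] = (int(vlan), (sip, int(sport)), (dip, int(dport)))
            continue
        m = VS.match(line)
        if m:
            if set(halves) == {"In", "Out"}:  # skip records missing a half
                (iv, src, dst), (ov, real, seen) = halves["In"], halves["Out"]
                conns.append(Conn(m.group(1), iv, ov, src, dst, real, seen))
            halves = {}
    return conns


def hidden_origins(conns):
    """(vserver, real server, true origin IP, IP the server logs) per NATed conn."""
    return [(c.vserver, c.real[0], c.origin[0], c.peer_seen[0])
            for c in conns if c.source_nat]


if __name__ == "__main__":
    for c in parse_conns(SAMPLE):
        print(c.vserver, "snat" if c.source_nat else "-",
              "spat" if c.source_pat else "-", "dnat" if c.dest_nat else "-")
    for row in hidden_origins(parse_conns(SAMPLE)):
        print("server %s logs %s instead of %s (vserver %s)"
              % (row[1], row[3], row[2], row[0]))
```

For connections reported by hidden_origins, attributing a server-side log entry to its true originator requires correlating it with the CSM-S connection table or another record of the translation.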

Configuring Session Persistence (Stickiness)

This example provides configuration parameters for configuring session persistence or stickiness:

module ContentSwitchingModule 5 
 vlan 220 server
  ip address 10.20.220.2 255.255.255.0
  alias 10.20.220.1 255.255.255.0
!
 vlan 221 client
  ip address 10.20.221.5 255.255.255.0
  gateway 10.20.221.1
!
 serverfarm WEBFARM
  nat server 
  no nat client
  real 10.20.220.10
   inservice
  real 10.20.220.20
   inservice
  real 10.20.220.30
   inservice
!
 sticky 10 netmask 255.255.255.255 timeout 20
!
 sticky 20 cookie yourname timeout 30
!
 vserver TELNET
  virtual 10.20.221.100 tcp telnet
  serverfarm WEBFARM
  persistent rebalance
  inservice
!
 vserver WEB1
  virtual 10.20.221.101 tcp www
  serverfarm WEBFARM
  sticky 20 group 10
  persistent rebalance
  inservice
!
 vserver WEB2
  virtual 10.20.221.102 tcp www
  serverfarm WEBFARM
  sticky 30 group 20
  persistent rebalance
  inservice
!

This example shows the output of the show commands:

Cat6k-2# show module csm 5 sticky group 10

group   sticky-data              real                  timeout
----------------------------------------------------------------
10      ip 10.20.1.100           10.20.220.10          793       

Cat6k-2# show module csm 5 sticky group 20

group   sticky-data              real                  timeout
----------------------------------------------------------------
20      cookie 4C656B72:861F0395 10.20.220.20          1597      


Cat6k-2# show module csm 5 sticky 

group   sticky-data              real                  timeout
----------------------------------------------------------------
20      cookie 4C656B72:861F0395 10.20.220.20          1584      
10      ip 10.20.1.100           10.20.220.10          778       

Configuring Direct Access to Servers in Router Mode

This example shows how to configure a virtual server to give direct access to the back-end servers when you are using router mode:


Note: In router mode, any connection that does not hit a virtual server is dropped.


module ContentSwitchingModule 5 
 vlan 220 server
  ip address 10.20.220.2 255.255.255.0
  alias 10.20.220.1 255.255.255.0
!
 vlan 221 client
  ip address 10.20.221.5 255.255.255.0
  gateway 10.20.221.1
  alias 10.20.221.2 255.255.255.0

# The alias IP is only required in redundant configurations
# This is the IP address that the upstream router (the MSFC
# in this case) will use as next-hop to reach the
# backend servers
# See below for the static route added for this purpose.
#
!
 serverfarm ROUTE
  no nat server 
  no nat client
  predictor forward

#
# This serverfarm is not load balancing, but is simply
# routing the traffic according to the CSM-S routing tables
# The CSM-S routing table in this example is very simple,
# there is just a default gateway and 2 directly attached
# subnets.
#
# The "no nat server" is very important, since you do not
# want to rewrite the destination IP address when
# forwarding the traffic.

!         
 serverfarm WEBFARM
  nat server 
  no nat client
  real 10.20.220.10
   inservice
  real 10.20.220.20
   inservice
!         
 vserver DIRECT-ACCESS
  virtual 10.20.220.0 255.255.255.0 tcp 0
  serverfarm ROUTE
  persistent rebalance
  inservice

# This vserver is listening to all TCP connections destined to the
# serverfarm IP subnet.
# Note: ping to the backend servers will not work with this example

!         
 vserver WEB
  virtual 10.20.221.100 tcp www
  serverfarm WEBFARM
  persistent rebalance
  inservice

interface Vlan221
 ip address 10.20.221.1 255.255.255.0

# vlan221 is the L3 interface on the MSFC that connects to the CSM-S
# Client requests are being routed by the MSFC, from its other 
# interfaces (not shown in this example) to vlan221.

!
ip classless
ip route 10.20.220.0 255.255.255.0 10.20.221.2

# This static route is necessary to allow the MSFC to reach
# the backend servers.

This example shows the output of some of the show commands:

Cat6k-2# show module csm 5 conn detail

    prot vlan source                destination           state       
----------------------------------------------------------------------
In  TCP  221  10.20.1.100:44268     10.20.220.10:23       ESTAB       
Out TCP  220  10.20.220.10:23       10.20.1.100:44268     ESTAB       
    vs = DIRECT-ACCESS, ftp = No, csrp = False

# The information displayed shows that the CSM-S is not rewriting any IP addresses while
# forwarding the connection from VLAN 221 (client) to VLAN 220 (server). This connection has
# been created because it was destined to the virtual server DIRECT-ACCESS.

Cat6k-2# show module csm 5 vserver detail
WEB, type = SLB, state = OPERATIONAL, v_index = 14
  virtual = 10.20.221.100/32:80 bidir, TCP, service = NONE, advertise = FALSE
  idle = 3600, replicate csrp = none, vlan = ALL, pending = 30, layer 4
  max parse len = 2000, persist rebalance = TRUE
  ssl sticky offset = 0, length = 32
  conns = 0, total conns = 0
  Default policy:
    server farm = WEBFARM, backup = <not assigned>
    sticky: timer = 0, subnet = 0.0.0.0, group id = 0
  Policy          Tot matches  Client pkts  Server pkts
  -----------------------------------------------------
  (default)       0            0            0            

DIRECT-ACCESS, type = SLB, state = OPERATIONAL, v_index = 15
  virtual = 10.20.220.0/24:0 bidir, TCP, service = NONE, advertise = FALSE
  idle = 3600, replicate csrp = none, vlan = ALL, pending = 30, layer 4
  max parse len = 2000, persist rebalance = TRUE
  ssl sticky offset = 0, length = 32
  conns = 1, total conns = 1
  Default policy:
    server farm = ROUTE, backup = <not assigned>
    sticky: timer = 0, subnet = 0.0.0.0, group id = 0
  Policy          Tot matches  Client pkts  Server pkts
  -----------------------------------------------------
  (default)       1            48           35           

Configuring Server-to-Server Load-Balanced Connections

This example shows a CSM-S configuration with three VLANs: one client VLAN and two server VLANs. This configuration allows server-to-server load-balanced connections. There is no need for the source NAT because the source and destination servers are in separate VLANs.

module ContentSwitchingModule 5 
 vlan 220 server
  ip address 10.20.220.2 255.255.255.0
  alias 10.20.220.1 255.255.255.0
!
 vlan 221 client
  ip address 10.20.221.5 255.255.255.0
  gateway 10.20.221.1
!
 vlan 210 server
  ip address 10.20.210.2 255.255.255.0
  alias 10.20.210.1 255.255.255.0
!
 serverfarm TIER-1
  nat server 
  no nat client
  real 10.20.210.10
   inservice
  real 10.20.210.20
   inservice
!
 serverfarm TIER-2
  nat server 
  no nat client
  real 10.20.220.10
   inservice
  real 10.20.220.20
   inservice
!
 vserver VIP1
  virtual 10.20.221.100 tcp telnet
  vlan 221
  serverfarm TIER-1
  persistent rebalance
  inservice
!
 vserver VIP2
  virtual 10.20.210.100 tcp telnet
  vlan 210
  serverfarm TIER-2
  persistent rebalance
  inservice
!

This example shows the output of some of the show commands:

Cat6k-2# show module csm 5 arp  

Internet Address  Physical Interface  VLAN      Type       Status
--------------------------------------------------------------------
 10.20.210.1      00-02-FC-E1-68-EB   210       -ALIAS-    local
 10.20.210.2      00-02-FC-E1-68-EC   210       --SLB--    local
 10.20.210.10     00-D0-B7-A0-68-5D   210       REAL       up(0 misses)
 10.20.210.20     00-D0-B7-A0-68-5D   210       REAL       up(0 misses)
 10.20.220.1      00-02-FC-E1-68-EB   220       -ALIAS-    local
 10.20.220.2      00-02-FC-E1-68-EC   220       --SLB--    local
 10.20.210.100    00-02-FC-E1-68-EB   0         VSERVER    local
 10.20.220.10     00-D0-B7-A0-81-D8   220       REAL       up(0 misses)
 10.20.221.1      00-02-FC-CB-70-0A   221       GATEWAY    up(0 misses)
 10.20.221.5      00-02-FC-E1-68-EC   221       --SLB--    local
 10.20.220.20     00-D0-B7-A0-81-D8   220       REAL       up(0 misses)
 10.20.221.100    00-02-FC-E1-68-EB   0         VSERVER    local

Cat6k-2# show module csm 5 vser 

vserver         type  prot virtual                  vlan state        conns
---------------------------------------------------------------------------
VIP1            SLB   TCP  10.20.221.100/32:23      221  OPERATIONAL  1       
VIP2            SLB   TCP  10.20.210.100/32:23      210  OPERATIONAL  1       

Cat6k-2# show module csm 5 conn detail

    prot vlan source                destination           state       
----------------------------------------------------------------------
In  TCP  221  10.20.1.100:44240     10.20.221.100:23      ESTAB       
Out TCP  210  10.20.210.10:23       10.20.1.100:44240     ESTAB       
    vs = VIP1, ftp = No, csrp = False

In  TCP  210  10.20.210.10:45885    10.20.210.100:23      ESTAB       
Out TCP  220  10.20.220.10:23       10.20.210.10:45885    ESTAB       
    vs = VIP2, ftp = No, csrp = False

# The previous command shows a connection opened from a client coming in from VLAN 221
# (client is 10.20.1.100). That connection goes to virtual IP address 1 (VIP1) and is
# balanced to 10.20.210.10. Another connection is opened from server 10.20.210.10, goes to
# VIP2 and is balanced to 10.20.220.10

Configuring Route Health Injection

The CSM-S supports virtual servers in any IP subnet. If a virtual server is configured in a subnet that is not directly attached to the MSFC, you can configure the CSM-S to inject a static route into the MSFC routing tables, depending on the health of the server farm serving that virtual server.

You can also use this mechanism for disaster recovery or GSLB solutions, where two distinct CSMs inject a static route for the same VIP. The static routes can then be redistributed, possibly with different costs, to prefer a specific location.

module ContentSwitchingModule 5 
 vlan 220 server
  ip address 10.20.220.2 255.255.255.0
  alias 10.20.220.1 255.255.255.0
!
 vlan 221 client
  ip address 10.20.221.5 255.255.255.0
  gateway 10.20.221.1
  alias 10.20.221.2 255.255.255.0

# The alias IP is very important because it is the IP that the CSM-S instructs the MSFC
# to use as the next hop to reach the advertised virtual server.

!
 probe PING icmp
  interval 2 
  retries 2 
  failed 10 
  receive 2 
!
 serverfarm WEBFARM
  nat server 
  no nat client
  real 10.20.220.10
   inservice
  real 10.20.220.20
   inservice
  probe PING
!
 vserver WEB
  virtual 10.20.250.100 tcp www
  vlan 221

# By default, a virtual server listens to traffic coming in on any VLAN. You can restrict
# access to a virtual server by defining a specific VLAN. When using Route Health
# Injection, it is required to specify the VLAN for the virtual server. This tells the
# CSM-S which next-hop it needs to program in the static route that it will inject in
# the MSFC routing tables.

  serverfarm WEBFARM
  advertise active

# This is the command that tells the CSM-S to inject the route for this virtual server.
# The option "active" tells the CSM-S to remove the route if the backend serverfarm fails.

  persistent rebalance
  inservice
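
Added example, not Cisco's code: a Python lint for CSM-S configuration text that checks two rules stated in the comments on this page: an HTTP probe without a port on a server farm that also serves a non-HTTP virtual server (Configuring the Probes), and a virtual server that advertises a route without a vlan restriction (Route Health Injection). It also lists virtual servers that listen on all VLANs. The sample configuration is constructed from the page's stanzas with two lines removed to trigger the findings; the vserver name RHI and the function and rule names are assumptions of this example.

```python
# Constructed sample: stanzas adapted from the examples on this page, with
# "port 80" dropped from probe HTTP and "vlan 221" dropped from vserver RHI.
SAMPLE = """\
module ContentSwitchingModule 5
 probe PING icmp
  interval 5
 probe HTTP http
  request method head url /probe/http_probe.html
  expect status 200 299
 serverfarm WEBFARM
  nat server
  no nat client
  real 10.20.220.10
   inservice
  probe PING
  probe HTTP
 vserver TELNET
  virtual 10.20.221.100 tcp telnet
  vlan 221
  serverfarm WEBFARM
  inservice
 vserver WEB
  virtual 10.20.221.100 tcp www
  serverfarm WEBFARM
  inservice
 vserver RHI
  virtual 10.20.250.100 tcp www
  serverfarm WEBFARM
  advertise active
  inservice
"""

STANZAS = ("vserver", "serverfarm", "probe")
HTTP_PORTS = {"www", "80"}


def parse(cfg):
    """Return {(kind, name): {"head": [...], "body": [[...], ...]}}.

    A stanza starts at indent <= 1; deeper lines are its sub-commands.
    Lines starting with '#' or '!' are comments or separators and are skipped.
    """
    stanzas, cur = {}, None
    for raw in cfg.splitlines():
        text = raw.strip()
        if not text or text[0] in "#!":
            continue
        words = text.split()
        if len(raw) - len(raw.lstrip()) <= 1:
            cur = None
            if words[0] in STANZAS and len(words) > 1:
                cur = stanzas.setdefault((words[0], words[1]),
                                         {"head": words, "body": []})
        elif cur is not None:
            cur["body"].append(words)
    return stanzas


def audit(cfg):
    """Return a list of finding tuples, rule name first."""
    st = parse(cfg)
    findings, farm_ports = [], {}
    for (kind, name), s in st.items():
        if kind != "vserver":
            continue
        cmds = {w[0]: w for w in s["body"]}
        if "vlan" not in cmds:
            # Without "vlan" the vserver accepts traffic from any VLAN, and
            # an advertised route has no VLAN to derive its next hop from.
            rule = "rhi-needs-vlan" if "advertise" in cmds else "listens-on-all-vlans"
            findings.append((rule, name))
        if "virtual" in cmds and "serverfarm" in cmds:
            # The last word of "virtual" is the port (www, telnet, 0, ...).
            farm_ports.setdefault(cmds["serverfarm"][1], set()).add(cmds["virtual"][-1])
    for (kind, farm), s in st.items():
        if kind != "serverfarm":
            continue
        other = sorted(farm_ports.get(farm, set()) - HTTP_PORTS)
        for w in s["body"]:
            if w[0] != "probe" or len(w) < 2:
                continue
            probe = st.get(("probe", w[1]))
            if probe is None:
                findings.append(("undefined-probe", w[1]))
                continue
            is_http = len(probe["head"]) > 2 and probe["head"][2] == "http"
            has_port = any(b[0] == "port" for b in probe["body"])
            if is_http and not has_port and other:
                # The probe inherits every vserver port, so it will fail there.
                findings.append(("http-probe-hits-non-http-port", w[1], farm, other))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```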

This example shows the output of some of the show commands:

Cat6k-2# show module csm 5 probe detail
probe           type    port  interval retries failed  open   receive
---------------------------------------------------------------------
PING            icmp          2        2       10             2      
 real                  vserver         serverfarm      policy          status
 ------------------------------------------------------------------------------
 10.20.220.20:80       WEB             WEBFARM         (default)       OPERABLE
 10.20.220.10:80       WEB             WEBFARM         (default)       OPERABLE

Cat6k-2# show ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is 10.20.1.100 to network 0.0.0.0

     10.0.0.0/8 is variably subnetted, 8 subnets, 3 masks
C       10.21.1.0/24 is directly connected, Vlan21
S       10.20.250.100/32 [1/0] via 10.20.221.2, Vlan221

# The static route to 10.20.250.100 has been automatically created by the CSM-S, since
# both servers were healthy.

C       10.20.221.0/24 is directly connected, Vlan221
S*   0.0.0.0/0 [1/0] via 10.30.1.100

Cat6k-2# show module csm 5 vser detail
WEB, type = SLB, state = OPERATIONAL, v_index = 14
  virtual = 10.20.250.100/32:80 bidir, TCP, service = NONE, advertise = TRUE
  idle = 3600, replicate csrp = none, vlan = 221, pending = 30, layer 4
  max parse len = 2000, persist rebalance = TRUE
  ssl sticky offset = 0, length = 32
  conns = 0, total conns = 6
  Default policy:
    server farm = WEBFARM, backup = <not assigned>
    sticky: timer = 0, subnet = 0.0.0.0, group id = 0
  Policy          Tot matches  Client pkts  Server pkts
  -----------------------------------------------------
  (default)       6            36           30           

# Failing the servers causes the route to be removed. This behaviour is configured with the
# advertise active command.

Cat6k-2# show module csm 5 probe detail
1d20h: %SYS-5-CONFIG_I: Configured from console by vty0 (probe detail
probe           type    port  interval retries failed  open   receive
---------------------------------------------------------------------
PING            icmp          2        2       10             2      
 real                  vserver         serverfarm      policy          status
 ------------------------------------------------------------------------------
 10.20.220.20:80       WEB             WEBFARM         (default)       TESTING
 10.20.220.10:80       WEB             WEBFARM         (default)       TESTING

Cat6k-2# 
1d20h: %CSM_SLB-6-RSERVERSTATE: Module 5 server state changed: SLB-NETMGT: ICMP health probe failed for server 10.20.220.20:80 in serverfarm 'WEBFARM'
1d20h: %CSM_SLB-6-RSERVERSTATE: Module 5 server state changed: SLB-NETMGT: ICMP health probe failed for server 10.20.220.10:80 in serverfarm 'WEBFARM'

Cat6k-2# 
Cat6k-2# show module csm 5 probe detail
probe           type    port  interval retries failed  open   receive
---------------------------------------------------------------------
PING            icmp          2        2       10             2      
 real                  vserver         serverfarm      policy          status
 ------------------------------------------------------------------------------
 10.20.220.20:80       WEB             WEBFARM         (default)       FAILED
 10.20.220.10:80       WEB             WEBFARM         (default)       FAILED
Cat6k-2#  

Cat6k-2# show ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is 10.20.1.100 to network 0.0.0.0
     10.0.0.0/8 is variably subnetted, 8 subnets, 3 masks
C       10.21.1.0/24 is directly connected, Vlan21
C       10.20.221.0/24 is directly connected, Vlan221
S*   0.0.0.0/0 [1/0] via 10.30.1.100
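
The check an operator performs by eye on the two outputs above can be scripted. This is an added example, not part of the original Cisco document: it compares the probe status of the real servers with the presence of the injected host route and reports a route that is advertised with no healthy server behind it. The function names and sample text are constructed for illustration, and it assumes the route is expected whenever at least one real is OPERABLE (the document shows only the both-healthy and both-failed cases).

```python
import re

# Constructed samples in the shape of the outputs shown above.
PROBE_HEALTHY = """\
PING            icmp          2        2       10             2
 real                  vserver         serverfarm      policy          status
 ------------------------------------------------------------------------------
 10.20.220.20:80       WEB             WEBFARM         (default)       OPERABLE
 10.20.220.10:80       WEB             WEBFARM         (default)       OPERABLE
"""
PROBE_FAILED = PROBE_HEALTHY.replace("OPERABLE", "FAILED")
ROUTES_WITHOUT_VIP = """\
C       10.21.1.0/24 is directly connected, Vlan21
C       10.20.221.0/24 is directly connected, Vlan221
S*   0.0.0.0/0 [1/0] via 10.30.1.100
"""
ROUTES_WITH_VIP = ROUTES_WITHOUT_VIP + \
    "S       10.20.250.100/32 [1/0] via 10.20.221.2, Vlan221\n"

REAL_LINE = re.compile(
    r"^\s+(\d+\.\d+\.\d+\.\d+):(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$")
STATIC_LINE = re.compile(r"^S\*?\s+(\d+\.\d+\.\d+\.\d+/\d+)\s")

def real_states(probe_text, vserver):
    """Map 'ip:port' -> set of probe statuses seen for one virtual server."""
    states = {}
    for line in probe_text.splitlines():
        m = REAL_LINE.match(line)
        if m and m.group(3) == vserver:
            states.setdefault(f"{m.group(1)}:{m.group(2)}", set()).add(m.group(6))
    return states

def static_prefixes(route_text):
    """Prefixes of all static (S / S*) entries in 'show ip route' output."""
    return {m.group(1) for m in map(STATIC_LINE.match, route_text.splitlines()) if m}

def check_rhi(probe_text, route_text, vserver, vip_prefix):
    """Return 'ok', 'stale-route', 'missing-route' or 'indeterminate'."""
    states = real_states(probe_text, vserver)
    if any("TESTING" in s for s in states.values()):
        return "indeterminate"          # probes still converging
    # A real counts as healthy only if every probe reports OPERABLE.
    healthy = [r for r, s in states.items() if s == {"OPERABLE"}]
    present = vip_prefix in static_prefixes(route_text)
    if healthy and not present:
        return "missing-route"          # VIP reachable but not advertised
    if not healthy and present:
        return "stale-route"            # traffic attracted to a dead VIP
    return "ok"

if __name__ == "__main__":
    print(check_rhi(PROBE_FAILED, ROUTES_WITH_VIP, "WEB", "10.20.250.100/32"))
```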

Configuring the Server Names

This example shows a different way to associate the servers to the server farms by using the server names. This method is preferred when the same servers are associated to multiple server farms because it allows the user to take a server out of rotation from all the server farms with only one command.

module ContentSwitchingModule 5 
 vlan 220 server
  ip address 10.20.220.2 255.255.255.0
  alias 10.20.220.1 255.255.255.0
!
 vlan 221 client
  ip address 10.20.221.5 255.255.255.0
  gateway 10.20.221.1
  alias 10.20.221.2 255.255.255.0
!
 probe PING icmp
  interval 2 
  retries 2 
  failed 10 
  receive 2 
!         
 probe FTP ftp
  interval 5 
  retries 2 
  failed 20 
  open 3  
  receive 3 
!         
 probe HTTP http
  request method head 
  expect status 200 299
  interval 5 
  retries 2 
  failed 10 
  open 2  
  receive 2 
!         
 real SERVER1
  address 10.20.220.10
  inservice
 real SERVER2
  address 10.20.220.20
  inservice
!
 serverfarm FTPFARM
  nat server 
  no nat client
  real name SERVER1
   inservice
  real name SERVER2
   inservice
  probe PING
  probe FTP
!
 serverfarm WEBFARM
  nat server 
  no nat client
  real name SERVER1
   inservice
  real name SERVER2
   inservice
  probe PING
  probe HTTP
!
 vserver FTP
  virtual 10.20.221.100 tcp ftp service ftp
  serverfarm FTPFARM
  persistent rebalance
  inservice
!
 vserver WEB
  virtual 10.20.221.100 tcp www
  serverfarm WEBFARM
  persistent rebalance
  inservice
!

This example shows the output of some of the show commands:

Cat6k-2# show module csm 5 probe detail 
probe           type    port  interval retries failed  open   receive
---------------------------------------------------------------------
PING            icmp          2        2       10             2      
 real                  vserver         serverfarm      policy          status
 ------------------------------------------------------------------------------
 10.20.220.20:21       FTP             FTPFARM         (default)       OPERABLE
 10.20.220.10:21       FTP             FTPFARM         (default)       OPERABLE
 10.20.220.20:80       WEB             WEBFARM         (default)       OPERABLE
 10.20.220.10:80       WEB             WEBFARM         (default)       OPERABLE
FTP             ftp           5        2       20      3      3      
 Expected Status Codes:
  0 to 999
 real                  vserver         serverfarm      policy          status
 ------------------------------------------------------------------------------
 10.20.220.20:21       FTP             FTPFARM         (default)       OPERABLE
 10.20.220.10:21       FTP             FTPFARM         (default)       OPERABLE
HTTP            http          5        2       10      2      2      
 Probe Request:  HEAD       /
 Expected Status Codes:
  200 to 299
 real                  vserver         serverfarm      policy          status
 ------------------------------------------------------------------------------
 10.20.220.20:80       WEB             WEBFARM         (default)       OPERABLE
 10.20.220.10:80       WEB             WEBFARM         (default)       OPERABLE

Cat6k-2# show module csm 5 real  

real                  server farm      weight  state          conns/hits
-------------------------------------------------------------------------
SERVER1               FTPFARM          8       OPERATIONAL    0        
SERVER2               FTPFARM          8       OPERATIONAL    0        
SERVER1               WEBFARM          8       OPERATIONAL    0        
SERVER2               WEBFARM          8       OPERATIONAL    0        

# Taking a server out of service at the server farm level will only take the server out of
# service for that specific farm.

Cat6k-2# configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Cat6k-2(config)# module csm 5
Cat6k-2(config-module-csm)# server webfarm
Cat6k-2(config-slb-sfarm)# real name server1
Cat6k-2(config-slb-real)# no inservice
Cat6k-2(config-slb-real)# end
1d20h: %CSM_SLB-6-RSERVERSTATE: Module 5 server state changed: SLB-NETMGT: Configured server 10.20.220.10:0 to OUT-OF-SERVICE in serverfarm 'WEBFARM'
Cat6k-2#
1d20h: %SYS-5-CONFIG_I: Configured from console by vty0 (10.20.1.100)
Cat6k-2#
Cat6k-2# show module csm 5 real

real                  server farm      weight  state          conns/hits
-------------------------------------------------------------------------
SERVER1               FTPFARM          8       OPERATIONAL    0        
SERVER2               FTPFARM          8       OPERATIONAL    0        
SERVER1               WEBFARM          8       OUTOFSERVICE   0        
SERVER2               WEBFARM          8       OPERATIONAL    0        
Cat6k-2#
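
When a server has to be isolated for maintenance or investigation, the output above is the case to catch: the server is out of service in one farm but still takes connections in another. The following added example (not part of the original Cisco document; function names and the sample text are constructed for illustration) parses the show module csm 5 real output and lists the farms where a partially removed server is still in rotation.

```python
import re
from collections import defaultdict

# Constructed sample, matching the output above after SERVER1 was taken
# out of service in WEBFARM only.
SHOW_REAL = """\
real                  server farm      weight  state          conns/hits
-------------------------------------------------------------------------
SERVER1               FTPFARM          8       OPERATIONAL    0
SERVER2               FTPFARM          8       OPERATIONAL    0
SERVER1               WEBFARM          8       OUTOFSERVICE   0
SERVER2               WEBFARM          8       OPERATIONAL    0
"""

# real, serverfarm, weight, state, conns/hits; header and rule lines do not match.
ROW = re.compile(r"^(\S+)\s+(\S+)\s+(\d+)\s+([A-Z_]+)\s+(\d+)\s*$")

def farm_states(show_real_text):
    """Map real server name -> {serverfarm: state}."""
    table = defaultdict(dict)
    for line in show_real_text.splitlines():
        m = ROW.match(line)
        if m:
            table[m.group(1)][m.group(2)] = m.group(4)
    return {name: dict(farms) for name, farms in table.items()}

def still_serving(show_real_text, real):
    """Farms where `real` is OPERATIONAL although it is OUTOFSERVICE elsewhere."""
    states = farm_states(show_real_text).get(real, {})
    if "OUTOFSERVICE" not in states.values():
        return []                       # not removed anywhere: nothing to flag
    return sorted(f for f, s in states.items() if s == "OPERATIONAL")

def partially_removed(show_real_text):
    """All reals that were removed at the farm level but not everywhere."""
    return {real: farms
            for real in farm_states(show_real_text)
            if (farms := still_serving(show_real_text, real))}

if __name__ == "__main__":
    for real, farms in partially_removed(SHOW_REAL).items():
        print(f"{real} is out of service in some farms but still serving: {farms}")
```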

# Taking the server out of service at the real server level will take the server out of
# service for all the server farms.