Document ID: 12590
Updated: Jan 03, 2007
Introduction
This document provides a sample configuration for sticky global load balancing on the Cisco CSS 11000 Series Content Services Switches.
Prerequisites
Requirements
Ensure that you meet these requirements before you attempt this configuration:
- Make the rules sticky. After an initial connection has been load balanced to a server, send all subsequent connections to that same server.
- Each site must have site-specific URLs or relative links. Web servers accept URLs that are specific to their site.
- If you use Secure Socket Layer (SSL) servers, they must include certificates for the site-specific names. Use HTTP when you initially load balance the SSL servers.
- The CSS WebNS Enhanced feature set license key is needed for the Proximity Database and Secure Shell Protocol (SSH), which are optional features. If you enter the Proximity Database license key after you boot the CSS 11000, you must reboot the CSS 11000 before you can configure the Proximity Database so the CSS 11000 can reallocate memory. For licensing information, contact the Cisco licensing team at licensing@cisco.com.
Components Used
The information in this document is based on these software and hardware versions:
- Cisco CSS 11150
- Cisco Web Network Services (WebNS) Software Release 5.0, Build 2 (Use Build 4 or later.)
- Cisco WebNS Software Release 4.10, Build 10 (Use WebNS 4.01 or later, Build 37s.)
- Cisco WebNS Software Release 4.01, Build 23
- Cisco WebNS Software Release 4.10, Build 17s
Note: Use global server load balancing with Cisco WebNS 3.10, Build 71 or later; Cisco WebNS 4.01, Build 14 or later; or Cisco WebNS 5.0, Build 4 or later.
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.
Conventions
Refer to the Cisco Technical Tips Conventions for information on document conventions.
Background Information
The Cisco CSS 11000 answers Domain Name Service (DNS) queries when it uses global load balancing. Until a subsequent DNS query occurs, a user continues to use servers at a given site. Issues arise when a second DNS query returns a new Virtual Internet Protocol (VIP) address and sends a user to a different site, while the state information remains at the original site. In many cases, a user needs to stick to the original site that has the state information.
Configure
In this section, you are presented with the information to configure the features described in this document.
Note: Use the Command Lookup Tool (registered customers only) for more information on the commands used in this section.
Network Diagram
This document uses this network setup:
Description
In this example, a company named mycompany.com has four sites and four servers at each site. The company uses the generic name of www.mycompany.com for its Web servers. Each site uses a site-specific name of site-x, in which x equals a, b, c, or d. Users are initially load balanced to the least-loaded site and to the least-loaded server at that site. From that point, they remain on that site and server unless one of these situations occurs:
- The site loses all its servers.
- A link sends the user to the generic URL.
- The CSS 11000 is shut down on the site.
The LOCAL-? rules respond only to DNS queries for site-specific names. Therefore, the port number and the URL in those rules are insignificant. They serve only to differentiate these rules from the others, because duplicate services with the same rules are not permitted.
The REMOTE-? services require HTTP keepalives because Internet Control Message Protocol (ICMP) keepalives to a VIP that has no local services alive are still successful. If you send a DNS query to CSS-A for site-b.mycompany.com (assume that site-b has no services alive), CSS-A attempts a keepalive on 192.168.2.6. An ICMP keepalive succeeds, which causes CSS-A to return that VIP (192.168.2.6) and leaves the user connected to a dead site. In this case, an HTTP keepalive would fail and cause the user to receive a different address for site-b.mycompany.com. When users reach the other site with the URL site-b, they are redirected to the local site-specific name by the ReDirectMeB rule. This is important in the case that a user has bookmarked a site that has been removed or is down for maintenance.
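As an added example (not part of the Cisco document), this Python check reads a CSS configuration and reports any REMOTE-? service that is not set to `keepalive type http`. The sample configuration is constructed, with REMOTE-C deliberately left without keepalive lines; the function names are illustrative, and a service with no keepalive type is treated as ICMP, which is what the show rule output in this document reports for the local services.

```python
import re

# Constructed sample in the layout of the CSS-A configuration. REMOTE-C has
# no keepalive lines, so it would fall back to the ICMP keepalive.
SAMPLE_CONFIG = """\
service A-S1
  ip address 192.168.1.2
  active
service REMOTE-B
  ip address 192.168.2.6
  keepalive type http
  keepalive method head
  active
service REMOTE-C
  ip address 192.168.3.6
  active
service REMOTE-D
  ip address 192.168.4.6
  keepalive type http
  keepalive method head
  active
owner GSLB
  dns both
"""

def parse_services(config):
    """Return {service_name: [command, ...]} for every 'service' stanza."""
    services, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue  # blank line or "!---" comment
        m = re.match(r"service\s+(\S+)$", line)
        if m:
            current = services.setdefault(m.group(1), [])
        elif not raw[0].isspace():
            current = None  # another top-level stanza (owner, circuit, acl)
        elif current is not None:
            current.append(line)
    return services

def keepalive_type(commands):
    """Configured keepalive type; 'icmp' when the stanza sets none."""
    for cmd in commands:
        m = re.match(r"keepalive\s+type\s+(\S+)$", cmd)
        if m:
            return m.group(1).lower()
    return "icmp"

def audit_remote_keepalives(config, prefix="REMOTE-"):
    """List (service, vip, keepalive) for remote-site services not on HTTP."""
    findings = []
    for name, cmds in parse_services(config).items():
        if not name.startswith(prefix):
            continue
        vip = next((c.split()[-1] for c in cmds if c.startswith("ip address")), None)
        ka = keepalive_type(cmds)
        if ka != "http":
            findings.append((name, vip, ka))
    return findings

if __name__ == "__main__":
    for name, vip, ka in audit_remote_keepalives(SAMPLE_CONFIG):
        print(f"{name} ({vip}): keepalive type {ka}, expected http")
```

Run against each site's saved configuration, an empty result means every remote VIP is probed with HTTP and an empty site cannot keep answering as healthy.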
Configurations
This document uses these configurations:
These tables provide an example of each configuration.
CSS-A Switch Configuration WebNS 5.0, Build 2
!--- This is the configuration for the CSS at site A.
prompt CSS-A
configure
!--- *************************** GLOBAL ***************************
  acl enable
  dns-server
  app
  app session 192.168.2.1
  app session 192.168.3.1
  app session 192.168.4.1
  ip route 0.0.0.0 0.0.0.0 192.168.1.254 1
!--- *************************** CIRCUIT **************************
circuit VLAN1
  ip address 192.168.1.1 255.255.255.0
!--- *************************** SERVICE **************************
service A-S1
  ip address 192.168.1.2
  active
service A-S2
  ip address 192.168.1.3
  active
service A-S3
  ip address 192.168.1.4
  active
service A-S4
  ip address 192.168.1.5
  active
service RedirectLocal
  domain site-a.mycompany.com
  type redirect
  keepalive type none
  active
service REMOTE-B
  ip address 192.168.2.6
  keepalive type http
  keepalive method head
  active
service REMOTE-C
  ip address 192.168.3.6
  keepalive type http
  keepalive method head
  active
service REMOTE-D
  ip address 192.168.4.6
  keepalive type http
  keepalive method head
  active
!--- *************************** OWNER ***************************
owner GSLB
  dns both
  content WWW
    vip address 192.168.1.6
    add service A-S1
    add service A-S2
    add service A-S3
    add service A-S4
    add dns www.mycompany.com
    balance leastconn
    advanced-balance sticky-srcip
    active
  content ReDirectMe
    vip address 192.168.1.6
    protocol tcp
    port 80
    add service RedirectLocal
    url "//www.mycompany.com/*"
    active
  content ReDirectMeB
    vip address 192.168.1.6
    protocol tcp
    port 80
    add service RedirectLocal
    url "//site-b.mycompany.com/*"
    active
  content ReDirectMeC
    vip address 192.168.1.6
    protocol tcp
    port 80
    add service RedirectLocal
    url "//site-c.mycompany.com/*"
    active
  content ReDirectMeD
    vip address 192.168.1.6
    protocol tcp
    port 80
    add service RedirectLocal
    url "//site-d.mycompany.com/*"
    active
!--- You need to differentiate these rules from other
!--- rules: if you did not set a bogus port and URL, the LOCAL-?
!--- rules conflict with the WWW rule or the ReDirectMe?.
!--- These rules are used only for DNS responses.
  content LOCAL-A
    vip address 192.168.1.6
    protocol tcp
    port 81
    url "//site-a.mycompany.com/*"
    add service A-S1
    add service A-S2
    add service A-S3
    add service A-S4
    add dns site-a.mycompany.com
    dnsbalance preferlocal
    balance leastconn
    advanced-balance sticky-srcip
    active
  content LOCAL-B
    vip address 192.168.1.6
    protocol tcp
    port 81
    url "//site-b.mycompany.com/*"
    add service A-S1
    add service A-S2
    add service A-S3
    add service A-S4
    add dns site-b.mycompany.com
    active
  content LOCAL-C
    vip address 192.168.1.6
    protocol tcp
    port 81
    url "//site-c.mycompany.com/*"
    add service A-S1
    add service A-S2
    add service A-S3
    add service A-S4
    add dns site-c.mycompany.com
    active
  content LOCAL-D
    vip address 192.168.1.6
    protocol tcp
    port 81
    url "//site-d.mycompany.com/*"
    add service A-S1
    add service A-S2
    add service A-S3
    add service A-S4
    add dns site-d.mycompany.com
    active
!--- ****************** Access Control List (ACL) *****************
acl 1
  clause 10 permit any any destination content GSLB/LOCAL-B prefer REMOTE-B
  clause 20 permit any any destination content GSLB/LOCAL-C prefer REMOTE-C
  clause 30 permit any any destination content GSLB/LOCAL-D prefer REMOTE-D
  clause 99 permit any any destination any
  apply circuit-(VLAN1)
  apply dns
CSS-B Switch Configuration WebNS 4.10, Build 10
!--- This is the configuration for the CSS at site B.
prompt CSS-B
configure
!--- *************************** GLOBAL ***************************
  acl enable
  dns-server
  app
  app session 192.168.1.1
  app session 192.168.3.1
  app session 192.168.4.1
  ip route 0.0.0.0 0.0.0.0 192.168.2.254 1
!--- *************************** CIRCUIT ***************************
circuit VLAN1
  ip address 192.168.2.1 255.255.255.0
!--- *************************** SERVICE ***************************
service B-S1
  ip address 192.168.2.2
  active
service B-S2
  ip address 192.168.2.3
  active
service B-S3
  ip address 192.168.2.4
  active
service B-S4
  ip address 192.168.2.5
  active
service RedirectLocal
  domain site-b.mycompany.com
  type redirect
  keepalive type none
  active
service REMOTE-A
  ip address 192.168.1.6
  keepalive type http
  keepalive method head
  active
service REMOTE-C
  ip address 192.168.3.6
  keepalive type http
  keepalive method head
  active
service REMOTE-D
  ip address 192.168.4.6
  keepalive type http
  keepalive method head
  active
!--- *************************** OWNER ***************************
owner GSLB
  dns both
  content WWW
    vip address 192.168.2.6
    add service B-S1
    add service B-S2
    add service B-S3
    add service B-S4
    add dns www.mycompany.com
    balance leastconn
    advanced-balance sticky-srcip
    active
  content ReDirectMe
    vip address 192.168.2.6
    protocol tcp
    port 80
    add service RedirectLocal
    url "//www.mycompany.com/*"
    active
  content ReDirectMeA
    vip address 192.168.2.6
    protocol tcp
    port 80
    add service RedirectLocal
    url "//site-a.mycompany.com/*"
    active
  content ReDirectMeC
    vip address 192.168.2.6
    protocol tcp
    port 80
    add service RedirectLocal
    url "//site-c.mycompany.com/*"
    active
  content ReDirectMeD
    vip address 192.168.2.6
    protocol tcp
    port 80
    add service RedirectLocal
    url "//site-d.mycompany.com/*"
    active
!--- You need to differentiate these rules from other
!--- rules: if you did not set a bogus port and URL, the LOCAL-?
!--- rules conflict with the WWW rule or the ReDirectMe?.
!--- These rules are used only for DNS responses.
  content LOCAL-A
    vip address 192.168.2.6
    protocol tcp
    port 81
    url "//site-a.mycompany.com/*"
    add service B-S1
    add service B-S2
    add service B-S3
    add service B-S4
    add dns site-a.mycompany.com
    active
  content LOCAL-B
    vip address 192.168.2.6
    protocol tcp
    port 81
    url "//site-b.mycompany.com/*"
    add service B-S1
    add service B-S2
    add service B-S3
    add service B-S4
    add dns site-b.mycompany.com
    dnsbalance preferlocal
    balance leastconn
    advanced-balance sticky-srcip
    active
  content LOCAL-C
    vip address 192.168.2.6
    protocol tcp
    port 81
    url "//site-c.mycompany.com/*"
    add service B-S1
    add service B-S2
    add service B-S3
    add service B-S4
    add dns site-c.mycompany.com
    active
  content LOCAL-D
    vip address 192.168.2.6
    protocol tcp
    port 81
    url "//site-d.mycompany.com/*"
    add service B-S1
    add service B-S2
    add service B-S3
    add service B-S4
    add dns site-d.mycompany.com
    active
!--- *************************** ACL **************************
acl 1
  clause 10 permit any any destination content GSLB/LOCAL-A prefer REMOTE-A
  clause 20 permit any any destination content GSLB/LOCAL-C prefer REMOTE-C
  clause 30 permit any any destination content GSLB/LOCAL-D prefer REMOTE-D
  clause 99 permit any any destination any
  apply circuit-(VLAN1)
  apply dns
CSS-C Switch Configuration WebNS 4.01, Build 23
!--- This is the configuration for the CSS at site C.
prompt CSS-C
configure
!--- *************************** GLOBAL ***************************
  acl enable
  dns-server
  app
  app session 192.168.1.1
  app session 192.168.2.1
  app session 192.168.4.1
  ip route 0.0.0.0 0.0.0.0 192.168.3.254 1
!--- *************************** CIRCUIT ***************************
circuit VLAN1
  ip address 192.168.3.1 255.255.255.0
!--- *************************** SERVICE ***************************
service C-S1
  ip address 192.168.3.2
  active
service C-S2
  ip address 192.168.3.3
  active
service C-S3
  ip address 192.168.3.4
  active
service C-S4
  ip address 192.168.3.5
  active
service RedirectLocal
  domain site-c.mycompany.com
  type redirect
  keepalive type none
  active
service REMOTE-A
  ip address 192.168.1.6
  keepalive type http
  keepalive method head
  active
service REMOTE-B
  ip address 192.168.2.6
  keepalive type http
  keepalive method head
  active
service REMOTE-D
  ip address 192.168.4.6
  keepalive type http
  keepalive method head
  active
!--- *************************** OWNER ***************************
owner GSLB
  dns both
  content WWW
    vip address 192.168.3.6
    add service C-S1
    add service C-S2
    add service C-S3
    add service C-S4
    add dns www.mycompany.com
    balance leastconn
    advanced-balance sticky-srcip
    active
  content ReDirectMe
    vip address 192.168.3.6
    protocol tcp
    port 80
    add service RedirectLocal
    url "//www.mycompany.com/*"
    active
  content ReDirectMeA
    vip address 192.168.3.6
    protocol tcp
    port 80
    add service RedirectLocal
    url "//site-a.mycompany.com/*"
    active
  content ReDirectMeB
    vip address 192.168.3.6
    protocol tcp
    port 80
    add service RedirectLocal
    url "//site-b.mycompany.com/*"
    active
  content ReDirectMeD
    vip address 192.168.3.6
    protocol tcp
    port 80
    add service RedirectLocal
    url "//site-d.mycompany.com/*"
    active
!--- You need to differentiate these rules from other
!--- rules: if you did not set a bogus port and URL, the LOCAL-?
!--- rules conflict with the WWW rule or the ReDirectMe?.
!--- Use only these rules for DNS responses.
  content LOCAL-A
    vip address 192.168.3.6
    protocol tcp
    port 81
    url "//site-a.mycompany.com/*"
    add service C-S1
    add service C-S2
    add service C-S3
    add service C-S4
    add dns site-a.mycompany.com
    active
  content LOCAL-B
    vip address 192.168.3.6
    protocol tcp
    port 81
    url "//site-b.mycompany.com/*"
    add service C-S1
    add service C-S2
    add service C-S3
    add service C-S4
    add dns site-b.mycompany.com
    active
  content LOCAL-C
    vip address 192.168.3.6
    protocol tcp
    port 81
    url "//site-c.mycompany.com/*"
    add service C-S1
    add service C-S2
    add service C-S3
    add service C-S4
    add dns site-c.mycompany.com
    dnsbalance preferlocal
    balance leastconn
    advanced-balance sticky-srcip
    active
  content LOCAL-D
    vip address 192.168.3.6
    protocol tcp
    port 81
    url "//site-d.mycompany.com/*"
    add service C-S1
    add service C-S2
    add service C-S3
    add service C-S4
    add dns site-d.mycompany.com
    active
!--- *************************** ACL ***************************
acl 1
  clause 10 permit any any destination content GSLB/LOCAL-A prefer REMOTE-A
  clause 20 permit any any destination content GSLB/LOCAL-B prefer REMOTE-B
  clause 30 permit any any destination content GSLB/LOCAL-D prefer REMOTE-D
  clause 99 permit any any destination any
  apply circuit-(VLAN1)
  apply dns
CSS-D Switch Configuration WebNS 4.10, Build 17
!--- This is the configuration for the CSS at site D.
prompt CSS-D
configure
!--- *************************** GLOBAL ***************************
  acl enable
  dns-server
  app
  app session 192.168.1.1
  app session 192.168.2.1
  app session 192.168.3.1
  ip route 0.0.0.0 0.0.0.0 192.168.4.254 1
!--- *************************** CIRCUIT ***************************
circuit VLAN1
  ip address 192.168.4.1 255.255.255.0
!--- *************************** SERVICE ***************************
service D-S1
  ip address 192.168.4.2
  active
service D-S2
  ip address 192.168.4.3
  active
service D-S3
  ip address 192.168.4.4
  active
service D-S4
  ip address 192.168.4.5
  active
service RedirectLocal
  domain site-d.mycompany.com
  type redirect
  keepalive type none
  active
service REMOTE-A
  ip address 192.168.1.6
  keepalive type http
  keepalive method head
  active
service REMOTE-B
  ip address 192.168.2.6
  keepalive type http
  keepalive method head
  active
service REMOTE-C
  ip address 192.168.3.6
  keepalive type http
  keepalive method head
  active
!--- *************************** OWNER ***************************
owner GSLB
  dns both
  content WWW
    vip address 192.168.4.6
    add service D-S1
    add service D-S2
    add service D-S3
    add service D-S4
    add dns www.mycompany.com
    balance leastconn
    advanced-balance sticky-srcip
    active
  content ReDirectMe
    vip address 192.168.4.6
    protocol tcp
    port 80
    add service RedirectLocal
    url "//www.mycompany.com/*"
    active
  content ReDirectMeA
    vip address 192.168.4.6
    protocol tcp
    port 80
    add service RedirectLocal
    url "//site-a.mycompany.com/*"
    active
  content ReDirectMeB
    vip address 192.168.4.6
    protocol tcp
    port 80
    add service RedirectLocal
    url "//site-b.mycompany.com/*"
    active
  content ReDirectMeC
    vip address 192.168.4.6
    protocol tcp
    port 80
    add service RedirectLocal
    url "//site-c.mycompany.com/*"
    active
!--- You need to differentiate these rules from other
!--- rules: if you did not set a bogus port and URL, the LOCAL-?
!--- rules conflict with the WWW rule or the ReDirectMe?.
!--- Use only these rules for DNS responses.
  content LOCAL-A
    vip address 192.168.4.6
    protocol tcp
    port 81
    url "//site-a.mycompany.com/*"
    add service D-S1
    add service D-S2
    add service D-S3
    add service D-S4
    add dns site-a.mycompany.com
    active
  content LOCAL-B
    vip address 192.168.4.6
    protocol tcp
    port 81
    url "//site-b.mycompany.com/*"
    add service D-S1
    add service D-S2
    add service D-S3
    add service D-S4
    add dns site-b.mycompany.com
    active
  content LOCAL-C
    vip address 192.168.4.6
    protocol tcp
    port 81
    url "//site-c.mycompany.com/*"
    add service D-S1
    add service D-S2
    add service D-S3
    add service D-S4
    add dns site-c.mycompany.com
    active
  content LOCAL-D
    vip address 192.168.4.6
    protocol tcp
    port 81
    url "//site-d.mycompany.com/*"
    add service D-S1
    add service D-S2
    add service D-S3
    add service D-S4
    add dns site-d.mycompany.com
    dnsbalance preferlocal
    balance leastconn
    advanced-balance sticky-srcip
    active
!--- *************************** ACL ***************************
acl 1
  clause 10 permit any any destination content GSLB/LOCAL-A prefer REMOTE-A
  clause 20 permit any any destination content GSLB/LOCAL-B prefer REMOTE-B
  clause 30 permit any any destination content GSLB/LOCAL-C prefer REMOTE-C
  clause 99 permit any any destination any
  apply circuit-(VLAN1)
  apply dns
Verify
Use this section in order to confirm that your configuration works properly.
The Output Interpreter Tool (registered customers only) (OIT) supports certain show commands. Use the OIT in order to view an analysis of show command output.
show app session
In order to verify that all the sites have valid Application Peering Protocol (APP) sessions, issue the show app session command.
CSS-B#show app session
App Session Information 'no hostname':
Session ID: 83ba9e40
IP Address: 192.168.1.1
State: APP_SESSION_UP
App Session Information 'no hostname':
Session ID: 83ba1c00
IP Address: 192.168.3.1
State: APP_SESSION_UP
App Session Information 'no hostname':
Session ID: 83b999c0
IP Address: 192.168.4.1
State: APP_SESSION_UP
CSS-B#
show summary
For a list of rules and the associated services, issue the show summary command.
CSS-B#show summary
Global Bypass Counters:
No Rule Bypass Count: 0
Acl Bypass Count: 0
Owner Content Rules State Services Service Hits
GSLB WWW Active B-S1 36968
B-S2 0
B-S3 0
B-S4 0
WWW@192.168.1.6 0
WWW@192.168.3.6 0
WWW@192.168.4.6 0
LOCAL-A Active B-S1 0
B-S2 0
B-S3 0
B-S4 0
LOCAL-A@192.168. 0
LOCAL-A@192.168. 0
LOCAL-A@192.168. 0
LOCAL-B Active B-S1 0
B-S2 0
B-S3 0
B-S4 0
LOCAL-B@192.168. 0
LOCAL-B@192.168. 0
LOCAL-B@192.168. 0
LOCAL-C Active B-S1 0
B-S2 0
B-S3 0
B-S4 0
LOCAL-C@192.168. 0
LOCAL-C@192.168. 0
LOCAL-C@192.168. 0
LOCAL-D Active B-S1 0
B-S2 0
B-S3 0
B-S4 0
LOCAL-D@192.168. 0
LOCAL-D@192.168. 0
LOCAL-D@192.168. 0
ReDirectMe Active RedirectLocal 0
ReDirectMeA Active RedirectLocal 0
ReDirectMeC Active RedirectLocal
ReDirectMeD Active RedirectLocal 0
CSS-B#
show service summary
You can determine which services are operational at each site if you issue the show service summary command. Remote sites are those listed with an "@" symbol in the name. The site name consists of the content rule name followed by the VIP address at the remote site. A load of 255 on a remote rule means that all services for the specified rule at that site are down. This output shows that site-d has no services alive, yet the site itself is alive.
CSS-A#show service summary
Service Name State Conn Weight Avg State
Load Transitions
A-S1 Alive 0 1 2 0
A-S2 Alive 1 1 32 0
A-S3 Down 0 1 255 0
A-S4 Down 0 1 255 0
RedirectLocal Alive 0 1 2 0
REMOTE-B Alive 0 1 2 2
REMOTE-C Alive 0 1 2 0
REMOTE-D Down 0 1 255 1
WWW@192.168.4.6 Alive 0 1 255 0
LOCAL-A@192.168.4.6 Alive 0 1 255 0
LOCAL-B@192.168.4.6 Alive 0 1 255 0
LOCAL-C@192.168.4.6 Alive 0 1 255 0
LOCAL-D@192.168.4.6 Alive 0 1 255 0
WWW@192.168.3.6 Alive 0 1 87 0
LOCAL-A@192.168.3.6 Alive 0 1 87 0
LOCAL-B@192.168.3.6 Alive 0 1 87 0
LOCAL-C@192.168.3.6 Alive 0 1 87 0
LOCAL-D@192.168.3.6 Alive 0 1 87 0
WWW@192.168.2.6 Alive 0 1 4 0
LOCAL-A@192.168.2.6 Alive 0 1 4 0
LOCAL-B@192.168.2.6 Alive 0 1 4 0
LOCAL-C@192.168.2.6 Alive 0 1 4 0
LOCAL-D@192.168.2.6 Alive 0 1 4 0
CSS-A#
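As an added example (not part of the Cisco document), this Python script parses show service summary output, finds remote sites that are Alive but report a load of 255 for every rule, and checks whether the matching REMOTE-? keepalive has marked them Down. The sample is an excerpt of the CSS-A capture above; the REMOTE-? to VIP mapping is taken from the CSS-A configuration, and the function names are illustrative.

```python
import re
from collections import defaultdict

# Excerpt of the CSS-A "show service summary" capture shown above.
SAMPLE_OUTPUT = """\
CSS-A#show service summary
Service Name State Conn Weight Avg State
Load Transitions
A-S1 Alive 0 1 2 0
A-S2 Alive 1 1 32 0
A-S3 Down 0 1 255 0
REMOTE-B Alive 0 1 2 2
REMOTE-C Alive 0 1 2 0
REMOTE-D Down 0 1 255 1
WWW@192.168.4.6 Alive 0 1 255 0
LOCAL-A@192.168.4.6 Alive 0 1 255 0
WWW@192.168.3.6 Alive 0 1 87 0
LOCAL-A@192.168.3.6 Alive 0 1 87 0
WWW@192.168.2.6 Alive 0 1 4 0
LOCAL-A@192.168.2.6 Alive 0 1 4 0
CSS-A#
"""

# REMOTE-? service -> VIP it probes, taken from the CSS-A configuration.
REMOTE_VIPS = {"REMOTE-B": "192.168.2.6", "REMOTE-C": "192.168.3.6",
               "REMOTE-D": "192.168.4.6"}
NO_SERVICES_LOAD = 255  # load this document gives for a rule with every service down

# name, state, conn, weight, avg load, state transitions
ROW = re.compile(r"^(\S+)\s+(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)$")

def parse_summary(text):
    """Return {service_name: (state, avg_load)} for each data row."""
    rows = {}
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:  # header and prompt lines do not match
            rows[m.group(1)] = (m.group(2), int(m.group(5)))
    return rows

def empty_remote_sites(rows):
    """VIPs whose peer is Alive but reports load 255 for every rule."""
    by_vip = defaultdict(list)
    for name, (state, load) in rows.items():
        if "@" in name:
            by_vip[name.split("@", 1)[1]].append((state, load))
    return sorted(vip for vip, entries in by_vip.items()
                  if all(s == "Alive" and l == NO_SERVICES_LOAD for s, l in entries))

def unguarded_sites(rows, remote_vips=REMOTE_VIPS):
    """REMOTE-? services still Alive although their site has no services.

    Such a VIP would still be returned in DNS answers, which is the
    dead-site case the HTTP keepalive is meant to prevent.
    """
    empty = set(empty_remote_sites(rows))
    return sorted(svc for svc, vip in remote_vips.items()
                  if vip in empty and rows.get(svc, ("Down", 0))[0] == "Alive")

if __name__ == "__main__":
    rows = parse_summary(SAMPLE_OUTPUT)
    print("empty remote sites:", empty_remote_sites(rows))
    print("REMOTE-? services masking an empty site:", unguarded_sites(rows))
```

On the capture above the first list contains 192.168.4.6 and the second is empty, because the HTTP keepalive has already marked REMOTE-D Down.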
show rule
In order to verify rules, issue the show rule command.
CSS-B#show rule GSLB WWW
Name: WWW Owner: GSLB
Author: Local Index: 9
State: Active Type: HTTP
IP Redundancy: Not Redundant
L3: 192.168.2.6
L4: Any/Any
Url:
URQL:
EQL:
DQL:
Header Field Group:
Total Bytes: 48948441 Total Frames: 336684
Total Redirects: 0 Total Rejects: 0
Overload Rejects: 0
Balance: Least Connections
Advanced Balance: Source IP
Sticky Mask: 255.255.255.255
Sticky Inactivity timeout: 0 minutes
Sticky No Cookie Found Action: Balance
Sticky Server Down Failover: Balance
ArrowPoint Cookie Path: /
ArrowPoint Cookie Expiration: Browser Exit
ArrowPoint Cookie Text: None
ArrowPoint Cookie Url: None
Arrowpoint Cookie display url in header: Enabled
String Match Criteria:
String Range: 1 - 100
String Prefix: ""
String Eos-Char: "" String Ascii-Conversion: Enabled
String Skip-Len: 0 String Process-Len: 0
String Operation: Match-Service-Cookie
Redirect: ""
Persistence: Enabled
Param-Bypass: Disabled
Services:
Local Load Threshold: 254
PrimarySorryServer: None
SecondSorryServer: None
Name: Hits: Wgt: State: Ld: KAlive: Conn: DNS:
----- ----- ---- ------ --- ------- ----- ----
B-S1 36,934 S-1 Alive 2 ICMP 2 0
B-S2 0 S-1 Down 255 ICMP 0 0
B-S3 0 S-1 Down 255 ICMP 0 0
B-S4 0 S-1 Down 255 ICMP 0 0
WWW@192.168.1.6
0 S-1 Alive 10 APP 0 0
WWW@192.168.3.6
0 S-1 Alive 5 APP 0 0
WWW@192.168.4.6
0 S-1 Alive 5 APP 0 0
DNS Names: DNS TTL:
DNS Balance: roundrobin
www.mycompany.com 0
Hotlist: Disabled
Size: 10, Type: HitCount, Threshold 0, Interval 1
Associated ACLs:
CSS-B#
show rule services
A site that has no active services has a load of 255. (Refer to the Ld column in the show rule output.) With WebNS 5.0, you can issue the show rule services command in order to view services.
Note: In this output, no services are alive for Site 4 even though the state is alive.
CSS-A#show rule GSLB WWW services
Rule Services:
Local Load Threshold: 254
PrimarySorryServer: None
SecondSorryServer: None
Name: Hits: Wgt: State: Ld: KAlive: Conn: DNS:
----- ----- ---- ------ --- ------- ----- ----
A-S1 30,194 S-1 Alive 2 ICMP 0 0
A-S2 14,908 S-1 Alive 32 ICMP 2 0
A-S3 0 S-1 Down 255 ICMP 0 0
A-S4 0 S-1 Down 255 ICMP 0 0
WWW@192.168.2.6
0 S-1 Alive 4 APP 0 0
WWW@192.168.3.6
0 S-1 Alive 87 APP 0 0
WWW@192.168.4.6
0 S-1 Alive 255 APP 0 0
CSS-A#
Troubleshoot
There is currently no specific troubleshooting information available for this configuration.
