Document ID: 47921
Updated: May 04, 2004
Introduction
This document provides a sample configuration for using reverse-sticky. This feature is mostly used in Firewall Load Balancing (FWLB) scenarios to guarantee that outbound traffic is sent through the same firewall as the inbound traffic. For example, if a client on the Internet uses FTP to reach a server on your inside network, the data connection that the server opens back to the client must go through the same firewall as the control channel; otherwise the second firewall has no state for that session and drops it.
Before You Begin
Requirements
There are no specific requirements for this document.
Components Used
The information in this document is based on these hardware and software versions:
- Content Switching Module (CSM) 3.x
- Native IOS 12.1(20)E
Related Products
This configuration can also be used with the following hardware and software versions.
- CatOS version 7.x
- MSFC IOS 12.1E
Conventions
For more information on document conventions, see the Cisco Technical Tips Conventions.
Configure
In this section, you are presented with the information to configure the features described in this document.
Network Diagram
This document uses this network setup:
Configurations
This document uses these configurations:
module ContentSwitchingModule 4
 vlan 500 server
 !--- Internal network.
  ip address 192.168.20.97 255.255.254.0
  route 192.168.50.0 255.255.255.0 gateway 192.168.20.1
 !
 vlan 169 server
 !--- Inside firewall VLAN.
  ip address 192.168.169.97 255.255.255.0
 !
 serverfarm FORWARD
 !--- Serverfarm to simply forward the traffic with no load balancing.
  no nat server
  no nat client
  predictor forward
 !
 serverfarm FWLB_IN2OUT
 !--- Firewall serverfarm.
  no nat server
  no nat client
  real 192.168.169.1
  !--- Firewall inside IP address.
   backup real 192.168.169.2
   !--- Backup firewall inside IP address; only if firewalls support stateful failover.
   inservice
  real 192.168.169.2
   backup real 192.168.169.1
   inservice
 !
 sticky 60 netmask 255.255.255.255 address destination timeout 200
 !--- Define a sticky group based on destination IP address.
 !--- The sticky entry will link a destination IP address with a firewall.
 !
 vserver FW2SERV
  virtual 192.168.20.0 255.255.254.0 any
  vlan 169
  serverfarm FORWARD
  reverse-sticky 60
  !--- Enable reverse-sticky for group 60.
  !--- The source IP address (reverse of group 60) will be used
  !--- to create an entry in the sticky table.
  persistent rebalance
  inservice
 !
 vserver SERV2FW
  virtual 0.0.0.0 0.0.0.0 any
  vlan 500
  serverfarm FWLB_IN2OUT
  sticky 200 group 60
  !--- Normal sticky group.
  !--- The sticky entry is used to determine the correct firewall to be used.
  persistent rebalance
  inservice
 !
Verify
This section provides information you can use to confirm your configuration is working properly.
- show mod csm slot sticky
- show mod csm slot vserver
- clear mod csm slot sticky all
show mod csm 4 sticky
group  sticky-data         real            timeout
----------------------------------------------------------------
60     ip 192.168.11.46    192.168.169.2   0
When the client (192.168.11.46) opens a TCP connection to the server (192.168.21.240), the traffic hits the vserver FW2SERV. Because of the reverse-sticky command, an entry is created in the sticky table keyed on the SOURCE IP ADDRESS. The entry points to the firewall the traffic came from, in this example firewall 192.168.169.2. When the server later opens a connection back to the client, that traffic hits SERV2FW, whose normal sticky lookup on the destination address (the client) finds this entry and selects the same firewall.
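The following Python model is an added example, not Cisco code or output from the CSM: it reproduces the sticky-table behaviour described above so the inbound/outbound pairing can be traced step by step. The firewall addresses, the sticky group parameters and the client/server addresses are the ones used on this page; the round-robin predictor, the failover to the configured backup real and the idle-timeout handling are simplifying assumptions of the model, not a statement of the CSM's internal algorithm.

```python
# Added example (not Cisco's code): a small model of how the CSM's sticky
# table ties the inbound and outbound halves of a session to one firewall.
# Firewall addresses and sticky-group parameters come from the sample
# configuration on this page; client/server addresses are the constructed
# values used in the page's walkthrough.
import itertools
from dataclasses import dataclass, field

# Reals of serverfarm FWLB_IN2OUT and the 'backup real' configured for each.
FIREWALLS = ["192.168.169.1", "192.168.169.2"]
BACKUP = {"192.168.169.1": "192.168.169.2", "192.168.169.2": "192.168.169.1"}


@dataclass
class StickyGroup:
    """Models 'sticky 60 netmask 255.255.255.255 address destination timeout 200'.

    The table maps an IP address (sticky-data) to the real (firewall) chosen
    for it. Time is in simulated minutes; assumption: entries are not
    refreshed on a hit, they simply expire after 'timeout' minutes."""
    group_id: int = 60
    timeout: int = 200
    table: dict = field(default_factory=dict)

    def learn(self, ip: str, real: str, now: int) -> None:
        self.table[ip] = (real, now + self.timeout)

    def lookup(self, ip: str, now: int):
        entry = self.table.get(ip)
        if entry is None:
            return None
        real, expires = entry
        if now >= expires:          # entry aged out, as it would after 'timeout 200'
            del self.table[ip]
            return None
        return real


class CSM:
    def __init__(self) -> None:
        self.group = StickyGroup()
        self.round_robin = itertools.cycle(FIREWALLS)   # simplified predictor
        self.up = set(FIREWALLS)

    def inbound(self, src: str, dst: str, via_firewall: str, now: int = 0) -> str:
        """vserver FW2SERV (vlan 169, serverfarm FORWARD, reverse-sticky 60).

        reverse-sticky keys the entry on the SOURCE address (the reverse of
        'address destination') and records which firewall the packet came from."""
        self.group.learn(src, via_firewall, now)
        return "forward"            # predictor forward: no NAT, no load balancing

    def outbound(self, src: str, dst: str, now: int = 0) -> str:
        """vserver SERV2FW (vlan 500, serverfarm FWLB_IN2OUT, sticky 200 group 60).

        Normal sticky on group 60 keys on the DESTINATION address, so a
        server-initiated connection to the client finds the firewall learned above."""
        real = self.group.lookup(dst, now)
        if real is None:                         # no entry: ordinary load balancing
            real = next(self.round_robin)
            self.group.learn(dst, real, now)
        if real not in self.up:                  # assumed failover: use 'backup real'
            real = BACKUP[real]
        return real


def ftp_walkthrough() -> tuple:
    """Client 192.168.11.46 opens the control channel through firewall .2;
    the server's active-mode data connection back to the client must use .2 too.
    Returns (sticky entry for the client, firewall chosen for the data connection)."""
    csm = CSM()
    csm.inbound("192.168.11.46", "192.168.21.240", "192.168.169.2", now=0)
    data_fw = csm.outbound("192.168.21.240", "192.168.11.46", now=1)
    return csm.group.lookup("192.168.11.46", now=1), data_fw


if __name__ == "__main__":
    print(ftp_walkthrough())   # ('192.168.169.2', '192.168.169.2')
```

Two failure modes the model makes visible: once the entry has aged out (the `timeout 200` value), the server-to-client connection falls back to plain load balancing and may land on the wrong firewall; and if the learned firewall is down, traffic is sent to its `backup real`, which only preserves the session when the firewalls share state, as the configuration comment notes.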
show mod csm 4 vservers
vserver     type  prot  virtual               vlan  state        conns
---------------------------------------------------------------------------
FW2SERV     SLB   any   192.168.20.0/23:0     169   OPERATIONAL  0
SERV2FW     SLB   any   0.0.0.0/0:0           500   OPERATIONAL  0
The command show mod csm slot vserver indicates the number of active connections for each vserver.
Troubleshoot
This section provides information you can use to troubleshoot your configuration.
To check whether stickiness works, issue the show mod csm slot vserver command to see whether the connection hit the expected vserver, then issue the show mod csm slot sticky command to see whether an entry was created in the sticky table for the client's IP address and whether it points to the firewall the inbound connection arrived through.
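As an added example (not a Cisco tool), the script below parses the text of `show mod csm slot sticky` and performs the check described above automatically: it confirms that a sticky entry exists for a given client in the expected group and that it points to the expected firewall. The sample output is constructed in the layout shown on this page; the second row and the function names are assumptions for illustration.

```python
# Added example (not Cisco's code): verify reverse-sticky entries from the
# output of 'show mod csm <slot> sticky'. SAMPLE is constructed, laid out
# like the output shown on this page.
import re

SAMPLE = """\
group  sticky-data         real            timeout
----------------------------------------------------------------
60     ip 192.168.11.46    192.168.169.2   0
60     ip 192.168.11.47    192.168.169.1   0
"""

# One table row: group, 'ip <address>', real (firewall), timeout.
ROW = re.compile(
    r"^\s*(\d+)\s+ip\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+)\s*$"
)


def parse_sticky(text: str) -> dict:
    """Return {group: {sticky_ip: (real, timeout)}} from the show output.
    Header and separator lines do not match ROW and are skipped."""
    entries = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            group, ip, real, timeout = m.groups()
            entries.setdefault(int(group), {})[ip] = (real, int(timeout))
    return entries


def check_reverse_sticky(text: str, group: int, client_ip: str,
                         expected_firewall: str) -> tuple:
    """Return (ok, message) for one client.

    ok is False when the client has no entry (the inbound flow did not hit the
    reverse-sticky vserver, or the entry aged out) or when the entry points to
    a different firewall than the one the inbound connection came through."""
    table = parse_sticky(text).get(group, {})
    entry = table.get(client_ip)
    if entry is None:
        return False, f"no sticky entry for {client_ip} in group {group}"
    real, _timeout = entry
    if real != expected_firewall:
        return False, f"{client_ip} is stuck to {real}, expected {expected_firewall}"
    return True, f"{client_ip} -> {real}: outbound traffic will use the same firewall"


if __name__ == "__main__":
    print(check_reverse_sticky(SAMPLE, 60, "192.168.11.46", "192.168.169.2"))
```

In practice you would feed the function the captured output of the command (for example from a scripted SSH session) and the firewall you expect, which you can confirm from the firewall's own connection table for the client's control channel.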
