Document ID: 47881
Contents
Introduction
Prerequisites
Requirements
Components Used
Conventions
Configure
Network Diagram
Configurations
Verify
Troubleshoot
Related Information
Introduction
This document provides a sample configuration for the setup of Firewall Load Balancing (FWLB) while using only one Content Switching Module (CSM). FWLB requires the firewall farm to be surrounded by load balancers. This guarantees that the inbound and outbound traffic of a single session is load balanced to the same firewall. When using a CSM, you can use the same module to do the job of both load balancers. This document shows you how to achieve this.
Prerequisites
Requirements
There are no specific requirements for this document.
Components Used
The information in this document is based on these software and hardware versions:
- CSM running version 3.x
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.
Conventions
For more information on document conventions, refer to the Cisco Technical Tips Conventions.
Configure
In this section, you are presented with the information to configure the CSM for FWLB as described in this document.
Note: To find additional information on the commands used in this document, use the Command Lookup Tool (registered customers only).
Network Diagram
This document uses this network setup:
Configurations
This document uses this configuration:
CSM running version 3.x

```
module ContentSwitchingModule 4
 vlan 499 client
 !--- Outside world or client side.
  ip address 192.168.10.97 255.255.254.0
  gateway 192.168.10.1
 !
 vlan 500 server
 !--- Inside world or server side.
  ip address 192.168.20.97 255.255.254.0
 !
 vlan 168 server
 !--- Firewall outside interface.
  ip address 192.168.168.97 255.255.255.0
 !
 vlan 169 server
 !--- Firewall inside interface.
  ip address 192.168.169.97 255.255.255.0
 !
 !
 serverfarm FORWARD
 !--- Serverfarm to simply forward the traffic with no NATing.
  no nat server
  no nat client
  predictor forward
 !
 serverfarm FWLB_IN2OUT
 !--- Firewall farm used for outbound traffic from inside to outside.
  no nat server
  no nat client
  real 192.168.169.1
   backup real 192.168.169.2
   !--- Use a backup real if your firewalls support stateful failover.
   inservice
  real 192.168.169.2
   backup real 192.168.169.1
   inservice
 !
 serverfarm FWLB_OUT2IN
 !--- Firewall farm for inbound traffic from outside to inside.
  no nat server
  no nat client
  real 192.168.168.1
   backup real 192.168.168.2
   inservice
  real 192.168.168.2
   backup real 192.168.168.1
   inservice
 !--- The default is round robin load balancing.
 !--- If you need to guarantee *parent* connections are going
 !--- to the same firewall, you may need to issue the
 !--- predictor hash address command or sticky with reverse sticky.
 !
 vserver FW2SERV
 !--- Vserver to catch traffic coming from the firewall and forward it to the server.
  virtual 192.168.20.0 255.255.254.0 any
  !--- The Virtual IP (VIP) is a subnet that matches the internal network.
  vlan 169
  !--- Specify that the vserver only applies to traffic from VLAN 169.
  serverfarm FORWARD
  persistent rebalance
  inservice
 !
 vserver IN2OUT
 !--- Vserver to catch traffic coming from the firewall and
 !--- forward it to the outside.
  virtual 0.0.0.0 0.0.0.0 any
  vlan 168
  serverfarm FORWARD
  !--- Serverfarm to forward traffic with no load balancing and no NATing.
  persistent rebalance
  inservice
 !
 vserver OUT2IN
 !--- Vserver to catch traffic from the outside world and load balance it to the firewall.
  virtual 192.168.20.0 255.255.254.0 any
  vlan 499
  !--- Limit the vserver to traffic on VLAN 499 only.
  serverfarm FWLB_OUT2IN
  !--- Use the firewall farm defined in FWLB_OUT2IN.
  persistent rebalance
  inservice
 !
 vserver SERV2FW
 !--- Vserver to catch the server response and load balance it to the firewall.
  virtual 0.0.0.0 0.0.0.0 any
  vlan 500
  serverfarm FWLB_IN2OUT
  persistent rebalance
  inservice
 !
 !--- Same rules, however, for FTP traffic.
 !--- This is recommended in order to tie the control channel
 !--- with the data channel.
 !
 vserver FTP_FW2SERV
  virtual 192.168.20.0 255.255.254.0 tcp ftp service ftp
  vlan 169
  serverfarm FORWARD
  persistent rebalance
  inservice
 !
 vserver FTP_OUT2IN
  virtual 192.168.20.0 255.255.254.0 tcp ftp service ftp
  vlan 499
  serverfarm FWLB_OUT2IN
  persistent rebalance
  inservice
 !
```
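To see how the four vservers interlock into the sandwich, here is an added Python model (not Cisco code and not part of the original document) that classifies a packet by ingress VLAN and destination, picks a real with round robin plus backup-real fallback, and records a reverse connection entry so that a reply is handed back to the node it came from instead of being load balanced again. It assumes that the CSM returns replies to the node that delivered the forward packet (the came_from argument), that on one ingress VLAN the FTP vserver is evaluated before the catch-all vserver, and that firewall N has outside address 192.168.168.N and inside address 192.168.169.N; the hosts in the trace are the constructed ones from the conns output below.

```python
from ipaddress import ip_address, ip_network
from itertools import cycle

# Constructed model of the page's vservers; last field is the VLAN the flow leaves on.
VSERVERS = [  # (name, ingress vlan, destination subnet, dst port or None, serverfarm, egress vlan)
    ("FTP_OUT2IN", 499, "192.168.20.0/23", 21, "FWLB_OUT2IN", 168),
    ("OUT2IN", 499, "192.168.20.0/23", None, "FWLB_OUT2IN", 168),
    ("IN2OUT", 168, "0.0.0.0/0", None, "FORWARD", 499),
    ("FTP_FW2SERV", 169, "192.168.20.0/23", 21, "FORWARD", 500),
    ("FW2SERV", 169, "192.168.20.0/23", None, "FORWARD", 500),
    ("SERV2FW", 500, "0.0.0.0/0", None, "FWLB_IN2OUT", 169),
]
FARMS = {  # (real, backup real) pairs; round robin between the two firewalls
    "FWLB_OUT2IN": [("192.168.168.1", "192.168.168.2"), ("192.168.168.2", "192.168.168.1")],
    "FWLB_IN2OUT": [("192.168.169.1", "192.168.169.2"), ("192.168.169.2", "192.168.169.1")],
}

class Csm:
    def __init__(self, failed=()):
        self.failed = set(failed)  # reals that failed their health probes (assumed)
        self.rr = {farm: cycle(pairs) for farm, pairs in FARMS.items()}
        self.conns = {}  # (vlan, src, dst) -> node the reply is handed back to

    def match_vserver(self, vlan, dst):
        for name, vs_vlan, net, port, farm, egress in VSERVERS:
            if vs_vlan == vlan and port in (None, dst[1]) and ip_address(dst[0]) in ip_network(net):
                return name, farm, egress
        raise LookupError(f"no vserver for VLAN {vlan} -> {dst}")  # CSM would not switch it

    def pick_real(self, farm):
        for real in next(self.rr[farm]):  # primary first, then its backup real
            if real not in self.failed:
                return real
        raise RuntimeError(farm + ": no real in service")

    def forward(self, vlan, src, dst, came_from):
        if (vlan, src, dst) in self.conns:  # reply of a known flow: no new LB decision
            return "conn-table", self.conns[(vlan, src, dst)]
        name, farm, egress = self.match_vserver(vlan, dst)
        hop = dst[0] if farm == "FORWARD" else self.pick_real(farm)
        self.conns[(egress, dst, src)] = came_from  # reverse entry on the egress VLAN
        return name, hop

def trace_inbound_ftp(csm, client=("192.168.11.46", 2829), server=("192.168.21.240", 21)):
    hops = [csm.forward(499, client, server, client[0])]  # OUT2IN: pick a firewall
    fw_inside = hops[0][1].replace("192.168.168.", "192.168.169.")  # assumed numbering
    hops.append(csm.forward(169, client, server, fw_inside))  # FW2SERV: plain forward
    hops.append(csm.forward(500, server, client, server[0]))  # server reply
    hops.append(csm.forward(168, server, client, hops[0][1]))  # firewall reply
    return hops
```

The trace returns the four decisions of one inbound FTP control session; the two replies hit the connection table and go back through the firewall that was chosen on the first packet, which is the property the sandwich exists to guarantee.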
Verify
This section provides information you can use to confirm your configuration is working properly.
Certain show commands are supported by the Output Interpreter Tool (registered customers only), which allows you to view an analysis of show command output.
- show mod csm slot vserver

```
show mod csm 4 vservers
vserver         type  prot virtual                    vlan state        conns
---------------------------------------------------------------------------
OUT2IN          SLB   any  192.168.20.0/23:0          499  OPERATIONAL  0
FW2SERV         SLB   any  192.168.20.0/23:0          169  OPERATIONAL  0
SERV2FW         SLB   any  0.0.0.0/0:0                500  OPERATIONAL  0
IN2OUT          SLB   any  0.0.0.0/0:0                168  OPERATIONAL  0
FTP_OUT2IN      SLB   TCP  192.168.20.0/23:21         499  OPERATIONAL  1
FTP_FW2SERV     SLB   TCP  192.168.20.0/23:21         169  OPERATIONAL  1
```

- show mod csm slot vserver name name detail

```
show mod csm 4 vservers name FTP_OUT2IN
vserver         type  prot virtual                    vlan state        conns
---------------------------------------------------------------------------
FTP_OUT2IN      SLB   TCP  192.168.20.0/23:21         499  OPERATIONAL  1

cpu0#show mod csm 4 vservers name FTP_OUT2IN det
FTP_OUT2IN, type = SLB, state = OPERATIONAL, v_index = 26
  virtual = 192.168.20.0/23:21 bidir, TCP, service = ftp, advertise = FALSE
  idle = 3600, replicate csrp = none, vlan = 499, pending = 30
  max parse len = 2000, persist rebalance = TRUE
  ssl sticky offset = 0, length = 32
  conns = 1, total conns = 1
  Default policy:
    server farm = FWLB_OUT2IN, backup = <not assigned>
    sticky: timer = 0, subnet = 0.0.0.0, group id = 0
  Policy      Tot matches  Client pkts  Server pkts
  -----------------------------------------------------
  (default)   1            11           10
```

- show mod csm slot conns detail

```
sho mod csm 4 conns detail
      prot vlan source                destination           state
----------------------------------------------------------------------
In  TCP  499  192.168.11.46:2830    192.168.21.240:0      ESTAB
Out TCP  168  192.168.21.240:0      192.168.11.46:2830    ESTAB
    vs = (n/a), ftp = Data, csrp = False
In  TCP  169  192.168.11.46:2830    192.168.21.240:0      ESTAB
Out TCP  500  192.168.21.240:0      192.168.11.46:2830    ESTAB
    vs = (n/a), ftp = Data, csrp = False
In  TCP  169  192.168.11.46:2829    192.168.21.240:21     ESTAB
Out TCP  500  192.168.21.240:21     192.168.11.46:2829    ESTAB
    vs = FTP_FW2SERV, ftp = Control, csrp = False
In  TCP  499  192.168.11.46:2829    192.168.21.240:21     ESTAB
Out TCP  168  192.168.21.240:21     192.168.11.46:2829    ESTAB
    vs = FTP_OUT2IN, ftp = Control, csrp = False
```
Troubleshoot
This section provides information you can use to troubleshoot your configuration.
If you experience problems with this setup, the first thing to do is check whether there are any hits on the vserver by issuing the show mod csm slot vserver command. If you do not see a hit, make sure the vserver is in service, and use a sniffer trace to make sure traffic is actually sent to the CSM. When you see hits, issue the show mod csm slot conns detail command to verify that an entry was created for the connection you are looking for. Then use a sniffer again to make sure the traffic is sent to the correct firewall (you can also use any type of logging on the firewall). Proceed this way to follow the path of the traffic.
Related Information
- Configuring Secure (Router) Mode on the CSM
- Content Switching Module Hardware Support
- Content Switching Module Software Downloads (registered customers only)
- Technical Support - Cisco Systems
Updated: May 04, 2004. Document ID: 47881.
