Document ID: 26220
Introduction
This document provides a sample configuration of the Content Switching Module (CSM) configured in router mode with Layer 7 (L7) policies.
The concept of default policy is also explained in this document. The CSM is configured to drop server-originated connections. A simple ICMP probe is configured as well.
Before You Begin
Conventions
For more information on document conventions, see the Cisco Technical Tips Conventions.
Prerequisites
There are no specific prerequisites for this document.
Components Used
This document is not restricted to specific software and hardware versions.
The information presented in this document was created from devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If you are working in a live network, ensure that you understand the potential impact of any command before using it.
Background Theory
Clients (or the upstream router that connects to the clients) and servers are typically on two separate VLANs. Depending on the IP subnets configuration, the CSM can operate in the following two modes:
- Router mode—client and server VLANs are configured as two distinct IP subnets. In a standard Server Load Balancing (SLB) environment, the VIP belongs to the client IP subnet, and the servers belong to the server IP subnet, which cannot be reached directly from the client side. The CSM in router mode does not allow incoming requests to be passed on to servers if they do not match a VIP.
- Bridge mode—client and server VLANs are part of the same IP subnet. The CSM bridges packets between those two VLANs. In a standard SLB environment, both the VIPs and the servers are on the same IP subnet. All incoming requests not matching a VIP are bridged to the coupled VLAN (if the connection came from a client, it will be sent over to the server VLAN, and if the connection came from a server, it will be sent to the client VLAN).
Configure
In this section, you are presented with the information to configure the features described in this document. The following configurations reside entirely on the same Catalyst 6500 represented in the network diagram below. The configuration is broken into separate pieces to better illustrate which part refers specifically to the CSM and which part refers to the Layer 2/3 (L2/3) (MSFC) configuration of the Catalyst.
Note: To find additional information on the commands used in this document, use the Command Lookup Tool (registered customers only).
Network Diagram
This document uses the network setup shown in the diagram below.

Configurations
This document uses these configurations:
- Catalyst 6000 - CSM Slot 4
- Catalyst 6000 - physical and logical interfaces
|
Catalyst 6000 - CSM Slot 4 |
|---|
module ContentSwitchingModule 4
 vlan 50 client
  ip address 192.168.8.2 255.255.255.0
  gateway 192.168.8.1
!--- Client side VLAN configuration for the CSM in slot 4.
!--- The gateway keyword refers to the MSFC interface VLAN 50 IP address.
!
 vlan 240 server
  ip address 10.66.86.249 255.255.255.240
  alias 10.66.86.250 255.255.255.240
!--- Server side VLAN configuration.
!--- The IP address is different from the one used for the client VLAN (VLAN 50).
!--- The CSM is configured in router mode (two VLANs and two IP subnets).
!--- Bridge mode (two VLANs, only 1 IP subnet) is configured specifying
!--- the same exact IP address for a pair of client and server VLANs on the CSM.
!--- An alias is not necessary, however, it is a good practice, since it is required
!--- when migrating to a redundant configuration.
!--- In that case, active and standby CSMs have different IP addresses on the VLAN,
!--- however, they share the same alias.
!--- Real servers are configured to point to the alias as their default gateway.
 static drop
  real 10.66.86.240 255.255.255.240
!--- Server-originated connections from all servers in the 10.66.86.240 subnet
!--- are dropped. By default, server-originated connections are allowed and
!--- their source IP (the server IP address) is not modified.
!--- Other options are allowing server-originated connections with
!--- their source IP NATed to the VIP, or allowing server-originated connections
!--- with their source IP NATed to a pool of specific IP addresses.
!--- Note: The static command applies only
!--- to server originated connections, which do not hit any VIPs
!--- configured on the CSM.
!
 probe PING icmp
  interval 5
  failed 30
!--- This is an example of an Internet Control Message Protocol (ICMP) probe.
!--- Probes are sent out every interval (five) seconds.
!--- Once a server goes out of service, probes to that server are sent
!--- every failed (30) seconds to see if the server has come back online.
!
 serverfarm FARM1
  nat server
!--- nat server is the default configuration of a serverfarm.
!--- This means that the CSM performs directed mode
!--- (destination IP of incoming connections is changed from the VIP
!--- to the IP address of the selected server) for that serverfarm.
!--- Dispatch mode (only L2 rewrite) can be configured by
!--- issuing the no nat server command.
  no nat client
!--- no nat client is the default behavior for a serverfarm.
!--- The CSM by default does not change the source IP address of
!--- incoming requests.
  real 10.66.86.242
   weight 24
   inservice
!--- This is an example of a different weight (the default is eight).
!--- Remember that weights are relative to the weights of other real servers
!--- (weight of eight does not mean that eight consecutive requests are sent
!--- to the same server).
!--- Observe also that there is no port translation configured.
!--- A port translation is used to support a server listening to port 8080.
!--- You can also use real 10.66.86.242 8080 for the configuration.
  real 10.66.86.245
   inservice
  real 10.66.86.246
   inservice
  real 10.66.86.248
   inservice
  probe PING
!--- All the servers in the serverfarm are pinged every five seconds,
!--- according to the probe PING configured above.
!--- No predictor was specified, and the default is round robin.
 serverfarm FARM2
  nat server
  no nat client
  real 10.66.86.242 23
   inservice
  real 10.66.86.246 23
   inservice
!--- The real servers in FARM2 are an example of port translation.
!
 serverfarm FARM3
  nat server
  no nat client
  real 10.66.86.242
   inservice
  real 10.66.86.245
   inservice
!
 sticky 10 cookie cookiename timeout 20
!--- A sticky group (group number 10) is configured for cookie sticky
!--- with a timeout of 20 minutes.
!
 map TEST url
  match protocol http url *jpg*
!--- A URL map (also HTTP header and cookie maps are available) is created.
!--- This is the first step in the creation of a L7 policy.
!--- In this case, only one match statement is configured. In general,
!--- multiple match statements can be configured.
!
 map IE header
  match protocol http header User-Agent header-value *IE*
!--- This is another example of a map, in this case a HTTP header map.
!--- Observe that the header name needs to perfectly match the
!--- HTTP header field to be examined, while the header value is
!--- a regular expression.
!
 policy TEST
  url-map TEST
  serverfarm FARM3
!--- Creation of the policy named TEST. You can use the same name as
!--- the one of the map previously created, however, this is not a requirement.
!--- This is just a way to easily remember the association if only one map
!--- is associated with a policy.
!--- In general, a policy can include a url-map, a cookie-map, a header-map,
!--- a client-group, and so on.
!--- If all of these conditions match (in this example, only the condition
!--- url-map TEST), the policy has a match, and the specified
!--- serverfarm (FARM3) is used to fulfill that request.
!
 policy IE
  header-map IE
  serverfarm FARM3
 vserver WEB
  virtual 192.168.8.3 tcp www
!--- This is a creation of a simple virtual server.
!--- No IP mask has been specified and no VLAN of incoming traffic
!--- has been specified.
!--- This means that this is a simple VIP for standard server load balancing.
!--- Traffic coming from any VLAN and directed to that specific IP address
!--- (192.168.8.3) will match this VIP if it is TCP and if it is destined
!--- to port 80 (keyword www).
  serverfarm FARM1
  sticky 20 group 10
!--- Default Policy: This is very important. The two lines above refer
!--- to the default policy.
!--- If there are no other policies configured or if none of the configured
!--- slb-policies has a match, the default policy is used.
!--- In this case, the default policy is used only if neither
!--- slb-policy TEST nor slb-policy IE has a match.
!--- If there are no other matches, the farm FARM1 will be used,
!--- and the rules of sticky group 10 will be applied.
!--- If the default serverfarm is not configured for a virtual server,
!--- and if none of the slb-policies has a match, the session will be discarded.
  persistent rebalance
!--- Default behaviour for HTTP 1.1; if multiple GETs are present
!--- in the same TCP connection, the CSM will examine every GET.
!--- If the new GET needs to be sent to a different serverfarm,
!--- the connection with the current server is closed and
!--- a new connection with a new server is opened.
!--- This is completely transparent to the client.
  slb-policy TEST
  slb-policy IE
!--- This is an association of two previously configured policies to
!--- the virtual server WEB. The order is important.
!--- In this case, if TEST has a match, IE is not even considered,
!--- and the serverfarm associated with policy TEST is used.
!--- If stickiness had to be configured for these policies, this would
!--- be done at the policy level above (in the policy TEST submode
!--- for example).
  inservice
!--- All virtual servers need to be put in service.
!
 vserver FTP
  virtual 192.168.8.3 tcp ftp service ftp
!--- For FTP, the service ftp keyword needs
!--- to be specified. This instructs the CSM to monitor
!--- the control channel (port "ftp", 21),
!--- and figure out automatically the data port to be used, and map
!--- the data channel to the same real server.
!--- Both active and passive types of FTP are supported.
  serverfarm FARM3
  persistent rebalance
  inservice
!
 vserver TELNET
  virtual 192.168.8.3 tcp telnet
  serverfarm FARM1
  persistent rebalance
  inservice
!
 vserver TELNET2
  virtual 192.168.8.3 tcp 345
!--- This is an example of a virtual server listening to port 345, while
!--- the default policy (the only policy configured for this virtual server)
!--- uses serverfarm FARM2, and real servers in FARM2 are configured
!--- for port translation to port 23 (see above).
  serverfarm FARM2
  persistent rebalance
  inservice
!
!
|
|
Catalyst 6000 - physical and logical interfaces |
|---|
!
interface GigabitEthernet1/1
 no ip address
 shutdown
!
==============================
!
interface FastEthernet8/1
 no ip address
 switchport
 switchport access vlan 176
 spanning-tree portfast
!
!--- Servers are connected to this port.
!
interface FastEthernet8/2
 no ip address
 switchport
 switchport access vlan 240
 spanning-tree portfast
!--- Clients are connected to this port.
==============================
interface Vlan1
 no ip address
!--- Default VLAN 1, cannot be configured in the CSM (CLI will prevent it).
!
interface Vlan50
 ip address 192.168.8.1 255.255.255.0
!--- Internal VLAN between MSFC and CSM.
!--- In this example, the MSFC on the client side of the CSM is used.
!--- Vlan50 is the client side VLAN of the CSM, and the CSM
!--- is pointing to int vlan 50 IP address as the default gateway.
!
interface Vlan176
 ip address 10.66.86.184 255.255.255.240
!--- Observe that VLAN 240 (CSM server side VLAN) is not created as
!--- a L3 entity on the MSFC. You do not want the MSFC
!--- to route between VLAN 50 and 240, thus skipping the CSM.
!--- VLAN 240 is created as a L2 entity in the switch
!--- (issue the show vlan command to verify this).
!--- VLAN 50 is also created as a L3 entity on the MSFC.
!--- In this example, the MSFC is used on the client side of the CSM.
|
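The configuration comments above call out three behaviours worth checking on any CSM deployment: server-originated connections are allowed unless a `static drop` rule covers the real server, a virtual server with no default serverfarm discards requests that match no slb-policy, and an MSFC Layer 3 interface on the CSM server VLAN would let traffic skip the CSM. The following Python audit is an added example, not part of the original Cisco document; it assumes `show running-config` style indentation, and `FARM9`, real 10.66.87.10, vserver `NODEFAULT` and `interface Vlan240` in the sample are hypothetical additions that trigger the findings.

```python
import ipaddress

# Constructed sample condensed from this page's configuration. FARM9, real
# 10.66.87.10, vserver NODEFAULT and interface Vlan240 are hypothetical additions.
SAMPLE_CONFIG = """\
module ContentSwitchingModule 4
 vlan 240 server
 static drop
  real 10.66.86.240 255.255.255.240
 serverfarm FARM1
  real 10.66.86.242
 serverfarm FARM9
  real 10.66.87.10
 vserver WEB
  serverfarm FARM1
  slb-policy TEST
 vserver NODEFAULT
  slb-policy TEST
interface Vlan50
 ip address 192.168.8.1 255.255.255.0
interface Vlan240
 ip address 10.66.86.251 255.255.255.240
"""

def parse(config):
    """Collect drop networks, farm reals, vserver defaults and VLAN roles."""
    drops, farms, defaults, server_vlans, l3_vlans = [], {}, {}, set(), set()
    base, section, name = 0, "", ""
    for raw in config.splitlines():
        line = raw.split("!")[0].rstrip()        # drop comments and separators
        words = line.split()
        if not words:
            continue
        indent = len(line) - len(line.lstrip())
        if indent == 0:                          # CSM sections sit one level in
            base = 1 if words[0] == "module" else 0
        if indent <= base:                       # section header
            section, name = words[0], words[1] if len(words) > 1 else ""
            if section == "serverfarm":
                farms[name] = []
            elif section == "vserver":
                defaults[name] = None
            elif section == "vlan" and words[-1] == "server":
                server_vlans.add(name)
        elif (section, name, words[0]) == ("static", "drop", "real"):
            mask = words[2] if len(words) > 2 else "255.255.255.255"
            drops.append(ipaddress.ip_network(f"{words[1]}/{mask}", strict=False))
        elif section == "serverfarm" and words[0] == "real":
            farms[name].append(ipaddress.ip_address(words[1]))
        elif section == "vserver" and words[0] == "serverfarm":
            defaults[name] = words[1]            # default policy serverfarm
        elif section == "interface" and words[:2] == ["ip", "address"]:
            l3_vlans.add(name[4:] if name.startswith("Vlan") else name)
    return drops, farms, defaults, server_vlans, l3_vlans

def audit(config):
    """Return sorted (check, subject) findings for the three behaviours."""
    drops, farms, defaults, server_vlans, l3_vlans = parse(config)
    findings = set()
    for farm, reals in farms.items():
        for real in reals:                       # allowed by default per the page
            if not any(real in net for net in drops):
                findings.add(("server-originated-allowed", f"{farm}/{real}"))
    for vserver, farm in defaults.items():       # no default farm: unmatched dropped
        if farm is None:
            findings.add(("unmatched-discarded", vserver))
    for vlan in server_vlans & l3_vlans:         # MSFC could route around the CSM
        findings.add(("msfc-routes-server-vlan", vlan))
    return sorted(findings)
```

Calling `audit(SAMPLE_CONFIG)` returns one finding per hypothetical addition; a configuration equivalent to the one on this page returns an empty list.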
Verify
This section provides information you can use to confirm your configuration is working properly.
|
Verify |
|---|
Router#
Router#sh mod csm 4 vser deta
WEB, type = SLB, state = OPERATIONAL, v_index = 19
virtual = 192.168.8.3/32:80 bidir, TCP, service = NONE, advertise = FALSE
!--- 32 bits of mask is the default. The destination IP of incoming requests
!--- needs to be exactly the VIP.
!--- advertise = FALSE refers to the Route Health Injection feature,
!--- where VIPs are advertised with host routes by the MSFC
!--- (used on the client side).
idle = 3600, replicate csrp = none, vlan = ALL, pending = 30
!--- 3600 seconds of idle timer.
!--- If no packets are sent over a specific session
!--- for the idle time, the CSM tears down that session.
!--- The idle timer is important, especially for non-TCP sessions
!--- where there is no explicit termination of the session.
!--- There is no replication configured. In this example, a standby CSM will
!--- simply monitor the active CSM and eventually become active, however, it
!--- will not learn sticky database, nor TCP state.
!--- The replication can be configured as none, sticky database, or TCP state.
!--- Traffic can come to this vserver from any VLAN.
!--- This is the default behaviour since no VLAN was specified in the config.
max parse len = 2000, persist rebalance = TRUE
!--- Max depth of inspection (default 600 bytes, max 4000 bytes).
conns = 0, total conns = 2
!--- Currently open connections and total connections that have been set up
!--- since the last reset of the counters (clear mod csm 4 counters).
Default policy:
server farm = FARM1, backup =
sticky: timer = 20, subnet = 0.0.0.0, group id = 10
!--- Default policy serverfarm and sticky config (this sticky config only applies
!--- to the default serverfarm; stickiness for the other policies needs
!--- to be configured in the various “policy” submodes)
Policy Tot matches Client pkts Server pkts
-----------------------------------------------------
TEST 1 3 6
IE 2 10 3
(default) 0 0 0
!--- Total number of connections that matched the various policies and
!--- number of packets sent by servers and clients.
TELNET, type = SLB, state = OPERATIONAL, v_index = 21
virtual = 192.168.8.3/32:23 bidir, TCP, service = NONE, advertise = FALSE
idle = 3600, replicate csrp = none, vlan = ALL, pending = 30
max parse len = 2000, persist rebalance = TRUE
ssl sticky offset = 0, length = 32
conns = 0, total conns = 0
Default policy:
server farm = FARM1, backup =
sticky: timer = 0, subnet = 0.0.0.0, group id = 0
Policy Tot matches Client pkts Server pkts
-----------------------------------------------------
(default) 14 375 258
TELNET2, type = SLB, state = OPERATIONAL, v_index = 22
virtual = 192.168.8.3/32:345 bidir, TCP, service = NONE, advertise = FALSE
idle = 3600, replicate csrp = none, vlan = ALL, pending = 30
max parse len = 2000, persist rebalance = TRUE
ssl sticky offset = 0, length = 32
conns = 0, total conns = 0
Default policy:
server farm = FARM2, backup =
sticky: timer = 0, subnet = 0.0.0.0, group id = 0
Policy Tot matches Client pkts Server pkts
-----------------------------------------------------
(default) 5 24 19
FTP, type = SLB, state = OPERATIONAL, v_index = 20
virtual = 192.168.8.3/32:21 bidir, TCP, service = ftp, advertise = FALSE
!--- FTP service was configured for this virtual server that is
!--- listening on port 21.
idle = 3600, replicate csrp = none, vlan = ALL, pending = 30
max parse len = 2000, persist rebalance = TRUE
ssl sticky offset = 0, length = 32
conns = 0, total conns = 0
Default policy:
server farm = FARM3, backup =
sticky: timer = 0, subnet = 0.0.0.0, group id = 0
Policy Tot matches Client pkts Server pkts
-----------------------------------------------------
(default) 2 21 16
Router#
Router#
Router#
Router#sh mod csm 4 sticky ?
client sticky associated with a specific client IP address
config list configured sticky groups
cookie sticky associated with a HTTP cookie value
group sticky associated with a specific group
ssl sticky associated with a SSL session id
| Output modifiers
<cr>
Router#
Router#sh mod csm 4 real deta
10.66.86.242, FARM1, state = OPERATIONAL
conns = 0, maxconns = 4294967295, minconns = 0
!--- There are 0 active connections to this real server.
!--- maxconns and minconns have their default values.
!--- If changed to something else, they enable the connection watermarks feature.
!--- No more than maxconns connections will ever be active on this real server.
!--- When the server has reached its maximum, the CSM does not send it
!--- any new connections until the number of active connections drops
!--- below minconns.
weight = 24, weight(admin) = 24, metric = 0, remainder = 0
!--- Admin weight is configured, weight is dynamic.
!--- If using Dynamic Feedback Protocol (DFP), the dynamic weight
!--- can be different from the admin.
total conns established = 0, total conn failures = 0
10.66.86.245, FARM1, state = OPERATIONAL
conns = 1, maxconns = 4294967295, minconns = 0
weight = 8, weight(admin) = 8, metric = 0, remainder = 1
total conns established = 193, total conn failures = 0
10.66.86.246, FARM1, state = OPERATIONAL
conns = 0, maxconns = 4294967295, minconns = 0
weight = 8, weight(admin) = 8, metric = 0, remainder = 0
total conns established = 563, total conn failures = 0
10.66.86.248, FARM1, state = OPERATIONAL
conns = 0, maxconns = 4294967295, minconns = 0
weight = 8, weight(admin) = 8, metric = 0, remainder = 0
total conns established = 455, total conn failures = 0
10.66.86.242:23, FARM2, state = OPERATIONAL
conns = 0, maxconns = 4294967295, minconns = 0
weight = 8, weight(admin) = 8, metric = 0, remainder = 0
total conns established = 3, total conn failures = 0
10.66.86.246:23, FARM2, state = OPERATIONAL
conns = 0, maxconns = 4294967295, minconns = 0
weight = 8, weight(admin) = 8, metric = 0, remainder = 0
total conns established = 2, total conn failures = 0
10.66.86.242, FARM3, state = OPERATIONAL
conns = 0, maxconns = 4294967295, minconns = 0
weight = 8, weight(admin) = 8, metric = 0, remainder = 0
total conns established = 180, total conn failures = 0
10.66.86.245, FARM3, state = OPERATIONAL
conns = 0, maxconns = 4294967295, minconns = 0
weight = 8, weight(admin) = 8, metric = 0, remainder = 0
total conns established = 179, total conn failures = 0
Router#
Router#
Router#
Router#
Router#sh mod csm 4 serv deta
FARM1, type = SLB, predictor = RoundRobin
nat = SERVER
!--- Default load balancing algorithm is round robin.
!--- Default NAT options are nat server (directed mode) but no nat client.
virtuals inservice: 2, reals = 4, bind id = 0, fail action = none
!--- Two active virtual servers are using this serverfarm.
inband health config: <none>
retcode map = <none>
Probes:
PING, type = icmp
Real servers:
10.66.86.242, weight = 24, OPERATIONAL, conns = 0
10.66.86.245, weight = 8, OPERATIONAL, conns = 1
10.66.86.246, weight = 8, OPERATIONAL, conns = 0
10.66.86.248, weight = 8, OPERATIONAL, conns = 0
Total connections = 1
!--- This number indicates the active connections only.
FARM2, type = SLB, predictor = RoundRobin
nat = SERVER
virtuals inservice: 1, reals = 2, bind id = 0, fail action = none
inband health config: <none>
retcode map = <none>
Real servers:
10.66.86.242:23, weight = 8, OPERATIONAL, conns = 0
10.66.86.246:23, weight = 8, OPERATIONAL, conns = 0
Total connections = 0
FARM3, type = SLB, predictor = RoundRobin
nat = SERVER
virtuals inservice: 2, reals = 2, bind id = 0, fail action = none
inband health config: <none>
retcode map = <none>
Real servers:
10.66.86.242, weight = 8, OPERATIONAL, conns = 0
10.66.86.245, weight = 8, OPERATIONAL, conns = 0
Total connections = 0
Router#
Router#
Router#
Router#sh mod csm 4 arp
!--- This is a very useful command; it shows the ARP table of the CSM.
!--- Remember that this table is completely distinct from the MSFC ARP table.
Internet Address Physical Interface VLAN Type Status
--------------------------------------------------------------------
10.66.86.241 00-30-F2-C9-EB-F8 240 LEARNED up(0 misses)
10.66.86.242 00-02-B3-9D-2C-B9 240 REAL up(0 misses)
10.66.86.243 00-11-25-AB-21-D2 240 LEARNED up(0 misses)
10.66.86.244 00-09-5B-1E-B5-D5 240 LEARNED up(0 misses)
!--- 0 misses refers to the number of unanswered ARP requests by that device.
!--- In this case, all ARPs are receiving a response,
!--- so the server is well connected.
10.66.86.245 00-0D-88-2F-67-E4 240 REAL up(0 misses)
10.66.86.246 00-02-B3-9D-2C-B9 240 REAL up(0 misses)
10.66.86.247 00-11-25-8D-2F-A8 240 LEARNED up(0 misses)
10.66.86.248 00-0D-88-2F-67-E4 240 REAL up(0 misses)
10.66.86.249 00-03-32-87-B7-B8 240 --SLB-- local
10.66.86.250 00-02-2F-00-14-0C 240 LEARNED up(0 misses)
10.66.86.253 00-0D-60-0F-24-6A 240 LEARNED up(0 misses)
10.66.86.254 00-0D-60-0F-24-5C 240 LEARNED up(0 misses)
192.168.8.1 00-D0-D3-86-B8-0A 50 GATEWAY up(0 misses)
192.168.8.2 00-03-32-87-B7-B8 50 --SLB-- local
192.168.8.3 00-03-32-87-B7-B7 0 VSERVER local
Router#
Router#
Router#
Router#
Router#
Router#sh mod csm 4 ?
arp SLB arp cache listing
capp SLB Content Application Peering Protocol information
conns SLB connection information
dfp SLB DFP manager information
ft SLB ft information
gslb Global Server Load Balancing stats
map SLB map information
memory SLB memory information
natpools SLB client nat pool information
owner SLB owner information
policy SLB policy information
probe SLB probe information
pvlan SLB pvlan information
reals SLB real server information
script SLB script information
serverfarms SLB server farm information
static SLB static server NAT information
stats SLB Statistics
status SLB status information
sticky SLB sticky database
tech-support SLB tech debug information
variable SLB environment variables
vlan SLB vlan information
vservers SLB virtual server information
xml-config SLB XML-config information
Router#sh mod csm 4 policy ?
name slb policy name
| Output modifiers
<cr>
Router#sh mod csm 4 policy
policy: TEST
type: SLB
url map: TEST
serverfarm: FARM3
policy: IE
type: SLB
header map: IE
serverfarm: FARM3
Router#
Router#sh mod csm 4 vlan deta
vlan IP address IP mask type
---------------------------------------------------
50 192.168.8.2 255.255.255.0 CLIENT
GATEWAYS
192.168.8.1
240 10.66.86.249 255.255.255.240 SERVER
Router#
Router#
|
Troubleshoot
There is currently no specific troubleshooting information available for this configuration.
Related Information
- Catalyst 6000 Family Content Switching Module Installation and Configuration Note, Release 2.2
- Content Networking Downloads (registered customers only)
- Content Networking Devices Hardware Support
- Technical Support - Cisco Systems
| Updated: Jan 31, 2006 | Document ID: 26220 |
