Table Of Contents
Configuring the Router Mode with the MSFC on the Client Side
Configuring the Bridged Mode with the MSFC on the Client Side
Configuring the Source NAT for Server-Originated Connections to the VIP
Configuring Session Persistence (Stickiness)
Configuring Direct Access to Servers in Router Mode
Configuring Server-to-Server Load-Balanced Connections
Configuring Route Health Injection
Configuring a Backup Server Farm
Configuring a Load-Balancing Decision Based on the Source IP Address
Configuring Layer 7 Load Balancing
CSM-S Configuration Examples
Each example in this appendix includes only the relevant portions of the configuration. In some cases, portions of the Layer 2 and Layer 3 Catalyst switch configuration are also included. Comment lines start with # and can be pasted into the configuration once you are in configuration mode after entering the configure terminal command.
Make sure that you create all the VLANs used in the CSM-S configuration on the switch using the vlan command.
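A pre-flight check for the VLAN requirement above, added here as an example (it is not Cisco's code). It assumes the configuration is laid out as in show running-config output, with sub-commands indented; the function name audit_csm_vlans and the sample configuration are constructed for illustration. It reports VLANs that the CSM-S or a switch port uses but that were never created with the vlan command, and it also lists virtual servers that have no vlan restriction, because such a virtual server listens to traffic coming in on any VLAN.

```python
import re

# Constructed sample, laid out like "show running-config" output (sub-commands
# indented). VLAN 221 is deliberately never created on the switch, and vserver
# RESTRICTED points at VLAN 230, which the module does not define.
SAMPLE_CONFIG = """\
vlan 220
!
module ContentSwitchingModule 5
 vlan 220 server
  ip address 10.20.220.2 255.255.255.0
  alias 10.20.220.1 255.255.255.0
 # The servers' default gateway is the alias IP address
 !
 vlan 221 client
  ip address 10.20.221.5 255.255.255.0
  gateway 10.20.221.1
 !
 serverfarm WEBFARM
  nat server
  no nat client
  real 10.20.220.10
   inservice
 !
 vserver WEB
  virtual 10.20.221.100 tcp www
  serverfarm WEBFARM
  inservice
 !
 vserver RESTRICTED
  virtual 10.20.221.101 tcp www
  vlan 230
  serverfarm WEBFARM
  inservice
!
interface FastEthernet2/2
 no ip address
 switchport
 switchport access vlan 220
"""

MODULE_RE = re.compile(r"module (ContentSwitchingModule|csm) \d+$", re.I)


def audit_csm_vlans(config_text):
    """Cross-check VLAN usage in a Catalyst configuration that contains a CSM-S block."""
    switch_vlans = set()    # VLANs created globally with the vlan command
    csm_vlans = {}          # VLAN id -> "client" or "server" inside the module
    vserver_vlans = {}      # vserver name -> VLAN it is restricted to, or None
    port_vlans = set()      # access VLANs assigned to switch ports
    in_module = False
    section_indent = None   # indentation of the module's own sub-sections
    vserver = None          # vserver section currently being read, if any

    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line == "!" or line.startswith("#"):
            continue        # separators and pasted comment lines carry no config
        indent = len(raw) - len(raw.lstrip())
        if indent == 0:     # a top-level command starts a new section
            in_module = MODULE_RE.match(line) is not None
            section_indent, vserver = None, None
            m = re.match(r"vlan (\d+)$", line)
            if m:
                switch_vlans.add(int(m.group(1)))
            continue
        if not in_module:
            m = re.match(r"switchport access vlan (\d+)$", line)
            if m:
                port_vlans.add(int(m.group(1)))
            continue
        if section_indent is None:
            section_indent = indent
        if indent <= section_indent:   # vlan / serverfarm / vserver / probe ...
            vserver = None
            m = re.match(r"vlan (\d+) (client|server)$", line)
            if m:
                csm_vlans[int(m.group(1))] = m.group(2)
            m = re.match(r"vserver (\S+)$", line)
            if m:
                vserver = m.group(1)
                vserver_vlans[vserver] = None
            continue
        m = re.match(r"vlan (\d+)$", line)   # sub-command of the current section
        if vserver and m:
            vserver_vlans[vserver] = int(m.group(1))

    return {
        "csm_vlans": csm_vlans,
        "missing_on_switch": sorted((set(csm_vlans) | port_vlans) - switch_vlans),
        "vservers_on_all_vlans": sorted(n for n, v in vserver_vlans.items() if v is None),
        "vserver_vlan_not_on_csm": {n: v for n, v in vserver_vlans.items()
                                    if v is not None and v not in csm_vlans},
    }


if __name__ == "__main__":
    for finding, value in audit_csm_vlans(SAMPLE_CONFIG).items():
        print(f"{finding}: {value}")
```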
Configuring the Router Mode with the MSFC on the Client Side
This example provides configuration parameters for setting up the router mode:

module ContentSwitchingModule 5
 vlan 220 server
  ip address 10.20.220.2 255.255.255.0
  alias 10.20.220.1 255.255.255.0
 # The servers' default gateway is the alias IP address
 # Alias IP addresses are needed any time that you are
 # configuring a redundant system.
 # However, it is a good practice to always use an
 # alias IP address so that a standby CSM-S can easily
 # be added without changes to the IP addressing scheme
 !
 vlan 221 client
  ip address 10.20.221.5 255.255.255.0
  gateway 10.20.221.1
 # The CSM-S default gateway in this config is the
 # MSFC IP address on that VLAN
 !
 serverfarm WEBFARM
  nat server
  no nat client
  real 10.20.220.10
   inservice
  real 10.20.220.20
   inservice
  real 10.20.220.30
   no inservice
 !
 vserver WEB
  virtual 10.20.221.100 tcp www
  serverfarm WEBFARM
  persistent rebalance
  inservice
 # "persistent rebalance" is effective ONLY when performing
 # L7 load balancing (parsing of URLs, cookies, header, ...)
 # and only for HTTP 1.1 connections.
 # It tells the CSM-S to parse and eventually make a new
 # load balancing decision for each GET within the same
 # TCP connection.
interface FastEthernet2/2
 no ip address
 switchport
 switchport access vlan 220
# The above is the port that connects to the real servers
interface FastEthernet2/24
 ip address 10.20.1.1 255.255.255.0
# The above is the interface that connects to the client side network
interface Vlan221
 ip address 10.20.221.1 255.255.255.0
# The above is the MSFC interface for the internal VLAN used
# for MSFC-CSM-S communication

This example shows the output of the show commands:

Cat6k-2# show module csm 5 arp
Internet Address  Physical Interface  VLAN     Type     Status
--------------------------------------------------------------------
10.20.220.1       00-02-FC-E1-68-EB   220      -ALIAS-  local
10.20.220.2       00-02-FC-E1-68-EC   220      --SLB--  local
10.20.220.10      00-D0-B7-A0-81-D8   220      REAL     up(0 misses)
10.20.221.1       00-02-FC-CB-70-0A   221      GATEWAY  up(0 misses)
10.20.221.5       00-02-FC-E1-68-EC   221      --SLB--  local
10.20.220.20      00-D0-B7-A0-81-D8   220      REAL     up(0 misses)
10.20.220.30      00-D0-B7-A0-81-D8   220      REAL     up(0 misses)
10.20.221.100     00-02-FC-E1-68-EB   0        VSERVER  local

Cat6k-2# show module csm 5 vlan detail
vlan   IP address      IP mask          type
---------------------------------------------------
220    10.20.220.2     255.255.255.0    SERVER
  ALIASES
  IP address      IP mask
  --------------------------------
  10.20.220.1     255.255.255.0
221    10.20.221.5     255.255.255.0    CLIENT
  GATEWAYS
  10.20.221.1
Cat6k-2#

Cat6k-2# show module csm 5 real
real            server farm   weight  state          conns/hits
-------------------------------------------------------------------------
10.20.220.10    WEBFARM       8       OPERATIONAL    0
10.20.220.20    WEBFARM       8       OPERATIONAL    0
10.20.220.30    WEBFARM       8       OUTOFSERVICE   0
Cat6k-2#

Cat6k-2# show module csm 5 real detail
10.20.220.10, WEBFARM, state = OPERATIONAL
  conns = 0, maxconns = 4294967295, minconns = 0
  weight = 8, weight(admin) = 8, metric = 0, remainder = 0
  total conns established = 5, total conn failures = 0
10.20.220.20, WEBFARM, state = OPERATIONAL
  conns = 0, maxconns = 4294967295, minconns = 0
  weight = 8, weight(admin) = 8, metric = 0, remainder = 0
  total conns established = 5, total conn failures = 0
10.20.220.30, WEBFARM, state = OUTOFSERVICE
  conns = 0, maxconns = 4294967295, minconns = 0
  weight = 8, weight(admin) = 8, metric = 0, remainder = 0
  total conns established = 0, total conn failures = 0
Cat6k-2#

Cat6k-2# show module csm 5 vserver detail
WEB, type = SLB, state = OPERATIONAL, v_index = 17
  virtual = 10.20.221.100/32:80 bidir, TCP, service = NONE, advertise = FALSE
  idle = 3600, replicate csrp = none, vlan = ALL, pending = 30, layer 4
  max parse len = 2000, persist rebalance = TRUE
  ssl sticky offset = 0, length = 32
  conns = 0, total conns = 10
  Default policy:
    server farm = WEBFARM, backup = <not assigned>
    sticky: timer = 0, subnet = 0.0.0.0, group id = 0
  Policy          Tot matches  Client pkts  Server pkts
  -----------------------------------------------------
  (default)       10           50           50
Cat6k-2#

Cat6k-2# show module csm 5 stats
Connections Created: 28
Connections Destroyed: 28
Connections Current: 0
Connections Timed-Out: 0
Connections Failed: 0
Server initiated Connections:
  Created: 0, Current: 0, Failed: 0
L4 Load-Balanced Decisions: 27
L4 Rejected Connections: 1
L7 Load-Balanced Decisions: 0
L7 Rejected Connections:
  Total: 0, Parser: 0,
  Reached max parse len: 0, Cookie out of mem: 0,
  Cfg version mismatch: 0, Bad SSL2 format: 0
L4/L7 Rejected Connections:
  No policy: 1, No policy match 0,
  No real: 0, ACL denied 0,
  Server initiated: 0
Checksum Failures: IP: 0, TCP: 0
Redirect Connections: 0, Redirect Dropped: 0
FTP Connections: 0
MAC Frames:
  Tx: Unicast: 345, Multicast: 5, Broadcast: 25844,
      Underflow Errors: 0
  Rx: Unicast: 1841, Multicast: 448118, Broadcast: 17,
      Overflow Errors: 0, CRC Errors: 0

Configuring the Bridged Mode with the MSFC on the Client Side
This example provides configuration parameters for configuring bridged mode:

module ContentSwitchingModule 5
 vlan 221 client
  ip address 10.20.220.2 255.255.255.0
  gateway 10.20.220.1
 !
 vlan 220 server
  ip address 10.20.220.2 255.255.255.0
 # Two VLANs with the same IP address are bridged together.
 !
 serverfarm WEBFARM
  nat server
  no nat client
  real 10.20.220.10
   inservice
  real 10.20.220.20
   inservice
  real 10.20.220.30
   no inservice
 !
 vserver WEB
  virtual 10.20.220.100 tcp www
  serverfarm WEBFARM
  persistent rebalance
  inservice
interface FastEthernet2/2
 no ip address
 switchport
 switchport access vlan 220
# The above is the port that connects to the real servers
interface FastEthernet2/24
 ip address 10.20.1.1 255.255.255.0
# The above is the MSFC interface that connects to the client side network
interface Vlan221
 ip address 10.20.220.1 255.255.255.0
# The above is the MSFC interface for the internal VLAN used
# for MSFC-CSM-S communication.
# The servers use this IP address as their default gateway
# since the CSM-S is bridging between the client and server VLANs

This example shows the output of the show commands:

Cat6k-2# show module csm 5 arp
Internet Address  Physical Interface  VLAN     Type     Status
--------------------------------------------------------------------
10.20.220.1       00-02-FC-CB-70-0A   221      GATEWAY  up(0 misses)
10.20.220.2       00-02-FC-E1-68-EC   221/220  --SLB--  local
10.20.220.10      00-D0-B7-A0-81-D8   220      REAL     up(0 misses)
10.20.220.20      00-D0-B7-A0-81-D8   220      REAL     up(0 misses)
10.20.220.30      00-D0-B7-A0-81-D8   220      REAL     up(0 misses)
10.20.220.100     00-02-FC-E1-68-EB   0        VSERVER  local

Configuring the Probes
This example provides configuration parameters for configuring probes:

module ContentSwitchingModule 5
 vlan 220 server
  ip address 10.20.220.2 255.255.255.0
  alias 10.20.220.1 255.255.255.0
 !
 vlan 221 client
  ip address 10.20.221.5 255.255.255.0
  gateway 10.20.221.1
 !
 probe PING icmp
  interval 5
  failed 10
  receive 4
 # Interval between the probes is 5 seconds for healthy servers
 # while it is 10 seconds for failed servers.
 # The servers need to reply within 4 seconds.
 !
 probe TCP tcp
  interval 5
  failed 10
  open 4
 # The servers need to open the TCP connection within 4 seconds.
 !
 probe HTTP http
  request method head url /probe/http_probe.html
  expect status 200 299
  interval 20
  port 80
 # The port for the probe is inherited from the vservers.
 # The port is necessary in this case, since the same farm
 # is serving a vserver on port 80 and one on port 23.
 # If the "port 80" parameter is removed, the HTTP probe
 # will be sent out on both ports 80 and 23, thus failing
 # on port 23 which does not serve HTTP requests.
 probe PING-SERVER-30 icmp
  interval 5
  failed 10
 !
 serverfarm WEBFARM
  nat server
  no nat client
  real 10.20.220.10
   inservice
  real 10.20.220.20
   inservice
  real 10.20.220.30
   health probe PING-SERVER-30
   inservice
  probe PING
  probe TCP
  probe HTTP
 !
 vserver TELNET
  virtual 10.20.221.100 tcp telnet
  serverfarm WEBFARM
  persistent rebalance
  inservice
 !
 vserver WEB
  virtual 10.20.221.100 tcp www
  serverfarm WEBFARM
  persistent rebalance
  inservice
 !

This example shows the output of the show commands:

Cat6k-2# show module csm 5 probe
probe           type    port  interval  retries  failed  open  receive
---------------------------------------------------------------------
PING            icmp          5         3        10            4
TCP             tcp           5         3        10      4
HTTP            http    80    20        3        300     10    10
PING-SERVER-30  icmp          5         3        10            10

Cat6k-2# show module csm 5 probe detail
probe           type    port  interval  retries  failed  open  receive
---------------------------------------------------------------------
PING            icmp          5         3        10            4
 real                  vserver   serverfarm   policy      status
 ------------------------------------------------------------------------------
 10.20.220.30:80       WEB       WEBFARM      (default)   OPERABLE
 10.20.220.20:80       WEB       WEBFARM      (default)   OPERABLE
 10.20.220.10:80       WEB       WEBFARM      (default)   OPERABLE
 10.20.220.30:23       TELNET    WEBFARM      (default)   OPERABLE
 10.20.220.20:23       TELNET    WEBFARM      (default)   OPERABLE
 10.20.220.10:23       TELNET    WEBFARM      (default)   OPERABLE
TCP             tcp           5         3        10      4
 real                  vserver   serverfarm   policy      status
 ------------------------------------------------------------------------------
 10.20.220.30:80       WEB       WEBFARM      (default)   OPERABLE
 10.20.220.20:80       WEB       WEBFARM      (default)   OPERABLE
 10.20.220.10:80       WEB       WEBFARM      (default)   OPERABLE
 10.20.220.30:23       TELNET    WEBFARM      (default)   OPERABLE
 10.20.220.20:23       TELNET    WEBFARM      (default)   OPERABLE
 10.20.220.10:23       TELNET    WEBFARM      (default)   OPERABLE
HTTP            http    80    20        3        300     10    10
 Probe Request: HEAD /probe/http_probe.html
 Expected Status Codes:
   200 to 299
 real                  vserver   serverfarm   policy      status
 ------------------------------------------------------------------------------
 10.20.220.30:80       WEB       WEBFARM      (default)   OPERABLE
 10.20.220.20:80       WEB       WEBFARM      (default)   FAILED
 10.20.220.10:80       WEB       WEBFARM      (default)   OPERABLE
 10.20.220.30:80       TELNET    WEBFARM      (default)   OPERABLE
 10.20.220.20:80       TELNET    WEBFARM      (default)   FAILED
 10.20.220.10:80       TELNET    WEBFARM      (default)   OPERABLE
PING-SERVER-30  icmp          5         3        10            10
 real                  vserver   serverfarm   policy      status
 ------------------------------------------------------------------------------
 10.20.220.30:80       WEB       WEBFARM      (default)   OPERABLE
 10.20.220.30:23       TELNET    WEBFARM      (default)   OPERABLE

Cat6k-2# show module csm 5 real
real            server farm   weight  state          conns/hits
-------------------------------------------------------------------------
10.20.220.10    WEBFARM       8       OPERATIONAL    0
10.20.220.20    WEBFARM       8       PROBE_FAILED   0
10.20.220.30    WEBFARM       8       OPERATIONAL    0

Configuring the Source NAT for Server-Originated Connections to the VIP
This example shows a situation where the servers have open connections to the same VIP address that clients access. Because the servers are balanced back to themselves, the source NAT is required. To set the source NAT, use the vlan parameter in the virtual server configuration to distinguish the VLAN where the connection is originated. A different server farm is then used to handle server-originated connections. Source NAT is configured for that server farm. No source NAT is used for client-originated connections so that the servers can log the real client IPs.
Note: You should use a similar configuration when the server-to-server load-balanced connections need to be supported with the source and destination servers located in the same VLAN.

module ContentSwitchingModule 5
 vlan 220 server
  ip address 10.20.220.2 255.255.255.0
  alias 10.20.220.1 255.255.255.0
 !
 vlan 221 client
  ip address 10.20.221.5 255.255.255.0
  gateway 10.20.221.1
 !
 natpool POOL-1 10.20.220.99 10.20.220.99 netmask 255.255.255.0
 !
 serverfarm FARM
  nat server
  no nat client
  real 10.20.220.10
   inservice
  real 10.20.220.20
   inservice
  real 10.20.220.30
   inservice
 !
 serverfarm FARM2
  nat server
  nat client POOL-1
  real 10.20.220.10
   inservice
  real 10.20.220.20
   inservice
  real 10.20.220.30
   inservice
 !
 vserver FROM-CLIENTS
  virtual 10.20.221.100 tcp telnet
  vlan 221
  serverfarm FARM
  persistent rebalance
  inservice
 !
 vserver FROM-SERVERS
  virtual 10.20.221.100 tcp telnet
  vlan 220
  serverfarm FARM2
  persistent rebalance
  inservice

This example shows the output of the show commands:

Cat6k-2# show module csm 5 vser
vserver         type  prot  virtual              vlan  state        conns
---------------------------------------------------------------------------
FROM-CLIENTS    SLB   TCP   10.20.221.100/32:23  221   OPERATIONAL  1
FROM-SERVERS    SLB   TCP   10.20.221.100/32:23  220   OPERATIONAL  1

Cat6k-2# show module csm 5 conn detail
    prot vlan source                destination           state
----------------------------------------------------------------------
In  TCP  220  10.20.220.10:32858    10.20.221.100:23      ESTAB
Out TCP  220  10.20.220.20:23       10.20.220.99:8193     ESTAB
    vs = FROM-SERVERS, ftp = No, csrp = False
In  TCP  221  10.20.1.100:42443     10.20.221.100:23      ESTAB
Out TCP  220  10.20.220.10:23       10.20.1.100:42443     ESTAB
    vs = FROM-CLIENTS, ftp = No, csrp = False
# The command shows the open connections and how they are translated.
#
# For each connection, both halves of the connection are shown.
# The output for the second half of each connection
# swaps the source and destination IP:port.
#
# The connection originated by server 10.20.220.10 is source-NAT'ed
# and source-PAT'ed (also its L4 source port needs to be translated)
# Its source IP changes from 10.20.220.10 to 10.20.220.99
# Its source L4 port changes from 32858 to 8193

Cat6k-2# show module csm 5 real
real            server farm   weight  state          conns/hits
-------------------------------------------------------------------------
10.20.220.10    FARM          8       OPERATIONAL    1
10.20.220.20    FARM          8       OPERATIONAL    0
10.20.220.30    FARM          8       OPERATIONAL    0
10.20.220.10    FARM2         8       OPERATIONAL    0
10.20.220.20    FARM2         8       OPERATIONAL    1
10.20.220.30    FARM2         8       OPERATIONAL    0

Cat6k-2# show module csm 5 natpool
nat client POOL-1 10.20.220.99 10.20.220.99 netmask 255.255.255.0

Cat6k-2# show module csm 5 serverfarm
server farm  type  predictor   nat  reals  redirect  bind id
----------------------------------------------------------------------
FARM         SLB   RoundRobin  S    3      0         0
FARM2        SLB   RoundRobin  S,C  3      0         0

Configuring Session Persistence (Stickiness)
This example provides configuration parameters for configuring session persistence or stickiness:

module ContentSwitchingModule 5
 vlan 220 server
  ip address 10.20.220.2 255.255.255.0
  alias 10.20.220.1 255.255.255.0
 !
 vlan 221 client
  ip address 10.20.221.5 255.255.255.0
  gateway 10.20.221.1
 !
 serverfarm WEBFARM
  nat server
  no nat client
  real 10.20.220.10
   inservice
  real 10.20.220.20
   inservice
  real 10.20.220.30
   inservice
 !
 sticky 10 netmask 255.255.255.255 timeout 20
 !
 sticky 20 cookie yourname timeout 30
 !
 vserver TELNET
  virtual 10.20.221.100 tcp telnet
  serverfarm WEBFARM
  persistent rebalance
  inservice
 !
 vserver WEB1
  virtual 10.20.221.101 tcp www
  serverfarm WEBFARM
  sticky 20 group 10
  persistent rebalance
  inservice
 !
 vserver WEB2
  virtual 10.20.221.102 tcp www
  serverfarm WEBFARM
  sticky 30 group 20
  persistent rebalance
  inservice
 !

This example shows the output of the show commands:

Cat6k-2# show module csm 5 sticky group 10
group  sticky-data                real           timeout
----------------------------------------------------------------
10     ip 10.20.1.100             10.20.220.10   793

Cat6k-2# show module csm 5 sticky group 20
group  sticky-data                real           timeout
----------------------------------------------------------------
20     cookie 4C656B72:861F0395   10.20.220.20   1597

Cat6k-2# show module csm 5 sticky
group  sticky-data                real           timeout
----------------------------------------------------------------
20     cookie 4C656B72:861F0395   10.20.220.20   1584
10     ip 10.20.1.100             10.20.220.10   778

Configuring Direct Access to Servers in Router Mode
This example shows how to configure a virtual server to give direct access to the back-end servers when you are using router mode:
Note: In router mode, any connection that does not hit a virtual server is dropped.

module ContentSwitchingModule 5
 vlan 220 server
  ip address 10.20.220.2 255.255.255.0
  alias 10.20.220.1 255.255.255.0
 !
 vlan 221 client
  ip address 10.20.221.5 255.255.255.0
  gateway 10.20.221.1
  alias 10.20.221.2 255.255.255.0
 # The alias IP is only required in redundant configurations
 # This is the IP address that the upstream router (the MSFC
 # in this case) will use as next-hop to reach the
 # backend servers
 # See below for the static route added for this purpose.
 #
 !
 serverfarm ROUTE
  no nat server
  no nat client
  predictor forward
 #
 # This serverfarm is not load balancing, but is simply
 # routing the traffic according to the CSM-S routing tables
 # The CSM-S routing table in this example is very simple,
 # there is just a default gateway and 2 directly attached
 # subnets.
 #
 # The "no nat server" is very important, since you do not
 # want to rewrite the destination IP address when
 # forwarding the traffic.
 !
 serverfarm WEBFARM
  nat server
  no nat client
  real 10.20.220.10
   inservice
  real 10.20.220.20
   inservice
 !
 vserver DIRECT-ACCESS
  virtual 10.20.220.0 255.255.255.0 tcp 0
  serverfarm ROUTE
  persistent rebalance
  inservice
 # This vserver is listening to all TCP connections destined to the
 # serverfarm IP subnet.
 # Note: ping to the backend servers will not work with this example
 !
 vserver WEB
  virtual 10.20.221.100 tcp www
  serverfarm WEBFARM
  persistent rebalance
  inservice
interface Vlan221
 ip address 10.20.221.1 255.255.255.0
# vlan221 is the L3 interface on the MSFC that connects to the CSM-S
# Client requests are being routed by the MSFC, from its other
# interfaces (not shown in this example) to vlan221.
!
ip classless
ip route 10.20.220.0 255.255.255.0 10.20.221.2
# This static route is necessary to allow the MSFC to reach
# the backend servers.

This example shows the output of some of the show commands:

Cat6k-2# show module csm 5 conn detail
    prot vlan source                destination           state
----------------------------------------------------------------------
In  TCP  221  10.20.1.100:44268     10.20.220.10:23       ESTAB
Out TCP  220  10.20.220.10:23       10.20.1.100:44268     ESTAB
    vs = DIRECT-ACCESS, ftp = No, csrp = False
# The information displayed shows that the CSM-S is not rewriting any IP addresses while
# forwarding the connection from VLAN 221 (client) to VLAN 220 (server). This connection has
# been created because it was destined to the virtual server DIRECT-ACCESS.

Cat6k-2# show module csm 5 vserver detail
WEB, type = SLB, state = OPERATIONAL, v_index = 14
  virtual = 10.20.221.100/32:80 bidir, TCP, service = NONE, advertise = FALSE
  idle = 3600, replicate csrp = none, vlan = ALL, pending = 30, layer 4
  max parse len = 2000, persist rebalance = TRUE
  ssl sticky offset = 0, length = 32
  conns = 0, total conns = 0
  Default policy:
    server farm = WEBFARM, backup = <not assigned>
    sticky: timer = 0, subnet = 0.0.0.0, group id = 0
  Policy          Tot matches  Client pkts  Server pkts
  -----------------------------------------------------
  (default)       0            0            0
DIRECT-ACCESS, type = SLB, state = OPERATIONAL, v_index = 15
  virtual = 10.20.220.0/24:0 bidir, TCP, service = NONE, advertise = FALSE
  idle = 3600, replicate csrp = none, vlan = ALL, pending = 30, layer 4
  max parse len = 2000, persist rebalance = TRUE
  ssl sticky offset = 0, length = 32
  conns = 1, total conns = 1
  Default policy:
    server farm = ROUTE, backup = <not assigned>
    sticky: timer = 0, subnet = 0.0.0.0, group id = 0
  Policy          Tot matches  Client pkts  Server pkts
  -----------------------------------------------------
  (default)       1            48           35

Configuring Server-to-Server Load-Balanced Connections
This example shows a CSM-S configuration with three VLANs, one client, and two server VLANs. This configuration allows server-to-server load-balanced connections. There is no need for the source NAT because the source and destination servers are in separate VLANs.

module ContentSwitchingModule 5
 vlan 220 server
  ip address 10.20.220.2 255.255.255.0
  alias 10.20.220.1 255.255.255.0
 !
 vlan 221 client
  ip address 10.20.221.5 255.255.255.0
  gateway 10.20.221.1
 !
 vlan 210 server
  ip address 10.20.210.2 255.255.255.0
  alias 10.20.210.1 255.255.255.0
 !
 serverfarm TIER-1
  nat server
  no nat client
  real 10.20.210.10
   inservice
  real 10.20.210.20
   inservice
 !
 serverfarm TIER-2
  nat server
  no nat client
  real 10.20.220.10
   inservice
  real 10.20.220.20
   inservice
 !
 vserver VIP1
  virtual 10.20.221.100 tcp telnet
  vlan 221
  serverfarm TIER-1
  persistent rebalance
  inservice
 !
 vserver VIP2
  virtual 10.20.210.100 tcp telnet
  vlan 210
  serverfarm TIER-2
  persistent rebalance
  inservice
 !

This example shows the output of some of the show commands:

Cat6k-2# show module csm 5 arp
Internet Address  Physical Interface  VLAN     Type     Status
--------------------------------------------------------------------
10.20.210.1       00-02-FC-E1-68-EB   210      -ALIAS-  local
10.20.210.2       00-02-FC-E1-68-EC   210      --SLB--  local
10.20.210.10      00-D0-B7-A0-68-5D   210      REAL     up(0 misses)
10.20.210.20      00-D0-B7-A0-68-5D   210      REAL     up(0 misses)
10.20.220.1       00-02-FC-E1-68-EB   220      -ALIAS-  local
10.20.220.2       00-02-FC-E1-68-EC   220      --SLB--  local
10.20.210.100     00-02-FC-E1-68-EB   0        VSERVER  local
10.20.220.10      00-D0-B7-A0-81-D8   220      REAL     up(0 misses)
10.20.221.1       00-02-FC-CB-70-0A   221      GATEWAY  up(0 misses)
10.20.221.5       00-02-FC-E1-68-EC   221      --SLB--  local
10.20.220.20      00-D0-B7-A0-81-D8   220      REAL     up(0 misses)
10.20.221.100     00-02-FC-E1-68-EB   0        VSERVER  local

Cat6k-2# show module csm 5 vser
vserver         type  prot  virtual              vlan  state        conns
---------------------------------------------------------------------------
VIP1            SLB   TCP   10.20.221.100/32:23  221   OPERATIONAL  1
VIP2            SLB   TCP   10.20.210.100/32:23  210   OPERATIONAL  1

Cat6k-2# show module csm 5 conn detail
    prot vlan source                destination           state
----------------------------------------------------------------------
In  TCP  221  10.20.1.100:44240     10.20.221.100:23      ESTAB
Out TCP  210  10.20.210.10:23       10.20.1.100:44240     ESTAB
    vs = VIP1, ftp = No, csrp = False
In  TCP  210  10.20.210.10:45885    10.20.210.100:23      ESTAB
Out TCP  220  10.20.220.10:23       10.20.210.10:45885    ESTAB
    vs = VIP2, ftp = No, csrp = False
# The previous command shows a connection opened from a client coming in from VLAN 221
# (client is 10.20.1.100). That connection goes to virtual IP address 1 (VIP1) and is
# balanced to 10.20.210.10. Another connection is opened from server 10.20.210.10, goes to
# VIP2 and is balanced to 10.20.220.10

Configuring Route Health Injection
The CSM-S supports virtual servers in any IP subnet. If a virtual server is configured in a subnet that is not directly attached to the MSFC, you can configure the CSM-S to inject a static route into the MSFC routing tables, depending on the health of the server farm serving that virtual server.
You can use this mechanism also for disaster recovery or GSLB solutions, where two distinct CSMs inject a static route for the same VIP. The static routes can then be redistributed, eventually with different costs, to prefer a specific location.

module ContentSwitchingModule 5
 vlan 220 server
  ip address 10.20.220.2 255.255.255.0
  alias 10.20.220.1 255.255.255.0
 !
 vlan 221 client
  ip address 10.20.221.5 255.255.255.0
  gateway 10.20.221.1
  alias 10.20.221.2 255.255.255.0

The alias IP is very important because it is the IP that the CSM-S instructs the MSFC to use as the next hop to reach the advertised virtual server.

 !
 probe PING icmp
  interval 2
  retries 2
  failed 10
  receive 2
 !
 serverfarm WEBFARM
  nat server
  no nat client
  real 10.20.220.10
   inservice
  real 10.20.220.20
   inservice
  probe PING
 !
 vserver WEB
  virtual 10.20.250.100 tcp www
  vlan 221
 # By default, a virtual server listens to traffic coming in on any VLAN. You can restrict
 # access to a virtual server by defining a specific VLAN. When using Route Health
 # Injection, it is required to specify the VLAN for the virtual server. This tells the CSM-S
 # which next-hop it needs to program in the static route that it will inject in the MSFC
 # routing tables.
  serverfarm WEBFARM
  advertise active
 # This is the command that tells the CSM-S to inject the route for this virtual server. The
 # option "active" tells the CSM-S to remove the route if the backend serverfarm fails.
  persistent rebalance
  inservice

This example shows the output of some of the show commands:

Cat6k-2# show module csm 5 probe detail
probe           type    port  interval  retries  failed  open  receive
---------------------------------------------------------------------
PING            icmp          2         2        10            2
 real                  vserver   serverfarm   policy      status
 ------------------------------------------------------------------------------
 10.20.220.20:80       WEB       WEBFARM      (default)   OPERABLE
 10.20.220.10:80       WEB       WEBFARM      (default)   OPERABLE

Cat6k-2# show ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route
Gateway of last resort is 10.20.1.100 to network 0.0.0.0
     10.0.0.0/8 is variably subnetted, 8 subnets, 3 masks
C       10.21.1.0/24 is directly connected, Vlan21
S       10.20.250.100/32 [1/0] via 10.20.221.2, Vlan221
# The static route to 10.20.250.100 has been automatically created by the CSM-S, since both
# servers were healthy.
C       10.20.221.0/24 is directly connected, Vlan221
S*   0.0.0.0/0 [1/0] via 10.30.1.100

Cat6k-2# show module csm 5 vser detail
WEB, type = SLB, state = OPERATIONAL, v_index = 14
  virtual = 10.20.250.100/32:80 bidir, TCP, service = NONE, advertise = TRUE
  idle = 3600, replicate csrp = none, vlan = 221, pending = 30, layer 4
  max parse len = 2000, persist rebalance = TRUE
  ssl sticky offset = 0, length = 32
  conns = 0, total conns = 6
  Default policy:
    server farm = WEBFARM, backup = <not assigned>
    sticky: timer = 0, subnet = 0.0.0.0, group id = 0
  Policy          Tot matches  Client pkts  Server pkts
  -----------------------------------------------------
  (default)       6            36           30
# Failing the servers causes the route to be removed. This behaviour is configured with the
# advertise active command.

Cat6k-2# show module csm 5 probe detail
1d20h: %SYS-5-CONFIG_I: Configured from console by vty0 (probe detail
probe           type    port  interval  retries  failed  open  receive
---------------------------------------------------------------------
PING            icmp          2         2        10            2
 real                  vserver   serverfarm   policy      status
 ------------------------------------------------------------------------------
 10.20.220.20:80       WEB       WEBFARM      (default)   TESTING
 10.20.220.10:80       WEB       WEBFARM      (default)   TESTING
Cat6k-2#
1d20h: %CSM_SLB-6-RSERVERSTATE: Module 5 server state changed: SLB-NETMGT: ICMP health probe failed for server 10.20.220.20:80 in serverfarm 'WEBFARM'
1d20h: %CSM_SLB-6-RSERVERSTATE: Module 5 server state changed: SLB-NETMGT: ICMP health probe failed for server 10.20.220.10:80 in serverfarm 'WEBFARM'
Cat6k-2#

Cat6k-2# show module csm 5 probe detail
probe           type    port  interval  retries  failed  open  receive
---------------------------------------------------------------------
PING            icmp          2         2        10            2
 real                  vserver   serverfarm   policy      status
 ------------------------------------------------------------------------------
 10.20.220.20:80       WEB       WEBFARM      (default)   FAILED
 10.20.220.10:80       WEB       WEBFARM      (default)   FAILED
Cat6k-2#

Cat6k-2# show ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route
Gateway of last resort is 10.20.1.100 to network 0.0.0.0
     10.0.0.0/8 is variably subnetted, 8 subnets, 3 masks
C       10.21.1.0/24 is directly connected, Vlan21
C       10.20.221.0/24 is directly connected, Vlan221
S*   0.0.0.0/0 [1/0] via 10.30.1.100

Configuring the Server Names
This example shows a different way to associate the servers to the server farms by using the server names. This method is preferred when the same servers are associated to multiple server farms, because it allows the user to take a server out of rotation from all the server farms with only one command.

module ContentSwitchingModule 5
 vlan 220 server
  ip address 10.20.220.2 255.255.255.0
  alias 10.20.220.1 255.255.255.0
 !
 vlan 221 client
  ip address 10.20.221.5 255.255.255.0
  gateway 10.20.221.1
  alias 10.20.221.2 255.255.255.0
 !
 probe PING icmp
  interval 2
  retries 2
  failed 10
  receive 2
 !
 probe FTP ftp
  interval 5
  retries 2
  failed 20
  open 3
  receive 3
 !
 probe HTTP http
  request method head
  expect status 200 299
  interval 5
  retries 2
  failed 10
  open 2
  receive 2
 !
 real SERVER1
  address 10.20.220.10
  inservice
 real SERVER2
  address 10.20.220.20
  inservice
 !
 serverfarm FTPFARM
  nat server
  no nat client
  real name SERVER1
   inservice
  real name SERVER2
   inservice
  probe PING
  probe FTP
 !
 serverfarm WEBFARM
  nat server
  no nat client
  real name SERVER1
   inservice
  real name SERVER2
   inservice
  probe PING
  probe HTTP
 !
 vserver FTP
  virtual 10.20.221.100 tcp ftp service ftp
  serverfarm FTPFARM
  persistent rebalance
  inservice
 !
 vserver WEB
  virtual 10.20.221.100 tcp www
  serverfarm WEBFARM
  persistent rebalance
  inservice
 !

This example shows the output of some of the show commands:

Cat6k-2# show module csm 5 probe detail
probe           type    port  interval  retries  failed  open  receive
---------------------------------------------------------------------
PING            icmp          2         2        10            2
 real                  vserver   serverfarm   policy      status
 ------------------------------------------------------------------------------
 10.20.220.20:21       FTP       FTPFARM      (default)   OPERABLE
 10.20.220.10:21       FTP       FTPFARM      (default)   OPERABLE
 10.20.220.20:80       WEB       WEBFARM      (default)   OPERABLE
 10.20.220.10:80       WEB       WEBFARM      (default)   OPERABLE
FTP             ftp           5         2        20      3     3
 Expected Status Codes:
   0 to 999
 real                  vserver   serverfarm   policy      status
 ------------------------------------------------------------------------------
 10.20.220.20:21       FTP       FTPFARM      (default)   OPERABLE
 10.20.220.10:21       FTP       FTPFARM      (default)   OPERABLE
HTTP            http          5         2        10      2     2
 Probe Request: HEAD /
 Expected Status Codes:
   200 to 299
 real                  vserver   serverfarm   policy      status
 ------------------------------------------------------------------------------
 10.20.220.20:80       WEB       WEBFARM      (default)   OPERABLE
 10.20.220.10:80       WEB       WEBFARM      (default)   OPERABLE

Cat6k-2# show module csm 5 real
real            server farm   weight  state          conns/hits
-------------------------------------------------------------------------
SERVER1         FTPFARM       8       OPERATIONAL    0
SERVER2         FTPFARM       8       OPERATIONAL    0
SERVER1         WEBFARM       8       OPERATIONAL    0
SERVER2         WEBFARM       8       OPERATIONAL    0
# Taking a server out of service at the server farm level will only take the server out of
# service for that specific farm

Cat6k-2# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Cat6k-2(config)# module csm 5
Cat6k-2(config-module-csm)# server webfarm
Cat6k-2(config-slb-sfarm)# real name server1
Cat6k-2(config-slb-real)# no inservice
Cat6k-2(config-slb-real)# end
1d20h: %CSM_SLB-6-RSERVERSTATE: Module 5 server state changed: SLB-NETMGT: Configured server 10.20.220.10:0 to OUT-OF-SERVICE in serverfarm 'WEBFARM'
Cat6k-2#
1d20h: %SYS-5-CONFIG_I: Configured from console by vty0 (10.20.1.100)
Cat6k-2#

Cat6k-2# show module csm 5 real
real            server farm   weight  state          conns/hits
-------------------------------------------------------------------------
SERVER1         FTPFARM       8       OPERATIONAL    0
SERVER2         FTPFARM       8       OPERATIONAL    0
SERVER1         WEBFARM       8       OUTOFSERVICE   0
SERVER2         WEBFARM       8       OPERATIONAL    0
Cat6k-2#
# Taking the server out of service at the real server level will take the server out of
# service for all the server farms

Cat6k-2# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Cat6k-2(config)# module csm 5
Cat6k-2(config-module-csm)# real server1
Cat6k(config-slb-module-real)# no inservice
Cat6k(config-slb-module-real)# end
Cat6k-2#
1d20h: %SYS-5-CONFIG_I: Configured from console by vty0 (10.20.1.100)

Cat6k-2# show module csm 5 real
real            server farm   weight  state          conns/hits
-------------------------------------------------------------------------
SERVER1         FTPFARM       8       OUTOFSERVICE   0
SERVER2         FTPFARM       8       OPERATIONAL    0
SERVER1         WEBFARM       8       OUTOFSERVICE   0
SERVER2         WEBFARM       8       OPERATIONAL    0
Cat6k-2#

Configuring a Backup Server Farm
This example shows you how to configure a backup server farm for a virtual server. If all the servers in the primary server farm fail, the CSM-S starts directing requests to the backup server farm. The sticky options allow you to control the backup operation if stickiness is configured for that virtual server.
module ContentSwitchingModule 5
 vlan 220 server
  ip address 10.20.220.2 255.255.255.0
  alias 10.20.220.1 255.255.255.0
!
 vlan 221 client
  ip address 10.20.221.5 255.255.255.0
  gateway 10.20.221.1
  alias 10.20.221.2 255.255.255.0
!
 vlan 210 server
  ip address 10.20.210.2 255.255.255.0
  alias 10.20.210.1 255.255.255.0
!
 probe PING icmp
  interval 2
  retries 2
  failed 10
  receive 2
!
 real SERVER1
  address 10.20.220.10
  inservice
 real SERVER2
  address 10.20.220.20
  inservice
 real SERVER3
  address 10.20.210.30
  inservice
 real SERVER4
  address 10.20.210.40
  inservice
!
 serverfarm WEBFARM
  nat server
  no nat client
  real name SERVER1
   inservice
  real name SERVER2
   inservice
  probe PING
!
 serverfarm WEBFARM2
  nat server
  no nat client
  real name SERVER3
   inservice
  real name SERVER4
   inservice
  probe PING
!
 vserver WEB
  virtual 10.20.221.100 tcp www
  serverfarm WEBFARM backup WEBFARM2
  persistent rebalance
  inservice
!

This example shows the output of some of the show commands:
Cat6k-2# show module csm 5 real
real                  server farm      weight  state          conns/hits
-------------------------------------------------------------------------
SERVER1               WEBFARM          8       OPERATIONAL    0
SERVER2               WEBFARM          8       OPERATIONAL    0
SERVER3               WEBFARM2         8       OPERATIONAL    0
SERVER4               WEBFARM2         8       OPERATIONAL    0

# All the servers are shown as operational.
Cat6k-2# show module csm 5 serverfarm detail
WEBFARM, type = SLB, predictor = RoundRobin
 nat = SERVER
 virtuals inservice = 1, reals = 2, bind id = 0, fail action = none
 inband health config: <none>
 retcode map = <none>
 Probes:
  PING, type = icmp
 Real servers:
  SERVER1, weight = 8, OPERATIONAL, conns = 0
  SERVER2, weight = 8, OPERATIONAL, conns = 0
 Total connections = 0
WEBFARM2, type = SLB, predictor = RoundRobin
 nat = SERVER
 virtuals inservice = 1, reals = 2, bind id = 0, fail action = none
 inband health config: <none>
 retcode map = <none>
 Probes:
  PING, type = icmp
 Real servers:
  SERVER3, weight = 8, OPERATIONAL, conns = 0
  SERVER4, weight = 8, OPERATIONAL, conns = 0
 Total connections = 0

Cat6k-2# show module csm 5 vserver detail
WEB, type = SLB, state = OPERATIONAL, v_index = 18
 virtual = 10.20.221.100/32:80 bidir, TCP, service = NONE, advertise = FALSE
 idle = 3600, replicate csrp = none, vlan = ALL, pending = 30, layer 4
 max parse len = 2000, persist rebalance = TRUE
 ssl sticky offset = 0, length = 32
 conns = 0, total conns = 0
 Default policy:
  server farm = WEBFARM, backup = WEBFARM2 (no sticky)
  sticky: timer = 0, subnet = 0.0.0.0, group id = 0
 Policy          Tot matches  Client pkts  Server pkts
 -----------------------------------------------------
 (default)       0            0            0

# No connections have been sent to the virtual server yet.
Cat6k-2# show module csm 5 vserver detail
WEB, type = SLB, state = OPERATIONAL, v_index = 18
 virtual = 10.20.221.100/32:80 bidir, TCP, service = NONE, advertise = FALSE
 idle = 3600, replicate csrp = none, vlan = ALL, pending = 30, layer 4
 max parse len = 2000, persist rebalance = TRUE
 ssl sticky offset = 0, length = 32
 conns = 0, total conns = 14
 Default policy:
  server farm = WEBFARM, backup = WEBFARM2 (no sticky)
  sticky: timer = 0, subnet = 0.0.0.0, group id = 0
 Policy          Tot matches  Client pkts  Server pkts
 -----------------------------------------------------
 (default)       14           84           70

# A total of 14 connections have been sent to the virtual server and have been balanced to
# the primary server farm. For each connection, the client has sent 6 packets and the
# server has sent 5 packets.
# Two servers are taken out of service.
Cat6k-2#
1d21h: %CSM_SLB-6-RSERVERSTATE: Module 5 server state changed: SLB-NETMGT: ICMP health probe failed for server 10.20.220.10:80 in serverfarm 'WEBFARM'
1d21h: %CSM_SLB-6-RSERVERSTATE: Module 5 server state changed: SLB-NETMGT: ICMP health probe failed for server 10.20.220.20:80 in serverfarm 'WEBFARM'
Cat6k-2# show module csm 5 serverfarm detail
WEBFARM, type = SLB, predictor = RoundRobin
 nat = SERVER
 virtuals inservice = 1, reals = 2, bind id = 0, fail action = none
 inband health config: <none>
 retcode map = <none>
 Probes:
  PING, type = icmp
 Real servers:
  SERVER1, weight = 8, PROBE_FAILED, conns = 0
  SERVER2, weight = 8, PROBE_FAILED, conns = 0
 Total connections = 0
# The two servers have failed the probe but the CSM-S has not yet refreshed the ARP table
# for them, so the servers are not yet shown in the failed state.
WEBFARM2, type = SLB, predictor = RoundRobin
 nat = SERVER
 virtuals inservice = 1, reals = 2, bind id = 0, fail action = none
 inband health config: <none>
 retcode map = <none>
 Probes:
  PING, type = icmp
 Real servers:
  SERVER3, weight = 8, OPERATIONAL, conns = 0
  SERVER4, weight = 8, OPERATIONAL, conns = 0
 Total connections = 0

Cat6k-2# show module csm 5 vserver detail
WEB, type = SLB, state = OUTOFSERVICE, v_index = 18
 virtual = 10.20.221.100/32:80 bidir, TCP, service = NONE, advertise = FALSE
 idle = 3600, replicate csrp = none, vlan = ALL, pending = 30, layer 4
 max parse len = 2000, persist rebalance = TRUE
 ssl sticky offset = 0, length = 32
 conns = 0, total conns = 14
 Default policy:
  server farm = WEBFARM, backup = WEBFARM2 (no sticky)
  sticky: timer = 0, subnet = 0.0.0.0, group id = 0
 Policy          Tot matches  Client pkts  Server pkts
 -----------------------------------------------------
 (default)       14           83           70

# The virtual server is displayed as out of service, even if it is configured with a
# backup server farm, which is healthy. This behaviour is useful if the backup server farm
# is configured as an HTTP redirect server farm to a different site and you are using some
# DNS-based GSLB method, where some connections are still being directed to the failed
# virtual server.
# If you want the CSM-S to consider the virtual server healthy and operational if the backup
# server farm is healthy, you just need to change an environmental variable.
Cat6k-2# show module csm 5 variable
variable                         value
----------------------------------------------------------------
ARP_INTERVAL                     300
ARP_LEARNED_INTERVAL             14400
ARP_GRATUITOUS_INTERVAL          15
ARP_RATE                         10
ARP_RETRIES                      3
ARP_LEARN_MODE                   1
ARP_REPLY_FOR_NO_INSERVICE_VIP   0
ADVERTISE_RHI_FREQ               10
AGGREGATE_BACKUP_SF_STATE_TO_VS  0
DEST_UNREACHABLE_MASK            0xffff
FT_FLOW_REFRESH_INT              15
GSLB_LICENSE_KEY                 (no valid license)
HTTP_CASE_SENSITIVE_MATCHING     1
MAX_PARSE_LEN_MULTIPLIER         1
NAT_CLIENT_HASH_SOURCE_PORT      0
ROUTE_UNKNOWN_FLOW_PKTS          0
NO_RESET_UNIDIRECTIONAL_FLOWS    0
SYN_COOKIE_INTERVAL              3
SYN_COOKIE_THRESHOLD             5000
TCP_MSS_OPTION                   1460
TCP_WND_SIZE_OPTION              8192
VSERVER_ICMP_ALWAYS_RESPOND      false
XML_CONFIG_AUTH_TYPE             Basic

# The variable that you want to change is AGGREGATE_BACKUP_SF_STATE_TO_VS
Cat6k-2#
1d21h: %CSM_SLB-6-RSERVERSTATE: Module 5 server state changed: SLB-NETMGT: Server 10.20.220.20 failed ARP request
Cat6k-2#
# The CSM-S has refreshed the ARP entry for 10.20.220.20 which is now reported in the failed
# state.
Cat6k-2# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Cat6k-2(config)# module csm 5
Cat6k-2(config-module-csm)# variable AGGREGATE_BACKUP_SF_STATE_TO_VS 1
Cat6k-2(config-module-csm)# end
1d21h: %SYS-5-CONFIG_I: Configured from console by vty0 (10.20.1.100)
Cat6k-2# show module csm 5 variable
variable                         value
----------------------------------------------------------------
ARP_INTERVAL                     300
ARP_LEARNED_INTERVAL             14400
ARP_GRATUITOUS_INTERVAL          15
ARP_RATE                         10
ARP_RETRIES                      3
ARP_LEARN_MODE                   1
ARP_REPLY_FOR_NO_INSERVICE_VIP   0
ADVERTISE_RHI_FREQ               10
AGGREGATE_BACKUP_SF_STATE_TO_VS  1
DEST_UNREACHABLE_MASK            0xffff
FT_FLOW_REFRESH_INT              15
GSLB_LICENSE_KEY                 (no valid license)
HTTP_CASE_SENSITIVE_MATCHING     1
MAX_PARSE_LEN_MULTIPLIER         1
NAT_CLIENT_HASH_SOURCE_PORT      0
ROUTE_UNKNOWN_FLOW_PKTS          0
NO_RESET_UNIDIRECTIONAL_FLOWS    0
SYN_COOKIE_INTERVAL              3
SYN_COOKIE_THRESHOLD             5000
TCP_MSS_OPTION                   1460
TCP_WND_SIZE_OPTION              8192
VSERVER_ICMP_ALWAYS_RESPOND      false
XML_CONFIG_AUTH_TYPE             Basic

Cat6k-2# show module csm 5 vserver detail
WEB, type = SLB, state = OPERATIONAL, v_index = 18
 virtual = 10.20.221.100/32:80 bidir, TCP, service = NONE, advertise = FALSE
 idle = 3600, replicate csrp = none, vlan = ALL, pending = 30, layer 4
 max parse len = 2000, persist rebalance = TRUE
 ssl sticky offset = 0, length = 32
 conns = 0, total conns = 14
 Default policy:
  server farm = WEBFARM, backup = WEBFARM2 (no sticky)
  sticky: timer = 0, subnet = 0.0.0.0, group id = 0
 Policy          Tot matches  Client pkts  Server pkts
 -----------------------------------------------------
 (default)       14           83           70

# The virtual server is now shown as operational.
Cat6k-2# show module csm 5 real detail
SERVER1, WEBFARM, state = PROBE_FAILED
 address = 10.20.220.10, location = <NA>
 conns = 0, maxconns = 4294967295, minconns = 0
 weight = 8, weight(admin) = 8, metric = 0, remainder = 0
 total conns established = 7, total conn failures = 0
SERVER2, WEBFARM, state = FAILED
 address = 10.20.220.20, location = <NA>
 conns = 0, maxconns = 4294967295, minconns = 0
 weight = 8, weight(admin) = 8, metric = 0, remainder = 0
 total conns established = 7, total conn failures = 0
SERVER3, WEBFARM2, state = OPERATIONAL
 address = 10.20.210.30, location = <NA>
 conns = 0, maxconns = 4294967295, minconns = 0
 weight = 8, weight(admin) = 8, metric = 0, remainder = 0
 total conns established = 0, total conn failures = 0
SERVER4, WEBFARM2, state = OPERATIONAL
 address = 10.20.210.40, location = <NA>
 conns = 0, maxconns = 4294967295, minconns = 0
 weight = 8, weight(admin) = 8, metric = 0, remainder = 0
 total conns established = 0, total conn failures = 0
Cat6k-2#
1d21h: %CSM-S_SLB-6-RSERVERSTATE: Module 5 server state changed: SLB-NETMGT: Server 10.20.220.10 failed ARP request
# The ARP entry for the other server has been refreshed.
Cat6k-2# show module csm 5 real detail
SERVER1, WEBFARM, state = FAILED
 address = 10.20.220.10, location = <NA>
 conns = 0, maxconns = 4294967295, minconns = 0
 weight = 8, weight(admin) = 8, metric = 0, remainder = 0
 total conns established = 7, total conn failures = 0
SERVER2, WEBFARM, state = FAILED
 address = 10.20.220.20, location = <NA>
 conns = 0, maxconns = 4294967295, minconns = 0
 weight = 8, weight(admin) = 8, metric = 0, remainder = 0
 total conns established = 7, total conn failures = 0
SERVER3, WEBFARM2, state = OPERATIONAL
 address = 10.20.210.30, location = <NA>
 conns = 0, maxconns = 4294967295, minconns = 0
 weight = 8, weight(admin) = 8, metric = 0, remainder = 0
 total conns established = 0, total conn failures = 0
SERVER4, WEBFARM2, state = OPERATIONAL
 address = 10.20.210.40, location = <NA>
 conns = 0, maxconns = 4294967295, minconns = 0
 weight = 8, weight(admin) = 8, metric = 0, remainder = 0
 total conns established = 0, total conn failures = 0

# So far, each of the servers in the primary server farm has received 7 connections. New
# connections are now sent only to the backup server farm.
Cat6k-2# show module csm 5 real detail
SERVER1, WEBFARM, state = FAILED
 address = 10.20.220.10, location = <NA>
 conns = 0, maxconns = 4294967295, minconns = 0
 weight = 8, weight(admin) = 8, metric = 0, remainder = 0
 total conns established = 7, total conn failures = 0
SERVER2, WEBFARM, state = FAILED
 address = 10.20.220.20, location = <NA>
 conns = 0, maxconns = 4294967295, minconns = 0
 weight = 8, weight(admin) = 8, metric = 0, remainder = 0
 total conns established = 7, total conn failures = 0
SERVER3, WEBFARM2, state = OPERATIONAL
 address = 10.20.210.30, location = <NA>
 conns = 0, maxconns = 4294967295, minconns = 0
 weight = 8, weight(admin) = 8, metric = 0, remainder = 0
 total conns established = 6, total conn failures = 0
SERVER4, WEBFARM2, state = OPERATIONAL
 address = 10.20.210.40, location = <NA>
 conns = 0, maxconns = 4294967295, minconns = 0
 weight = 8, weight(admin) = 8, metric = 0, remainder = 0
 total conns established = 6, total conn failures = 0
Cat6k-2#

Configuring a Load-Balancing Decision Based on the Source IP Address
This example shows how to make a load-balancing decision based on the source IP address of the client. This configuration requires the use of slb-policies.
module ContentSwitchingModule 5
 vlan 220 server
  ip address 10.20.220.2 255.255.255.0
  alias 10.20.220.1 255.255.255.0
!
 vlan 221 client
  ip address 10.20.221.5 255.255.255.0
  gateway 10.20.221.1
  alias 10.20.221.2 255.255.255.0
!
 probe PING icmp
  interval 2
  retries 2
  failed 10
  receive 2
!
 real SERVER1
  address 10.20.220.10
  inservice
 real SERVER2
  address 10.20.220.20
  inservice
 real SERVER3
  address 10.20.220.30
  inservice
 real SERVER4
  address 10.20.220.40
  inservice
!
 serverfarm WEBFARM
  nat server
  no nat client
  real name SERVER1
   inservice
  real name SERVER2
   inservice
  probe PING
!
 serverfarm WEBFARM2
  nat server
  no nat client
  real name SERVER3
   inservice
  real name SERVER4
   inservice
!
 policy SOURCE-IP-50
  client-group 50
  serverfarm WEBFARM2
# A policy consists of a series of conditions, plus the actions to take if those
# conditions are matched. In this case, the only condition is client-group 50 which
# requires the incoming connection to match the standard access-list 50. The only action
# to take is to use server farm WEBFARM2 to serve those requests.
!
 vserver WEB
  virtual 10.20.221.100 tcp www
  serverfarm WEBFARM
  persistent rebalance
  slb-policy SOURCE-IP-50
# Slb-policies associated to a virtual server are always examined in the order in which
# they are configured. The definition of the server farm under the virtual server
# configuration is the default policy and is always used as a last resort if no policy
# matches, or if there are no policies configured.
# In this case, incoming requests are processed to see if they match the conditions of the
# slb-policy SOURCE-IP-50. If they do, then the server farm WEBFARM2 is used, otherwise
# the default policy is selected (for example, WEBFARM is used).
# If a default server farm is not configured, then connections that do not match any
# policy are dropped.
# This example shows how to configure the IOS standard access list. You can configure any
# of the 1-99 standard access lists, or you can configure named access lists
  inservice
!
access-list 50 permit 10.20.1.100

This example shows the output of some of the show commands:
Cat6k-2# show module csm 5 vser detail
WEB, type = SLB, state = OPERATIONAL, v_index = 18
 virtual = 10.20.221.100/32:80 bidir, TCP, service = NONE, advertise = FALSE
 idle = 3600, replicate csrp = none, vlan = ALL, pending = 30, layer 4
 max parse len = 2000, persist rebalance = TRUE
 ssl sticky offset = 0, length = 32
 conns = 0, total conns = 0
 Default policy:
  server farm = WEBFARM, backup = <not assigned>
  sticky: timer = 0, subnet = 0.0.0.0, group id = 0
 Policy          Tot matches  Client pkts  Server pkts
 -----------------------------------------------------
 SOURCE-IP-50    0            0            0
 (default)       0            0            0

# This example shows that six connections have matched the slb-policy SOURCE-IP-50.
Cat6k-2# show module csm 5 vser detail
WEB, type = SLB, state = OPERATIONAL, v_index = 18
 virtual = 10.20.221.100/32:80 bidir, TCP, service = NONE, advertise = FALSE
 idle = 3600, replicate csrp = none, vlan = ALL, pending = 30, layer 4
 max parse len = 2000, persist rebalance = TRUE
 ssl sticky offset = 0, length = 32
 conns = 0, total conns = 6
 Default policy:
  server farm = WEBFARM, backup = <not assigned>
  sticky: timer = 0, subnet = 0.0.0.0, group id = 0
 Policy          Tot matches  Client pkts  Server pkts
 -----------------------------------------------------
 SOURCE-IP-50    6            36           30
 (default)       0            0            0

# This example shows that SERVER3 and SERVER4 have received 3 connections each.
Cat6k-2# show module csm 5 real detail
SERVER1, WEBFARM, state = OPERATIONAL
 address = 10.20.220.10, location = <NA>
 conns = 0, maxconns = 4294967295, minconns = 0
 weight = 8, weight(admin) = 8, metric = 0, remainder = 0
 total conns established = 0, total conn failures = 0
SERVER2, WEBFARM, state = OPERATIONAL
 address = 10.20.220.20, location = <NA>
 conns = 0, maxconns = 4294967295, minconns = 0
 weight = 8, weight(admin) = 8, metric = 0, remainder = 0
 total conns established = 0, total conn failures = 0
SERVER3, WEBFARM2, state = OPERATIONAL
 address = 10.20.220.30, location = <NA>
 conns = 0, maxconns = 4294967295, minconns = 0
 weight = 8, weight(admin) = 8, metric = 0, remainder = 0
 total conns established = 3, total conn failures = 0
SERVER4, WEBFARM2, state = OPERATIONAL
 address = 10.20.220.40, location = <NA>
 conns = 0, maxconns = 4294967295, minconns = 0
 weight = 8, weight(admin) = 8, metric = 0, remainder = 0
 total conns established = 3, total conn failures = 0
Cat6k-2#

Configuring Layer 7 Load Balancing
This example shows how to make load-balancing decisions based on Layer 7 information. In this case, the CSM-S terminates the TCP connection, buffers the request, and parses it to see if the request matches the policy conditions. When a load-balancing decision is made, the CSM-S opens the connection to the selected server and splices the two flows together.
The configuration in this example requires the use of maps and policies. A policy is a list of conditions and actions that are taken if all the conditions are true.
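The selection rules this page states (all conditions of a policy must be true, slb-policies are examined in configured order, the virtual server's own server farm is the default policy, unmatched connections are dropped when no default exists, and a backup farm is used when every primary real has failed) can be modelled as follows. This is an added Python example, not Cisco code: the class and function names are hypothetical, `fnmatchcase` glob matching is an assumed stand-in for the CSM-S map pattern syntax, and the sample objects are constructed from the TEST-SPORTS-50 values used in this section.

```python
import ipaddress
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Optional


@dataclass
class Farm:
    name: str
    reals: dict  # real name -> state string as printed by "show module csm 5 real"

    def usable(self) -> bool:
        # A farm can take new connections only if some real is OPERATIONAL.
        return any(state == "OPERATIONAL" for state in self.reals.values())


@dataclass
class Policy:
    name: str
    farm: Farm
    backup: Optional[Farm] = None
    client_group: Optional[list] = None  # networks permitted by the standard ACL
    url_map: Optional[list] = None       # URL patterns such as "/sports/*"
    header_map: Optional[dict] = None    # header name -> value pattern

    def matches(self, src_ip: str, headers: dict, url: str) -> bool:
        """True only if every configured condition matches (logical AND)."""
        if self.client_group is not None:
            addr = ipaddress.ip_address(src_ip)
            # Standard ACLs end in an implicit deny: no permit entry, no match.
            if not any(addr in ipaddress.ip_network(n) for n in self.client_group):
                return False
        if self.url_map is not None:
            # Assumption: glob matching approximates the url-map pattern syntax.
            if not any(fnmatchcase(url, pat) for pat in self.url_map):
                return False
        if self.header_map is not None:
            seen = {k.lower(): v for k, v in headers.items()}  # names are case-insensitive
            for name, pattern in self.header_map.items():
                value = seen.get(name.lower())
                if value is None or not fnmatchcase(value, pattern):
                    return False
        return True


def select_farm(policies, default, src_ip, headers, url):
    """Return (policy name, farm name), or (None, None) if the connection is dropped."""
    # Policies are tried in configured order; the default policy is the last resort.
    chosen = next((p for p in policies if p.matches(src_ip, headers, url)), default)
    if chosen is None:
        return (None, None)  # nothing matched and no default server farm
    if not chosen.farm.usable() and chosen.backup is not None:
        return (chosen.name, chosen.backup.name)  # every primary real is down
    return (chosen.name, chosen.farm.name)


# Constructed sample objects mirroring this section's configuration.
WEBFARM = Farm("WEBFARM", {"SERVER1": "OPERATIONAL", "SERVER2": "OPERATIONAL"})
WEBFARM2 = Farm("WEBFARM2", {"SERVER3": "OPERATIONAL", "SERVER4": "OPERATIONAL"})
TEST_SPORTS_50 = Policy(
    "TEST-SPORTS-50", WEBFARM2,
    client_group=["10.20.1.100/32"],       # access-list 50 permit 10.20.1.100
    url_map=["/sports/*"],                 # map SPORTS url
    header_map={"Host": "www.test.com"},   # map TEST header
)
DEFAULT = Policy("(default)", WEBFARM)

if __name__ == "__main__":
    hdrs = {"Host": "www.test.com"}
    print(select_farm([TEST_SPORTS_50], DEFAULT, "10.20.1.100", hdrs, "/sports/basketball/"))
    print(select_farm([TEST_SPORTS_50], DEFAULT, "10.20.1.101", hdrs, "/sports/basketball/"))
```

Running the same requests through the model before changing a policy shows which client ranges, hosts and URLs would reach which server farm, and which would be dropped if the default server farm were removed.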
Cat6k-2(config-module-csm)# policy test
Cat6k-2(config-slb-policy)# ?
SLB policy config
  client-group    define policy client group
  cookie-map      define policy cookie map
  default         Set a command to its defaults
  exit            exit slb policy submode
  header-map      define policy header map
  no              Negate a command or set its defaults
  reverse-sticky  define sticky group for reverse traffic
  serverfarm      define policy serverfarm
  set             set policy parameters
  sticky-group    define policy sticky group
  url-map         define policy URL map

# The conditions are:
# -client-group (source IP matches a certain ACL)
# -cookie-map (match based on cookies)
# -header-map (match based on HTTP headers)
# -url-map (match based on URLs)
# The actions are:
# -serverfarm (the most common: use this serverfarm)
# -sticky-group (use sticky)
# -reverse-sticky (use reverse sticky)
# -set (set ip dscp)

module ContentSwitchingModule 5
 vlan 220 server
  ip address 10.20.220.2 255.255.255.0
  alias 10.20.220.1 255.255.255.0
!
 vlan 221 client
  ip address 10.20.221.5 255.255.255.0
  gateway 10.20.221.1
  alias 10.20.221.2 255.255.255.0
!
 probe PING icmp
  interval 2
  retries 2
  failed 10
  receive 2
!
 map TEST header
  match protocol http header Host header-value www.test.com
!
 map SPORTS url
  match protocol http url /sports/*
# The definition of maps is based on the header and the URL. The URL starts right after
# the host. For example, in the URL http://www.test.com/sports/basketball/ the URL portion
# that the URL map applies to is /sports/basketball/.
!
 real SERVER1
  address 10.20.220.10
  inservice
 real SERVER2
  address 10.20.220.20
  inservice
 real SERVER3
  address 10.20.220.30
  inservice
 real SERVER4
  address 10.20.220.40
  inservice
!
 serverfarm WEBFARM
  nat server
  no nat client
  real name SERVER1
   inservice
  real name SERVER2
   inservice
  probe PING
!
 serverfarm WEBFARM2
  nat server
  no nat client
  real name SERVER3
   inservice
  real name SERVER4
   inservice
!
 policy TEST-SPORTS-50
  url-map SPORTS
  header-map TEST
  client-group 50
  serverfarm WEBFARM2
# Three conditions need to match for this policy to have a match.
!
 vserver WEB
  virtual 10.20.221.100 tcp www
  serverfarm WEBFARM
  persistent rebalance
  slb-policy TEST-SPORTS-50
  inservice
!
# If the three conditions defined in the policy are true then WEBFARM2 is used otherwise
# WEBFARM is.

This example shows the output of some of the show commands:
# In this example, 17 requests have matched the policy and 12 requests have not
# matched the policy.
Cat6k-2# show module csm 5 vserver detail
WEB, type = SLB, state = OPERATIONAL, v_index = 18
 virtual = 10.20.221.100/32:80 bidir, TCP, service = NONE, advertise = FALSE
 idle = 3600, replicate csrp = none, vlan = ALL, pending = 30, layer 4
 max parse len = 2000, persist rebalance = TRUE
 ssl sticky offset = 0, length = 32
 conns = 0, total conns = 29
 Default policy:
  server farm = WEBFARM, backup = <not assigned>
  sticky: timer = 0, subnet = 0.0.0.0, group id = 0
 Policy          Tot matches  Client pkts  Server pkts
 -----------------------------------------------------
 TEST-SPORTS-50  17           112          95
 (default)       12           82           72

# This example shows that the 29 connections that were load balanced have been load
# balanced at Layer 7. For example, the CSM-S has to terminate TCP and parse Layer 5 through
# Layer 7 information.
Cat6k-2# show module csm 5 stats
Connections Created: 29
Connections Destroyed: 29
Connections Current: 0
Connections Timed-Out: 0
Connections Failed: 0
Server initiated Connections:
 Created: 0, Current: 0, Failed: 0
L4 Load-Balanced Decisions: 0
L4 Rejected Connections: 0
L7 Load-Balanced Decisions: 29
L7 Rejected Connections:
 Total: 0, Parser: 0,
 Reached max parse len: 0, Cookie out of mem: 0,
 Cfg version mismatch: 0, Bad SSL2 format: 0
L4/L7 Rejected Connections:
 No policy: 0, No policy match 0,
 No real: 0, ACL denied 0,
 Server initiated: 0
Checksum Failures: IP: 0, TCP: 0
Redirect Connections: 0, Redirect Dropped: 0
FTP Connections: 0
MAC Frames:
 Tx: Unicast: 359, Multicast: 0, Broadcast: 8,
  Underflow Errors: 0
 Rx: Unicast: 387, Multicast: 221, Broadcast: 1,
  Overflow Errors: 0, CRC Errors: 0

Configuring HTTP Redirect
This example shows how you can configure the CSM-S to send HTTP redirect messages:
# This configuration represents the configuration of site A
module ContentSwitchingModule 6
 vlan 211 client
  ip address 10.20.211.2 255.255.255.0
  gateway 10.20.211.1
!
 vlan 210 server
  ip address 10.20.210.1 255.255.255.0
!
 map SPORTMAP url
  match protocol http url /sports*
!
 serverfarm REDIRECTFARM
  nat server
  no nat client
  redirect-vserver WWW2
   webhost relocation www2.test.com 301
   inservice
!
 serverfarm WWW1FARM
  nat server
  no nat client
  real 10.20.210.10
   inservice
  real 10.20.210.20
   inservice
!
 policy SPORTPOLICY
  url-map SPORTMAP
  serverfarm REDIRECTFARM
!
 vserver WWW1VIP
  virtual 10.20.211.100 tcp www
  serverfarm WWW1FARM
  persistent rebalance
  slb-policy SPORTPOLICY
  inservice

# This configuration represents the configuration of site B
module ContentSwitchingModule 7
 vlan 221 client
  ip address 10.20.221.2 255.255.255.0
  gateway 10.20.221.1
!
 vlan 220 server
  ip address 10.20.220.1 255.255.255.0
!
 serverfarm WWW2FARM
  nat server
  no nat client
  real 10.20.220.10
   inservice
  real 10.20.220.20
   inservice
!
 vserver WWW2VIP
  virtual 10.20.221.100 tcp www
  serverfarm WWW2FARM
  persistent rebalance
  inservice

This example shows the output of some of the show commands:
# To test the configuration, the first nine requests are sent to www1.test.com requesting
# the home page "/". The 10th request is sent to http://www1.test.com/sports/.
Cat6k-2# show module csm 6 vser deta
WWW1VIP, type = SLB, state = OPERATIONAL, v_index = 11
 virtual = 10.20.211.100/32:80 bidir, TCP, service = NONE, advertise = FALSE
 idle = 3600, replicate csrp = none, vlan = ALL, pending = 30
 max parse len = 2000, persist rebalance = TRUE
 ssl sticky offset = 0, length = 32
 conns = 0, total conns = 10
 Default policy:
  server farm = WWW1FARM, backup = <not assigned>
  sticky: timer = 0, subnet = 0.0.0.0, group id = 0
 Policy          Tot Conn     Client pkts  Server pkts
 -----------------------------------------------------
 SPORTPOLICY     1            3            1
 (default)       9            45           45

Cat6k-2# show module csm 7 vser detail
WWW2VIP, type = SLB, state = OPERATIONAL, v_index = 26
 virtual = 10.20.221.100/32:80 bidir, TCP, service = NONE, advertise = FALSE
 idle = 3600, replicate csrp = none, vlan = ALL, pending = 30
 max parse len = 2000, persist rebalance = TRUE
 ssl sticky offset = 0, length = 32
 conns = 0, total conns = 1
 Default policy:
  server farm = WWW2FARM, backup = <not assigned>
  sticky: timer = 0, subnet = 0.0.0.0, group id = 0
 Policy          Tot Conn     Client pkts  Server pkts
 -----------------------------------------------------
 (default)       1            5            5

# Nine requests have matched the default policy for www1.test.com so they have been served
# by WWW1FARM. One request has matched the policy SPORTPOLICY and has been redirected to
# the second site that has then served the request.

# The following is an example of the request that was sent to www1.cisco.com asking for
# /sports/.
10.20.1.100.34589 > 10.20.211.100.80: P 1:287(286) ack 1 win 5840 (DF)
0x0000   4500 0146 763c 4000 4006 da85 0a14 0164        E..Fv<@.@......d
0x0010   0a14 d364 871d 0050 ec1d 69e6 7b57 aead        ...d...P..i.{W..
0x0020   5018 16d0 96b2 0000 4745 5420 2f73 706f        P.......GET./spo
0x0030   7274 732f 2048 5454 502f 312e 310d 0a43        rts/.HTTP/1.1..C
0x0040   6f6e 6e65 6374 696f 6e3a 204b 6565 702d        onnection:.Keep-
0x0050   416c 6976 650d 0a55 7365 722d 4167 656e        Alive..User-Agen
0x0060   743a 204d 6f7a 696c 6c61 2f35 2e30 2028        t:.Mozilla/5.0.(
0x0070   636f 6d70 6174 6962 6c65 3b20 4b6f 6e71        compatible;.Konq
0x0080   7565 726f 722f 322e 322d 3131 3b20 4c69        ueror/2.2-11;.Li
0x0090   6e75 7829 0d0a 4163 6365 7074 3a20 7465        nux)..Accept:.te
0x00a0   7874 2f2a 2c20 696d 6167 652f 6a70 6567        xt/*,.image/jpeg
0x00b0   2c20 696d 6167 652f 706e 672c 2069 6d61        ,.image/png,.ima
0x00c0   6765 2f2a 2c20 2a2f 2a0d 0a41 6363 6570        ge/*,.*/*..Accep
0x00d0   742d 456e 636f 6469 6e67 3a20 782d 677a        t-Encoding:.x-gz
0x00e0   6970 2c20 677a 6970 2c20 6964 656e 7469        ip,.gzip,.identi
0x00f0   7479 0d0a 4163 6365 7074 2d43 6861 7273        ty..Accept-Chars
0x0100   6574 3a20 416e 792c 2075 7466 2d38 2c20        et:.Any,.utf-8,.
0x0110   2a0d 0a41 6363 6570 742d 4c61 6e67 7561        *..Accept-Langua
0x0120   6765 3a20 656e 5f55 532c 2065 6e0d 0a48        ge:.en_US,.en..H
0x0130   6f73 743a 2077 7777 312e 7465 7374 2e63        ost:.www1.test.c
0x0140   6f6d 0d0a 0d0a                                 om....

# The following example is the message that the client has received back from
# www1.cisco.com. This message is the HTTP redirect message generated by the CSM-S.
10.20.211.100.80 > 10.20.1.100.34589: FP 1:56(55) ack 287 win 2048 (DF)
0x0000   4500 005f 763c 4000 3e06 dd6c 0a14 d364        E.._v<@.>..l...d
0x0010   0a14 0164 0050 871d 7b57 aead ec1d 6b04        ...d.P..{W....k.
0x0020   5019 0800 8b1a 0000 4854 5450 2f31 2e30        P.......HTTP/1.0
0x0030   2033 3031 2046 6f75 6e64 200d 0a4c 6f63        .301.Found...Loc
0x0040   6174 696f 6e3a 2068 7474 703a 2f2f 7777        ation:.http://ww
0x0050   7732 2e74 6573 742e 636f 6d0d 0a0d 0a          w2.test.com....

# The redirect location sent back to the client matches exactly the string configured with
# the webhost relocation www2.test.com 301 command because the client was browsing
# www1.test.com/sports/ and is redirected to www2.test.com/.
# In some cases this might not be the desired behaviour and there might be the need to
# preserve the original URL that the browser requested.
# To preserve the URL that the browser requested, you can use the %p parameter as part of
# the redirect string.
# The configuration would then appear as:
# serverfarm REDIRECTFARM
#  nat server
#  no nat client
#  redirect-vserver WWW2
#   webhost relocation www2.test.com/%p
#   inservice
# The following example shows the resulting redirect message which is sent back to the
# client:
10.20.211.100.80 > 10.20.1.100.34893: FP 1:64(63) ack 329 win 2048 (DF)
0x0000   4500 0067 7d95 4000 3e06 d60b 0a14 d364        E..g}.@.>......d
0x0010   0a14 0164 0050 884d 7093 b53b 4e0b e8a8        ...d.P.Mp..;N...
0x0020   5019 0800 2800 0000 4854 5450 2f31 2e30        P...(...HTTP/1.0
0x0030   2033 3032 2046 6f75 6e64 200d 0a4c 6f63        .302.Found...Loc
0x0040   6174 696f 6e3a 2068 7474 703a 2f2f 7777        ation:.http://ww
0x0050   7732 2e74 6573 742e 636f 6d2f 7370 6f72        w2.test.com/spor
0x0060   7473 2f0d 0a0d 0a                              ts/....

# In other cases, you may need to redirect an HTTP request to an HTTPS VIP, on the same or
# on a remote CSM-S. In that case, the URL request must change from http:// to https://
# You can do this by using the parameter ssl 443
# The configuration would then be as follows:
# serverfarm REDIRECTFARM
#  nat server
#  no nat client
#  redirect-vserver WWW2
#   webhost relocation www2.test.com/%p
#   ssl 443
#   inservice
# The following is the resulting redirect message sent back to the client.
10.20.211.100.80 > 10.20.1.100.34888: FP 1:65(64) ack 329 win 2048 (DF)
0x0000   4500 0068 2cda 4000 3e06 26c6 0a14 d364        E..h,.@.>.&....d
0x0010   0a14 0164 0050 8848 7088 b087 21e5 a627        ...d.P.Hp...!..'
0x0020   5019 0800 f39e 0000 4854 5450 2f31 2e30        P.......HTTP/1.0
0x0030   2033 3032 2046 6f75 6e64 200d 0a4c 6f63        .302.Found...Loc
0x0040   6174 696f 6e3a 2068 7474 7073 3a2f 2f77        ation:.https://w
0x0050   7777 322e 7465 7374 2e63 6f6d 2f73 706f        ww2.test.com/spo
0x0060   7274 732f 0d0a 0d0a                            rts/....
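A check for the three redirect variants shown above (plain `webhost relocation`, with `%p`, and with `ssl 443`), written as an added Python example that is not part of the Cisco documentation. The three byte strings are the HTTP payloads transcribed from this page's packet captures; the function names, the allowed-host set and the finding strings are hypothetical.

```python
from urllib.parse import urlsplit

# HTTP payloads transcribed from the three redirect captures on this page.
CAPTURED_PLAIN = b"HTTP/1.0 301 Found \r\nLocation: http://www2.test.com\r\n\r\n"
CAPTURED_PATH = b"HTTP/1.0 302 Found \r\nLocation: http://www2.test.com/sports/\r\n\r\n"
CAPTURED_SSL = b"HTTP/1.0 302 Found \r\nLocation: https://www2.test.com/sports/\r\n\r\n"


def parse_redirect(raw: bytes):
    """Return (status code, Location value or None) from a raw HTTP response head."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    parts = lines[0].split(None, 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        raise ValueError("not an HTTP status line: %r" % lines[0])
    location = None
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "location":
            location = value.strip()
    return int(parts[1]), location


def audit_redirect(raw, requested_path, allowed_hosts, require_https=False):
    """Compare a redirect response with the intended behaviour.

    Returns a list of findings; an empty list means the redirect goes to an
    allowed host, keeps the requested path and (if required) uses https.
    """
    findings = []
    status, location = parse_redirect(raw)
    if status not in (301, 302):
        findings.append("status %d is not a redirect" % status)
    if location is None:
        findings.append("no Location header")
        return findings
    target = urlsplit(location)
    if target.hostname not in allowed_hosts:
        findings.append("unexpected host %s" % target.hostname)
    if require_https and target.scheme != "https":
        findings.append("scheme is %s, expected https" % target.scheme)
    # Without %p the CSM-S sends only the configured string, so the path is lost.
    if (target.path or "/") != requested_path:
        findings.append("path %s differs from requested %s"
                        % (target.path or "/", requested_path))
    return findings


if __name__ == "__main__":
    for label, raw in (("relocation only", CAPTURED_PLAIN),
                       ("with %p", CAPTURED_PATH),
                       ("with %p and ssl 443", CAPTURED_SSL)):
        print(label, audit_redirect(raw, "/sports/", {"www2.test.com"}, require_https=True))
```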