topic Re: cisco CSM balancing in Application Networking

cisco CSM balancing

danilodicesare — Sat, 12 Dec 2009 01:23:04 GMT

HI all,

i've got two questions about CSM:

1 i've got this config:

real foo

address 1.1.1.5

inservice

real bar

address 1.1.1.6

inservice

real foo1

address 1.1.1.7

inservice

serverfarm S_foo

nat server

no nat client

real foo 53

inservice

real bar 53

inservice

real foo1 53

inservice

serverfarm ROUTE

no nat server

no nat client

predictor forward

vserver V_route

virtual 1.1.1.0 255.255.255.0 any

serverfarm ROUTE

persistent rebalance

inservice

vserver V_foo

virtual 1.1.1.1 udp dns

serverfarm S_foo

idle 4

persistent rebalance

inservice

vserver V_bar

virtual 1.1.1.2 udp dns

serverfarm S_foo

idle 4

persistent rebalance

inservice

may you see any issue in having serverfarm and vserver for forwarding real address and having some VIP for load balancing with different subnet?

what is order of hit for CSM? I need to reach real IP and also to loadbalnce...do you thing i'll have some problem? do you think should be better to have different subnet for real ip and vserver?

2 sometimes when i query balanced DNS server (resolver) i can see (checking on a firewall beetwen CSM and client, inside interface is csm side, outside client side) some connection that seems to be generated from 1.1.1.1, 1.1.1.2...is pretty strange 'cause all response from the DNS should be in conn table of ASA and not generated from DNS towards client. on firewall i can see an ACL (applied on inside interface CSM side) increasing hits (ACL is permit 1.1.1.1-2 to any). My expectation was seeing just outside ACL increasing HITS (client --> DNS trought ASA and CSM).

tnx for any response

Dan

Re: cisco CSM balancing

busterswt — Sat, 12 Dec 2009 02:05:22 GMT

On a CSS I would recommend implementing some sort of source group rule if your DNS servers are replying directly back to the client. I've never used a CSM, but I would imagine you would would want to NAT the source address of the client so that your DNS servers will reply back through the CSM and then back out to the clients.

Consider this existing serverfarm:

serverfarm S_foo

nat server

no nat client

real foo 53

inservice

real bar 53

inservice

real foo1 53

inservice

You can create a NAT pool consisting of (1) or more IP's, and use that to NAT incoming client traffic:

natpool MY_POOL 1.1.1.254 1.1.1.254 netmask 255.255.255.0

serverfarm S_foo

nat server

nat client MY_POOL

real foo 53

inservice

real bar 53

inservice

real foo1 53

inservice

All incoming requests to your DNS servers would appear to come from 1.1.1.254, and the DNS servers would reply to that address. The CSM would then perform NAT to change 1.1.1.254 to the VIP that was originally requested, and the destination IP would be that of the client. On the ASA you would then only see DNS traffic to/from the VIP. 1.1.1.1 and 1.1.1.2 should not be seen unless they initiate outbound traffic.

Hope I'm even close to what you're asking for!

- James

Re: cisco CSM balancing

danilodicesare — Sat, 12 Dec 2009 07:56:02 GMT

Hi James,

tnx but i think is not the answer....'cause i can reach DNS server from the real IP address of client (clients are on internet). I need not source group and src NAT for letting infrastructure works properly.

I wonder wheter serverfarm 'forward' serverfarm balanced can work without problem toghether if i have same subnet fot both (as i said befor for SF balancing i've got two /32 and for serverfarm forward i've got /24 on same 1.1.1.0).

And why sometimes i can see traffic beginning from server in subnet 1.1.1.0 BUT the source is 1.1.1.1 and 1.1.1.2 (are vserver IP address) ports 53 towards client port random. I can see that traffic begin from there because hit an ACL on a firewall on inside interface, inside interface side to CSM and outside interface side to internet.

tnx

Dan

Re: cisco CSM balancing

Gilles Dufour — Mon, 14 Dec 2009 15:19:30 GMT

Dan,

1/ this is ok. You can have multiple vip subnets.

CSM does a longest match - so first /32 and then /24.

2/ You should configure a very low idle timeout - 4sec.

Because currently, the CSM will setup flows and keep them for one hour.

Since this is UDP, the connections will stay there and if the server sends a udp packet which matches an existing connections, the CSM will forward assume it belongs to the old connection and send everything to the firewall doing nat with the virtual ip.

Gilles.

Re: cisco CSM balancing

danilodicesare — Tue, 15 Dec 2009 08:44:12 GMT

Merci Gilles.

Observe

Dan