CSM-Direct administrative access to reals

joe.plummer
Level 1

Situation:

- CSMs on redundant 6503s that trunk to Distribution L3 switches. Using aliases front and back.

- No Ethernet ports on 6503s; everything trunks.

- The upstream distros are advertising both the client and server subnets.

- Default GW on the reals is the server-side alias of the CSM, of course.

Question: how to allow direct admin access to the reals without creating an asymmetric routing problem?

Is there an administrative bypass which doesn't involve any static routes? And doesn't require separate management VIPs?

3 Replies

jfoerster
Level 4

Hi Joe,

Two solutions, depending on the configuration:

1) bridged mode: nothing has to be done, except that the servers have to reside in the server VLAN and the clients in the client VLAN, with the CSM as the only bridge between those two VLANs

2) routed/secure mode:

a) Servers should use a gateway on the CSM as default GW, or a specific route on the servers pointing to the management stations using the gateway on the CSM

b) do client NAT on the CSM in the serverfarm using predictor forward, and define a vserver for the client access.

Kind Regards,

joerg

Thanks Joerg, we were familiar with these...

---

Using routed mode.

Using the alias of the server VLAN as the default gateway on the real servers.

---

BUT, how would we define such a vserver? We need to allow a great many applications to pass for server administration. And every time we added a real server to the farm, we'd have to add a new vserver for the direct access.

CSM documentation indicates the use of a static route for the real server subnet on the MSFC pointing to the client-side alias IP, but statics are not allowed by network management policy. How to work around this?

---

We can route anywhere (on the MSFC of the CSM's 6503 or on the upstream distro), but cannot redistribute statics (by policy). Why can we not route both the client and server VLANs? Why does this break routing?

Hi Joe,

Well, one possible solution is to have the real addresses routed elsewhere, losing the CSM in between (I guess that is not wanted).

The other one is: if all servers are in the same network, i.e. 10.0.0.0/24, and this network is only reachable via the CSM, you could use a vserver like this (I do not write down everything, as I guess you can complete the syntax and so on...)

vserver directaccess
  virtual 10.0.0.0 255.255.255.0 any
  serverfarm direct
  inservice

serverfarm direct
  nat client SRCNAT   <- depending on whether the servers have another gateway back to the workstations; if not, you do not need this
  no nat server
  predictor forward

natpool SRCNAT 10.0.0.1 10.0.0.1 netmask 255.255.255.0

(compare with http://www.cisco.com/en/US/customer/products/hw/switches/ps708/products_installation_and_configuration_guide_chapter09186a00801c58a5.html#1038253)

Well, I'm not sure if this solves all your problems, as I do not know your exact topology... If you want to discuss, feel free to send me a quick and dirty drawing with the recommendations and I'll try to answer asap.

Kind Regards,

Joerg.
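A fuller version of the forward-vserver approach Joerg sketches above, added here as an illustration; it is not part of his post or of Cisco's documentation. The module slot, VLAN numbers, the 10.10.10.0/24 client subnet, the 10.1.1.0/24 management subnet and the NAT pool address 10.0.0.254 are all assumptions chosen for the example; the server subnet 10.0.0.0/24 and the alias 10.0.0.1 as the reals' default gateway are taken from the thread.

```cisco
! Assumed topology: CSM in slot 4, client VLAN 10 (10.10.10.0/24),
! server VLAN 20 (10.0.0.0/24). The reals use the server-side alias
! 10.0.0.1 as their default gateway, as in the original question.
module ContentSwitchingModule 4
 vlan 10 client
  ip address 10.10.10.2 255.255.255.0
  gateway 10.10.10.1
  alias 10.10.10.3 255.255.255.0
 !
 vlan 20 server
  ip address 10.0.0.2 255.255.255.0
  alias 10.0.0.1 255.255.255.0
 !
 ! Source-NAT pool inside the server subnet (10.0.0.254 is an assumed free
 ! address). Admin connections arrive at the reals sourced from this address,
 ! so the reply is always routed back through the CSM and the flow stays
 ! symmetric without any static route on the MSFC.
 natpool SRCNAT 10.0.0.254 10.0.0.254 netmask 255.255.255.0
 !
 ! No real servers: predictor forward just routes to the destination IP.
 serverfarm DIRECT
  no nat server
  nat client SRCNAT
  predictor forward
 !
 ! One catch-all vserver for the whole real-server subnet, so new reals
 ! need no extra configuration. Only accept it from the client VLAN and
 ! only from the assumed management subnet.
 vserver DIRECTACCESS
  virtual 10.0.0.0 255.255.255.0 any
  vlan 10
  client 10.1.1.0 255.255.255.0
  serverfarm DIRECT
  inservice
```

Two things to weigh before using this. The `client` restriction matters: without it the catch-all vserver exposes every port of every real to anything that can reach the client VLAN, bypassing the service VIPs entirely. And because of the client NAT, the reals' own logs and any host-based controls see 10.0.0.254 as the administrator's source address rather than the real management station, so attribution has to come from the CSM or MSFC side (for example, connection logging or an ACL with logging on the client VLAN) if you need it for audit or incident response.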
