04-08-2008 02:13 AM
Hey all,
I had a config working for load balancing websites but now need something to work for a flash app that uses port 1935 instead.
Everything worked but I couldn't see the real source IP (which is a requirement of the business). I know that this was because I was taking it from the HTTP header before and it's not HTTP now.
What are my options here? Is there something similar I could do or do I need to change the basic design?
My design at present looks like this:
Client -- CSM -- FWSM -- Real Servers
The servers have a DG of the FWSM and are on VLAN205.
module ContentSwitchingModule 12
 vlan 205 server
  ip address 10.1.205.5 255.255.255.0
 !
 vlan 150 client
  ip address 10.1.205.5 255.255.255.0
 !
 natpool MAND8 10.1.205.50 10.1.205.50 netmask 255.255.255.0
 !
 probe TCP_80 tcp
  interval 5
  failed 3
  port 80
 !
 map SOURCEIPHEADER header
  insert protocol http header sourceip header-value %is
 !
 serverfarm MAND8
  nat server
  nat client MAND8
  failaction reassign
  real 10.1.205.209
   no inservice
  real 10.1.205.219
   inservice
  probe TCP_80
 !
 policy INSERTSOURCEIP
  header-map SOURCEIPHEADER
  serverfarm MAND8
 !
 vserver MAND8
  virtual 10.1.205.50 tcp 1935
  vlan 205
  unidirectional
  serverfarm MAND8
  advertise active
  persistent rebalance
  inservice
 !
As I say, the above config works fine, apart from the NAT, so if anyone has any ideas that would be great!
Thanks in advance
Anthony
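A practical caveat on the header-map approach in the config above: the inserted sourceip header is only trustworthy when the request actually arrived via the CSM (i.e. from the natpool address), because any client that can reach a real server directly can send a header of the same name. The following is an added example, not code from the thread or from Cisco; it shows how a backend should recover the real client address. It assumes the natpool address 10.1.205.50 and the header name sourceip from the posted config, and a request's peer address and headers as plain Python values.

```python
# Added example (not from the thread): recovering the real client address on a
# server that sits behind the CSM config above.  Assumptions: the CSM NATs client
# traffic to 10.1.205.50 (natpool MAND8) and inserts the "sourceip" header on HTTP;
# traffic arriving from any other peer did not come through the load balancer.
from ipaddress import ip_address

LOAD_BALANCER_NAT = {"10.1.205.50"}  # natpool address(es) from the posted config
SOURCE_HEADER = "sourceip"           # header name from 'map SOURCEIPHEADER'


def client_ip(peer_addr: str, headers: dict) -> str:
    """Return the address to log or authorise as the real client.

    Only honour the inserted header when the TCP peer is the load balancer's NAT
    address; otherwise (direct connection, or a malformed header) use the peer.
    """
    peer = str(ip_address(peer_addr))
    # header names are case-insensitive in HTTP, so normalise before lookup
    lowered = {k.lower(): v for k, v in headers.items()}
    inserted = lowered.get(SOURCE_HEADER)
    if peer in LOAD_BALANCER_NAT and inserted:
        try:
            return str(ip_address(inserted.strip()))
        except ValueError:
            return peer  # header present but not an IP address: do not trust it
    return peer


if __name__ == "__main__":
    # constructed sample requests, not captured traffic
    print(client_ip("10.1.205.50", {"SourceIP": "203.0.113.7"}))   # via the CSM
    print(client_ip("10.1.205.77", {"sourceip": "203.0.113.7"}))   # bypassed the CSM
    print(client_ip("10.1.205.50", {"sourceip": "not-an-ip"}))     # malformed header
```

The same rule applies to any X-Forwarded-For style header: strip or ignore it unless the immediate peer is the proxy that is supposed to set it. It also explains the original problem in the thread: the insertion only exists for HTTP, so a raw TCP service on port 1935 has no header to carry the client address, and the only way for the server to see it is to stop NATing the client side.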
04-08-2008 03:15 AM
You need to change the design.
Do something like this:
client -- FW -- CSM --- servers
Have the same configured in bridge mode so the servers can keep the FW as their DG.
After that you can remove the natpool from the serverfarm and you will see the client ip address on the servers.
Gilles.
04-08-2008 03:24 AM
Ok, thanks Gilles...
I'm trying to do what you suggest but what's the main config difference between what I have and what you suggest?
I have the outside FW VLAN as VLAN15 - VLAN205 is one that is off the FWSM and VLAN150 is just on the CSM.
So how do I change what I have to 'bridge'?
Thanks for the help
Anthony
04-08-2008 03:29 AM
The goal is to have the traffic hit the CSM before it goes to the firewall which could send the traffic back to the client without going through the CSM.
If I understand correctly, the servers are in vlan 205.
So you need something like this:
vlan15 -- FW ---- vlan150 ---- CSM ----vlan205
Configure the same ip in vlan150 and vlan205 for the CSM.
Use an ip from the servers subnet.
Remove vlan 205 from the FW and replace it with vlan 150.
I hope this makes sense like this.
Don't hesitate to send more questions if you need to clarify something.
Gilles.
04-08-2008 06:41 AM
Hey Gilles,
Thanks for the help.
When you say remove 205 from the FW, which part do you mean? I thought that all the machines still use the FWSM as their DG, or am I wrong -- so I still need to keep the IP, access-lists etc. there??
04-08-2008 07:11 AM
The CSM will bridge between the FW and the servers.
But the FWSM can't have direct access to the server vlan.
So you keep everything the same on the firewall, but you need to remove the server vlan and replace it with a new vlan id that will exist only between the csm and the fwsm.
The fwsm will keep the same ip addresses.
Just the vlan id will change.
The csm takes care of the rest.
Gilles.
04-08-2008 08:23 AM
Ok, I think I understand. I've deleted VLAN205 on the FWSM and replaced it with VLAN150 but with the original VLAN205 IP address - to still be used as the DG.
When I try now I can see requests coming into the server from the non-natted address but the page doesn't load.
Should I have a gateway configured on either the server/client VLANs in the CSM config to sort this problem, or is it something else?
Thanks again!
04-08-2008 08:44 AM
So now I have:
interface Vlan105
 nameif inside
 security-level 100
 ip address 10.2.250.1 255.255.255.0
!
firewall vlan-group 50 15,105
and then the same as before in terms of CSM config...
04-10-2008 05:23 AM
Hey Gilles,
Thanks for all your help!
I got it working in the end. I kept 205 as the bridged VLAN so that my other servers can stay on that without needing to be changed, then created a new VLAN for the servers that are to be load balanced. I now see the source IP and all is good!
Next problem!!
Do you know if it's possible for a probe script to look inside a text file and look for a certain line of text or if not look for a certain line of text on a webpage i.e. 'ok' or whatever?
I'm reading loads of stuff at the moment but you seem to have the answers so thought I'd ask!!
Cheers,
Anthony
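The last question (a probe that looks for a given line of text in a file or on a web page) is not answered in the thread. As an added example that is not a CSM probe script and not from the thread or from Cisco, this is the check such a content probe has to perform: fetch the text from a local file or an HTTP URL and report healthy only when some line matches the expected pattern, treating any fetch failure as unhealthy. The source path, URL and pattern are assumptions to be replaced with whatever the probe should test.

```python
# Added example (not from the thread): the logic of a content probe that reads a
# text file or an HTTP page and looks for a line such as 'ok'.  Assumptions: the
# source (file path or http(s) URL) and the pattern are chosen by the operator.
import re
import tempfile
import urllib.request
from pathlib import Path


def fetch_text(source: str, timeout: float = 5.0) -> str:
    """Return the text at a local path or an http(s) URL.

    Raises OSError for a missing file, a connection failure or a non-2xx status
    (urllib's URLError/HTTPError are OSError subclasses), so the caller can treat
    every failure the same way: unhealthy.
    """
    if source.startswith(("http://", "https://")):
        with urllib.request.urlopen(source, timeout=timeout) as resp:
            return resp.read().decode("utf-8", errors="replace")
    return Path(source).read_text(encoding="utf-8", errors="replace")


def text_contains_line(text: str, pattern: str) -> bool:
    """True when at least one line of the text matches the regular expression."""
    matcher = re.compile(pattern)
    return any(matcher.search(line) for line in text.splitlines())


def probe_ok(source: str, pattern: str) -> bool:
    """Healthy (True) only if the content could be fetched and contains the pattern."""
    try:
        text = fetch_text(source)
    except (OSError, ValueError):
        # unreachable server, HTTP error, missing file or bad URL: fail the probe
        return False
    return text_contains_line(text, pattern)


def demo() -> bool:
    """Run the probe against a constructed status file and return its verdict."""
    with tempfile.TemporaryDirectory() as tmp:
        status_file = Path(tmp) / "status.txt"
        # constructed sample content, standing in for the real application's file
        status_file.write_text("app: flash-media\nstatus: ok\n", encoding="utf-8")
        return probe_ok(str(status_file), r"^status: ok$")


if __name__ == "__main__":
    print("healthy" if demo() else "unhealthy")
```

For an HTTP page the same function is called with the URL instead of a path; a non-2xx response is already a failure before the pattern is even checked, which is usually what you want from a health probe.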