CSM Routed Mode Server

jrichterkessing
Level 1

I am attempting to set up routed mode load balancing with my CSM. I have been running in Bridged mode up until this point, but there has been a need to see native IP address connections on the servers.

I have a config that works (see below, both routed mode and bridge mode included), but I have a question concerning the real servers' outbound traffic to the rest of my private network. The only way I have gotten this to work is by building a vserver for outbound access and natting the client (below is my entire config).

Is this a correct config?? I'm assuming the NAT is needed because of the presence of the DIRECT-ACCESS vserver (the return traffic from my routed mode servers would hit this vserver instead of CSMSERVEROUT vserver where the traffic originated??). I guess one of my concerns is that if I need to NAT all the traffic outbound from my routed mode servers, how will that play out in the Windows networking world (i.e. domain controllers, authentication, etc.)?

module ContentSwitchingModule 2
 vlan 605 client
  ip address 10.63.240.4 255.255.255.0
  gateway 10.63.240.1
 !
 vlan 606 server
  ip address 10.63.240.4 255.255.255.0
 !
 vlan 607 server
  ip address 10.40.120.2 255.255.255.0
  alias 10.40.120.1 255.255.255.0
 !
 natpool WEB-BRIDGE 10.63.240.200 10.63.240.200 netmask 255.255.255.254
 !
 probe HTTP http
  interval 5
  failed 30
 !
 serverfarm ROUTE
  no nat server
  no nat client
  predictor forward
 !
 serverfarm ROUTE-CSM-OUT
  no nat server
  nat client WEB-BRIDGE
  predictor forward
 !
 serverfarm WEB-BRIDGE
  nat server
  nat client WEB-BRIDGE
  real 10.40.109.101
   inservice
  real 10.40.109.102
   inservice
  health retries 3 failed 30
  probe HTTP
 !
 serverfarm WEB-ROUTE
  nat server
  no nat client
  real 10.40.120.100
   inservice
  real 10.40.120.101
   inservice
  health retries 3 failed 30
  probe HTTP
 !
 vserver CSMSERVEROUT
  virtual 10.32.0.0 255.224.0.0 any
  vlan 607
  serverfarm ROUTE-CSM-OUT
  persistent rebalance
  inservice
 !
 vserver DIRECT-ACCESS
  virtual 10.40.120.0 255.255.255.0 any
  serverfarm ROUTE
  persistent rebalance
  inservice
 !
 vserver WEB-BRIDGE
  virtual 10.63.240.10 tcp www
  vlan 605
  serverfarm WEB-BRIDGE
  sticky 1
  persistent rebalance
  inservice
 !
 vserver WEB-RTE2BRG
  virtual 10.63.240.10 tcp www
  vlan 607
  serverfarm WEB-BRIDGE
  sticky 1
  persistent rebalance
  inservice
 !
 vserver WEB-ROUTE
  virtual 10.63.240.20 tcp www
  vlan 605
  serverfarm WEB-BRIDGE
  sticky 1
  persistent rebalance
  inservice

interface Vlan605
 description ServerLoadBalancing
 ip address 10.63.240.1 255.255.255.0
 no ip unreachables
 ip pim sparse-mode
 mls rp vtp-domain MOSL1VTP1
 mls rp ip
end

5 Replies

jfoerster
Level 4

Hi,

Well, you do not need to NAT outbound traffic by default. The only thing that has to be ensured is that the return flow is defined properly. In your case the network 10.40.120/24 needs to be routed towards the CSM. Btw, do only the configured reals initiate connections, or are there more servers initiating connections? If it is only the configured ones, I think you do not need a vserver for that, as those reals are known to the CSM.

Keep in mind routing is an issue: if 10.40.120/24 is not known to your network, it won't work without NAT.

Kind Regards,

Joerg

Initially I tried not NATting the outbound traffic, but I could not communicate with anything outside this VLAN (I do have a route to 10.40.120/24 on the MSFC routing to my client VLAN). I believe what is happening is since I need a way to access the servers directly from my private network I needed to add the vserver DIRECT-ACCESS, so if I initiate a connection from one of my Routed-mode servers to a server/workstation on the private network, the traffic out of the CSM would flow through vserver CSMSERVEROUT, but the return traffic would attempt to use the vserver DIRECT-ACCESS?

I need the ability to access the real servers directly from my private network and for the servers to be able to have access out to boxes in the private network (initiate the connections for things like updates, etc.)

Hope this makes sense... I get more confused every time I look at it.

Thanks...Jeff

The return can't hit the vserver you mentioned.

When the SYN is sent out, the CSM creates a flow entry and when the response comes back SYN/ACK, the CSM will try to match it to an existing flow to switch the packet back to its origin.

SYN/ACK can't hit vserver - they are dropped.

So, if it does not work without a client natpool, it means your destination is unable to route back to the source or is routing back via a different vlan than the one used by the CSM to forward the initial packet.

Regards,

Gilles.

Jeff,

Your client VLAN has no alias (redundant GW like HSRP), so to which gateway are you routing the traffic of the new server VLAN? Is it possible that you route it to the redundant CSM which is the standby?

Please give it a try with configuring an alias IP on your client vlan and point the route for the server vlan to that IP-Address without the NAT.

Kind Regards,

Joerg

THANK YOU for your help. It was a routing problem. Even though I had a static route for the 10.40.120 network in my 6509, it was not being advertised via EIGRP to my other routers in the EIGRP group, which included my redundant 6509. After I added this network to be advertised, everything worked fine. Again, thanks for your help!
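A simplified model of the flow matching described in the replies above, and of why the client natpool masked the missing route. This is an added illustration, not code from the thread or from Cisco; the peer address 10.40.1.50, the ports, the device name "active-csm" and the two routing views are constructed.

```python
import ipaddress

class Csm:
    """Toy flow table: an outbound SYN opens a flow, a reply must match one."""
    def __init__(self):
        self.flows = set()

    def outbound_syn(self, src, sport, dst, dport, nat_ip=None):
        seen_src = nat_ip or src          # "nat client" rewrites the source
        # Store the tuple the returning packet will carry
        self.flows.add((dst, dport, seen_src, sport))
        return seen_src

    def inbound(self, src, sport, dst, dport, flags):
        if (src, sport, dst, dport) in self.flows:
            return "forwarded"
        # Only a SYN is a candidate for a vserver; an unmatched SYN/ACK is dropped
        return "vserver lookup" if flags == "SYN" else "dropped"

def next_hop(routes, dst):
    """Longest-prefix match over {prefix: device}; None when no route exists."""
    addr = ipaddress.ip_address(dst)
    hits = [(ipaddress.ip_network(p), dev) for p, dev in routes.items()
            if addr in ipaddress.ip_network(p)]
    return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None

def try_connection(routes, nat_ip=None):
    """Real server 10.40.120.100 opens a connection to a host on the private network."""
    active = Csm()
    server, peer = "10.40.120.100", "10.40.1.50"    # peer is constructed
    seen = active.outbound_syn(server, 40000, peer, 445, nat_ip)
    hop = next_hop(routes, seen)    # where the peer's router sends the SYN/ACK
    if hop != "active-csm":
        return f"reply never reaches active CSM (next hop: {hop})"
    return active.inbound(peer, 445, seen, 40000, "SYN/ACK")

# Constructed routing views of a remote router in the EIGRP domain
BEFORE = {"10.63.240.0/24": "active-csm"}            # 10.40.120.0/24 not advertised
AFTER = {**BEFORE, "10.40.120.0/24": "active-csm"}   # after advertising it

if __name__ == "__main__":
    print("no NAT, before:", try_connection(BEFORE))
    print("NAT, before:   ", try_connection(BEFORE, nat_ip="10.63.240.200"))
    print("no NAT, after: ", try_connection(AFTER))
```

With the natpool address the reply is sent to a prefix the rest of the network already knows, which is why NAT appeared to be required until 10.40.120.0/24 was advertised.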
