CSM: server-initiated connections

ehuamannahuin
Level 1

Hello

I hope you can help me figure out this question. I have a CSM module with more than 10 serverfarms, all of them working fine, and all of them on different vlans. We are using route mode for all of them.

For example:

ServerFarm01-> Vlan10
Client_Side01-> Vlan11

ServerFarm02-> Vlan20
Client_Side02-> Vlan21

ServerFarm03-> Vlan30
Client_Side03-> Vlan31

and so on...

I noticed something: when I generate outbound traffic from a real server, it does not matter whether it belongs to ServerFarm01, 02 or 03; the packet always leaves the CSM using vlan31.

Can you please help to determine what’s going on?

Actually, we want real servers from ServerFarm01 to send traffic to the internet through the CSM, and that traffic should be seen on vlan11.

Thanks and Regards
Edgar

ajayku2
Cisco Employee

Hi Edgar,

A few things to check.

Check whether the servers have two interfaces. They may be sending traffic through the other interface.

Please go through the configuration guidelines below; they will help you associate a particular serverfarm with its respective VLAN.

Configuring Server-Initiated Connections

The NAT for the server allows you to support connections initiated by real servers and to provide a default configuration used for servers initiating connections that do not have matching entries in the server NAT configuration. By default, the CSM allows server-originated connections without NAT.

To configure NAT for the server, perform this task:

Step 1
Command: Router(config)# static [drop | nat [ip-address | virtual]]
Purpose: Configures the server-originated connections. Options include dropping the connections, configuring them with NAT with a given IP address, or with the virtual IP address that they are associated with (see notes 1 and 2).

Step 2
Command: Router(config-slb-static)# real ip-address [subnet-mask]
Purpose: Configures the static NAT submode where the servers will have this NAT option. You cannot use the same real server with multiple NAT configuration options.

Note 1: Enter the exit command to leave a mode or submode. Enter the end command to return to the menu's top level.

Note 2: The no form of this command restores the defaults.

For example:

  !--- The NAT IP can be the virtual IP as well
  static nat 199.200.9.140
   real 192.168.24.0 255.255.252.0
   real 192.168.20.0 255.255.252.0

Hello Ajay

My real servers have two interfaces, but each of them belongs to a different vlan, so that should be a problem.

Can you please give me an example with full configuration of your idea for matching a serverfarm with its respective vlan?

Thank you

Edgar

Hi Edgar,

Note: This configuration may not work if the second port is still enabled or the default gateway is configured on the second interface.

Please note that the CSM will choose the VLAN based on the configured NAT IP address.

There are two ways you can configure NAT on the CSM.

One-to-one NAT of server-originated connections:

!---
!--- The following lines of config allow you to NAT one-to-one the server
!--- IP addresses
!---
!--- static nat <IP from their respective vlan>
!---   real <IP of the real server>
!---
static nat 10.20.221.10
  real 10.20.220.10
static nat 10.20.221.20
  real 10.20.220.20
!---
!--- Let's now open 2 connections, one from each real server
!---

Show command:

Cat6k-2#sh mod csm 7 static server
Server           NAT Type
----------------------------------------------
10.20.220.10     NAT to 10.20.221.10
10.20.220.20     NAT to 10.20.221.20

Many-to-one NAT of server-originated connections:

!---
!--- The following lines of config allow you to NAT many-to-one the server
!--- IP addresses
!---
!--- real <subnet of the real servers that will cover all servers>
!---
static nat 10.20.221.99
  real 10.20.220.0 255.255.255.0
!---
!--- Relevant show command
!---

Cat6k-2#sh mod csm 7 static server
Server           NAT Type
----------------------------------------------
10.20.220.10     NAT to 10.20.221.99
10.20.220.20     NAT to 10.20.221.99

Hello Ajay

Thanks for your time on this question.

As I told you, my real server has two interfaces: one for the production environment, the other for management purposes. The default GW belongs to the production environment. So, as I say, that should not be an issue, because all traffic originating from my real servers is sent to the CSM. The problem is that the CSM sends the traffic to another vlan. Do you see that? Is that because I do not have the NAT configuration?

I'll check more on your advised configuration and I'll let you know.

Thanks a lot.


Hi Edgar,

In that case NAT should take care of the issue.

with regards,

Ajay Kumar

Hello Ajay

I just did the configuration.

Before NAT:

2013-01-03 23:24:00.657603 VLAN_31 in 192.168.96.5 -> 4.4.4.4: icmp: echo request
2013-01-03 23:24:12.348902 VLAN_31 in 192.168.96.5 -> 4.4.4.4: icmp: echo request
2013-01-03 23:24:17.656816 VLAN_31 in 192.168.96.5 -> 4.4.4.4: icmp: echo request

Configuration:

static nat 192.168.64.15
  real 192.168.96.5

After NAT:

2013-01-03 23:46:30.137911 VLAN_31 in 192.168.64.15 -> 4.4.4.4: icmp: echo request
2013-01-03 23:46:35.603854 VLAN_31 in 192.168.64.15 -> 4.4.4.4: icmp: echo request
2013-01-03 23:46:41.103731 VLAN_31 in 192.168.64.15 -> 4.4.4.4: icmp: echo request
2013-01-03 23:46:46.603577 VLAN_31 in 192.168.64.15 -> 4.4.4.4: icmp: echo request
2013-01-03 23:46:52.103197 VLAN_31 in 192.168.64.15 -> 4.4.4.4: icmp: echo request

I can see that the NAT is working, but I still see the traffic leaving on vlan 31; it should be vlan 11. Vlan_31 is another client vlan for another serverfarm. That is what I mentioned earlier: all the outbound traffic initiated from my real servers always, for some reason, leaves the CSM on vlan_31.

Each server farm has its own vlan, and each real server belongs to the correct vlan.

Do you have any idea about it?

Thanks and Regards

Edgar
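
The check done by eye in the post above can be automated. This is an added example, not part of the original post: it parses capture lines in the format shown and flags packets whose source leaves on a VLAN other than the one expected for its subnet. The capture is constructed (its last line is invented), and the mapping of 192.168.64.0/24 to VLAN_11 is an assumption, since the thread does not give the subnet masks.

```python
import ipaddress
import re

# Constructed capture in the format of the lines above; the VLAN_11 line is invented.
CAPTURE = """\
2013-01-03 23:24:00.657603 VLAN_31 in 192.168.96.5 -> 4.4.4.4: icmp: echo request
2013-01-03 23:46:30.137911 VLAN_31 in 192.168.64.15 -> 4.4.4.4: icmp: echo request
2013-01-03 23:50:02.000000 VLAN_11 in 192.168.64.15 -> 4.4.4.4: icmp: echo request
"""

# Assumption: the NAT address 192.168.64.15 sits in a /24 that belongs to VLAN_11.
EXPECTED = {"192.168.64.0/24": "VLAN_11"}

# timestamp, VLAN name, direction, source IP, destination IP
LINE_RE = re.compile(
    r"^(\S+ \S+) (\S+) \S+ (\d{1,3}(?:\.\d{1,3}){3}) -> (\d{1,3}(?:\.\d{1,3}){3}):"
)


def check_egress(capture, expected):
    """Return (timestamp, source, vlan, status) for every packet that is not
    on the VLAN expected for its source subnet.

    status is 'unmapped' when the source is in no expected subnet (for example
    a real-server address that left without NAT) and 'wrong_vlan' when the
    source is mapped but was seen on a different VLAN.
    """
    nets = [(ipaddress.ip_network(n), vlan) for n, vlan in expected.items()]
    findings = []
    for line in capture.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a packet line
        ts, vlan, src = m.group(1), m.group(2), ipaddress.ip_address(m.group(3))
        want = next((v for net, v in nets if src in net), None)
        if want is None:
            findings.append((ts, str(src), vlan, "unmapped"))
        elif want != vlan:
            findings.append((ts, str(src), vlan, "wrong_vlan"))
    return findings


if __name__ == "__main__":
    for finding in check_egress(CAPTURE, EXPECTED):
        print(*finding)
```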

Hi Edgar,

I would like to see full configuration.

Can you attach the full configuration?

regards,

Ajay Kumar

Hello Ajay

Can I send you the full configuration via email?

Regards

Edgar
