CSM - Bridged Mode - Routed Mode Question

Customer's request involves setting up a backup (failover) BCR server to receive hand held device scan events.
The following needs to be performed:
- Build new server up as identical to AAEPRDBCR01 (named AAEPRDBCR02).
- Application to be installed onto the new server (configured identically to AAEPRDBCR01)
- Configure customer's CSM to parse requests to AAEPRDBCR01, and failover to AAEPRDBCR02. i.e. when BCR01 is unplugged the CSM should realise and begin parsing requests through BCR02. If BCR01 comes online again, the requests should once again fall back to BCR01.
I was thinking that the two servers would reside on eg.....VLAN 13 'BiscomBCR' and Users access these servers.
Does it need to be routed or can we do the same config in Bridged mode, where the servers have the same IP addressing?
Any pointers to any useful links is much appreciated.

You can do this in bridged mode. You can basically create a backup serverfarm which contains your new server. (CR02). It will only be used if the normal serverfarm containing your existing server (CR01) is unavailable.
Attached is a link to the CSM config doc - have a look at the config examples for the backup server farm. (Make sure you read the caveats about stickiness to understand what happens when the primary serverfarm comes back on line).
http://www.cisco.com/en/US/products/hw/switches/ps708/module_installation_and_configuration_guides_book09186a0080470b20.html
Hope this helps

Similar Messages

CSM bridge vs router mode

Hi,
Can the CSM be used in both the bridge and router mode for different VLANS ? Or does it need to use all router mode and all bridged mode ?

you can have a mix of both.
Gilles.

CSM Bridge Mode Vserver Redirect

I have a CSM in bridge mode, the MSFC in on the client side.
vlan 28 client
ip address 192.168.29.253 255.255.254.0
gateway 192.168.28.253
vlan 173 server
ip address 172.17.3.8 255.255.255.0
alias 172.17.3.5 255.255.255.0
vlan 163 client
ip address 172.17.3.8 255.255.255.0
gateway 172.17.3.1
I want to have a VIP on the 28 vlan and redirect to a VIP on the 163 vlan. I'm not sure how to do that. Plus this is all netbios, so could I do it with a virtual x.x.x.x any
or do I have to specify tcp 137,138,139,445...
any ideas would be great...thanks

how can you redirect netbios traffic ???
We can use HTTP redirect but I don't think this works for Netbios - correct me if I'm wrong.
Therefore, I don't see how you can do a redirect.
Moreover, why would you want to redirect to another vip ?
As long as the traffic is coming to the CSM why don't you simply loadbalance to the end server ????
Thanks,
Gilles.

Off Bridge Mode Question

Trying to determine how my Airport Extreme went into off-bridge mode....noticed my A.E. was blinking the amber light...after determining it was not an update alert, I unplugged the box from the socket, and detached all wires from the back of it...replugged, greenlight eventually came back on, but could not get onto the internet....called the 1-800 Apple number....tech determined I was indeed in off-mode, we fixed it, I'm back onto to the internet...forgot to ask her if unplugging the unit was what made it go into off-bridge...don't want to call back....but will if commnity can't answer the question....that is he question...did unplugging the unit, reset it into off bridge mode, or did I manipulate it within the dialogue box, and inadvertantly did something to put into off-bridge? Thanks for any and all hlep

Recycling power to the base station should NOT make any configuration changes. However, performing any of the potential resets can. The default mode of all of the Apple routers is NOT to be in bridge mode.

Introduction of SSLM into a MSFC-FWSM-CSM Bridge Mode Configuration

Hi,
Need serious help here..
I'm facing a challenging situation here.
Customer just purchased a pair of SSLM module for their web server HTTPS termination.
Here's the situation.
Currently customer already have a pair of Catalyst 6509 running with MSFC->FWSM<->CSM Bridge Configuration (i.e. client and server vlan on the same subnet).
I've been assigned the task to deploy SSLSM module seaminglessly onto this existing setup without any other major configuration changes required on their systems by this week.
My question is currently they doing bridge configuration between FWSM - CSM. How do I transparently deploy SSLM in this situation ? without changing any i.p. addresses which will break their server-to-server communications.
I read and understand CSM-SSLM bridge configuration but that requires changing their i.p. addressing scheme? hopefully somebody shed some light on this...

I've attached a logical diagram of the existing setup as well as the SSLM placement (where i think it fits in).
I've also came up with a draft configuration below, i don't really understand NAT client and NAT server applications:
module ContentSwitchingModule 7
ft group 1 vlan 201
priority 110 alt 100
heartbeat-time 1
failover 3
preempt
vlan 6 client
ip address 192.168.20.4 255.255.255.0 alt 192.168.20.5 255.255.255.0
gateway 192.168.20.1
alias 192.168.20.6 255.255.255.0
vlan 60 server
ip address 192.168.20.4 255.255.255.0 alt 192.168.20.5 255.255.255.0
vlan 7 client
ip address 192.168.10.4 255.255.255.0 alt 192.168.10.5 255.255.255.0
alias 192.168.10.6 255.255.255.0
vlan 70 server
ip address 192.168.10.4 255.255.255.0 alt 192.168.10.5 255.255.255.0
vlan 40 server
ip address 192.168.60.4 255.255.255.0 alt 192.168.60.5 255.255.255.0
alias 192.168.60.6 255.255.255.0
probe ICMP icmp
interval 3
failed 5
probe HTTPWEB http
interval 3
failed 5
probe HTTPSWEB tcp
interval 3
failed 5
port 445
probe TCP tcp
interval 2
failed 3
serverfarm MOCINT-VIP1
nat server
no nat client
predictor leastconns
real 192.168.20.71
inservice
real 192.168.20.72
inservice
probe ICMP
probe HTTPWEB
serverfarm MOCWEB-VIP1
nat server
no nat client
predictor leastconns
real 192.168.10.65
inservice
real 192.168.10.66
inservice
probe ICMP
probe HTTPWEB
serverfarm SSL-MOCINT
nat server
no nat client
real 192.168.60.11 445
inservice
real 192.168.60.12 445
inservice
probe TCP
serverfarm SSL-MOCWEB
nat server
no nat client
real 192.168.60.21 445
inservice
real 192.168.60.22 445
inservice
probe TCP
sticky 10 netmask 255.255.255.255 timeout 20
sticky 20 cookie cookie-server timeout 30
vserver DECRYPT-MOCINT
virtual 192.168.60.10 tcp 445
vlan 40
serverfarm MOCINT-VIP1
replicate csrp sticky
persistent rebalance
parse-length 4000
inservice
vserver DECRYPT-MOCWEB
virtual 192.168.60.20 tcp 445
vlan 40
serverfarm MOCWEB-VIP1
replicate csrp sticky
persistent rebalance
parse-length 4000
inservice
vserver HTTP-MOCINT
virtual 192.168.20.70 tcp www
vlan 6
serverfarm MOCINT-VIP1
advertise active
sticky 20 group 10
replicate csrp sticky
persistent rebalance
parse-length 4000
inservice
vserver HTTP-MOCWEB
virtual 192.168.10.60 tcp www
vlan 7
serverfarm MOCWEB-VIP1
advertise active
sticky 30 group 20
replicate csrp sticky
persistent rebalance
parse-length 4000
inservice
vserver HTTPS-MOCINT
virtual 192.168.20.70 tcp https
vlan 6
serverfarm SSL-MOCINT
persistent rebalance
inservice
vserver HTTPS-MOCWEB
virtual 192.168.10.60 tcp https
vlan 7
serverfarm SSL-MOCWEB
persistent rebalance
inservice

CSM bridge mode urgent issue.

Hi,
I have a pair of CSM running 4.2.6 (tried 4.2.7 too) on cat 6500 sup 720 chassis.
config is following :
vlan 902 server
ip address 192.168.1.36 255.255.255.224 alt 192.168.1.37 255.255.255.224
vlan 100 client
ip address 192.168.1.36 255.255.255.224 alt 192.168.1.37 255.255.255.224
vserver VS_MWINA_WWW
virtual 192.168.1.59 tcp www
serverfarm SF_MWINA_W
replicate csrp sticky
replicate csrp connection
persistent rebalance
inservice
real R_PARKINSON
address 192.168.1.42
inservice
real R_GUEDEL
address 192.168.1.39
inservice
serverfarm SF_MWINA_W
nat server
no nat client
real name R_SRV1 8098
inservice
real name R_SRV2 8098
inservice
I am sniffing on the PO to the CSM module and what I see is the SYN goin from the chassis to the blade, nothing else. then sometimes it goes well and I have SYN/ACK and ACKs following.
Any help would be greatly appreciated.

If it was transmitted, ok I didn't see it but I don't see where it would have gone.
The csm is a fine blade but sometimes not easy to trouleshoot I find.
With our config I don't see what could cause it to stop working.
Tech Proc 1 give me this
scsm1 tech proc 1
Software version: 4.2(7)
--------------------- SESSION Statistics ---------------------
Current time 438570 324085 1
Aborted rx 152564848 2673378996 10183
Total Packets rx 163666741 101777820 387
Packets Dropped 80262 59218 0
Packets Drop Stale Connection 22473 16390 0
Packets Drop No More Sessions 0 0 0
Packets Drop No VLAN 233026 172035 0
Packets Drop Bad Checksum 0 0 0
Packets Drop IP Fragments 0 0 0
Packets Drop SI with no SMAC 0 0 0
Packets Drop: SI, Route Mode, no DMAC 116827 115609 0
Packets Drop: Not IP, SNAP 0 0 0
Packets Drop: Zero L3 offset 0 0 0
Packets Drop: vlan/vs Force Drop 204 0 0
Packets Drop: Slowpath limit exceeded 0 0 0
Packets Drop: LP non-ip, non-arp 0 0 0
Packets Drop: TCP/UDP with zero port 1 0 0
Packets Drop: CDP 0 0 0
Packets Spanning Tree DMAC 0 0 0
Packets Repeat: Slowpath limit exceeded 0 0 0
Packets Rx on secondary vlan 0 0 0
Packets Slowpath 5056349 3584950 13
Packets Shakira 0 0 0
Packets High Priority 467142 346215 1
Packets Session Hit 43583067 12829485 48
Packets New Sessions 333858 142719 0
New Session- source route checks 79701 22473 0
New Session- source ecmp route 0 0 0
Packets Repeat 114240674 84857415 323
Packets Repeat Reverse Frag 0 0 0
Packets Repeat and Slowpath 0 0 0
Packets Force Repeat 0 0 0
Packets One Shot 0 0 0
Packets bad parse 0 0 0
Packets Session Hit TCP+NAT 0 0 0
Packets Session Hit TCP 1364769 591465 2
Packets Session Hit NAT 42218298 12238019 46
Packets Session Hit Slw 0 0 0
Packets Session FIN 664593 283296 1
Packets Dropped- SYN+ACKs 0 0 0
Packet, Transmit retries 0 0 0
SYN Packets routed (w/o conn) 115956 115143 0
Packets routed (w/o conn) 0 0 0
Packets routed (w/o conn), bad enc 0 0 0
Packets routed (w/o conn), FT 0 0 0
Packets with no SMAC, sent to slowpath 539 0 0
there are quite a lot of drops here.

CSM Bridged mode config issue

I currently have a CSM that is load balancing two web servers. Everything working great. I have two new web servers that are being used for a different system so I basically copied the old config, changed the names of the vservers, serverfarms and policies and expected the same result as the first.
What is happening is that when I ping the VIP, it gets redirected to one of the reals but then the real responds back instead of the VIP.
Not sure why that is happening.

Sean,
When you said "Typically, the rservers would use the same gateway you have configured on the client VLAN. The important thing to make sure of, is that you must make sure that the ONLY for these rservers to reach their gateway is through the CSM that is bridging the servers' VLAN to that client VLAN."
Now I assume you meant to say "Typically, the rservers would use the same gateway you have configured on the client VLAN. The important thing to make sure of, is that you must make sure that the ONLY way for these rservers to reach their gateway is through the CSM that is bridging the servers' VLAN to that client VLAN.
Well, I have a working bridging configuration for a different system and I have found that the real servers in my server vlan do have the client vlan IP address... But the server vlan is in fact a layer 2 vlan, it does not have it's own gateway so it has no other way out other than through the CSM and to the client vlan gateway, just as you said.
What I have found is that the server vlan for my new set up actually has its own gateway. Because of other servers in this vlan I cannot do away with it. So, I looked at an ealier post where you stated" If the adding source-NAT resolves the issue, then you know that asymmetric routing was your problem. One solution would be to leave the source-NAT config in permanently. The other would be to set the default gateway of your new servers to the CSM interface, and another would be to use policy-based routing."
The two solutions I am interested in is the client nat and the setting of the default gateway of the new servers to the CSM interface. Exaclty what interface are you referring? Are you referring to the IP address that bridges the client and server vlan together?
Regarding your client nat example, you mentioned that the client nat address is owned by the CSM, but in your example config I did not see that IP address at all so I am a little confused as to how the csm owns this IP.
I really appreciate your responses!

E4200 bridge mode question

So, with the latest firmware update I could add a second e4200 to my network to use as a bridge or access point? What I need is another device in my living room that can pick up the wireless signal and dish out network connectivity to my receiver, xbox360, and ps3. With the new firmware update can this be done with a second e4200?
How does one connect to each e4200 on the network for setup (dohave to change the default ip address of 1?)
I just bought a trendnet TEW-687GA 450 mb/s wireless gaming adapter and a trendnet 5 port switch to accomplish what I mentioned above. I'm just wondering if there is an advantage to switching over to two e4200's. The trendnet adapater does not have a 5ghz channel.
Thanks!

The bridge feature doesn't support wireless bridging. It just dumbs it down to a switch and AP. So unless you flash it with a 3rd part firmware such as dd-wrt, what you are trying to accomplish will be impossible.
I've heard multiple people say that 3rd party firmware for this router is buggy so I would either go with the trendnet and switch setup or the 5ghz capable Linksys WES610n. The 5ghz is ideal for for gaming and streaming media because of less interference compared to the 2.4ghz band. You'll more than likely be able to bond channels with the 5ghz network so that = more bandwidth.
I don't work for Cisco. I'm just here to help.

CSM redundant bridged mode - alias IP required?

Hi! I am a little bit confused about the configuration guides concerning csm + fwsm
+ csm bridged mode. in my opinion when using bridged mode with the csm i do not really need any alias ip configuration - neither in the client vlan nor the server vlan. in bridged mode the csm does not route - thus i won't have any routes pointing to the csm. why are there always alias ip configurations in redundant bridged mode config guides? can somebody please clear that up for me? is there any other function of the alias IPs that I need them for?
Thanks,
Daniel

Daniel,
In general, if no router is present on a server-side VLAN, then each server's default route points to the aliased IP address. In the case of bridge mode, like you have, there is no need for the alias ip.
Regards
Pete..

CSM route mode and bridge mode can exist at the same time?

I'm using CSM on ver 4.x,and I used to the bridge mode for firewall load balance,for a new requset,I have to create a new server/client vlan,but the original firewall load balance was effected when I issued the server vlan command,and I'd like to use route mode for the new server farm,I'm wondering that route mode and brige mode can't exist at the same time,because it seems it doesn't make sense.Any reply will be very appreciated.

you can use bridge mode and route mode at the same time.
Traffic with desintation mac address being the CSM will be routed, otherwise it will be bridged.
Gilles.

Routed or bridged mode + licensing question

Hi Cisco ACE gurus,
I have the following questions and I would be grateful if anyone could answer them.
1) As we know the basic license for ACE limits its throughput to 4Gbps. What does it mean? Does it mean that only load balanced traffic is limited (policed) to 4Gbps? Or any other traffic passing through ACE is limited to 4Gbps (from what I know ACE is a cef720 linecard having 20Gbps to a switch fabric)?
My question comes from the following scenario. Let's say ACE is deployed in routed mode and it has 1 client vlan and 2 server vlans. There are VIPs, serverfarms, rservers defined etc.... Now there is a need for a rserver from vlan1 to communicate with a rserver from vlan2 (directly and not through a VIP). In this scenario def gateway of both servers points to ACE (ACE is doing inter-vlan routing).
So in this case in order to allow for that communication I would need to create ACLs and apply them to ACE interfaces.
Does it mean that the traffic would be limited to only 4Gbps?
2) let's say I have 2 DC (2 different geo locations). ACE is located only in one of them. Real servers are dispersed in both of them. ACE is deployed in routed mode. Is it possible to configure ACE in such a scenario (to server VIPs for clients when rservers are in 2 different DC)?
My assumption is that it is possible and in order to do that I would have to use NAT (and source NAT client traffic) so that traffic sent from client to a VIP could be src natted and go to the other DC (through client vlan), reach the rsevers in the other DC and come back.
Is it possible to also do that while ACE is deployed in bridged mode?
While reading about ACE and NAT I came across the sentence "ACE is not able to NAT bridged traffic". What does it mean?
regards

sorry Marko but I am lost. We are talking now about one-armed mode of deployment. There
are 2 contexts and the same vlan is used in both of them (that's why it is shared). In this case I don' understand what you wrote "you have server A in the shared VLAN of context A, you can not reach a VIP from context B" ... that is the same vlan so I can't see any problems..... unless you are describing situation for bridged mode deployment of ACE.

Combination bridged mode routed mode CSM

We run an active/standby pair of
CSM with SSL WS-X6066-SLB-S-K9
currently we have our real servers in 2 vlans: 116 and 117. our VIPS are mostly in the client vlan 119. load balancing works fine.
We now want to load balance between real servers in the 116 vlan. So far we have been unsuccessfull to get it owrking. I suspect because we essentially require a configuration that combines routed with bridged mode.
has any one been able to configure such a setup? Is it possible at all?

This type of topology is not 'bridged mode'.
When you has source and destination of load-balancing process in the same subnet (in your topology vlan116) you need use source NAT (client nat in CSM terminology).
Let me explain it:
1. client (srcIP-vlan116) sedn request to VIP (VIP-vlan116).
2. CSM process (modified) request and send it to dstIP-vlan116 (src IP is srcIP-vlan116) (*)
3. server receive request. It will resopnse to srcIP-vlan116 and response is not delivered through CSM, but direct. TCP communication is not possible, because client's request is modified on the CSM.
* when CSM modify source IP for example to one of IP addresses of CSM, response from server is send always to CSM and not direct.
Martin

CSM concurrent bridge and router mode

Hi,
Is it possible on the CSM to use bridge and router mode at the same time ? Or is it only router mode or only bridge mode ?
E.g. in the example below, when using HTTPS entering the vlan 3 , it will be bridged to vlan 3....But when using HTTP entering vlan 3...it will be routed to vlan 4... Will that work ?
Thanks
vlan 3 client
ip address 3.3.3.1 255.255.255.0
vlan 3 server
ip address 3.3.3.1 255.255.255.0
vlan 4 server
ip address 4.4.4.1 255.255.255.0
vserver HTTPS
vlan 3
virtual 3.3.3.10 tcp https
serverfarm HTTPS
serverfarm HTTPS
no nat server
no nat client
real 3.3.3.11
inservice
real 3.3.3.12
inservice
vserver HTTP
vlan 3
virtual 3.3.3.11 tcp http
serverfarm HTTP
serverfarm HTTP
nat server
no nat client
real 4.4.4.10
inservice
real 4.4.4.11
inservice

HI Michel,
first of all you can run bridged and routed mode at the same time but you can not define the same vlan as client and server. If you would change the above config from vlan 3 server to vlan 30 server and place the reals in vlan 30 it will work. A proper layer 2 configuration is for sure the prerequisit.
Kind regards,
Joerg

Bridge mode CSM - Serverfarm with hosts in different vlans

Hi,
I'm trying to answer a question while doing design. I am planning on deploying a CSM in bridge mode with multiple vlans. I need to create a serverfarm which has real servers in two separate server side vlans.
I would then present the Vserver on the client side only of one of the vlans (I always like to specify where I want the vserver). Whe traffic comes in to this vserver, will the CSM appropriately switch traffic to both vservers? I think it will but don't have access to a csm right now to mock it up.
Thanks
Adam

You cannot have 3 vlans configured in bridge mode with all vlans using same address space.
You can use mixed mode to achieve your goal.
It is possible to have Vlan 10 and Vlan 11 in bridge mode and at the same time have VLAN 12 (for example) in the routed mode.
- Traffic from vlan 10 to vlan 20 is bridged
- Traffic from vlan 10 to vlan 12 is routed
where Vlan 10&20 belong to same subnet and Vlan 12 is in different subnet.
Syed

CSM in Bridge mode and Server initiated connections

I know one can use Source NAT for server initiated connections back to VIP using CSM in routed mode. How do I achieve the same for bridge mode?
Thanks in advance,
Shahid

Shahid,
that's a well-known problem for all loadbalancer in the world.
With a sniffer trace, or just thinking about TCP/IP rules you can figure out why client nat is required.
If you go from a server to a vip, the CSM will forward the traffic to a random server.
The CSM forwards the traffic with the source ip unchanged by default.
The server receiving the traffic will forward the response back to the source that initiated the request.
If the source is also a server in the same subnet, the response does not need to be sent through a gateway. Since both source and destination are in the same subnet, the traffic is sent based on mac address and it bypasses the CSM which can't perform the nating.
The source receiving the response from the server directly will just ignore it.
Using client nat forces the response to go back to the CSM which can perform the nating before sending it to the client.
This has been discussed tons of times in this forum.
It's a classic question :-)
Gilles.

CSM - Bridged Mode - Routed Mode Question

Similar Messages

Maybe you are looking for