CSM in routing mode

Hi,
I have a CSM configured in routed mode.
I also have a vserver with direct access in order to permit management of the real servers.
The question is: "Is there a way to block the communications between servers in different serverfarms?".
Thank you.
Best regards.
Massimiliano.

Assuming you have 2 vlans x and y.
Subnet of vlan x is x.x.x.0/24 and subnet of vlan y is y.y.y.0/24
If you want to block traffic from vlan y to vlan x, implement the following vserver.
serverfarm NULL
  real x.x.x.252
    inservice
vserver Block1
  virtual x.x.x.0 /24 any
  serverfarm NULL
  vlan y
  inservice
You have to make sure x.x.x.252 does not exist!!! This will blackhole the traffic.
Gilles.
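Gilles' trick carried through for both directions, as an added configuration example that is not from the original thread or from Cisco documentation. The syntax follows his snippet; the VLAN numbers, subnets, farm and vserver names and the two sink addresses are constructed for the example. It assumes that a vserver restricted with `vlan` is chosen over a more general vserver that matches the same traffic from all VLANs (such as the direct-access vserver the original poster already has for the same subnet); check the hit counters of both vservers after sending test traffic before relying on that.

```cisco
! Added example, not from the original thread. Constructed addressing:
!   farm A lives in VLAN 10, 10.10.0.0/24
!   farm B lives in VLAN 20, 10.20.0.0/24
! ASSUMPTION: 10.10.0.254 and 10.20.0.254 are not assigned to any host
! and are documented as reserved so they stay unassigned.
!
! One sink farm per destination subnet. Server NAT is left at its
! default (on), so the CSM rewrites the destination to the non-existent
! real and the flow dies there. No probe is configured: there is nothing
! to probe.
serverfarm SINK-10
  real 10.10.0.254
    inservice
serverfarm SINK-20
  real 10.20.0.254
    inservice
!
! VLAN 20 -> VLAN 10: anything entering from VLAN 20 addressed to 10.10.0.0/24
vserver BLOCK-20-TO-10
  virtual 10.10.0.0 255.255.255.0 any
  serverfarm SINK-10
  vlan 20
  inservice
!
! VLAN 10 -> VLAN 20: without this the block is one-way and a host in
! farm A can still open connections to farm B.
vserver BLOCK-10-TO-20
  virtual 10.20.0.0 255.255.255.0 any
  serverfarm SINK-20
  vlan 10
  inservice
```

Two caveats a practitioner should keep in mind. First, only traffic that transits the CSM is affected: two servers in the same VLAN talk by MAC address and never reach it, as Gilles notes in the server-initiated-connection thread on this page, so this does not isolate hosts within one serverfarm's VLAN. Second, the sink is a NAT to a non-existent address, not an ACL: if anyone later assigns 10.10.0.254 or 10.20.0.254 to a host, every "blocked" flow is delivered to that host, and nothing is logged beyond the vserver statistics. Where you need auditing or per-host rules, a firewall or an ACL on the MSFC is the better tool.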

Similar Messages

  • How to Configure Transparent caching on Cat 6500 with CSM in routed mode

    I am trying to configure transparent caching on Cat 6500 with CSM in routed mode, but I am facing some problems with it. I have also gone through the example config on the Cisco site for transparent caching using CSM on Cat 6500, but the above does not fit my client's requirement.
    The scenario is like
    Access Switches - Cat6500 with MSFC & CSM - Internet Router
    |
    Cache Engines and Real servers
    The clients as well as the real servers are on separate VLANs (L3) and the requirement is to load balance the internet traffic using cache engines.
    I'd really appreciate any helpful suggestions or any useful links/docs/info on this.
    Thanks
    kumar

    Hello Joerg,
    Thanks for the reply.
    I have already gone through the sample config shown by this weblink; however, this link refers to configuring transparent caching on the CSM in BRIDGED MODE (i.e. both the client and server VLANs have the same IP address), but in our case we have multiple L3 VLANs on the CAT6509 with IP addresses in different SUBNETS, and the real servers to be used for caching also exist on one of these VLANs. Thus, the scenario described by the weblink does not apply here. Also, in the configuration referred to by the above weblink, VLAN 100 is configured as client; however, the end users are shown to be on VLAN 200, which is configured as SERVER VLAN in the CSM.
    Don't you think there is something wrong here? I mean the end users should be on VLAN 100 (client) and real servers on VLAN 200 (server).
    So, I have to configure the CSM in routed mode (i.e. both the client and server VLANs will have separate IP addresses in different subnets) and the end users will be on all VLANs.
    Please let me know how I can implement this solution.
    Thanks again
    Sudhir

  • How to Configure Transparent caching on Cat 6500 with CSM in bridge mode?

    hi.
    I found How to Configure Transparent caching on Cat 6500 with CSM in routed mode.
    But,
    I need help How to Configure Transparent caching on Cat 6500 with CSM in bridge mode?
    Please let me know a sample configuration.
    thanks.

    Hi,
    I wrote the document you mentioned and I also wrote the one below.
    http://www.cisco.com/en/US/partner/products/hw/modules/ps2706/products_configuration_example09186a00802c1201.shtml
    The one with the SSLM is a bridge mode config.
    If you replace the SSLM with a cache [or a farm of caches] it would be a similar config.
    Replace the SSL21 vserver with an HTTP vserver [most important is to keep the vlan configured on each vserver]
    Regards,
    Gilles.

  • CSM in Bridge mode and Server initiated connections

    I know one can use Source NAT for server initiated connections back to VIP using CSM in routed mode. How do I achieve the same for bridge mode?
    Thanks in advance,
    Shahid

    Shahid,
    That's a well-known problem for all load balancers in the world.
    With a sniffer trace, or just thinking about TCP/IP rules you can figure out why client nat is required.
    If you go from a server to a vip, the CSM will forward the traffic to a random server.
    The CSM forwards the traffic with the source ip unchanged by default.
    The server receiving the traffic will forward the response back to the source that initiated the request.
    If the source is also a server in the same subnet, the response does not need to be sent through a gateway. Since both source and destination are in the same subnet, the traffic is sent based on MAC address and it bypasses the CSM, which can't perform the NATing.
    The source receiving the response from the server directly will just ignore it.
    Using client NAT forces the response to go back to the CSM, which can perform the NATing before sending it to the client.
    This has been discussed tons of times in this forum.
    It's a classic question :-)
    Gilles.
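    What Gilles describes, as an added configuration example that is not from the original thread or from Cisco documentation: a bridged client/server VLAN pair and a server farm whose flows are client-NATed to an address the CSM owns, so that the real's reply is addressed to the CSM instead of straight to the initiating server. The VIP and port are split into two vservers by ingress VLAN so that genuine clients keep their source address. VLAN numbers, subnet, addresses and names are constructed; that a one-address natpool inside the bridged subnet is accepted and answered for by the CSM is an assumption to verify on your release.

```cisco
! Added example, not from the original thread. Constructed addressing:
! bridged subnet 10.1.100.0/24, client VLAN 100, server VLAN 200,
! reals 10.1.100.20 and 10.1.100.25, VIP 10.1.100.130.
vlan 100 client
  ip address 10.1.100.3 255.255.255.0
  gateway 10.1.100.1
vlan 200 server
  ip address 10.1.100.3 255.255.255.0
!
! ASSUMPTION: 10.1.100.200 is inside the bridged subnet, used by no
! host, and the CSM answers ARP for it because it owns the pool.
natpool SNAT-WEB 10.1.100.200 10.1.100.200 netmask 255.255.255.0
!
! Farm for connections that originate in the server VLAN itself.
! The source is rewritten to 10.1.100.200, so the reply from the real
! is addressed to the CSM rather than straight to the initiating server.
serverfarm WEB-FROM-SERVERS
  nat server
  nat client SNAT-WEB
  real 10.1.100.20
    inservice
  real 10.1.100.25
    inservice
!
! Same reals for real clients, source left intact so the servers
! still log the true client address.
serverfarm WEB
  nat server
  no nat client
  real 10.1.100.20
    inservice
  real 10.1.100.25
    inservice
!
! Same VIP and port twice, selected by the VLAN the packet enters on.
vserver WEB-FROM-SERVERS
  virtual 10.1.100.130 tcp http
  vlan 200
  serverfarm WEB-FROM-SERVERS
  inservice
vserver WEB
  virtual 10.1.100.130 tcp http
  vlan 100
  serverfarm WEB
  inservice
```

    The flow for a server-initiated request then reads: 10.1.100.10 -> 10.1.100.130 leaves the CSM as 10.1.100.200 -> 10.1.100.20; the real answers 10.1.100.20 -> 10.1.100.200, which resolves to the CSM's MAC, and the CSM rewrites it to 10.1.100.130 -> 10.1.100.10 before bridging it back. The price of client NAT is that the reals see 10.1.100.200 instead of the initiating host, so any access log or per-source control on those servers loses the real origin for these flows; restricting the NATed farm to the server VLAN keeps that loss to server-initiated traffic only.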

  • Can I configure csm as one arm and routing mode at the same time?

    My CSM is currently configured in routing mode and bridge mode. Recently I have a service requirement for which I think one-arm mode should be the best solution. Can anybody let me know if there will be any effect if I add one-arm mode to the current production environment?
    Thanks in advance.
    Jason

    Gilles,
    Thanks for your quick response. I notice you have the same opinion about one-arm mode in your other post, but I think that a multi-tier data center design with the FW in bridge mode and the CSM in one-arm mode with RHI does give us a lot of flexibility. If I use policy routing instead of source NAT, can I overcome the limits you mentioned?
    Do you know how the CSM could handle TFTP traffic? I may have too many questions; I am really looking for your suggestions.
    Thanks
    Jason

  • CSM bridge vs router mode

    Hi,
    Can the CSM be used in both the bridge and router mode for different VLANS ? Or does it need to use all router mode and all bridged mode ?

    you can have a mix of both.
    Gilles.

  • CSM route mode and bridge mode can exist at the same time?

    I'm using CSM on ver 4.x, and I used bridge mode for firewall load balancing. For a new request I have to create a new server/client VLAN, but the original firewall load balancing was affected when I issued the server vlan command. I'd like to use route mode for the new server farm. I'm wondering whether route mode and bridge mode can't exist at the same time, because it seems it doesn't make sense. Any reply will be very much appreciated.

    you can use bridge mode and route mode at the same time.
    Traffic with the destination MAC address being the CSM will be routed, otherwise it will be bridged.
    Gilles.

  • Question about CSM on bridge & router mode

    Hello!!
    Please help me with this question about CSM connection modes:
    We have 2 Cat6500 with a CSM inside each (CSM1 on Cat6500_1 and CSM2 on Cat6500-2).
    The CSM1 is in bridge mode with Vlan31 for the client side and Vlan131 for the server side.
    The CSM2 is in router mode with Vlan30 for the client side and Vlan2 for the server side.
    We want to join both switches for redundancy purposes (switches and CSMs).
    We want to merge the two client VLANs (including the logical IP segments) under a /23 mask.
    But the questions here are:
    Can we keep the original config (bridge mode and router mode) on the CSM1 (for example),
    considering this module as active and CSM2 as standby?
    Is there any consideration to take into account in order to configure this? (Some examples...)
    Thanks in advance
    Pedro

    Yes, you can mix bridge mode and router mode and so merge the 2 configs.
    Gilles.

  • CSM concurrent bridge and router mode

    Hi,
    Is it possible on the CSM to use bridge and router mode at the same time ? Or is it only router mode or only bridge mode ?
    E.g. in the example below, when HTTPS enters VLAN 3 it will be bridged to VLAN 3... But when HTTP enters VLAN 3 it will be routed to VLAN 4... Will that work?
    Thanks
    vlan 3 client
      ip address 3.3.3.1 255.255.255.0
    vlan 3 server
      ip address 3.3.3.1 255.255.255.0
    vlan 4 server
      ip address 4.4.4.1 255.255.255.0
    vserver HTTPS
      vlan 3
      virtual 3.3.3.10 tcp https
      serverfarm HTTPS
    serverfarm HTTPS
      no nat server
      no nat client
      real 3.3.3.11
        inservice
      real 3.3.3.12
        inservice
    vserver HTTP
      vlan 3
      virtual 3.3.3.11 tcp http
      serverfarm HTTP
    serverfarm HTTP
      nat server
      no nat client
      real 4.4.4.10
        inservice
      real 4.4.4.11
        inservice

    Hi Michel,
    First of all, you can run bridged and routed mode at the same time, but you cannot define the same VLAN as client and server. If you changed the above config from vlan 3 server to vlan 30 server and placed the reals in VLAN 30, it would work. A proper layer 2 configuration is for sure the prerequisite.
    Kind regards,
    Joerg

  • Adding direct server access to CSM in bridge mode

    I have a CSM that I have set up in bridge mode and want to allow direct management access to the real servers.
    It looks like this:
    MSFC     10.1.100.1
    CSM      10.1.100.3
    Reals    10.1.100.10, 10.1.100.20, 10.1.100.25
    Virtual  10.1.100.130, 10.1.100.140
    I tried to use the same method that I found for routed mode on CCO.
    serverfarm SERVER-SUBNET
      no nat server
      predictor forward
    vserver DIRECT-ACCESS
      virtual 10.1.100.0 255.255.255.0 tcp any
      serverfarm SERVER-SUBNET
      inservice
    The next step in the documentation says to add a static route to the CSM:
    ip route 10.1.100.0 255.255.255.0 10.1.100.3
    But this does not make sense since the MSFC 10.1.100.1 address is already the default gateway.
    So is there another way to configure bridge mode and enable direct management access?

    After I thought about bridge mode again, I took out the direct-access and server-subnet commands. I tested again and I can now directly access the servers.

  • ASA In Data Centers, why not routed mode?

    Hi Guys,
    As I can see, Cisco is recommending that the ASAs be in transparent mode in data centers. My question: why not routed mode?
    How to decide? What is the problem in having the routing on the ASA?
    I know that transparent mode is easier to place, but in my case it is a new design and I want to use the interface VLANs on the ASA, not the core, so the gateway of each server will be the ASA.
    What is the problem here? Why is it not recommended?
    I'm using ASA clustering as well over two DCs.
    In Cisco links they explain why to use Transparent mode, but i couldn't find what is the problems/limitation in using routed mode?
    Any clue?
    Thanks & Regards,
    Rami

    but in my case it is new design and i want to use the interface vlans on the ASA not core. so the gateway of each server will be the ASA.
    If that's the case use routed mode on your ASA.
    Cisco's design docs are a great place to start but there is nothing that says you have to follow them to the letter, you modify them to fit with what you need.
    Bear in mind as well that it's not an either or choice. With contexts you can have some in transparent mode and some in routed mode so you have flexibility.
    I don't know what design guides you are referring to but it may be that they include some L2 features eg.
    a long while back we wanted to RRI (Reverse Route Injection) from a CSM load balancer that was behind a firewall. For it to work the CSM had to be L2 adjacent to the 6500 which meant you couldn't use the FWSM in L3 mode.
    Not saying you want to do that but it is an example of where other parts of the design can dictate how you run your firewalls.
    Jon

  • Can VIP and Rservers be in the same subnet in ACE Routed Mode

    Good Day,
    Sorry for the lengthy post.
    Currently I have a 6509s running in VSS mode with ACE30 in each chassis.
    I have 5 VLANs, for each of which the VSS is the L3 interface. 1 VLAN is for management; the others are the data VLANs for the servers.
    The ACE is configured in bridge mode, with all VLANs going to a specific context (non Admin).
    Some of the hosts on each VLAN are not utilized for load balancing. The default gateway for each VLAN is configured on the VSS.
    I would like to setup the ACE in the routed mode, without having to change the IP address of each servers on different VLANs.
    Basically I want to turn off the SVIs on VSS and move the L3 interface on the ACE Context, and let it perform the local routing for all the hosts.
    I was going to add a new /30 L3 interface between the VSS and ACE to be utilized for default route traffic coming from the ACE Context, and static routes from VSS to ACE for traffic destined to host that are being load-balanced and not being load-balanced. Basically force the traffic through the load-balancer in/out.
    For future deployment, I was planning on using different IP address for the VIPs, and Real servers (most likely RFC 1918).
    From most of the examples I have seen the VIP and Rservers are in different Subnets. But because I am trying to not change the IP address of the rservers and VIP, I wanted to know if the VIP and Rservers can be configured to be in the same subnet where the ACE is in routed mode.
    Unfortunately I don't have a spare ACE to test scenario.
    As always any help would greatly be appreciated.
    Regards,
    Raman


  • Does ACE-30 support multicast in routed mode?

    We currently have ACE20's, which only support multicast in bridge mode.
    Was wondering if it's the same on ACE30's, or if Cisco finally implemented support for mcast in routed mode.
    thx
    Kevin

    Could you please confirm if this applies to both ACE20 & ACE30, or just ACE20?
    If both, when does Cisco plan on supporting mcast in routed mode?
    thx
    Kevin

  • How to configure a RV220W in normal routing mode (No NAT)

    Hi,
    I have been very busy the last few days trying to configure this router in normal routing mode. I do not want to have double NAT in my network. This is my setup:
    Class C IP network connected to the internet via a Fritzbox router. I need this router because of the VOIP services it provides. I want to use the RV220W to isolate certain users from the rest of the network. When I configure the router in WAN (NAT) mode it partially works, e.g. I can browse and send email but can't make a connection to an Apple fileserver which is on the base network. When I try to operate in normal routing mode I can't get it to work. I am sure I am doing something wrong with the static routes.
    Setup:
    Internet <-> Fritzbox (192.168.12.0/24) network <-> RV220W <-> LAN 1 (192.168.1.0/24) users to be isolated.
    On the 192.168.12.0/24 network the printer, fileserver and PBX are connected.
    Please help me in configuring this.
    The firmware is the latest 1.0.5.8.
    Thanks in advance!
    Peter

    Hello Peter,
    Sorry for the late reply, but I figured I would post anyway in case anyone else has this question.
    You can put the router in what is called router mode by logging into the admin page and going to Networking >> Routing >> Routing Mode and selecting Router.  
    I am only looking at an emulator, but I believe this will cause a reboot.  Once in router mode NAT and the firewall are disabled, however access rules do still work.  
    You will still need a static route from your Fritzbox to the 192.168.1.0/24 network on the RV220W, and the RV220W should have the Fritzbox as its default gateway on its WAN interface. You may also need to create an ACL to allow traffic from the Fritzbox network through the RV's WAN port.
    Some Apple devices depend on the Bonjour protocol to work properly, which doesn't always traverse subnets well, so if after all of that it still doesn't work you may have an issue with Apple.
    Thank you for choosing Cisco,
    Christopher Ebert
    Network Support Engineer - Cisco Small Business Support Center

  • RV220W - in routing mode changes external Ip with router IP

    Good day.
    I just installed one RV220W in my network, in routing mode (not NAT), using on the WAN port the public IP 193.111.184.xxx and on the LAN side an IP from my company's public class C (212.100.143.0). It's working, but the main and huge problem is that the router is changing any IP coming from the internet to its own 212.100.143.xxx IP, which messes up everything (logs, counters, etc).
    It was using 1.0.1.0 firmware; I switched to 1.0.0.26 but nothing changed.
    Also I have a VPN, gateway to gateway, with another location (RV042), and all computers from the other side of the tunnel report the same router IP 212.100.143.xxx when accessing servers from my side, which is also bad.
    Previously I used an RV082 for this job and everything was great, except the 100 Mb WAN/LAN ports of the RV082, which I will use until I get the RV220W working right.
    Any idea is appreciated.
    Thank you,
    Catalin Burla

    I changed this weekend from a DSL using a Linksys by Cisco WAG54G2 to a Cisco RV220W Small Business Router and just found the same problem. This is serious for me; for one, it completely destroys spam blocking with DNS blacklists.
    This is how it looked when using the linksys:
    Apr  9 03:18:17 vanroodewierda postfix/smtpd[49507]: connect from 189-041-10-204.xd-dynamic.ctbcnetsuper.com.br[189.41.10.204]
    Apr  9 03:18:18 vanroodewierda postfix/smtpd[49507]: NOQUEUE: reject: RCPT from 189-041-10-204.xd-dynamic.ctbcnetsuper.com.br[189.41.10.204]: 554 5.7.1 Service unavailable; Client host [189.41.10.204] blocked using zen.spamhaus.org; http://www.spamhaus.org/query/bl?ip=189.41.10.204; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<189-041-10-204.xd-dynamic.ctbcnetsuper.com.br>
    This is how it looks when using the RV220W:
    Apr 10 18:34:29 vanroodewierda postfix/smtpd[31608]: connect from ciscorouter.rna.nl[192.168.2.254]
    And thus DNSBL is not possible. My RV220W uses One-to-One NAT to route one of the 5 outside WAN IP addresses I have to the mail server on the LAN. Because I do not get the external IP address passed on to the inside, postfix has nothing to go on. I tried instead to use the normal port forwarding in the IPv4 rules on my main WAN IP address, but that doesn't help.
    How and where can I report this and how long will it take Cisco to fix something like this? Because this is very important for me (and my users) and I'll have to return the router and buy another brand if it takes too long.
