Csm on 6500

A bit of confusion... On page 3-1 of the CSM (Content Switching Module) manual for the 6500, it says 'be sure that the cisco ios versions for the switch and the module match.'... Does this mean that the CSM is also running Cisco IOS?... If that is so, why is there software on the CSM saying release 2.1(1) etc., while IOS versions are 12.xxx?

Hi,
no, this only means that the IOS version has to meet a minimum release if you use a certain CSM release. The CSM runs its own image but is configured via the IOS.
The reference above points towards 2-2, where this is described in detail.
Hope that clarified things...
Regards,
Joerg

Similar Messages

  • ACE and static NAT

    Hello
    I had PIX+CSM on a 6500. I've changed it to the new ACE module on the 6500.
    I've set up the load balancing which was done on the CSM. Now I want to connect the DMZ which was connected to the PIX and make static DNAT.
    I used configuration guide/examples from: http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/v3.00_A1/configuration/security/guide/nat.html
    I need to make static DNAT, but I can't figure out how it works. There are many errors in this document, including incorrect (old?) syntax (for example: nat static 192.0.0.0 255.0.0.0 80 vlan 101)
    I analyzed the three examples at the end of this document. My questions:
    1. How do I choose whether it's source or destination NAT?
    2. Do I always apply the service-policy to the VLAN interface which receives the packets that should be natted?
    3. What is the class-map (it's an ACL) choosing? Incoming traffic whose destination address should be changed?
    4. In the command "nat static A netmask netmaskA vlan B", is A the outside IP address before translation to the inside address?
    5. Could anybody give me a simple example of static DNAT? (or any links?)
    Thanks

    Destination nat is equivalent to loadbalancing to one server.
    I would therefore configure a vip being the inbound destination address, and a rserver which would be the outbound nated destination ip address.
    Then create a policy-map to link the 2 together and apply the policy-map to the incoming vlan, or you can apply it globally.
    For the reverse connections, where you then need to nat the source ip back to the 'VIP' you use the static nat config that you have found in the document.
    By the way, I don't see anything wrong with it.
    Those commands are in A1 and also the new A2 release.
    ACE is really a loadbalancer with some firewall features and not the opposite.
    This is why pure NAT functions are not straightforward to configure.
    Gilles.

  • What switch do i need?

    Hi All,
    I am not familiar with the range of products from Cisco in regards to content switching so I thought I would ask here :)
    What we are going to have:
    6 http/https/imap+ssl servers
    3 incoming smtp servers
    1 big ass RAID or SAN
    all beefy machines, we are probably looking at providing 35,000 web-based/IMAP email accounts where say 15,000 people could be logged in at any one time.
    would a CSS 11500 be overkill for this?
    cheers
    dave

    Cisco Content Switching Products include:
    Cisco CSS 11500 Series Content Services Switches
    Cisco CSS 11000 Series Content Services Switches
    Cisco LocalDirector 400 Series
    Cisco Catalyst 6500 Series Content Switching Module
    It is recommended to use the CSS 11500 for small/medium networks and
    the CSM on a 6500 for large networks.
    I am not sure about the number of connections it can support though.

  • CSM 3.3.1 and 6500

    Hello,
    We are facing a problem with CSM 3.3.1 and 6500 switch with FWSM. We have 2x 6500 switches with 2 supervisors in each + 2 FWSM cards one in each chassis. The problem is that we have CSM 3.3.1 that manages the switch and FWSM. The problem is that when we try to delete a VLAN in 6500 we get a deployment failure because the switch outputs this message:
    % Applying VLAN changes may take few minutes. Please wait..
    We are using the following IOS version.
    CSR-CORE#sh ver
    Cisco IOS Software, s72033_rp Software (s72033_rp-IPSERVICESK9_WAN-M), Version 12.2(33)SXI2a, RELEASE SOFTWARE (fc2)
    Technical Support: http://www.cisco.com/techsupport
    Copyright (c) 1986-2009 by Cisco Systems, Inc.
    Compiled Wed 02-Sep-09 01:00 by prod_rel_team
    ROM: System Bootstrap, Version 12.2(17r)SX6, RELEASE SOFTWARE (fc1)
    CSR-CORE uptime is 22 weeks, 6 days, 23 hours, 59 minutes
    Uptime for this control processor is 22 weeks, 6 days, 23 hours, 55 minutes
    Time since CSR-CORE switched to active is 22 weeks, 6 days, 23 hours, 55 minutes
    System returned to ROM by  power cycle at 06:42:16 UTC Fri Feb 12 2010 (SP by power on)
    System restarted at 11:10:39 EEST Mon Jun 14 2010
    System image file is "sup-bootdisk:s72033-ipservicesk9_wan-mz.122-33.SXI2a.bin"
    Last reload reason: Reload Command
    This product contains cryptographic features and is subject to United
    States and local country laws governing import, export, transfer and
    use. Delivery of Cisco cryptographic products does not imply
    third-party authority to import, export, distribute or use encryption.
    Importers, exporters, distributors and users are responsible for
    compliance with U.S. and local country laws. By using this product you
    agree to comply with applicable laws and regulations. If you are unable
    to comply with U.S. and local laws, return this product immediately.
    A summary of U.S. laws governing Cisco cryptographic products may be found at:
    http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
    If you require further assistance please contact us by sending email to
    [email protected].
    cisco WS-C6509-E (R7000) processor (revision 1.5) with 983008K/65536K bytes of memory.
    Processor board ID SMC1401000U
    SR71000 CPU at 600Mhz, Implementation 0x504, Rev 1.2, 512KB L2 Cache
    Last reset from s/w reset
    30 Virtual Ethernet interfaces
    116 Gigabit Ethernet interfaces
    12 Ten Gigabit Ethernet interfaces
    1917K bytes of non-volatile configuration memory.
    8192K bytes of packet buffer memory.
    65536K bytes of Flash internal SIMM (Sector size 512K).
    Configuration register is 0x2102
    CSR-CORE# 
    Note that we are NOT using VSS.
    TIA,
    Nicos

    Hi all,
    Sorry for not replying earlier. We found a workaround, as quoted below:
    Changing How Security Manager Responds to Device Messages
    Security Manager has built-in responses to many of the response messages that can be encountered when configuring a device. You might find that messages Security Manager treats as errors are messages that you want to ignore or treat as informational. Although you can configure your deployment jobs to ignore errors, you might instead want to update Security Manager to treat specific messages differently. To change how Security Manager treats a message, you need to update the DCS.properties file in \CSCOpx\MDC\athena\config folder in the installation directory (usually c:\Program Files).
    Use a text editor such as NotePad to update the file. It is easiest to determine the message you want to ignore by looking at the transcript of a deployment job that encountered the error using these steps:
    Step 1 Select the job with the error message from the Deployment Manager window.
    Step 2 Click the Transcript button in the Deployment Details tab to open the transcript.
    Step 3 Identify the error text that you want to ignore.
    Step 4 Locate the appropriate warning expressions property in the DCS.properties file. For example, for PIX devices the property is called dev.pix.warningExpressions, whereas for IOS devices the property is called dev.ios.warningExpressions. Conversely, you can make device responses that are not tagged with the Error prefix to appear as error messages. To do this, add the message to the Error Expressions list (for example, dev.pix.ErrorExpressions).
    Step 5 Add the error text to the warning expressions list. The warning message should be a generic regular expression string. Except for the last expression, you must delimit all expressions with “$\”. For example, if the message you want to ignore is “Enter a public key as a hexadecimal number,” enter the following string: .*Enter a public key as a hexidecimal number .*$
    Step 6 Restart the CiscoWorks Daemon Manager.
    This has resolved the issue successfully.
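A warning expression that is too broad will also hide device responses that should fail a deployment, so it is worth checking a candidate before it goes into dev.ios.warningExpressions. The sketch below is an added example, not part of the post or of Cisco's documentation; it assumes the product's matcher behaves like Python's `re.search` for these simple patterns, and the `REAL_ERRORS` lines are a constructed sample.

```python
import re

# Message taken from the deployment failure quoted in the post above.
VLAN_NOTICE = "% Applying VLAN changes may take few minutes. Please wait.."

# Constructed sample of device responses that must still be treated as errors.
REAL_ERRORS = [
    "% Invalid input detected at '^' marker.",
    "% Incomplete command.",
]

# Candidate expressions (hypothetical): one narrow, one far too broad.
NARROW = r".*Applying VLAN changes may take few minutes.*$"
BROAD = r"%.*$"


def audit_expression(expression, must_ignore, must_keep):
    """Report what a candidate warning expression misses or wrongly hides.

    'missed'    : messages we want downgraded that the expression does not match
    'swallowed' : genuine errors the expression would also downgrade
    'invalid'   : True when the expression is not a valid regular expression
    """
    try:
        pattern = re.compile(expression)
    except re.error:
        return {"invalid": True, "missed": list(must_ignore), "swallowed": []}
    missed = [line for line in must_ignore if not pattern.search(line)]
    swallowed = [line for line in must_keep if pattern.search(line)]
    return {"invalid": False, "missed": missed, "swallowed": swallowed}


def is_safe(expression, must_ignore, must_keep):
    """True only if the expression matches every target and no real error."""
    result = audit_expression(expression, must_ignore, must_keep)
    return not (result["invalid"] or result["missed"] or result["swallowed"])


if __name__ == "__main__":
    for candidate in (NARROW, BROAD, r".*Applying VLAN (changes"):
        print(candidate, audit_expression(candidate, [VLAN_NOTICE], REAL_ERRORS))
```
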

  • How to Configure Transparent caching on Cat 6500 with CSM in bridge mode?

    hi.
    I found How to Configure Transparent caching on Cat 6500 with CSM in routed mode.
    But,
    I need help How to Configure Transparent caching on Cat 6500 with CSM in bridge mode?
    Please let me know sample configuration.
    thanks.

    Hi,
    I wrote the document you mentioned and I also wrote the one below.
    http://www.cisco.com/en/US/partner/products/hw/modules/ps2706/products_configuration_example09186a00802c1201.shtml
    The one with the SSLM is a bridge mode config.
    If you replace the SSLM with a cache [or a farm of caches] it would be a similar config.
    Replace the SSL21 vserver with an HTTP vserver [most important is to keep the vlan configured on each vserver]
    Regards,
    Gilles.

  • How to configure 2 CSM modules in 6500 ?

    hi,
    The 6500 supports multiple CSM modules in one chassis. I checked the configuration for the CSM and found 2 modes: one is rp and another is csm. Another method is to enter the csm module. Does anyone know the correct way to set up the 2 CSM modules in one 6500, or can you give me a sample?
    best regards.
    fred.

    If you are running multiple CSMs in the same chassis you need to run in csm mode; otherwise, if you are running a single CSM in a chassis, you can run in rp mode.
    hope that helps
    I am running one csm in each chassis and fault-tolerant
    mark

  • Active active with multiple csm in the same 6500

    How can I achieve active/active configuration with csm in a 6500? Can I do it with 2 csm in the same chassis or I need two chassis, each with one csm?

    you can't have active-active setup with CSM.
    The CSM uses only 1 FT group and all vservers are linked to it.
    So one CSM is active and the other one standby.
    If the FT group fails on the active, the standby takes over and it takes a full control - not partial as needed for active-active.
    It does not matter if you have 1 chassis or more.
    The new ACE module offers the possibility to do active-active.
    Gilles.

  • How to Configure Transparent caching on Cat 6500 with CSM in routed mode

    I am trying to configure Transparent caching on Cat 6500 with CSM in routed mode, but facing some problems in it , also I have gone thru the example config on cisco site for transparent caching using CSM on Cat 6500 , but the above does not fit my clients requirement.
    The scenario is like
    Access Switches - Cat6500 with MSFC & CSM - Internet Router
    |
    Cache Engines and Real servers
    The clients as well as real servers are on separate VLANs (L3) and the requirement is to load balance the internet traffic using cache engines.
    I'd really appreciate any helpful suggestions or any useful links/docs/info on this.
    Thanks
    kumar

    Hello Joerg,
    Thanks for the reply.
    I have already gone through the sample config shown by this weblink; however, this link refers to configuring transparent caching on the CSM in BRIDGED MODE (i.e. both the client and server VLANs have the same IP address), but in our case we have multiple L3 VLANs on the CAT6509 with IP addresses in different SUBNETS, and the real servers to be used for caching also exist on one of these VLANs. Thus, the scenario described by the weblink does not apply here. Also, in the configuration referred to by the above weblink, VLAN 100 is configured as client; however, the end users are shown to be on VLAN 200, which is configured as SERVER VLAN in the CSM.
    Don't you think there is something wrong here? I mean the end users should be on VLAN 100 (Client) and real servers on VLAN 200 (SERVER).
    So, I have to configure the CSM in routed mode (i.e. both the client and server VLANs will have separate IP addresses in different subnets) and the end users will be on all VLANs.
    Please let me know how I can implement this solution.
    Thanks again
    Sudhir

  • CSM - does it support ACLs on a Cisco Catalyst 6500

    Hi,
    Does anyone know if CSM Enterprise Standard can be used to manage ACLs (standard and extended) on a Catalyst 6500?
    Regards,
    Piaras

    Hi,
    Just insert the blade and the switch should recognize it. For the 6500 series the blades are hot-swappable.
    HTH

  • Cannot ping REAL server IP addresses from CSM 6500

    I have a dual 6500/CSM routed topology in which the traffic from clients to the server VIP works fine. However, in preparation for some upcoming work, I find that I cannot ping the REAL server IP addresses. This would seem to be an important troubleshooting step. Any ideas why this wouldn't work?

    Gilles, followup question. If I understand this, what you outlined above will allow traffic external coming into the 6500/CSM to be forwarded thru to the REAL server IPs. If it wasn't clear, I was trying to ping from the native-mode 6500 that contains the CSM. I've tried regular and extended pings using the CSM-configured server VLAN's IP and alias IP, but get no response back from any of the REAL server IP addresses.
    Is what you've indicated required to ping even if I'm on the 6500 which contains the CSM?

  • Questions about 6500/FWSM/CSM

    Hi,
    I have some questions regarding FWSM and CSM. Thank you in advance for your feedback.
    I am using a pair of 6513 with one fwsm and csm in each. I am setting up a dmz environment with these units. fwsm is the second tier firewall (a pair of PIX 525 are in perimeter).
    1. Do I have to use MSFC? I am connecting PIXes to the outside VLAN of the FWSM and two inside routers to inside VLAN of the FWSM. FWSM has a DMZ VLAN as well. I don't see any reason to involve MSFC in the picture. Is this correct? Is there any reason in the future that I may need MSFC (i.e. changing from single context to multiple or using load balancing for DMZ servers)?
    2. I am going to extend outside and inside VLANs of FWSM between two 6513 switches. Should I do this for DMZ as well? As I do not use gateway redundancy for my DMZ servers and it is a pure firewall configuration of 6513/FWSM, I don't think it is required.
    3. My understanding is with extending outside VLAN, if the link between primary PIX and primary 6513 fails or if primary PIX fails over to secondary for any reason, secondary PIX will have a way to get to the outside interface of primary FWSM. Is this correct? If not, then how I can make sure that PIX fail over will be transparent to primary 6513/FWSM which is not connected to secondary PIX?
    4. Any difference in spanning-tree configuration between this environment and a regular dual homed server based config?
    Thanks,

    Hi
    1) No, you should be fine if you leave out the MSFC. Certainly you don't want the MSFC between your perimeter PIX firewalls and the FWSMs as you could end up routing around the firewalls. You could have the MSFC on the inside of the FWSMs.
    Changing to multiple context will not require that you need the MSFC for the above. It is quite feasible to have a separate context where the MSFC is involved and still have your above setup where you haven't involved the MSFC. You dictate this by how you allocate VLANs to the FWSM.
    2) You will have to extend the DMZ, or at least you will have to allocate the DMZ VLAN on both switches under the "firewall vlan-group .. " command. If you don't allocate the same VLANs on each switch to the FWSM your failover will not work properly. If the DMZ servers are physically connecting into the 6500 chassis I would look to dual home and include the DMZ in failover if you can. Can't see the reason not to use failover between chassis if you can. (Of course it depends on you having 2 NICs in the DMZ servers.)
    3) Assuming your 6500s are connected with a layer 2 trunk, yes, the secondary PIX should still be able to get to the outside interface of the primary FWSM.
    4) For the FWSM, not really. Just make sure you use a dedicated layer 2 trunk/etherchannel for the FWSM between the 2 switches.
    Hope this has answered some of your queries
    Jon

  • VIP telnet issue in CSM 6500

    Not able to telnet to the VIP address of the CSM from the 6500 switch.

    Hi all
    My problem is that I have configured two real servers in the CSM load balancer.
    I am able to get the ping and telnet response of the VIP address of the load balancer from both of the real servers, but when I telnet to the VIP address from the 6500 switch it does not happen.
    What can be the reason? Please
    guide me.
    thanks

  • Web App Security Firewall Using Catalyst 6500 w/ CSM

    We are evaluating web application security firewalls. The other products can recognize application level attacks such as SQL insertion and deranged parameters. Some of my colleagues believe that the CSM (which we already have deployed) has these sorts of capabilities.
    While the CSM has some layer 7 capabilities, my read of the specs does not suggest that it is suited to this function.
    Anyone have experience or input?
    Thanks!

    The same as a SYN attack protection feature.
    That's all.
    It does not have content analysis for intrusion detection.
    Regards,
    Gilles.

  • Catalyst 6500 CSM-S Cookie stickiness timeout ?

    Hi, anyone able to help with this ?
    We have a CSM-S sitting in a 6513, at the moment we have IP stickiness applied for a Vserver/Serverfarm. The back end product vendor advises that cookie stickiness would be more appropriate for their application.
    I have been scratching my head around the timeout of the inserted cookies; whatever I do they persist seemingly indefinitely, for example:
    Just a test configuration with a 10 minute sticky timeout.
    serverfarm applicationA
      nat server
      nat client applicationA_pool
      failaction reassign
      real 1.1.1.1
       inservice
      real 1.1.1.2
       inservice
      health retries 1 failed 120
      probe applicationA_probe
    sticky 1 cookie applicationA_sticky insert timeout 10
    vserver applicationA-HTTP
      virtual 2.2.2.10 tcp www
      unidirectional
      serverfarm applicationA
      sticky 10 group 1
      no persistent rebalance
      inservice
    Doing show mod csm 1 sticky
    group   sticky-data              real                  timeout
    1       cookie F5BF7115:F80EA688 1.1.1.1           0
    1       cookie 4AFC972B:BB722437 1.1.1.2           0
    Then a show mod csm 1 sticky config
    Group  NumEntries Timeout  Type
    1             82                           10        cookie-insert applicationA_sticky
    When browsing to the VIP I see the application page via one of the reals. For the sake of the test I am using round-robin. Without cookies applied my browser will bounce between reals (I turned off persistent rebalance during testing) as expected.
    With a sticky cookie inserted the browser stays on one of the reals; however, the timeout which I have applied does not work. The client will stay stuck to the real almost indefinitely (the actual cookie expiry is 2099!).
    The online documentation advised that the method I am using should work as expected:
    Quote
    This example shows how to configure a virtual server named barnett, associate it with the server farm named bosco, and configure a sticky connection with a duration of 50 minutes to sticky group 12:
    Router(config)# mod csm 2
    Router(config-module-csm)# sticky 1 cookie foo timeout 100
    Router(config-module-csm)# exit
    Router(config-module-csm)#
    Router(config-module-csm)# serverfarm bosco
    Router(config-slb-sfarm)# real 10.1.0.105
    Router(config-slb-real)# inservice
    Router(config-slb-real)# exit
    Router(config-slb-sfarm)#
    Router(config-slb-sfarm)# vserver barnett
    Router(config-slb-vserver)# virtual 10.1.0.85 tcp 80
    Router(config-slb-vserver)# serverfarm bosco
    Router(config-slb-vserver)# sticky 50 group 12
    Router(config-slb-vserver)# inservice
    Router(config-slb-vserver)# exit
    Router(config-module-csm)# end
    End Quote
    I am guessing that sticky group 12 / 1 is a typo
    Looking at the documentation, sticky can also be applied not in the vserver config but in a policy (this is how we are doing IP stickiness). I have tried both methods. Same result.
    I am natting the client address to a private pool which then talks to the reals (and back). Wouldn't expect this to be any issue.
    The CSM is running Software version: 4.3(5).
    Any help appreciated.

    Good morning Simon,
    The behavior you are seeing is the expected one.
    When the CSM is configured for cookie insertion, a static cookie value is created in the sticky table for each server. This is the cookie that is being inserted, using as expiration date the one defined in the COOKIE_INSERT_EXPIRATION_DATE variable.
    With this stickiness method, there is no need to use a timeout, because, since the sticky table will only contain one entry for each server, it will never become full.
    Quoting from the documentation:
    Note: The configurable timeout values are not applied when using cookie insert.
    You can adjust the timeout value using the environment variables.
    If you don't want to keep the cookies in the client for that long, another approach you can use is setting an empty date in the COOKIE_INSERT_EXPIRATION_DATE variable. When doing that, the cookie will be inserted without an expiration date, so it will be cleared when the browser is closed.
    I hope this answers your question
    Regards
    Daniel
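The difference between the two behaviours described in this thread (an inserted cookie carrying a far-future expiry versus one with no expiry that is dropped when the browser closes) can be checked from the client side by inspecting the Set-Cookie header. The following is an added example, not code from the thread or from Cisco; the header strings are constructed, and the cookie value format is only assumed to resemble the sticky-data shown in the `show mod csm 1 sticky` output.

```python
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

# Constructed Set-Cookie values for the cookie name used in the thread.
LONG_LIVED = ("applicationA_sticky=F5BF7115:F80EA688; "
              "expires=Thu, 01 Jan 2099 00:00:00 GMT; path=/")
SESSION_ONLY = "applicationA_sticky=F5BF7115:F80EA688; path=/"


def parse_set_cookie(header_value):
    """Split one Set-Cookie value into (name, value, lower-cased attributes)."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def classify_lifetime(header_value, cookie_name, now, max_lifetime):
    """Return 'other-cookie', 'session', 'expired', 'persistent' or 'long-lived'.

    Follows RFC 6265: Max-Age takes precedence over Expires, and an attribute
    that cannot be parsed is ignored (leaving a session cookie).
    """
    name, _value, attrs = parse_set_cookie(header_value)
    if name != cookie_name:
        return "other-cookie"
    expires_at = None
    max_age = attrs.get("max-age", "")
    if max_age.lstrip("-").isdigit():
        # Cap the value so absurd lifetimes cannot overflow datetime.
        expires_at = now + timedelta(seconds=min(int(max_age), 10**9))
    elif attrs.get("expires"):
        try:
            expires_at = parsedate_to_datetime(attrs["expires"])
            if expires_at.tzinfo is None:
                expires_at = expires_at.replace(tzinfo=timezone.utc)
        except (TypeError, ValueError):
            expires_at = None  # unparseable date: browsers ignore it
    if expires_at is None:
        return "session"
    if expires_at <= now:
        return "expired"
    return "persistent" if expires_at - now <= max_lifetime else "long-lived"


def audit_response(headers, cookie_name, now, max_lifetime):
    """Classify every Set-Cookie for cookie_name in a list of (name, value)."""
    return [classify_lifetime(v, cookie_name, now, max_lifetime)
            for k, v in headers
            if k.lower() == "set-cookie"
            and parse_set_cookie(v)[0] == cookie_name]


if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    for sample in (LONG_LIVED, SESSION_ONLY):
        print(classify_lifetime(sample, "applicationA_sticky", now,
                                timedelta(hours=8)))
```
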

  • 6500 w/csm client talking with vip gets direct to real

    We have a small server farm with four real servers and one vserver. When the client initiates a connection with the vserver, it opens up an RPC at a certain point and starts talking directly with one of the real servers, totally bypassing the vserver, and if we take down that real server, then the connection hangs and it does not get redirected to another server. The CSM is set up in bridge mode and the servers are being used for a document management application by Hummingbird. Has anyone seen that kind of behavior?
    Any help would be welcomed as we are going live with this project at the end of the week.

    what is the concern ?
    That the client goes directly to the real or that disconnecting the real does not redirect the connection ?
    For the latter, you should use the command 'failaction purge' under the serverfarm definition.
    This will force the CSM to kill the connection if the real goes down.
    For the other concern, your application is probably sending at some point its server ip address.
    Each server will therefore send its own ip address and the client will go directly to it.
    You should see if there is a way for your application to return a "configured" ip address that would be your vip.
    You could also try to configure the vip as a loopback ip address on every real server and tell your application to advertise this address.
    Hope this helps.
    Gilles.
