One-armed config

We've done a one-armed setup in our production env using CSS11506(s) and have no issues. We're bring up a smaller setup using CSS 11150(s) and was wondering if they work just as well, performance wise, with a one-armed config?
Thanks
chad

I think it should work just fine. The same configuration would work for CSS 11000 series switches.
Check the config document:
http://www.cisco.com/en/US/products/hw/contnetw/ps789/products_configuration_example09186a0080093dff.shtml

Similar Messages

CSS 11503 One armed config

All,
I got a question on the one armed config.
Cisco says use "destination service" under the source group to change the default NAT behaviour of the CSS, because the servers' default gateways are set to the router IP address and the source IP address of the load balanced request is not on the local subnet. I understand this way you avoid the packets reaching the router directly when they head back to the client, bypassing the CSS.
Now the question I got here is that, what if I set the Servers' default gateway to the CSS rather than the Router. This way you are actually forcing the packets destined for remote networks to go through the CSS DG.. Should I need the source group anyway here. I think I don?t. Someone please clarify. Much appreciated?
thanks

if you set the default gateway to be the CSS, then there is no need for the source group.
However, if you have traffic going directly to the servers, they will go client-->router-->server-->CSS [breaks - because asymetric flow].
If you never access the server directly, you're ok. OR you can set a route on the router forcing the traffic through the CSS.
Gilles.

CSS one arm config

CSS 11506
Is it possible to pass Client's IP address
to the Backend servers in One arm config.
It is so that we can get stats on Web Server
Thanks in advance

Unfortunately CSS does not support HTTP header insertion.
You can either perforn PBR at the Real Server's Default gateway or use CSS as default gateway of Real Servers.
Thanks
Syed Iftekhar Ahmed

One Arm config Domain Name Content rule

Hi Guys
How does domain name content rule works in one arm config.
What do we put in source groups as VIP address.
Does it need host headers in WebServer as a requirement.
How does the client request gets completed.
Any help much appriciated..

Thanks for your reply Jim,
This is what I am trying to do in a One arm config topology
( As the CSS guide ( cntntgd.pdf ) says under Configuring a Domain Name content rule)
The CSS allows you to use a domain name in place of, or in conjunction with, a
VIP address in a content rule. Using a domain name in a content rule enables you
to:
Enable service provisioning to be independent of IP-to-domain namemappings
Provision cache bandwidth as needed based on domain names
So I am trying to create a content rule with a domain name instead of VIP address. For ex.
content domainRule3
protocol tcp
port 80
url "//domain.com/*"
add service Serv1
active
group servers
add destination service Serv1
VIP address ???????? ( what shd we put in here )
In this case what do we put as VIP address in source groups and how does the traffic flows from Client to actual Server in One arm topology. I am trying this topology where we have multiple sites configured with the same IP address with host headers
My assumption is that I shd configure DNS servers with VIP address for domain.com and use that as VIP address in source group. But how does the actual traffic flows from client to servers
Many thanks.

One Armed Config for multiple C classes

Hi,
I am trying to implement one armed config in the existing network for several c classes. Do I need to configure multiple Circuit vlan IP addresses corresponding to different C classes or one Circuit VLAN IP is sufficient.
Can I configure VIP in a different C class than Circuit VLan IP.
I intend to use Source groups to get the traffic from servers back to CSS.
Many thanks in advance.
SS

Two options are all ok.
1. The CSS will allow you to create a secondary address on the circuit.
for example,
circuit VLAN2
ip address 148.1.2.1 255.255.255.0
ip address 148.1.3.1 255.255.255.0
2. You could also create another interface "circuit" on the CSS and assign it with the new subnet IP. Then trunk the vlan to core network.
If you uses one arm mode, then you can use either source "groups" to get the traffic from servers back to CSS or PBR from switch.
You can configure VIP in a different C class than Circuit VLan IP. However, you need to control the routing tables of all other devices. Generally speaking, I would not recommend this setup to the customer.

CSS one-armed-config and SMTP reverse lookup problems?

I was wondering if there would be potential reverse lookup problems from other company's when we try to send mail to their mail Domains.
If I configure failover for our mail server, I am thinking if we are sending mail, there could be a reverse-lookup issue, because our mail server would be configured with public IP Addresses other than what the MX record points to in DNS.
If we originate mail from our inside users, it will originate from the service IP address and not the VIP address.
Is this a valid concern?

The main advantage of this configuration is that the web servers will receive the IP address of the client that made the request. This is often required by web servers' administrators for accounting purposes.
In a one-armed configuration only, the network port ( Enet0) is used on the SCA. Only this specific port can be used for this setup. Encrypted and decrypted traffic will go through the same link
http://www.cisco.com/en/US/products/hw/contnetw/ps2083/products_configuration_example09186a00801bbf4e.shtml

Two circuit vlan in one-armed config mode

Hello.
My client needs to add another vlan to the CSS because he is getting short on ip address. So he decided to add vlan 5, removed the default route to 192.168.12.1 and added two static routes.
However nothing is working now and I can't figure out why.
The initial config was:
!*************************** GLOBAL ***************************
ip route 0.0.0.0 0.0.0.0 192.168.12.1 1
!************************* INTERFACE *************************
interface 1/1
trunk
vlan 12
interface 1/2
admin-shutdown
!************************** CIRCUIT **************************
circuit VLAN12
ip address 192.168.12.22 255.255.255.0
!************************** SERVICE **************************
service www-hux1
port 80
protocol tcp
ip address 192.168.12.24
keepalive type tcp
keepalive frequency 10
keepalive port 80
active
service www-hux2
ip address 192.168.12.25
port 80
protocol tcp
keepalive frequency 10
keepalive port 80
keepalive type tcp
active
!*************************** OWNER ***************************
owner HS
billing-info "ahp"
email-address [email protected]
content rule1
protocol tcp
port 80
add service www-hux2
vip address 192.168.12.27
add service www-hux1
balance aca
active
In the new config this is what's different:
!*************************** GLOBAL ***************************
ip route 192.168.5.0 255.255.255.0 192.168.5.1 1
ip route 192.168.12.0 255.255.255.0 192.168.12.1 1
!************************* INTERFACE *************************
interface 1/1
trunk
vlan 5
vlan 12
interface 1/2
admin-shutdown
!************************** CIRCUIT **************************
circuit VLAN5
ip address 192.168.5.20 255.255.255.0
circuit VLAN12
ip address 192.168.12.22 255.255.255.0
Can you see what's wrong in here?
I almost forgot to teel that the default gateway of real servers is the CSS
Thanks,
Joao Carvalho

Ok. I think I got the problem. The destination of the packet sent by the CSS is a public ip address and none of the static routes matches that.
Now my problem is how can I influence the next hop based on source ip address, in a CSS?
Thanks,
Joao

CSM-S mode -One-Arm-vs- routed

We currently have an environment with CSS running in routed mode. We are building a new data center with 6509s and CSM-S. My question is what is the best mode to run the CSM-S in routed or one-arm and why?

Gilles,
What do you recommend when the traffic flows from the load balanced server are significant?
ie: you are using Oracle application and database servers, load balancing http and https to the app servers. There is significant traffic flow from the app server to the database servers, such that the load balancer in a 2-armed configuration(particularly a CSS11501 w/ 8 10/100 interfaces and a single 1000Base-T interface) would be a significant bandwidth bottleneck.
Also, if Cisco usually does not recommend one-armed config.... why does the latest Server Farm Security Solution Reference Network Design v2.0 (http://www.cisco.com/warp/public/732/systems/docs/dcsrndbk.pdf) recommend a one-armed configuration for the CSS?

How to see the Source IP Address of a client using ACE One-armed-mode to load balance HTTP proxy request

I'm using an Ace 4710 Appliance deployed in One-Armed mode, using Source NAT to loadbalance HTTP request to a couple of Proxy servers.
Everything is working fine, but the thing is that I can't see the Clients IP addresses on Proxy's logs, so I can't keep track of them.
The Interfaces and Nat configs are:
interface vlan 200
description Server-Side-VLAN
bridge-group 5
nat-pool 5 10.1.1.5 10.1.1.5 netmask 255.255.255.0 pat
service-policy input VIPS
interface vlan 300
description Client-Side-VLAN
bridge-group 5
interface bvi 5
ip address 10.1.1.3 255.255.248.0
description Client-Server-Virtual-Interface
ip route 0.0.0.0 0.0.0.0 10.1.1.1
and the policy map looks like this
policy-map multi-match VIPS
class Port80
    loadbalance vip inservice
    loadbalance policy Port80
    nat dynamic 5 vlan 200
Resource assignment:
sticky ip-netmask 255.255.255.255 address both RESOURCE-CLASS
timeout 5
serverfarm Service80
Any suggestions will be appreciated,
Thanks

Hi Kanwal,
Thanks for your quick reply,
I've already tried this but it didn't work. The problem is that I don't manage the proxy servers so I rely on their skills to see the logs.
The Proxies are Squid. Do you know if they need to do something else on the servers to see that field of the HTTP header?
But I'll try again tomorrow and let you know how it goes.
Thank you again.

Sniffer Trace on ACE w/VACLs and One-Arm Design

Wow...that was a mouthful of a title!
Here is what I'm trying to accomplish. There is an application that is having issues. This application is being load balanced by the ACE. The ACE is configured in a One-Armed design. Essentially the application flow is as follows:
client --> ACE VIP --> SNAT Pool --> rserver and then the reverse.
The vlan for my ACE is 3002. It is the only vlan in this context. I have a WildPackets OmniEngine connected to port on the 6500. Here is its config:
interface GigabitEthernet x/xx
switchport
switchport trunk encapsulation dot1q
switchport mode trunk
switchport nonegotiate
switchport capture
switchport capture allowed vlan 3002
no ip address
no cdp enable
Here is the problem. When I take a trace I only see the back half of the conversation. That is I only see from the SNAT pool IPs to the rservers and back. I need to be able to see the conversation between the client IPs and the VIP. Does anyone know how this can be done? If you need more details or have questions please fire away! Thanks for the help...
bc

This can be done by setting up a monitor session on the Sup, with the
TenGig/1 as SPAN
source, and a trunk port as SPAN destination.
For example, if the ACE is in slot X, the configuration would be:
monitor session 10 source interface TeX/1
monitor session 10 destination interface Giy/z
The configuration for this port would be:
int giy/z
switchport
switchport trunk encapsulation dot1q
switchport mode trunk
switchport nonegotiate
Syed Iftekhar Ahmed

ACE in one-arm model. VIP on Client Side, servers in other vlan

Hello All
i have a LAN whit many servers,but only 2 need to be balanced. So i think in one-arm model, due to the higth trafic that not be pass trought ACE.
i have a vlan 900 where is the client side and the VIP also. (10.0.9.64/26)
the servers are in vlan 503 (10.12.3.0/24)
it mi first design with ONE-arm but i thinks something is missing, because doesn't work.
the configuration is the next:
MSFC:
svclc module 1 vlan-group 1,2,
svclc vlan-group 1 503,900-902
svclc vlan-group 2 511
interface Vlan503
description OSS_&_Otros
ip address 10.12.3.253 255.255.255.0
standby 10 ip 10.12.3.254
standby 10 priority 150
standby 10 preempt delay minimum 305
interface Vlan900
description MSF_<->_ACE
ip address 10.0.9.126 255.255.255.192
end
access-list 101 permit ip 10.12.3.0 0.0.0.255 10.0.9.64 0.0.0.63
access-list 101 deny ip any any
route-map From_Server_OSS_to_ACE permit 10
match ip address 101
set ip next-hop 10.0.9.125
ACE_1/admin#
ip route 0.0.0.0 0.0.0.0 10.0.9.126
context OSS
allocate-interface vlan 511
allocate-interface vlan 900
allocate-interface vlan 902
member Max20
ACE_1/OSS# sh run
Generating configuration....
access-list EVERYONE line 10 extended permit ip any any
access-list EVERYONE line 20 extended permit icmp any any
rserver host OSS_FES_1
description OSS_Front_End_Server_1
ip address 10.12.3.140
inservice
rserver host OSS_FES_2
description OSS_Front_End_Server_2
ip address 10.12.3.150
inservice
serverfarm host SERVER_farm_OSS
rserver OSS_FES_1
inservice
rserver OSS_FES_2
inservice
class-map match-all VIP-OSS
2 match virtual-address 10.0.9.66 any
policy-map type loadbalance first-match OSS-LB-POLICY
class class-default
serverfarm SERVER_farm_OSS
policy-map multi-match OSS-POLICY-MAP
class VIP-OSS
loadbalance vip inservice
loadbalance policy OSS-LB-POLICY
loadbalance vip icmp-reply
interface vlan 900
description Clients-side
ip address 10.0.9.125 255.255.255.192
access-group input EVERYONE
access-group output EVERYONE
service-policy input OSS-POLICY-MAP
no shutdown
ip route 0.0.0.0 0.0.0.0 10.0.9.126
maybe a i need to allocate the vlan 503 in OSS Context, any advice?
Thanks in advace,
Gianni From Chile

Since you server are not behind the ACE in either bridge or routed mode add the follwoing to your config and use nat to get the traffic back to the ace.
This is how one-armed mode works.
ACE_1/OSS# sh run
Generating configuration....
access-list EVERYONE line 10 extended permit ip any any
access-list EVERYONE line 20 extended permit icmp any any
rserver host OSS_FES_1
description OSS_Front_End_Server_1
ip address 10.12.3.140
inservice
rserver host OSS_FES_2
description OSS_Front_End_Server_2
ip address 10.12.3.150
inservice
serverfarm host SERVER_farm_OSS
rserver OSS_FES_1
inservice
rserver OSS_FES_2
inservice
class-map match-all VIP-OSS
2 match virtual-address 10.0.9.66 any
policy-map type loadbalance first-match OSS-LB-POLICY
class class-default
serverfarm SERVER_farm_OSS
policy-map multi-match OSS-POLICY-MAP
class VIP-OSS
loadbalance vip inservice
loadbalance policy OSS-LB-POLICY
loadbalance vip icmp-reply
nat dynamic 10 vlan 900
interface vlan 900
description Clients-side
ip address 10.0.9.125 255.255.255.192
nat-pool 10 0.9.126 10 0.9.126 netmask 255.255.255.192 pat
access-group input EVERYONE
access-group output EVERYONE
service-policy input OSS-POLICY-MAP
no shutdown

ACE 4700 one-arm design with SSL termination

Hi,
We are evaluating the one-arm design for the ACE 4700 and need some clarifications:
1. Are there any limitations in the one-arm design and the SSL offloading
2. Can the ACE be configured with an IN and an OUT vlan to the router
CLIENT -> Router -> ACE IN -> ACE OUT -> Router -> Server Vlan
so that the SSL and the clear text traffic is in a separate Vlan?
3. In some sample configuration i saw SNAT configuration on the ACE to modify the client IP. This i assume is for instructing the return traffic from the server to go through ACE? Using SNAT we eliminate the requirement for NAT or PBR on the router? Will i still be able to insert the client IP address after the SSL offload?
I would appreciate if you can share some sample configs
Regards,
George Georgiou

There are two ways to implement One Arm topology.
1. One Arm with PBR & 2.One Arm with SRC NAT
PBR/Source Nat is needed to ensure that the return traffic from Real Servers should not bypass ACE.
1. Are there any limitations in the one-arm design and the SSL offloading
The limitations/config issues I can think of are following
One ARM with PBR:
Direct access to Servers require the enabling of Assymtric routing (by turning off Normalization). If direct server access is not required then you dont need to enable assymtric routing. Now for these assymetric connection (Direct Server Access return traffic) its required to purge idle connections more frequently (default being one hour).
One ARM with SRC NAT:
You will loose the client information. Server logs will show the connections initiated from NAT IP Pool configured on ACE.
2. Can the ACE be configured with an IN and an OUT vlan to the router
CLIENT -> Router -> ACE IN -> ACE OUT -> Router -> Server Vlan
so that the SSL and the clear text traffic is in a separate Vlan?
Yes you can do that but wouldnt it make it routed mode topology?
3. In some sample configuration i saw SNAT configuration on the ACE to modify the client IP. This i assume is for instructing the return traffic from the server to go through ACE? Using SNAT we eliminate the requirement for NAT or PBR on the router? Will i still be able to insert the client IP address after the SSL offload?
As I said earlier you loose the Source IP address with SRC NAT. But with ACE you have an option to use header-insert and insert this source ip as an HTTP Header.
Details at
http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/v3.00_A1/configuration/slb/guide/classlb.html#wp1040008
HTH
Syed Iftekhar Ahmed

Is't Single-VLAN One-Armed Mode let the pop-ups error?

Dear all
In my network I deployed Single-VLAN One-Armed Mode In this mode,the real server’s default gateway is the upstream router. To ensure the return
flow traverses back through the load balancer, the IP address of the client isrewritten to that of the load balancer.
Direct access web was fine ,however when open Pop-ups website will appear error Example, the figure-1 ：
figure-1
When I used real Server IP address not through ACE anything will be fine. Example, the figure-2 :
figure-2
The Web's Code
<%@ page language="java" pageEncoding="UTF-8"%>
<%@ taglib uri="/WEB-INF/hnisi.tld" prefix="hnisi"%>
<%@ include file="/jsp/framework/head.jsp"%>
<%@ page import="cn.sinobest.framework.util.DTOUtil,cn.sinobest.framework.util.Util,cn.sinobest.framework.util.ConfUtil" %>
<%
    //当前登录用户所属系统机构
    String orgCode = DTOUtil.getUserInfo().getBAE001();
    //操作员ID
    String operId = DTOUtil.getValue("OPERID");
    //角色类型
    String roleType = DTOUtil.getValue("ROLETYPE");
        String fromFuncDesc = DTOUtil.getValue("fromFuncDesc");
    //所选操作员的姓名
    String sOperatorName = DTOUtil.getValue("SOPERATORNAME");
    //权限树 where 条件
    String whereClsTree = " rightid in ( select distinct B.RIGHTID "+
                " from FW_RIGHT B"+
                " left join FW_OPERATOR2RIGHT A on LOCATE(B.RIGHTID,A.RIGHTID) = 1"+
                 " where A.AAE100 ='1'"+
                 " and B.AAE100 ='1' and A.operid = '"+operId+"' ";
    //条件：有效角色，当前登录用户只能操作用户所属系统机构及下级机构的角色，以及上级机构的共享角色
    String whereCls =" AAE100 ='1' and (BAE001 like '"+orgCode+"%' or ( IFSHARED = '1' and LOCATE(BAE001,'"+orgCode+"') = 1))";
    if(!Util.isEmpty(roleType)){//角色类型
             whereClsTree +=" and AUTHTYPE='"+roleType+"' ";
             String roleType_zdfpzj = ConfUtil.getDict("ROLETYPE", "13");//最大分配角色
        if("2".equals(roleType)){//分配角色包括：分配角色、最大分配角色
                 whereCls += " and ROLETYPE in('"+roleType+"','"+roleType_zdfpzj+"') ";
        }else{
                       whereCls += " and ROLETYPE='"+roleType+"' ";
    whereClsTree +=" )";
%>
<%-- 导航栏标签 --%>
<hnisi:gNavStr />
    <legend style="cursor:hand;" >
        <span>
            <img id="img_fw_authmngr_geneauth_list_grid" src="${ctx}/themes/default/images/query_icon_right.gif">
        </span>
        <span title="单击展开或收缩">
            <b><%=sOperatorName%></b>已拥有的权限树
            <hnisi:tree id="menus" type="1" whereCls="<%=whereClsTree %>"/>
        </span>
    </legend>
    <form name="roleListForm" method="post">
        <%-- 角色列表--%>
        <hnisi:glt id="fw_authmngr_geneauth_role" whereCls="<%=whereCls %>" />
        <p align="center">
            <%-- 确定按钮 --%>
            <hnisi:btn name="btnQuery" onclick="roleAutoOk()" value="保存" href="javascript:void(0)"/>
            <%-- 清除按钮 --%>
            <hnisi:btn name="btnCls" onclick="cls()" value="清除" href="javascript:void(0)"/>
            <%-- 关闭按钮 --%>
            <hnisi:btn name="btnClose" onclick="winClose()" value="关闭" href="javascript:void(0)"/>
        </p>
    </form>
    <form name="roleForm">
        <input type="hidden" name="OPERID" value="<%=operId %>"/>
        <input type="hidden" name="ROLEIDS">
    </form>
    <script type="text/javascript">
    
    </script>
</body>
</html>
The ACE's config
`show running-config`
Generating configuration....
boot system image:c4710ace-mz.A4_2_0.bin
interface gigabitEthernet 1/1
switchport access vlan 100
no shutdown
interface gigabitEthernet 1/2
shutdown
interface gigabitEthernet 1/3
shutdown
interface gigabitEthernet 1/4
switchport access vlan 3
no shutdown
access-list ALL line 8 extended permit ip any any
access-list allowany line 8 extended permit ip any any
access-list allowany line 16 extended permit icmp any any
probe icmp Ping
interval 2
faildetect 2
passdetect interval 2
passdetect count 1
receive 2
probe tcp TCP6666
description RPC Client Access
port 6666
interval 30
passdetect interval 60
connection term forced
open 10
probe tcp TCP8888
description RPC Client Access
port 8888
interval 30
passdetect interval 60
connection term forced
open 1
rserver host YB1
ip address 110.43.102.241
inservice
rserver host YB2
ip address 110.43.102.245
inservice
rserver host YB3
ip address 110.43.102.246
inservice
rserver host YB4
ip address 110.43.102.247
inservice
rserver host YB5
ip address 110.43.102.248
inservice
rserver host YB6
ip address 110.43.102.242
inservice
serverfarm host YB01farm
predictor leastconns
probe TCP6666
rserver YB2
    inservice
rserver YB3
    inservice
rserver YB4
    inservice
rserver YB5
    inservice
serverfarm host YB02farm
predictor leastconns
probe TCP8888
rserver YB2
    inservice
rserver YB3
    inservice
rserver YB4
    inservice
rserver YB5
    inservice
parameter-map type http PRESIST-REBALANCE
persistence-rebalance
sticky ip-netmask 255.255.255.255 address source YB01-GRP
timeout 60
replicate sticky
serverfarm YB01farm
sticky ip-netmask 255.255.255.255 address source YB02-GRP
timeout 60
replicate sticky
serverfarm YB02farm
sticky http-cookie COOKIE1 STICKYYB01
cookie insert browser-expire
timeout 3600
replicate sticky
serverfarm YB01farm
action-list type modify http IP-header
header insert request X-Forwarded-For header-value "%is"
class-map match-all YB01-slb-vip
2 match virtual-address 110.43.102.251 any
class-map match-all YB02-slb-vip
2 match virtual-address 110.43.102.252 any
class-map type management match-any remote_access
description remote-access-traffic-match
2 match protocol xml-https any
3 match protocol icmp any
4 match protocol telnet any
5 match protocol ssh any
6 match protocol http any
7 match protocol https any
8 match protocol snmp any
policy-map type management first-match remote_mgmt_allow_policy
class remote_access
    permit
policy-map type loadbalance http first-match YB01-slb
class class-default
    sticky-serverfarm STICKYYB01
    action IP-header
policy-map type loadbalance http first-match YB02-slb
class class-default
    sticky-serverfarm YB02-GRP
    action IP-header
policy-map type loadbalance first-match YB6666
class class-default
    sticky-serverfarm STICKYYB01
    action IP-header
    insert-http https header-value "on"
policy-map multi-match client-vips
class YB01-slb-vip
    loadbalance vip inservice
    loadbalance policy YB6666
    loadbalance vip icmp-reply active
    nat dynamic 100 vlan 100
    appl-parameter http advanced-options PRESIST-REBALANCE
class YB02-slb-vip
    loadbalance vip inservice
    loadbalance policy YB02-slb
    loadbalance vip icmp-reply active
    nat dynamic 100 vlan 100
interface vlan 3
ip address 192.168.50.2 255.255.255.240
access-group input ALL
service-policy input remote_mgmt_allow_policy
no shutdown
interface vlan 100
ip address 110.43.102.238 255.255.255.0
access-group input allowany
nat-pool 100 110.43.102.239 110.43.102.239 netmask 255.255.255.255 pat
service-policy input remote_mgmt_allow_policy
service-policy input client-vips
no shutdown
ip route 0.0.0.0 0.0.0.0 110.43.102.112

Hi,
The error comes when accessing the website through LB. The error is thrown by the server. Do we know what does that error indicate and will be thrown by server under what circumstances?
Can you just try with one server in the serverfarm and check if it works fine?
Does it load initial page at all or throws error right away.
What do you see in show conn output? Which VIP is in question here?
Regards,
Kanwal

CSM in one armed mode Redundancy

Hi,
I have a customer with a one arm setup. However they have no server vlan, only a client vlan. They are using source nat and it is working, however I am unsure how to setup redundancy as the alias command seems to be generally used on the server vlan.
i am running hsrp and a ft vlan accross the csm's
Does anyone have any experience of this type of setup, do i need to add any additional config for fault tolerence??
Cheers
Scott

Scott,
you can use the alias and whatever vlan [client or server].
It is required if your servers or clients are using the CSM as default gateway.
There is no special config required when doing fault tolerance in one-armed mode.
It's the same as inline mode.
Gilles.

CSM-S, move to one-arm configuration.

Hello.
We are using a couple of CSM-S with a single subnet bridge and fault tolerance configuration. Now we are evaluating to move to an one-arm configuration, so I’m reading some design guides.
We want to move to this topology because there are some advantages like efficient utilization of resources.
Because we are serving different areas with different security level I’m looking for best practices also.
The main question is about security because CSM does not support virtual contexts like ACE.
Any suggestions?
Thanks.
Andrea

Hello Andrea,
As you noted, the capability for ACE to be able to keep traffic segregated is much easier to work with than the CSM's. Basically, you have to utilize both client groups and the VLAN statement under Vservers to be able to keep traffic segregated. Here is an example:
module ContentSwitchingModule 4
vlan 100 client
ip address 192.168.100.1 255.255.255.0
vlan 150 client
   ip address 192.168.150.1 255.255.255.0
vlan 200 client
   ip address 192.168.200.1 255.255.255.0
vlan 250 client
   ip address 192.168.250.1 255.255.255.0
natpool POOL-1 192.168.100.2 192.168.250.2 netmask 255.255.255.0
natpool POOL-2 192.168.150.2 192.168.250.2 netmask 255.255.255.0
natpool POOL-3 192.168.200.2 192.168.250.2 netmask 255.255.255.0
natpool POOL-4 192.168.250.2 192.168.250.2 netmask 255.255.255.0
serverfarm DMZ1
nat server
nat client POOL-1
real 192.168.100.50
no inservice
real 192.168.100.51
inservice
real 192.168.100.52
inservice
serverfarm DMZ2
nat server
nat client POOL-2
real 192.168.150.82
   no inservice
real 192.168.150.83
   inservice
real 192.168.150.84
   inservice
serverfarm DMZ3
nat server
nat client POOL-3
real 192.168.200.75
   no inservice
real 192.168.200.78
   inservice
real 192.168.200.90
   inservice
serverfarm DMZ4
nat server
nat client POOL-1
real 192.168.250.82
   no inservice
real 192.168.250.83
   inservice
real 192.168.250.84
   inservice
vserver DMZ1
virtual 192.168.100.10 tcp www
vlan 100
serverfarm DMZ1
persistent rebalance
inservice
vserver DMZ2
virtual 192.168.150.10 tcp www
vlan 150
serverfarm DMZ2
persistent rebalance
inservice
vserver DMZ3
virtual 192.168.200.10 tcp www
vlan 200
serverfarm DMZ3
persistent rebalance
inservice
vserver DMZ4
virtual 192.168.250.10 tcp www
vlan 250
serverfarm DMZ4
persistent rebalance
inservice
In the above configuration, if any packet comes into vlan 100 destine to 192.168.100.10 on port 80, it can hit the vip. If the same packet comes into any other vlan, it will not be able to hit the vip. The "vlan 100" statement under DMZ1 vserver filters the traffic so that only traffic that came into that vlan can hit that specific vserver.
If you need to do additional filtering, say by source subnet range, you can use client groups to furthur permit/deny traffic at a more granular level. Here is an example:
(The access-list is created globally on the 6500 - the access list is then referenced by number in the CSM configuration. ONLY standard access lists can be used!!)
access-list 2 permit 192.168.0.0 0.0.255.255
access-list 2 deny   any
access-list 3 permit 10.10.0.0 0.0.255.255
access-list 3 deny   any
policy 192_subnet_filter
client-group 2
serverfarm DMZ4
vserver DMZ4
   virtual 192.168.250.10 tcp www
   vlan 250
slb-policy 250_subnet_filter
   persistent rebalance
   inservice
With this configuration, only traffic with a source IP of 192.168.0.0/16 or 10.10.0.0/16 that arrive on vlan 250 will be allowed to hit the vserver. "Client-Group 2" refers to the "Access-list 2" in the global config.
Note that the serverfarm that used to be under the vserver was removed. If you leave the serverfarm DMZ4 statement under the vserver along with the slb-policy applied, and traffic that does not match your client group is sent to that serverfarm. It is another way of filtering traffic out. If you do not include a fallback serverfarm (like the example above), any traffic that doesn't match the client group is reset.
Let me know if you have any furthur questions!
Regards,
Chris Higgins

One-armed config

Similar Messages

Maybe you are looking for