[c-nsp] FWLB+SLB on ContentSwitchingModule (CSM/Cat6k)

Rubens Kuhl Jr. rubensk at gmail.com
Sat Sep 16 12:04:24 EDT 2006


After configuring SLB (one-arm config, no client NAT, policy-routed
return traffic), I'll now config the same box to do FWLB. The same box
will do outside and inside firewall load-balancing.

Client to DMZ traffic flow seems fine: CSM will receive the packet on
the client vlan, load-balance the traffic to the outside vlan,
firewall will verify packets and forward to the CSM on inside vlan,
SLB vservers on the inside vlan will balance packets and put them out
on DMZ vlan. No L3 routing at all by the Cat 6k, so it won't need VLAN
interfaces on those VLANs.

DMZ to client traffic however seems a bit troubled. Default gateway of
the servers is the MSFC; policy-routing today makes HTTP return
traffic go to the CSM, but now all traffic will need to be
policy-routed. Non-HTTP traffic will match a flow and be balanced to
the inside firewall interface, but HTTP traffic will match an SLB flow
(more specific), RIP will be unNATed to VIP, and then what will happen
to these packets? Can the CSM make two transformations (SLB and FWLB)
while the packet passes through it a single time?


CSM version is 4.2.3(a), Cat6500 is running IOS 12.2(18)SXF4.

Rubens

PS: One-arm SLB is now working fine, after learning that topology
changes on Cat6K require one to reload the CSM in order to get rid of
"Invalid Encaps ID for get info" messages and the wrong MAC address
forwarding mess.