[c-nsp] csm Bride Mode Simple scenario. Is it Possible?

Arie Vayner (avayner) avayner at cisco.com
Sun Apr 13 08:04:40 EDT 2008


Brad,

There is an alternative for client nat, which is usually not recommended
as it makes reporting and other mechanisms which rely on the source IP
to be unique.

The idea is to configure the VIP address (50.40.220.100) as a loopback
on the real servers. Then, disable "nat server" on the serverfarm. This
would send the queries to the real server with the VIP's IP (which would
be fine, as the real server has this IP locally configured).
In the situation when a local server is the client, this would allow the
server (after load balancing) to send the response directly to the
server.

Another approach is to have a different vserver (with the same IP
address) by configuring the client VLAN inside the vserver. Take a look
here:
http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/csm/4.2.x/configuration/guide/cfgxpls.html#wp1008442

Arie

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Brad Case
Sent: Sunday, April 13, 2008 12:30 PM
To: Ross Vandegrift
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] csm Bride Mode Simple scenario. Is it Possible?

Hey,

Sorry guys, I have one last CSM query which relates directly to the
below.
In the customer's network 1 of the 2 VIPs is actually used for server
to server load balancing.

So to simplify 3 servers all reside in the same subnet.

The addresses are the following:

server A: 10.20.220.11
server B: 10.20.220.12
server C: 10.20.220.15

Server A & B are in a serverfarm & the VIP address is 50.40.220.100

Server C needs to communicate to the VIP address of 50.40.220.100 to
load balance to servers A & B

Configuring this up in Routed mode on the CSM is easy, however, in bridge
mode I am not so sure. Below is the configuration which I think should
work (I cannot test it). Presuming it does I am a little concerned with
things such as ICMP redirect occurring from the MSFC interface. Anyway, I
would really appreciate people's input on the configuration:




vlan 221 client
 ip address 10.20.220.2 255.255.255.0
 gateway 10.20.220.1
!
vlan 220 server
 ip address 10.20.220.2 255.255.255.0
 <<<<<<<<<<<< Two VLANs with the same IP address are bridged together.
!
serverfarm WEBFARM
 nat server
 nat client SABRIX
 real 10.20.220.11
  inservice
 real 10.20.220.12
  inservice
!
vserver WEB
 virtual 50.40.220.100 tcp www
 <<<<<<<<<< Place the IP address in a different subnet than the IP's in the serverfarm >>>>>>>>
 serverfarm WEBFARM
 persistent rebalance
 inservice

natpool SABRIX 10.20.220.55 10.20.220.55 netmask 255.255.255.0


interface Vlan 221
 ip address 10.20.220.1 255.255.255.0

<<<<<<<< On the MSFC place a static route to route the 50.40.220.100 address towards the CSM IP on vlan 221 >>>>>

ip route 50.40.220.100 255.255.255.255 10.20.220.2


interface GigabitEthernet6/31
 description Server A
 switchport
 switchport access vlan 220
 switchport mode access


interface GigabitEthernet6/32
 description Server B
 switchport
 switchport access vlan 220
 switchport mode access

interface GigabitEthernet6/33
 description Server C
 switchport
 switchport access vlan 221
 switchport mode access


On Server C the default gateway is obviously going towards the MSFC
address of 10.20.220.1.  No other routes are defined on the server.

Anyone's input is highly appreciated.

Regards,

Brad














On Thu, Apr 10, 2008 at 12:03 AM, Ross Vandegrift <ross at kallisti.us> wrote:

> On Wed, Apr 09, 2008 at 11:02:06PM +1000, Brad Case wrote:
> > I actually asked this same question to Cisco. The official response
> > I got was this:
> >
> > Extract:
> >
> >
> > This should work to some extent. However, for the large network I
> > don't know how reliable you can run this system for sure.
> >
> > You are basically forcing static route in MSFC to forward traffic to
> > the client vlan of the CSM. This is not something desirable way to
> > do routing on the CSM. Especially bridge mode.
>
> This response is completely bogus and highlights why I am frustrated 
> with Cisco's support for the CSM.  I have only ever heard of two 
> people at Cisco that really understood the thing, and I've personally 
> only talked to one.
>
> > There will "only" be 2 VIP's setup this way & never anymore. There
> > will be many additional VIPs that will be created using a VIP IP
> > in the same address range as the real server addresses (Text book
> > scenario).
> > If the customer were to change the 2 VIP addresses it requires a
> > massive amount of logistics to do so, hence the reason why I am
> > considering doing it this way.
> >
> >
> > I would really like to hear what people have to say in relation to
> > this response & if I should be concerned in doing it like this for
> > just 2 VIP's only.
>
> I have over 400 VIPs on a CSM running in this way, in bridged mode, 
> without advertise active.  Any IP can be used as a VIP so long as 
> traffic to that IP ends up directed to the CSM's client VLAN IP.
>
> The easiest way to do this is add a static route for the VIP to the 
> CSM's client IP on the MSFC.  So for your example below, you would 
> need "ip route 50.40.220.99 255.255.255.255 10.20.220.2".
>
> If you have an FT setup, you'll want the next-hop to be the client 
> VLAN's alias IP.
>
>
> Ross
>
> >
> >
> > Regards,
> >
> > Brad
> >
> >
> >
> >
> >
> > On Tue, Apr 8, 2008 at 5:59 PM, Arie Vayner (avayner)
> > <avayner at cisco.com> wrote:
> >
> > > Brad,
> > >
> > > You should just make sure the virtual IP is routable on the MSFC.
> > > The best way is to use the "advertise" command on the virtual
> > > server.
> > >
> > > Arie
> > >
> > > -----Original Message-----
> > > From: cisco-nsp-bounces at puck.nether.net 
> > > [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Brad Case
> > > Sent: Tuesday, April 08, 2008 02:27 AM
> > > To: cisco-nsp at puck.nether.net
> > > Subject: [c-nsp] csm Bride Mode Simple scenario. Is it Possible?
> > >
> > > Hi Guys,
> > > I have a question that I simply cannot find an answer to on the 
> > > Cisco site in regards to the CSM in Bridge mode.
> > > Is it possible to have the vserver (VIP) IP in a different subnet
> > > range than the real IP addresses in the serverfarm that is bound
> > > to it?
> > >
> > > In other words, as an example a typical bridge configuration is
> > > like this:
> > >
> > >
> > >
> > > vlan 221 client
> > >  ip address 10.20.220.2 255.255.255.0
> > >  gateway 10.20.220.1
> > > !
> > > vlan 220 server
> > >  ip address 10.20.220.2 255.255.255.0
> > >  <<<<<<<<<<<< Two VLANs with the same IP address are bridged together >>>>>>>>>>>>>>>>>.
> > > serverfarm WEBFARM
> > >  nat server
> > >  no nat client
> > >  real 10.20.220.10
> > >  inservice
> > >  real 10.20.220.20
> > >  inservice
> > > !
> > > vserver WEB
> > >  virtual 10.20.220.100 tcp www
> > >  serverfarm WEBFARM
> > >  persistent rebalance
> > >  inservice
> > >
> > >
> > >
> > > Is it possible to do something like this:
> > >
> > > vlan 221 client
> > >  ip address 10.20.220.2 255.255.255.0
> > >  gateway 10.20.220.1
> > > !
> > > vlan 220 server
> > >  ip address 10.20.220.2 255.255.255.0
> > >  <<<<<<<<<<<< Two VLANs with the same IP address are bridged together >>>>>>>>>>>>>>>>>.
> > >
> > > serverfarm WEBFARM
> > >  nat server
> > >  no nat client
> > >  real 10.20.220.10
> > >  inservice
> > >  real 10.20.220.20
> > >  inservice
> > > !
> > > vserver WEB
> > >  virtual 50.40.220.99 tcp www
> > >  <<<<<<<<<< Place the IP address in a different subnet than the IP's in the serverfarm >>>>>>>>>>>>>>>
> > >  serverfarm WEBFARM
> > >  persistent rebalance
> > >  inservice
> > >
> > >
> > > <<<<<<<< On the MSFC place a static route to route the 50.40.220.99 address towards the CSM IP on vlan 221 >>>>>>>>>.
> > >
> > > ip route 50.40.220.99 255.255.255.255 10.20.220.2
> > >
> > >
> > > Please if somebody knows if this is or is not possible it would be
> > > highly appreciated to hear your feedback.
> > >
> > >
> > > Regards,
> > >
> > > Brad
> > >  _______________________________________________
> > > cisco-nsp mailing list  cisco-nsp at puck.nether.net 
> > > https://puck.nether.net/mailman/listinfo/cisco-nsp
> > > archive at http://puck.nether.net/pipermail/cisco-nsp/
> > >
>
> --
> Ross Vandegrift
> ross at kallisti.us
>
> "The good Christian should beware of mathematicians, and all those who
> make empty prophecies. The danger already exists that the
> mathematicians have made a covenant with the devil to darken the 
> spirit and to confine man in the bonds of Hell."
>        --St. Augustine, De Genesi ad Litteram, Book II, xviii, 37
>
_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
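
Added example, not part of the original thread and not Cisco's or any poster's code: a small Python check for the rule discussed above, that a VIP outside the CSM client VLAN's subnet needs a static route on the MSFC whose next hop is the CSM client VLAN IP (or its alias IP in an FT pair). The sample config is constructed from the thread's addresses; the INTRANET and LOCAL vservers are hypothetical, and the parser assumes top-level commands start in column 0.

```python
import ipaddress

# Constructed sample; INTRANET and LOCAL are hypothetical vservers.
SAMPLE_CONFIG = """\
vlan 221 client
 ip address 10.20.220.2 255.255.255.0
vlan 220 server
 ip address 10.20.220.2 255.255.255.0
vserver WEB
 virtual 50.40.220.100 tcp www
vserver INTRANET
 virtual 50.40.220.101 tcp www
vserver LOCAL
 virtual 10.20.220.100 tcp www
ip route 50.40.220.100 255.255.255.255 10.20.220.2
"""

def audit_vips(config):
    """Map each vserver name to a routing verdict for its VIP."""
    section, client_net, next_hop, vips, routes = [""], None, None, {}, []
    for line in config.splitlines():
        words = line.split()
        if not words or words[0].startswith(("!", "<")):
            continue  # skip comments and <<<< annotations
        if not line[0].isspace():
            section = words  # a top-level command opens a new section
        if words[:2] == ["ip", "route"] and len(words) >= 5:
            net = ipaddress.ip_network(f"{words[2]}/{words[3]}", strict=False)
            routes.append((net, ipaddress.ip_address(words[4])))
        elif section[0] == "vlan" and section[-1] == "client":
            if words[:2] == ["ip", "address"]:
                iface = ipaddress.ip_interface(f"{words[2]}/{words[3]}")
                client_net, next_hop = iface.network, next_hop or iface.ip
            elif words[0] == "alias":  # FT pair: the alias IP is the next hop
                next_hop = ipaddress.ip_address(words[1])
        elif section[0] == "vserver" and words[0] == "virtual":
            vips[section[1]] = ipaddress.ip_address(words[1])
    verdicts = {}
    for name, vip in vips.items():
        # Longest-prefix match, the way the MSFC would pick the route.
        hits = sorted((r for r in routes if vip in r[0]),
                      key=lambda r: r[0].prefixlen)
        if client_net and vip in client_net:
            verdicts[name] = "on client subnet"
        elif not hits:
            verdicts[name] = "no route to CSM"
        elif hits[-1][1] == next_hop:
            verdicts[name] = "routed to CSM"
        else:
            verdicts[name] = f"route points at {hits[-1][1]}"
    return verdicts
```
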

