April 12, 2011

CSM Basics and FT

The Cisco Content Switching Module (CSM) adds layer 4 to layer 7 content switching to the Catalyst 6500/7600 series, providing high-performance load balancing for servers, firewalls or even NAC boxes! The CSM is not a new product; it has been replaced by the newer Cisco ACE load-balancers. Cisco ACE is sold in two forms: as blade modules, like the CSM, or as 4710 appliances, like the CSS appliance-based load-balancers.

ACE supports virtualization (multiple contexts and resource allocation) while the CSM is monolithic. The CSM is configured from the IOS configuration file and stores its configuration in the running-config. It’s really easy and straightforward to configure if you know what you’re doing!


It’s been a while since the last time I touched the CSM, as it’s end of sale and support. EOL/EOS reference link! But you might have some customers that are still using this product and they might need some level of technical support. Last week a call came through asking for CSM support: the customer has four CSM blades inside 6509s in a redundant fashion at the main and DR sites…

This post quickly reviews the following topics:

  • CSM basic setup
  • Fault tolerance
  • Multiple sets of CLIENT/SERVER VLAN pairs
  • Dual / multiple gateways
  • Direct server access
  • CSM verification with show commands
  • How to ping from a CSM VIP address

Basic CSM Setup

The most basic and common way to set up a load-balancer is with a VLAN pair: one VLAN facing the servers and the other facing the clients (the firewall/routers). The load-balancer sits between client and server and creates a VIP (virtual IP address). The VIP maps to several real servers, but they are all seen as one entity, the VIP. The VIP is then translated by a NAT statement on the firewall to a public address so that it can be resolved by DNS.

A client request arrives on the client VLAN of the load-balancer, hits the VIP address and is then distributed among the available real servers.

The first step is to create CLIENT and SERVER VLAN pair:

1. Create two VLANs on the Catalyst 6500, but do not assign IP addresses to them.

2. Create the same VLANs on the CSM and assign IP addresses inside the CSM:

module ContentSwitchingModule 3

vlan 302 server
  ip address 10.8.108.2 255.255.255.0
!
vlan 301 client
  ip address 10.8.8.2 255.255.255.0
  gateway 10.8.8.254

A gateway is required for the CSM to talk to clients (it might be your DMZ firewall interface).

The next step is to create the server farm (where the real servers live) and the vserver (virtual server, the VIP):

probe HTTP http
  recover 3
  request method head
  expect status 200
  interval 2
  failed 6
  port 80
!
serverfarm HTTP_2010
  nat server
  no nat client
  real 10.8.108.17
   inservice
  real 10.8.108.18
   inservice
  probe HTTP
!
vserver HTTP_2010
  virtual 10.8.8.201 tcp www
  serverfarm HTTP_2010
  replicate csrp connection
  persistent rebalance
  inservice

The first part of the configuration above is the probe. It checks the health of the real servers by verifying that each HTTP server returns status code 200. If the probe to a server fails, that server is no longer used.

The serverfarm section configures two real servers (their IP addresses are in the SERVER VLAN) and uses the HTTP probe for health checks. The vserver section defines the VIP and ties the server farm to the vserver. Easy! Now let’s verify:

dc1sw01#sh module csm 3 vlan

vlan   IP address       IP mask          type     
---------------------------------------------------
301    10.8.8.2         255.255.255.0    CLIENT
302    10.8.108.2       255.255.255.0    SERVER
401    10.8.12.2        255.255.255.0    CLIENT
402    10.8.112.2       255.255.252.0    SERVER
997    0.0.0.0          0.0.0.0          FT

CSM Fault-tolerant configuration

CSM FT configuration is pretty straightforward. FT is configured when you have two CSM blades in two Catalyst 6500s working as a fail-over group. You can also create a fault-tolerant configuration with two CSMs in a single Catalyst 6500 series chassis.

The first step is to create a VLAN on both Catalysts specifically for FT and then configure a priority on each CSM (the master must have the higher priority):

vlan 997
name CSM_Failover
!
module ContentSwitchingModule 3
ft group 1 vlan 997
  priority 110
  preempt
!

Then configure your VLAN pair so that each VLAN also carries the alternate (standby) CSM IP address, and give the server VLAN an alias: a shared address that the servers see as a single entity and use as their default gateway (the alias command):

vlan 302 server
  ip address 10.8.108.2 255.255.255.0 alt 10.8.108.3 255.255.255.0
  alias 10.8.108.1 255.255.255.0
!
vlan 301 client
  ip address 10.8.8.2 255.255.255.0 alt 10.8.8.3 255.255.255.0
  gateway 10.8.8.254

 

Secondary Set of VLAN-pair

What if we need to have more than one CLIENT/SERVER VLAN-pair?

Usually the client side is connected to a firewall (Cisco FWSM, ASA or something else). You can have different client/server VLAN pairs while firewall serves each client VLAN as a different DMZ zone.

You can also use this approach during server migration between DMZs!  or even during DMZ migration…

CSM

!
vlan 402 server
  ip address 10.108.12.2 255.255.255.0 alt 10.108.12.3 255.255.255.0
  alias 10.108.12.1 255.255.255.0
!
vlan 401 client
  ip address 10.8.12.2 255.255.255.0 alt 10.8.12.3 255.255.255.0
  gateway 10.8.12.254

real TEST_1
  address 10.108.12.17
  inservice
real TEST_2
  address 10.108.12.18
  inservice
!
serverfarm TEST_SERVERS
  nat server
  no nat client
  real name TEST_1
   inservice
  real name TEST_2
   inservice
  probe HTTP
!
vserver TEST_HTTP
  virtual 10.8.12.11 tcp www
  serverfarm TEST_SERVERS
  replicate csrp connection
  persistent rebalance
  inservice
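As an added example (not from the post), a small Python checker for the FT-related settings in the fault-tolerant section and the secondary VLAN pair above: every VLAN needs an alt address distinct from its primary, server VLANs need an alias, client VLANs need a gateway, and every vserver must reference a serverfarm that is actually defined. The config it parses is a constructed sample modelled on the post's, with vlan 401's alt address deliberately set equal to its primary address.

```python
import re

# Constructed sample (not the post's literal config): FT VLAN pairs as in the post,
# but vlan 401's "alt" equals its primary address and a vserver names an undefined farm.
SAMPLE_CONFIG = """
vlan 302 server
  ip address 10.8.108.2 255.255.255.0 alt 10.8.108.3 255.255.255.0
  alias 10.8.108.1 255.255.255.0
vlan 401 client
  ip address 10.8.12.2 255.255.255.0 alt 10.8.12.2 255.255.255.0
  gateway 10.8.12.254
serverfarm TEST_SERVERS
  real name TEST_1
vserver ORPHAN
  serverfarm MISSING_FARM
"""

def parse_blocks(text):
    """Split CSM config into (keyword, name, extra words, indented body lines)."""
    blocks = []
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" ") and blocks:   # indented line belongs to current block
            blocks[-1][3].append(raw.strip())
        else:                                  # new top-level block
            words = raw.split()
            blocks.append((words[0], words[1] if len(words) > 1 else "", words[2:], []))
    return blocks

def check_config(text):
    """Return findings: alt/alias/gateway per VLAN and dangling serverfarm references."""
    blocks = parse_blocks(text)
    farms = {name for kind, name, _, _ in blocks if kind == "serverfarm"}
    findings = []
    for kind, name, extra, body in blocks:
        if kind == "vlan":
            ip_line = next((l for l in body if l.startswith("ip address")), "")
            m = re.match(r"ip address (\S+) \S+ alt (\S+)", ip_line)
            if not m or m.group(1) == m.group(2):
                findings.append(f"vlan {name}: missing or duplicate alt address (FT standby has no IP)")
            if "server" in extra and not any(l.startswith("alias") for l in body):
                findings.append(f"vlan {name}: server VLAN without alias gateway")
            if "client" in extra and not any(l.startswith("gateway") for l in body):
                findings.append(f"vlan {name}: client VLAN without gateway")
        elif kind == "vserver":
            farm = next((l.split()[1] for l in body if l.startswith("serverfarm")), None)
            if farm and farm not in farms:
                findings.append(f"vserver {name}: undefined serverfarm {farm}")
    return findings
```

Run it against a pasted `module ContentSwitchingModule` section before a failover test; a duplicate alt address means the standby CSM has no address of its own on that VLAN.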


Perhaps the secondary CLIENT VLAN requires its own default gateway. Keep in mind that the CSM always uses the lowest CLIENT VLAN ID to reach its configured gateway, so when you have different gateways for different CLIENT VLANs you need the following trick:

Dual Gateway

The first CSM VLAN pair has no problem with gateway reachability, but configuring a gateway for a secondary VLAN pair is not as easy as for the first one. Based on the drawing above, to force the CSM to use 10.8.12.254 as the gateway for VLAN pair 401/402 you configure:

serverfarm VLAN402-out
  no nat server
  no nat client
  real 10.8.12.254
   inservice
!
vserver VLAN402-out
  virtual 0.0.0.0 0.0.0.0 any
  vlan 402
  serverfarm VLAN402-out
  inservice

Direct Server Access

If you need to reach your servers from other VLANs without going through the VIP address, this section is for you. You might find it impossible to connect to the real servers; the following debug output shows that something is wrong:

Failed LB : access-denied

For direct server access configure a separate serverfarm/vserver pair:

serverfarm ROUTE
  no nat server
  no nat client
  predictor forward
!   
vserver REAL_ACCESS
  virtual 10.8.112.0 255.255.255.0 any
  serverfarm ROUTE
  persistent rebalance
  inservice

Verification

dc1sw01#show module csm 3 reals

real        server farm    weight  state       conns/hits
---------------------------------------------------------   
TEST_1      TEST_SERVERS   8       OPERATIONAL 0       
TEST_2      TEST_SERVERS   8       OPERATIONAL 0       
10.8.12.1   VLAN402-OUT    8       OPERATIONAL 1


dc1sw01#show module csm 3 vservers

vserver        type  prot virtual            vlan state        conns
--------------------------------------------------------------------
DIRECT_ACCESS  SLB   any  10.8.108.0/24:0    ALL  OPERATIONAL  19     
TEST_HTTP      SLB   TCP  10.8.12.11/32:80   ALL  OPERATIONAL  0      
VLAN402-OUT    SLB   any  0.0.0.0/0:0        402  OPERATIONAL  3      
REAL_ACCESS    SLB   any  10.8.112.0/24:0    ALL  OPERATIONAL  1

dc1sw01#show module csm 3 serverfarm

server farm     type  predictor   nat   reals  redirect bind id
---------------------------------------------------------------
DIRECT_ACCESS   SLB   Forward     S     0      0        0     
TEST_SERVERS    SLB   RoundRobin  S     2      0        0     
VLAN402-OUT     SLB   RoundRobin  none  1      0        0     
ROUTE           SLB   Forward     none  0      0        0


dc1sw01#show module csm 3 vlan   

vlan   IP address       IP mask          type     
---------------------------------------------------
208    10.8.8.2         255.255.255.0    CLIENT
318    10.8.108.2       255.255.255.0    SERVER
401    10.8.12.2        255.255.255.0    CLIENT
402    10.8.112.2       255.255.252.0    SERVER
997    0.0.0.0          0.0.0.0          FT

dc1sw01#show module csm 3 arp

Internet Address  Physical Interface  VLAN      Type       Status
--------------------------------------------------------------------
10.8.108.1       00-01-64-F9-1A-01   318       -ALIAS-    local
10.8.108.2       00-0F-34-2C-52-06   318       --SLB--    local
10.8.108.3       00-02-FC-E1-CE-60   318       LEARNED    up(0 misses)
10.8.112.1       00-01-64-F9-1A-01   402       -ALIAS-    local
10.8.112.2       00-0F-34-2C-52-06   402       --SLB--    local
10.8.112.3       00-02-FC-E1-CE-60   402       LEARNED    up(0 misses)
10.8.112.17      00-50-56-AD-00-96   402       REAL       up(0 misses)
10.8.112.18      00-50-56-AD-00-96   402       REAL       up(0 misses)
10.8.8.254       00-C0-EA-EA-EA-EA   208       GATEWAY    up(0 misses)
10.8.8.2         00-0F-34-2C-52-06   208       --SLB--    local
10.8.8.3         00-02-FC-E1-CE-60   208       LEARNED    up(0 misses)
10.8.12.254      00-22-90-9D-D3-0F   401       GATEWAY    up(0 misses)
10.8.12.2        00-0F-34-2C-52-06   401       --SLB--    local
10.8.12.3        00-02-FC-E1-CE-60   401       LEARNED    up(0 misses)
10.8.12.11       00-01-64-F9-1A-01   0         VSERVER    local

CSM PING

If you want to PING from a VIP address, use the ping module csm command:

dc1sw01#ping module csm 3 10.8.12.254
IP address       Reachable
--------------------------
10.8.12.254      Yes


dc1coresw01#ping module csm 3 gateways

IP address       Reachable
--------------------------
10.8.8.254       Yes
10.8.12.254      Yes


dc1sw01#ping module csm 3 reals

IP address       Reachable
--------------------------
10.8.108.10      Yes
10.8.108.11      Yes
10.8.112.17      Yes
10.8.112.18      Yes
10.8.12.254      Yes

Hope that helps!

2 comments:

Aaron Conaway said...

Nice post, Shawn. I'm glad to see someone else providing information on the CSM.

Shawn Zandi (Shafagh) said...

I just checked your blog, you have good articles about CSM too. Thank you.