Cisco Catalyst 6500 Series, Catalyst 6000 Series Configuration Note

Catalyst 6500 Series Content Switching Module Configuration Note
Software Release 3.2(1) September, 2003
Corporate Headquarters
Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA http://www.cisco.com Tel: 408 526-4000
800 553-NETS (6387)
Text Part Number: OL-4612-01
THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.
THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.
The following information is for FCC compliance of Class A devices: This equipment has been tested and found to comply with the limits for a Class A digital device, pursuant to part 15 of the FCC rules. These limits are designed to provide reasonable protection against harmful interference when the equipment is operated in a commercial environment. This equipment generates, uses, and can radiate radio-frequency energy and, if not installed and used in accordance with the instruction manual, may cause harmful interference to radio communications. Operation of this equipment in a residential area is likely to cause harmful interference, in which case users will be required to correct the interference at their own expense.
The following information is for FCC compliance of Class B devices: The equipment described in this manual generates and may radiate radio-frequency energy. If it is not installed in accordance with Cisco’s installation instructions, it may cause interference with radio and television reception. This equipment has been tested and found to comply with the limits for a Class B digital device in accordance with the specifications in part 15 of the FCC rules. These specifications are designed to provide reasonable protection against such interference in a residential installation. However, there is no guarantee that interference will not occur in a particular installation.
Modifying the equipment without Cisco’s written authorization may result in the equipment no longer complying with FCC requirements for Class A or Class B digital devices. In that event, your right to use the equipment may be limited by FCC regulations, and you may be required to correct any interference to radio or television communications at your own expense.
You can determine whether your equipment is causing interference by turning it off. If the interference stops, it was probably caused by the Cisco equipment or one of its peripheral devices. If the equipment causes interference to radio or television reception, try to correct the interference by using one or more of the following measures:
• Turn the television or radio antenna until the interference stops.
• Move the equipment to one side or the other of the television or radio.
• Move the equipment farther away from the television or radio.
• Plug the equipment into an outlet that is on a different circuit from the television or radio. (That is, make certain the equipment and the television or radio are on circuits controlled by different circuit breakers or fuses.)
Modifications to this product not authorized by Cisco Systems, Inc. could void the FCC approval and negate your authority to operate the product.
The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB’s public domain version of the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California.
NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED “AS IS” WITH ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE.
IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES
CCSP, CCVP, the Cisco Square Bridge logo, Follow Me Browsing, and StackWise are trademarks of Cisco Systems, Inc.; Changing the Way We Work, Live, Play, and Learn, and iQuick Study are service marks of Cisco Systems, Inc.; and Access Registrar, Aironet, ASIST, BPX, Catalyst, CCDA, CCDP, CCIE, CCIP, CCNA, CCNP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Cisco Unity, Empowering the Internet Generation, Enterprise/Solver, EtherChannel, EtherFast, EtherSwitch, Fast Step, FormShare, GigaDrive, GigaStack, HomeLink, Internet Quotient, IOS, IP/TV, iQ Expertise, the iQ logo, iQ Net Readiness Scorecard, LightStream, Linksys, MeetingPlace, MGX, the Networkers logo, Networking Academy, Network Registrar, Packet, PIX, Post-Routing, Pre-Routing, ProConnect, RateMUX, ScriptShare, SlideCast, SMARTnet, StrataView Plus, TeleRouter, The Fastest Way to Increase Your Internet Quotient, and TransPath are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries.
All other trademarks mentioned in this document or Website are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0502R)
Catalyst 6500 Series Content Switching Module Configuration Note
Copyright ©2003 Cisco Systems, Inc. All rights reserved.
Software License Agreement
THIS AGREEMENT IS AVAILABLE IN LANGUAGES OTHER THAN ENGLISH; PLEASE SEE YOUR CISCO SYSTEMS, INC. (“CISCO”) RESELLER OR VISIT OUR WEBSITE AT WWW.CISCO.COM. PLEASE READ THIS SOFTWARE LICENSE AGREEMENT CAREFULLY BEFORE DOWNLOADING, INSTALLING OR USING CISCO OR CISCO-SUPPLIED SOFTWARE. BY DOWNLOADING OR INSTALLING THE SOFTWARE, OR USING THE EQUIPMENT THAT CONTAINS THIS SOFTWARE, YOU ARE CONSENTING TO BE BOUND BY THIS AGREEMENT. IF YOU DO NOT AGREE TO ALL OF THE TERMS OF THIS AGREEMENT, THEN (A) DO NOT DOWNLOAD, INSTALL OR USE THE SOFTWARE, AND (B) YOU MAY RETURN THE SOFTWARE FOR A FULL REFUND, OR, IF THE SOFTWARE IS SUPPLIED AS PART OF ANOTHER PRODUCT, YOU MAY RETURN THE ENTIRE PRODUCT FOR A FULL REFUND. YOUR RIGHT TO RETURN AND REFUND EXPIRES 30 DAYS AFTER PURCHASE FROM CISCO OR AN AUTHORIZED CISCO RESELLER, AND APPLIES ONLY IF YOU ARE THE ORIGINAL PURCHASER.
The following terms govern your use of the Software except to the extent a particular program (a) is the subject of a separate written agreement with Cisco or (b) includes a separate “click-on” license agreement as part of the installation process.
License. Subject to the terms and conditions of and except as otherwise provided in this Agreement, Cisco Systems, Inc. (“Cisco”) and its suppliers grant to Customer (“Customer”) a nonexclusive and nontransferable license to use the specific Cisco program modules, feature set(s) or feature(s) for which Customer has paid the required license fees (the “Software”), in object code form only. In addition, the foregoing license shall also be subject to each of the following limitations:
Unless otherwise expressly provided in the documentation, Customer shall use the Software solely as embedded in, for execution on, or (where the applicable documentation permits installation on non-Cisco equipment) for communication with Cisco equipment owned or leased by Customer;
Customer’s use of the Software shall be limited to use on a single hardware chassis, on a single central processing unit, as applicable, or use on such greater number of chassis or central processing units as Customer may have paid Cisco the required license fee; and
Customer’s use of the Software shall also be limited as applicable to the number of issued and outstanding IP addresses, central processing unit performance, number of ports, and any other restrictions set forth in Cisco’s product catalog for the Software.
NOTE: For evaluation or beta copies for which Cisco does not charge a license fee, the above requirement to pay a license fee does not apply.
General Limitations. Except as otherwise expressly provided under this Agreement, Customer shall have no right, and Customer specifically agrees not to: (i) transfer, assign or sublicense its license rights to any other person, or use the Software on unauthorized or secondhand Cisco equipment, and any such attempted transfer, assignment or sublicense shall be void; (ii) make error corrections to or otherwise modify or adapt the Software or create derivative works based upon the Software, or to permit third parties to do the same; or (iii) decompile, decrypt, reverse engineer, disassemble or otherwise reduce the Software to human-readable form to gain access to trade secrets or confidential information in the Software. To the extent required by law, at Customer’s request, Cisco shall provide Customer with the interface information needed to achieve interoperability between the Software and another independently created program, on payment of Cisco’s applicable fee. Customer shall observe strict obligations of confidentiality with respect to such information.
Upgrades and Additional Copies. For purposes of this Agreement, “Software” shall include (and the terms and conditions of this Agreement shall apply to) any upgrades, updates, bug fixes or modified versions (collectively, “Upgrades”) or backup copies of the Software licensed or provided to Customer by Cisco or an authorized distributor for which Customer has paid the applicable license fees. NOTWITHSTANDING ANY OTHER PROVISION OF THIS AGREEMENT: (1) CUSTOMER HAS NO LICENSE OR RIGHT TO USE ANY SUCH ADDITIONAL COPIES OR UPGRADES UNLESS CUSTOMER, AT THE TIME OF ACQUIRING SUCH COPY OR UPGRADE, ALREADY HOLDS A VALID LICENSE TO THE ORIGINAL SOFTWARE AND HAS PAID THE APPLICABLE FEE FOR THE UPGRADE; (2) USE OF UPGRADES IS LIMITED TO CISCO EQUIPMENT FOR WHICH CUSTOMER IS THE ORIGINAL END USER PURCHASER OR LESSEE OR WHO OTHERWISE HOLDS A VALID LICENSE TO USE THE SOFTWARE WHICH IS BEING UPGRADED; AND (3) USE OF ADDITIONAL COPIES IS LIMITED TO BACKUP PURPOSES ONLY.
Proprietary Notices. Customer agrees to maintain and reproduce all copyright and other proprietary notices on all copies, in any form, of the Software in the same form and manner that such copyright and other proprietary notices are included on the Software. Except as expressly authorized in this Agreement, Customer shall not make any copies or duplicates of any Software without the prior written permission of Cisco. Customer may make such backup copies of the Software as may be necessary for Customer’s lawful use, provided Customer affixes to such copies all copyright, confidentiality, and proprietary notices that appear on the original.
Protection of Information. Customer agrees that aspects of the Software and associated documentation, including the specific design and structure of individual programs, constitute trade secrets and/or copyrighted material of Cisco. Customer shall not disclose, provide, or otherwise make available such trade secrets or copyrighted material in any form to any third party without the prior written consent of Cisco. Customer shall implement reasonable security measures to protect such trade secrets and copyrighted material. Title to Software and documentation shall remain solely with Cisco.
Limited Warranty. If Customer obtained the Software directly from Cisco, then Cisco warrants that during the Warranty Period (as defined below): (i) the media on which the Software is furnished will be free of defects in materials and workmanship under normal use; and (ii) the Software will substantially conform to its published specifications. The “Warranty Period” means a period beginning on the date of Customer’s receipt of the Software and ending on the later of (a) ninety (90) days from the date of initial shipment of the Software by Cisco, or (b) the end of the minimum period required by the law of the applicable jurisdiction. In addition, Cisco may provide an additional limited Year 2000 warranty for the Software; information regarding this warranty and its applicability to the Software may be found at the web site address www.cisco.com/warp/public/779/smbiz/service/y2k/y2k_comp.htm. The limited warranties extend only to Customer as the original licensee. Customer's sole and exclusive remedy and the entire liability of Cisco and its suppliers under these limited warranties will be, at Cisco or its service center's option, repair, replacement, or refund of the Software if reported (or, upon request, returned) to Cisco or its designee. Except as expressly granted in this Agreement, the Software is provided AS IS. Cisco does not warrant that the Software is error free or that Customer will be able to operate the Software without problems or interruptions. In addition, due to the continual development of new techniques for intruding upon and attacking networks, Cisco does not warrant that the Software or any equipment, system or network on which the Software is used will be free of vulnerability to intrusion or attack. This warranty does not apply if the Software (a) is licensed for beta, evaluation, testing or demonstration purposes for which Cisco does not receive a license fee, (b) has been altered, except by Cisco, (c) has not been installed, operated, repaired, or maintained in accordance with instructions supplied by Cisco, (d) has been subjected to abnormal physical or electrical stress, misuse, negligence, or accident, or (e) is used in ultrahazardous activities. If Customer obtained the Software from a Cisco reseller, the terms of any warranty shall be as provided by such distributor, and Cisco provides Customer no warranty with respect to such Software.
Disclaimer of Warranties. EXCEPT AS SPECIFIED IN THIS WARRANTY, ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS, AND WARRANTIES INCLUDING, WITHOUT LIMITATION, ANY IMPLIED WARRANTY OR CONDITION OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, NONINFRINGEMENT, SATISFACTORY QUALITY OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE, ARE HEREBY EXCLUDED TO THE EXTENT ALLOWED BY APPLICABLE LAW. TO THE EXTENT AN IMPLIED WARRANTY CANNOT BE EXCLUDED, SUCH WARRANTY IS LIMITED IN DURATION TO THE WARRANTY PERIOD. BECAUSE SOME STATES OR JURISDICTIONS DO NOT ALLOW LIMITATIONS ON HOW LONG AN IMPLIED WARRANTY LASTS, THE ABOVE LIMITATION MAY NOT APPLY TO YOU. THIS WARRANTY GIVES YOU SPECIFIC LEGAL RIGHTS, AND YOU MAY ALSO HAVE OTHER RIGHTS WHICH VARY FROM JURISDICTION TO JURISDICTION.
Disclaimer of Liabilities. IN NO EVENT WILL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY LOST REVENUE, PROFIT, OR DATA, OR FOR SPECIAL, INDIRECT, CONSEQUENTIAL, INCIDENTAL, OR PUNITIVE DAMAGES HOWEVER CAUSED AND REGARDLESS OF THE THEORY OF LIABILITY ARISING OUT OF THE USE OF OR INABILITY TO USE THE SOFTWARE EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. In no event shall Cisco's or its suppliers' liability to Customer, whether in contract, tort (including negligence), or otherwise, exceed the price paid by Customer. The foregoing limitations shall apply even if the above-stated warranty fails of its essential purpose. BECAUSE SOME STATES OR JURISDICTIONS DO NOT ALLOW LIMITATION OR EXCLUSION OF CONSEQUENTIAL OR INCIDENTAL DAMAGES, THE ABOVE LIMITATION MAY NOT APPLY TO YOU.
Term and Termination. This Agreement is effective until terminated. Customer may terminate this Agreement at any time by destroying all copies of Software including any documentation. Customer’s license rights under this Agreement will terminate immediately without notice from Cisco if Customer fails to comply with any provision of this Agreement. Upon termination, Customer must destroy all copies of Software in its possession or control.
Customer Records. Customer grants to Cisco and its independent accountants the right to examine Customer’s books, records and accounts during Customer’s normal business hours to verify compliance with this Agreement. In the event such audit discloses non-compliance with this Agreement, Customer shall promptly pay to Cisco the appropriate licensee fees.
Export. Software, including technical data, may be subject to U.S. export control laws, including the U.S. Export Administration Act and its associated regulations, and may be subject to export or import regulations in other countries. Customer agrees to comply strictly with all such regulations and acknowledges that it has the responsibility to obtain licenses to export, re-export, or import Software.
Restricted Rights. Cisco’s commercial software and commercial computer software documentation is provided to United States Government agencies in accordance with the terms of this Agreement, and per subparagraph “(c)” of the “Commercial Computer Software - Restricted Rights” clause at FAR 52.227-19 (June 1987). For DOD agencies, the restrictions set forth in the “Technical Data-Commercial Items” clause at DFARS 252.227-7015 (Nov 1995) shall also apply.
General. This Agreement shall be governed by and construed in accordance with the laws of the State of California, United States of America, as if performed wholly within the state and without giving effect to the principles of conflict of law. If any portion hereof is found to be void or unenforceable, the remaining provisions of this Agreement shall remain in full force and effect. Cisco hereby specifically disclaims the UN Convention on Contracts for the International Sale of Goods. Except as expressly provided herein, this Agreement constitutes the entire agreement between the parties with respect to the license of the Software and supersedes any conflicting or additional terms contained in the purchase order.

Contents

Preface
  Audience
  Organization
  Conventions
  Safety Overview
  Related Documentation
  Obtaining Documentation
  Cisco.com
  Documentation CD-ROM
  Ordering Documentation
  Documentation Feedback
  Obtaining Technical Assistance
  Cisco TAC Website
  Opening a TAC Case
  TAC Case Priority Definitions
  Obtaining Additional Publications and Information

Chapter 1 Product Overview
  Features
  Front Panel Description
  Status LED
  RJ-45 Connector
  Operation
  Traffic Flow

Chapter 2 Networking with the Content Switching Module
  Configuring Modes for Networking
  Configuring the Single Subnet (Bridge) Mode
  Configuring the Secure (Router) Mode
  CSM Networking Topologies
  CSM Inline, MSFC Not Involved
  CSM Inline, MSFC on Server Side
  CSM Inline, MSFC on Client Side
  CSM in Aggregate Mode
  Direct Server Return
  Routing with the CSM
  Protecting Against Denial-of-Service Attacks

Chapter 3 Getting Started
  Operating System Support
  Preparing to Configure the CSM
  Using the Command-Line Interface
  Accessing Online Help
  Saving and Restoring Configurations
  Configuring SLB Modes
  Mode Command Syntax
  Migrating Between Modes
  Differences Between CSM and RP Modes
  CSM Mode
  RP Mode
  Changing Modes
  CSM Mode to RP Mode
  RP Mode to CSM Mode
  Verifying the Configuration
  Configuration Overview
  Upgrading to a New Software Release
  Upgrading from the Supervisor Engine Bootflash
  Upgrading from a PCMCIA Card
  Upgrading from an External TFTP Server

Chapter 4 Configuring VLANs
  Configuring Client-Side VLANs
  Configuring Server-Side VLANs

Chapter 5 Configuring Real Servers and Server Farms
  Configuring Server Farms
  Configuring Real Servers
  Configuring Dynamic Feedback Protocol
  Configuring Client NAT Pools
  Configuring Server-Initiated Connections
  Configuring URL Hashing
  Configuring a URL Hashing Predictor
  Configuring Beginning and Ending Patterns

Chapter 6 Configuring Virtual Servers, Maps, and Policies
  Configuring Virtual Servers
  Configuring TCP Parameters
  Configuring Redirect Virtual Servers
  Configuring Maps
  Configuring Policies
  Configuring Generic Header Parsing
  Understanding Generic Header Parsing
  Generic Header Parsing Configuration
  Creating a Map for the HTTP Header
  Specifying Header Fields and Match Values
  Assigning an HTTP Header Map to a Policy
  Assigning the Policy to a Virtual Server
  Generic Header Parsing Example

Chapter 7 Configuring Redundant Connections
  Configuring Fault Tolerance
  Configuring HSRP
  HSRP Configuration Overview
  Creating the HSRP Gateway
  Creating Fault-Tolerant HSRP Configurations
  Configuring Connection Redundancy
  Configuring a Hitless Upgrade

Chapter 8 Configuring Additional Features and Options
  Configuring Sticky Groups
  Configuring Route Health Injection
  Understanding RHI
  RHI Overview
  Routing to VIP Addresses Without RHI
  Routing to VIP Addresses with RHI
  Understanding How the CSM Determines VIP Availability
  Understanding Propagation of VIP Availability Information
  Configuring RHI for Virtual Servers
  Environmental Variables
  Configuring Persistent Connections
  Configuring Global Server Load Balancing
  Using the GSLB Advanced Feature Set Option
  Configuring GSLB
  Configuring Network Management
  Configuring SNMP Traps for Real Servers
  Configuring the XML Interface

Chapter 9 Configuring Health Monitoring
  Configuring Probes for Health Monitoring
  Probe Configuration Commands
  Configuring an HTTP Probe
  Configuring an ICMP Probe
  Configuring a TCP Probe
  Configuring FTP, SMTP, and Telnet Probes
  Specifying the DNS Resolve Request
  Configuring Inband Health Monitoring
  Understanding Inband Health Monitoring
  Configuring Inband Health Monitoring
  Configuring HTTP Return Code Checking
  Understanding HTTP Return Code Checking
  Configuring HTTP Return Code Checking

Chapter 10 Configuring CSM Scripts
  Configuring TCL Scripts
  Loading Scripts
  Writing TCL Scripts
  UDP Commands
  Writing Health Scripts
  Writing Standalone Scripts
  Running TCL Scripts
  Running Probe Scripts
  Running Standalone TCL Scripts
  Halting TCL Scripts
  Configuring Scripts for Health Monitoring Probes

Chapter 11 Configuring Firewall Load Balancing
  Understanding How Firewalls Work
  Firewalls Types
  How the CSM Distributes Traffic to Firewalls
  Supported Firewalls
  Layer 3 Load Balancing to Firewalls
  Types of Firewall Configurations
  IP Reverse-Sticky for Firewalls
  CSM Firewall Configurations
  Fault-Tolerant CSM Firewall Configurations
  Configuring Stealth Firewall Load Balancing
  Stealth Firewall Configuration
  Stealth Firewall Configuration Example
  Configuring CSM A (Stealth Firewall Example)
  Configuring CSM B (Stealth Firewall Example)
  Configuring Regular Firewall Load Balancing
  Packet Flow in a Regular Firewall Configuration
  Regular Firewall Configuration Example
  Configuring CSM A (Regular Firewall Example)
  Configuring CSM B (Regular Firewall Example)
  Configuring Reverse-Sticky for Firewalls
  Understanding Reverse-Sticky for Firewalls
  Configuring Reverse-Sticky for Firewalls
  Configuring Stateful Firewall Connection Remapping

Appendix A Configuration Examples
  Configuring Router Mode with the MSFC on the Client Side
  Configuring Bridged Mode with the MSFC on the Client Side
  Configuring Probes
  Configuring Source NAT for Server-Originated Connections to the VIP
  Configuring Session Persistence (Stickiness)
  Direct Access to Servers in Router Mode
  Server-to-Server Load Balanced Connections
  Route Health Injection
  Server Names
  Backup Server Farm
  Balancing Based on the Source IP Address
  Layer 7 Load Balancing
  HTTP Redirect

Appendix B Troubleshooting and System Messages
  Troubleshooting
  System Messages

Appendix C CSM XML Document Type Definition

Preface

This preface describes who should read the Catalyst 6500 Series Content Switching Module Installation and Configuration Note, how it is organized, and its document conventions.
Note Except where specifically differentiated, the term “Catalyst 6500 series switches” includes both Catalyst 6500 series and Catalyst 6000 series switches.
This publication does not contain the instructions to install the Catalyst 6500 series switch chassis. For information on installing the switch chassis, refer to the Catalyst 6500 Series Switch Installation Guide.
Note For translations of the warnings in this publication, see the “Safety Overview” section on page xiv.

Audience

Only trained and qualified service personnel (as defined in IEC 60950 and AS/NZS3260) should install, replace, or service the equipment described in this publication.

Organization

This publication is organized as follows:
Chapter     Title                                            Description
Chapter 1   Product Overview                                 Presents an overview of the Catalyst 6500 series Content Switching Module (CSM).
Chapter 2   Networking with the Content Switching Module     Describes how the CSM operates on a network.
Chapter 3   Getting Started                                  Provides a quick start guide to content switching on the CSM.
Chapter 4   Configuring VLANs                                Describes how to set up client and server VLANs for the CSM.
Chapter 5   Configuring Real Servers and Server Farms        Describes how to configure load balancing on the CSM.
Chapter 6   Configuring Virtual Servers, Maps, and Policies  Describes how to configure health monitoring on the CSM.
Chapter 7   Configuring Redundant Connections                Describes how to configure fault tolerance, HSRP, connection redundancy, and hitless upgrades.
Chapter 8   Configuring Additional Features and Options      Describes how to configure sticky groups and route health injection (RHI), Global Server Load Balancing (GSLB), and network management.
Chapter 9   Configuring Health Monitoring                    Describes how to configure and monitor the health of servers and server farms.
Chapter 10  Configuring CSM Scripts                          Describes how to use Toolkit Command Language (TCL) scripts to configure the CSM.
Chapter 11  Configuring Firewall Load Balancing              Describes firewalls in a load-balancing configuration with the CSM.
Appendix A  Configuration Examples                           Lists sample CSM configurations.
Appendix B  Troubleshooting and System Messages              Provides troubleshooting information and lists system messages.
Appendix C  CSM XML Document Type Definition                 Lists CSM error messages with explanations about why they occurred and actions required to correct the problem.

Conventions

This publication uses the following conventions:
Convention            Description
boldface font         Commands, command options, and keywords are in boldface.
italic font           Arguments for which you supply values are in italics.
[ ]                   Elements in square brackets are optional.
{ x | y | z }         Alternative keywords are grouped in braces and separated by vertical bars.
[ x | y | z ]         Optional alternative keywords are grouped in brackets and separated by vertical bars.
string                A nonquoted set of characters. Do not use quotation marks around the string or the string will include the quotation marks.
screen font           Terminal sessions and information the system displays are in screen font.
boldface screen font  Information you must enter is in boldface screen font.
italic screen font    Arguments for which you supply values are in italic screen font.
^                     The symbol ^ represents the key labeled Control—for example, the key combination ^D in a screen display means hold down the Control key while you press the D key.
< >                   Nonprinting characters, such as passwords, are in angle brackets.
Notes use the following conventions:
Note Means reader take note. Notes contain helpful suggestions or references to material not covered in the publication.
Tips use the following conventions:
Tip Means the following information will help you solve a problem. The tips information might not be troubleshooting or even an action, but it could be useful information, similar to a Timesaver.
Cautions use the following conventions:
Caution Means reader be careful. In this situation, you might do something that could result in equipment damage or loss of data.

Safety Overview

Safety warnings appear throughout this publication in procedures that, if performed incorrectly, may harm you. A warning symbol precedes each warning statement.
Warning IMPORTANT SAFETY INSTRUCTIONS
This warning symbol means danger. You are in a situation that could cause bodily injury. Before you work on any equipment, be aware of the hazards involved with electrical circuitry and be familiar with standard practices for preventing accidents. Use the statement number provided at the end of each warning to locate its translation in the translated safety warnings that accompanied this device.
SAVE THESE INSTRUCTIONS
Statement 1071

Related Documentation

For more detailed installation and configuration information, refer to the following publications:
Site Preparation and Safety Guide
Regulatory Compliance and Safety Information for the Catalyst 6500 Series Switches
Catalyst 6500 Series Switch Installation Guide
Catalyst 6500 Series Switch Quick Software Configuration Guide
Catalyst 6500 Series Switch Module Installation Guide
Catalyst 6500 Series Switch Software Configuration Guide
Catalyst 6500 Series Switch Command Reference
Catalyst 6500 Series Switch Cisco IOS Software Configuration Guide
Catalyst 6500 Series Switch Cisco IOS Command Reference
ATM Software Configuration and Command Reference—Catalyst 5000 Family and Catalyst 6500 Series Switches
System Message Guide—Catalyst 6500 Series, 4000 Series, 2926G Series, 2948G, and 2980G Switches
Release Notes for Catalyst 6500 Series Switches and Cisco 7600 Series Router for Cisco IOS Release 12.1(8a)E3
Cisco IOS Configuration Guides and Command References—Use these publications to help you configure the Cisco IOS software that runs on the MSFC and on the MSM and ATM modules.
For information about MIBs, refer to:
http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml

Obtaining Documentation

Cisco provides several ways to obtain documentation, technical assistance, and other technical resources. These sections explain how to obtain technical information from Cisco Systems.

Cisco.com

You can access the most current Cisco documentation on the World Wide Web at this URL:
http://www.cisco.com/univercd/home/home.htm
You can access the Cisco website at this URL:
http://www.cisco.com
International Cisco websites can be accessed from this URL:
http://www.cisco.com/public/countries_languages.shtml

Documentation CD-ROM

Cisco documentation and additional literature are available in a Cisco Documentation CD-ROM package, which may have shipped with your product. The Documentation CD-ROM is updated regularly and may be more current than printed documentation. The CD-ROM package is available as a single unit or through an annual or quarterly subscription.
Registered Cisco.com users can order a single Documentation CD-ROM (product number DOC-CONDOCCD=) through the Cisco Ordering tool:
http://www.cisco.com/en/US/partner/ordering/ordering_place_order_ordering_tool_launch.html
All users can order annual or quarterly subscriptions through the online Subscription Store:
http://www.cisco.com/go/subscription

Ordering Documentation

You can find instructions for ordering documentation at this URL:
http://www.cisco.com/univercd/cc/td/doc/es_inpck/pdi.htm
You can order Cisco documentation in these ways:
Registered Cisco.com users (Cisco direct customers) can order Cisco product documentation from the Networking Products MarketPlace:
http://www.cisco.com/en/US/partner/ordering/index.shtml
Nonregistered Cisco.com users can order documentation through a local account representative by calling Cisco Systems Corporate Headquarters (California, USA) at 408 526-7208 or, elsewhere in North America, by calling 800 553-NETS (6387).

Documentation Feedback

You can submit comments electronically on Cisco.com. On the Cisco Documentation home page, click Feedback at the top of the page.
You can send your comments in e-mail to bug-doc@cisco.com.
You can submit comments by using the response card (if present) behind the front cover of your document or by writing to the following address:
Cisco Systems
Attn: Customer Document Ordering
170 West Tasman Drive
San Jose, CA 95134-9883
We appreciate your comments.

Obtaining Technical Assistance

For all customers, partners, resellers, and distributors who hold valid Cisco service contracts, the Cisco Technical Assistance Center (TAC) provides 24-hour, award-winning technical support services, online and over the phone. Cisco.com features the Cisco TAC website as an online starting point for technical assistance.

Cisco TAC Website

The Cisco TAC website (http://www.cisco.com/tac) provides online documents and tools for troubleshooting and resolving technical issues with Cisco products and technologies. The Cisco TAC website is available 24 hours a day, 365 days a year.
Accessing all the tools on the Cisco TAC website requires a Cisco.com user ID and password. If you have a valid service contract but do not have a login ID or password, register at this URL:
http://tools.cisco.com/RPF/register/register.do

Opening a TAC Case

The online TAC Case Open Tool (http://www.cisco.com/tac/caseopen) is the fastest way to open P3 and P4 cases (your network is minimally impaired or you require product information). After you describe your situation, the TAC Case Open Tool automatically recommends resources for an immediate solution. If your issue is not resolved using these recommendations, your case will be assigned to a Cisco TAC engineer.
For P1 or P2 cases (your production network is down or severely degraded) or if you do not have Internet access, contact Cisco TAC by telephone. Cisco TAC engineers are assigned immediately to P1 and P2 cases to help keep your business operations running smoothly.
To open a case by telephone, use one of the following numbers:
Asia-Pacific: +61 2 8446 7411 (Australia: 1 800 805 227)
EMEA: +32 2 704 55 55
USA: 1 800 553-2447
For a complete listing of Cisco TAC contacts, go to this URL:
http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml

TAC Case Priority Definitions

To ensure that all cases are reported in a standard format, Cisco has established case priority definitions.
Priority 1 (P1)—Your network is “down” or there is a critical impact to your business operations. You and Cisco will commit all necessary resources around the clock to resolve the situation.
Priority 2 (P2)—Operation of an existing network is severely degraded, or significant aspects of your business operation are negatively affected by inadequate performance of Cisco products. You and Cisco will commit full-time resources during normal business hours to resolve the situation.
Priority 3 (P3)—Operational performance of your network is impaired, but most business operations remain functional. You and Cisco will commit resources during normal business hours to restore service to satisfactory levels.
Priority 4 (P4)—You require information or assistance with Cisco product capabilities, installation, or configuration. There is little or no effect on your business operations.

Obtaining Additional Publications and Information

Information about Cisco products, technologies, and network solutions is available from various online and printed sources.
The Cisco Product Catalog describes the networking products offered by Cisco Systems, as well as ordering and customer support services. Access the Cisco Product Catalog at this URL:
http://www.cisco.com/en/US/products/products_catalog_links_launch.html
Cisco Press publishes a wide range of networking publications. Cisco suggests these titles for new and experienced users: Internetworking Terms and Acronyms Dictionary, Internetworking Technology Handbook, Internetworking Troubleshooting Guide, and the Internetworking Design Guide. For current Cisco Press titles and other information, go to Cisco Press online at this URL:
http://www.ciscopress.com
Packet magazine is the Cisco quarterly publication that provides the latest networking trends, technology breakthroughs, and Cisco products and solutions to help industry professionals get the most from their networking investment. Included are networking deployment and troubleshooting tips, configuration examples, customer case studies, tutorials and training, certification information, and links to numerous in-depth online resources. You can access Packet magazine at this URL:
http://www.cisco.com/go/packet
iQ Magazine is the Cisco bimonthly publication that delivers the latest information about Internet business strategies for executives. You can access iQ Magazine at this URL:
http://www.cisco.com/go/iqmagazine
Internet Protocol Journal is a quarterly journal published by Cisco Systems for engineering professionals involved in designing, developing, and operating public and private internets and intranets. You can access the Internet Protocol Journal at this URL:
http://www.cisco.com/en/US/about/ac123/ac147/about_cisco_the_internet_protocol_journal.html
Training—Cisco offers world-class networking training. Current offerings in network training are listed at this URL:
http://www.cisco.com/en/US/learning/le31/learning_recommended_training_list.html
CHAPTER 1

Product Overview

The Catalyst 6500 series Content Switching Module (CSM) provides high-performance server load balancing (SLB) among groups of servers, server farms, firewalls, caches, VPN termination devices, and other network devices, based on Layer 3 as well as Layer 4 through Layer 7 packet information.
Server farms are groups of load-balanced devices. Server farms that are represented as virtual servers can improve scalability and availability of services for your network. You can add new servers and remove failed or existing servers at any time without affecting the virtual server’s availability.
Clients connect to the CSM by directing their requests to the virtual IP (VIP) address of the virtual server. When a client initiates a connection to the virtual server, the CSM chooses a real server (a physical device that is assigned to a server farm) for the connection based on configured load-balancing algorithms and policies (access rules). Policies manage traffic by defining where to send client connections.
Sticky connections limit traffic to individual servers by allowing multiple connections from the same client to stick (or attach) to the same real server using source IP addresses, source IP subnets, cookies, and the Secure Sockets Layer (SSL), or by redirecting these connections using Hypertext Transfer Protocol (HTTP) redirect messages.
These sections describe the CSM:
Features
Front Panel Description
Operation
Traffic Flow

Features

Table 1-1 lists the new CSM features in this release.
Table 1-1 New CSM Feature Set Description
| Features New in this Release | Description |
|---|---|
| Added management features from release 3.1(1) | Includes the XML DTD (document definition type), the Cisco IOS MIB extensions for the CSM, and the system object identifier (SYSOB ID MIB). |
| Backup (sorry server) | Allows a backup at the real server level. |
| Denial of service (DoS) improvements | Allows TCP termination for all connections to the CSM, providing protection against SYN attacks. |
| Failover improvements | Provides enhancements for preempt delay, the forced failover command, Layer 2 MAC address rewrites, and improved tracking. |
| Idle and pending timeouts | Allows for the configuration of the idle and pending timeouts for server-initiated connections. |
| Improved TCL (Toolkit Command Language) functionality | Provides User Datagram Protocol (UDP) socket and global variable support. |
| Increased VLAN support | Supports up to 512 server and client VLANs. |
| Jumbo Frame support | Jumbo Frame support has been added to the CSM software release 3.2 to allow support of frames of up to 9 KB for Layer 4 load balancing. |
| Limited MIB write support | Allows you to change the weights of servers. |
| Load balancing per packet | Allows the CSM to make load balancing decisions without creating a flow. This feature is useful when load balancing UDP traffic with flows that exist for a short time period, such as DNS. |
| Route lookup | Allows the CSM to work more efficiently with upstream gateways regardless of their redundancy implementation (HSRP, VRRP, proprietary, etc.). |
| Stateful Firewall Load Balancing (FWLB) | Allows all connections, both existing and new, to fail over to the secondary firewall in a redundant pair. This feature works only with active-active stateful firewall configurations. |
| Static ARP entry | Provides the ability to manually add entries to the CSM ARP table. |
| Static sticky entries | The sticky table can be prepopulated with entries to force certain users to connect to specific servers. |
| Sticky debug tools | Includes a show command for the number of sticky table entries and the ability to enter a specific IP address and receive the sticky information for that IP address. |
| TCP fragments | Provides support for fragmented TCP packets. |
| UDP Probe | Provides the ability to send UDP probes to specified ports to verify that the CSM does not receive a “port unreachable” message. |
| XML configuration from TCL scripts | Adds the ability to send CSM configuration commands within a TCL script. |

Table 1-2 lists the CSM features available in this release and previous releases.
Table 1-2 CSM Feature Set Description
| Category | Features |
|---|---|
| Supported Hardware | Supervisor 1A with MSFC and PFC |
| | Supervisor 2 with MSFC and PFC |
| | Supervisor 720 (requires CSM software release 3.1(4) or later) |
| Supported Protocols | TCP load balancing |
| | UDP generic IP protocol load balancing |
| | Special application-layer support for FTP and the Real Time Streaming Protocol (RTSP) |
| Layer 7 Functionality | Full regular expression matching |
| | URL, cookie switching, Generic HTTP header parsing, HTTP method parsing |
| Miscellaneous Functionality | VIP connection watermarks |
| | Backup (sorry server) and server farm |
| | Optional port for health probes |
| | IP reassembly |
| | TCL (Toolkit Command Language) scripting |
| | XML configuration interface |
| | SNMP |
| | GSLB (Global Server Load Balancing), requires a license |
| | Resource usage display |
| | Configurable idle and pending connection timeout |
| | Idle timeout for unidirectional flows |
| | STE integration for SSL load balancing |
| | Real server names |
| | TCP connection redundancy for all types of flows (TCP, UDP, and IP) |
| | Fault tolerant show command enhancements |
| | IOS SLB FWLB interoperation (IP reverse-sticky) |
| | Multiple CSMs in a chassis |
| | CSM and IOS-SLB functioning simultaneously in a chassis |
| | Configurable HTTP 1.1 persistence (either all GETs are made to the same server or are balanced to multiple servers) |
| | Fully configurable NAT |
| | Server-initiated connections |
| | Route health injection |
| Load-balancing Algorithms | Round-robin |
| | Weighted round-robin (WRR) |
| | Least connections |
| | Weighted least connections |
| | URL hashing |
| | Source IP hashing (configurable mask) |
| | Destination IP hashing (configurable mask) |
| | Source and Destination IP hashing (configurable mask) |
| Load Balancing Supported | Server load balancing (TCP, UDP, or generic IP protocols) |
| | Firewall load balancing |
| | DNS load balancing |
| | Stealth firewall load balancing |
| | Transparent cache redirection |
| | Reverse proxy cache |
| | SSL off-loading |
| | VPN-IPsec load balancing |
| | Generic IP devices and protocols |
| Stickiness | Cookie sticky with configurable offset and length |
| | SSL ID |
| | Source IP (configurable mask) |
| | HTTP redirection |
| Redundancy | Sticky state |
| | Full stateful failover (connection redundancy) |
| Health Checking | HTTP |
| | ICMP |
| | Telnet |
| | TCP |
| | FTP |
| | SMTP |
| | DNS |
| | Return error-code checking |
| | Inband health checking |
| | User-defined TCL scripts |
| Management | SNMP traps |
| | Full SNMP and MIB support |
| | XML interface for remote CSM configuration |

Front Panel Description

Figure 1-1 shows the CSM front panel.
Figure 1-1 Content Switching Module Front Panel (figure not reproduced; callouts: Status LED, RJ-45 (Test) connector)
Note The RJ-45 connector is covered by a removable plate.

Status LED

When the CSM powers up, it initializes various hardware components and communicates with the supervisor engine. The Status LED indicates the supervisor engine operations and the initialization results. During the normal initialization sequence, the status LED changes from off to red, orange, and green.
Note For more information on the supervisor engine LEDs, refer to the Catalyst 6500 Series Switch Module Installation Guide.
Table 1-3 describes the Status LED operation.
Table 1-3 Content Switching Module Status LED
| Color | Description |
|---|---|
| Off | The module is waiting for the supervisor engine to provide power. |
| | The module is not online. |
| | The module is not receiving power, which could be caused by the following: power is not available to the CSM, or the module temperature is over the limit (note 1). |
| Red | The module is released from reset by the supervisor engine and is booting. |
| | If the boot code fails to run, the LED stays red after power up. |
| Orange | The module is initializing hardware or communicating with the supervisor engine. |
| | A fault occurred during the initialization sequence. |
| | The module has failed to download its Field Programmable Gate Arrays (FPGAs) on power up but continues with the remainder of the initialization sequence and provides the module online status from the supervisor engine. |
| | The module has not received module online status from the supervisor engine. This problem could be caused by the supervisor engine detecting a failure in an external loopback test that it issued to the CSM. |
| Green | The module is operational; the supervisor engine has provided module online status. |
| Green to orange | The module is disabled through the supervisor engine CLI (note 2) using the set module disable mod command. |

1. Enter the show environment temperature mod command to display the temperature of each of four sensors on the CSM.
2. CLI = command-line interface.

RJ-45 Connector

The RJ-45 connector, which is covered by a removable plate, is used to connect a management station device or a test device. This connector is used by field engineers to perform testing and to obtain dump information.

Operation

Clients and servers communicate through the CSM using Layer 2 and Layer 3 technology in a specific VLAN configuration. (See Figure 1-2.) In a simple Server Load Balancing (SLB) deployment, clients connect to the client-side VLAN and servers connect to the server-side VLAN. Servers and clients can exist on different subnets. Servers can also be located one or more Layer 3 hops away and connect to the CSM through routers.
A client sends a request to one of the module’s VIP addresses. The CSM forwards this request to a server that can respond to the request. The server then forwards the response to the CSM, and the CSM forwards the response to the client.
When the client-side and server-side VLANs are on the same subnets, you can configure the CSM in single subnet (bridge) mode. For more information, see the “Configuring the Single Subnet (Bridge) Mode” section on page 2-1.
When the client-side and server-side VLANs are on different subnets, you can configure the CSM to operate in a secure (router) mode. For more information, see the “Configuring the Secure (Router) Mode” section on page 2-4.
You can set up a fault-tolerant configuration in either the secure (router) or single subnet (bridged) mode using redundant CSMs. For more information, see the “Configuring Fault Tolerance” section on page 7-1.
Single subnet (bridge) mode and secure (router) mode can coexist in the same CSM with multiple VLANs.
Figure 1-2 Content Switching Module and Servers (figure not reproduced; labels: Catalyst 6500 chassis, router, Internet, client, content services gateway, 4 gigabit switching fabric, content provider)

Traffic Flow

This section describes how the traffic flows between the client and server in a CSM environment. (See Figure 1-3.)
Figure 1-3 Traffic Flow Between Client and Server (figure not reproduced; labels: client, DNS, Content Switching Module, www.example.com IP address, and a server pool of W, X, Y, and Z servers, with numbered callouts 1 through 6)
Note The numbers in Figure 1-3 correspond to the steps in the following procedure.
When you enter a request for information by entering a URL, the traffic flows as follows:
1. You enter a URL. (Figure 1-3 shows www.example.com as an example.)
2. The client contacts a DNS server to locate the IP address associated with the URL.
3. The DNS server sends the IP address of the virtual IP (VIP) to the client.
4. The client uses the IP address (CSM VIP) to send the HTTP request to the CSM.
5. The CSM receives the request with the URL, makes a load-balancing decision, and selects a server.
For example, in Figure 1-3, the CSM selects a server (X server) from the www.example.com server pool, replacing its own VIP address with the address of the X server (directed mode), and forwards the traffic to the X server. If the NAT server option is disabled, the VIP address remains unchanged (dispatch mode).
6. The CSM performs Network Address Translation (NAT) and eventually TCP sequence number translation.

CHAPTER 2

Networking with the Content Switching Module

This chapter describes networking the CSM and contains these sections:
Configuring Modes for Networking
CSM Networking Topologies
Routing with the CSM
Protecting Against Denial-of-Service Attacks

Configuring Modes for Networking

You can configure the CSM in a single subnet or bridged mode and a secure or router mode. These sections describe the modes:
Configuring the Single Subnet (Bridge) Mode
Configuring the Secure (Router) Mode

Configuring the Single Subnet (Bridge) Mode

In the single subnet (bridge) mode configuration, the client-side and server-side VLANs are on the same subnets. Figure 2-1 shows how the single subnet (bridge) mode configuration is set up.
Figure 2-1 Single Subnet (Bridge) Mode Configuration (figure not reproduced; labels: Router A gateway 192.158.38.20, Router B gateway 192.158.38.21, virtual server 1 192.158.38.30, Content Switching Module client-side 192.158.38.10 and server-side 192.158.39.10, VLAN 2, VLAN 3, client workstation, NAS router, content provider, Server A and Server B in Server Farm 1)
Note The addresses in Figure 2-1 refer to the steps in the following task table.
Note You configure single subnet (bridge) mode by assigning the same IP address to the CSM client and server VLANs.
To configure content switching for the single subnet (bridge) mode, perform this task:
| Step | Command | Purpose |
|---|---|---|
| 1 | Router(config-module-csm)# vlan database | Enters the VLAN mode (note 1). |
| 2 | Router(vlan)# vlan 2 | Configures a client-side VLAN (note 2). |
| 3 | Router(vlan)# vlan 3 | Configures a server-side VLAN. |
| 4 | Router(vlan)# exit | Exits the mode for the configuration to take effect. |
| 5 | Router(config-module-csm)# vlan 2 client | Creates the client-side VLAN 2 and enters the SLB VLAN mode (note 1). |
| 6 | Router(config-slb-vlan-client)# ip addr 192.158.38.10 255.255.255.0 | Assigns the CSM IP address on VLAN 2. |
| 7 | Router(config-slb-vlan-client)# gateway 192.158.38.20 | Defines the client-side VLAN gateway to Router A. |
| 8 | Router(config-slb-vlan-client)# gateway 192.158.38.21 | Defines the client-side VLAN gateway to Router B. |
| 9 | Router(config-module-csm)# vlan 3 server | Creates the server-side VLAN 3 and enters the SLB VLAN mode. |
| 10 | Router(config-slb-vlan-server)# ip addr 192.158.38.10 255.255.255.0 | Assigns the CSM IP address on VLAN 3. |
| 11 | Router(config-slb-vlan-server)# exit | Exits the submode. |
| 12 | Router(config-module-csm)# vserver VIP1 | Creates a virtual server and enters the SLB virtual server mode. |
| 13 | Router(config-slb-vserver)# virtual 192.158.38.30 tcp www | Creates a virtual IP address. |
| 14 | Router(config-slb-vserver)# serverfarm farm1 | Associates the virtual server with the server farm (note 3). |
| 15 | Router(config-module-csm)# inservice | Enables the server. |

1. Enter the exit command to leave a mode or submode. Enter the end command to return to the menu’s top level.
2. The no form of this command restores the defaults.
3. This step assumes that the server farm has already been configured. (See the “Configuring Server Farms” section on page 5-1.)
Note Set the server’s default routes to Router A’s gateway (192.158.38.20) or Router B’s gateway (192.158.38.21).

Configuring the Secure (Router) Mode

In secure (router) mode, the client-side and server-side VLANs are on different subnets.
To configure content switching in secure (router) mode, perform this task:
| Step | Command | Purpose |
|---|---|---|
| 1 | Router(config-module-csm)# vlan database | Enters the VLAN mode (note 1). |
| 2 | Router(vlan)# vlan 2 | Configures a client-side VLAN (note 2). |
| 3 | Router(vlan)# vlan 3 | Configures a server-side VLAN. |
| 4 | Router(vlan)# exit | Exits the mode for the configuration to take effect. |
| 5 | Router(config-module-csm)# vlan 2 client | Creates the client-side VLAN 2 and enters the SLB VLAN mode. |
| 6 | Router(config-slb-vlan-client)# ip addr 192.158.38.10 255.255.255.0 | Assigns the CSM IP address on VLAN 2. |
| 7 | Router(config-slb-vlan-client)# gateway 192.158.38.20 | Defines the client-side VLAN gateway to Router A. |
| 8 | Router(config-slb-vlan-client)# gateway 192.158.38.21 | Defines the client-side VLAN gateway to Router B. |
| 9 | Router(config-module-csm)# vlan 3 server | Creates the server-side VLAN 3 and enters the SLB VLAN mode. |
| 10 | Router(config-slb-vlan-server)# ip addr 192.158.39.10 255.255.255.0 | Assigns the CSM IP address on VLAN 3. |
| 11 | Router(config-slb-vlan-server)# exit | Exits the submode. |
| 12 | Router(config-module-csm)# vserver VIP1 | Creates a virtual server and enters the SLB virtual server mode. |
| 13 | Router(config-slb-vserver)# virtual 192.158.38.30 tcp www | Creates a virtual IP address. |
| 14 | Router(config-slb-vserver)# serverfarm farm1 | Associates the virtual server with the server farm (note 3). |
| 15 | Router(config-module-csm)# inservice | Enables the server. |

1. Enter the exit command to leave a mode or submode. Enter the end command to return to the menu’s top level.
2. The no form of this command restores the defaults.
3. This step assumes that the server farm has already been configured. (See the “Configuring Server Farms” section on page 5-1.)
Note Set the server’s default routes to the CSM’s IP address (192.158.39.10).
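The bridge-mode and router-mode task tables differ only in the address assigned to the server-side VLAN, so a configuration review can tell which mode a CSM will actually run in. The following Python audit is an added example, not part of the Cisco document: it applies the page's rules (same CSM address on client and server VLANs means bridge mode, different subnets means router mode) and reports the server default routes the two Notes call for. The function names and the sample configuration text are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample: the CSM VLAN and virtual-server commands from the two
# task tables, with the server-side address and second gateway as parameters.
TEMPLATE = """\
Router(config-module-csm)# vlan 2 client
Router(config-slb-vlan-client)# ip addr 192.158.38.10 255.255.255.0
Router(config-slb-vlan-client)# gateway 192.158.38.20
Router(config-slb-vlan-client)# gateway {gw_b}
Router(config-slb-vlan-client)# exit
Router(config-module-csm)# vlan 3 server
Router(config-slb-vlan-server)# ip addr {server_ip} 255.255.255.0
Router(config-slb-vlan-server)# exit
Router(config-module-csm)# vserver VIP1
Router(config-slb-vserver)# virtual 192.158.38.30 tcp www
Router(config-slb-vserver)# serverfarm farm1
Router(config-slb-vserver)# inservice
"""
BRIDGE_CONFIG = TEMPLATE.format(gw_b="192.158.38.21", server_ip="192.158.38.10")
ROUTER_CONFIG = TEMPLATE.format(gw_b="192.158.38.21", server_ip="192.158.39.10")

PROMPT = re.compile(r"^\S*[#>]\s*")  # strips "Router(config-...)# " if present


def parse_csm_vlans(text):
    """Collect CSM VLANs as {vlan_id: {"role", "iface", "gateways"}}."""
    vlans, current = {}, None
    for raw in text.splitlines():
        words = PROMPT.sub("", raw.strip()).split()
        if not words:
            continue
        if len(words) == 3 and words[0] == "vlan" and words[2] in ("client", "server"):
            current = vlans.setdefault(
                int(words[1]), {"role": words[2], "iface": None, "gateways": []})
        elif words[0] in ("exit", "end", "vserver"):
            current = None  # left the SLB VLAN submode
        elif (current is not None and len(words) == 4
              and words[0] == "ip" and words[1].startswith("addr")):
            # "ip addr <address> <netmask>" as typed in the task tables
            current["iface"] = ipaddress.ip_interface(f"{words[2]}/{words[3]}")
        elif current is not None and len(words) == 2 and words[0] == "gateway":
            current["gateways"].append(ipaddress.ip_address(words[1]))
    return vlans


def audit(text):
    """Classify each server VLAN as bridge or router mode and list findings."""
    vlans = parse_csm_vlans(text)
    clients = {n: v for n, v in vlans.items() if v["role"] == "client" and v["iface"]}
    servers = {n: v for n, v in vlans.items() if v["role"] == "server" and v["iface"]}
    modes, routes, findings = set(), [], []
    for n, srv in servers.items():
        same_ip = [c for c in clients.values() if c["iface"].ip == srv["iface"].ip]
        same_net = [m for m, c in clients.items()
                    if c["iface"].network.overlaps(srv["iface"].network)]
        if same_ip:
            # Bridge mode: servers keep the upstream routers as default route.
            modes.add("bridge")
            for c in same_ip:
                routes.extend(str(g) for g in c["gateways"])
        elif same_net:
            findings.append(
                f"server VLAN {n} shares a subnet with client VLAN {same_net[0]} "
                "but not the CSM address: matches neither documented mode")
        else:
            # Router mode: servers route through the CSM's server-side address.
            modes.add("router")
            routes.append(str(srv["iface"].ip))
    for n, c in clients.items():
        for gw in c["gateways"]:
            if gw not in c["iface"].network:
                findings.append(
                    f"client VLAN {n}: gateway {gw} is outside {c['iface'].network}")
    return {"modes": sorted(modes), "server_default_routes": routes,
            "findings": findings}


if __name__ == "__main__":
    for name, cfg in (("bridge", BRIDGE_CONFIG), ("router", ROUTER_CONFIG)):
        print(name, audit(cfg))
```

A review that expects secure (router) mode can treat any result other than `["router"]` with no findings as a configuration error.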

CSM Networking Topologies

This section describes CSM networking topologies and contains these sections:
CSM Inline, MSFC Not Involved
CSM Inline, MSFC on Server Side
CSM Inline, MSFC on Client Side
CSM in Aggregate Mode
Direct Server Return

CSM Inline, MSFC Not Involved

Figure 2-2 shows the CSM in a Layer 3 configuration without interaction with the MSFC.
Figure 2-2 CSM Inline, MSFC Not Involved (figure not reproduced; labels: Catalyst 6500, MSFC, servers, upstream router, client)
This configuration has these characteristics:
The MSFC is not routing CSM VLANs.
All server-to-server communications (direct Layer 3 or load balanced) are through the CSM.
The CSM must use static routes to the upstream router (default gateway).

CSM Inline, MSFC on Server Side

Figure 2-3 shows the CSM in a configuration where the MSFC is located on the server side.
Figure 2-3 CSM Inline, MSFC Located on Server Side (figure not reproduced; labels: upstream router, client, CSM, Catalyst 6500, MSFC, servers)
This configuration has these characteristics:
Server-to-server direct communications bypass the CSM.
Server-to-server load-balanced connections always require secure NAT (SNAT).
The CSM must use static routes to the upstream router (default gateway).
Routing protocols can be used in the back end.
Layer 2-rewrite is not possible.

CSM Inline, MSFC on Client Side

Figure 2-4 shows the CSM in a configuration where the MSFC is located on the client side.
Figure 2-4 CSM Inline, MSFC Located on the Client Side (figure not reproduced; labels: Client, Upstream router, Catalyst 6500, MSFC, CSM, Servers)
This configuration has these characteristics:
The configuration is easy to deploy.
Server-to-server Layer 3 communications pass through the CSM.
Routing protocols can be used between the MSFC and the upstream router.
All traffic to or from the servers passes through the CSM.

CSM in Aggregate Mode

Figure 2-5 shows the CSM in an aggregate-mode configuration.
Figure 2-5 CSM Located in Aggregate Mode (figure not reproduced; labels: Client, Upstream router, Catalyst 6500, MSFC, CSM, Servers)
This configuration has these characteristics:
The CSM is not inline and the module does not see unnecessary traffic.
Easy routing and CSM configuration.
Requires PBR or client SNAT because return traffic is required.
Server-to-server load-balanced connections always require SNAT.
Layer 2-rewrite is not possible.

Direct Server Return

Figure 2-6 shows the CSM in a direct server return configuration.
Figure 2-6 Direct Server Return (figure not reproduced; labels: Client, Upstream router, Catalyst 6500, MSFC, CSM, VIP, MAC rewrite, Servers)
This configuration has these characteristics:
High throughput or bandwidth is not required in the load balancer.
The load balancer does not recognize return traffic.
TCP flows always have to be timed out.
TCP termination is not possible (only Layer 4 load balancing).
Inband health monitoring is not possible.
Servers must be Layer 2-adjacent, with a loopback address.

Routing with the CSM

When forwarding and maintaining load-balancing connections, the CSM must make routing decisions. However, the CSM does not run any routing protocols and does not have access to the MSFC routing tables. The CSM builds its own routing table with three types of entries:
Directly attached IP subnets
These are the IP subnets configured on the CSM client or the server VLANs.
Default gateways
Default gateways are configured with the gateway keyword from within a client or server VLAN configuration submode. See Chapter 4, “Configuring VLANs.” In this release, you may have up to 511 default gateways. However, you cannot have more than seven default gateways for the same VLAN.
Most configurations have (or can be simplified to have) a single default gateway. This gateway points to the upstream router (or to an HSRP IP address that represents the upstream router pair), and eventually to various static routes.
Static routes
Static routes are configured with the route keyword from within a client or server VLAN configuration submode. See Chapter 4, “Configuring VLANs.” Static routes are very useful when some servers are not Layer 2 adjacent.
Multiple default gateways are supported; however, when the CSM needs to make a routing decision to an unknown destination, it randomly selects one of the gateways without your intervention or control. To control this behavior, use the predictor forward option described in the next paragraph.
There are three situations in which the CSM must make a routing decision:
Upon receiving a new connection.
At this time, the CSM needs to decide where to send the return traffic for that connection. Unlike other devices, the CSM will not perform a route lookup, but memorizes the source MAC address from where the first packet of the connection was received. Return traffic for that connection is sent back to the source MAC address. This behavior also works with redundancy protocols between upstream routers, such as HSRP.
The CSM is configured in router mode.
The servers are pointing to the CSM as their default gateway and the servers are originating connections.
A server farm is configured with the predictor forward option (see Chapter 5, “Configuring Real Servers and Server Farms”). This predictor instructs the CSM to route the connection instead of load balancing it.
In case of multiple gateways, the first two situations can be simplified by using a server farm configured with the gateway as a unique real server. See the example in the “Configuring Source NAT for Server-Originated Connections to the VIP” section on page A-7.

Protecting Against Denial-of-Service Attacks

The CSM implements a variety of features to protect the devices that it is load balancing and to protect itself from a DoS attack. You cannot configure many of these features because they are controlled by the CSM and adjust to the amount of incoming traffic.
The CSM provides these DoS-protection features:
SYN cookies
Note Do not confuse a SYN cookie with synchronization of cookies because these are different features. This discussion refers only to the SYN cookies feature.
When the number of pending connections exceeds a configurable threshold, the CSM begins using the SYN cookies feature, encrypting all of the connection state information in the sequence numbers that it generates. This action prevents the CSM from consuming any flow state for pending (not fully established) TCP connections. This behavior is fully implemented in hardware and provides good protection against SYN attacks.
Connection pending timeout
This feature is configurable on a per-virtual server basis and allows you to time out connections that have not been properly established within the configured timeout value specified in seconds.
Connection idle timeout
This feature is configurable on a per-virtual server basis, and allows you to time out established connections that have not been passing traffic for longer than an interval configured on a timer.
Generic TCP termination
Some connections may not require TCP termination for Layer 7 load balancing. You can configure any virtual server to terminate all incoming TCP connections before load balancing those connections to the real servers. This configuration allows you to take advantage of all the CSM DoS features located in Layer 4 load balancing environments.
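The SYN cookies feature described above (connection state carried in the generated sequence number, so that a pending connection holds no flow entry) can be illustrated with the generic SYN cookie construction. This is an added example, not the CSM's hardware implementation and not code from this publication; the HMAC-SHA256 MAC, the 64-second counter, the MSS table, the secret, and the sample addresses are assumptions chosen for illustration.

```python
import hashlib
import hmac
import socket
import struct

# Constructed parameters for this example (assumptions, not CSM values).
MSS_TABLE = (216, 536, 1024, 1220, 1360, 1400, 1440, 1460)  # 8 entries -> 3 bits
TICK_SECONDS = 64    # the 5-bit time counter advances once per tick
MAX_AGE_TICKS = 2    # accept cookies from the current tick or the 2 before it


def _mac24(secret, flow, client_isn, counter, mss_idx):
    """24-bit keyed MAC over everything the cookie must be bound to."""
    src_ip, src_port, dst_ip, dst_port = flow
    msg = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
           + struct.pack("!HHIIB", src_port, dst_port,
                         client_isn, counter, mss_idx))
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:3], "big")


def make_cookie(secret, flow, client_isn, client_mss, now):
    """Build the 32-bit sequence number for the SYN-ACK.

    Layout: 5 bits of time counter | 3 bits of MSS index | 24 bits of MAC.
    Nothing is stored: the function keeps no table of pending connections.
    """
    counter = int(now) // TICK_SECONDS
    mss_idx = 0  # floor: smallest entry if the client's MSS is below all of them
    for i, mss in enumerate(MSS_TABLE):
        if mss <= client_mss:
            mss_idx = i
    mac = _mac24(secret, flow, client_isn, counter, mss_idx)
    return ((counter & 0x1F) << 27) | (mss_idx << 24) | mac


def check_cookie(secret, flow, client_isn, ack_number, now):
    """Validate the ACK that completes the handshake.

    Returns the recovered MSS when ack_number - 1 is a cookie issued for this
    flow within the allowed age; returns None for forged, replayed-late, or
    wrong-flow values. State would be allocated only after this succeeds.
    """
    cookie = (ack_number - 1) & 0xFFFFFFFF
    t5 = cookie >> 27
    mss_idx = (cookie >> 24) & 0x07
    mac = cookie & 0xFFFFFF
    current = int(now) // TICK_SECONDS
    for age in range(MAX_AGE_TICKS + 1):
        counter = current - age
        if counter < 0 or (counter & 0x1F) != t5:
            continue
        expected = _mac24(secret, flow, client_isn, counter, mss_idx)
        if hmac.compare_digest(expected.to_bytes(3, "big"),
                               mac.to_bytes(3, "big")):
            return MSS_TABLE[mss_idx]
    return None


def demo():
    """Run one handshake with constructed sample values."""
    secret = b"constructed-demo-secret"
    # (client IP, client port, virtual server IP, virtual server port)
    flow = ("198.51.100.7", 40000, "10.10.111.100", 80)
    client_isn = 0x1A2B3C4D
    issued_at = 1_700_000_000
    cookie = make_cookie(secret, flow, client_isn, 1460, issued_at)
    return {
        "valid_ack": check_cookie(secret, flow, client_isn,
                                  cookie + 1, issued_at + 30),
        "forged_ack": check_cookie(secret, flow, client_isn,
                                   (cookie ^ 1) + 1, issued_at + 30),
        "late_ack": check_cookie(secret, flow, client_isn,
                                 cookie + 1, issued_at + 5 * TICK_SECONDS),
    }


if __name__ == "__main__":
    print(demo())
```

The trade-off is visible in the layout: only what fits in 32 bits survives the handshake, which is why the MSS is reduced to a table index and other TCP options are not carried.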

CHAPTER 3

Getting Started

This chapter describes what is required before you begin configuring the CSM and contains these sections:
Operating System Support, page 3-1
Preparing to Configure the CSM, page 3-1
Saving and Restoring Configurations, page 3-3
Configuring SLB Modes, page 3-3
Configuration Overview, page 3-9
Upgrading to a New Software Release, page 3-11

Operating System Support

The CSM is supported on switches running both the Catalyst operating system on the supervisor engine and Cisco IOS on the MSFC. The CSM is also supported on switches running Cisco IOS on both the supervisor engine and the MSFC.
Because the CSM is configured through the MSFC CLI, if you are using a switch running both the Catalyst operating system and Cisco IOS, you must first session into the MSFC for access to the MSFC CLI, from where the CSM is configured. When you access the MSFC CLI, the CSM configuration is identical for the Catalyst operating system and Cisco IOS switch.
All the Layer 2 configurations (such as VLAN and port associations) are performed on the supervisor engine when using a switch running both the Catalyst operating system and Cisco IOS.
Note When running the CSM on a switch with only the Cisco IOS software, configured VLANs are
automatically added to the trunk or channel that connects the CSM to the switch backplane. In a switch running both the Catalyst operating system and the Cisco IOS software, you will have to manually add the CSM VLANs to the trunk or channel.

Preparing to Configure the CSM

Before you configure the CSM, you must take these actions:
Be sure that the Cisco IOS versions for the switch and the module match. Refer to the Catalyst 6500 Series Switch Content Switching Module Installation Guide.
Before you can configure server load balancing, you must obtain the following information:
Network topology that you are using in your installation
Real server IP addresses
An entry for the CSM VIPs in the Domain Name Server (DNS) (if you want them to be reached through names)
Each virtual server’s IP address
Configure VLANs on the Catalyst 6500 series switch before you configure VLANs for the CSM. VLAN IDs must be the same for the switch and the module. Refer to the Catalyst 6500 Series Software Configuration Guide for details.
This example shows how to configure VLANs:
Router# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)# vlan 130
Router(config-vlan)# name CLIENT_VLAN
Router(config-vlan)# exit
Router(config)# vlan 150
Router(config-vlan)# name SERVER_VLAN
Router(config-vlan)# end
Place physical interfaces that connect to the servers or to the clients in the corresponding VLAN.
This example shows how to configure a physical interface as a Layer 2 interface and assign it to a VLAN:
Router>
Router> enable
Router# config
Router(config)# interface 3/1
Router(config-if)# switchport
Router(config-if)# switchport access vlan 150
Router(config-if)# no shutdown
Router(vlan)# exit
If the Multilayer Switch Function Card (MSFC) is used on the next-hop router on either the client
or the server-side VLAN, then you must configure the corresponding Layer 3 VLAN interface.
Caution You cannot use the MSFC simultaneously as the router for both the client and the server side unless
policy-based routing or source NAT is used and the CSM is configured in router mode. This situation occurs because the CSM must see both flow directions it load balances or forwards. If you use the CSM in bridge (single subnet) mode, do not configure the Layer 3 VLAN interface on the MSFC for both the client and the server side. If you use the CSM in router mode, do not configure the Layer 3 VLAN interface on the MSFC for both the client and the server side unless you properly configure policy-based routing or source NAT to direct return traffic back to the CSM.
This example shows how to configure the Layer 3 VLAN interface:
Router>
Router> enable
Router# config
Router(config)# interface vlan 130
Router(config-if)# ip address 10.10.1.10 255.255.255.0
Router(config-if)# no shutdown
Router(vlan)# exit

Using the Command-Line Interface

The software interface for the CSM is the Cisco IOS command-line interface. To understand the Cisco IOS command-line interface and Cisco IOS command modes, refer to Chapter 2 in the Catalyst 6500 Series Switch Cisco IOS Software Configuration Guide.
Note Because of each prompt’s character limit, some prompts may be truncated. For example:
Router(config-slb-vlan-server)# may appear as Router(config-slb-vlan-serve)#.

Accessing Online Help

In any command mode, you can get a list of available commands by entering a question mark (?) as follows:
Router> ?
or
Router(config)# module csm 5
Router(config-module-csm)# ?

Note Online help shows the default configuration values and ranges available to commands.

Saving and Restoring Configurations

For information about saving and restoring configurations, refer to the Catalyst 6500 Series Switch Cisco IOS Software Configuration Guide.

Configuring SLB Modes

Server load balancing on the Catalyst 6500 series switch can be configured to operate in two modes: the routed processor (RP) mode and the CSM mode. The switch configuration does not affect CSM operation. By default, the CSM is configured in RP mode. The RP mode allows you to configure one or multiple CSMs in the same chassis and run Cisco IOS SLB on the same switch.
Note The RP mode is the default mode and is the recommended mode. The CSM mode is used only for
backward compatibility with CSM software images previous to 2.1. When installing a new CSM or CSM image, use the RP mode.
CSM mode allows you to configure a single CSM only. The CSM mode is supported for backward compatibility with previous software releases. The single CSM configuration will not allow Cisco IOS SLB to run on the same switch.
The following sections provide information about the modes:
Mode Command Syntax, page 3-4
Migrating Between Modes, page 3-5
Differences Between CSM and RP Modes, page 3-5
Changing Modes, page 3-7

Mode Command Syntax

Before you can enter CSM configuration commands on the switch, you must specify the CSM that you want to configure. To specify a CSM for configuration, use the module csm slot-number command. The slot-number value is the chassis slot where the CSM being configured is located.
The module csm command places you in CSM configuration submode. All additional configuration commands that you enter apply to the CSM installed in the slot you have specified.
Note Unless otherwise specified, all the examples in this publication assume that you have already entered
this command and entered the configuration submode for the CSM you are configuring.
The command syntax for CSM mode and RP mode configuration is identical with these exceptions:
When configuring in CSM mode, you must prefix each top-level command with ip slb.
Prompts are different for CSM mode and for RP mode configurations.
To configure a virtual server for a CSM in slot 5, perform this task:
Step    Command                                  Purpose
Step 1  Router(config)# module csm 5             Specifies the location of the CSM you are configuring.
Step 2  Router(config-module-csm)# vserver VS1   Configures the virtual server.
This example shows the complete list of CSM commands in the config-module-csm mode.
Router# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)# module csm 5
Router(config-module-csm)# ?
SLB CSM module config
  arp          configure a static ARP entry
  capp         configure Content Application Peering Protocol
  default      Set a command to its defaults
  dfp          configure Dynamic Feedback Protocol manager
  exit         exit SLB CSM module submode
  ft           configure CSM fault tolerance (ft) feature
  map          configure an SLB map
  natpool      configure client nat pool
  no           Negate a command or set its defaults
  owner        configure server owner
  policy       configure an SLB policy
  probe        configure an SLB probe
  real         configure module real server
  script       configure script files and tasks
  serverfarm   configure a SLB server farm
  static       configure static NAT for server initiated connections
  sticky       configure a sticky group
  variable     configure an environment variable
  vlan         configure a vlan
  vserver      configure an SLB virtual server
  xml-config   settings for configuration via XML

Migrating Between Modes

Existing CSM configurations are migrated to the new configuration when the mode is changed from CSM to RP using the ip slb mode command. If a CSM configuration exists, you are prompted for the slot number.
You can migrate from an RP mode configuration to CSM mode configuration on the Catalyst 6500 series switch. You can migrate manually only from a Cisco IOS SLB configuration to a CSM configuration.

Differences Between CSM and RP Modes

The CSM and RP modes only affect the way in which the CSM is configured from CLI, not the operation and functionalities of the CSM itself. The RP mode is required to configure multiple CSMs in one chassis as well as the Cisco IOS SLB in the same chassis with a CSM.
CSM Mode
You can use the ip slb mode csm command mode to configure a CSM in 1.x releases. This mode allows the configuration of a single CSM in the chassis (other CSMs or Cisco IOS SLB cannot be configured in the same chassis).
In this mode, all the CSM configuration commands begin with ip slb.
CSM show commands begin with show ip slb.
This mode is not recommended if you are using CSM 2.1 or later releases, where it is provided as an option in the Cisco IOS CLI for backward compatibility.
The following is an example of a configuration for a single CSM in the chassis:
Cat6k# show running-config
Building configuration...

Current configuration : 5617 bytes

ip slb mode csm
ip slb vlan 110 server
 ip address 10.10.110.1 255.255.255.0

ip slb vlan 111 client
 ip address 10.10.111.2 255.255.255.0
 gateway 10.10.111.1

ip slb probe HTTP_TEST http
 request method get url /probe/http_probe.html
 expect status 200
 interval 5
 failed 5

ip slb serverfarm WEBFARM
 nat server
 no nat client
 real 10.10.110.10
  inservice
 real 10.10.110.20
  inservice
 probe HTTP_TEST

ip slb vserver HTTPVIP
 virtual 10.10.111.100 tcp www
 persistent rebalance
 serverfarm WEBFARM
 inservice
RP Mode
You can use the ip slb mode rp command mode (the default) to configure multiple CSMs in a chassis with Cisco IOS SLB. You can only configure the CSM using this mode starting from release 2.1.
In this mode, the CSM is configured from this command submode:
mod csm X
The X is the slot number of the CSM that you want to configure.
CSM show commands start with show mod csm X.
Beginning with CSM software release 2.1, the RP mode is the recommended mode when configuring the CSM. While in this mode, all the commands that begin with ip slb apply to Cisco IOS SLB and not to a CSM in the chassis.
The following is an example of a configuration for a single CSM in the chassis:
Cat6k# show running-config
Building configuration...

Current configuration : 5597 bytes
!---
module ContentSwitchingModule 5
 vlan 110 server
  ip address 10.10.110.1 255.255.255.0

 vlan 111 client
  ip address 10.10.111.2 255.255.255.0
  gateway 10.10.111.1

 probe HTTP_TEST http
  request method get url /probe/http_probe.html
  expect status 200
  interval 5
  failed 5

 serverfarm WEBFARM
  nat server
  no nat client
  real 10.10.110.10
   inservice
  real 10.10.110.20
   inservice
  probe HTTP_TEST

 vserver HTTPVIP
  virtual 10.10.111.100 tcp www
  persistent rebalance
  serverfarm WEBFARM
  inservice

Changing Modes

You can change the CSM operating mode from CSM mode to RP mode or RP mode to CSM mode. The next sections provide examples of how to change the modes.
CSM Mode to RP Mode
This example shows how to change from CSM mode to RP mode. This example is typical of a migration from CSM 1.x to 2.1 or later releases and does not require a module reset.
Cat6k# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Cat6k(config)# ip slb mode ?
  csm  SLB in Content Switching Module
  rp   SLB in IOS system
Cat6k(config)# ip slb mode rp
% The current SLB mode is CSM-SLB.
% You are selecting RP-SLB mode.
% All configuration for CSM-SLB will be moved to module submode.
% Confirm switch to RP-SLB mode? [no]: yes
% Enter slot number for CSM module configuration, 0 for none [5]: 5
% Please save the configuration.
Cat6k(config)# end
Cat6k# write
Building configuration...
[OK]
Cat6k#
RP Mode to CSM Mode
This example shows how to migrate from RP mode to CSM mode and requires a module reset:
Cat6k# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Cat6k(config)# ip slb mode ?
  csm  SLB in Content Switching Module
  rp   SLB in IOS system
Cat6k(config)# ip slb mode csm
% The current SLB mode is RP-SLB.
% You are selecting CSM-SLB.
% All SLB configurations for RP will be ERASED.
% After execution of this command, you must
% write the configuration to memory and reload.
% CSM-SLB module configuration will be moved to ip slb submodes.
% Confirm switch to CSM-SLB mode? [no]: yes
% Enter slot number for CSM module configuration, 0 for none [5]: 5
% Please save the configuration and reload.
Cat6k(config)# end
Cat6k# write
Building configuration...
Cat6k# reload
Proceed with reload? [confirm] y
Verify Mode Operation

Verifying the Configuration

To confirm that your configuration is working properly, use these commands in the RP mode:
Cat6k# show ip slb mode
SLB configured mode = rp
Cat6k# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Catk6-1(config)# ip slb ?
  dfp           configure Dynamic Feedback Protocol manager
  entries       initial and maximum SLB entries
  firewallfarm  configure an SLB firewall farm
  mode          configure SLB system mode
  natpool       define client nat pool
  probe         configure an SLB probe
  serverfarm    configure an SLB server farm
  vserver       configure an SLB virtual server
To confirm that your configuration is working properly, use these commands in the Cisco IOS SLB mode:
Cat6k(config)# module csm 5
Cat6k(config-module-csm)# ?
SLB CSM module config
  default     Set a command to its defaults
  dfp         configure Dynamic Feedback Protocol manager
  exit        exit SLB CSM module submode
  ft          configure CSM fault tolerance (ft) feature
  map         configure an SLB map
  natpool     configure client nat pool
  no          Negate a command or set its defaults
  policy      configure an SLB policy
  probe       configure an SLB probe
  serverfarm  configure an SLB server farm
  static      configure static NAT for server initiated connections
  sticky      configure a sticky group
  vlan        configure a vlan
  vserver     configure an SLB virtual server
To confirm that a single CSM in the chassis configuration is working properly, use these commands in the CSM mode:
Cat6k# show ip slb mode
SLB configured mode = csm
Catk6-1# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Cat6k(config)# ip slb ?
  dfp         configure Dynamic Feedback Protocol manager
  ft          configure CSM fault tolerance (ft) feature
  map         configure an SLB map
  mode        configure SLB system mode
  natpool     configure client nat pool
  policy      configure an SLB policy
  probe       configure an SLB probe
  serverfarm  configure an SLB server farm
  static      configure static NAT for server initiated connections
  sticky      configure a sticky group
  vlan        configure a vlan
  vserver     configure an SLB virtual server

Configuration Overview

The configuration process described here assumes that the switch is in the RP mode. Figure 3-1 shows an overview of the required and optional operations in the configuration process.
Note Configuring policies is not necessary for Layer 4 load balancing.
Figure 3-1 Configuration Overview (flowchart not reproduced). Boxes between Start and End, with the command shown in each: VLAN configuration (vlan X {client|server}); keepalives configuration (probe NAME TYPE); NAT pools configuration (natpool NAME); real server name / IP configuration (real NAME); server farms configuration (server farm NAME); real servers configuration (real IP or real name NAME); maps / reg-exp configuration (map NAME TYPE); IOS standard ACLs (access-list …); sticky groups (sticky GROUP TYPE); policy configurations; virtual servers configurations (vserver NAME). Labels on the flowchart: “HIGHLY RECOMMENDED”; “If user wants to configure source NAT for a server farm”; “If user wants to associate server names and IPs”; “If the server farm needs to be selected based on Layer 7 information or source IP”; “If load balancing needs to be made on HTTP header, URL or cookies”; “If load balancing needs to be made on source IP address”; “If clients needs to be “stuck” to servers based on source IP, cookies, SSL ID”.
To configure the required parameters, see the following sections:
Configuring Client-Side VLANs, page 4-2
Configuring Server-Side VLANs, page 4-3
Configuring Server Farms, page 5-1
Configuring Real Servers, page 5-2
Configuring Virtual Servers, page 6-1
After you configure the required load-balancing parameters on the CSM, you can configure the optional parameters in the following sections:
Configuring Redirect Virtual Servers, page 6-5
Configuring Client NAT Pools, page 5-5
Configuring Server-Initiated Connections, page 5-6
Configuring TCP Parameters, page 6-4
To work with advanced configurations, refer to the following sections in Chapter 2 through Chapter 11:
Configuring the Single Subnet (Bridge) Mode, page 2-1
Configuring the Secure (Router) Mode, page 2-4
Configuring URL Hashing, page 5-6
Configuring Generic Header Parsing, page 6-12
Configuring Route Health Injection, page 8-2
Configuring Fault Tolerance, page 7-1
Configuring Persistent Connections, page 8-8
Configuring HSRP, page 7-5
Configuring Connection Redundancy, page 7-8
Configuring SNMP Traps for Real Servers, page 8-13
Configuring Probes for Health Monitoring, page 9-1
Configuring Inband Health Monitoring, page 9-7
Configuring HTTP Return Code Checking, page 9-8
Configuring TCL Scripts, page 10-1
Configuring Stealth Firewall Load Balancing, page 11-7
Configuring Regular Firewall Load Balancing, page 11-16
Configuring Reverse-Sticky for Firewalls, page 11-24

Upgrading to a New Software Release

This section describes three methods for upgrading the CSM:
Upgrading from the Supervisor Engine Bootflash, page 3-11
Upgrading from a PCMCIA Card, page 3-12
Upgrading from an External TFTP Server, page 3-14
Note When upgrading to a new software release, you must upgrade the CSM image before upgrading the
Cisco IOS image. Failure to do so causes the supervisor engine not to recognize the CSM. In this case, you would have to downgrade the Cisco IOS image, upgrade the CSM image, and then upgrade the Cisco IOS image.
To upgrade the CSM, you need to session into the CSM module being upgraded. During the upgrade, enter all commands on a console connected to the supervisor engine. Enter each configuration command on a separate line. To complete the upgrade, enter the exit command to return to the supervisor engine prompt. See the “Configuring SLB Modes” section on page 3-3.
Caution You must enter the exit command to terminate sessions with the CSM that is being upgraded. If you do
not terminate the session and you remove the CSM from the Catalyst 6500 series chassis, you cannot enter configuration commands to the CSM unless you press Ctrl + ^, enter x, and enter the disconnect command at the prompt.

Upgrading from the Supervisor Engine Bootflash

Note Refer to the Catalyst 6500 Series Supervisor Engine Flash PC Card Installation Note for instructions
on loading images into bootflash.
To upgrade the CSM from the supervisor engine bootflash, perform these steps:
Step 1 Enable the TFTP server to supply the image from bootflash as follows:
Router>
Router> enable
Router# configure terminal
Router(config)# tftp-server sup-bootflash:c6slb-apc.revision-num.bin
Router(config)#
Step 2 Set up a session between the supervisor engine and the CSM:
Router# session slot csm-slot-number processor 0
Step 3 Load the image from the supervisor engine to the CSM:
CSM> upgrade 127.0.0.zz c6slb-apc.revision-num.bin
The zz is 12 if the supervisor engine is installed in chassis slot 1. The zz is 22 if the supervisor engine is installed in chassis slot 2.
Note The supervisor engine 1 and 2 can only be installed in chassis slot 1 or slot 2.
The IP address of a linecard on the backplane is designated 127.0.0.XY, where X is the slot number and Y is the processor number. In a supervisor engine 1 and supervisor engine 2, the LCP was processor 0, the SP was processor 1, and the RP was processor 2. The CSM always upgrades from the RP. For example, if you have a supervisor engine 1 or supervisor engine 2 in slot 1, the address to upgrade from would be 127.0.0.12 (X = slot1, Y = processor 2). If the supervisor engine 1 or supervisor engine 2 were in slot 2, the address to upgrade from would be 127.0.0.22.
In the case of the supervisor engine 720, the LCP and the SP are consolidated into one processor, and the numbering scheme is changed. The processor that services both LCP functionality and the SP is numbered processor 0, and the RP is numbered processor 1. If the supervisor engine 720 is in slot 1, the upgrade takes place from IP address 127.0.0.11 (X = slot1, Y = processor 1).
Step 4 Close the session to the CSM, and return to the Cisco IOS prompt:
CSM> exit
Step 5 Reboot the CSM by power cycling the CSM or by entering the following commands on the supervisor engine console:
Router(config)# hw-module module csm-slot-number reset

Upgrading from a PCMCIA Card

Note Throughout this publication, the term Flash PC card is used in place of the term PCMCIA card.
To upgrade the CSM from a removable Flash PC card inserted in the supervisor engine, perform these steps:
Step 1 Enable the TFTP server to supply the image from the removable Flash PC card:
Router>
Router> enable
Router# configure terminal
Router(config)# tftp-server slotx:c6slb-apc.revision-num.bin
The x value is 0 if the Flash PC card is installed in supervisor engine PCMCIA slot 0.
Step 2 Set up a session between the supervisor engine and the CSM:
Router# session slot csm-slot-number processor 0
Step 3 Load the image from the supervisor engine to the CSM:
CSM> upgrade slot0: c6slb-apc.revision-num.bin
Note The supervisor engine can only be installed in chassis slot 1 or slot 2.
Step 4 Close the session to the CSM and return to the IOS prompt:
CSM> exit
Step 5 Reboot the CSM by power cycling the CSM or by entering the following commands on the supervisor engine console:
Router# hw-module module csm-slot-number reset

Upgrading from an External TFTP Server

To upgrade the CSM from an external TFTP server, perform these steps:
Step 1 Create a VLAN on the supervisor engine for the TFTP CSM runtime image download.
Note You can use an existing VLAN; however, for a reliable download, you should create a VLAN specifically for the TFTP connection.
Step 2 Configure the interface that is connected to your TFTP server.
Step 3 Add the interface to the VLAN.
Step 4 Enter the CSM vlan command.
See Chapter 4, “Configuring VLANs” for more information.
Step 5 Add an IP address to the VLAN for the CSM.
Step 6 Enter the show csm slot vlan detail command to verify your configuration.
See Chapter 4, “Configuring VLANs” for more information.
Step 7 Verify the CSM connectivity to the TFTP server:
Router# ping module csm csm-slot-number TFTP-server-IP-address
Step 8 Set up a session between the supervisor engine and the CSM:
Router# session slot csm-slot-number processor 0
Step 9 Upgrade the image:
CSM> upgrade TFTP-server-IP-address c6slb-apc.rev-number.bin
Step 10 Close the session to the CSM and return to the Cisco IOS prompt:
CSM> exit
Step 11 Reboot the CSM by power cycling the CSM or by entering the following commands on the supervisor engine console:
Router# hw-module module csm-slot-number reset
3-14
Catalyst 6500 Series Content Switching Module Configuration Note
OL-4612-01
Page 53
CHAPTER
4

Configuring VLANs

This chapter describes how to configure VLANs on the CSM and contains these sections:
Configuring Client-Side VLANs
Configuring Server-Side VLANs
When you install the CSM in a Catalyst 6500 series switch, you need to configure client-side and server-side VLANs. (See Figure 4-1.)
The client-side and server-side VLAN terminology logically distinguishes the VLANs facing the clients from the VLANs connecting to the servers or destination devices. However, CSM client and server VLANs function very similarly. For example, new connections can be received on a server VLAN, and then be load-balanced out to a client VLAN.
The differences between client-side and server-side VLANs are as follows:
When configuring bridge mode, you cannot bridge two server VLANs or two client VLANs. You can only bridge a client and a server VLAN.
Denial of service (DoS) protection features are more aggressive on the client-side VLANs, especially when rate limiting control traffic that is sent to the central processing unit.
Note You must configure VLANs on the Catalyst 6500 series switch before you configure VLANs for the CSM. VLAN IDs must be the same for the switch and the module.
Figure 4-1 Configuring VLANs
[Figure not reproduced. Labels: client, Internet, gateway router 1 and gateway router 2 (HSRP/VRRP), client side VLAN IP address, Catalyst 6500 Content Switching Module, IP address server side VLAN (or alias IP), servers, router, gateway router. Callouts 1 and 2 refer to the diagram notes.]
Diagram notes:
1— The CSM does not perform a Layer 3 lookup to forward traffic; the CSM cannot respond to ICMP redirects.
2— You can configure up to 7 gateways per VLAN for up to 511 client and server VLANs and up to 224 gateways for the entire system. If an HSRP gateway is configured, the CSM uses 3 of the 224 gateway entries because traffic can come from the virtual and physical MAC addresses of the HSRP group. (See the “Configuring HSRP” section on page 7-5.) The fault tolerant VLAN does not use an IP interface, so it does not apply toward the 512 VLAN limit.

Configuring Client-Side VLANs

To configure client-side VLANs, perform this task:
Caution You cannot use VLAN 1 as a client-side or server-side VLAN for the CSM.
Step 1
Command: Router(config-module-csm)# vlan vlanid client
Purpose: Configures the client-side VLANs and enters the client VLAN mode [1].
Step 2
Command: Router(config-slb-vlan-client)# ip ip-address netmask
Purpose: Configures an IP address to the CSM used by probes and ARP requests on this particular VLAN [2].
Step 3
Command: Router(config-slb-vlan-client)# gateway ip-address
Purpose: Configures the gateway IP address.
1. Enter the exit command to leave a mode or submode. Enter the end command to return to the menu’s top level.
2. The no form of this command restores the defaults.
This example shows how to configure the CSM for client-side VLANs:
Router(config-module-csm)# vlan 130 client
Router(config-slb-vlan-client)# ip addr 123.44.50.6 255.255.255.0
Router(config-slb-vlan-client)# gateway 123.44.50.1
Router(config-slb-vlan-client)# exit
Router# show module csm vlan 1

Configuring Server-Side VLANs

To configure server-side VLANs, perform this task:
Step 1
Command: Router(config-module-csm)# vlan vlanid server
Purpose: Configures the server-side VLANs and enters the server VLAN mode [1].
Step 2
Command: Router(config-slb-vlan-server)# ip ip-address netmask
Purpose: Configures an IP address for the server VLAN [2].
Step 3
Command: Router(config-slb-vlan-server)# alias ip-address netmask
Purpose: (Optional) Configures multiple IP addresses to the CSM as alternate gateways for the real server [3].
Step 4
Command: Router(config-slb-vlan-server)# route ip-address netmask gateway gw-ip-address
Purpose: Configures a static route to reach the real servers if they are more than one Layer 3 hop away from the CSM.
Step 5
Command: Router# show module csm slot vlan [client | server | ft] [id vlan-id] [detail]
Purpose: Displays the client-side and server-side VLAN configurations.
1. Enter the exit command to leave a mode or submode. Enter the end command to return to the menu’s top level.
2. The no form of this command restores the defaults.
3. The alias is required in the redundant configuration. (See Chapter 7, “Configuring Redundant Connections”.)
This example shows how to configure the CSM for server-side VLANs:
Router(config-module-csm)# vlan 150 server
Router(config-slb-vlan-server)# ip addr 123.46.50.6 255.255.255.0
Router(config-slb-vlan-server)# alias 123.60.7.6 255.255.255.0
Router(config-slb-vlan-server)# route 123.50.0.0 255.255.0.0 gateway 123.44.50.1
Router(config-slb-vlan-server)# exit
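A pre-change audit for the limits this chapter states (no VLAN 1, VLAN IDs matching the switch, at most 7 gateways per VLAN, 224 gateway entries with an HSRP gateway costing 3), as an added example that is not part of the Cisco configuration note. It parses commands as typed in the examples above; the sample input, the function names and the caller-supplied list of HSRP gateway addresses are assumptions.

```python
import re

MAX_GATEWAYS_PER_VLAN = 7   # per-VLAN limit from the Figure 4-1 notes
MAX_GATEWAY_ENTRIES = 224   # gateway entries for the entire system
HSRP_ENTRY_COST = 3         # an HSRP gateway uses 3 of the 224 entries

# Strips an IOS prompt such as "Router(config-module-csm)# " from a line.
PROMPT = re.compile(r"^[\w.-]+(\([\w-]+\))?\s*[#>]\s*")

# Constructed sample input (not taken from a real device).
SAMPLE = """\
Router(config-module-csm)# vlan 130 client
Router(config-slb-vlan-client)# ip addr 123.44.50.6 255.255.255.0
Router(config-slb-vlan-client)# gateway 123.44.50.1
Router(config-slb-vlan-client)# exit
Router(config-module-csm)# vlan 1 server
Router(config-slb-vlan-server)# ip addr 10.9.9.6 255.255.255.0
Router(config-slb-vlan-server)# exit
Router(config-module-csm)# vlan 150 server
Router(config-slb-vlan-server)# ip addr 123.46.50.6 255.255.255.0
Router(config-slb-vlan-server)# route 123.50.0.0 255.255.0.0 gateway 123.44.50.1
"""


def parse_vlans(text):
    """Return {vlan_id: {"side": ..., "gateways": [...]}} from CSM commands."""
    vlans, current = {}, None
    for raw in text.splitlines():
        line = PROMPT.sub("", raw.strip(), count=1)
        m = re.fullmatch(r"vlan\s+(\d+)\s+(client|server)", line)
        if m:
            current = int(m.group(1))
            vlans[current] = {"side": m.group(2), "gateways": []}
            continue
        # Only the "gateway" command counts; "route ... gateway ..." does not match.
        m = re.fullmatch(r"gateway\s+(\S+)", line)
        if m and current is not None:
            vlans[current]["gateways"].append(m.group(1))
        elif line in ("exit", "end"):
            current = None
    return vlans


def audit(text, switch_vlans, hsrp_gateways=()):
    """Return (findings, gateway_entries_used) for the limits in this chapter."""
    findings, entries = [], 0
    for vid, vlan in sorted(parse_vlans(text).items()):
        gws = vlan["gateways"]
        if vid == 1:
            findings.append(f"vlan 1: VLAN 1 cannot be used as a {vlan['side']}-side VLAN")
        if vid not in switch_vlans:
            findings.append(f"vlan {vid}: not configured on the switch")
        if len(gws) > MAX_GATEWAYS_PER_VLAN:
            findings.append(f"vlan {vid}: {len(gws)} gateways, limit is {MAX_GATEWAYS_PER_VLAN}")
        entries += sum(HSRP_ENTRY_COST if gw in hsrp_gateways else 1 for gw in gws)
    if entries > MAX_GATEWAY_ENTRIES:
        findings.append(f"system: {entries} gateway entries, limit is {MAX_GATEWAY_ENTRIES}")
    return findings, entries


if __name__ == "__main__":
    found, used = audit(SAMPLE, switch_vlans={1, 130, 150},
                        hsrp_gateways={"123.44.50.1"})
    print(f"gateway entries used: {used}")
    for finding in found:
        print(finding)
```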

CHAPTER 5

Configuring Real Servers and Server Farms

This chapter describes how to configure the servers and server farms and contains these sections:
Configuring Server Farms
Configuring Real Servers
Configuring Dynamic Feedback Protocol
Configuring Client NAT Pools
Configuring Server-Initiated Connections
Configuring URL Hashing

Configuring Server Farms

A server farm or server pool is a collection of servers that contain the same content. You specify the server farm name when you configure the server farm and add servers to it, and when you bind the server farm to a virtual server. When you configure server farms, do the following:
Name the server farm.
Configure a load-balancing algorithm (predictor) and other attributes of the farm.
Set or specify a set of real servers. (See the “Configuring Real Servers” section on page 5-2.)
Set or specify the attributes of the real servers.
You also can configure inband health monitoring for each server farm. (See the “Configuring Inband Health Monitoring” section on page 9-7.) You can assign a return code map to a server farm to configure return code parsing. (See the “Configuring HTTP Return Code Checking” section on page 9-8.)
To configure server farms, perform this task:
Step 1
Command: Router(config-module-csm)# serverfarm serverfarm-name
Purpose: Creates and names a server farm and enters the server farm configuration mode [1, 2].
Step 2
Command: Router(config-slb-sfarm)# predictor [roundrobin | leastconns | hash url | hash address [source | destination] [ip-netmask] | forward]
Purpose: Configures the load-balancing prediction algorithm [2]. If not specified, the default is roundrobin.
Step 3
Command: Router(config-slb-sfarm)# nat client client-pool-name
Purpose: (Optional) Enables the NAT mode client [2]. (See the “Configuring Client NAT Pools” section on page 5-5.)
Step 4
Command: Router(config-slb-sfarm)# no nat server
Purpose: (Optional) Specifies that the destination IP address is not changed when the load-balancing decision is made.
Step 5
Command: Router(config-slb-sfarm)# probe probe-name
Purpose: (Optional) Associates the server farm to a probe that can be defined by the probe command [2].
Step 6
Command: Router(config-slb-sfarm)# bindid bind-id
Purpose: (Optional) Binds a single physical server to multiple server farms and reports a different weight for each one [2]. The bindid command is used by DFP.
Step 7
Command: Router(config-slb-sfarm)# failaction {purge | reassign}
Purpose: (Optional) Sets the behavior of connections to real servers that have failed [2].
Step 8
Command: Router(config-slb-sfarm)# health retries 20 failed 600
Purpose: Configures inband health monitoring for all the servers in the server farm.
Step 9
Command: Cat6k-2(config-slb-sfarm)# retcode-map NAME_OF_MAP
Purpose: Configures HTTP return error code checking (requires the configuration of a map of type retcode).
Step 10
Command: Router(config-slb-sfarm)# real ip_address
Purpose: Defines a real server.
Step 11
Command: Router(config-slb-real)# inservice
Purpose: Enables the real servers.
Step 12
Command: Router# show module csm slot serverfarm serverfarm-name [detail]
Purpose: Displays information about one or all server farms.
1. Enter the exit command to leave a mode or submode. Enter the end command to return to the menu’s top level.
2. The no form of this command restores the defaults.
This example shows how to configure a server farm, named p1_nat, using the least-connections (leastconns) algorithm. The real server with the fewest number of active connections will get the next connection request for the server farm with the leastconns predictor.
Router(config-module-csm)# serverfarm pl_nat
Router(config-slb-sfarm)# predictor leastconns
Router(config-slb-sfarm)# real 10.1.0.105
Router(config-slb-real)# inservice
Router(config-slb-sfarm)# real 10.1.0.106
Router(config-slb-real)# inservice

Configuring Real Servers

Real servers are physical devices assigned to a server farm. Real servers provide the services that are load balanced. When the server receives a client request, it sends the reply to the CSM for forwarding to the client.
You configure the real server in the real server configuration mode by specifying the server IP address and port when you assign it to a server farm. You enter the real server configuration mode from the server farm mode where you are adding the real server.
To configure real servers, perform this task:
Step 1
Command: Router(config-slb-sfarm)# real ip-address [port]
Purpose: Identifies a real server as a member of the server farm and enters the real server configuration mode. An optional translation port can also be configured [1, 2].
Step 2
Command: Router(config-slb-real)# weight weighting-value
Purpose: (Optional) Sets the weighting value for the virtual server predictor algorithm to assign the server’s workload capacity relative to the other servers in the server farm if the round robin or least connection is selected [2].
Note The only time the sequence of servers starts over at the beginning (with the first server) is when there is a configuration or server state change (either a probe or DFP agent).
When the least connection predictor is configured, a slow-start mechanism is implemented to avoid sending a high rate of new connections to the servers that have just been put in service.
Step 3
Command: Router(config-slb-real)# maxconns max-conns
Purpose: (Optional) Sets the maximum number of active connections on the real server [2]. When the specified maximum is reached, no more new connections are sent to that real server until the number of active connections drops below the minimum threshold.
Step 4
Command: Router(config-slb-real)# minconns min-conns
Purpose: (Optional) Sets the minimum connection threshold [2].
Step 5
Command: Router(config-slb-real)# inservice
Purpose: Enables the real server for use by the CSM [2, 3].
Step 6
Command: Router# show module csm slot [sfarm serverfarm-name] [detail]
Purpose: (Optional) Displays information about configured real servers. The sfarm option limits the display to real servers associated with a particular virtual server. The detail option displays detailed real server information.
Step 7
Command: Router# show module csm slot [vserver virtserver-name] [client ip-address] [detail]
Purpose: Displays active connections to the CSM. The vserver option limits the display to connections associated with a particular virtual server. The client option limits the display to connections for a particular client. The detail option displays detailed connection information.
1. Enter the exit command to leave a mode or submode. Enter the end command to return to the menu’s top level.
2. The no form of this command restores the defaults.
3. Repeat Steps 1 through 5 for each real server you are configuring.
This example shows how to create real servers:
Router(config-module-csm)# serverfarm serverfarm
Router(config-slb-sfarm)# real 10.8.0.7
Router(config-slb-real)# inservice
Router(config-slb-sfarm)# real 10.8.0.8
Router(config-slb-real)# inservice
Router(config-slb-sfarm)# real 10.8.0.9
Router(config-slb-real)# inservice
Router(config-slb-sfarm)# real 10.8.0.10
Router(config-slb-real)# inservice
Router(config-slb-sfarm)# real 10.1.0.105
Router(config-slb-real)# inservice
Router(config-slb-sfarm)# real 10.1.0.106
Router(config-slb-sfarm)# inservice
Router(config-slb-real)# end
Router# show mod csm slot reals detail
Router# show mod csm slot conns detail
The CSM performs graceful server shutdown when a real server is taken out of service using the no inservice command. This command stops all new sessions from being load balanced to the real server while allowing existing sessions to complete or time out. New sessions are load balanced to other servers in the server farm for that virtual server.
This example shows how to remove a real server from service:
Router(config-slb-real)# no inservice
For more information on configuring server farms, see the “Configuring Server Farms” section on page 5-1.
The CSM also performs a graceful server shutdown when a real server fails a health probe and is taken out of service. For more information on configuring CSM health probes, see the “Configuring Probes for Health Monitoring” section on page 9-1.
If a client making a request is stuck to an out-of-service server (using a cookie, SSL ID, source IP, etc.), this connection is balanced to an in-service server in the farm. If you want to be stuck to an out-of-service server, enter the inservice standby command. When you enter the inservice standby command, no connections are sent to the standby real server with the exception of those connections that are stuck to that server and those servers with existing connections. After the specified standby time, you can use the no inservice command to allow only existing sessions to be sent to that real server. Sticky connections are then sent to an in-service real server in the server farm.

Configuring Dynamic Feedback Protocol

When you configure the Dynamic Feedback Protocol (DFP), the servers can provide feedback to the CSM to enhance load balancing. DFP allows host agents (residing on the physical server) to dynamically report the change in status of the host systems providing a virtual service.
Note A DFP agent may be on any host machine. A DFP agent is independent of the IP addresses and port numbers of the real servers that are managed by the agent. DFP Manager is responsible for establishing the connections with DFP agents and receiving load vectors from DFP agents.
To configure DFP, perform this task:
Step 1
Command: Router(config-module-csm)# dfp [password password]
Purpose: Configures DFP manager, supplies an optional password, and enters the DFP agent submode [1, 2].
Step 2
Command: Router(config-slb-dfp)# agent ip-address port [activity-timeout [retry-count [retry-interval]]]
Purpose: Configures the time intervals between keepalive messages, the number of consecutive connection attempts or invalid DFP reports, and the interval between connection attempts [2].
Step 3
Command: Router# show module csm slot dfp [agent [detail | ip-address port] | manager [ip_addr] | detail | weights]
Purpose: Displays DFP manager and agent information.
1. Enter the exit command to leave a mode or submode. Enter the end command to return to the menu’s top level.
2. The no form of this command restores the defaults.
This example shows how to configure the dynamic feedback protocol:
Router(config-module-csm)# dfp password password
Router(config-slb-dfp)# agent 123.234.34.55 5 6 10 20
Router(config-slb-dfp)# exit

Configuring Client NAT Pools

When you configure client Network Address Translation (NAT) pools, NAT converts the source IP address of the client requests into an IP address on the server-side VLAN. Use the NAT pool name with the nat command in the serverfarm submode to specify which connections need to be configured for client NAT pools.
To configure client NAT pools, perform this task:
Step 1
Command: Router(config-module-csm)# natpool pool-name start-ip end-ip netmask mask
Purpose: Configures a content-switching NAT. You must create at least one client address pool to use this command [1, 2].
Step 2
Command: Router(config-module-csm)# serverfarm serverfarm-name
Purpose: Enters the serverfarm submode to apply the client NAT.
Step 3
Command: Router(config-slb-sfarm)# nat client clientpool-name
Purpose: Associates the configured NAT pool with the server farm.
Step 4
Command: Router# show module csm natpool [name pool-name] [detail]
Purpose: Displays the NAT configuration.
1. Enter the exit command to leave a mode or submode. Enter the end command to return to the menu’s top level.
2. The no form of this command restores the defaults.
This example shows how to configure client NAT pools:
Router(config)# natpool pool1 102.36.445.2 102.36.16.8 netmask 255.255.255.0
Router(config)# serverfarm farm1
Router(config-slb-sfarm)# nat client pool1

Configuring Server-Initiated Connections

The NAT for the server allows you to support connections initiated by real servers and to provide a default configuration used for servers initiating connections that do not have matching entries in the server NAT configuration. By default, the CSM allows server-originated connections without NAT.
To configure NAT for the server, perform this task:
Step 1
Command: Router(config)# static [drop | nat [ip-address | virtual]]
Purpose: Configures the server-originated connections. Options include dropping the connections, configuring them with NAT with a given IP address, or with the virtual IP address that they are associated with [1, 2].
Step 2
Command: Router(config-slb-static)# real ip-address [subnet-mask]
Purpose: Configures the static NAT submode where the servers will have this NAT option. You cannot use the same real server with multiple NAT configuration options.
1. Enter the exit command to leave a mode or submode. Enter the end command to return to the menu’s top level.
2. The no form of this command restores the defaults.

Configuring URL Hashing

When you choose a server farm for a connection, you can select a specific real server in that server farm. You can choose least connections, round robin, or URL hashing to select a real server.
URL hashing is a load-balancing predictor for Layer 7 connections. You can configure URL hashing on the CSM on a server farm-by-server farm basis. The CSM chooses the real server by using a hash value based on a URL. This hash value may be computed on the entire URL or on a portion of it. To select only a portion of the URL for hashing, you can specify the beginning and ending patterns in the URL so that only the portion of the URL from the specified beginning pattern through the specified ending pattern is hashed. The CSM supports URL hashing in software release 2.1(1).
Unless you specify a beginning and an ending pattern (see the “Configuring Beginning and Ending Patterns” section on page 5-7), the entire URL is hashed and used to select a real server.

Configuring a URL Hashing Predictor

You must configure URL hashing for all server farms that will be using the URL hashing predictor, regardless of whether they are using the entire URL or a beginning and ending pattern.
To configure URL hashing as a load-balancing predictor for a server farm, perform this task:
Command: Router(config-slb-sfarm)# predictor hash url
Purpose: Configures the URL hashing and load-balancing predictor for a server farm.
This example shows how to configure URL hashing and load-balancing predictor for a server farm:
Router(config)# mod csm 2
Router(config-module-csm)# serverfarm farm1
Router(config-slb-sfarm)# predictor hash url
Router(config-slb-sfarm)# real 10.1.0.105
Router(config-slb-real)# inservice
Router(config-slb-real)# exit
Cache servers perform better using URL hashing. However, the hash methods do not recognize weight for the real servers. The weight assigned to the real servers is used in the round-robin and least connection predictor methods.
Note The only time the sequence of servers starts over at the beginning (with the first server) is when there is a configuration or server state change (either a probe or DFP agent).
To create different weights for real servers, you can list multiple IP addresses of the cache server in the server farm. You can also use the same IP address with a different port number.
To configure real servers with a weight when using the URL hash predictor, perform this task:
Step 1
Command: Router(config-slb-sfarm)# serverfarm MYFARM
Purpose: Creates a server farm named MYFARM.
Step 2
Command: Router(config-slb-sfarm)# real 1.1.1.1 80
Purpose: Specifies the real server at port 80.
Step 3
Command: Router(config-slb-sfarm)# inservice
Purpose: Enables the real server in service.
Step 4
Command: Router(config-slb-sfarm)# real 1.1.1.1 8080
Purpose: Specifies the real server at port 8080.
Step 5
Command: Router(config-slb-sfarm)# inservice
Purpose: Enables the real server in service.

Configuring Beginning and Ending Patterns

You configure a beginning and ending pattern at the virtual server level. The pattern you define applies to all the server farms assigned to all of the policies in that virtual server that have URL hashing enabled.
The beginning and ending pattern delimits the portion of the URL that will be hashed and used as a predictor to select a real server from a server farm that belongs to any policy assigned to that virtual server.
To hash a substring of the URL instead of the entire URL, specify the beginning and ending patterns in vserver vserver-name submode with the url-hash begin-pattern pattern-a command and url-hash end-pattern pattern-b command. Hashing occurs at the start of the beginning pattern and goes to the ending pattern.
For example, in the following URL, if the beginning pattern is c&k=, and the ending pattern is &, only the substring c&k=c is hashed:
http://quote.yahoo.com/q?s=csco&d=c&k=c1&t=2y&a=v&p=s&l=on&z=m&q=l\
Note Beginning and ending patterns are restricted to fixed constant strings. General regular expressions cannot be specified as patterns. If no beginning pattern is specified, hashing begins at the beginning of the URL. If no ending pattern is specified, hashing ends at the end of the URL.
This example shows how to configure beginning and ending patterns for URL hashing:
Router(config-module-csm)#
Router(config-module-csm)# vserver vs1
Router(config-slb-vserver)# virtual 10.1.0.81 tcp 80
Router(config-slb-vserver)# url-hash begin-pattern c&k= end-pattern &
Router(config-slb-vserver)# serverfarm farm1
Router(config-slb-vserver)# inservice
Router(config-slb-vserver)#
Router(config-slb-vserver)# exit
Router(config-module-csm)# exit
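How a URL hash predictor with fixed-string patterns maps requests to real servers, and why listing one cache server under two ports gives it more weight, as an added example that is not Cisco's code. The CSM's hash function is not given in this note, so SHA-256 stands in for it; the farm, the URLs, the function names and the handling of the ending pattern (included in the hashed span) are assumptions.

```python
import hashlib
from collections import Counter


def hashed_portion(url, begin=None, end=None):
    """Select the part of the URL that feeds the hash.

    Patterns are fixed strings, not regular expressions. With no beginning
    pattern, selection starts at the start of the URL; with no ending pattern,
    it runs to the end of the URL. Assumptions of this sketch: a configured
    pattern that is absent from the URL is treated like an unset one, the
    ending pattern is searched for after the beginning pattern, and the
    ending pattern itself is part of the hashed span.
    """
    start, after_begin = 0, 0
    if begin:
        idx = url.find(begin)
        if idx != -1:
            start, after_begin = idx, idx + len(begin)
    stop = len(url)
    if end:
        idx = url.find(end, after_begin)
        if idx != -1:
            stop = idx + len(end)
    return url[start:stop]


def pick_real(url, reals, begin=None, end=None):
    """Map a URL to one entry of the server farm's real-server list."""
    portion = hashed_portion(url, begin, end).encode()
    digest = hashlib.sha256(portion).digest()  # stand-in hash (assumption)
    return reals[int.from_bytes(digest[:8], "big") % len(reals)]


def share_by_ip(urls, reals, **patterns):
    """Fraction of URLs landing on each server IP, whatever the port."""
    counts = Counter(pick_real(u, reals, **patterns)[0] for u in urls)
    return {ip: n / len(urls) for ip, n in counts.items()}


# Constructed farm: 10.1.0.105 is listed on two ports, 10.1.0.106 on one,
# so the hash sees three slots and two of them belong to the same cache.
FARM = [("10.1.0.105", 80), ("10.1.0.105", 8080), ("10.1.0.106", 80)]
# Constructed URLs: the object id is the cacheable part, the query is noise.
URLS = [f"http://cache.example/obj/{i}?session={i * 7}" for i in range(3000)]

if __name__ == "__main__":
    print(hashed_portion(URLS[42], "/obj/", "?"))
    print(share_by_ip(URLS, FARM, begin="/obj/", end="?"))
```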

CHAPTER 6

Configuring Virtual Servers, Maps, and Policies

This chapter describes how to configure content switching and contains these sections:
Configuring Virtual Servers
Configuring Maps
Configuring Policies
Configuring Generic Header Parsing

Configuring Virtual Servers

This section describes how to configure virtual servers and contains these sections:
Configuring TCP Parameters
Configuring Redirect Virtual Servers
Note When a virtual server is configured with an IP address, it will start replying to ARP requests for that specific IP, even if it is still out of service. This is important especially when migrating operational virtual servers from existing devices over to the CSM. Make sure that you never have a virtual server on the CSM configured with the same IP address as another device in the same network.
Virtual servers represent groups of real servers and are associated with real server farms through policies. Configuring virtual servers requires that you set the attributes of the virtual server specifying the default server farm (default policy) and that you associate other server farms through a list of policies. The default server farm (default policy) is used if a request does not match any SLB policy or if there are no policies associated with the virtual server.
Before you can associate a server farm with the virtual server, you must configure the server farm. For more information, see the “Configuring Server Farms” section on page 5-1. Policies are processed in the order in which they are entered in the virtual server configuration. For more information, see the “Configuring Policies” section on page 6-11.
You can configure each virtual server with a pending connection timeout to terminate connections quickly if the switch becomes flooded with traffic. This timeout applies to a transaction between the client and server that has not completed the request and reply process.
In a service provider environment in which different customers are assigned different virtual servers, you may need to balance the connections to prevent an individual server from absorbing most or even all of the connection resources on the CSM. You can limit the number of connections going through the CSM to a particular virtual server by using the VIP connection watermarks feature. With this feature, you may set limits on each virtual server, allowing a fair distribution of connection resources among all virtual servers.
Note You can configure a single virtual server to operate at either Level 4 or Level 7. To configure a virtual server to operate at Level 4, specify the server farm (default policy) as part of the virtual server configuration. (See Step 3 in the following task table.) To configure a virtual server to operate at Level 7, add SLB policies in the configuration of the virtual server. (See Step 7 in the following task table.)
The CSM can load-balance traffic from any IP protocol. When you configure a virtual server in virtual server submode, you must define the IP protocol that the virtual server will accept.
Note Although all IP protocols have a protocol number, the CSM allows you to specify TCP or UDP by name instead of requiring you to enter their numbers.
Configure the virtual server in the virtual server configuration submode.
To configure virtual servers, perform this task:
Step 1
Command: Router(config-module-csm)# owner owner-name address street-address-information billing-info billing-address-information email-address email-information maxconns 1:MAXULONG
Purpose: Restricts access to virtual servers to a specific owner object.
Step 2
Command: Router(config-module-csm)# vserver virtserver-name
Purpose: Identifies the virtual server and enters the virtual server configuration mode [1, 2].
Step 3
Command: Router(config-slb-vserver)# vs-owner owner-name maxconns 1:MAXULONG
Purpose: Sets the owner object name for this virtual server.
Step 4
Command: Router(config-slb-vserver)# virtual ip-address [ip-mask] protocol port-number [service ftp]
Purpose: Sets the IP address for the virtual server, the optional port number or name, and the connection coupling and type [2]. The protocol value is tcp, udp, Any (no port number is required), or a number value (no port number is required).
Step 5
Command: Router(config-slb-vserver)# serverfarm serverfarm-name
Purpose: Associates the default server farm with the virtual server [2, 3]. Only one server farm is allowed. If the server farm is not specified, all the requests not matching any other policies will be discarded.
Step 6
Command: Router(config-slb-vserver)# sticky duration
Purpose: (Optional) Configures connections from the client to use the same real server [2, 3]. The default is sticky off.
Step 7
Command: Router(config-slb-vserver)# sticky group-number reverse
Purpose: (Optional) Ensures that the CSM changes connections in the appropriate direction back to the same source.
Step 8
Command: Router(config-slb-vserver)# client ip-address network-mask [exclude]
Purpose: (Optional) Restricts which clients are allowed to use the virtual server [2, 3].
Step 9
Command: Router(config-slb-vserver)# slb-policy policy-name
Purpose: (Optional) Associates one or more content switching policies with a virtual server [2].
Step 10
Command: Router(config-slb-vserver)# inservice
Purpose: Enables the virtual server for use by the CSM [2].
Step 11
Command: Router# show module csm slot vserver [details]
Purpose: Displays information for virtual servers defined for content switching.
1. Enter the exit command to leave a mode or submode. Enter the end command to return to the menu’s top level.
2. The no form of this command restores the defaults.
3. These parameters refer to the default policy.
This example shows how to configure a virtual server named barnett, associate it with the server farm named bosco, and configure a sticky connection with a duration of 50 minutes to sticky group 12:
Router(config)# mod csm 2
Router(config-module-csm)# sticky 1 cookie foo timeout 100
Router(config-module-csm)# exit
Router(config-module-csm)#
Router(config-module-csm)# serverfarm bosco
Router(config-slb-sfarm)# real 10.1.0.105
Router(config-slb-real)# inservice
Router(config-slb-real)# exit
Router(config-slb-sfarm)#
Router(config-slb-sfarm)# vserver barnett
Router(config-slb-vserver)# virtual 10.1.0.85 tcp 80
Router(config-slb-vserver)# serverfarm bosco
Router(config-slb-vserver)# sticky 50 group 12
Router(config-slb-vserver)# inservice
Router(config-slb-vserver)# exit
Router(config-module-csm)# end
This example shows how to configure a virtual server, named vs1, with two policies and a default server farm. When client traffic matches a specific policy, the virtual server will be load balanced to the server farm attached to that policy. When client traffic fails to match any policy, the virtual server will be load balanced to the default server farm named bosco.
Router(config)# mod csm 2
Router(config-module-csm)# map map3 url
Router(config-slb-map-url)# match protocol http url *finance*
Router(config-slb-map-url)#
Router(config-slb-map-url)# map map4 url
Router(config-slb-map-url)# match protocol http url *mail*
Router(config-slb-map-url)#
Router(config-slb-map-url)# serverfarm bar1
Router(config-slb-sfarm)# real 10.1.0.105
Router(config-slb-real)# inservice
Router(config-slb-real)#
Router(config-slb-real)# serverfarm bar2
Router(config-slb-sfarm)# real 10.1.0.106
Router(config-slb-real)# inservice
Router(config-slb-real)#
Router(config-slb-real)# serverfarm bosco
Router(config-slb-sfarm)# real 10.1.0.107
Router(config-slb-real)# inservice
Router(config-slb-real)#
Router(config-slb-real)# policy pc1
Router(config-slb-policy)# serverfarm bar1
Router(config-slb-policy)# url-map map3
Router(config-slb-policy)# exit
Router(config-module-csm)#
Router(config-module-csm)# policy pc2
Router(config-slb-policy)# serverfarm bar2
Router(config-slb-policy)# url-map map4
Router(config-slb-policy)# exit
Router(config-module-csm)#
Router(config-module-csm)# vserver bar1
Router(config-slb-vserver)# virtual 10.1.0.86 tcp 80
Router(config-slb-vserver)# slb-policy pc1
Router(config-slb-vserver)# slb-policy pc2
Router(config-slb-vserver)# serverfarm bosco
Router(config-slb-vserver)# inservice
Router(config-slb-vserver)#

Configuring TCP Parameters

Transmission Control Protocol (TCP) is a connection-oriented protocol that uses known protocol messages for activating and deactivating TCP sessions. In server load balancing, when adding or removing a connection from the connection database, the Finite State Machine correlates TCP signals such as SYN, SYN/ACK, FIN, and RST. When adding connections, these signals are used for detecting server failure and recovery and for determining the number of connections per server.
The CSM also supports User Datagram Protocol (UDP). Because UDP is not connection-oriented, protocol messages cannot be generically sniffed (without knowing details of the upper-layer protocol) to detect the beginning or end of a UDP message exchange. Detection of UDP connection termination is based on a configurable idle timer. Protocols requiring multiple simultaneous connections to the same real server are supported (such as FTP). Internet Control Message Protocol (ICMP) messages destined for the virtual IP address are also handled (such as ping).
To configure TCP parameters, perform this task:

| | Command | Purpose |
|---|---|---|
| Step 1 | Router(config-module-csm)# vserver virtserver-name | Identifies the virtual server and enters the virtual server configuration mode¹ ². |
| Step 2 | Router(config-slb-vserver)# idle duration | Configures the amount of time (in seconds) that connection information is maintained in the absence of packet activity for a connection². |

1. Enter the exit command to leave a mode or submode. To return to the Router (config)> top level of the menu, enter the end command.
2. The no form of this command restores the defaults.
This example shows how to configure TCP parameters for virtual servers:
Router(config-module-csm)# vserver barnett
Router(config-slb-vserver)# idle 10
The CSM provides support for fragmented TCP packets. The TCP fragment feature works only with VIPs that have Layer 4 policies defined and does not work for SYN packets or for Layer 7 policies. To support fragmented TCP packets, the CSM matches the TCP fragments to existing data flows or matches them by the bridging VLAN ID. The CSM will not reassemble fragments for Layer 7 parsing. Because the CSM has a finite number of buffers and fragment ID buckets, packet resending is required when there are hash collisions.
When enabling TCP splicing, you must designate a virtual server as a Layer 7 device even when it does not have a Layer 7 policy. This option is only valid for the TCP protocol.
To configure TCP splicing, perform this task:

| | Command | Purpose |
|---|---|---|
| Step 1 | Router(config-module-csm)# vserver virtserver-name | Identifies the virtual server and enters the virtual server configuration mode¹ ². |
| Step 2 | Router(config-slb-vserver)# vserver tcp-protect | Designates the virtual server for TCP splicing². |
| Step 3 | Router(config-slb-vserver)# virtual 100.100.100.100 tcp any service tcp-termination | Enables TCP splicing. |

1. Enter the exit command to leave a mode or submode. To return to the Router (config)> top level of the menu, enter the end command.
2. The no form of this command restores the defaults.

Configuring Redirect Virtual Servers

The redirect-vserver command is a server farm submode command that allows you to configure virtual servers dedicated to real servers. This mapping provides connection persistence, which maintains connections from clients to real servers across TCP sessions.
To configure redirection with the CSM, create the initial virtual server, which load balances to the redirect server farm, as either a Layer 4 or a Layer 7 (policy-based) virtual server, depending on your preference.
The redirect server farm must have a redirect virtual server configured along with a redirection string, as follows:
serverfarm REDIR-FARM
 nat server
 nat client CLIENTNAT
 redirect-vserver REDVS1
  webhost relocation 10.86.213.216
  inservice
The name given to the redirect virtual server only identifies it and plays no role unless you want the virtual server to stop issuing redirects when the real server is down. To do that, configure a virtual address under the redirect virtual server, add a real server, and associate the real server with the redirect virtual server. When this real server goes down, the redirect virtual server goes down and stops sending redirects. For example:
!
serverfarm REDIR-FARM
 nat server
 nat client CLIENTNAT
 redirect-vserver REDVS1
  webhost relocation 10.86.213.216
  virtual 10.86.213.216 tcp www
  inservice
 real 10.86.213.193
  redirect-vserver REDVS1
  inservice
 probe TEST-TCP
!
vserver REDVS
 virtual 10.86.213.212 tcp www
 serverfarm REDIR-FARM
 persistent rebalance
 inservice

Router(config-slb-real)# do sho mod csm 6 serverfarm name redir-farm det
REDIR-FARM, type = SLB, predictor = RoundRobin
  nat = SERVER, CLIENT(CLIENTNAT)
  virtuals inservice = 1, reals = 1, bind id = 0, fail action = none
  inband health config: <none>
  retcode map = <none>
  Redirect virtual servers: 1
    REDVS1, virtual 10.86.213.216:80, webhost 10.86.213.216 302, OUTOFSERVICE
  Probes:
    TEST-TCP, type = tcp
  Real servers:
    10.86.213.193, weight = 8, PROBE_FAILED, conns = 0
  Total connections = 0
The server farm always issues the redirect unless configured in this manner. The virtual address under the redirect virtual server works as a virtual server and load balances to the real server configured in a 1-to-1 mapping. You cannot add more real servers to load balance under this virtual server, because you must create a unique redirect virtual server for each real server.
serverfarm WEBFARM
 redirect-vserver SERV40_6000
  webhost relocation 172.1.2.40:6000
  virtual 172.1.2.40 tcp 6000
  inservice
 redirect-vserver SERV30_6000
  webhost relocation 172.1.2.30:6000
  virtual 172.1.2.30 tcp 6000
  inservice
 real 10.10.2.40
  redirect-vserver SERV40_6000
  inservice
 real 10.10.2.30
  redirect-vserver SERV30_6000
  inservice
 probe TEST-TCP
!
vserver WEBSITE
 virtual 172.1.2.150 tcp www
 serverfarm WEBFARM
 inservice
The webhost backup command allows a backup redirect to be issued if the real server has failed. This command can be used only when you are using the virtual server under the redirect virtual server, under the server farm. It covers clients that were given a redirect to this virtual server when the server goes down before their new request arrives. The backup string is then sent, which redirects the client to a different virtual server. This command backs up the real server associated with the redirect virtual server, not the redirect virtual server.
In the next example, when the probe fails on real 10.86.213.188 8881, a redirect for test.url.com will be sent when a connection is made to the virtual 10.86.213.178 9991.
!
serverfarm SF1-REDIR
 nat server
 nat client CLIENT-NAT
 redirect-vserver VS1
  webhost relocation 10.86.213.178:9991
  webhost backup test.url.com
  virtual 10.86.213.178 tcp 9991
  inservice
 real 10.86.213.188 8881
  redirect-vserver VS1
  inservice
 probe TCP
!
vserver V2
 virtual 10.86.213.179 tcp 82
 serverfarm SF1-REDIR
 persistent rebalance
 inservice
!
Additional options for the redirect virtual server are available. You can add %p to the end of the relocation string so that the remainder of the URL is appended to the redirection. Enter CTRL+V ? to embed a question mark into the URL. The default is a type 302 redirect, but you can change the redirection to a 301 as follows:
serverfarm SF1-REDIR
 nat server
 nat client CLIENT-NAT
 redirect-vserver 22
  webhost relocation www.jw?.com%p 301
  inservice
You may also put https:// or ftp:// into the string, but this can also be done with the ssl word command. Any number other than 21 or 80 prepends https:// and uses the port number given. Ports 21 and 80 prepend ftp:// and http:// respectively.
Route(config-slb-redirect-vs)# ssl ?
  <1-65535>  ssl port number
  ftp        File Transfer Protocol (21)
  https      Secure Hypertext Transfer Protocol (443)
  www        World Wide Web - Hypertext Transfer Protocol (80)
To configure redirect virtual servers, perform this task:

| | Command | Purpose |
|---|---|---|
| Step 1 | Router(config-slb-sfarm)# redirect-vserver name | Configures virtual servers dedicated to real servers and enters the redirect server submode¹ ². |
| Step 2 | Router(config-slb-redirect-v)# webhost relocation relocation string | Configures the destination URL host name when redirecting HTTP requests that arrive at this server farm. Only the beginning of the URL can be specified in the relocation string. The remaining portion is taken from the original HTTP request². |
| Step 3 | Router(config-redirect-v)# webhost backup backup string | Configures the relocation string sent in response to HTTP requests in the event that the redirect server is out of service. Only the beginning of the relocation string can be specified. The remaining portion is taken from the original HTTP request². |
| Step 4 | Router(config-redirect-v)# virtual v_ipaddress tcp port | Configures the redirect virtual server IP address and port². |
| Step 5 | Router(config-redirect-v)# idle duration | Sets the CSM connection idle timer for the redirect virtual server². |
| Step 6 | Router(config-redirect-v)# client ip-address network-mask [exclude] | Configures the combination of the IP address and network mask used to restrict which clients are allowed to access the redirect virtual server². |
| Step 7 | Router(config-redirect-v)# inservice | Enables the redirect virtual server and begins advertisements². |
| Step 8 | Router(config-redirect-v)# ssl port | (Optional) Enables SSL forwarding by the virtual server. |
| Step 9 | Router# show module csm vserver redirect [detail] | Shows all redirect servers configured. |

1. Enter the exit command to leave a mode or submode. Enter the end command to return to the menu's top level.
2. The no form of this command restores the defaults.

This example shows how to configure redirect virtual servers to specify virtual servers to real servers in a server farm:
Router (config)# serverfarm FARM1
Router (config-slb-sfarm)# redirect-vserver REDIR_1
Router (config-slb-redirect-)# webhost relocation 127.1.2.30 301
Router (config-slb-redirect-)# virtual 172.1.2.30 tcp www
Router (config-slb-redirect-)# inservice
Router (config-slb-redirect-)# exit
Router (config-slb-sfarm)# redirect-vserver REDIR_2
Router (config-slb-redirect-)# webhost relocation 127.1.2.31 301
Router (config-slb-redirect-)# virtual 172.1.2.31 tcp www
Router (config-slb-redirect-)# inservice
Router (config-slb-redirect-)# exit
Router (config-slb-sfarm)# real 10.8.0.8
Router (config-slb-real)# redirect-vserver REDIR_1
Router (config-slb-real)# inservice
Router (config-slb-sfarm)# real 10.8.0.9
Router (config-slb-real)# redirect-vserver REDIR_2
Router (config-slb-real)# inservice
Router (config-slb-real)# end
Router# show module csm serverfarm detail

Configuring Maps

You configure maps to define multiple URLs, cookies, HTTP headers, and return codes into groups that can be associated with a policy when you configure the policy. (See the “Configuring Policies” section on page 6-11.) Regular expressions for URLs (for example, url1 and url2) are based on UNIX filename specifications. See Table 6-1 for more information.
To add a URL map, perform this task:

| | Command | Purpose |
|---|---|---|
| Step 1 | Router(config-module-csm)# map url-map-name url | Creates a group to hold multiple URL match criteria¹ ². |
| Step 2 | Router(config-slb-map-url)# match protocol http url url-path | Specifies a string expression to match against the requested URL². |

1. Enter the exit command to leave a mode or submode. Enter the end command to return to the menu's top level.
2. The no form of this command restores the defaults.

Table 6-1 Special Characters for Matching String Expressions

| Convention | Description |
|---|---|
| * | Zero or more characters. |
| ? | Exactly one character. |
| \ | Escaped character. |
| Bracketed range [0-9] | Matching any single character from the range. |
| A leading ^ in a range | Do not match any in the range. All other characters represent themselves. |
| .\a | Alert (ASCII 7). |
| .\b | Backspace (ASCII 8). |
| .\f | Form-feed (ASCII 12). |
| .\n | New line (ASCII 10). |
| .\r | Carriage return (ASCII 13). |
| .\t | Tab (ASCII 9). |
| .\v | Vertical tab (ASCII 11). |
| .\0 | Null (ASCII 0). |
| .\\ | Backslash. |
| .\x## | Any ASCII character as specified in two-digit hex notation. |

Note You must precede the question mark with a Ctrl-V command to prevent the CLI parser from interpreting it as a help request.

To add a cookie map, perform this task:

| | Command | Purpose |
|---|---|---|
| Step 1 | Router(config)# map cookie-map-name cookie | Configures multiple cookies into a cookie map¹. |
| Step 2 | Router(config-slb-map-cookie)# match protocol http cookie cookie-name cookie-value cookie-value-expression | Configures multiple cookies¹. |

1. The no form of this command restores the defaults.

This example shows how to configure maps and associate them with a policy:
Router(config-module-csm)# serverfarm pl_url_url_1
Router(config-slb-sfarm)# real 10.8.0.26
Router(config-slb-real)# inservice
Router(config-slb-real)# exit
Router(config-slb-sfarm)# exit
Router(config-slb-policy)# serverfarm pl_url_url_1
Router(config-slb-policy)# url-map url_1
Router(config-slb-policy)# exit
Router(config-module-csm)# serverfarm pl_url_url_2
Router(config-slb-sfarm)# real 10.8.0.27
Router(config-slb-real)# inservice
Router(config-slb-real)# exit
Router(config-slb-sfarm)# exit
Router(config-module-csm)# map url_1 url
Router(config-slb-map-url)# match protocol http url /url1
Router(config-slb-map-url)# exit
Router(config-module-csm)# map url_2 url
Router(config-slb-map-url)# match protocol http url /url/url/url
Router(config-slb-map-url)# match protocol http url /reg/*long.*
Router(config-slb-map-url)# exit
Router(config-module-csm)# policy policy_url_1
Router(config-module-csm)# policy policy_url_2
Router(config-slb-policy)# serverfarm pl_url_url_2
Router(config-slb-policy)# url-map url_2
Router(config-slb-policy)# exit
Router(config-module-csm)# vserver vs_url_url
Router(config-slb-vserver)# virtual 10.8.0.145 tcp 80
Router(config-slb-vserver)# slb-policy policy_url_1
Router(config-slb-vserver)# slb-policy policy_url_2
Router(config-slb-vserver)# inservice
Router(config-slb-vserver)# exit

Using the map command, you create a map group with the type HTTP header. When you enter the map command, you are placed in a submode where you can specify the header fields and values for CSM to search for in the request.
To create a map for the HTTP header, perform this task:

| Command | Purpose |
|---|---|
| Router(config-module-csm)# map name header | Creates and names an HTTP header map group. |

For more information about header maps, see the “Configuring Generic Header Parsing” section on page 6-12.
To create a map for return code checking, perform this task:

| Command | Purpose |
|---|---|
| Router(config-module-csm)# map name retcode | Creates and names a return code map group. |

To configure HTTP return error code checking, perform this task:

| Command | Purpose |
|---|---|
| Router(config-slb-sfarm)# retcode-map name_of_map | Configures HTTP return error code checking. |

For more information about return code maps, see the “Configuring HTTP Return Code Checking” section on page 9-8.

Configuring Policies

Policies are access rules that traffic must match when balancing to a server farm. Policies allow the CSM to balance Layer 7 traffic. Multiple policies can be assigned to one virtual server, creating multiple access rules for that virtual server. When configuring policies, you first configure the access rules (maps, client-groups, and sticky groups) and then you combine these access rules under a particular policy.
Note You must associate a server farm with a policy. A policy that does not have an associated server farm cannot forward traffic. The server farm associated with a policy receives all the requests that match that policy.
When the CSM is able to match policies, it selects the policy that appears first in the policy list. Policies are located in the policy list in the sequence in which they were bound to the virtual server.
A policy can be matched even if all the servers in the associated server farm are down. The default behavior of the policy in that case is to not accept those connections and send back a reset (RST) to the clients. To change this behavior, add a backup server farm for that policy.
You can reorder the policies in the list by removing policies and reentering them in the correct order. To remove and enter policies, enter the no slb-policy policy name command and the slb-policy policy name command in the virtual server submode.
To configure load-balancing policies, perform this task:

| | Command | Purpose |
|---|---|---|
| Step 1 | Router(config-module-csm)# policy policy-name | Creates the policy and enters the policy submode to configure the policy attributes¹. |
| Step 2 | Router(config-slb-policy)# url-map url-map-name | Associates a URL map to a policy². You must have previously created and configured the URL maps and cookie maps with the map command. See the “Configuring Generic Header Parsing” section on page 6-12. |
| Step 3 | Router(config-slb-policy)# cookie-map cookie-map-name | Associates a cookie map to a policy². |
| Step 4 | Router(config-slb-policy)# header-map name | Associates an HTTP header map to a policy. |
| Step 5 | Router(config-slb-policy)# sticky-group group-id | Associates this policy to a specific sticky group². |
| Step 6 | Router(config-slb-policy)# client-group value \| std-access-list-name | Configures a client filter associated with a policy. Only standard IP access lists are used to define a client filter. |
| Step 7 | Router(config-slb-policy)# serverfarm serverfarm-name | Configures the server farm serving a particular load-balancing policy. Only one server farm can be configured per policy². |
| Step 8 | Router(config-slb-policy)# set ip dscp dscp-value | Marks traffic with a DSCP value if packets matched with the load-balancing policy². |

1. Enter the exit command to leave a mode or submode. Enter the end command to return to the menu's top level.
2. The no form of this command restores the defaults.

This example assumes that the URL map, map1, has already been configured and shows how to configure server load-balancing policies and associate them to virtual servers:
Router(config-slb-policy)# serverfarm pl_sticky
Router(config-slb-sfarm)# real 10.1.0.105
Router(config-slb-sfarm)# inservice
Router(config-slb-policy)# exit
Router(config-module-csm)# policy policy_sticky_ck
Router(config-slb-policy)# serverfarm pl_sticky
Router(config-slb-policy)# url-map map1
Router(config-slb-policy)# exit
Router(config-module-csm)# vserver vs_sticky_ck
Router(config-slb-vserver)# virtual 10.1.0.80 tcp 80
Router(config-slb-vserver)# slb-policy policy_sticky_ck
Router(config-slb-sfarm)# inservice
Router(config-slb-policy)# exit

Configuring Generic Header Parsing

In software release 2.1(1), the CSM supports generic HTTP request header parsing. The HTTP request header contains fields that describe how content should be formatted to meet the user’s requirements.

Understanding Generic Header Parsing

The CSM uses the information it learns by parsing and matching fields in the HTTP header along with policy information to make load-balancing decisions. For example, by parsing the browser-type field in the HTTP header, the CSM can determine if a user is accessing the content with a mobile browser and can select a server that contains content formatted for a mobile browser.
An example of an HTTP GET request header record is as follows:
GET /?u HTTP/1.1<0D><0A>
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg<0D><0A>
Referer: http://www.yahoo.com/<0D><0A>
Accept-Language: en-us<0D><0A>
Accept-Encoding: gzip, deflate<0D><0A>
User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows NT; DigExt)<0D><0A>
Host: finance.yahoo.com<0D><0A>
Connection: Keep-Alive<0D><0A>
Cookie: B=51g3cjstaq3vm; Y=1<0D><0A>
<0D><0A>

Generic Header Parsing Configuration

You configure generic header parsing by entering commands that instruct the CSM to perform policy matching on fields in the HTTP header. These sections describe how to configure generic header parsing on the CSM:
Creating a Map for the HTTP Header
Specifying Header Fields and Match Values
Assigning an HTTP Header Map to a Policy
Assigning the Policy to a Virtual Server
Generic Header Parsing Example

Creating a Map for the HTTP Header
Using the map command, you create a map group with the type HTTP header. When you enter the map command, you are placed in a submode where you can specify the header fields and values for CSM to search for in the request.
To create a map for the HTTP header, perform this task:

| Command | Purpose |
|---|---|
| Router(config-module-csm)# map name header | Creates and names an HTTP header map group. |

Note Other map types include a URL and a cookie.

Specifying Header Fields and Match Values

You can specify the name of the field and the corresponding value for the CSM to match when receiving an HTTP request by using the match command.
To specify header fields and match values, perform this task:

| Command | Purpose |
|---|---|
| Router(config-slb-map-header)# match protocol http header field header-value expression | Specifies the name of the field and value. The field can be any HTTP header except cookie. You can configure a cookie map if you want to configure the cookie header. |

Note The CSM allows you to specify one or more fields in the HTTP header to be the criteria for policy matching. When multiple fields are configured in a single HTTP header group, all of the expressions in this group must match in order to satisfy this criteria.

Assigning an HTTP Header Map to a Policy

In policy submode, you specify the header map to include in that policy. The header map contains the HTTP header criteria to be included in a policy.
To assign an HTTP header map to a policy, perform this task:

| | Command | Purpose |
|---|---|---|
| Step 1 | Router(config-module-csm)# policy policy-name | Creates a policy. |
| Step 2 | Router(config-slb-policy)# header-map name | Assigns an HTTP header map to a policy. |

Note By default, a policy rule can be satisfied with any HTTP header information. The HTTP URL and HTTP cookie are specific types of header information and are handled separately by the CSM.

Assigning the Policy to a Virtual Server

In virtual server submode, specify the name of the policy that has the header map assigned, using the vserver virtserver-name command.
To specify a policy with a header map assigned, perform this task:

| | Command | Purpose |
|---|---|---|
| Step 1 | Router(config-module-csm)# vserver virtserver-name | Configures a virtual server. |
| Step 2 | Router(config-slb-policy)# header-map name | Assigns an HTTP header map to a policy. |

Generic Header Parsing Example

This example shows how to configure generic header parsing:
Router(config)# mod csm 2
Router(config-module-csm)# !!!configure generic header map
Router(config-module-csm)# map map2 header
Router(config-slb-map-heaer)# $col http header Host header-value *.yahoo.com
Router(config-slb-map-header)# !!! configure serverfarm
Router(config-slb-map-header)# serverfarm farm2
Router(config-slb-sfarm)# real 10.1.0.105
Router(config-slb-real)# inservice
Router(config-slb-real)# exit
Router(config-slb-sfarm)# exit
Router(config-module-csm)# !!! configurate policy
Router(config-module-csm)# policy pc2
Router(config-slb-policy)# serverfarm farm2
Router(config-slb-policy)# header-map map2
Router(config-slb-policy)# exit
Router(config-module-csm)# !!! config vserver
Router(config-module-csm)# vserver vs2
Router(config-slb-vserver)# virtual 10.1.0.82 tcp 80
Router(config-slb-vserver)# slb-policy pc2
Router(config-slb-vserver)# inservice
Router(config-slb-vserver)# end
Router(config)# show module csm 2 map det
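
The matching rules this chapter describes (Table 6-1 string expressions, first-match policy order, header maps in which every field must match, and the reset sent when a matched policy's server farm is down) can be checked offline with the Python model below. It is an added example, not Cisco code and not part of the original note. Assumptions: an expression must match the whole URL or header value, a URL map matches when any one of its expressions matches, escapes are written without the leading dot shown in the table rows, and the backup_farm field name is hypothetical.

```python
import re
from dataclasses import dataclass, field

# Backslash escapes listed in Table 6-1 (\x## is handled separately below).
ESCAPES = {"a": "\a", "b": "\b", "f": "\f", "n": "\n", "r": "\r",
           "t": "\t", "v": "\v", "0": "\0", "\\": "\\"}


def compile_expr(expr):
    """Translate a Table 6-1 string expression into a compiled regex."""
    out, i = [], 0
    while i < len(expr):
        c = expr[i]
        if c == "*":                                # zero or more characters
            out.append(".*")
        elif c == "?":                              # exactly one character
            out.append(".")
        elif c == "\\" and i + 1 < len(expr):       # escaped character
            nxt, hexpair = expr[i + 1], expr[i + 2:i + 4]
            if nxt == "x" and re.fullmatch("[0-9A-Fa-f]{2}", hexpair):
                out.append(re.escape(chr(int(hexpair, 16))))
                i += 3                              # skip 'x' and both digits
            else:
                out.append(re.escape(ESCAPES.get(nxt, nxt)))
                i += 1                              # skip the escaped character
        elif c == "[":                              # bracketed range
            end = expr.find("]", i + 2)
            body = expr[i + 1:end] if end != -1 else ""
            negate = body.startswith("^")           # leading ^ inverts the range
            members = body[1:] if negate else body
            if members:
                cls = "".join(m if m == "-" else re.escape(m) for m in members)
                out.append("[" + ("^" if negate else "") + cls + "]")
                i = end
            else:
                out.append(re.escape(c))            # no usable range: literal '['
        else:
            out.append(re.escape(c))                # all other characters
        i += 1
    return re.compile("".join(out), re.DOTALL)


def matches(expr, value):
    """Assumption: an expression must cover the whole value, not a substring."""
    return compile_expr(expr).fullmatch(value) is not None


def parse_request(raw):
    """Split a raw HTTP request into (url, headers); header names lowercased."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    request_line, *lines = head.split("\r\n")
    parts = request_line.split(" ")
    if len(parts) != 3:
        raise ValueError("malformed request line")
    pairs = (line.partition(":") for line in lines)
    return parts[1], {n.strip().lower(): v.strip() for n, sep, v in pairs if sep}


@dataclass
class Policy:
    name: str
    serverfarm: str
    url_map: list = field(default_factory=list)     # any expression may match (assumption)
    header_map: dict = field(default_factory=dict)  # every field must match (page's note)
    backup_farm: str = ""                           # hypothetical field name

    def accepts(self, url, headers):
        if self.url_map and not any(matches(e, url) for e in self.url_map):
            return False
        return all(f in headers and matches(e, headers[f])
                   for f, e in self.header_map.items())


def select_farm(policies, default_farm, farms_up, raw_request):
    """Return the chosen server farm name, or "RST" for a reset."""
    url, headers = parse_request(raw_request)
    for policy in policies:                         # order bound to the virtual server
        if policy.accepts(url, headers):
            if farms_up.get(policy.serverfarm):
                return policy.serverfarm
            if policy.backup_farm and farms_up.get(policy.backup_farm):
                return policy.backup_farm
            return "RST"                            # matched, farm down, no usable backup
    return default_farm                             # no policy matched


# Constructed data: names follow the page's examples; pc3 and the requests are made up.
POLICIES = [
    Policy("pc1", "bar1", url_map=["*finance*"]),
    Policy("pc2", "bar2", url_map=["*mail*"]),
    Policy("pc3", "farm2", header_map={"host": "*.yahoo.com"}),
]
ALL_UP = {"bar1": True, "bar2": True, "farm2": True, "bosco": True}
REQ_BOTH = b"GET /finance/mail.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
REQ_YAHOO = b"GET /?u HTTP/1.1\r\nHost: finance.yahoo.com\r\nCookie: Y=1\r\n\r\n"

if __name__ == "__main__":
    for req in (REQ_BOTH, REQ_YAHOO):
        print(req.split(b"\r\n")[0].decode(), "->", select_farm(POLICIES, "bosco", ALL_UP, req))
```

A request that matches an earlier policy never reaches a later one, even when the earlier policy's farm is down, so reviewing the bind order is part of reviewing which servers a given URL or Host value can reach.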

Configuring Redundant Connections

This chapter describes how to configure redundant connections and contains these sections:
Configuring Fault Tolerance
Configuring HSRP
Configuring Connection Redundancy
Configuring a Hitless Upgrade

Configuring Fault Tolerance

This section describes a fault-tolerant configuration. In this configuration, two separate Catalyst 6500 series chassis each contain a CSM.
Note You can also create a fault-tolerant configuration with two CSMs in a single Catalyst 6500 series chassis. You also can create a fault-tolerant configuration in either the secure (router) mode or nonsecure (bridge) mode.
In the secure (router) mode, the client-side and server-side VLANs provide the fault-tolerant (redundant) connection paths between the CSM and the routers on the client side and the servers on the server side. In a redundant configuration, two CSMs perform active and standby roles. Each CSM contains the same IP, virtual server, server pool, and real server information. From the client-side and server-side networks, each CSM is configured identically. The network sees the fault-tolerant configuration as a single CSM.
Note When you configure multiple fault-tolerant CSM pairs, do not configure multiple CSM pairs to use the same FT VLAN. Use a different fault-tolerant VLAN for each fault-tolerant CSM pair.
Configuring fault tolerance requires the following:
Two CSMs that are installed in the Catalyst 6500 series chassis.
Identically configured CSMs. One CSM is configured as the active; the other is configured as the standby.
Each CSM connected to the same client-side and server-side VLANs.
Communication between the CSMs provided by a shared private VLAN.
A network that sees the redundant CSMs as a single entity.
Connection redundancy by configuring a link that has a 1-GB per-second capacity. Enable the calendar in the switch Cisco IOS software so that the CSM state change gets stamped with the correct time.
The following command enables the calendar:
Cat6k-2# configure terminal
Cat6k-2(config)# clock timezone WORD offset from UTC
Cat6k-2(config)# clock calendar-valid
Because each CSM has a different IP address on the client-side and server-side VLAN, the CSM can send health monitor probes (see the “Configuring Probes for Health Monitoring” section on page 9-1) to the network and receive responses. Both the active and standby CSMs send probes while operational. If the passive CSM assumes control, it knows the status of the servers because of the probe responses it has received.
Connection replication supports both non-TCP connections and TCP connections. Enter the replicate csrp {sticky | connection} command in the virtual server mode to configure replication for the CSMs.
Note The default setting for the replicate command is disabled.
To use connection replication for connection redundancy, enter these commands:
Cat6k-2# configure terminal
Cat6k-2(config)# no ip igmp snooping
You need to enter the no ip igmp snooping command because the replication frame has a multicast type destination MAC with a unicast IP address. When the switch listens to the Internet Group Management Protocol (IGMP) to find the multicast group membership and build its multicast forwarding information database (FIB), the switch does not find group members and prunes the multicast table. All multicast frames from active to standby are then dropped, causing erratic results.
If no router is present on the server-side VLAN, then each server’s default route points to the aliased IP address.
Figure 7-1 shows how the secure (router) mode fault-tolerant configuration is set up.
Figure 7-1 Fault-Tolerant Configuration
[Figure: network diagram showing the client workstation, NAS router, Router A and Router B (HSRP), Content Switching Modules A and B with client-side VLAN 2, fault-tolerant VLAN 9 and alias IP address 192.158.39.20 (default gateway), and Server A and Server B.]
Note The addresses in Figure 7-1 refer to the steps in the following two task tables.
To configure the active (A) CSM for fault tolerance, perform this task:

| | Command | Purpose |
|---|---|---|
| Step 1 | Router(config-module-csm)# vlan 2 client | Creates the client-side VLAN 2 and enters the SLB VLAN mode¹. |
| Step 2 | Router(config-slb-vlan-client)# ip addr 192.158.38.10 255.255.255.0 | Assigns the content switching IP address on VLAN 2. |
| Step 3 | Router(config-slb-vlan-client)# gateway 192.158.38.20 | (Optional) Defines the client-side VLAN gateway for an HSRP-enabled gateway. |
| Step 4 | Router(config-module-csm)# vserver vip1 | Creates a virtual server and enters the SLB vserver mode. |
| Step 5 | Router(config-slb-vserver)# virtual 192.158.38.30 tcp www | Creates a virtual IP address. |
| Step 6 | Router(config-module-csm)# inservice | Enables the server. |
| Step 7 | Router(config-module-csm)# vlan 3 server | Creates the server-side VLAN 3 and enters the SLB VLAN mode. |
| Step 8 | Router(config-slb-vlan-server)# ip addr 192.158.39.10 255.255.255.0 | Assigns the CSM IP address on VLAN 3. |
| Step 9 | Router(config-slb-vlan-server)# alias ip addr 192.158.39.20 255.255.255.0 | Assigns the default route for VLAN 3. |
| Step 10 | Router(config-slb-vlan-server) vlan 9 | Defines VLAN 9 as a fault-tolerant VLAN. |
| Step 11 | Router(config-module-csm)# ft group ft-group-number vlan 9 | Creates the content switching active and standby (A/B) group VLAN 9. |
| Step 12 | Router(config-module-csm)# vlan | Enters the VLAN mode¹. |
| Step 13 | Router(vlan)# vlan 2 | Configures a client-side VLAN 2². |
| Step 14 | Router(vlan)# vlan 3 | Configures a server-side VLAN 3. |
| Step 15 | Router(vlan)# vlan 9 | Configures a fault-tolerant VLAN 9. |
| Step 16 | Router(vlan)# exit | Enters the exit command to have the configuration take effect. |

1. Enter the exit command to leave a mode or submode. Enter the end command to return to the menu's top level.
2. The no form of this command restores the defaults.

To configure the standby (B) CSM for fault tolerance, perform this task (see Figure 7-1):
Step 1 Router(config-module-csm)# vlan 2 client
        Purpose: Creates the client-side VLAN 2 and enters the SLB VLAN mode [1].
Step 2 Router(config-slb-vlan-client)# ip addr 192.158.38.40 255.255.255.0
        Purpose: Assigns the content switching IP address on VLAN 2.
Step 3 Router(config-slb-vlan-client)# gateway 192.158.38.20
        Purpose: Defines the client-side VLAN gateway.
Step 4 Router(config-module-csm)# vserver vip1
        Purpose: Creates a virtual server and enters the SLB virtual server mode.
Step 5 Router(config-slb-vserver)# virtual 192.158.38.30 tcp www
        Purpose: Creates a virtual IP address.
Step 6 Router(config-module-csm)# inservice
        Purpose: Enables the server.
Step 7 Router(config-module-csm)# vlan 3 server
        Purpose: Creates the server-side VLAN 3 and enters the SLB VLAN mode.
Step 8 Router(config-slb-vserver)# ip addr 192.158.39.30 255.255.255.0
        Purpose: Assigns the CSM IP address on VLAN 3.
Step 9 Router(config-slb-vserver)# alias 192.158.39.20 255.255.255.0
        Purpose: Assigns the default route for VLAN 2.
Step 10 Router(config-module-csm)# vlan 9
        Purpose: Defines VLAN 9 as a fault-tolerant VLAN.
Step 11 Router(config-module-csm)# ft group ft-group-number vlan 9
        Purpose: Creates the CSM active and standby (A/B) group VLAN 9.
Step 12 Router(config-module-csm)# show module csm all
        Purpose: Displays the state of the fault tolerant system.
[1] Enter the exit command to leave a mode or submode. Enter the end command to return to the menu’s top level.

Configuring HSRP

This section provides an overview of a Hot Standby Router Protocol (HSRP) configuration (see Figure 7-2) and describes how to configure the CSMs with HSRP and CSM failover on the Catalyst 6500 series switches.

HSRP Configuration Overview

Figure 7-2 shows that two Catalyst 6500 series switches, Switch 1 and Switch 2, are configured to route from a client-side network (10.100/16) to an internal CSM client network (10.6/16, VLAN 136) through an HSRP gateway (10.100.0.1). The configuration shows the following:
The client-side network is assigned an HSRP group ID of HSRP ID 2.
The internal CSM client network is assigned an HSRP group ID of HSRP ID 1.
Note HSRP group 1 must have tracking turned on so that it can track the client network ports on HSRP group 2. When HSRP group 1 detects any changes in the active state of those ports, it duplicates those changes so that both the HSRP active (Switch 1) and HSRP standby (Switch 2) switches share the same knowledge of the network.
In the example configuration, two CSMs (one in Switch 1 and one in Switch 2) are configured to forward traffic between a client-side and a server-side VLAN:
Client VLAN 136
Note The client VLAN is actually an internal CSM VLAN network; the actual client network is on the other side of the switch.
Server VLAN 272
The actual servers on the server network (10.5/16) point to the CSM server network through an aliased gateway (10.5.0.1), allowing the servers to run a secure subnet.
In the example configuration, an EtherChannel is set up with trunking enabled, allowing traffic on the internal CSM client network to travel between the two Catalyst 6500 series switches. The setup is shown in Figure 7-2.
Note EtherChannel protects against a severed link to the active switch and a failure in a non-CSM component of the switch. EtherChannel also provides a path between an active CSM in one switch and another switch, allowing CSMs and switches to fail over independently, providing an extra level of fault tolerance.
Figure 7-2 HSRP Configuration
[Figure 7-2, image not reproduced. Labels: Switch 1, name "FT1", HSRP primary, with CSM#1 (FT primary); Switch 2, name "FT2", HSRP secondary, with CSM#2 (FT secondary); EtherChannel ID=100 (trunk), VLAN 136 allowed; client network 10.100/16, HSRP ID 2 (gateway = 10.100.0.1); internal CSM client network 10.6/16, VLAN 136, HSRP ID 1 (gateway = 10.6.0.1) with tracking on; VLAN 71, FT network; server network 10.5/16, VLAN 272 (gateway = 10.5.0.1) via secure subnet and IP alias. Other addresses shown: 10.100.0.2, 10.100.0.3, 10.6.0.2, 10.6.0.3, 10.5.0.2, 10.5.0.3.]

Creating the HSRP Gateway

This procedure describes how to create an HSRP gateway for the client-side network. The gateway is HSRP ID 2 for the client-side network.
Note In this example, HSRP is set on Fast Ethernet ports 3/6.
To create an HSRP gateway, follow these steps:
Step 1 Configure Switch 1—FT1 (HSRP active) as follows:
Router(config)# interface FastEthernet3/6
Router(config)# ip address 10.100.0.2 255.255.0.0
Router(config)# standby 2 priority 110 preempt
Router(config)# standby 2 ip 10.100.0.1
Step 2 Configure Switch 2—FT2 (HSRP standby) as follows:
Router(config)# interface FastEthernet3/6
Router(config)# ip address 10.100.0.3 255.255.0.0
Router(config)# standby 2 priority 100 preempt
Router(config)# standby 2 ip 10.100.0.1

Creating Fault-Tolerant HSRP Configurations

This section describes how to create a fault-tolerant HSRP secure-mode configuration. To create a nonsecure-mode configuration, enter the commands described with these exceptions:
Assign the same IP address to both the server-side and the client-side VLANs.
Do not use the alias command to assign a default gateway for the server-side VLAN.
To create fault-tolerant HSRP configurations, follow these steps:
Step 1 Configure VLANs on HSRP FT1 as follows:
Router(config)# module csm 5
Router(config-module-csm)# vlan 136 client
Router(config-slb-vlan-client)# ip address 10.6.0.245 255.255.0.0
Router(config-slb-vlan-client)# gateway 10.6.0.1
Router(config-slb-vlan-client)# exit
Router(config-module-csm)# vlan 272 server
Router(config-slb-vlan-server)# ip address 10.5.0.2 255.255.0.0
Router(config-slb-vlan-server)# alias 10.5.0.1 255.255.0.0
Router(config-slb-vlan-server)# exit
Router(config-module-csm)# vlan 71
Router(config-module-csm)# ft group 88 vlan 71
Router(config-slb-ft)# priority 30
Router(config-slb-ft)# preempt
Router(config-slb-ft)# exit
Router(config-module-csm)# interface Vlan136
ip address 10.6.0.2 255.255.0.0
standby 1 priority 100 preempt
standby 1 ip 10.6.0.1
standby 1 track Fa3/6 10
Step 2 Configure VLANs on HSRP FT2 as follows:
Router(config)# module csm 6
Router(config-module-csm)# vlan 136 client
Router(config-slb-vlan-client)# ip address 10.6.0.246 255.255.0.0
Router(config-slb-vlan-client)# gateway 10.6.0.1
Router(config-slb-vlan-client)# exit
Router(config-module-csm)# vlan 272 server
Router(config-slb-vlan-server)# ip address 10.5.0.3 255.255.0.0
Router(config-slb-vlan-server)# alias 10.5.0.1 255.255.0.0
Router(config-slb-vlan-server)# exit
Router(config-module-csm)# vlan 71
Router(config-module-csm)# ft group 88 vlan 71
Router(config-slb-ft)# priority 20
Router(config-slb-ft)# preempt
Router(config-slb-ft)# exit
Router(config-module-csm)# interface Vlan136
ip address 10.6.0.3 255.255.0.0
standby 1 priority 100 preempt
standby 1 ip 10.6.0.1
standby 1 track Fa3/6 10
Note To allow tracking to work, preempt must be on.
Step 3 Configure EtherChannel on both switches as follows:
Router(console)# interface Port-channel100
Router(console)# switchport
Router(console)# switchport trunk encapsulation dot1q
Router(console)# switchport trunk allowed vlan 136
Note By default, all VLANs are allowed on the port channel.
Step 4 To prevent problems, remove the server and fault-tolerant CSM VLANs as follows:
Router(console)# switchport trunk remove vlan 71
Router(console)# switchport trunk remove vlan 272
Step 5 Add ports to the EtherChannel as follows:
Router(console)# interface FastEthernet3/25
Router(console)# switchport
Router(console)# channel-group 100 mode on
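The trunk pruning in Steps 3 and 4 can be verified against saved configuration text. The Python below is an added example, not part of the Cisco note: it resolves each trunk's allowed-VLAN list, starting from the all-VLANs default, and reports whether VLAN 71 or VLAN 272 can still cross the port channel. Function names and sample configurations are constructed for illustration; the `switchport trunk allowed vlan add|remove` forms are accepted alongside the `switchport trunk remove vlan` spelling used in Step 4.

```python
import re

ALL_VLANS = frozenset(range(1, 4095))  # VLAN IDs 1-4094
# VLANs that Step 4 removes from the inter-switch trunk.
PROTECTED = {71: "CSM fault-tolerant VLAN", 272: "CSM server VLAN"}

PROMPT_RE = re.compile(r"^\S+[#>]\s*")  # e.g. "Router(console)# "
ALLOWED_RE = re.compile(
    r"switchport trunk allowed vlan\s+(?:(add|remove)\s+)?(\S.*)$", re.I)
# Spelling used in Step 4 of this note.
PAGE_REMOVE_RE = re.compile(r"switchport trunk remove vlan\s+(\S.*)$", re.I)


def parse_vlan_list(text):
    """Expand an IOS VLAN list such as '1-70,72,136' into a set of ints."""
    vlans = set()
    for part in text.replace(" ", "").split(","):
        lo, _, hi = part.partition("-")
        lo, hi = int(lo), int(hi or lo)
        if not 1 <= lo <= hi <= 4094:
            raise ValueError(f"bad VLAN range: {part!r}")
        vlans.update(range(lo, hi + 1))
    return vlans


def trunk_allowed_vlans(config_text):
    """Return {interface: allowed VLAN set} for interfaces with trunk settings."""
    trunks, current = {}, None
    for raw in config_text.splitlines():
        line = PROMPT_RE.sub("", raw.strip())  # tolerate pasted CLI prompts
        m = re.match(r"interface\s+(\S+)", line, re.I)
        if m:
            current = m.group(1)
            continue
        if current is None or not line.lower().startswith("switchport trunk"):
            continue
        # First trunk line seen: start from the default, all VLANs allowed.
        allowed = trunks.setdefault(current, set(ALL_VLANS))
        m = PAGE_REMOVE_RE.match(line)
        if m:
            allowed -= parse_vlan_list(m.group(1))
            continue
        m = ALLOWED_RE.match(line)
        if not m:
            continue  # e.g. "switchport trunk encapsulation dot1q"
        action, arg = m.group(1), m.group(2).strip().lower()
        if action is not None and action.lower() == "add":
            allowed |= parse_vlan_list(arg)
        elif action is not None:
            allowed -= parse_vlan_list(arg)
        elif arg == "all":
            trunks[current] = set(ALL_VLANS)
        elif arg == "none":
            trunks[current] = set()
        else:
            trunks[current] = parse_vlan_list(arg)  # plain list replaces the set
    return trunks


def audit_trunks(config_text):
    """List (interface, vlan, label) for each protected VLAN a trunk still carries."""
    return [(ifname, vlan, PROTECTED[vlan])
            for ifname, allowed in trunk_allowed_vlans(config_text).items()
            for vlan in sorted(PROTECTED) if vlan in allowed]


# Constructed sample inputs (not captured from a device).
UNPRUNED = """\
Router(console)# interface Port-channel100
Router(console)# switchport
Router(console)# switchport trunk encapsulation dot1q
"""
PRUNED_AS_ON_PAGE = UNPRUNED + """\
Router(console)# switchport trunk allowed vlan 136
Router(console)# switchport trunk remove vlan 71
Router(console)# switchport trunk remove vlan 272
"""
RANGE_LIST = """\
interface Port-channel100
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1-135,200-300
 switchport trunk allowed vlan remove 272
interface FastEthernet3/25
 channel-group 100 mode on
"""

if __name__ == "__main__":
    for label, cfg in (("unpruned", UNPRUNED), ("pruned", PRUNED_AS_ON_PAGE),
                       ("range list", RANGE_LIST)):
        print(label, audit_trunks(cfg))
```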

Configuring Connection Redundancy

Connection redundancy prevents open connections from ceasing to respond when the active CSM fails and the standby CSM becomes active. With connection redundancy, the active CSM replicates forwarding information to the standby CSM for each connection that is to remain open when the active CSM fails over to the standby CSM.
To configure connection redundancy, perform this task:
Step 1 Router# configure terminal
        Purpose: Enters router configuration mode.
Step 2 Router(config)# no ip igmp snooping
        Purpose: Removes IGMP snooping from the configuration.
Step 3 Router(config-module-csm)# vserver virtserver-name
        Purpose: Identifies a virtual server and enters the virtual server submode.
Step 4 Router(config-slb-vserver)# virtual ip-address [ip-mask] protocol port-number [service ftp]
        Purpose: Configures the virtual server attributes.
Step 5 Router(config-slb-vserver)# serverfarm serverfarm-name
        Purpose: Associates a server farm with a virtual server.
Step 6 Router(config-slb-vserver)# sticky duration [group group-id] [netmask ip-netmask]
        Purpose: Ensures that connections from the same client use the same real server.
Step 7 Router(config-slb-vserver)# replicate csrp sticky
        Purpose: Enables sticky replication.
Step 8 Router(config-slb-vserver)# replicate csrp connection
        Purpose: Enables connection replication.
Step 9 Router(config-slb-vserver)# inservice
        Purpose: Enables the virtual server for load balancing.
Step 10 Router(config-module-csm)# ft group group-id vlan vlanid
        Purpose: Configures fault tolerance and enters the fault-tolerance submode.
Step 11 Router(config-slb-ft)# priority value
        Purpose: Sets the priority of the CSM.
Step 12 Router(config-slb-ft)# failover failover-time
        Purpose: Sets the time for a standby CSM to wait before becoming an active CSM.
Step 13 Router(config-slb-ft)# preempt
        Purpose: Allows a higher priority CSM to take control of a fault-tolerant group when it comes online.
This example shows how to set fault tolerance for connection redundancy:
Router(config-module-csm)# vserver VS_LINUX-TELNET
Router(config-slb-vserver)# virtual 10.6.0.100 tcp telnet
Router(config-slb-vserver)# serverfarm SF_NONAT
Router(config-slb-vserver)# sticky 100 group 35
Router(config-slb-vserver)# replicate csrp sticky
Router(config-slb-vserver)# replicate csrp connection
Router(config-slb-vserver)# inservice
Router(config-slb-vserver)# exit
Router(config-module-csm)# ft group 90 vlan 111
Router(config-slb-ft)# priority 10
Router(config-slb-ft)# failover 3
Router(config-slb-ft)# preempt
Router(config-slb-ft)# exit

Configuring a Hitless Upgrade

A hitless upgrade allows you to upgrade to a new version without any major service disruption due to the downtime for the upgrade. To configure a hitless upgrade, perform these steps:
Step 1 If you have preempt enabled, turn it off.
Step 2 Perform a write memory on standby.
Step 3 Upgrade the standby system with the new release, and then reboot the CSM.
The standby CSM boots as standby with the new release. If you have sticky backup enabled, keep the standby CSM in standby mode for at least 5 minutes.
Step 4 Upgrade the active CSM.
Step 5 Reboot the active CSM.
When the active CSM reboots, the standby CSM becomes the new active CSM and takes over the service responsibility.
Step 6 The rebooted CSM comes up as standby.

CHAPTER 8

Configuring Additional Features and Options

This chapter describes how to configure content switching and contains these sections:
Configuring Sticky Groups
Configuring Route Health Injection
Environmental Variables
Configuring Persistent Connections
Configuring Global Server Load Balancing
Configuring Network Management

Configuring Sticky Groups

Configuring a sticky group involves configuring the attributes of that group and associating it with a policy. Sticky time specifies the period of time that the sticky information is kept. The default sticky time value is 1440 minutes (24 hours).
To configure sticky groups, perform this task:
Command: Router(config-module-csm)# sticky sticky-group-id {netmask netmask | cookie name | ssl} [address [source | destination | both]] [timeout sticky-time]
        Purpose: Ensures that connections from the same client matching the same policy use the same real server [1].
[1] The no form of this command restores the defaults.
This example shows how to configure a sticky group and associate it with a policy:
Router(config-module-csm)# sticky 1 cookie foo timeout 100
Router(config-module-csm)# serverfarm pl_stick
Router(config-slb-sfarm)# real 10.8.0.18
Router(config-slb-real)# inservice
Router(config-slb-sfarm)# real 10.8.0.19
Router(config-slb-real)# inservice
Router(config-slb-real)# exit
Router(config-slb-sfarm)# exit
Router(config-module-csm)# policy policy_sticky_ck
Router(config-slb-policy)# serverfarm pl_stick
Router(config-slb-policy)# sticky-group 1
Router(config-slb-policy)# exit
Router(config-module-csm)# vserver vs_sticky_ck
Router(config-slb-vserver)# virtual 10.8.0.125 tcp 90
Router(config-slb-vserver)# slb-policy policy_sticky_ck
Router(config-slb-vserver)# inservice
Router(config-slb-vserver)# exit

Configuring Route Health Injection

These sections describe how to configure route health injection (RHI):
Understanding RHI
Configuring RHI for Virtual Servers

Understanding RHI

These sections describe the RHI:
RHI Overview
Routing to VIP Addresses Without RHI
Routing to VIP Addresses with RHI
Understanding How the CSM Determines VIP Availability
Understanding Propagation of VIP Availability Information
RHI Overview
RHI allows the CSM to advertise the availability of a VIP address throughout the network. Multiple CSM devices with identical VIP addresses and services can exist throughout the network. One CSM can override the server load-balancing services over the other devices if the services are no longer available on the other devices. One CSM also can provide the services because it is logically closer to the client systems than other server load-balancing devices.
Note RHI is restricted to intranets because the CSM advertises the VIP address as a host route and most routers do not propagate the host-route information to the Internet.
To enable RHI, configure the CSM to do the following:
Probe real servers and identify available virtual servers and VIP addresses
Advertise accurate VIP address availability information to the MSFC whenever a change occurs
Note On power-up with RHI enabled, the CSM sends a message to the MSFC as each VIP address becomes available.
The MSFC periodically propagates the VIP address availability information that RHI provides.
Note RHI is normally restricted to intranets; for security reasons, most routers do not propagate host-route information to the Internet.
Routing to VIP Addresses Without RHI
Without RHI, traffic reaches the VIP address by following a route to the client VLAN to which the VIP address belongs. When the CSM powers on, the MSFC creates routes to client VLANs in its routing table and shares this route information with other routers. To reach the VIP, the client systems rely on the router to send the requests to the network subnet address where the individual VIP address lives.
If the subnet or segment is reachable but the virtual servers on the CSM at this location are not operating, the requests fail. Other CSM devices can be at different locations. However, the routers only send the requests based on the logical distance to the subnet.
Without RHI, traffic is sent to the VIP address without any verification that the VIP address is available. The real servers attached to the VIP might not be active.
Note By default, the CSM will not advertise the configured VIP addresses.
Routing to VIP Addresses with RHI
With RHI, the CSM sends advertisements to the MSFC when VIP addresses become available and withdraws advertisements for VIP addresses that are no longer available. The router looks in the routing table to find the path information it needs to send the request from the client to the VIP address. When the RHI feature is turned on, the advertised VIP address information is the most specific match. The request for the client is sent through the path where it reaches the CSM with active VIP services.
When multiple instances of a VIP address exist, a client router receives the information it needs (availability and hop count) for each instance of a VIP address, allowing it to determine the best available route to that VIP address. The router chooses the path where the CSM is logically closer to the client system.
Note With RHI, you must also configure probes because the CSM determines if it can reach a given VIP address by probing all the real servers that serve its content. After determining if it can reach a VIP address, the CSM shares this availability information with the MSFC. The MSFC, in turn, propagates this VIP availability information to the rest of the intranet.
Understanding How the CSM Determines VIP Availability
For the CSM to determine if a VIP is available, you must configure a probe (HTTP, ICMP, Telnet, TCP, FTP, SMTP, or DNS) and associate it with a server farm. When probes are configured, the CSM performs these checks:
Probes all real servers on all server farms configured for probing
Identifies server farms that are reachable (have at least one reachable real server)
Identifies virtual servers that are reachable (have at least one reachable server farm)
Identifies VIPs that are reachable (have at least one reachable virtual server)
Understanding Propagation of VIP Availability Information
With RHI, the CSM sends advertise messages to the MSFC containing the available VIP addresses. The MSFC adds an entry in its routing table for each VIP address it receives from the CSM. The routing protocol running on the MSFC sends routing table updates to other routers. When a VIP address becomes unavailable, its route is no longer advertised, the entry times out, and the routing protocol propagates the change.
Note For RHI to work on the CSM, the MSFC in the chassis in which the CSM resides must run Cisco IOS Release 12.1.7(E) or later and must be configured as the client-side router.
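The availability checks and the advertise/withdraw behaviour described in the two subsections above can be modelled in a few lines. This Python model is an added example, not CSM code: it derives reachable VIPs from probe results and emits the host-route changes between probe rounds. Names and addresses are borrowed from this chapter's configuration examples, while the probe results, the `advertise_active` flags, and the rule that an unprobed real server counts as down are assumptions of the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ServerFarm:
    name: str
    reals: tuple  # real server IP addresses probed for this farm


@dataclass(frozen=True)
class VirtualServer:
    name: str
    vip: str
    farms: tuple                    # names of the server farms behind it
    advertise_active: bool = False  # True when "advertise active" is configured


def reachable_vips(vservers, farms, probe_ok):
    """Apply the reachability checks to one round of probe results.

    probe_ok maps real-server IP -> bool. A real with no probe result is
    treated as down (assumption of this example).
    """
    # A server farm is reachable if at least one of its reals answered.
    farm_up = {f.name: any(probe_ok.get(r, False) for r in f.reals)
               for f in farms}
    vips = set()
    for vs in vservers:
        # A virtual server is reachable if at least one farm is reachable.
        vs_up = any(farm_up.get(name, False) for name in vs.farms)
        # A VIP is advertised if at least one reachable virtual server
        # on it has RHI enabled; by default nothing is advertised.
        if vs_up and vs.advertise_active:
            vips.add(vs.vip + "/32")  # advertised as a host route
    return vips


def rhi_updates(previous, current):
    """Return (advertise, withdraw) lists for the change between two rounds."""
    return sorted(current - previous), sorted(previous - current)


FARMS = (
    ServerFarm("pl_stick", ("10.8.0.18", "10.8.0.19")),
    ServerFarm("sf3", ("10.1.0.105",)),
)
VSERVERS = (
    VirtualServer("vs_sticky_ck", "10.8.0.125", ("pl_stick",),
                  advertise_active=True),
    VirtualServer("vs3", "10.1.0.83", ("sf3",)),  # RHI left at its default
)
# Constructed probe results, one dict per probe round.
ROUNDS = (
    {"10.8.0.18": True, "10.8.0.19": True, "10.1.0.105": True},
    {"10.8.0.18": False, "10.8.0.19": True, "10.1.0.105": True},
    {"10.8.0.18": False, "10.8.0.19": False, "10.1.0.105": True},
)


def simulate(rounds=ROUNDS):
    """Return the (advertise, withdraw) pair produced after each round."""
    advertised, log = set(), []
    for probe_ok in rounds:
        now = reachable_vips(VSERVERS, FARMS, probe_ok)
        log.append(rhi_updates(advertised, now))
        advertised = now
    return log


if __name__ == "__main__":
    for n, (adv, wd) in enumerate(simulate(), 1):
        print(f"round {n}: advertise={adv} withdraw={wd}")
```

Losing one real server changes nothing because the farm still has a reachable member; the route is withdrawn only when the last real in the farm fails, and 10.1.0.83 is never advertised even though its server stays up.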

Configuring RHI for Virtual Servers

To configure RHI for the virtual servers, follow these steps:
Step 1 Verify that you have configured VLANs. (See Chapter 4, “Configuring VLANs.”)
Step 2 Associate the probe with a server farm. (See the “Configuring Probes for Health Monitoring” section on page 9-1.)
Step 3 Configure the CSM to probe real servers. (See the “Configuring Probes for Health Monitoring” section on page 9-1.)
Step 4 Enter the advertise active SLB virtual server command to enable RHI for each virtual server:
Router(config-module-csm)# vserver virtual_server_name
Router(config-slb-vserver)# advertise active
This example shows how to enable RHI for the virtual server named vserver1:
Router(config-module-csm)# vserver vserver1
Router(config-slb-vserver)# advertise active

Environmental Variables

This example shows how to enable the environmental variables configuration:
Router(config-module-csm)# variable name string
You can get the current set of variables by running the show module csm slot variable [detail] command. For example:
Router# show mod csm 5 variable
variable                          value
----------------------------------------------------------------
ARP_INTERVAL                      300
ARP_LEARNED_INTERVAL              14400
ARP_GRATUITOUS_INTERVAL           15
ARP_RATE                          10
ARP_RETRIES                       3
ARP_LEARN_MODE                    1
ARP_REPLY_FOR_NO_INSERVICE_VIP    0
ADVERTISE_RHI_FREQ                10
AGGREGATE_BACKUP_SF_STATE_TO_VS   0
DEST_UNREACHABLE_MASK             0xffff
FT_FLOW_REFRESH_INT               60
GSLB_LICENSE_KEY                  (no valid license)
HTTP_CASE_SENSITIVE_MATCHING      1
MAX_PARSE_LEN_MULTIPLIER          1
NAT_CLIENT_HASH_SOURCE_PORT       0
ROUTE_UNKNOWN_FLOW_PKTS           0
NO_RESET_UNIDIRECTIONAL_FLOWS     0
SYN_COOKIE_INTERVAL               3
SYN_COOKIE_THRESHOLD              5000
TCP_MSS_OPTION                    1460
TCP_WND_SIZE_OPTION               8192
VSERVER_ICMP_ALWAYS_RESPOND       false
XML_CONFIG_AUTH_TYPE              Basic
Cat6k-2#
Cat6k-2#
Cat6k-2#show mod csm 5 variable detail
Name:ARP_INTERVAL Rights:RW Value:300 Default:300 Valid values:Integer (15 to 31536000) Description: Time (in seconds) between ARPs for configured hosts
Name:ARP_LEARNED_INTERVAL Rights:RW Value:14400 Default:14400 Valid values:Integer (60 to 31536000) Description: Time (in seconds) between ARPs for learned hosts
Name:ARP_GRATUITOUS_INTERVAL Rights:RW Value:15 Default:15 Valid values:Integer (10 to 31536000) Description: Time (in seconds) between gratuitous ARPs
Name:ARP_RATE Rights:RW Value:10 Default:10 Valid values:Integer (1 to 60) Description: Seconds between ARP retries
Name:ARP_RETRIES Rights:RW Value:3 Default:3 Valid values:Integer (2 to 15) Description: Count of ARP attempts before flagging a host as down
Name:ARP_LEARN_MODE Rights:RW Value:1 Default:1 Valid values:Integer (0 to 1) Description: Indicates whether CSM learns MAC address on responses only (0) or all traffic (1)
Name:ARP_REPLY_FOR_NO_INSERVICE_VIP Rights:RW Value:0 Default:0 Valid values:Integer (0 to 1) Description: Whether the CSM would reply to ARP for out-of-service vserver
Name:ADVERTISE_RHI_FREQ Rights:RW Value:10 Default:10 Valid values:Integer (1 to 65535) Description: The frequency in second(s) the CSM will check for RHI updates
Name:AGGREGATE_BACKUP_SF_STATE_TO_VS Rights:RW Value:0 Default:0 Valid values:Integer (0 to 1) Description: Whether to include the operational state of a backup serverfarm into the state of a virtual server
Name:DEST_UNREACHABLE_MASK Rights:RW Value:0xffff Default:65535 Valid values:Integer (0 to 65535) Description: Bitmask defining which ICMP destination unreachable codes are to be forwarded
Name:FT_FLOW_REFRESH_INT Rights:RW Value:60 Default:60 Valid values:Integer (1 to 65535) Description: FT slowpath flow refresh interval in seconds
Name:GSLB_LICENSE_KEY Rights:RW Value:(no valid license) Default:(no valid license) Valid values:String (1 to 63 chars) Description: License key string to enable GSLB feature
Name:HTTP_CASE_SENSITIVE_MATCHING Rights:RW Value:1 Default:1 Valid values:Integer (0 to 1) Description: Whether the URL (Cookie, Header) matching and sticky to be case sensitive
Name:MAX_PARSE_LEN_MULTIPLIER Rights:RW Value:1 Default:1 Valid values:Integer (1 to 16) Description: Multiply the configured max-parse-len by this amount
Name:NAT_CLIENT_HASH_SOURCE_PORT Rights:RW Value:0 Default:0 Valid values:Integer (0 to 1) Description: Whether to use the source port to pick client NAT IP address
Name:ROUTE_UNKNOWN_FLOW_PKTS Rights:RW Value:0 Default:0 Valid values:Integer (0 to 1) Description: Whether to route non-SYN packets that do not matched any existing flows
Name:NO_RESET_UNIDIRECTIONAL_FLOWS Rights:RW Value:0 Default:0 Valid values:Integer (0 to 1) Description: If set, unidirectional flows will not be reset when timed out
Name:SYN_COOKIE_INTERVAL Rights:RW Value:3 Default:3 Valid values:Integer (1 to 60) Description: The interval, in seconds, at which a new syn-cookie key is generated
Name:SYN_COOKIE_THRESHOLD Rights:RW Value:5000 Default:5000 Valid values:Integer (0 to 1048576) Description: The threshold (in number of pending sessions) at which syn-cookie is engaged
Name:TCP_MSS_OPTION Rights:RW Value:1460 Default:1460 Valid values:Integer (1 to 65535) Description: Maximum Segment Size (MSS) value sent by CSM for L7 processing
Name:TCP_WND_SIZE_OPTION Rights:RW Value:8192 Default:8192 Valid values:Integer (1 to 65535) Description: Window Size value sent by CSM for L7 processing
Name:VSERVER_ICMP_ALWAYS_RESPOND Rights:RW Value:false Default:false Valid values:String (1 to 5 chars) Description: If "true" respond to ICMP probes regardless of vserver state
Name:XML_CONFIG_AUTH_TYPE Rights:RW Value:Basic Default:Basic Valid values:String (5 to 6 chars) Description: HTTP authentication type for xml-config:Basic or Digest
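The detail listing above carries each variable's current value, default and valid range, which is enough to review a module's settings automatically. The Python below is an added example, not a Cisco tool: it parses `variable detail` text (single-line or multi-line entries) and flags values outside the stated range, values that differ from the default, and `XML_CONFIG_AUTH_TYPE` left at Basic. The sample text is constructed from entries on this page with two values altered, and flagging Basic authentication is a review policy assumed by the example.

```python
import re

ENTRY_RE = re.compile(
    r"Name:(?P<name>\S+)\s+Rights:(?P<rights>\S+)\s+"
    r"Value:(?P<value>.*?)\s+Default:(?P<default>.*?)\s+"
    r"Valid values:(?P<kind>Integer|String) "
    r"\((?P<lo>\d+) to (?P<hi>\d+)(?: chars)?\)\s+"
    r"Description:\s*(?P<desc>.*?)(?=\s*Name:|\s*\Z)",
    re.S,
)


def parse_variables(text):
    """Parse 'show module csm <slot> variable detail' text into dicts."""
    variables = []
    for m in ENTRY_RE.finditer(text):
        var = m.groupdict()
        var["lo"], var["hi"] = int(var["lo"]), int(var["hi"])
        var["desc"] = " ".join(var["desc"].split())  # collapse line wraps
        variables.append(var)
    return variables


def _number(raw):
    """Integer values may be decimal or hex (0xffff); None if unparsable."""
    try:
        return int(raw, 0)
    except ValueError:
        return None


def _in_range(var):
    if var["kind"] == "Integer":
        n = _number(var["value"])
        return n is not None and var["lo"] <= n <= var["hi"]
    return var["lo"] <= len(var["value"]) <= var["hi"]  # String: length limit


def _is_default(var):
    if var["kind"] == "Integer":
        return _number(var["value"]) == _number(var["default"])
    return var["value"] == var["default"]


def review(variables):
    """Return (name, finding) tuples in listing order."""
    findings = []
    for var in variables:
        if not _in_range(var):
            findings.append((var["name"], "out-of-range"))
        if not _is_default(var):
            findings.append((var["name"], "differs-from-default"))
        # Example policy, not a rule from the note: HTTP Basic sends the
        # credentials base64-encoded with every request, so prefer Digest.
        if (var["name"] == "XML_CONFIG_AUTH_TYPE"
                and var["value"].lower() == "basic"):
            findings.append((var["name"], "basic-auth"))
    return findings


# Constructed sample: page entries, with ARP_RETRIES and
# SYN_COOKIE_THRESHOLD values altered to trigger findings.
SAMPLE = """\
Name:ARP_RETRIES Rights:RW Value:1 Default:3 Valid values:Integer (2 to 15) Description: Count of ARP attempts before flagging a host as down
Name:DEST_UNREACHABLE_MASK Rights:RW Value:0xffff Default:65535 Valid values:Integer (0 to 65535) Description: Bitmask defining which ICMP destination unreachable codes are to be forwarded
Name:SYN_COOKIE_THRESHOLD Rights:RW
Value:1048576
Default:5000
Valid values:Integer (0 to 1048576)
Description:
The threshold (in number of pending sessions) at which syn-cookie is engaged
Name:XML_CONFIG_AUTH_TYPE Rights:RW Value:Basic Default:Basic Valid values:String (5 to 6 chars) Description: HTTP authentication type for xml-config:Basic or Digest
"""

if __name__ == "__main__":
    for name, finding in review(parse_variables(SAMPLE)):
        print(f"{name}: {finding}")
```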

Configuring Persistent Connections

The CSM allows HTTP connections to be switched based on a URL, cookies, or other fields contained in the HTTP header. Persistent connection support in the CSM allows for each successive HTTP request in a persistent connection to be switched independently. As a new HTTP request arrives, it may be switched to the same server as the prior request, it may be switched to a different server, or it may be reset to the client preventing that request from being completed.
In software release 2.1(1), the CSM supports HTTP 1.1 persistence. This feature allows browsers to send multiple HTTP requests on a single persistent connection. After a persistent connection is established, the server keeps the connection open for a configurable interval, anticipating that it may receive more requests from the same client. Persistent connections eliminate the overhead involved in establishing a new TCP connection for each request.
HTTP 1.1 persistence is enabled by default on all virtual servers configured with Layer 7 policies. To disable persistent connections, enter the no persistent rebalance command. To enable persistent connection, enter the persistent rebalance command.
This example shows how to configure persistent connection:
Router# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)# mod csm 2
!!! configuring serverfarm
Router(config-module-csm)# serverfarm sf3
Router(config-slb-sfarm)# real 10.1.0.105
Router(config-slb-real)# inservice
!!! configuring vserver
Router(config-slb-real)# vserver vs3
Router(config-slb-vserver)# virtual 10.1.0.83 tcp 80
Router(config-slb-vserver)# persistent rebalance
Router(config-slb-vserver)# serverfarm sf3
Router(config-slb-vserver)# inservice
Router(config-slb-vserver)# end

Configuring Global Server Load Balancing

This section contains the Content Switching Module (CSM) global server load balancing (GSLB) advanced feature set option and instructions for its use. You should review the terms of the “Software License Agreement” carefully before using the advanced feature set option.
Note By downloading or installing the software, you are consenting to be bound by the license agreement. If you do not agree to all of the terms of this license, then do not download, install, or use the software.

Using the GSLB Advanced Feature Set Option

To enable GSLB, perform this task in privileged mode:
Router# config t
Router(config)# mod csm 5
        Purpose: Enters the configuration mode, and enters CSM configuration mode for the specific CSM (for example, module 5, as used here).
Router(config-module-csm)# variable name value
        Purpose: Enables GSLB by using the name and value provided as follows [1]: Name= Value=
Router(config-module-csm)# exit
Router(config)# write mem
        Purpose: Exits CSM module configuration mode, and saves the configuration changes.
Router# hw-module slot number reset
        Purpose: Reboots your CSM to activate changes.
[1] GSLB requires a separately purchased license. To purchase your GSLB license, contact your Cisco representative.

Configuring GSLB

Global Server Load Balancing (GSLB) performs load balancing between multiple, dispersed hosting sites by directing client connections through DNS to different server farms and real servers based on load availability. GSLB is performed using access lists, maps, server farms, and load balancing algorithms.
Table 8-1 gives an overview of what is required for a GSLB configuration on the CSM.
Table 8-1 GSLB Operations
Client Request (From): Access lists can be used to filter incoming DNS requests, and policies are used to associate the configured maps, client-groups, and server farms for incoming DNS requests.
Domain (For): A map is configured to specify the domain names that client requests must match. Regular expression syntax is supported. For example, domain names are cnn.com or yahoo.com that a client request must be matched against. If the domain name matches the specified map of a policy, the primary server farm is queried for a real server to respond to the request.
Server farm (To): A server farm specifies a group of real servers where information is located that satisfies the client’s request.
Algorithm (Method): The GSLB probe is available for determining a target real server’s availability, using the probe type configured on the real server. GSLB server farm predictors are round-robin, least load, ordered list, hash address source, hash domain, hash domain address source.
Figure 8-1 shows a basic configuration for GSLB.
Figure 8-1 Global Server Load Balancing Configuration
In this configuration illustration, the following guidelines apply to the configuration task and example:
CSM 1 does both GSLB and SLB, while CSM 2 and CSM 3 only do SLB.
CSM 1 has both a virtual server for SLB where the real servers in the server farm are the IP addresses of the local servers and a virtual server for GSLB.
The DNS policy uses a primary server farm where one of the real servers is local and the other two real servers are virtual servers configured on CSM 2 and CSM 3, respectively.
Probes should be added for both the remote locations and the local real and virtual server.
DNS requests sent to a CSM 1 management IP address (a CSM 1 VLAN address or alias IP) will receive as a response one of the three real server IPs configured in the server farm GSLBFARM.
To configure GSLB, perform these tasks:
Step 1 Router(config-slb-vserver)# serverfarm serverfarm-name
        Purpose: Creates a server farm to associate with the virtual server.
Step 2 Router(config-module-csm)# vserver virtserver-name
        Purpose: Identifies a virtual server for SLB on CSM 1, and enters the virtual server submode.
Step 3 Router(config-slb-vserver)# virtual ip-address [ip-mask] protocol port-number [service ftp]
        Purpose: Configures the virtual server attributes.
Step 4 Router(config-slb-vserver)# inservice
        Purpose: Enables the virtual server for load balancing.
Step 5 Router(config-module-csm)# vserver virtserver-name dns
        Purpose: Identifies a virtual server for GSLB, and enters the virtual server submode.