CSM - Client & server on same VLAN, work?

Unanswered Question
Jun 1st, 2007

Hi,

Is the CSM able to be configured to work in this way, with the client and server in the same VLAN? What is the implication?

Gilles Dufour Fri, 06/01/2007 - 06:31

Yes, it is possible.

But since they are both in the same VLAN, you need to configure client-nat on the CSM to make sure the response from the server goes back through the CSM and does not go directly to the client, as the client expects a response from the VIP, not the server.

Gilles.
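
Added example, not part of the original thread: a small Python model of the return path described above, showing why a same-VLAN client needs client NAT while an off-subnet client does not. All addresses and function names are constructed for illustration, and the off-subnet case assumes the server's path to its default gateway passes through the load balancer.

```python
import ipaddress
from collections import namedtuple

Packet = namedtuple("Packet", "src dst")

# Constructed documentation addresses; not taken from the thread's configs.
SUBNET = ipaddress.ip_network("192.0.2.0/24")   # VLAN holding the real server
SERVER = "192.0.2.20"
VIP, NAT_IP = "192.0.2.100", "192.0.2.200"      # both owned by the load balancer


def lb_forward(pkt, client_nat):
    """Client -> server leg: the destination is always rewritten
    (VIP -> real server); the source is rewritten only when client NAT
    is enabled on the serverfarm."""
    return Packet(NAT_IP if client_nat else pkt.src, SERVER)


def lb_reverse(request):
    """Server -> client leg: undo the translations for this connection."""
    return Packet(request.dst, request.src)


def simulate(client, client_nat):
    """Return (reply_path, accepted_by_client) for one request to the VIP."""
    request = Packet(client, VIP)
    at_server = lb_forward(request, client_nat)
    reply = Packet(SERVER, at_server.src)   # server answers the source it saw
    same_vlan = ipaddress.ip_address(reply.dst) in SUBNET
    if reply.dst == NAT_IP or not same_vlan:
        # Either the reply is addressed to the load balancer's NAT address,
        # or it heads for the default gateway (assumed to sit behind the
        # load balancer), so the reverse translation is applied.
        reply, path = lb_reverse(request), "via-lb"
    else:
        # Same VLAN, no client NAT: the server ARPs for the client and
        # delivers the reply itself, still sourced from the real server IP.
        path = "direct"
    # The client only has a connection to the VIP; a reply from any other
    # source address matches nothing and is dropped.
    accepted = reply == Packet(VIP, client)
    return path, accepted
```
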

jim.papantonopo... Mon, 06/25/2007 - 16:58

Gilles,

Can you go into a little more detail here? I have a situation where clients access a virtual pointing to webservers. Then I have app servers on the same VLAN as the webservers that also need to make calls to the same virtual pointing to the same webservers on 443. Here's a sample config. I can't seem to get it to work. Do I need another serverfarm or possibly another virtual allowing all VLANs, not just the client VLAN? Thanks for your help.

vlan 2115 client
 ip address 10.159.15.146 255.255.255.224
 gateway 10.159.15.129
 alias 10.159.15.145 255.255.255.224
!
vlan 115 server
 ip address 10.159.15.146 255.255.255.224
!
vlan 933 server
 ip address 10.17.133.2 255.255.255.0
 alias 10.17.133.1 255.255.255.0
!
natpool PORTAL-NATPOOL 137.x.x.155 137.159.15.155 netmask 255.255.255.224
serverfarm PORTAL-SSLMOD
 no nat server
 no nat client
 real 10.17.133.3
  inservice
 probe ICMP
serverfarm PORTAL-WEB
 nat server
 nat client PORTAL-NATPOOL
 real 10.159.15.140 8001
  inservice
 real 10.159.15.141 8001
  inservice
 probe HTTP
sticky 1 cookie PORTALSIGNON insert timeout 30
vserver PORTAL-443
 virtual 10.159.15.144 tcp https
 serverfarm PORTAL-SSLMOD
 no persistent rebalance
 parse-length 4000
 inservice
!
vserver PORTAL-DECRYPT
 virtual 10.159.15.144 tcp 81
 vlan 933
 serverfarm PORTAL-WEB
 sticky 30 group 1
 persistent rebalance
 parse-length 4000
 inservice

Gilles Dufour Tue, 06/26/2007 - 05:00

Is the config that you show the modified one you used in order to solve the problem?

What was wrong with it?

I would suggest capturing a sniffer trace of the CSM portchannel. The portchannel # is 256 + csm_slot.

Otherwise, here is how I would have done it myself to NAT only requests from the servers.

serverfarm PORTAL-SSLMOD-CNAT
 no nat server
 nat client PORTAL-NATPOOL
 real 10.17.133.3
  inservice
 probe ICMP
vserver PORTAL-443-from-server
 virtual 10.159.15.144 tcp https
 serverfarm PORTAL-SSLMOD-CNAT
 vlan 115
 no persistent rebalance
 parse-length 4000
 inservice
!

gohyeeshiang Tue, 06/26/2007 - 08:11

Hi Gilles,

I am trying to configure the CSM to load balance some netcache servers with the CSM configured as the proxy IP. PBR is used to divert all web traffic to the CSM.

I configured the proxy IP as a virtual server and the netcache as a real in the serverfarm.

The user PCs are configured to use the proxy (virtual server IP) when accessing the net.

With this setup, whether I do NAT for server or client or both, I cannot get it to work. I do not have a client VLAN as all client traffic is routed to this CSM switch using a routed interface.

With no NAT configured ---

Traffic at the netcache is registered with source as the client IP and destination as the proxy server IP. This causes a loop with the netcache and CSM sending traffic to each other.

With server NAT configured only ---

The server will return directly to the client. The client will drop all the connections as it is expecting the virtual server reply and not the real server reply.

With client NAT configured only ---

I cannot see the traffic at the netcache and CSM, don't know why... still finding out.

With both server and client NAT ---

I cannot see the traffic at the netcache and CSM, don't know why... still finding out.

gohyeeshiang Wed, 06/27/2007 - 06:45

Hi Gilles,

Yes, I read that document before and it's good. It works fine for my transparent caching, just that I configured it in a direct server response mode.

Recently, while trying to configure load balancing for a proxy server, I hit a problem because the CSM is unable to act in such a way that traffic from the client is terminated at the CSM and the CSM in turn sends out the packets using its virtual IP to the netcache for the real destination in the HTTP traffic.

The scenario is as follows:

1) The user configures the proxy IP in the browser.

2) The CSM is set up with a vserver with the IP of the proxy server in the user's browser.

3) When the user sends HTTP traffic, the destination IP is the proxy server IP, with the real HTTP destination encapsulated in the HTTP header in the data segment of the packet.

4) In such a case I need to configure the CSM to do NAT on the server and client so that I can control the traffic and get all the IP addresses right for all parties. At this moment I am still unable to get the vserver working with nat server and nat client.

Can I know what the use of the "nat client static" command is? Is only 1 session allowed at any 1 time, and what is the source IP of the packet? Is there any way to overload the NAT like in a router?

Thanks.

Gilles Dufour Thu, 06/28/2007 - 11:47

The CSM can't extract the destination in the HTTP header. This is not a proxy.

All we can do is forward the traffic as such to a destination and perform NAT if needed.

The CSM will do PAT all the time it's necessary.

The static NAT feature is for when the server opens a connection through the CSM and you need it to NAT. This is a one-to-one mapping: 1 inside IP with 1 outside IP.

To do PAT, just create a natpool and use client NAT under the serverfarm.

This should be enough.

Capture a sniffer trace and verify that the CSM did NAT the client IP and destination IP.

Don't forget the destination will be the server IP as configured in the serverfarm, or the VIP if configured with no nat server.

Gilles.
