MSFC ACL filtering and CSM load-balancing

Unanswered Question
Nov 12th, 2008

Hello,

My 2 server farm distribution switches are running in "hybrid" mode, with CAT OS on the switch and IOS on the MSFC.

My server team is asking to block traffic to a specific server that is load balanced using Cisco's CSM load-balancer which is also installed in the chassis.

The question that I have is this.

Does anyone know in what order the MSFC will inspect and apply the ACL and when will the CSM make the load balancing decision?

The reason I need to know this is that the CSM is set up in bridged mode, where traffic to the server comes into the MSFC with a destination IP of a VIP which resides on the CSM. Subsequently, the CSM forwards the traffic to one of the real servers in the load-balanced server farm after it makes its load-balancing decision. Which occurs first??

Does anyone have any info on what occurs first and so forth??

Is there a link to Cisco's website that explains this process??

Thanks in advance for your help.

Tony

Giuseppe Larosa Thu, 11/13/2008 - 01:10

Hello Tony,

usually we use a different method to prevent the CSM from sending traffic to a specific real server:

we go under the serverfarm config and we put it out of service so that the load balancer will not use it.

Actually the MSFC cannot filter traffic to the real server because from its point of view traffic is directed to the Virtual server IP and it has no knowledge of which real server the traffic will be sent to.

I see that the request can be to block traffic directed to the real ip address.

You can do it on the MSFC.

the scenario should be:

users --- supervisor --- MSFC VL_C-- CSM -VL_S-- real servers

I see this in c6500 native IOS but I think it is valid also for hybrid.

So if you put an ACL on the MSFC for the so-called client Vlan SVI VL_C outgoing that denies traffic to the specific real server, you should achieve the desired result.

Hope to help

Giuseppe

Jon Marshall Thu, 11/13/2008 - 01:35

Giuseppe

You've confused me now :-)

"Actually the MSFC cannot filter traffic to the real server because from its point of view traffic is directed to the Virtual server IP and it has no knowledge of which real server the traffic will be sent to."

I agree totally with what you wrote here. But you then go on to give an example where you could filter it by using an ACL outbound on the client vlan. But the destination would be the VIP not the real address. It only becomes the real address after it has gone through the CSM.

I agree the easiest way is to take the server out of service under the serverfarm if that's possible but Tony may want to just block only certain traffic to that server.

Jon

Giuseppe Larosa Thu, 11/13/2008 - 01:44

Hello Jon,

sorry, I changed my mind while writing the post ...

at first I was thinking of putting out of service the real server.

Then I realized that I can reach a real server from outside if I point directly to its ip address.

We do this to verify they are reachable.

Actually in our case the picture is even more complex because there is also the FWSM in the middle.

So for us it is:

users --- supervisor --- MSFC - FWSM --VL_C --- CSM --- VL_S --- real servers

I could add we have started to put ACE blades instead of CSM but I stop here.

>> Tony may want to just block only certain traffic to that server

This is the point: probably the server people want to hide this real server from direct access because it can make this server more loaded than the others, for example.

Hope to help

Giuseppe

Jon Marshall Thu, 11/13/2008 - 02:19

That makes more sense now.

Yes, if the aim is to restrict access to the real server and only allow it via the VIP then an ACL on the MSFC client vlan interfaces would do the trick.

Jon

amaiale Thu, 11/13/2008 - 14:14

Giuseppe & Jon,

Thank you for your replies and for the info too.

I was looking to block only certain tcp port numbers to protect the servers from a problem/bug. I still want to be able to reach the real servers directly or outside of the VIP.

Basically, what you are saying makes sense if I apply the ACL inbound to the client side interface on the MSFC using the VIP IP address as the destination.

Alternatively, if I apply the ACL outbound to the server side interface, the CSM will have already made a load balancing decision and I will need to use the server IP address in the destination.

Does this sound right??

Thanks again,

Tony
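For reference, the two ACL placements Tony describes, written out as an MSFC IOS configuration fragment. This is an added example, not configuration from any post in this thread; the VLAN numbers, addresses and TCP port are placeholders chosen for illustration.

```cisco
! Assumed topology (from the thread): users -- MSFC Vlan10 (VL_C) -- CSM (bridged) -- Vlan20 (VL_S) -- real servers
! Placeholders: VIP 192.0.2.10 lives on the CSM, real server 192.0.2.21 sits in VL_S,
! and TCP 8080 is the port the server team wants blocked.

! Case 1: traffic that will be load balanced. At the MSFC the destination is still the VIP,
! so the ACL must match the VIP; the real server address is only chosen later by the CSM.
ip access-list extended BLOCK-VIA-VIP
 deny   tcp any host 192.0.2.10 eq 8080
 permit ip any any

! Case 2: direct access to the real server, bypassing the VIP. Here the MSFC does see
! the real address, so matching it on the client VLAN SVI works as Giuseppe and Jon describe.
ip access-list extended BLOCK-DIRECT-REAL
 deny   tcp any host 192.0.2.21 eq 8080
 permit ip any any

! Applied outbound on the client VLAN SVI, i.e. on traffic leaving the MSFC towards the CSM.
! Both lists could be merged into one; they are kept separate to show which destination
! is visible at this point in the path.
interface Vlan10
 description client VLAN towards CSM (VL_C)
 ip access-group BLOCK-DIRECT-REAL out
```

Verify with `show ip access-lists` after sending a test connection, and check that the deny counters increment for the direct-to-real case but not for traffic addressed to the VIP.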
