Server Load-balancing and ACL router decision

Unanswered Question
Nov 12th, 2008


My 2 server farm distribution switches are running in "hybrid" mode, with CAT OS on the switch and IOS on the MSFC.

My server team is asking to block traffic to a specific server that is load balanced using Cisco's CSM load-balancer which is also installed in the chassis.

The question that I have is this.

Does anyone know in what order the MSFC will inspect and apply the ACL and when will the CSM make the load balancing decision?

The reason I need to know this is that the CSM is set up in bridged mode, where traffic to the server comes into the MSFC with a destination IP of a VIP which resides on the CSM. Subsequently, the CSM forwards the traffic to one of the real servers in the load-balanced server farm after it makes its load-balancing decision. Which occurs first??

Does anyone have any info on what occurs first and so forth??

Is there a link to Cisco's website that explains this process??

Thanks in advance for your help.


bhedlund Wed, 11/12/2008 - 18:46


It sounds as if your setup is like this:

Client VLAN----MSFC----VLAN A----CSM----Server VLAN

With VLAN A and Server VLAN being the same IP subnet.

In this case all client traffic reaching the VIPs on the CSM first traverses the MSFC. So, if you want to block traffic to a specific VIP or Server IP, you can do that on the MSFC's interface for the Client VLAN. You could configure an access list that filters inbound traffic on that VLAN interface.

Make sense?


amaiale Thu, 11/13/2008 - 14:17


Thank you for your reply.

What you are saying makes sense if I apply the ACL inbound to the client side interface on the MSFC using the VIP IP address as the destination.

Alternatively, if I apply the ACL outbound to the server side interface, the CSM will have already made a load balancing decision and I will need to use the server IP address in the destination.

Does this sound right??

Thanks again,


bhedlund Thu, 11/13/2008 - 18:40


No, actually. That doesn't sound right.

In my example above, if you applied an outbound ACL on the MSFC interface VLAN A, that would work as well, because the CSM would never see that traffic. The CSM in this case will only see traffic that is passed to it from the MSFC on VLAN A.

Make sense?
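
A small model of the packet path described in this thread (Client VLAN, MSFC, VLAN A, CSM, Server VLAN), added here as an illustration and not posted by either participant. It shows what destination address each MSFC ACL point evaluates before the CSM makes its decision. The addresses, the function names and the source-based server selection are assumptions, as is the CSM rewriting the VIP destination to the chosen real server.

```python
import ipaddress
from dataclasses import dataclass, replace

# Constructed addresses (documentation ranges); none come from the thread.
VIP = "192.0.2.10"
REALS = ["192.0.2.21", "192.0.2.22"]

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str

def acl_permits(acl, pkt):
    """First-match on destination, with the implicit deny that ends an IOS ACL."""
    for action, dst_net in acl:
        if ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(dst_net):
            return action == "permit"
    return False

def csm_balance(pkt):
    """CSM step: a packet for the VIP is rewritten to one real server.
    Selection by source address is an assumption made for the model."""
    if pkt.dst != VIP:
        return pkt  # not for the VIP: bridged through unchanged
    real = REALS[int(ipaddress.ip_address(pkt.src)) % len(REALS)]
    return replace(pkt, dst=real)

def forward(pkt, client_in=None, vlan_a_out=None):
    """Client VLAN -> MSFC -> VLAN A -> CSM -> Server VLAN.
    Returns (delivered destination or None, drop point or None)."""
    if client_in is not None and not acl_permits(client_in, pkt):
        return None, "MSFC Client VLAN inbound"
    if vlan_a_out is not None and not acl_permits(vlan_a_out, pkt):
        return None, "MSFC VLAN A outbound"
    return csm_balance(pkt).dst, None  # CSM decides only after both ACL points

BLOCK_VIP = [("deny", VIP + "/32"), ("permit", "0.0.0.0/0")]
BLOCK_REAL = [("deny", REALS[0] + "/32"), ("permit", "0.0.0.0/0")]

if __name__ == "__main__":
    to_vip = Packet("198.51.100.6", VIP)
    print(forward(to_vip, client_in=BLOCK_VIP))    # dropped inbound on Client VLAN
    print(forward(to_vip, vlan_a_out=BLOCK_VIP))   # dropped outbound on VLAN A
    print(forward(to_vip, vlan_a_out=BLOCK_REAL))  # passes, CSM still picks a real
```

In this model an entry written against a real server's address only matches packets sent directly to that address; load-balanced traffic still carries the VIP as its destination at both MSFC ACL points.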


