cisco CSM balancing

danilodicesare, Level 1

Hi all,

I've got two questions about the CSM:

1. I've got this config:

real foo
  address 1.1.1.5
  inservice
real bar
  address 1.1.1.6
  inservice
real foo1
  address 1.1.1.7
  inservice
!
serverfarm S_foo
  nat server
  no nat client
  real foo 53
   inservice
  real bar 53
   inservice
  real foo1 53
   inservice
!
serverfarm ROUTE
  no nat server
  no nat client
  predictor forward
!
vserver V_route
  virtual 1.1.1.0 255.255.255.0 any
  serverfarm ROUTE
  persistent rebalance
  inservice
!
vserver V_foo
  virtual 1.1.1.1 udp dns
  serverfarm S_foo
  idle 4
  persistent rebalance
  inservice
!
vserver V_bar
  virtual 1.1.1.2 udp dns
  serverfarm S_foo
  idle 4
  persistent rebalance
  inservice

Do you see any issue in having a serverfarm and vserver for forwarding the real addresses and having some VIPs for load balancing with a different subnet?

What is the order of hit for the CSM? I need to reach the real IPs and also to load balance... do you think I'll have some problem? Do you think it would be better to have a different subnet for the real IPs and the vservers?

2. Sometimes when I query the balanced DNS server (resolver) I can see (checking on a firewall between the CSM and the client; the inside interface is the CSM side, the outside the client side) some connections that seem to be generated from 1.1.1.1, 1.1.1.2... It is pretty strange, because all responses from the DNS should be in the conn table of the ASA and not generated from the DNS towards the client. On the firewall I can see an ACL (applied on the inside interface, CSM side) increasing hits (the ACL is permit 1.1.1.1-2 to any). My expectation was to see just the outside ACL increasing hits (client --> DNS through ASA and CSM).

Thanks for any response

Dan


busterswt, Level 1

On a CSS I would recommend implementing some sort of source group rule if your DNS servers are replying directly back to the client. I've never used a CSM, but I would imagine you would want to NAT the source address of the client so that your DNS servers will reply back through the CSM and then back out to the clients.

Consider this existing serverfarm:

serverfarm S_foo
  nat server
  no nat client
  real foo 53
   inservice
  real bar 53
   inservice
  real foo1 53
   inservice

You can create a NAT pool consisting of one or more IPs, and use that to NAT incoming client traffic:

natpool MY_POOL 1.1.1.254 1.1.1.254 netmask 255.255.255.0

serverfarm S_foo
  nat server
  nat client MY_POOL
  real foo 53
   inservice
  real bar 53
   inservice
  real foo1 53
   inservice

All incoming requests to your DNS servers would appear to come from 1.1.1.254, and the DNS servers would reply to that address. The CSM would then perform NAT to change 1.1.1.254 to the VIP that was originally requested, and the destination IP would be that of the client. On the ASA you would then only see DNS traffic to/from the VIP. 1.1.1.1 and 1.1.1.2 should not be seen unless they initiate outbound traffic.

Hope I'm even close to what you're asking for!

- James

Hi James,

Thanks, but I think that is not the answer... because I can reach the DNS server from the real IP address of the client (clients are on the internet). I do not need a source group or src NAT for the infrastructure to work properly.

I wonder whether a 'forward' serverfarm and a balanced serverfarm can work together without problems if I have the same subnet for both (as I said before, for the balancing SF I've got two /32 and for the forward serverfarm I've got a /24 on the same 1.1.1.0).

And why sometimes can I see traffic beginning from a server in subnet 1.1.1.0 BUT with the source being 1.1.1.1 and 1.1.1.2 (which are vserver IP addresses), port 53, towards the client on a random port? I can see that the traffic begins from there because it hits an ACL on a firewall on the inside interface; the inside interface faces the CSM and the outside interface faces the internet.

Thanks

Dan

Gilles Dufour, Cisco Employee

Dan,

1/ this is ok.  You can have multiple vip subnets.

CSM does a longest match - so first /32 and then /24.

2/ You should configure a very low idle timeout - 4sec.

Because currently, the CSM will setup flows and keep them for one hour.

Since this is UDP, the connections will stay there, and if the server sends a UDP packet which matches an existing connection, the CSM will assume it belongs to the old connection and send everything to the firewall doing NAT with the virtual IP.

Gilles.
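The two points in this answer, longest-match vserver selection and stale UDP flows being source-NATed to the VIP, as an added model written for this page (it is not CSM code, and the client address 203.0.113.10, the 300-second gap and the flow-table layout are constructed for illustration):

```python
import ipaddress
# Constructed model of the three vservers from the thread (not CSM code):
# (VIP prefix, matched service or None for "any", serverfarm)
VSERVERS = [
    ("1.1.1.0/24", None, "ROUTE"),          # V_route: predictor forward, no NAT
    ("1.1.1.1/32", ("udp", 53), "S_foo"),   # V_foo
    ("1.1.1.2/32", ("udp", 53), "S_foo"),   # V_bar
]

def select_vserver(dst_ip, proto, dport):
    """Pick the serverfarm by longest prefix match on the destination (/32 before /24)."""
    best = None
    for prefix, svc, farm in VSERVERS:
        net = ipaddress.ip_network(prefix)
        if ipaddress.ip_address(dst_ip) not in net:
            continue
        if svc is not None and svc != (proto, dport):
            continue
        if best is None or net.prefixlen > best[0].prefixlen:
            best = (net, farm)
    return best[1] if best else None

class UdpFlowTable:
    """UDP flows keyed by (client, client_port, vip, 53), expired after `idle` seconds."""
    def __init__(self, idle):
        self.idle = idle
        self.flows = {}   # key -> (real_ip, last_seen)

    def client_request(self, now, client, cport, vip, real):
        # A client query to the VIP creates a flow pinned to the chosen real server.
        self.flows[(client, cport, vip, 53)] = (real, now)

    def server_packet(self, now, real, client, cport):
        """Source IP the firewall sees for a UDP packet the real server sends on its own.
        A still-live flow makes the CSM treat it as a reply and source-NAT it to the VIP;
        otherwise it is forwarded via V_route untouched, with the real IP as source."""
        for key, (r, seen) in list(self.flows.items()):
            if now - seen > self.idle:
                del self.flows[key]          # idle timeout expired
            elif (key[0], key[1], r) == (client, cport, real):
                return key[2]                # matched old flow: NATed to the VIP
        return real

def observed_source(idle_seconds):
    """Client 203.0.113.10 queries VIP 1.1.1.1 at t=0; real 1.1.1.5 sends an
    unsolicited packet to the same client/port 300 s later (constructed scenario)."""
    table = UdpFlowTable(idle_seconds)
    table.client_request(0, "203.0.113.10", 40000, "1.1.1.1", "1.1.1.5")
    return table.server_packet(300, "1.1.1.5", "203.0.113.10", 40000)
```

With the one-hour default the firewall's inside ACL sees the packet sourced from 1.1.1.1, which matches the hits Dan describes; with idle 4 the flow has expired and the packet leaves with the real server's own address.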

Merci Gilles.

Observe

Dan
