CISCO CSM- IP transparency

Answered Question
Apr 9th, 2010

Hi,

I work for a software development company. Our application clients (typically different TCP/IP devices) connect to the server over a custom port (44XX).

Now we want to support server farms, load balancing using CISCO CSM to fulfill a customer need.

Our application requires knowing the IP address of the connecting client. If a load balancer is in between client and server, when a client connects to our server port, do we (the server) see the IP address of the load balancer or the IP address of the client when opening the socket or sending the data?

If the server sees the load balancer IP, is there anything we can configure in the load balancer so that the server/port sees the IP address of the client instead of the load balancer IP?

Thanks for your help.

Correct Answer by Pablo about 6 years 7 months ago

Hi,

All depends on your logical/physical topology between your 6500/CSM/Servers.

If the CSM is configured in bridging mode, meaning that your servers are on an L2 VLAN on the MSFC and pointing their default gateway to the CSM, then you won't require source NAT in your setup. In this case the backend servers will be able to see/log the real IP address of your clients, as the CSM does not modify anything at L3.

On the other hand, if you have a "routed" mode where your servers are sitting on an L3 VLAN on the MSFC and their default gateway usually points to the SVI they belong to, then most likely you'll face asymmetric routing issues where the response from a load-balanced connection will bypass the CSM, as the servers are able to respond to the client directly. In this case you do implement source NAT on your SF's, which will overwrite the source IP address of the client with the IP address that you configure on the Natpool in question.

In the second case, for HTTP traffic you can always perform the header-insert function on the CSM so that the real IP address of the client will be appended to a new HTTP header. The configuration will look like this:


map HEADER-INSERT header
  insert protocol http header X-Forwarder-For header-value %is

policy INSERT
  header-map HEADER-INSERT
  serverfarm WEBFARM

vserver Webfarm
  virtual 10.44.60.160 any
  slb-policy INSERT <--- Policy
  advertise
  persistent rebalance
  inservice

You will see the following in the HTTP header:

Hypertext Transfer Protocol
    GET / HTTP/1.1\r\n
        Request Method: GET
        Request URI: /
        Request Version: HTTP/1.1
           X-Forwarder-For: 161.44.77.112\r\n

Hope this helps.
__ __
Pablo
Cisco TAC
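
An added example (not part of the original thread and not Cisco code) of how a backend can consume the inserted header in the routed/source-NAT case: the header is honoured only when the TCP peer is the CSM's NAT address, and a request carrying more than one copy is flagged rather than trusted. The NAT pool range, function names and sample request are assumptions constructed for illustration; the header name is the one from the configuration above.

```python
import ipaddress

# Assumption: source addresses the CSM uses toward the serverfarm (the
# "Natpool"). Constructed placeholder range, not taken from the page.
TRUSTED_NAT_POOL = [ipaddress.ip_network("192.0.2.16/28")]
CLIENT_IP_HEADER = "x-forwarder-for"   # name used in the header map above

def parse_headers(raw_request: bytes) -> list[tuple[str, str]]:
    """Return (lower-cased name, value) pairs from a raw HTTP request head."""
    head = raw_request.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    pairs = []
    for line in head.split("\r\n")[1:]:            # skip the request line
        name, sep, value = line.partition(":")
        if sep:
            pairs.append((name.strip().lower(), value.strip()))
    return pairs

def effective_client_ip(peer_ip: str, raw_request: bytes) -> tuple[str, str]:
    """Return (address, source); source is 'socket', 'header' or 'ambiguous'."""
    peer = ipaddress.ip_address(peer_ip)
    if not any(peer in net for net in TRUSTED_NAT_POOL):
        # Bridged mode or a direct connection: the socket peer is the client,
        # and any header it sent is client-controlled, so it is ignored.
        return str(peer), "socket"
    values = [v for n, v in parse_headers(raw_request) if n == CLIENT_IP_HEADER]
    if not values:
        return str(peer), "socket"                 # insert not applied
    if len(values) > 1 or "," in values[0]:
        # More than one value means the client supplied its own copy;
        # log the NAT address and flag it instead of guessing which is real.
        return str(peer), "ambiguous"
    try:
        return str(ipaddress.ip_address(values[0])), "header"
    except ValueError:
        return str(peer), "ambiguous"              # not an IP address at all

# Constructed sample: a request as the server sees it after header insertion.
SAMPLE = (b"GET / HTTP/1.1\r\nHost: example.test\r\n"
          b"X-Forwarder-For: 161.44.77.112\r\n\r\n")

if __name__ == "__main__":
    print(effective_client_ip("192.0.2.17", SAMPLE))    # peer is in the NAT pool
    print(effective_client_ip("203.0.113.9", SAMPLE))   # peer is not the CSM
```

This only applies to HTTP traffic passing through the header insert; for other TCP services behind source NAT the socket peer remains the NAT pool address.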

Pablo Fri, 04/09/2010 - 11:27
