IP Spoofing with CSS or CSM module and Cache

Unanswered Question
Gilles Dufour Sun, 07/20/2003 - 01:42

I did it with a CSS.

So it is feasible.


client --- router1 --- CSS---- Router2 -- Internet
                        |
                      cache


Since you want to do IP spoofing on the cache, you need the clients to be 1 hop away from the CSS (so router1) and you need traffic from cache to internet to use another router (so router2).

This is required so the CSS knows what to do with the response from the server to the client ip address.

(one time sent to cache and one time sent to client).


On the CSS you need the following static routes

ip route
ip route
ip route 0.0.0.0 0.0.0.0


Then create the service :

service cache
  ip address x.x.x.x
  type transparent-cache
  active


Then the rule

owner mycompany
  content cache
    proto tcp
    port 80
    add service cache
    active


Finally, you need an acl to avoid redirecting traffic from the cache


acl 1
  clause 20 bypass any any destination any
  apply circuit(VLAN)

acl 2
  clause 80 permit any any destination any
  apply circuit(VLAN)




With a CSM, it should be possible as well, with fewer restrictions.

          +-------------+
client ---|-MSFC----csm-|--vlan- internet
          +-----------|-+
                      |<-----Vlan
                    cache


mod csm
 vlan client
 vlan server
  gateway x.x.x.x
 vlan server
 serverfarm cache
  no nat client
  no nat server
  real x.x.x.x
   inservice
 !
 serverfarm route
  no nat client
  no nat server
  predictor forward
 !
 vserver tocache
  virtual 0.0.0.0 /0 tcp 80
  vlan x
  vlan y
  serverfarm cache
  inservice
 vserver fromcache
  virtual 0.0.0.0 /0 any
  serverfarm route
  vlan
  inservice
 !


Regards,


Gilles.

Hello, Gilles:


Thank you for all your information.

Is it possible with this scheme?


client ---- router ------ Internet
               |
          CSS (or CSM)
            |      |
        cache1  cache2


The router will have two VLANs toward the CSS (one for return Internet traffic from the cache, and the other for redirection of the packets from the client).

I need the CSS to balance across both caches (with IP spoofing applied between them).


Thank you.


Guillermo.

Gilles Dufour Mon, 07/21/2003 - 05:15

Guillermo,


The problem with IP spoofing is that the cache will use the IP address of the client as source.

So, the server response will go back to the client IP address.

When the response gets to the router, it will see that it is directly connected to the client and will forward the response there, bypassing the cache/CSS, and the client will not accept or understand this response.


You could use policy routing to redirect the HTTP response to the CSS (on another VLAN, otherwise it will still not work) but be careful about the performance of the box when using policy routing.

It's much better to have 2 routers.


Gilles.

Sorry, the scheme is:



client ---- router ------ Internet
               |
          CSS (or CSM)
            |      |
        cache1  cache2


And:


Client------- Router------CSS------Router------Internet
                           |
                         cache


Can IP spoofing be applied here?


Thank you.


Guillermo.

Hello:


With a CSM module in a Catalyst 6500 and a Cache 7320 (transparent mode), how do I enable and configure IP spoofing on both?

I only know the command "wccp spoof-client-ip enable" for the cache; but what configuration has to be done on the Catalyst?


Client----Router------CSM--------Router-------Internet
                       |
                     cache



Client-------Router------------Internet
                |
               CSM
                |
              cache


Thank you


Guillermo.

Gilles Dufour Tue, 07/22/2003 - 07:51

You enable IP spoofing on the cache with the command you gave: "wccp spoof-client-ip enable"

It works even if you don't use wccp.


On the CSS, you define the cache as a service with 'type transparent-cache'.


If using a CSM, you define a serverfarm with 'no nat client' and 'no nat server'


Once again, I think in terms of design you need 2 separate routers.


Gilles.

Gilles Dufour Wed, 07/23/2003 - 01:15

do not configure WCCP.

It is not required.

Just use the command 'wccp spoof-client-ip' on the cache.


Gilles.

With the Catalyst 6500 with CSM module, do I need two routers (1 client and 1 Internet), or is another scheme possible?

On the Catalyst, do I not have to configure the ACL and static routes, or do I have to configure the same as on the CSS?

How do I configure it if I have two or more caches and need to balance between them?



Guillermo.

Gilles Dufour Wed, 07/23/2003 - 05:15

With a cat6500, a CSM and an MSFC, it is possible to do this.

         +----------------+
client --| MSFC --- CSM --|----- Internet
         +-----------|----+
                     |
                   Cache


on MSFC
-------
vlan 10 --> client
vlan 20 --> msfc/csm

On CSM
-------
vlan 20
vlan 30 -> internet
vlan 40 -> Cache


The config of the CSM should be

mod csm slot
 vlan 20 client
  ip x.x.x.x
  route ....
 vlan 30 server
  ip x.x.x.x
  gateway ....
 vlan 40 server
  ip x.x.x.x
 !
 serverfarm Caches
  no nat client
  no nat server
  real x.x.x.x
   inservice
  real x.x.x.x
   inservice
 !
 serverfarm route
  no nat client
  no nat server
  predictor forward
 !
 vserver bypass
  virtual 0.0.0.0/0
  vlan 20
  serverfarm route
  inservice
 !
 vserver cacheme
  virtual 0.0.0.0 /0 tcp 80
  vlan 20
  serverfarm Caches
  inservice
 !
 vserver response
  virtual 0.0.0.0/0
  vlan 30
  serverfarm Caches
  inservice
 !
 vserver fromcache
  virtual 0.0.0.0/0
  vlan 40
  serverfarm route
  inservice
 !


Something like this should work.


Gilles.
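
Added example, not part of the original thread and not Cisco tooling: a small Python check of a CSM-style config for two conditions taken from the posts above, namely that every serverfarm carries 'no nat client' and 'no nat server', and that traffic arriving on the cache VLAN goes to a 'predictor forward' serverfarm rather than back to the caches. The function names, the sample config and the VLAN number passed in are constructed for illustration; blocks are assumed to be separated by "!" or by a new vserver line.

```python
import re
# Constructed sample mirroring the CSM layout in the post above (addresses elided).
SAMPLE = """
serverfarm Caches
 no nat client
 no nat server
!
serverfarm route
 no nat client
 no nat server
 predictor forward
!
vserver cacheme
 virtual 0.0.0.0 /0 tcp 80
 vlan 20
 serverfarm Caches
!
vserver fromcache
 vlan 40
 serverfarm route
"""

def parse(text):
    """Split the config into {(kind, name): [body lines]}."""
    blocks, cur = {}, None
    for line in (l.strip() for l in text.splitlines()):
        m = re.fullmatch(r"(serverfarm|vserver)\s+(\S+)", line)
        if line in ("", "!"):
            cur = None                      # separator ends the current block
        elif m and not (cur and cur[0] == "vserver" and m.group(1) == "serverfarm"):
            cur = m.groups()                # new definition, not a reference inside a vserver
            blocks[cur] = []
        elif cur:
            blocks[cur].append(line)
    return blocks

def audit(text, cache_vlan):
    """Return findings that would break client-IP preservation or loop cache traffic."""
    blocks = parse(text)
    farms = {n: b for (k, n), b in blocks.items() if k == "serverfarm"}
    findings = [f"serverfarm {n}: missing '{need}'" for n, b in farms.items()
                for need in ("no nat client", "no nat server") if need not in b]
    for name, body in ((n, b) for (k, n), b in blocks.items() if k == "vserver"):
        farm = next((l.split()[1] for l in body if l.startswith("serverfarm ")), None)
        if farm not in farms:
            findings.append(f"vserver {name}: serverfarm {farm} not defined")
        elif f"vlan {cache_vlan}" in body and "predictor forward" not in farms[farm]:
            findings.append(f"vserver {name}: cache VLAN traffic is not forwarded")
    return findings
```

Calling audit(SAMPLE, 40) returns an empty list; each finding names the serverfarm or vserver to correct.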

Gilles.


Thank you for all the information, it was very good. I tested it and solved the problem, but now I need to connect two or more caches to one CSS, and I can't get it working correctly.

How do I redirect the traffic from the Internet to the cache that made the request, and not the other cache?

I use a static route with one cache, OK (for example, the config you sent); but with more caches, how? (in one CSS).


Guillermo.
