IP Spoofing with CSS or CSM module and Cache

pbadorrey
Level 1

Hello:

I need to configure IP spoofing, and my configuration scheme is:

Transparent mode with CSS (or Switch Catalyst 6500 w/CSM module) and one Cache 7320.

Is there some way to do it, and how?

Thank you.

Guillermo


Gilles Dufour
Cisco Employee

I did it with a CSS.

So it is feasible.

    client --- router1 --- CSS---- Router2 -- Internet
                            |
                          cache

Since you want to do IP spoofing on the cache, you need the clients to be 1 hop away from the CSS (so router1) and you need traffic from cache to internet to use another router (so router2).

This is required so the CSS knows what to do with the response from the server to the client ip address.

(one time sent to cache and one time sent to client).

On the CSS you need the following static routes

    ip route
    ip route
    ip route 0.0.0.0 0.0.0.0

Then create the service :

    service cache
     ip address x.x.x.x
     type transparent-cache
     active

Then the rule

    owner mycompany
     content cache
      proto tcp
      port 80
      add service cache
      active

Finally, you need an acl to avoid redirecting traffic from the cache

    acl 1
     clause 20 bypass any any destination any
     apply circuit(VLAN)
    acl 2
     clause 80 permit any any destination any
     apply circuit(VLAN)

With a CSM, it should be possible as well with less restrictions

              +-------------+
    client ---|-MSFC----csm-|--vlan- internet
              +-----------|-+
                          |<-----Vlan
                        cache

    mod csm
     vlan client
     vlan server
      gateway x.x.x.x
     vlan server
     serverfarm cache
      no nat client
      no nat server
      real x.x.x.x
       inservice
    !
     serverfarm route
      no nat client
      no nat server
      predictor forward
    !
     vserver tocache
      virtual 0.0.0.0 /0 tcp 80
      vlan x
      vlan y
      serverfarm cache
      inservice
     vserver fromcache
      virtual 0.0.0.0 /0 any
      serverfarm route
      vlan
      inservice
    !

Regards,

Gilles.

Hello, Gilles:

Thank you, for all your information.

Is it possible with this scheme?

client ---- router ------ Internet

|

CSS (or CSM)

| |

cache1 cache2

The router will have two VLANs against the CSS (one for Internet return from the cache, and the other for redirection of the packets from the client).

I need the CSS to balance between the two caches (with IP spoofing applied between them).

Thank you.

Guillermo.

Guillermo,

the problem with ip spoofing is that the Cache will use the ip address of the client as source.

So, the server response will go back to the client ip address.

When the response gets to the router, it will see that it is directly connected to the client and will forward the response there, bypassing the cache/CSS, and the client will not accept or understand this response.

You could use policy routing to redirect the http response to the CSS (on another vlan, otherwise it will still not work) but be careful about the performance of the box when using policy routing.

It's much better to have 2 routers.

Gilles.
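The return-path problem described in the reply above, modelled as an added example that is not part of the original thread: the server answers to the spoofed client address, so whether the cache ever sees that answer depends only on which device owns the route to the client subnet. Node names follow the diagrams in the thread; the addresses, the table layout and the function names are assumptions made for the illustration.

```python
import ipaddress

CLIENT_NET = ipaddress.ip_network("10.1.1.0/24")   # constructed client subnet
CLIENT_IP = ipaddress.ip_address("10.1.1.10")      # constructed client address

# Entry format: (ingress neighbour, or None for any; destination prefix; next hop).
TWO_ROUTERS = {
    "router2": [(None, CLIENT_NET, "CSS")],       # only way back to the client is via the CSS
    "CSS": [("router2", CLIENT_NET, "cache"),     # first pass: server response goes to the cache
            ("cache", CLIENT_NET, "router1")],    # second pass: cache's reply goes to the client
    "cache": [(None, CLIENT_NET, "CSS")],         # cache relays the object (modelled as one hop)
    "router1": [(None, CLIENT_NET, "client")],
}
ONE_ROUTER = {
    "router": [(None, CLIENT_NET, "client")],     # client subnet is directly connected
    "CSS": [("router", CLIENT_NET, "cache"), ("cache", CLIENT_NET, "router")],
    "cache": [(None, CLIENT_NET, "CSS")],
}

def next_hop(table, ingress, dst):
    """Longest-prefix match; an entry bound to the ingress beats an 'any' entry."""
    candidates = [(net.prefixlen, ing is not None, hop)
                  for ing, net, hop in table
                  if dst in net and ing in (None, ingress)]
    return max(candidates)[2] if candidates else None

def trace_response(topology, first_node, dst=CLIENT_IP, max_hops=10):
    """Follow a server response addressed to the spoofed client IP, hop by hop."""
    path, ingress, node = [first_node], "internet", first_node
    while node in topology and len(path) <= max_hops:
        hop = next_hop(topology[node], ingress, dst)
        if hop is None:
            break
        path.append(hop)
        ingress, node = node, hop
    return path

def cache_sees_response(topology, first_node):
    return "cache" in trace_response(topology, first_node)

if __name__ == "__main__":
    print("two routers:", " -> ".join(trace_response(TWO_ROUTERS, "router2")))
    print("one router: ", " -> ".join(trace_response(ONE_ROUTER, "router")))
```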

Sorry, the scheme is:

client ---- router ------ Internet

.................. |

................ CSS (or CSM)

................ |.......... |

............ cache1.. cache2

And:

Client------- Router------CSS------Router------Internet

.........................................|

.....................................cache

Can IP spoofing be applied here?

Thank you.

Guillermo.

Hello:

With a CSM module in a Catalyst 6500 and a Cache 7320 (transparent mode), how do I enable and configure IP spoofing on both?

I only know the command "wccp spoof-client-ip enable", for the cache; but what configuration do I have to do on the Catalyst?

Client----Router------CSM--------Router-------Internet

.......................................|

..................................cache

Client-------Router------------Internet

.........................|

......................CSM

.........................|

.....................cache

Thank you

Guillermo.

You enable IP spoofing on the cache with the command you gave: "wccp spoof-client-ip enable"

It works even if you don't use wccp.

On the CSS, you define the cache as a service with 'type transparent-cache'.

If using a CSM, you define a serverfarm with 'no nat client' and 'no nat server'

Once again, I think in terms of design you need 2 separate routers.

Gilles.

I don't understand whether I need to configure WCCP on any of the routers, or whether configuring WCCP SPOOF-CLIENT-IP ENABLE on the cache alone is enough.

Thank you very much for your help.

Guillermo

Do not configure WCCP.

It is not required.

Just use the command 'wccp spoof-client-ip' on the cache.

Gilles.

With the Catalyst 6500 w/CSM module, do I need two routers (1 client and 1 Internet), or is another scheme possible?

On the Catalyst, do I not have to configure the ACL and static routes, or do I have to configure the same as on the CSS?

How do I configure it if I have two or more caches and need to balance between them?

Guillermo.

With a cat6500, a CSM and an MSFC, it is possible to do this.

             +----------------+
    client --| MSFC --- CSM --|----- Internet
             +-----------|----+
                         |
                       Cache

    on MSFC
    -------
    vlan 10 --> client
    vlan 20 --> msfc/csm

    On CSM
    -------
    vlan 20
    vlan 30 -> internet
    vlan 40 -> Cache

The config of the CSM should be

    mod csm slot
     vlan 20 client
      ip x.x.x.x
      route ....
     vlan 30 server
      ip x.x.x.x
      gateway ....
     vlan 40 server
      ip x.x.x.x
    !
     serverfarm Caches
      no nat client
      no nat server
      real x.x.x.x
       inservice
      real x.x.x.x
       inservice
    !
     serverfarm route
      no nat client
      no nat server
      predictor forward
    !
     vserver bypass
      virtual 0.0.0.0/0
      vlan 20
      serverfarm route
      inservice
    !
     vserver cacheme
      virtual 0.0.0.0 /0 tcp 80
      vlan 20
      serverfarm Caches
      inservice
    !
     vserver response
      virtual 0.0.0.0/0
      vlan 30
      serverfarm Caches
      inservice
    !
     vserver fromcache
      virtual 0.0.0.0/0
      vlan 40
      serverfarm route
      inservice
    !

Something like this should work.

Gilles.

Gilles.

Thank you for all the information, it was very good. I tried it and solved the problem, but now I need to connect two or more caches to one CSS, and I cannot get it to work correctly.

How do I redirect the traffic from the Internet to the cache that made the request, and not to the other cache?

I use a static route with one cache, OK (for example, the config you sent); but with more caches, how? (on one CSS).

Guillermo.
