Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

MSFC ACL filtering and CSM load-balancing

Hello,

My 2 server farm distribution switches are running in "hybrid" mode, with CAT OS on the switch and IOS on the MSFC.

My server team is asking to block traffic to a specific server that is load balanced using Cisco's CSM load-balancer which is also installed in the chassis.

The question that I have is this.

Does anyone know in what order the MSFC will inspect and apply the ACL and when will the CSM make the load balancing decision?

The reason I need to know this is that the CSM is setup in bridged mode, where traffic to the server comes into the MSFC with a destination IP of a VIP which resides on the CSM. Subsequently, the CSM forwards the traffic to the one of the real servers in the load-balanced server farm after it makes its load-balancing decision. Which ocurrs first??

Does anyone have any info on what ocurrs first and so forth??

Is there a link to Cisco's website that explains this process??

Thanks in advance for your help.

Tony

5 REPLIES
Hall of Fame Super Silver

Re: MSFC ACL filtering and CSM load-balancing

Hello Tony,

usually we use a different method to avoid the CSM to send traffic to a specific real server:

we go under the serverfarm config and we put it in out of service so that the load balancer will not use it.

Actually the MSFC cannot filter traffic to the real server because from its point of view traffic is directed to the Virtual server IP and has no knowledge of what real the traffic will be sent to.

I see that the request can be to block traffic directed to the real ip address.

You can do it on the MSFC.

the scenario should be:

users --- supervisor --- MSFC VL_C-- CSM -VL_S-- real servers

I see this in c6500 native IOS but I think is valid also for hybrid.

so if you put an ACL on the MSFC for the so called client Vlan SVI VL_C outgoing that denies traffic to the specific real server you should achieve the desired result

Hope to help

Giuseppe

Hall of Fame Super Blue

Re: MSFC ACL filtering and CSM load-balancing

Giuseppe

You've confused me now :-)

"Actually the MSFC cannot filter traffic to the real server because from its point of view traffic is directed to the Virtual server IP and has no knowledge of what real the traffic will be sent to."

I agree totally with what you wrote here. But you then go on to give an example where you could filter it by using an ACL outbound on the client vlan. But the destination would be the VIP not the real address. It only becomes the real address after it has gone through the CSM.

I agree the easiest way is to take the server out of service under the serverfarm if that's possible but Tony may want to just block only certain traffic to that server.

Jon

Hall of Fame Super Silver

Re: MSFC ACL filtering and CSM load-balancing

Hello Jon,

sorry I changed mind during the post writing ...

at first I was thinking of putting out of service the real server.

Then I realized that I can reach a real server from outside if I point directly to its ip address.

We do this to verify they are reachable.

Actually in our case the picture is even more complex because there is also the FWSM in the middle.

So for us it is:

users --- supervisor --- MSFC - FWSM --VL_C --- CSM --- VL_S --- real servers

I could add we have started to put ACE blades instead of CSM but I stop here.

>> Tony may want to just block only certain traffic to that server

This is the point probably server people wants to hide this real from direct access because it can make this server more loaded then the others for example.

Hope to help

Giuseppe

Hall of Fame Super Blue

Re: MSFC ACL filtering and CSM load-balancing

That makes more sense now.

Yes, if the aim is to restrict access to the real server and only allow it via the VIP then an ACL on the MSFC client vlan interfaces would do the trick.

Jon

New Member

Re: MSFC ACL filtering and CSM load-balancing

Giuseppe & Jon,

Thank you for your replies and for the info too.

I was looking to block only certain tcp port numbers to protect the servers from a problem/bug. I still want to be able to reach the real servers directly or outside of the VIP.

Basically, what you are saying makes sense if I apply the ACL inbound to the client side interface on the MSFC using the VIP IP address as the destination.

Alternatively, if I apply the ACL outbound to the server side interface, the CSM will have already made a load balancing decision and I will need to use the server IP address in the destination.

Does this sound right??

Thanks again,

Tony

187
Views
0
Helpful
5
Replies
CreatePlease login to create content