Catalyst 6500 Series Content Switching Module Configuration Note
OL-4612-01
Chapter 11 Configuring Firewall Load Balancing
Configuring Reverse-Sticky for Firewalls
To configure IP reverse-sticky for firewall load balancing, perform this task:

Step 1
Command: SLB-Switch(config)# module csm slot
Purpose: Associates load-balancing commands to a specific CSM module and enters the CSM module configuration submode for the specified slot.

Step 2
Command: SLB-Switch(config-module-csm)# vserver virtserver-name
Purpose: Identifies a virtual server and enters the virtual server configuration submode.

Step 3
Command: SLB-Switch(config-slb-vserver)# sticky duration [group group-id] [netmask ip-netmask] [source | destination | both]
Purpose: Defines the portion of the IP information (source, destination, or both) that is used for the sticky entry key.

Step 4
Command: SLB-Switch(config-slb-vserver)# reverse-sticky group-id
Purpose: Ensures that the CSM maintains connections in the opposite direction back to the original source.

Step 5
Command: SLB-Switch# show module csm slot sticky
Purpose: Displays the sticky database.

Configuring Stateful Firewall Connection Remapping
To configure the Firewall Reassignment feature, you must have an MSFC image from the Cisco IOS 12.1(19)E software release.
To configure firewall reassignment, follow these steps:
Step 1 In the serverfarm submode for firewalls, configure the action:
Cat6k-2(config)# serverfarm FW-FARM
Cat6k-2(config-slb-sfarm)# failaction reassign
Step 2 Assign a backup real server for each firewall, to be used if that firewall fails (probe or ARP), with these commands:
Cat6k-2(config)# serverfarm FW-FARM
Cat6k-2(config-slb-sfarm)# real 1.1.1.1
Cat6k-2(config-slb-module-real)# backup real 2.2.2.2
Cat6k-2(config-slb-module-real)# inservice
Cat6k-2(config-slb-sfarm)# real 2.2.2.2
Cat6k-2(config-slb-module-real)# backup real 3.3.3.3
Cat6k-2(config-slb-module-real)# inservice
Cat6k-2(config-slb-sfarm)# real 3.3.3.3
Cat6k-2(config-slb-module-real)# backup real 1.1.1.1
Cat6k-2(config-slb-module-real)# inservice
Step 3 Configure the ICMP probe (through firewall) for this serverfarm.
Step 4 Configure the ICMP probes for the CSMs outside and inside the firewall.
Make sure that the backup real server is configured in the same order in both CSMs.
The inservice standby option assigned to a real server specifies that this server receives connections only if they are destined or load-balanced to the failed primary server. If you configure the real server designated as real 2.2.2.2 with inservice standby, then all connections go to either of the real servers designated as real 1.1.1.1 or real 3.3.3.3. If real server 1.1.1.1 fails, the real server designated as real 2.2.2.2 becomes active in place of real server 1.1.1.1.
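The stateful firewall connection remapping steps require the backup real servers to be configured in the same order on both CSMs. The following Python script is an added example, not part of the Cisco configuration note: it parses the FW-FARM serverfarm stanza from two saved configurations and compares the backup assignments by position. The inside addresses (10.0.0.x), the function names, and the assumption that each CSM lists the same firewalls in the same sequence are illustrative.

```python
import re

# Constructed sample: the outside CSM stanza mirrors the Step 1 and Step 2 commands.
OUTSIDE = """\
serverfarm FW-FARM
 failaction reassign
 real 1.1.1.1
  backup real 2.2.2.2
  inservice
 real 2.2.2.2
  backup real 3.3.3.3
  inservice
 real 3.3.3.3
  backup real 1.1.1.1
  inservice
"""
# Assumption: the inside CSM reaches the same firewalls at constructed 10.0.0.x IPs.
INSIDE = (OUTSIDE.replace("1.1.1.1", "10.0.0.1")
          .replace("2.2.2.2", "10.0.0.2").replace("3.3.3.3", "10.0.0.3"))
# Constructed fault: the second firewall's backup points at the first firewall.
INSIDE_BAD = INSIDE.replace("backup real 10.0.0.3", "backup real 10.0.0.1")

def backup_ring(config, farm="FW-FARM"):
    """Return (reassign_enabled, [position of each real's backup, or None])."""
    reals, backups, reassign, in_farm = [], {}, False, False
    for line in map(str.strip, config.splitlines()):
        if line.startswith("serverfarm "):
            in_farm = line.split()[1] == farm
        elif in_farm and line == "failaction reassign":
            reassign = True
        elif in_farm and (m := re.match(r"real (\S+)", line)):
            reals.append(m[1])
        elif in_farm and reals and (m := re.match(r"backup real (\S+)", line)):
            backups[reals[-1]] = m[1]
    ring = [reals.index(backups[r]) if backups.get(r) in reals else None for r in reals]
    return reassign, ring

def audit(outside_cfg, inside_cfg, farm="FW-FARM"):
    """Return findings; an empty list means both CSMs remap identically."""
    findings, rings = [], {}
    for side, cfg in (("outside", outside_cfg), ("inside", inside_cfg)):
        reassign, rings[side] = backup_ring(cfg, farm)
        if not reassign:
            findings.append(f"{side}: failaction reassign is not set")
        findings += [f"{side}: real #{i} has no backup real in the farm"
                     for i, b in enumerate(rings[side], 1) if b is None]
    if rings["outside"] != rings["inside"]:
        findings.append(f"backup order differs: {rings}")
    return findings
```

Comparing by position rather than by address matters because the two CSMs may address the same firewall differently, so an IP-for-IP comparison would flag every line.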