Configuring Reverse-Sticky For Firewalls; Understanding Reverse-Sticky For Firewalls - Cisco catalyst 6500 series Configuration Note

Content switching module
Chapter 11 Configuring Firewall Load Balancing
Configuring Reverse-Sticky for Firewalls

Step 14
Command: Switch-B(config-module-csm)# vserver SEC-200-VS
Purpose: Specifies SEC-200-VS (6) as the virtual server that is being configured and enters virtual server configuration mode.

Step 15
Command: Switch-B(config-slb-vserver)# virtual 200.0.0.0 255.255.255.0 any
Purpose: Specifies the IP address, netmask, and protocol (any) (2) for this virtual server.

Step 16
Command: Switch-B(config-slb-vserver)# vlan 200
Purpose: Specifies that the virtual server will only accept traffic arriving on VLAN 200, which is traffic arriving from the internal network.

Step 17
Command: Switch-B(config-slb-vserver)# serverfarm SEC-SF
Purpose: Specifies the server farm for this virtual server. (5)

Step 18
Command: Switch-B(config-slb-vserver)# inservice
Purpose: Enables the virtual server.

1. GENERIC-VS allows traffic from the internal server farms and the internal network that is destined for the Internet to reach the secure side of the firewalls (through VLAN 101).
2. Clients reach the server farm represented by this virtual server through this address.
3. The server farm exists in the internal server farms network.
4. SEC-20-VS allows traffic from the Internet to reach the internal server farms (through VLAN 20).
5. The server farm contains firewalls rather than real servers.
6. SEC-200-VS allows traffic from the Internet to reach the internal network (through VLAN 20).

Configuring Reverse-Sticky for Firewalls

The reverse-sticky feature creates a database of load-balancing decisions based on the client's IP address. This feature overrides the load-balancing decision when a reverse-sticky entry is available in the database. If there is no reverse-sticky entry in the database, a load-balancing decision takes place, and the result is stored for future matching.

Understanding Reverse-Sticky for Firewalls

Reverse-sticky provides a way of inserting entries into a sticky database as if the connection came from the other direction. A virtual server with reverse-sticky places an entry into the specified database containing the inbound real server.

Note: The inbound real server must be a real server within a server farm.

This entry is matched by a sticky command on a different virtual server. The other virtual server sends traffic to the client, based on this pregenerated entry.

The CSM stores reverse-sticky information as links from a source IP key to a real server. When the load balancer gets a new session on a virtual server with an assigned sticky database, it first checks the database for an existing entry. If a matching entry is found, the session is connected to the specified real server. Otherwise, a new entry is created linking the sticky key with the appropriate real server.

Figure 11-8 shows how the reverse-sticky feature is used for firewalls.

Catalyst 6500 Series Content Switching Module Configuration Note OL-4612-01 11-24
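The following Python model is an added example, not code from the Cisco configuration note or from the CSM itself. It reproduces the sticky-database behaviour described above: a vserver configured with reverse-sticky writes the inbound real server (the firewall the packet arrived through) into a sticky group under the client's IP, and a second vserver configured with sticky on the same group finds that entry and uses it instead of its own load-balancing decision, so a new connection back toward the client leaves through the same firewall. The vserver names INBOUND-VS and OUTBOUND-VS, the farm names, the real-server names FW1/FW2 and all IP addresses are constructed; the round-robin fallback and the choice of source or destination address as the client key are modelling assumptions, not CSM configuration syntax.

```python
from dataclasses import dataclass
from itertools import cycle
from typing import Dict, Iterator, List, Optional


@dataclass
class Session:
    """A new connection as seen by the load balancer (constructed sample data)."""
    src: str
    dst: str
    inbound_real: Optional[str] = None  # real server (firewall) the packet arrived through


class ServerFarm:
    """Real servers plus the model's fallback predictor (plain round-robin, an assumption)."""

    def __init__(self, name: str, reals: List[str]) -> None:
        self.name = name
        self.reals = list(reals)
        self._rr: Iterator[str] = cycle(self.reals)

    def pick(self) -> str:
        return next(self._rr)


class StickyDatabase:
    """One sticky group: links a client IP key to a real server of one farm."""

    def __init__(self, farm: ServerFarm) -> None:
        self.farm = farm
        self.entries: Dict[str, str] = {}

    def lookup(self, key: str) -> Optional[str]:
        return self.entries.get(key)

    def insert(self, key: str, real: str) -> None:
        # Per the note above, the inbound real server must be a real server within a farm.
        if real not in self.farm.reals:
            raise ValueError(f"{real} is not a real server in server farm {self.farm.name}")
        self.entries.setdefault(key, real)  # model choice: the first link for a key is kept


class VirtualServer:
    """A vserver that may read a sticky group (sticky) or write one (reverse-sticky)."""

    def __init__(self, name: str, farm: ServerFarm, key: str,
                 sticky: Optional[StickyDatabase] = None,
                 reverse_sticky: Optional[StickyDatabase] = None) -> None:
        self.name = name
        self.farm = farm
        self.key = key  # "source" or "destination": which address is the client IP (assumption)
        self.sticky = sticky
        self.reverse_sticky = reverse_sticky

    def client_key(self, s: Session) -> str:
        return s.src if self.key == "source" else s.dst

    def balance(self, s: Session) -> str:
        """Return the real server chosen for a new session."""
        key = self.client_key(s)
        # 1. An existing sticky entry overrides the load-balancing decision.
        if self.sticky is not None:
            hit = self.sticky.lookup(key)
            if hit is not None:
                return hit
        # 2. Otherwise decide, and remember the result for future matching.
        real = self.farm.pick()
        if self.sticky is not None:
            self.sticky.insert(key, real)
        # 3. Reverse-sticky: link the client key to the real server the packet came in
        #    through, as if the connection had been made from the other direction.
        if self.reverse_sticky is not None and s.inbound_real is not None:
            self.reverse_sticky.insert(key, s.inbound_real)
        return real


def demo() -> Dict[str, object]:
    """Inbound traffic arrives through FW2; outbound traffic to that client follows it."""
    firewalls = ServerFarm("FW-SF", ["FW1", "FW2"])
    servers = ServerFarm("WEB-SF", ["10.20.0.5", "10.20.0.6"])
    fw_group = StickyDatabase(firewalls)  # sticky group shared by both vservers
    inbound = VirtualServer("INBOUND-VS", servers, "source", reverse_sticky=fw_group)
    outbound = VirtualServer("OUTBOUND-VS", firewalls, "destination", sticky=fw_group)

    web = inbound.balance(Session("198.51.100.7", "203.0.113.10", inbound_real="FW2"))
    back = outbound.balance(Session("10.20.0.5", "198.51.100.7"))  # reverse-sticky hit
    other = outbound.balance(Session("10.20.0.5", "198.51.100.9"))  # miss: decide and store
    other_again = outbound.balance(Session("10.20.0.6", "198.51.100.9"))  # stored decision reused
    return {"web": web, "back": back, "other": other,
            "other_again": other_again, "db": dict(fw_group.entries)}


def demo_without_reverse_sticky() -> str:
    """Same traffic with no sticky group: the return path is chosen independently."""
    firewalls = ServerFarm("FW-SF", ["FW1", "FW2"])
    inbound = VirtualServer("INBOUND-VS", ServerFarm("WEB-SF", ["10.20.0.5"]), "source")
    outbound = VirtualServer("OUTBOUND-VS", firewalls, "destination")
    inbound.balance(Session("198.51.100.7", "203.0.113.10", inbound_real="FW2"))
    return outbound.balance(Session("10.20.0.5", "198.51.100.7"))  # FW1, not FW2


if __name__ == "__main__":
    print(demo())
    print("without reverse-sticky:", demo_without_reverse_sticky())
```

Running the block shows the contrast that motivates the feature: with the shared sticky group the connection back to 198.51.100.7 is sent to FW2, the firewall that already holds state for that client, while without it the outbound vserver's own round-robin picks FW1 and the two directions of the flow cross different firewalls.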