Configuring Reverse-Sticky For Firewalls; Configuring Stateful Firewall Connection Remapping - Cisco catalyst 6500 series Configuration Note

Content switching module

Configuring Reverse-Sticky for Firewalls

To configure IP reverse-sticky for firewall load balancing, perform this task:

Step 1
Command: SLB-Switch(config)# module csm slot
Purpose: Associates load-balancing commands to a specific CSM module and enters the CSM module configuration submode for the specified slot.

Step 2
Command: SLB-Switch(config-module-csm)# vserver virtserver-name
Purpose: Identifies a virtual server and enters the virtual server configuration submode.

Step 3
Command: SLB-Switch(config-slb-vserver)# sticky duration [group group-id] [netmask ip-netmask] [source | destination | both]
Purpose: Defines the portion of the IP information (source, destination, or both) that is used for the sticky entry key.

Step 4
Command: SLB-Switch(config-slb-vserver)# reverse-sticky group-id
Purpose: Ensures that the CSM maintains connections in the opposite direction back to the original source.

Step 5
Command: SLB-Switch# show module csm slot sticky
Purpose: Displays the sticky database.

Configuring Stateful Firewall Connection Remapping

To configure the Firewall Reassignment feature, you must have an MSFC image from the Cisco IOS 12.1(19)E software release.

To configure firewall reassignment, follow these steps:

Step 1
In the serverfarm submode for firewalls, configure the action:
Cat6k-2(config)# serverfarm FW-FARM
Cat6k-2(config-slb-sfarm)# failaction reassign

Step 2
Assign a backup real server for each firewall, to be used if that firewall fails (probe or ARP), with these commands:
Cat6k-2(config-slb-sfarm)# serverfarm FW-FARM
Cat6k-2(config-slb-sfarm)# real 1.1.1.1
Cat6k(config-slb-module-real)# backup real 2.2.2.2
Cat6k(config-slb-module-real)# inservice
Cat6k-2(config-slb-sfarm)# real 2.2.2.2
Cat6k(config-slb-module-real)# backup real 3.3.3.3
Cat6k(config-slb-module-real)# inservice
Cat6k-2(config-slb-sfarm)# real 3.3.3.3
Cat6k(config-slb-module-real)# backup real 1.1.1.1
Cat6k(config-slb-module-real)# inservice

Step 3
Configure the ICMP probe (through firewall) for this serverfarm.

Step 4
Configure the ICMP probes for the CSMs outside and inside the firewall.

Make sure that the backup real server is configured in the same order in both CSMs.

The inservice standby option assigned to a real server specifies that this server only receives connections if they are destined or load-balanced to the failed primary server. If you configure the real server designated as real 2.2.2.2 with inservice standby, then all connections would go to either of the real servers designated as real 1.1.1.1 or real 3.3.3.3. When real server real 1.1.1.1 fails, the real server designated as real 2.2.2.2 becomes active in place of real server real 1.1.1.1.

Catalyst 6500 Series Content Switching Module Configuration Note
11-26
Chapter 11
Configuring Firewall Load Balancing
OL-4612-01
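
One way to check the firewall reassignment requirements above before a failover depends on them, as an added example that is not part of the Cisco configuration note: it parses the FW-FARM serverfarm text from the outside and inside CSMs and reports a missing failaction reassign, a real without a usable backup real, and a backup order that differs between the two CSMs. Assumptions: the function names are hypothetical, the configs are supplied as plain text in the form used in the steps (no prompts), the reals are listed in the same firewall order on both CSMs, and the 10.1.1.x inside addresses are constructed.

```python
import re

def parse_farm(config, farm):
    """Return (failaction, ordered [[real_ip, backup_ip], ...]) for one serverfarm."""
    failaction, reals, in_farm = None, [], False
    for line in (l.strip() for l in config.splitlines()):
        if line.startswith("serverfarm "):
            in_farm = line.split()[1] == farm   # a new serverfarm block starts here
        elif not in_farm:
            continue
        elif line.startswith("failaction "):
            failaction = line.split()[1]
        elif m := re.fullmatch(r"real (\S+)", line):
            reals.append([m.group(1), None])
        elif reals and (m := re.fullmatch(r"backup real (\S+)", line)):
            reals[-1][1] = m.group(1)
    return failaction, reals

def backup_positions(reals):
    """Map each backup IP to the list position of the real it names (None if absent)."""
    index = {ip: i for i, (ip, _) in enumerate(reals)}
    return [index.get(backup) for _, backup in reals]

def check_pair(outside_cfg, inside_cfg, farm):
    """Return findings for the two CSM configs; an empty list means consistent."""
    findings, chains = [], []
    for side, cfg in (("outside", outside_cfg), ("inside", inside_cfg)):
        failaction, reals = parse_farm(cfg, farm)
        if failaction != "reassign":
            findings.append(f"{side}: failaction reassign not set")
        positions = backup_positions(reals)
        for (ip, _), pos in zip(reals, positions):
            if pos is None:
                findings.append(f"{side}: real {ip} has no valid backup real")
        chains.append(positions)
    if chains[0] != chains[1]:
        findings.append("backup real order differs between the two CSMs")
    return findings

def farm_cfg(pairs):
    """Build a constructed FW-FARM config from (real, backup) pairs."""
    body = "".join(f" real {r}\n  backup real {b}\n  inservice\n" for r, b in pairs)
    return "serverfarm FW-FARM\n failaction reassign\n" + body

# Constructed samples; the 10.1.1.x inside addresses are placeholders.
OUTSIDE = farm_cfg([("1.1.1.1", "2.2.2.2"), ("2.2.2.2", "3.3.3.3"), ("3.3.3.3", "1.1.1.1")])
INSIDE_OK = farm_cfg([("10.1.1.1", "10.1.1.2"), ("10.1.1.2", "10.1.1.3"), ("10.1.1.3", "10.1.1.1")])
INSIDE_BAD = farm_cfg([("10.1.1.1", "10.1.1.3"), ("10.1.1.2", "10.1.1.1"), ("10.1.1.3", "10.1.1.2")])

if __name__ == "__main__":
    print(check_pair(OUTSIDE, INSIDE_OK, "FW-FARM"))
    print(check_pair(OUTSIDE, INSIDE_BAD, "FW-FARM"))
```

The backup chain is compared by list position rather than by address, so the check still applies when the outside and inside CSMs reach the same firewalls on different IP addresses.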