Super-Networking Blog

Cisco CSM One-Armed

by admin on Aug.14, 2006, under Networking, load balancing

I have been working lately on setting up a new design on our CSM. It is currently running in bridged mode, and all of our servers need routes on them to function correctly. The default gateway on the servers is the CSM, and any internal traffic you want to work needs a route on the server. This is one of my pet peeves; I completely disagree with having routes on the servers. For one, it is a pain when you add a new subnet and need to add a route to 100 servers, and for another, the reason you have routers is to route!

Unlike the current design, one-armed routed mode sends all traffic to the MSFC (the “router”) and only sends load-balanced traffic through the CSM, and it does this without routes on the servers. The servers have a default route to the MSFC, which uses route-maps to decide whether the traffic needs to be routed through the CSM. Two of the best benefits of this method are that it gets rid of excess traffic going through the CSM and it removes the need for routes on the servers.

Here is a document from Cisco that will help you when putting this method into place. This will not work for everyone’s situation but is a good starting point. One thing that I had to modify in this design is the route map: I had to use “ip next-hop” instead of “ip default next-hop”. The reason is that ip default next-hop basically assigns a new default route and will only take effect if the router doesn’t have a route for the IP address the server is trying to reach. If you use BGP on the same router this traffic is going through, the default route will have little effect; in a BGP situation where you have routes to the majority of subnets, the default route is used very little. Here is how I got around this.

route-map server-client-traffic-CSM permit 10
 match ip address 1
 continue
 set ip default next-hop X.X.X.1
route-map server-client-traffic-CSM permit 20
 match ip address 2
 set ip next-hop X.X.X.2

The first route-map entry points to access-list 1, which I tell to look for any traffic from the load-balanced servers to an internal IP. It then switches the default gateway to the regular default gateway. This entry is there to weed out internal, non-load-balanced traffic. The continue keyword tells it to continue to the next route-map entry if it doesn’t match the current one. The second entry points to access-list 2, and in access-list 2 I tell it to watch for any traffic coming from the load-balanced servers going anywhere that is not internal, and set the next hop to the CSM.
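The difference between "set ip next-hop" and "set ip default next-hop" that drives this design, modeled as an added Python example (not the author's code and not Cisco's): it shows why entry 20 only steers traffic to the CSM reliably when it uses "next-hop". All addresses, routing-table entries and function names are constructed for illustration; the model is first-match and leaves out "continue", which assumes the two access lists never match the same packet.

```python
import ipaddress

# Constructed lab values (private/documentation ranges), not taken from the post.
SERVERS = ipaddress.ip_network("10.1.1.0/24")     # load-balanced real servers
INTERNAL = ipaddress.ip_network("10.0.0.0/8")     # internal address space
GATEWAY, CSM = "10.1.0.1", "10.1.0.2"             # stand-ins for X.X.X.1 / X.X.X.2
# Explicit routes on the MSFC. 0.0.0.0/0 is kept separate because a default
# route does not count as an explicit route for "default next-hop".
RIB = {ipaddress.ip_network("10.0.0.0/8"): "10.0.0.254",
       ipaddress.ip_network("198.51.100.0/24"): "192.0.2.1"}  # e.g. BGP-learned
DEFAULT_ROUTE = "192.0.2.254"

def rib_lookup(dst):
    """Longest-prefix match over explicit routes; None if only the default applies."""
    hits = [n for n in RIB if dst in n]
    return RIB[max(hits, key=lambda n: n.prefixlen)] if hits else None

def route_map(external_action):
    """The post's two-entry map; external_action is the set verb used in entry 20."""
    return [
        (lambda s, d: s in SERVERS and d in INTERNAL, "default next-hop", GATEWAY),
        (lambda s, d: s in SERVERS and d not in INTERNAL, external_action, CSM),
    ]

def forward(src, dst, entries):
    """Return the next hop the router would pick for one packet."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    explicit = rib_lookup(d)
    for match, action, hop in entries:
        if not match(s, d):
            continue
        if action == "next-hop":      # always overrides the routing table
            return hop
        if explicit is None:          # "default next-hop": only without an explicit route
            return hop
        break                         # explicit route wins; route normally
    return explicit or DEFAULT_ROUTE

if __name__ == "__main__":
    for verb in ("default next-hop", "next-hop"):
        print(verb, "->", forward("10.1.1.10", "198.51.100.7", route_map(verb)))
```

With a BGP-learned route for the destination, the "default next-hop" variant follows the routing table and never reaches the CSM, while the "next-hop" variant is forced through it.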

The other tricky part of this setup is server-initiated traffic, which you don’t want going through the CSM but which is going external and so matches the second route-map entry. A side effect of this is a routing loop between the CSM and the MSFC for server-initiated traffic. I got around this by NATing the real server in the CSM and on the MSFC. What happens then is this: the real server sends traffic (say, to get Windows updates) to the MSFC; the traffic matches the second route-map entry and goes to the CSM; the CSM NATs it and sends it to the MSFC, which sends it to the Internet; the return traffic comes back to the MSFC and goes straight to the server, bypassing the CSM. This config is working well so far, but I am still testing and tweaking it.

