Getting Something Out of the CSM
My buddy told me that my site is the only place on the web with documentation on the Cisco Content Switching Module (CSM). I also noticed a few months ago that every TAC case I’ve opened on the CSM has been handled by the same guy. I seriously think that the only people in the world that really know about these things are me and him. Cool. I better get some more content up.
The CSM is configured and controlled by the IOS running on the 6500. Unlike the FWSM, it is not independent from the switch’s operation, which is sometimes good. One good thing out of that is the fact that you can pull stats and stuff from the IOS without having to session or SSH to another module. The bad part of that, though, is that the commands wind up being long.
To start with, all show and clear commands start like this.
show|clear module contentSwitchingModule <SLOT> <COMMAND>
Do you see how long that command is? And we didn’t even tell it what we wanted to do yet. You can use the auto-complete, though, f you’re lazy like I am.
sho|cl mod csm <SLOT> <COMMAND>
Yes, it takes csm instead of contentSwitchingModule. That’s not in the contextual help. Heh.
SLOT is where the module is in the chassis, so, if your CSM is in slot 8, you…can figure it out. COMMAND is what you want to do, right? Yeah…I won’t insult your intelligence.
What are some show commands? There’s a lot of them, but here’s some I use every day. My production CSMs are in slot 3, so I’ll just use that for the slot.
- show mod csm 3 arp : Shows you the ARP table (duh!). This is good to see if the CSM can contact the real servers or the gateways properly.
- show mod csm 3 conns : Shows the current connections through the CSM. This shows you what client IP is connected to what virtual IP and on what real IP that connection lands.
- show mod csm 3 ft : Fault tolerance. This shows what your FT VLAN and status is. It also shows if your secondary configs are out-of-sync with the primary.
- show mod csm 3 reals : Shows all the real servers involved in all serverfarms along with the weight, state, and current number of connections. This shows you a lot of information that could be helpful in troubleshooting a problem. Look for FAILED, PROBE_FAILED, or OUTOFSERVICE; these are bad.
- show mod csm 3 serverfarms : Shows your setup and status of the serverfarms. Also great for troubleshooting.
- show mod csm 3 vservers : Shows the IP, VLAN, and state of your vservers along with the current number of connections.
- show mod csm 3 vlan : Shows the VLAN ID, subnet and mask, and VLAN type (server, client, FT)
Be sure to use your contextual help for more detail on these commands; most of them actually can get very specific. For example, ft shows your status, but ft detail shows your message counts, resets, and other good and bad things that deal with the fault tolerance.
How about something to clear?
- clear mod csm 3 connections : Clears the connections through the CSM. This is probably very close to clear conns on a PIX, FWSM, or ASA, so be careful not to kick everybody off.
- clear mod csm 3 arp-cache : Clears ARP
- clear mod csm 3 ft active : Forces the primary to fail over.
- clear mod csm 3 counters : Do you have to ask?
Again, these guys need to be explored with the question mark to get the full effect.
Since I’ve established myself as the long authority in the world on the CSM [sic], drop a comment with any questions.
on June 10th, 2008 at 10:37 pm
Said in the voices from the guys in the Guinness commercials… “BRILLIANT!” This is good stuff, keep it coming!
on June 12th, 2008 at 8:18 am
Thanks, Clint. I’m trying to get back on track.
on June 23rd, 2008 at 8:17 am
[...] Getting Something Out of the CSM [...]
on September 16th, 2008 at 5:12 pm
Hey Aaron,
Thanks for teh great info. I don’t know if this is the right place to post this but here goes.
I understand the basic functions of the CSM but when traffic comes into a VIP and then to a farm, how do you get the CSM to pass the source IP to the destination? Wouldn’t that info be of some value?
on September 16th, 2008 at 10:16 pm
Hi, Droudpeyma. Thanks for commenting.
In the serverfarm configuration, there are two lines that deal with NAT — “nat client” and “nat server”. By default, client (source) NATting is off, and server (destination) NATting is on, so the source IP of the connection inbound to the serverfarm does not get changed before it’s passed on to the servers in the farm.
Here’s what the source and destination of the packets are at various steps in the process. Let’s assume the source IP is 12.34.56.78, the VIP is 1.1.1.1, and the serverfarm only has one server with the IP of 2.2.2.2. Assume that no other NATting is done in our little setup.
The packet leaves the client:
S: 12.34.56.78, D: 1.1.1.1
The CSM receives the packet and passes it on to the RIP:
S: 12.34.56.78, D: 2.2.2.2
The packet lands on the server:
S: 12.34.56.78, D: 2.2.2.2
The server generates a return packet:
S: 2.2.2.2, D: 12.34.56.78
The CSM gets the packet and sends it back to the client:
S: 1.1.1.1, D: 12.34.56.78
The client receives the packet:
S: 1.1.1.1, D: 12.34.56.78
Hope that helps. Let me know if it doesn’t.
on September 17th, 2008 at 12:19 pm
Aaron,
Thanks so much for the info. I understand now why our farms are showing the source IP to be of the VIP. At the moment the farms are assigned to a NATPOOL on the client side. When that is removed the connection to the site breaks. Is there something else that needs to be done on the (client) Nat in order to restore the connection?
Thanks,
David
on September 18th, 2008 at 8:45 pm
Hey, David.
I think if you turn off cleint NAT, you should be alright. Just go into your serverfarm for the VIP and do a “no nat client”. After such, you should see the clients appear unNATted.
on September 27th, 2008 at 4:33 pm
one more very (at least for me) useful command run from switch# level
“show run mod X”, where X is slot number where CSM resides
it shows only configuration block for the csm
works with other modules as well
on October 10th, 2008 at 10:11 am
[...] me know if you have any questions and check out my page on getting output from Cisco’s fine mid-tier load [...]