This document describes changes to features and commands that are different or not described in the Cisco LocalDirector Installation and Configuration Guide (Document Number 78-5192-01). It describes releases 2.1.1 to 2.2.3.
This section contains configuration matrixes to help you order LocalDirector products. The following table lists the software releases that are compatible with the various hardware platforms.
Software Release   LocalDirector 410   LocalDirector 415   LocalDirector 416   LocalDirector 420   LocalDirector 430
2.1.1              x                   x                   -                   x                   -
2.1.2              x                   x                   -                   x                   -
2.1.3              x                   x                   -                   x                   -
2.2.1              x                   x                   x                   x                   x
2.2.2              x                   x                   x                   x                   x
2.2.3              x                   x                   x                   x                   x
(x = supported. The LocalDirector 416 and 430 platforms are introduced with release 2.2.1, so the 2.1.x releases apply to the 410, 415, and 420 only.)
The following table lists the 4-port network interface cards that can be installed in the LocalDirector 430 or 420 hardware platforms with the appropriate software release. Check the type of card you have with the show interface command. An Intel card displays the information "Hardware is i82557" and the RNS card displays "Hardware is rns23x0."
LocalDirector Hardware Platform   Intel Network Card          RNS Network Card
LocalDirector 420                 Release 2.1.2 and greater   Release 2.1.1 and greater
LocalDirector 430                 Release 2.2.1 and greater   Release 2.2.1 and greater
Failover is only supported between LocalDirector platforms of the same model number; for example, failover will not work between the 410 and the 416 or between the 420 and 430. Additionally, both the primary and secondary LocalDirectors must have the same number of interfaces connecting to the same network; for example, the primary LocalDirector interface 1 must be connected to the same network as the secondary LocalDirector interface 1.
In a failover setup, the active unit replicates the configuration to the standby unit when the standby unit is available. Before the configuration is replicated, the current configuration on the standby unit is erased. However, in version 2.2.2, the static commands were not erased before replication, which caused LocalDirector to reboot if the show static command was used. [CSCdm47752]
A four-port RNS Ethernet card with Intel chips could have had a 2 percent alignment error rate. Alignment errors were correlated to packet size: the bigger the packet and the bigger the file transfer, the greater the percentage of errors. [CSCdm23831]
Changes for Version 2.2.2
Cisco LocalDirector version 2.2.2 includes the following changes.
The "Bug Fixes" section describes the bugs that were fixed since release 2.2.1.
If you attempted to create a real server that already existed on LocalDirector, an error message without a carriage return displayed, which made the output look garbled. [CSCdk38075]
All show commands were accessible in unprivileged mode on LocalDirector. This information was available upon logging in and should not have been available without the enable password. Now all show commands except show configuration and show password are available in unprivileged mode. [CSCdk42246]
A LocalDirector Telnet password was reset to the default (cisco) after a certain number of reloads. [CSCdk62948]
LocalDirector ran out of resources if an Intel-based NIC had a memory leak with its packet buffers. [CSCdk87051]
The failover cable status was incorrectly reported in the output for the show failover command. [CSCdk88217]
A bug in the Intel card driver code caused a false bridge loop to be reported. [CSCdk91148]
Note This bug existed only on the Intel cards (both single-port and 4-port). The output of the show interface command for the 4-port card is "Hardware is i82557 ethernet."
The help text for the interface command incorrectly specified uppercase letters for Base and BaseTX; however, only lowercase letters are accepted. [CSCdm04212]
A LocalDirector virtual server would not pass incoming or outgoing fragmented packets. [CSCdm06821]
If a real server bound to a virtual server with the sticky feature enabled was taken out-of-service (with the oos command), LocalDirector could reboot because the sticky associations in memory were corrupt. [CSCdm08559]
If the replication feature was enabled but failover was turned off, LocalDirector rebooted while trying to replicate connections. [CSCdm13507]
Using the delay command caused LocalDirector to reboot in certain scenarios. The most common reboot occurred when a TCP SYN packet arrived for a delayed connection and was added to the connection table more than once. This caused a problem when the connection was removed from the table. [CSCdm15910]
Some fragmented packets were dropped, due to the order that LocalDirector validated packets. [CSCdm23852]
If a user entered the command syslog console during a telnet session to the LocalDirector and did not enter the no syslog console command before exiting the telnet session, a reboot occurred on the next syslog message that was generated. [CSCdk41006]
In failover configuration, incorrect configurations were reflected on the standby unit if the active unit underwent a reload, crash, or power off when replicating configurations to the standby unit. [CSCdk41008]
Any configuration changes that were made during a telnet session corrupted the configuration in flash when the write memory command was entered. [CSCdk63801]
If the LocalDirector was configured for synguard protection using the synguard command, it rebooted as soon as it entered synguard mode. [CSCdk64945]
A LocalDirector with FDDI interfaces would not work in a DecNet environment. Enabling DecNet caused the upper bit of the MAC address to be set so the LocalDirector regarded the packet as having an RIF field (used in source-route bridging). Since an RIF field was not present, the LocalDirector misinterpreted the packet. This bug resulted in the addition of the multiring command. (See New or Changed Commands in Version 2.2.1.) [CSCdk64947]
Problems resulted when the command failline appeared before the command failip_address in the config file. [CSCdk66746]
Connections that did not receive data (either incoming or outgoing) were timed-out after two minutes. This created a problem for applications that did not send data within this time-out period. Connections now time out in two minutes only if they have not completed the TCP handshake. [CSCdk67535]
For active FTP connections that were being load balanced via a virtual server, the LocalDirector did not translate the DATA connection for connections where the FTP server was not using port 20 as the source port. [CSCdj82574]
When upgrading from Version 1.6.6 to Version 2.1.1, LocalDirector incorrectly rebooted due to an invalid map command in the configuration file. [CSCdk46233]
If the backup command did not successfully complete, the next command that was entered caused LocalDirector to hang. [CSCdk50468]
If a connection request was sent to an out-of-service virtual server, or a non-defined virtual server port, the TCP RST generated by the LocalDirector had an incorrect TCP acknowledgment number, which caused it to be ignored by the client. [CSCdk55852]
If a client IP address of 0.0.0.0 arrived on a virtual server that was using the sticky feature, it corrupted the sticky associations in memory, which led to a Watchdog timeout. The Watchdog timeout forces a reboot. [CSCdk65048]
If an interface in a Failover configuration failed, the output of the show failover command on the active unit only showed that the standby unit had failed. It did not show the interface failure. You had to use the show failover command on the failed unit to see exact interface failure. [CSCdj84478]
Newer FDDI cards reported information from the show interface command that was counter intuitive. The newer cards reported the state of the FDDI ring as "isolated" rather than thru, wrap A, or wrap B. There are two ways to determine whether you have a new or an old FDDI card. The first is through the software. If you use the show interface command, the LocalDirector responds with "isolated" for the state. The interface still reports a "down" state, but all other states (thru, wrap A, or wrap B) are reported as isolated. This is only a reporting problem, and the card still functions properly. The second way to determine if you have a newer FDDI card is to look at the physical connector in the back. The newer cards are completely black, while the older cards have some metallic color inside. [CSCdk21935]
When a virtual server using the sticky command directed an incoming connection to a real server that responded with a TCP RST message, LocalDirector incorrectly set the sticky information for the connection. When the client sent the next TCP SYN request for the connection, the client could not connect with the real server, since the sticky history was lost. [CSCdk26910]
The static command did not perform as described in the Cisco LocalDirector Installation and Configuration Guide, Version 2.1. The following three problems occurred:
Port definitions could not be made for the real machine; when the real_port option was used to configure a real machine, an "Invalid IP address" error message was returned.
Virtual addresses that were set up using the port:bind ID default values for the static machine could not be used; an "Invalid IP address" error message was returned.
Once a static machine was created, it could not be removed with the no static command. [CSCdk31832]
In failover mode, using the write standby command on the active unit corrupted the configuration by adding some configuration commands more than once. Note that this was also true for the configuration replication that occurred when a standby unit became available. [CSCdk34226]
In the first packet of a connection, if any bit other than SYN was set in the TCP flags, LocalDirector rejected the packet. This usually only happened with clients running Microsoft Windows 3.1, which had the PUSH bit set. [CSCdk35089]
The show statistics command incorrectly displayed negative numbers in some fields. [CSCdk39441]
In failover mode, if a standby unit was brought up with some Fast EtherChannels configured, the replication from the active unit did not clear this information before writing to the standby. As a result, the standby unit contained old and new configuration information, putting it out of sync with the active unit. [CSCdk39755]
LocalDirector did not respond correctly to the traceroute command for a defined virtual server. [CSCdk40724]
The show commands were accessible in unprivileged mode on LocalDirector. This information was available upon logging in, and should not have been available without the enable password. [CSCdk42246]
When a virtual definition did not include the port for the virtual server (that is, you were using the default port), the client networks assigned to the virtual with the assign command were not sent to the correct set of real servers. [CSCdk43770]
If a packet arrived without having its TCP SYN bit set, LocalDirector quietly discarded the packet when it should have responded with a TCP RST packet. [CSCdk44929]
In the DEC-based OSICOM driver, "framing errors" were not counted. This caused the output of the show interfaces command for framing errors to display a zero. (Framing errors occur when a frame contains a noninteger multiple of eight bits, producing a CRC error.) [CSCdk45083]
For access to customer sites from behind a firewall, passive FTP did not work. Connections could not complete because the source address changed from the client's expected communication address and the firewall was only open to return traffic from the virtual address. [CSCdj61333]
Polling sysUpTime returned 0 instead of the uptime for the hardware. [CSCdj67096]
In a failover configuration, if an interface was pulled (or went down) it would, in some cases, not "auto recover" when the interface went back up. [CSCdj93114]
The high-order byte of the source MAC address of Ethernet packets for all traffic going through LocalDirector was set to zero. This is not a problem for most users since this byte is only set in a FDDI or Token-Ring environment using source route bridging. If the MAC address was changed on the Ethernet device that set this byte, it could cause problems. [CSCdj73694]
In a switched environment, the switch connected to LocalDirector could forget LocalDirector's MAC address in a non-failover configuration. This was because the LocalDirector preserved the source MAC address for all load-balanced packets, and did not source packets with its own MAC address unless the LocalDirector had a Telnet session or was sending syslog/SNMP messages to a defined server. This caused the CAM table on the switch to exclude the LocalDirector's MAC address. [CSCdk02195]
Packets destined for servers on a different subnet than the LocalDirector traverse the outside Ethernet three times before being forwarded to the appropriate server if directly connected multiple logical subnets are running on the inside interface.
The workaround is to place an additional router behind the LocalDirector to manage the traffic to multiple subnets, and add appropriate route statements to the LocalDirector configuration. [CSCdj69947]
Using the sticky command creates a load imbalance when clients are coming from a site that uses a proxy server to access the Internet. Since sticky only uses the client's IP address for storing the association to a real server, all clients coming from a proxy server are sent to the same real server.
A potential workaround is to use a port-bound virtual server for the SSL port and set sticky only for that virtual address. If sticky is being used for regular web traffic, this does not help. [CSCdj81299]
LocalDirector needs to disable the Cisco Syslog MIB, so it does not send traps for every SYSLOG message when an SNMP host is configured. [CSCdj82485]
For active FTP connections that were load balanced via a virtual server, LocalDirector did not translate the DATA connection when the FTP server was not using port 20 as the source port. In most cases, this did not cause a problem; however, if a customer was using a proxy server for FTP, it could use a port other than port 20 for the DATA connection. In this case, the FTP DATA connection appeared to be coming directly from the server instead of the virtual address and packets were not translated. [CSCdj82574]
The SNMP community string cannot be switched off. Allowing LocalDirector to switch between on and off would be helpful. [CSCdk16901]
If the standby unit is not present when the active LocalDirector is receiving connections in a failover configuration, it does not replicate already established connections to the standby unit when it becomes available. [CSCdk20283]
You cannot retrieve values for MIB instances in cldVirtualTable except for the first instance in the table. [CSCdk33149]
When using a switch to support multiple VLANS (and a VLAN is in front of and following the LocalDirector), performance is optimized if each VLAN is on a separate switch. [CSCdk42247]
There is no value for the SNMP object sysobjectOID for Version 2.1. [CSCdk50678]
If the snmp-server contact command with a value greater than 57 characters is written to flash memory, the show config command causes LocalDirector Version 2.1.2 to reboot.
When trying to bind a server on a port higher than 32768, LocalDirector responds with the error message "machine does not exist; can't bind." [CSCdk58223]
If LocalDirector has any 4-port RNS cards with the DEC chip set, you can cause internal looping behavior if you manually change the line speed from 10 to 100 and then back to 10.
Check the type of NIC that you are using with the show interface command. The output for this card displays "Hardware is rns23x0." [CSCdk87047]
LocalDirector performs a gratuitous ARP for each enabled interface. These gratuitous ARPs are propagated to each interface. This can cause additional log entries in networks that log events such as MAC address changes for IP addresses. [CSCdm02673]
The channel information is lost on the standby unit when the active unit rewrites its configuration. The data that is lost is somewhat random: different channels can be lost between replications and sometimes the bind information is lost. [CSCdm19211]
If LocalDirector fails, it shuts down its interfaces. This is done as a precautionary measure to prevent a failed unit from harming the rest of the network (constantly transmitting trash, and so forth). If you use the write mem command on LocalDirector while it is failed, it saves the information that the interfaces are down. [CSCdm22062]
Versions prior to 2.1 allowed the out-of-service and in-service commands to be entered from enabled mode. In version 2.1, you must be in config mode.
The entire configuration is read by the configure net command. If a command that is executed changes the system IP address, communication with LocalDirector is lost and has to be re-established.
If an interface is secured by the secure command, it may not be possible to communicate with a standby unit from an external device; however, the failover mechanism works in the event of a failure on the active unit.
The 4-port RNS Ethernet card in the LocalDirector does not autonegotiate, and does not accept the auto option with the interface ethernet command. The ports on the 4-port Ethernet card default to 100BaseTX. The 10baset|100basetx|100full options are available, but the auto option is not.
If the peer port autonegotiates, the 4-port interface speed must be set with the 10baset or 100basetx options; setting it to 100full confuses the autonegotiation process on the peer port, resulting in unpredictable behavior.
Check the type of NIC that you are using with the show interface command. The output for this card displays "Hardware is rns23x0."
The LED behavior on the 4-port RNS Ethernet interface is different from other Cisco products.
Green - Indicates data transmission activities relative to the amount of traffic.
Flashing amber - Autosensing in progress (even with no configuration and no cable connections).
Steady amber - Active connection (this is normal operation).
Identical LocalDirector units should be used in a failover configuration. For example, a LocalDirector 420 should be used to back up another LocalDirector 420, and each unit must have the same number and type of interfaces.
If failover is configured, use the no interface command to disable unused interfaces. Otherwise, the unused interfaces are seen as failed and the unit fails.
The map command has been removed, and configurations that include the map command are not allowed. To upgrade to LocalDirector version 2.1.1, create a new configuration that uses port-bound servers instead.
Use a colon as a delimiter for ports and bind-IDs when defining virtual and real servers.
Failover now auto-detects a failover cable at boot time and enables failover automatically. This overrides a "no failover" statement in the configuration settings. If a failover cable is present, but not connected to the other unit, a standalone LocalDirector can remain in Standby mode at boot time, even if the "no failover" setting is stored in the configuration. If a standby unit is removed, the failover cable should also be removed to prevent this from occurring.
If a configuration command fails, either during or after the boot process, a syslog message is generated to reflect that the command failed. For example, if the map command failed, it would generate the syslog message:
<163> Config FAILED: map 10.10.10.50 80 8080
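Because a failed configuration command is only reported through syslog, it is worth flagging these messages when reviewing LocalDirector logs after an upgrade (for example, a leftover map command). The following is an added example, not Cisco code: it decodes the standard syslog priority (facility and severity) and extracts the failed command from the message format shown above, run over a few constructed sample lines.

```python
import re
from typing import Dict, List, Optional

# Constructed sample lines. The first matches the format quoted in the release note;
# the second is an ordinary message that must not be flagged.
SAMPLE_LINES = [
    "<163> Config FAILED: map 10.10.10.50 80 8080",
    "<166> Interface ethernet 0 up",
    "<163> Config FAILED: tftp-server 10.1.1.5 /ld",
]

# Standard BSD syslog header: <PRI> where PRI = facility * 8 + severity.
_PRI_RE = re.compile(r"^<(\d{1,3})>\s*(.*)$")
# Message body emitted by LocalDirector for a failed configuration command.
_FAILED_RE = re.compile(r"^Config FAILED:\s*(?P<cmd>\S+)(?:\s+(?P<args>.*))?$")


def parse_failed_config(line: str) -> Optional[Dict[str, object]]:
    """Return facility, severity, command and arguments for a 'Config FAILED' line,
    or None for any other line (including lines with an invalid PRI)."""
    m = _PRI_RE.match(line)
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:  # highest legal PRI is 23 * 8 + 7
        return None
    facility, severity = divmod(pri, 8)  # <163> -> facility 20 (local4), severity 3 (error)
    body = _FAILED_RE.match(m.group(2))
    if not body:
        return None
    return {
        "facility": facility,
        "severity": severity,
        "command": body.group("cmd"),
        "args": body.group("args") or "",
    }


def failed_commands(lines: List[str]) -> List[Dict[str, object]]:
    """Filter a log to the configuration commands LocalDirector reported as failed."""
    return [rec for rec in map(parse_failed_config, lines) if rec is not None]


if __name__ == "__main__":
    for rec in failed_commands(SAMPLE_LINES):
        print(f"failed command: {rec['command']} {rec['args']} (severity {rec['severity']})")
```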
Table 2-1 in the Cisco LocalDirector Installation and Configuration Guide, Version 2.1 incorrectly states that the LocalDirector 420 supports 1,000,00,000 simultaneous TCP connections. The correct number of connections is 1,000,000.
The LocalDirector 430 and LocalDirector 416 platforms are introduced with the LocalDirector 2.2.1 software and replace the LocalDirector 420 and LocalDirector 410 platforms, respectively.
LocalDirector security features include the following:
Secure Access
LocalDirector can determine how to handle connections based on the source IP address of the client. By using the assign command and the bind-ID on a virtual server, traffic can be directed to a specific location or dropped altogether.
Secure Bridging
Before version 2.1.1, LocalDirector bridged traffic that was not destined for a virtual server. If a real server had a valid registered IP address, clients could access the server through its IP address and bridge directly through the LocalDirector. For security, you can now turn bridging off and not allow direct access to real servers. By using the secure command to turn bridging off for real servers, client traffic must go through a LocalDirector virtual address.
Stateful failover works with the existing failover option to ensure that active connections to a virtual are not dropped in the event of a LocalDirector failover. Before version 2.1.1, the state of client connections to virtual servers was not maintained if a LocalDirector unit failed. Now, connection state can be maintained on a per-virtual basis. This feature is turned on or off for each virtual server with the replicate command.
State information is maintained on connections for the virtual server, and state information is passed from the active to the standby unit via the network (not the failover cable). You can specify which interface monitors state information and dedicate an Ethernet interface on each LocalDirector to provide state information (on units with three or more interfaces) with the replicate interface command.
Stateful failover is beneficial for applications with a long connection time such as Telnet. It is not recommended for short-lived (and high volume) connections such as HTTP. However, it could be beneficial to have stateful failover turned on when the HTTP connections are using the KEEP-ALIVE option and there is a low volume of HTTP traffic for the virtual server.
LocalDirector version 2.1.1 supports up to 16 interfaces on the LocalDirector 420 and 3 on the LocalDirector 415 and 410. This can be useful in a number of ways. For example:
In some situations, the LocalDirector can have Ethernet-switch-like capabilities, where each individual web server is placed on a separate interface, avoiding the need for a switch between the LocalDirector and the server farm.
If the web farm has web servers and back-end database servers, the web farm can access the database farm through a virtual interface, thus obtaining the benefits of load-balancing and server redundancy from the web servers to the database servers.
Multiple interfaces make Fast EtherChannel possible.
An interface can be dedicated to communicating state information between LocalDirector units by using the replicate interface command. This is useful for stateful failover.
LocalDirector interface numbering has changed, so that the interfaces are numbered from left to right and top down, as shown in the following illustration:
Note If you are upgrading a LocalDirector 415 to version 2.1.1, the numbering of the interfaces will follow the numbering scheme described previously, and the interface numbers will reverse.
Note If you are upgrading a LocalDirector 415 unit, remove all other interfaces before installing 4-port cards. Single-port and 4-port cards cannot be mixed.
Fast EtherChannel is a method of multiplexing 100BaseT interfaces into a single, scalable, virtual channel, and it is currently available on Cisco Catalyst 5000 switches. More than one Fast EtherChannel can be defined on a LocalDirector provided the LocalDirector has more than two interfaces.
LocalDirector real and virtual server (server farm) configuration files can be stored on a TFTP server. The commands associated with TFTP are as follows:
The tftp-server command sets the IP address of the TFTP server and the directory where the configuration files are stored.
[no] tftp-server tftp-server-ip tftp-directory
The configure net command reads configuration information from the TFTP server after LocalDirector is booted and running. The filename option can be a full path name that is different from the TFTP directory set by the tftp-server command, or it can be a base name in the TFTP directory.
configure net [filename [tftp-server-ip] ]
The write net command saves configuration information to the server defined with the tftp-server command. The filename option can be a full path name that is different from the TFTP directory set by the tftp-server command, or it can be a base name in the TFTP directory. On some UNIX servers, the file must be defined before LocalDirector can write to it.
write net [[tftp-server-ip] filename]
The boot config command is stored in Flash memory and enables the LocalDirector to get the server farm configuration via TFTP at boot time. If the boot config command is active, the write floppy|memory command only saves the tftp-server, configure net, and boot config commands in the system configuration. The filename option must be a full path name.
[no] boot config filename tftp-server-ip
The boot image command enables booting from a remote image (version of LocalDirector software) on a TFTP server. The image-filename option must be a full path name.
The static command enables the source IP address of the outbound packet to be translated to a virtual address for connections initiated from a real server.
This feature allows clients that reach a particular virtual address to get load balanced to different real servers according to the source IP address of the client. That is, different clients going to the same virtual server can be directed to different real server bindings for the same virtual address. This is accomplished by extending the concept of a virtual to include a bind-ID. The bind-ID is used with the assign command to associate a client IP address with a specific virtual server.
There are many possible uses of this feature, including:
Grades of Service
You can assign known client IP addresses to a collection of more powerful servers to obtain faster service for them.
Special Services
You could take client IP addresses known to be a part of your company to an internal page, but send unknown clients to a generic home page.
Not Welcome Mats
You can assign "problem" client IP addresses to a real machine that serves a page indicating that the user is not welcome to your site.
Previously, commands that referenced virtual servers and real servers could reference a machine as the IP address and an optional space-separated port number. Real servers and virtual servers are now described as an IP address followed by a colon, followed by the port number. Virtual servers can include an optional colon-separated bind-ID. When an existing configuration is upgraded to version 2.1.1, a colon is used as a delimiter automatically.
The default bind-ID is 0, and any client IP address not configured with the assign command is directed to the default bind-ID of 0. If you do not create the default bind-ID version of the virtual server (a virtual server with a bind-ID of 0), then only IP addresses configured with the assign command are allowed in and all other requests are blocked. This can be used as a powerful security feature.
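To make the access-control consequence of the bind-ID rule concrete, here is an added example (not Cisco code) that models the behaviour described above: it parses the colon-delimited ip[:port[:bind-ID]] server form, maps client addresses to bind-IDs as the assign command does, and blocks unassigned clients when no bind-ID 0 virtual exists. The addresses are constructed, the default port is modelled as 0, and the rule that the most specific matching assign entry wins is an assumption of this model.

```python
import ipaddress
from typing import List, Optional, Set, Tuple

Server = Tuple[ipaddress.IPv4Address, int, int]  # (ip, port, bind-ID)


def parse_server(spec: str) -> Server:
    """Parse the version 2.1.1 form ip[:port[:bind-ID]].
    A missing port is modelled as 0 (default port) and a missing bind-ID is 0,
    the default bind-ID described in the release note."""
    parts = spec.split(":")
    if not 1 <= len(parts) <= 3:
        raise ValueError(f"bad server spec {spec!r}")
    ip = ipaddress.IPv4Address(parts[0])
    port = int(parts[1]) if len(parts) > 1 and parts[1] else 0
    bind_id = int(parts[2]) if len(parts) > 2 and parts[2] else 0
    if not 0 <= port <= 65535 or bind_id < 0:
        raise ValueError(f"port or bind-ID out of range in {spec!r}")
    return ip, port, bind_id


class VirtualTable:
    """Model of virtual servers plus assign entries (client network -> bind-ID)."""

    def __init__(self) -> None:
        self.virtuals: Set[Server] = set()
        # (virtual ip, client network, bind-ID); constructed model, not the real table
        self.assigns: List[Tuple[ipaddress.IPv4Address, ipaddress.IPv4Network, int]] = []

    def virtual(self, spec: str) -> None:
        self.virtuals.add(parse_server(spec))

    def assign(self, client_net: str, virtual_ip: str, bind_id: int) -> None:
        self.assigns.append((ipaddress.IPv4Address(virtual_ip),
                             ipaddress.IPv4Network(client_net), bind_id))

    def lookup(self, client_ip: str, virtual_spec: str) -> Optional[int]:
        """Return the bind-ID the client is directed to, or None if it is blocked."""
        vip, port, _ = parse_server(virtual_spec)
        client = ipaddress.IPv4Address(client_ip)
        # Assumption of the model: the most specific matching assign entry wins.
        matches = [(net.prefixlen, bid) for v, net, bid in self.assigns
                   if v == vip and client in net]
        bind_id = max(matches)[1] if matches else 0
        # The virtual with that bind-ID must exist. With no bind-ID 0 virtual,
        # clients that were never assigned have nowhere to go and are blocked.
        return bind_id if (vip, port, bind_id) in self.virtuals else None


def demo() -> dict:
    """Constructed configuration: a premium farm (bind-ID 1), a 'not welcome'
    page (bind-ID 2), and deliberately no bind-ID 0 virtual."""
    t = VirtualTable()
    t.virtual("192.0.2.10:80:1")
    t.virtual("192.0.2.10:80:2")
    t.assign("198.51.100.0/24", "192.0.2.10", 1)  # known client network
    t.assign("203.0.113.7/32", "192.0.2.10", 2)   # single problem address
    return {
        "known": t.lookup("198.51.100.20", "192.0.2.10:80"),
        "not_welcome": t.lookup("203.0.113.7", "192.0.2.10:80"),
        "unknown": t.lookup("203.0.113.99", "192.0.2.10:80"),
    }


if __name__ == "__main__":
    print(demo())
```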
The LocalDirector-specific MIB gives the ability to view real and virtual servers and information about failover. The SNMP SET command is not supported.
The LocalDirector now performs a CRC (cyclic redundancy check) on the software image. If LocalDirector is booted from a diskette or TFTP file with a bad image, it returns an error message and hangs.
Table 1 lists commands that are new or changed in version 2.2.1. Table 2 lists commands that are new or changed in version 2.1.1. For detailed information about version 2.1.1 commands including syntax, usage guidelines, and examples, refer to the Cisco LocalDirector Installation and Configuration Guide, Version 2.1.
(New) Enables or disables the specified interface's ability to collect and use source-route information (RIF) for routable protocols. The all keyword enables multiring for all frames. See the chapter "Configuring Source-Route Bridging" in the document Router Products Configuration and Reference for more information.
In FDDI (and token-ring), a RIF (Routing Information Field) can exist in the IP header. The multiring command, which is on by default in LocalDirector, interprets and uses the RIF field in the header. When this is turned off (using no multiring all), the RIF field is not used in the IP header for routing packets in a "source-route bridged" network.
[no] interface interface_number
(Changed) This command no longer is used to enable and disable an interface. Use the shutdown command instead.
[no] shutdown ethernet|fddi interface_number
(New) Disables an interface. The no form of the command enables an interface. For example, to enable an interface and configure its speed, use the commands:
no shutdown ethernet 0
interface ethernet 0 100full
To disable this same interface, use the commands:
shutdown ethernet 0
interface ethernet 0 100full
Use the write memory command to save configurations to flash memory.
The replicate command enables stateful failover, and the replicate interface command sends replication data to the standby unit via a dedicated interface.
Cisco Connection Online (CCO) is Cisco Systems' primary, real-time support channel. Maintenance customers and partners can self-register on CCO to obtain additional information and services.
Available 24 hours a day, 7 days a week, CCO provides a wealth of standard and value-added services to Cisco's customers and business partners. CCO services include product information, product documentation, software updates, release notes, technical tips, the Bug Navigator, configuration notes, brochures, descriptions of service offerings, and download access to public and authorized files.
CCO serves a wide variety of users through two interfaces that are updated and enhanced simultaneously: a character-based version and a multimedia version that resides on the World Wide Web (WWW). The character-based CCO supports Zmodem, Kermit, Xmodem, FTP, and Internet e-mail, and it is excellent for quick access to information over lower bandwidths. The WWW version of CCO provides richly formatted documents with photographs, figures, graphics, and video, as well as hyperlinks to related information.
Modem: From North America, 408 526-8070; from Europe, 33 1 64 46 40 82. Use the following terminal settings: VT100 emulation; databits: 8; parity: none; stop bits: 1; and connection rates up to 28.8 kbps.
For a copy of CCO's Frequently Asked Questions (FAQ), contact ccohelp@cisco.com. For additional information, contact ccoteam@cisco.com.
If you are a network administrator and need personal technical assistance with a Cisco product that is under warranty or covered by a maintenance contract, contact Cisco's Technical Assistance Center (TAC) at 800 553-2447, 408 526-7209, or tac@cisco.com. To obtain general information about Cisco Systems, Cisco products, or upgrades, contact 800 553-6387, 408 526-7208, or csrep@cisco.com.
Cisco documentation and additional literature are available on a CD-ROM package, which ships with your product. The Documentation CD-ROM, a member of the Cisco Connection Family, is updated monthly. Therefore, it might be more up to date than printed documentation. To order additional copies of the Documentation CD-ROM, contact your local sales representative or call customer service. The CD-ROM package is available as a single package or as an annual subscription. You can also access Cisco documentation on the World Wide Web at http://www.cisco.com, http://www-china.cisco.com, or http://www-europe.cisco.com.
If you are reading Cisco product documentation on the World Wide Web, you can submit comments electronically. Click Feedback in the toolbar and select Documentation. After you complete the form, click Submit to send it to Cisco. We appreciate your comments.