Cisco CSS 11500 Small Cheat Sheet
Good afternoon, dear readers! Unfortunately, there are practically no articles about these wonderful devices on Habr, apparently because of their age, although there are articles on the younger Cisco ACE equipment. Despite being somewhat unpopular, Cisco CSS 11500 Series Content Services Switches are still found on corporate networks, and a first encounter can leave an unprepared administrator slightly bewildered. Ignore the apparent complexity: these boxes are surprisingly easy to configure.
I'll skip the description of the hardware features of this equipment, since it is on the manufacturer's website, and get straight down to business.
The first thing we will do is update the software and set up a comfortable working environment.
Configuring the management interface:
CSS11503# conf t
CSS11503(config)# boot
CSS11503(config-boot)# ip address 192.168.1.2
CSS11503(config-boot)# subnet mask 255.255.255.0
CSS11503(config-boot)# gateway address 192.168.1.1
Set the device name displayed in the console (no more than 16 characters):
CSS11503# prompt megabalanser
megabalanser# save_profile
I draw your attention to the fact that the superuser keyword must be present in the definition of the user account used for administration; otherwise you may need a fascinating acquaintance with the password recovery procedure via the console.
Updating the software:
megabalanser# archive script admin-profile
megabalanser# save_profile
megabalanser(config)# ftp-record ftpname 10.10.10.10 ftpuser "ftppassword"
megabalanser# copy ftp ftpname sg0820601.adi boot-image
megabalanser(config)# boot
megabalanser(config-boot)# unpack sg0820601.adi
megabalanser(config-boot)# primary boot-file sg0820601
megabalanser(config-boot)# reboot
Are you sure you want to reboot the system, [y/n]:y
** Message from [admin] **
System Reboot from:vty1, All sessions will terminate...
**
...
megabalanser# restore admin-profile script
Now we create our configuration. Suppose we have a network 192.168.200.0/24 containing two servers: 192.168.200.100 and 192.168.200.101. The balancer's address in this network is 192.168.200.10. The address of the external (balancing) interface is 192.168.100.10/24. Here and below the examples are taken from the configuration file, without the command-line prompt.
ip route 0.0.0.0 0.0.0.0 192.168.100.1 1
interface 2/1
bridge vlan 10
interface 3/1
bridge vlan 20
circuit VLAN10
description "--- External ---"
ip address 192.168.100.10 255.255.255.0
circuit VLAN20
description "--- Internal ---"
ip address 192.168.200.10 255.255.255.0
Ports can also be configured with an 802.1Q trunk:
interface 2/1
trunk
vlan 10
vlan 20
circuit VLAN10
description "--- External ---"
ip address 192.168.100.10 255.255.255.0
circuit VLAN20
description "--- Internal ---"
ip address 192.168.200.10 255.255.255.0
Let's configure simple balancing between two servers. If you want to be asked for confirmation when creating services, you can enable expert mode. In my case, server availability is checked by sending a GET request to the server; the received response (I return "OK") is analyzed and compared with the reference value. The first step is to describe the services.
service server-1
port 80
ip address 192.168.200.100
keepalive type http
keepalive method get
keepalive uri "/ping.html"
keepalive hash "e0aa021e21dddbd6d8cecec71e9cf564"
active
service server-2
port 80
ip address 192.168.200.101
keepalive type http
keepalive method get
keepalive uri "/ping.html"
keepalive hash "e0aa021e21dddbd6d8cecec71e9cf564"
active
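The two services above use a content-hash keepalive: the CSS fetches /ping.html and compares the MD5 of the reply body with the configured 32-character hash, so a server that answers 200 but with the wrong page (a defaced, stale or maintenance page) is still marked down. The following Python is an added example, not CSS code or part of the original post; it reproduces that decision on constructed HTTP responses and also shows how to produce the `keepalive hash` line for a given body. The requirement of a 2xx status alongside the matching hash is an assumption modelled on the plain HTTP keepalive.

```python
import hashlib

# Reference value copied from the page's "keepalive hash" lines (MD5 of the body "OK").
CONFIGURED_HASH = "e0aa021e21dddbd6d8cecec71e9cf564"


def body_of(raw_response: bytes) -> bytes:
    """Return the entity body of a raw HTTP/1.x response (the part the CSS hashes)."""
    _head, sep, body = raw_response.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("malformed response: no header/body separator")
    return body


def status_of(raw_response: bytes) -> int:
    """Return the numeric status code from the status line."""
    status_line = raw_response.split(b"\r\n", 1)[0]
    return int(status_line.split()[1])


def keepalive_hash(body: bytes) -> str:
    """Lowercase hex MD5, the format the 'keepalive hash' command takes."""
    return hashlib.md5(body).hexdigest()


def keepalive_ok(raw_response: bytes, expected_hash: str = CONFIGURED_HASH) -> bool:
    """Service is 'Alive' only if the status is 2xx AND the body hash matches
    (assumption: the 2xx requirement is taken from the plain HTTP keepalive)."""
    try:
        status = status_of(raw_response)
        body = body_of(raw_response)
    except (ValueError, IndexError):
        return False
    return 200 <= status < 300 and keepalive_hash(body) == expected_hash


def config_line(body: bytes) -> str:
    """Build the service sub-command for a reference page body."""
    return f'keepalive hash "{keepalive_hash(body)}"'


# Constructed sample responses (not captured from a real server).
HEALTHY = b"HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\nContent-Length: 2\r\n\r\nOK"
# Same 200 status, but the body differs by a trailing newline: the hash no longer matches,
# which is also what happens when ping.html is saved with a newline at the end.
TAMPERED = b"HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n\r\nOK\n"
```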
Next we create the owner and the content rule. The concept of an owner exists only for administrative convenience. Pay attention to the balancing method used: most modern applications require that a user, within a session, keeps talking to the same node. 192.168.100.11 will be the content address (VIP) that users connect to.
owner site-1
content site-http
vip address 192.168.100.11
add service server-1
add service server-2
advanced-balance sticky-srcip-dstport
port 80
protocol tcp
active
Since we probably want replies to users to also come from the address 192.168.100.11, we need to create the corresponding group:
group site-http
add destination service server-1
add destination service server-2
vip address 192.168.100.11
active
Let's check what we got:
megabalanser# sh group site-http
Group: site-http - Active (192.168.100.11 Not Redundant)
Session Redundancy: Disabled
Last Clearing of Stats Counters: 01/24/2013 21:44:18
Associated ACLs: NONE
Source Services:
NONE
Destination Services:
DNS
Name:      Hits:  State:  Load:  Trans:  Keepalive:   Conn:
-----      -----  ------  -----  ------  ----------   -----
server-1   0      Alive   2      0       HTTP-80:GET  0
server-2   0      Alive   2      0       HTTP-80:GET  0
Group Service Total Counters:
Hits/Frames/Bytes: 0/0/0
Connections Total/Current: 0/0
FTP Control Total/Current: 0/0
Total No Portmap Errors: 0
Now imagine that your balancer has an SSL module and you want to use it to give users a secure connection to the service. We need to generate a certificate request (or make a self-signed certificate), configure the module and create the groups.
Generate a key:
ssl genrsa rsakeyfiletest 1024 "password"
Associate a name with the key file:
ssl associate rsakey rsa-test-name rsakeyfiletest
Here we can go in two ways - either create a self-signed certificate or generate a Certificate Signing Request (CSR). In the case of CSR, we need to copy the output and provide it to the CA to issue the certificate:
ssl gencsr rsa-test-name
-----BEGIN CERTIFICATE REQUEST-----
...
-----END CERTIFICATE REQUEST-----
Generate a self-signed certificate:
ssl gencert certkey rsa-test-name signkey rsa-test-name certfiletest "password"
Associate a name with the certificate file:
ssl associate cert cert-test-name certfiletest
Alternatively, import the certificate and then associate a name with it. Note that the password must match the password of the key with which the CSR was generated. As you may have noticed, the SSL module also gives us traffic compression. If you have several SSL modules, you can balance between them by adding the line advanced-balance ssl to the content rule (in the example, "content site-https").
copy ssl ftp ftpname import mycert.crt PEM "password"
ssl associate cert mycert-name mycert.crt
I think you will want to keep track of certificate validity, so remember this command:
megabalanser# sh ssl cert-expiration
Certificate Expiration Summary:
Advanced Warning: 30 days
mycert-name 2014-01-24(Y-M-D) TTL: 364
cert-test-name 2014-01-10(Y-M-D) TTL: 350
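Rather than eyeballing that output, a monitoring job can parse it and raise an alert before the "Advanced Warning" window is hit. The Python below is an added example, not part of the original post or of the CSS software: it parses the output shown above (plus one constructed line, short-cert, so that the warning path is exercised), lists the certificates inside the warning window, and recomputes days-to-expiry from the printed date as an independent check of the TTL the switch reports.

```python
import re
from datetime import date

# Output of "sh ssl cert-expiration" as shown on the page; the last line is constructed.
SAMPLE_OUTPUT = """\
Certificate Expiration Summary:
Advanced Warning: 30 days
mycert-name 2014-01-24(Y-M-D) TTL: 364
cert-test-name 2014-01-10(Y-M-D) TTL: 350
short-cert 2013-02-05(Y-M-D) TTL: 12
"""

WARN_RE = re.compile(r"Advanced Warning:\s+(\d+)\s+days")
CERT_RE = re.compile(r"^(\S+)\s+(\d{4}-\d{2}-\d{2})\(Y-M-D\)\s+TTL:\s+(-?\d+)\s*$")


def parse_cert_expiration(text: str):
    """Return (warning_days, [(name, expiry_date, ttl_days), ...])."""
    warning_days = None
    certs = []
    for line in text.splitlines():
        line = line.strip()
        m = WARN_RE.search(line)
        if m:
            warning_days = int(m.group(1))
            continue
        m = CERT_RE.match(line)
        if m:
            name, ymd, ttl = m.group(1), m.group(2), int(m.group(3))
            certs.append((name, date.fromisoformat(ymd), ttl))
    if warning_days is None:
        raise ValueError("no 'Advanced Warning' line found in output")
    return warning_days, certs


def expiring_soon(text: str):
    """Names of certificates whose TTL is inside the switch's advanced-warning window."""
    warning_days, certs = parse_cert_expiration(text)
    return [name for name, _, ttl in certs if ttl <= warning_days]


def days_until_expiry(text: str, today_iso: str):
    """Map name -> days from today_iso to the printed expiry date (date arithmetic,
    independent of the TTL column; a large gap suggests the switch clock is off)."""
    today = date.fromisoformat(today_iso)
    _, certs = parse_cert_expiration(text)
    return {name: (expiry - today).days for name, expiry, _ in certs}
```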
With the certificates sorted out, we now set up the logic. Note that this part complements, but does not replace, the service and group configuration described above.
ssl-proxy-list my-ssl
ssl-server 10
ssl-server 10 rsacert mycert-name
ssl-server 10 rsakey rsa-test-name
ssl-server 10 cipher rsa-with-rc4-128-md5 192.168.100.11 80
ssl-server 10 vip address 192.168.100.11
service ssl_module
type ssl-accel
keepalive type none
compress encode force-gzip
slot 3
compress accept-omit gzip
compress type default
add ssl-proxy-list my-ssl
active
content site-https
vip address 192.168.100.11
add service ssl_module
port 443
protocol tcp
application ssl
active
Note that the balancer is rather free with the order of lines inside a service. If you like everything neat and tidy, it is better to delete the whole service and recreate it than to delete old lines and insert new ones.
References:
Cisco CSS 11500 Series Content Services Switches Configuration Guides
PS Considering what this hardware costs on eBay, I think it is a good option for load balancing, despite some obsolescence. Most of these balancers are quite heavy (which can be a problem for puny engineers) and can take several power supplies and I/O modules, which speaks somewhat in favour of their reliability.