Cisco CSS 11500 Small Cheat Sheet

    Good afternoon, dear readers! Unfortunately, there are practically no references to these wonderful devices on Habr, apparently because of their age, although there are articles on the younger Cisco ACE equipment. Despite their relative unpopularity, Cisco CSS 11500 Series Content Services Switches are still found on corporate networks, and a first encounter can leave an unprepared administrator slightly bewildered. Ignore the apparent complexity: these boxes are surprisingly easy to configure.

    I will skip the description of this equipment's hardware features, since it is available on the manufacturer's website, and get straight down to business.
    The first thing we will start with is updating the software and creating a comfortable working mode.

    Configuring the control interface:

     CSS11503# conf t
     CSS11503(config)# boot
     CSS11503(config-boot)# ip address
     CSS11503(config-boot)# subnet mask
     CSS11503(config-boot)# gateway address

    Set the device name displayed in the console (no more than 16 characters):

     CSS11503# prompt megabalanser
     megabalanser# save_profile

    Note that the superuser keyword must be present in the definition line of the user account used for administration; otherwise you may be in for a fascinating acquaintance with the password recovery procedure over the console.

    Update software:

     megabalanser# archive script admin-profile
     megabalanser# save_profile
     megabalanser(config)# ftp-record ftpname ftpuser "ftppassword"
     megabalanser# copy ftp ftpname sg0820601.adi boot-image
     megabalanser(config)# boot
     megabalanser(config-boot)# unpack sg0820601.adi
     megabalanser(config-boot)# primary boot-file sg0820601
     megabalanser(config-boot)# reboot
     Are you sure you want to reboot the system, [y/n]:y
     ** Message from [admin] **
     System Reboot from:vty1, All sessions will terminate...
     megabalanser# restore admin-profile script

    Now we create our own configuration. Suppose we have a network containing two servers: and The balancer's address in this network is The address of the external balancing interface is Here and below are excerpts from the configuration file, shown without the command-line prompt.

     ip route 1
     interface 2/1
        bridge vlan 10
     interface 3/1
        bridge vlan 20
     circuit VLAN10
        description "--- External ---"
        ip address
     circuit VLAN20
        description "--- Internal ---"
        ip address

    Ports can also be configured with an 802.1Q trunk:

     interface 2/1
        vlan 10
        vlan 20
     circuit VLAN10
        description "--- External ---"
        ip address
     circuit VLAN20
        description "--- Internal ---"
        ip address

    Let's configure simple balancing between two servers. Whether you are asked to confirm the creation of services is controlled by expert mode. In my case, server availability is checked by sending a GET request to the server; the response received (I send "OK") is hashed and compared with the reference value. The first step is to describe the services.

    service server-1
       port 80
       ip address
       keepalive type http
       keepalive method get
       keepalive uri "/ping.html"
       keepalive hash "e0aa021e21dddbd6d8cecec71e9cf564"
    service server-2
       port 80
       ip address
       keepalive type http
       keepalive method get
       keepalive uri "/ping.html"
       keepalive hash "e0aa021e21dddbd6d8cecec71e9cf564"

    We create the owner ("owner") and the content. The concept of an owner exists only for administrative convenience. Pay attention to the balancing method used: most modern applications require that a user, within one session, keep talking to the same node. The address given as the vip is the content address that users connect to.

    owner site-1
      content site-http
         vip address
         add service server-1
         add service server-2
         advanced-balance sticky-srcip-dstport
         port 80
         protocol tcp
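    To make the two mechanisms configured above concrete, the keepalive with a reference hash and the sticky-srcip-dstport choice of back-end, here is a small model in Python. It is an added example written for this cheat sheet, not Cisco's code and not code from the original article. It assumes that the CSS computes the MD5 of the returned page and compares it with the configured keepalive hash, and it uses a CRC32 over the (source IP, destination port) pair as a stand-in for the switch's own sticky hashing; the probe results and the client address are constructed for the example.

```python
"""Added example, written for this cheat sheet and not code from Cisco or from
the original article: a small model of the two mechanisms configured above,
the HTTP keepalive with a reference hash and the sticky-srcip-dstport
choice of back-end service.

Assumption, stated plainly: the CSS computes the MD5 of the returned page and
compares it with the configured 'keepalive hash'. This model treats a service
as Alive only when the probe returns HTTP 200 and the body hash matches.
The sticky hash (CRC32) is this model's choice, not the switch's algorithm.
The probe results and client address below are constructed for the example.
"""
import hashlib
import zlib
from typing import Dict, Optional, Tuple

# Hash from the article's service configuration: MD5 of the body "OK".
CONFIGURED_HASH = "e0aa021e21dddbd6d8cecec71e9cf564"

# Constructed probe results: (HTTP status, body) for each service.
PROBE_RESULTS: Dict[str, Tuple[int, bytes]] = {
    "server-1": (200, b"OK"),
    "server-2": (200, b"<html>maintenance</html>"),  # 200, but not the page we expect
}


def keepalive_hash(body: bytes) -> str:
    """Hex MD5 of a probe response body, the form 'keepalive hash' expects."""
    return hashlib.md5(body).hexdigest()


def evaluate_keepalive(status: int, body: bytes, reference: str) -> str:
    """Return 'Alive' or 'Dying' for one probe result.

    A 200 with the wrong body (a maintenance page that still answers 200,
    a captive portal, a default vhost) counts as a failure: that is the
    reason for hashing the body instead of trusting the status code alone.
    """
    if status != 200:
        return "Dying"
    if keepalive_hash(body) != reference:
        return "Dying"
    return "Alive"


def service_states(probes=PROBE_RESULTS, reference=CONFIGURED_HASH) -> Dict[str, str]:
    """Evaluate every service, as 'sh group' would list them under State."""
    return {name: evaluate_keepalive(status, body, reference)
            for name, (status, body) in probes.items()}


def sticky_pick(states: Dict[str, str], src_ip: str, dst_port: int) -> Optional[str]:
    """Pick a back-end the way a sticky source-IP/destination-port policy does.

    Only Alive services are candidates. The (src_ip, dst_port) pair is hashed
    so the same client keeps landing on the same server while that server
    stays alive; when it dies, the client moves to another alive server
    (and loses its server-side session, which is the trade-off to plan for).
    Returns None when nothing is alive, i.e. the content itself is down.
    """
    alive = sorted(name for name, state in states.items() if state == "Alive")
    if not alive:
        return None
    key = f"{src_ip}:{dst_port}".encode()
    return alive[zlib.crc32(key) % len(alive)]


if __name__ == "__main__":
    states = service_states()
    print(states)
    print("client 198.51.100.7 ->", sticky_pick(states, "198.51.100.7", 80))
```

    The point of hashing the body rather than checking the status code alone is visible in the constructed server-2 probe: it answers 200 with a maintenance page and is still marked Dying, so it is taken out of rotation before users notice.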

    Since we probably want replies to users to come back from the same address, we need to create the corresponding group:

    group site-http
       add destination service server-1
       add destination service server-2
       vip address

    Let's check what we got:

     megabalanser# sh group site-http
    Group: site-http - Active ( Not Redundant)
       Session Redundancy: Disabled
      Last Clearing of Stats Counters: 01/24/2013 21:44:18
    Associated ACLs: NONE
       Source Services:
      Destination Services:
       Name:       Hits:   State:    Load:    Trans:       Keepalive:     Conn:
       -----       -----   ------    -----     ------       ----------     -----
                     0      Alive     2           0        HTTP-80:GET 0
                     0      Alive     2           0        HTTP-80:GET 0
      Group Service Total Counters:
         Hits/Frames/Bytes: 0/0/0
         Connections Total/Current: 0/0
         FTP Control Total/Current: 0/0
         Total No Portmap Errors: 0

    Now imagine that your balancer has an SSL module, and you want to use it to organize a secure connection of users to the service. We need to form a certificate request (or make a self-signed one), configure the module and create groups.

    Generate a key:

    ssl genrsa rsakeyfiletest 1024 "password"

    Bind the key to the file:

    ssl associate rsakey rsa-test-name rsakeyfiletest

    Here we can go in two ways - either create a self-signed certificate or generate a Certificate Signing Request (CSR). In the case of CSR, we need to copy the output and provide it to the CA to issue the certificate:

     ssl gencsr rsa-test-name

    Generate a self-signed certificate:

    ssl gencert certkey rsa-test-name signkey rsa-test-name certfiletest "password"

    Bind the certificate to the file:

     ssl associate cert cert-test-name certfiletest

    Alternatively, import a certificate (for example, one issued by the CA for the CSR) and then associate it with a name. Note that the password must match the password of the key with which the CSR was generated. As you may have noticed, using the SSL module also gives us traffic compression. If you have several SSL modules, you can balance between them by adding the line advanced-balance ssl to the content description (in the example, "content site-https").

     copy ssl ftp ftpname import mycert.crt PEM "password"
     ssl associate cert mycert-name mycert.crt

    You will probably want to keep track of certificate validity, so remember this command:

    megabalanser# sh ssl cert-expiration
    Certificate Expiration Summary:
      Advanced Warning:    30 days
    mycert-name                           2014-01-24(Y-M-D)  TTL:  364
    cert-test-name                         2014-01-10(Y-M-D)  TTL:  350
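    Checking that output by eye does not scale, so here is an added example (not from the article, not a Cisco tool) that parses the text of sh ssl cert-expiration and lists the certificates whose TTL has fallen inside the Advanced Warning window. The sample output is constructed from the article's two certificate lines plus a third, made-up line (old-cert-example) so that a near-expiry case is visible; in practice the text would be captured from the switch over the management session.

```python
"""Added example, not from the article and not a Cisco tool: parse the output
of 'sh ssl cert-expiration' and flag certificates inside the advanced-warning
window, so the check can run from a monitoring host instead of by eye.

The sample below is constructed: the first two certificate lines are the
article's, the third ('old-cert-example', TTL 12) is made up for the example.
"""
import re
from typing import Dict, List, Tuple

SAMPLE_OUTPUT = """Certificate Expiration Summary:
  Advanced Warning:    30 days
mycert-name                           2014-01-24(Y-M-D)  TTL:  364
cert-test-name                         2014-01-10(Y-M-D)  TTL:  350
old-cert-example                       2013-02-05(Y-M-D)  TTL:  12
"""

WARNING_RE = re.compile(r"Advanced Warning:\s+(\d+)\s+days")
# One certificate line: name, expiry date in Y-M-D, remaining days (may be negative once expired).
CERT_RE = re.compile(r"^(\S+)\s+(\d{4}-\d{2}-\d{2})\(Y-M-D\)\s+TTL:\s+(-?\d+)", re.MULTILINE)


def parse_cert_expiration(text: str) -> Tuple[int, List[Dict]]:
    """Return (warning window in days, list of certificate records).

    Falls back to a 30-day window if the header line is missing, which is the
    switch's default shown in the article's output.
    """
    warn_match = WARNING_RE.search(text)
    warning_days = int(warn_match.group(1)) if warn_match else 30
    certs = [
        {"name": name, "expires": date, "ttl_days": int(ttl)}
        for name, date, ttl in CERT_RE.findall(text)
    ]
    return warning_days, certs


def expiring_certs(text: str, extra_margin: int = 0) -> List[str]:
    """Names of certificates with TTL at or below the warning window.

    extra_margin lets a monitoring job warn earlier than the switch itself
    would, e.g. to leave time for a CA to issue a replacement.
    """
    warning_days, certs = parse_cert_expiration(text)
    threshold = warning_days + extra_margin
    return [c["name"] for c in certs if c["ttl_days"] <= threshold]


if __name__ == "__main__":
    window, records = parse_cert_expiration(SAMPLE_OUTPUT)
    print(f"warning window: {window} days, {len(records)} certificates")
    for name in expiring_certs(SAMPLE_OUTPUT):
        print("renew soon:", name)
```

    Feed it the captured command output and alert on a non-empty result; a negative TTL (already expired) is caught by the same comparison.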

    With the certificates sorted out, we now set up the logic. Note that this part complements, but does not replace, the configuration of services and groups described above. The cipher line below shows the suite used in this setup (rsa-with-rc4-128-md5); RC4 and MD5-based suites are obsolete by today's standards, so pick the strongest suite the platform supports.

    ssl-proxy-list my-ssl
       ssl-server 10
       ssl-server 10 rsacert mycert-name
       ssl-server 10 rsakey rsa-test-name
       ssl-server 10 cipher rsa-with-rc4-128-md5 80
       ssl-server 10 vip address
    service ssl_module
       type ssl-accel
       keepalive type none
       compress encode force-gzip
       slot 3
       compress accept-omit gzip
       compress type default
       add ssl-proxy-list my-ssl
      content site-https
       vip address
       add service ssl_module
       port 443
       protocol tcp
       application ssl

    Note that the balancer takes liberties with the order of lines inside a service. If you like everything neat and aligned, it is better to delete the whole service and recreate it than to delete old lines and insert new ones.


    Cisco CSS 11500 Series Content Services Switches Configuration Guides

    PS Considering what this hardware goes for on eBay, I think it is a good option for balancing resources, despite being somewhat dated. Most of these balancers are quite heavy (a problem for slightly built engineers), and they can take several power supplies and I/O modules, which speaks in favour of their reliability.
