
A short cheat sheet for the Cisco CSS 11500

Good afternoon, dear readers! Unfortunately, there are almost no mentions of these fine devices on Habr, apparently because of their age, although there are articles about the newer Cisco ACE equipment. Despite their relative obscurity, Cisco CSS 11500 Series Content Services Switches are still found in corporate networks, and a first encounter can leave an unprepared administrator somewhat confused. Do not be put off by the apparent complexity: these boxes are surprisingly easy to configure.

I will skip the description of the hardware features of this equipment, since it is available on the manufacturer's website, and get straight down to business.
The first things to do are to update the software and set up a comfortable working environment.

Management interface setup:

  CSS11503# conf t
  CSS11503(config)# boot
  CSS11503(config-boot)# ip address 192.168.1.2
  CSS11503(config-boot)# subnet mask 255.255.255.0
  CSS11503(config-boot)# gateway address 192.168.1.1

Set the device name shown in the console prompt (no more than 16 characters):

  CSS11503# prompt megabalanser
  megabalanser# save_profile


Note that the configuration line of the user account used for administration must contain the keyword superuser; otherwise you may have to become acquainted with the password recovery procedure over the console.

Update the software:

  megabalanser# archive script admin-profile
  megabalanser# save_profile
  megabalanser(config)# ftp-record ftpname 10.10.10.10 ftpuser "ftppassword"
  megabalanser# copy ftp ftpname sg0820601.adi boot-image
  megabalanser(config)# boot
  megabalanser(config-boot)# unpack sg0820601.adi
  megabalanser(config-boot)# primary boot-file sg0820601
  megabalanser(config-boot)# reboot
  Are you sure you want to reboot the system, [y/n]:y
  ** Message from [admin] ** System Reboot from:vty1, All sessions will terminate...
  ** ...
  megabalanser# restore admin-profile script


Now we create our configuration. Suppose we have the network 192.168.200.0/24 containing two servers, 192.168.200.100 and 192.168.200.101. The balancer's address in this network is 192.168.200.10, and the balancer's external interface address is 192.168.100.10/24. Here and below the examples are taken from the configuration file, without the command-line prompt.

  ip route 0.0.0.0 0.0.0.0 192.168.100.1 1

  interface 2/1
    bridge vlan 10

  interface 3/1
    bridge vlan 20

  circuit VLAN10
    description "--- External ---"
    ip address 192.168.100.10 255.255.255.0

  circuit VLAN20
    description "--- Internal ---"
    ip address 192.168.200.10 255.255.255.0


Ports can also be configured as 802.1Q trunks:

  interface 2/1
    trunk
    vlan 10
    vlan 20

  circuit VLAN10
    description "--- External ---"
    ip address 192.168.100.10 255.255.255.0

  circuit VLAN20
    description "--- Internal ---"
    ip address 192.168.200.10 255.255.255.0


Let's configure simple balancing between the two servers. To avoid being asked for confirmation when creating services, you can enable expert mode. In my case the server availability check sends a GET request to the server; the response received (my page returns OK) is hashed and compared with the reference value. The first step is to describe the services.

  service server-1
    port 80
    ip address 192.168.200.100
    keepalive type http
    keepalive method get
    keepalive uri "/ping.html"
    keepalive hash "e0aa021e21dddbd6d8cecec71e9cf564"
    active

  service server-2
    port 80
    ip address 192.168.200.101
    keepalive type http
    keepalive method get
    keepalive uri "/ping.html"
    keepalive hash "e0aa021e21dddbd6d8cecec71e9cf564"
    active
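The value after keepalive hash is the reference the balancer compares the health page against, which is why this check catches a server that still answers 200 with an error page, something a plain status-code probe would miss. The following Python script is an added example (not from the original post or from Cisco) that computes that reference for a given page body and emulates the comparison. It assumes, as labelled in the comments, that the CSS hashes the body of the page fetched from keepalive uri with MD5; the page bodies are constructed sample data, so nothing is fetched from the network.

```python
"""Compute and check the `keepalive hash` value of a CSS 11500 HTTP keepalive.

Added example, not from the original post.  Assumption: the CSS computes an
MD5 digest over the body of the page fetched from `keepalive uri` and marks
the service Dead when the digest differs from the configured `keepalive hash`.
"""
import hashlib

# Constructed sample bodies: what a healthy /ping.html returns, and what a
# broken server that still replies with HTTP 200 might return instead.
HEALTHY_BODY = b"OK"
ERROR_BODY = b"<html><body>Service Unavailable</body></html>"


def keepalive_hash(body: bytes) -> str:
    """Lowercase hex MD5 of the page body: the format `keepalive hash` expects."""
    return hashlib.md5(body).hexdigest()


def keepalive_passes(body: bytes, configured_hash: str) -> bool:
    """Emulate the balancer's comparison: the service stays Alive only on a match."""
    return keepalive_hash(body) == configured_hash.strip().lower()


def service_config(name: str, ip: str, uri: str, body: bytes) -> str:
    """Render a CSS `service` block whose hash matches the expected page body."""
    return "\n".join([
        f"service {name}",
        "  port 80",
        f"  ip address {ip}",
        "  keepalive type http",
        "  keepalive method get",
        f'  keepalive uri "{uri}"',
        f'  keepalive hash "{keepalive_hash(body)}"',
        "  active",
    ])


if __name__ == "__main__":
    reference = keepalive_hash(HEALTHY_BODY)
    print(service_config("server-1", "192.168.200.100", "/ping.html", HEALTHY_BODY))
    print("healthy body passes:", keepalive_passes(HEALTHY_BODY, reference))
    print("error page passes:  ", keepalive_passes(ERROR_BODY, reference))
```

Run it against the real content of your own /ping.html (for example the bytes saved with curl) to obtain the hash to paste into the service; if the page is ever changed, the hash must be updated at the same time or every server will be marked Dead.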


We create the owner and the content. The concept of an "owner" exists only for ease of administration. Pay attention to the balancing method used: most modern applications require that a user keep talking to the same node for the duration of a session. 192.168.100.11 will be the address of the content that users connect to.

  owner site-1
    content site-http
      vip address 192.168.100.11
      add service server-1
      add service server-2
      advanced-balance sticky-srcip-dstport
      port 80
      protocol tcp
      active


Since we almost certainly want replies to users to come from the address 192.168.100.11 as well, we need to create the corresponding group:

  group site-http
    add destination service server-1
    add destination service server-2
    vip address 192.168.100.11
    active


Let's check what we have:

  megabalanser# sh group site-http

  Group: site-http - Active (192.168.100.11 Not Redundant)
  Session Redundancy: Disabled
  Last Clearing of Stats Counters: 01/24/2013 21:44:18
  Associated ACLs: NONE
  Source Services: NONE
  Destination Services: DNS
  Name:      Hits:  State:  Load:  Trans:  Keepalive:   Conn:
  -----      -----  ------  -----  ------  ----------   -----
  server-1   0      Alive   2      0       HTTP-80:GET  0
  server-2   0      Alive   2      0       HTTP-80:GET  0

  Group Service Total Counters:
  Hits/Frames/Bytes: 0/0/0
  Connections Total/Current: 0/0
  FTP Control Total/Current: 0/0
  Total No Portmap Errors: 0


Now suppose your balancer has an SSL module and you want to use it to give users a secure connection to the service. We need to create a certificate request (or make a self-signed certificate), configure the module and create the groups.

Generate the key:

  ssl genrsa rsakeyfiletest 1024 "password"


Associate the key file with a name:

  ssl associate rsakey rsa-test-name rsakeyfiletest


Here we can go one of two ways: either create a self-signed certificate or generate a Certificate Signing Request (CSR). In the case of a CSR, we need to copy the output and hand it to the CA, which issues the certificate:

  ssl gencsr rsa-test-name
  -----BEGIN CERTIFICATE REQUEST-----
  MIIB0DCCATkCAQAwgY8xCzAJBgNVBAYTAlJVMQ8wDQYDVQQIEwZNb3Njb3cxDzAN
  BgNVBAcTBk1vc2NvdzEcMBoGA1UEChQTUm9zc2dvc3N0YWtoIExyf3RkLjEQMA4G
  A1UECxQHVGVsY28gfzERMA8GA1UEAxQIKi5yZ3MucnUxGzAZBgkqhkiG9w0BCQEW
  DHRlbGNvQHJncy5ydTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAxZTYAx/o
  VA4KzpX7pq4013egDFC1BfVDRzWJJhno7k5K4ydPrmVZhECKormSebSGBL00cFKs
  M8ve7WGW370YxaIKbKZBFF88Dz+PbtphpcneN1DWakmz7H063tiUl4zb2cv09cMn
  XTKIgL6z5RyVyqjMtC5ba5XWVGdeD25N6OkCAwEAAaAAMA0GCSqGSIb3DQEBBAUA
  A4GBABRNbvf4a3SC8RZdSoaOjwuRvqs5rgO3z+CPlgqER7xQZx/FVOHu6y9fv6bZ
  hiq0bP1meRmMDmb2aXbk2RysVeKRIY6c6fYrhuddT8gd4E0BkIVF299D4m2nqLyQ
  SK0X9VaLIVD59oX2BYNBXpFiXNdv1nmwZL4uNP6I4D5dXgVo
  -----END CERTIFICATE REQUEST-----

Generate a self-signed certificate:

  ssl gencert certkey rsa-test-name signkey rsa-test-name certfiletest "password"


Associate the certificate file with a name:

  ssl associate cert cert-test-name certfiletest


Or import the certificate and then associate it with a name. Note that the password must match the password of the key with which the CSR was generated. As you can see, using the SSL module also gives us traffic compression. If you have several SSL modules, you can balance between them by adding the line advanced-balance ssl to the content description (in the example, "content site-https").

  copy ssl ftp ftpname import mycert.crt PEM "password"
  ssl associate cert mycert-name mycert.crt


You will probably want to keep track of certificate validity, so remember the command:

  megabalanser# sh ssl cert-expiration

  Certificate Expiration Summary:
  Advanced Warning: 30 days

  mycert-name      2014-01-24(YMD)  TTL: 364
  cert-test-name   2014-01-10(YMD)  TTL: 350
  <No CRL records are configured>
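Checking this output by eye once is easy; what a practitioner wants is to feed it into monitoring so that an expiring certificate is flagged before the advanced-warning window elapses. The script below is an added example (not from the original post or from Cisco) that parses the sh ssl cert-expiration listing above, embedded here as constructed sample input, and returns the names of certificates whose TTL is inside the warning window; the window defaults to the "Advanced Warning" value found in the output but can be overridden.

```python
"""Parse CSS `sh ssl cert-expiration` output and flag certificates nearing expiry.

Added example, not from the original post.  SAMPLE_OUTPUT reproduces the
listing shown in the post as constructed input; line layout is assumed to be
"<name> <YYYY-MM-DD>(YMD) TTL: <days>" as in that listing.
"""
import re

SAMPLE_OUTPUT = """\
Certificate Expiration Summary:
Advanced Warning: 30 days
mycert-name 2014-01-24(YMD) TTL: 364
cert-test-name 2014-01-10(YMD) TTL: 350
<No CRL records are configured>
"""

# One certificate line; TTL may be negative once a certificate has expired.
CERT_LINE = re.compile(r"^(\S+)\s+(\d{4}-\d{2}-\d{2})\(YMD\)\s+TTL:\s+(-?\d+)\s*$")
WARN_LINE = re.compile(r"^Advanced Warning:\s+(\d+)\s+days")


def parse_cert_expiration(text):
    """Return (warning_days, [(name, expiry_date, ttl_days), ...]).

    warning_days is None if the output carries no 'Advanced Warning' line.
    Lines that match neither pattern (headers, the CRL note) are ignored.
    """
    warning_days = None
    certs = []
    for raw in text.splitlines():
        line = raw.strip()
        m = WARN_LINE.match(line)
        if m:
            warning_days = int(m.group(1))
            continue
        m = CERT_LINE.match(line)
        if m:
            certs.append((m.group(1), m.group(2), int(m.group(3))))
    return warning_days, certs


def expiring_certs(text, warning_days=None):
    """Names of certificates whose TTL is within the warning window or already negative."""
    parsed_warning, certs = parse_cert_expiration(text)
    window = warning_days if warning_days is not None else parsed_warning
    if window is None:
        raise ValueError("no warning window in output and none supplied")
    return [name for name, _, ttl in certs if ttl <= window]


if __name__ == "__main__":
    warn, certs = parse_cert_expiration(SAMPLE_OUTPUT)
    print(f"warning window: {warn} days")
    for name, expiry, ttl in certs:
        print(f"{name:16} expires {expiry}  TTL {ttl:4d} days")
    print("within window now:", expiring_certs(SAMPLE_OUTPUT) or "none")
    print("within a 360-day window:", expiring_certs(SAMPLE_OUTPUT, warning_days=360))
```

In practice the output would be captured from the balancer (for example over an SSH session driven by a cron job) and a non-empty result from expiring_certs turned into an alert; a negative TTL is treated the same way, so an already-expired certificate is never silently dropped from the report.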


With the certificates taken care of, we now set up the logic. Note that this part complements, rather than replaces, the services and groups configured above.

  ssl-proxy-list my-ssl
    ssl-server 10
    ssl-server 10 rsacert mycert-name
    ssl-server 10 rsakey rsa-test-name
    ssl-server 10 cipher rsa-with-rc4-128-md5 192.168.100.11 80
    ssl-server 10 vip address 192.168.100.11
    active

  service ssl_module
    type ssl-accel
    keepalive type none
    compress encode force-gzip
    slot 3
    compress accept-omit gzip
    compress type default
    add ssl-proxy-list my-ssl
    active

  content site-https
    vip address 192.168.100.11
    add service ssl_module
    port 443
    protocol tcp
    application ssl
    active


Note that the balancer is rather free with the ordering of lines within a service. If you like everything neat and tidy, it is better to delete the whole service and create it again than to delete old lines and insert new ones.

References:

Cisco CSS 11500 Series Content Services Switches Configuration Guides

PS Considering how much of this kit is on eBay, I think it is a good option for setting up load balancing, despite being somewhat dated. Most of the balancers are quite heavy (a problem for frail engineers), and they support multiple power supplies and I/O modules, which adds to the reliability of these devices.

Source: https://habr.com/ru/post/167037/
