topic Re: Introduction of SSLM into a MSFC-FWSM-CSM Bridge Mode Config in Application Networking

Introduction of SSLM into a MSFC-FWSM-CSM Bridge Mode Configuration

zeremy — Sat, 21 Jan 2006 09:31:54 GMT

Hi,

Need serious help here..

I'm facing a challenging situation here.

Customer just purchased a pair of SSLM module for their web server HTTPS termination.

Here's the situation.

Currently customer already have a pair of Catalyst 6509 running with MSFC->FWSM<->CSM Bridge Configuration (i.e. client and server vlan on the same subnet).

I've been assigned the task to deploy SSLSM module seaminglessly onto this existing setup without any other major configuration changes required on their systems by this week.

My question is currently they doing bridge configuration between FWSM - CSM. How do I transparently deploy SSLM in this situation ? without changing any i.p. addresses which will break their server-to-server communications.

I read and understand CSM-SSLM bridge configuration but that requires changing their i.p. addressing scheme? hopefully somebody shed some light on this...

Re: Introduction of SSLM into a MSFC-FWSM-CSM Bridge Mode Config

zeremy — Sat, 21 Jan 2006 09:40:05 GMT

I've attached a logical diagram of the existing setup as well as the SSLM placement (where i think it fits in).

I've also came up with a draft configuration below, i don't really understand NAT client and NAT server applications:

module ContentSwitchingModule 7

ft group 1 vlan 201

priority 110 alt 100

heartbeat-time 1

failover 3

preempt

vlan 6 client

ip address 192.168.20.4 255.255.255.0 alt 192.168.20.5 255.255.255.0

gateway 192.168.20.1

alias 192.168.20.6 255.255.255.0

vlan 60 server

ip address 192.168.20.4 255.255.255.0 alt 192.168.20.5 255.255.255.0

vlan 7 client

ip address 192.168.10.4 255.255.255.0 alt 192.168.10.5 255.255.255.0

alias 192.168.10.6 255.255.255.0

vlan 70 server

ip address 192.168.10.4 255.255.255.0 alt 192.168.10.5 255.255.255.0

vlan 40 server

ip address 192.168.60.4 255.255.255.0 alt 192.168.60.5 255.255.255.0

alias 192.168.60.6 255.255.255.0

probe ICMP icmp

interval 3

failed 5

probe HTTPWEB http

interval 3

failed 5

probe HTTPSWEB tcp

interval 3

failed 5

port 445

probe TCP tcp

interval 2

failed 3

serverfarm MOCINT-VIP1

nat server

no nat client

predictor leastconns

real 192.168.20.71

inservice

real 192.168.20.72

inservice

probe ICMP

probe HTTPWEB

serverfarm MOCWEB-VIP1

nat server

no nat client

predictor leastconns

real 192.168.10.65

inservice

real 192.168.10.66

inservice

probe ICMP

probe HTTPWEB

serverfarm SSL-MOCINT

nat server

no nat client

real 192.168.60.11 445

inservice

real 192.168.60.12 445

inservice

probe TCP

serverfarm SSL-MOCWEB

nat server

no nat client

real 192.168.60.21 445

inservice

real 192.168.60.22 445

inservice

probe TCP

sticky 10 netmask 255.255.255.255 timeout 20

sticky 20 cookie cookie-server timeout 30

vserver DECRYPT-MOCINT

virtual 192.168.60.10 tcp 445

vlan 40

serverfarm MOCINT-VIP1

replicate csrp sticky

persistent rebalance

parse-length 4000

inservice

vserver DECRYPT-MOCWEB

virtual 192.168.60.20 tcp 445

vlan 40

serverfarm MOCWEB-VIP1

replicate csrp sticky

persistent rebalance

parse-length 4000

inservice

vserver HTTP-MOCINT

virtual 192.168.20.70 tcp www

vlan 6

serverfarm MOCINT-VIP1

advertise active

sticky 20 group 10

replicate csrp sticky

persistent rebalance

parse-length 4000

inservice

vserver HTTP-MOCWEB

virtual 192.168.10.60 tcp www

vlan 7

serverfarm MOCWEB-VIP1

advertise active

sticky 30 group 20

replicate csrp sticky

persistent rebalance

parse-length 4000

inservice

vserver HTTPS-MOCINT

virtual 192.168.20.70 tcp https

vlan 6

serverfarm SSL-MOCINT

persistent rebalance

inservice

vserver HTTPS-MOCWEB

virtual 192.168.10.60 tcp https

vlan 7

serverfarm SSL-MOCWEB

persistent rebalance

inservice

Re: Introduction of SSLM into a MSFC-FWSM-CSM Bridge Mode Config

Gilles Dufour — Mon, 23 Jan 2006 13:37:52 GMT

There is a sample config for sslm and csm in bridge mode.

http://www.cisco.com/en/US/products/hw/modules/ps2706/products_configuration_example09186a00802c1201.shtml

The firewall module should simply be placed in the upper vlan [vlan 50] in the example.

I wrote the document so I hope you will find it useful.

Regards,

Gilles.

Thanks for rating this answer.

Re: Introduction of SSLM into a MSFC-FWSM-CSM Bridge Mode Config

zeremy — Thu, 26 Jan 2006 02:51:16 GMT

Thank you for the url, I find it very useful.

I'll study it and test it out in our labs, thanks again

Re: Introduction of SSLM into a MSFC-FWSM-CSM Bridge Mode Config

vramanaiah — Mon, 13 Feb 2006 19:18:51 GMT

Hi, Did you get a chance to test the above config.. Could you please post the working configs for both the CSM and the SSL Module..

Btw, I have this very basic question... I am trying to design a similar setup with CSM in bridged mode for multiple segments (I mean multiple Server/Client pairs), just the same way zeremy has in his network. I see that zeremy has used Vlan40 for the SSL segment. My question is whether this VLan40 SSL segment can serve both the Internet as well as the Intranet server farms (See Zeremy's diag)? My assumption was that i will need one proxy-ssl vlan for each of the server/client pair that i am trying to load balance. Isnt this true..? Please advise..

Re: Introduction of SSLM into a MSFC-FWSM-CSM Bridge Mode Config

Gilles Dufour — Tue, 14 Feb 2006 08:12:13 GMT

you only need 1 proxy-vlan to go from csm to ssl.

The SSLM is not aware of how many vlans you have on the CSM. One proxy-vlan can server all internal and external traffic.

The CSM is the device that will do the routing.

Gilles.

Re: Introduction of SSLM into a MSFC-FWSM-CSM Bridge Mode Config

zeremy — Tue, 14 Feb 2006 08:54:09 GMT

Hi, attached is the working config. I've tested so far no problems..I just need to tweak the stickiness configuration,. Comments anyone?

I've only used Vlan40 (SSL segment) to serve both my internet and intranet server farms.

Re: Introduction of SSLM into a MSFC-FWSM-CSM Bridge Mode Config

vramanaiah — Wed, 15 Feb 2006 10:04:53 GMT

Thank you both for your prompt replies..

Just a follow up question on SSL redundancy.. I have got two CSM-S modules on 2 diff 6K chassis. I assume, we can configure the CSMs only in Active/Standby mode. However, is it possible to make the SSL daughter boards to load share in Active-Active mode. I know if these were SSL modules instead of daughter boards, we can load share the SSL Modules. However, in my case, both the SSL are part of CSM. So, i will have to configure the local keyword while defining the REAL-SSL-offloaders. When the CSMs switchover, the local keyword will result in conflict. Hope i made my question clear..