Cisco CSS HTTP Redirects

kevin-shaw · ‎07-20-2011

All,

I have a number of web sites that are currently being load balanced by CSS 11503s runninng 8x code. I was recently requested to configure HTTP --> HTTPS redirects on the CSS for every site. In the past, I have only configured the redirects for sites that had a requirement. Now it appears that the server teams want all content encrypted.

1) What impact will this have on the CPU?

2) What impact will this have on Memory utilization?

3) Is there a maximum nubmer on redirects?

4) Are there other things I should be concerned about?

Thanks!

pablo.nxh · ‎07-22-2011

Hi Kevin,

It depends on the number of sites that you're currently load balancing. For example if you're currently doing load balance for say 20+ sites and most of them have L5 "inspection" then you'll be moving all that config to a single layer 5 content rule per VIP with a wildcard URL "/*" so you actually will end up saving resources along with configuration lines.

I don't see the hard numbers for how many redirects you can configure I think that's because there are two ways of configuring HTTP redirection but I do know it goes hand-to-hand with the HW module 11501/11503/11506, the

available RAM (256/512) and most importantly the number of configuration lines which should not exceed 8K per design.

HTH

__ __

Pablo

kevin-shaw · ‎07-25-2011

I took a look at a few of the larger configs and they are typically under 4K.

Below is some info on the system memory:

System Resources for 1/1:

Installed Memory: 268,435,456 (256 MB)

Free Memory: 126,424,176 (120 MB)

service bea-ssl-transfer

ip address 3.3.3.3

keepalive type none

type redirect

no prepend-http

domain "

https://beatest.air.ups.com

"

active

System Resources for 1/1:
Installed Memory: 268,435,456 (256 MB)
Free Memory: 126,424,176 (120 MB)

I am currently configuring my redirects in the below manner:

service app-ssl-transfer
ip address 3.3.3.3
keepalive type none
type redirect
no prepend-http
domain "https://app.my-fqdn.com"
active

I am not sure I understand your example. You mention being able to save configuration lines, but I am not clear how. Would you be so kind as to insert a config snippet?

Thanks!!

pablo.nxh · ‎07-25-2011

Hi Kevin,

As I mentioned there are two ways of doing redirects with the CSS, first is using services type redirect as you're doing and the second is using a redirect as a default action under a L5 content rule (this is where you would save some config lines).

i.e Let's say you have the site www.abz.com with 1 URI www.abz.com and www.abz.com/news; where news is balanced to a different server cluster.

In this case the configuration would look like this:

content ABZ

port 80

protocol tcp

vip address 192.168.10.10

add service Web-1

add service Web-2

url "/*"

active

content ABZ-News

port 80

protocol tcp

vip address 192.168.10.10

add service Web-3

add service Web-4

url "/news/*"

active

Now if you want to redirect all the content to HTTPS regardless of the URI to the main site https:///www.abz.com then you can just do a single content rule like this:

content ABZ

port 80

protocol tcp

vip address 192.168.10.10

url "/*"

redirect "https://www.abz.com"

active

If you do need to keep the URI after the redirection; for example the new request to be like https://www.abz.com/news/ then you would do it with the type service redirect and the domain option as you're currently doing it.

HTH

__ __

Pablo