
CSS 11503 - multiple content groups

georgefont
Level 1

Hi All,

Not too familiar with Ciscos and have a question.

I currently have a content group as follows;

content My_Group

add service blade1

add service blade2

add service blade3

vip address 1.2.3.4

advanced-balance arrowpoint-cookie

arrowpoint-cookie name dave

protocol tcp

port 8080

url "/*"

So I have 3 blades which are proxy servers, and users go first to an MS ISA server, then the VIP of the CSS, and then the rules process them, give them a blade and chuck them out onto the Internet.

I want to leave the above rule, but remove one blade, create an additional content group with that blade and have it process requests for a particular site, so I would create the following:

content My_Group2

add service blade3

vip address 1.2.3.4

advanced-balance arrowpoint-cookie

arrowpoint-cookie name jenny

protocol tcp

port 8080

url "www.thewebsite.com/*"

So my question is, can I do that having the same VIPs etc., so if a request comes in and it matches www.thewebsite.com, the second content rule matches it 'better' and therefore processes it, or would it still be caught by the "/*" content group? I don't want to create more VIPs as I have a real ache getting firewall rules done.

Thanks in advance,

George

9 Replies

Daniel Arrondo Ostiz
Cisco Employee

Hi George,

Yes, this is possible. The CSS will always try to match the most restrictive rule first, so, you could have two content rules with the same IP address and port matching on different URLs.

However, the configuration you used as an example is wrong. Matching on a domain needs to be done based on what are called "Domain Qualifier Lists". Check the link below for more information on how to use them:

http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/css11500series/v8.20/configuration/content_lb/guide/ContRule.html#wp1079132

Regards

Daniel

Hi Daniel,

Thanks for that. So looking at the instructions I would do as above but I would add a dql

dql thiswebsite

description "whatever we like"

domain www.thewebsite.com

and then I would have

content My_Group

add service blade1

add service blade2

add service blade3

vip address 1.2.3.4

advanced-balance arrowpoint-cookie

arrowpoint-cookie name dave

protocol tcp

port 8080

url "/*"

for standard internet browsing and

content My_Group2

add service blade3

vip address 1.2.3.4

advanced-balance arrowpoint-cookie

arrowpoint-cookie name jenny

protocol tcp

port 8080

url "/*" dql thiswebsite

So access to anything but the domain configured in the dql gets processed by the My_Group content group and any request with www.thewebsite.com in the URL gets processed by the My_Group2 content group and the VIPS, ports etc can remain the same ?

Thanks again for your help with this, I don't have a test environment to play with so have to go straight to live with 40,000 users going out to the internet via these things !

George

Hi George,

The configuration looks fine, but, since you are not going to test it before putting it into production, I would strongly recommend that you apply the changes during a maintenance window in case something unexpected happens.

Regards

Daniel

Hi Dan,

Mmm, not quite.

I did have the following config;

Owner OwnerName

content HTTP_sticky

    add service upstreamproxy1

    add service upstreamproxy2
    add service upstreamproxy3
    add service upstreamproxy4
    add service upstreamproxy5
    add service upstreamproxy6
    add service upstreamproxy7
    add service upstreamproxy8
    vip address 1.2.3.4

    advanced-balance arrowpoint-cookie

    arrowpoint-cookie name COOKINAME

    protocol tcp
    port 8080
    url "/*"
    active

So I wanted to have 2 of the upstream proxies service requests for a particular domain

So I removed upstream proxy 7 and 8 from the above content group and created a DQL list and a new content group as follows

DQL descriptivename

description "something or other"

domain www.thedomain.com

content HTTP_NEW

add service upstreamproxy7

add service upstreamproxy8

protocol tcp

port 8080

url "/*" dql descriptivename

arrowpoint-cookie name A_NEW_COOKIE_NAME

advanced-balance arrowpoint-cookie

vip address 1.2.3.4

active

All done within the same owner

So I was hoping the result would be for all outbound internet traffic use upstream proxies 1 through 6 and for all outbound internet traffic where the domain name is equal to www.thedomain.com with anything after that then use upstream proxies 7 and 8

Does that make sense, I did it in the same owner group am I missing something ?

Cheers,

Hi George,

As far as I can see, this configuration should do what you are trying to achieve. What is the behavior you are getting?

If you want to troubleshoot it further, you can always open a TAC service request. We'll be glad to assist.

Regards

Daniel

Hey Dan,

Thanks for taking a look.

I think the config is OK too. When testing, the guy said he could see requests being serviced by 7 and 8 for that domain, but that he also saw some requests being serviced by 1 to 6 for that domain specified in the DQL. I'm wondering if he had a weather ticker or something in his browser that went elsewhere and perhaps confused the situation.

I am going to try again in a few days, out of interest, I couldn't see a command along the lines of show content, that allowed me to see the content of a particular content group as opposed to all content, do you know of one ?

Thanks again,

George

Hi George,

I would suggest checking the requests themselves. Maybe the domain they are sending is similar but not matching the DQL (for example, a request without the www).

For your other question, I guess the command you are looking for is "show rule "

Daniel

georgefont
Level 1

Hi,

Sorry been hiding for a while !

I just wondered that.....well the site we are trying to get to is an HTTPS site, so I have the following;

DQL descriptivename

description "something or other"

domain www.thedomain.com

at the moment, I just wondered if I should also add www.thedomain.com:443

So what I was seeing before where hits were getting to two proxies, perhaps were the non-SSL bits but then there was no rule to match on www.thedomain.com:443, what do you think or am I barking up the wrong tree ?

Thanks,

George

Hi George,

If you are using HTTPS, matching on the domain name will not work because the traffic is encrypted.

In order to get this to work, you would need to first do SSL-termination on the CSS to decrypt the traffic and then apply any L7 processing on the connections. For more details, please, refer to

http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/css11500series/v8.20/configuration/ssl/guide/terminat.html

Regards

Daniel
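
The two troubleshooting points in the replies above (a host that is similar to the DQL entry but not identical, and HTTPS traffic where no host can be read), shown as an added example that is not part of the thread and is not Cisco CSS code. It is a simplified model: the exact, case-insensitive comparison and the `visible_host` and `classify` helpers are assumptions for illustration, the rule and domain names are the ones used in the thread, and the sample requests are constructed.

```python
# Added illustration: a simplified model, not Cisco CSS code.
DQL = {"www.thedomain.com"}      # domain entry from the thread's DQL
DOMAIN_RULE = "HTTP_NEW"         # content rule tied to the DQL in the thread
DEFAULT_RULE = "HTTP_sticky"     # catch-all "/*" content rule in the thread


def visible_host(first_bytes: bytes):
    """Host readable from a connection's first bytes, or None."""
    # TLS record header: content type 0x16 (handshake), major version 0x03.
    # The HTTP request travels inside the encrypted stream, so there is no
    # request line or Host header to read here.
    if len(first_bytes) >= 2 and first_bytes[0] == 0x16 and first_bytes[1] == 0x03:
        return None
    head = first_bytes.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    target = parts[1] if len(parts) >= 3 else ""
    # Requests sent to a proxy carry an absolute URI in the request line.
    if target.lower().startswith("http://"):
        return target[7:].split("/", 1)[0].lower()
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "host":
            return value.strip().lower()
    return None


def classify(first_bytes: bytes):
    """Return (rule, near_miss) under exact, case-insensitive DQL matching."""
    host = visible_host(first_bytes)
    if host is None:
        return (None, False)          # nothing to compare against the DQL
    if host in DQL:
        return (DOMAIN_RULE, False)
    # Near miss: same parent domain as a DQL entry, but not the listed name.
    parents = {d.split(".", 1)[1] for d in DQL}
    near = any(host == p or host.endswith("." + p) for p in parents)
    return (DEFAULT_RULE, near)


# Constructed sample inputs (not captured traffic).
SAMPLES = {
    "exact": b"GET http://www.thedomain.com/a HTTP/1.1\r\nHost: www.thedomain.com\r\n\r\n",
    "no_www": b"GET http://thedomain.com/a HTTP/1.1\r\nHost: thedomain.com\r\n\r\n",
    "other": b"GET /ticker HTTP/1.1\r\nHost: weather.example\r\n\r\n",
    "tls": bytes([0x16, 0x03, 0x01, 0x00, 0x2E, 0x01, 0x00, 0x00, 0x2A]),
}

if __name__ == "__main__":
    for label, data in SAMPLES.items():
        print(label, classify(data))
```

A `near_miss` of `True` marks a request that landed on the catch-all rule even though it belongs to the same parent domain as the DQL entry, which is the kind of request worth looking for when checking the requests themselves.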
