01-21-2006 01:31 AM
Hi,
Need serious help here..
I'm facing a challenging situation here.
Customer just purchased a pair of SSLM modules for their web server HTTPS termination.
Here's the situation.
Currently the customer already has a pair of Catalyst 6509s running with an MSFC->FWSM<->CSM bridge configuration (i.e. client and server VLAN on the same subnet).
I've been assigned the task to deploy the SSLSM module seamlessly onto this existing setup without any other major configuration changes required on their systems by this week.
My question is: currently they are doing bridge configuration between FWSM and CSM. How do I transparently deploy SSLM in this situation, without changing any IP addresses, which would break their server-to-server communications?
I read and understand the CSM-SSLM bridge configuration, but that requires changing their IP addressing scheme? Hopefully somebody can shed some light on this...
01-21-2006 01:40 AM
I've attached a logical diagram of the existing setup as well as the SSLM placement (where I think it fits in).
I've also come up with a draft configuration below; I don't really understand the NAT client and NAT server applications:
module ContentSwitchingModule 7
 ! Fault-tolerant pair: this CSM is primary (priority 110) and preempts
 ft group 1 vlan 201
  priority 110 alt 100
  heartbeat-time 1
  failover 3
  preempt
 !
 ! Bridged client/server VLAN pair for the intranet farm (192.168.20.0/24)
 vlan 6 client
  ip address 192.168.20.4 255.255.255.0 alt 192.168.20.5 255.255.255.0
  gateway 192.168.20.1
  alias 192.168.20.6 255.255.255.0
 !
 vlan 60 server
  ip address 192.168.20.4 255.255.255.0 alt 192.168.20.5 255.255.255.0
 !
 ! Bridged client/server VLAN pair for the internet farm (192.168.10.0/24)
 vlan 7 client
  ip address 192.168.10.4 255.255.255.0 alt 192.168.10.5 255.255.255.0
  alias 192.168.10.6 255.255.255.0
 !
 vlan 70 server
  ip address 192.168.10.4 255.255.255.0 alt 192.168.10.5 255.255.255.0
 !
 ! Proxy VLAN towards the SSLM (192.168.60.0/24); the alias is the SSLM's gateway
 vlan 40 server
  ip address 192.168.60.4 255.255.255.0 alt 192.168.60.5 255.255.255.0
  alias 192.168.60.6 255.255.255.0
 !
 probe ICMP icmp
  interval 3
  failed 5
 !
 probe HTTPWEB http
  interval 3
  failed 5
 !
 ! TCP probe on the SSLM listening port (not referenced below; the SSL farms use probe TCP)
 probe HTTPSWEB tcp
  interval 3
  failed 5
  port 445
 !
 probe TCP tcp
  interval 2
  failed 3
 !
 ! Real web servers. Port 80 is given explicitly so that decrypted traffic
 ! arriving through the DECRYPT-* vservers (VIP port 445) is delivered to
 ! port 80; without a port the CSM keeps the VIP's destination port.
 ! (The draft originally omitted the port on these reals.)
 serverfarm MOCINT-VIP1
  nat server
  no nat client
  predictor leastconns
  real 192.168.20.71 80
   inservice
  real 192.168.20.72 80
   inservice
  probe ICMP
  probe HTTPWEB
 !
 serverfarm MOCWEB-VIP1
  nat server
  no nat client
  predictor leastconns
  real 192.168.10.65 80
   inservice
  real 192.168.10.66 80
   inservice
  probe ICMP
  probe HTTPWEB
 !
 ! SSLM proxy services: encrypted client traffic is sent to the SSLM
 ! addresses on VLAN 40, port 445 (nat server rewrites the destination)
 serverfarm SSL-MOCINT
  nat server
  no nat client
  real 192.168.60.11 445
   inservice
  real 192.168.60.12 445
   inservice
  probe TCP
 !
 serverfarm SSL-MOCWEB
  nat server
  no nat client
  real 192.168.60.21 445
   inservice
  real 192.168.60.22 445
   inservice
  probe TCP
 !
 ! Sticky group 10: source-IP stickiness; group 20: cookie stickiness
 sticky 10 netmask 255.255.255.255 timeout 20
 !
 sticky 20 cookie cookie-server timeout 30
 !
 ! Clear-text vservers on the proxy VLAN: receive decrypted traffic back
 ! from the SSLM and load balance it to the web servers
 vserver DECRYPT-MOCINT
  virtual 192.168.60.10 tcp 445
  vlan 40
  serverfarm MOCINT-VIP1
  replicate csrp sticky
  persistent rebalance
  parse-length 4000
  inservice
 !
 vserver DECRYPT-MOCWEB
  virtual 192.168.60.20 tcp 445
  vlan 40
  serverfarm MOCWEB-VIP1
  replicate csrp sticky
  persistent rebalance
  parse-length 4000
  inservice
 !
 ! Plain HTTP vservers on the client VLANs
 vserver HTTP-MOCINT
  virtual 192.168.20.70 tcp www
  vlan 6
  serverfarm MOCINT-VIP1
  advertise active
  sticky 20 group 10
  replicate csrp sticky
  persistent rebalance
  parse-length 4000
  inservice
 !
 vserver HTTP-MOCWEB
  virtual 192.168.10.60 tcp www
  vlan 7
  serverfarm MOCWEB-VIP1
  advertise active
  sticky 30 group 20
  replicate csrp sticky
  persistent rebalance
  parse-length 4000
  inservice
 !
 ! HTTPS vservers: same VIPs on port 443, handed to the SSLM farms
 vserver HTTPS-MOCINT
  virtual 192.168.20.70 tcp https
  vlan 6
  serverfarm SSL-MOCINT
  persistent rebalance
  inservice
 !
 vserver HTTPS-MOCWEB
  virtual 192.168.10.60 tcp https
  vlan 7
  serverfarm SSL-MOCWEB
  persistent rebalance
  inservice
 !
01-23-2006 05:37 AM
There is a sample config for sslm and csm in bridge mode.
The firewall module should simply be placed in the upper vlan [vlan 50] in the example.
I wrote the document so I hope you will find it useful.
Regards,
Gilles.
Thanks for rating this answer.
01-25-2006 06:51 PM
Thank you for the URL, I find it very useful.
I'll study it and test it out in our labs. Thanks again.
02-13-2006 11:18 AM
Hi, did you get a chance to test the above config? Could you please post the working configs for both the CSM and the SSL module?
Btw, I have this very basic question... I am trying to design a similar setup with CSM in bridged mode for multiple segments (I mean multiple server/client pairs), just the same way zeremy has in his network. I see that zeremy has used VLAN 40 for the SSL segment. My question is whether this VLAN 40 SSL segment can serve both the Internet as well as the Intranet server farms (see zeremy's diagram)? My assumption was that I will need one proxy-SSL VLAN for each of the server/client pairs that I am trying to load balance. Isn't this true? Please advise..
02-14-2006 12:12 AM
You only need 1 proxy-vlan to go from CSM to SSL.
The SSLM is not aware of how many vlans you have on the CSM. One proxy-vlan can serve all internal and external traffic.
The CSM is the device that will do the routing.
Gilles.
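To make the single-proxy-VLAN point concrete, here is an added example of what the SSLM side of zeremy's draft could look like. It is not from this thread, from Cisco's sample document, or from a tested deployment. The addresses and ports come from the CSM draft above (proxy VLAN 40, CSM alias 192.168.60.6, SSLM service addresses .11 and .21, clear-text vservers .10 and .20, port 445). The SSLM's own VLAN 40 address (192.168.60.31), the service names and the trustpoint names are assumptions.

```cisco
! Assumed SSLM config for the first of the two modules (the second would use
! 192.168.60.12 / .22 as its service addresses and its own VLAN address).
!
! One proxy VLAN towards the CSM serves both farms; the CSM alias on VLAN 40
! is the SSLM's default gateway, and the CSM does all routing back to the
! intranet and internet server VLANs.
ssl-proxy vlan 40
 ipaddr 192.168.60.31 255.255.255.0
 gateway 192.168.60.6
!
! Intranet farm: CSM serverfarm SSL-MOCINT sends encrypted traffic to
! 192.168.60.11:445. After decryption the SSLM forwards clear text to the
! CSM vserver DECRYPT-MOCINT (192.168.60.10:445), which load balances it
! to the 192.168.20.x web servers. MOCINT-CERT is an assumed trustpoint name.
ssl-proxy service MOCINT
 virtual ipaddr 192.168.60.11 protocol tcp port 445
 server ipaddr 192.168.60.10 protocol tcp port 445
 certificate rsa general-purpose trustpoint MOCINT-CERT
 inservice
!
! Internet farm: same pattern, second virtual address on the same proxy VLAN,
! clear text returned to DECRYPT-MOCWEB (192.168.60.20:445).
ssl-proxy service MOCWEB
 virtual ipaddr 192.168.60.21 protocol tcp port 445
 server ipaddr 192.168.60.20 protocol tcp port 445
 certificate rsa general-purpose trustpoint MOCWEB-CERT
 inservice
```

The point to check in a lab is that both service addresses answer on VLAN 40 and that the clear-text path lands on the DECRYPT-* vservers rather than on the web servers directly; nothing in the SSLM needs to know about VLANs 6, 7, 60 or 70. The draft's use of port 445 on both the encrypted and clear-text legs is kept as written, but since the clear-text leg between SSLM and CSM is unencrypted, the proxy VLAN should stay a dedicated, non-routed segment between those two modules.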
02-14-2006 12:54 AM
02-15-2006 02:04 AM
Thank you both for your prompt replies..
Just a follow-up question on SSL redundancy.. I have got two CSM-S modules on 2 diff 6K chassis. I assume we can configure the CSMs only in Active/Standby mode. However, is it possible to make the SSL daughter boards load share in Active-Active mode? I know if these were SSL modules instead of daughter boards, we can load share the SSL modules. However, in my case, both SSLs are part of the CSM. So, I will have to configure the local keyword while defining the REAL SSL offloaders. When the CSMs switch over, the local keyword will result in a conflict. Hope I made my question clear..