DECIPHER CSS CONFIG

lamav
Level 8

Folks:

I'm a CSS-retard, so I need someone to decipher this config for me. It doesn't have to be line-by-line, but at least something close to it.

You know... like explain the "circuit" config... or the "service" config...

I just need to make sense out of this config. I do understand CSS principles pretty well, just never configured one.

HELP!!! :-)

NYTAR777-CLB04# sh run
!Generated on 05/25/2009 11:06:52
!Active version: sg0810107s
configure
!*************************** GLOBAL ***************************
prelogin-banner "login-banner"
virtual authentication primary tacacs
virtual authentication secondary local
snmp community YE!@ZP72 read-only
snmp community BXL*%5K] read-write
snmp trap-host 138.69.6.10 public
app session 10.36.48.249 15 authChallenge S1lv3rf1sh! encryptMd5hash rcmdEnable
app port 30666
app
logging commands enable
logging buffer 10000
tacacs-server 10.36.217.3 49 10 TaCaCS2004 primary frequency 255
tacacs-server 172.22.0.1 49 10 TaCaCS2004 frequency 255
tacacs-server authorize config
tacacs-server authorize non-config
tacacs-server account config
tacacs-server account non-config
ip route 0.0.0.0 0.0.0.0 10.36.48.254 1
!************************* INTERFACE *************************
interface 1/1
  bridge vlan 717
interface 1/2
  trunk
  vlan 718
  vlan 719
  vlan 720
  vlan 721
  vlan 722
  vlan 777
  default-vlan
interface 2/1
  isc-port-one
interface 2/2
  isc-port-two
!************************** REPORTER **************************
reporter VRRP_MONITOR
  type vrid-peering
  vrid 10.36.48.250 17
  vrid 10.36.50.125 20
  active
!************************** SERVICE **************************
service nyvector_1_443
  ip address 10.36.50.1
  protocol tcp
  port 443
  redundant-index 5
  keepalive frequency 30
  keepalive retryperiod 10
  keepalive type ssl
service nyvector_1_80
  ip address 10.36.50.1
  keepalive frequency 30
  keepalive retryperiod 10
  protocol tcp
  port 80
  keepalive type http
  redundant-index 3
  active
service nyvector_2_443
  ip address 10.36.50.2
  protocol tcp
  port 443
  redundant-index 6
  keepalive frequency 30
  keepalive retryperiod 10
  keepalive type ssl
service nyvector_2_80
  ip address 10.36.50.2
  redundant-index 4
  protocol tcp
  port 80
  keepalive frequency 30
  keepalive retryperiod 10
  keepalive type http
  active
service ping_VLAN720
  ip address 10.36.50.1
  keepalive frequency 2
  keepalive retryperiod 2
  redundant-index 2
  keepalive type script ap-kal-pinglist "10.36.50.1 10.36.50.2"
  active
service ping_slf01
  ip address 10.36.48.254
  keepalive type script ap-kal-pinglist "10.36.48.254"
  keepalive frequency 2
  keepalive retryperiod 2
  redundant-index 1
  active
!*************************** OWNER ***************************
owner acs
  content nyvector_443
    vip address 10.36.48.1
    port 443
    protocol tcp
    add service nyvector_1_443
    add service nyvector_2_443
    redundant-index 2
    advanced-balance sticky-srcip
    active
  content nyvector_80
    vip address 10.36.48.1
    protocol tcp
    port 80
    add service nyvector_1_80
    add service nyvector_2_80
    redundant-index 1
    advanced-balance sticky-srcip
    active
NYTAR777-CLB04#

THANKS!!

8 Replies

Jon Marshall
Hall of Fame

Victor

A service, as in "service nyvector_2_443", is a physical location for content, so

service nyvector_2_443
  ip address 10.36.50.2
  protocol tcp
  port 443
  redundant-index 6
  keepalive frequency 30
  keepalive retryperiod 10
  keepalive type ssl

is a server for HTTPS with IP address 10.36.50.2.

The content, as in

content nyvector_443
  vip address 10.36.48.1
  port 443
  protocol tcp
  add service nyvector_1_443
  add service nyvector_2_443
  redundant-index 2
  advanced-balance sticky-srcip
  active

in effect configures the virtual farm and references the physical services. So in the above, users would connect to 10.36.48.1 and be load-balanced to either one of two physical services: nyvector_1_443 or nyvector_2_443.

Under the content is where you can define the type of load-balancing used, stickiness for the sessions etc.

The owner, I must admit, has always slightly confused me. Technically it is just the name of the person owning the contents.

Does this help ?

Jon

It helps plenty, Jon.

Funny though, that was the part of the config I was not TOO unclear about. The part that I am REALLY confused about is something I forgot to post. :-)

!************************** CIRCUIT **************************
circuit VLAN717
  description "VIPs for Internal Web Server DMZ"
  ip address 10.36.48.250 255.255.255.0
  ip virtual-router 17 priority 95
  ip redundant-interface 17 10.36.48.251
  ip redundant-vip 17 10.36.48.1
  ip critical-service 17 ping_slf01
  ip critical-reporter 17 VRRP_MONITOR
circuit VLAN720
  description "TSS PCI Internal Web Servers"
  ip address 10.36.50.125 255.255.255.128
  ip virtual-router 20 priority 95
  ip redundant-interface 20 10.36.50.126
  ip critical-reporter 20 VRRP_MONITOR

Would you say that this CSS module is configured in bridged mode?

Thanks

I would say it is in routed mode, as the physical servers are from the subnet 10.36.50.0/25 whereas the VIPs that are used for these physical servers are from the 10.36.48.0/24 subnet.

So the CSS must be routing between the VIP subnet and the physical subnet that the servers reside on.

As for circuits -

"A circuit on the CSS is a logical entity that maps IP interfaces to a logical port or group of logical ports, for example, a VLAN." I.e. in this case it's just how you define VLANs on the CSS.

Jon

Jon, this sucks, man... I thought by looking at an SLB config I would be able to figure it out... it's tough... confusing... seems like there's a zillion combinations...

frustrating...

If the CSS is running in routed mode, is it doing the inter vlan routing between the server VIPs and the real addresses?

"i thought by looking at an SLB config I would be able to figure it out."

I sympathise because it's not that easy, especially as the CSS uses counterintuitive terms such as service, content, owner etc. To my mind the CSM terminology is far more logical. I guess that's because the CSM is Cisco's own, whereas they purchased the company that produced the CSS.

Basically, if the VIPs and real addresses are out of the same subnet then you are looking at bridged mode. If they are different you are looking at routed mode. The CSS is indeed handling the inter-VLAN routing for VLAN 717 and VLAN 720.

Note that the following lines -

interface 1/1
  bridge vlan 717

simply allocates interface 1/1 into VLAN 717, i.e. it is nothing to do with bridging in the sense we are talking about.

Don't feel too bad about this config, I don't fully understand it all and, like I say, the terminology is a lot simpler on Cisco's own load-balancers.

Jon
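The service/content/owner explanation in the first reply and the bridged-versus-routed rule of thumb in this one can both be checked mechanically against the posted config. The script below is an added example, not part of the thread and not Cisco code: it splits a flat CSS show-run into blocks on the keywords seen in the post (service, content, circuit, owner, interface, reporter), maps each content rule's VIP to the real servers behind it, and decides bridged or routed by asking whether the VIP and its reals fall inside the same circuit subnet. Two hygiene checks are included because the posted config makes them worth seeing: the two HTTPS services (nyvector_1_443 and nyvector_2_443) carry no active line, and the global section holds the SNMP read-only and read-write communities, the app-session secret and the TACACS+ key in clear text. The block keywords, pattern labels and function names are this script's own; the sample is constructed from lines quoted in the thread, trimmed to the HTTPS path.

```python
"""Parse a Cisco CSS 'show run' the way the replies describe it (service = real
server, content = VIP rule under an owner, circuit = IP interface on a VLAN),
then apply the bridged-versus-routed rule of thumb and a few hygiene checks.
Added example, not Cisco code; parsing rules and labels are this script's own."""
import ipaddress
import re

# Constructed sample: lines quoted in the thread, trimmed to the HTTPS path.
SAMPLE = """\
snmp community YE!@ZP72 read-only
snmp community BXL*%5K] read-write
app session 10.36.48.249 15 authChallenge S1lv3rf1sh! encryptMd5hash rcmdEnable
tacacs-server 10.36.217.3 49 10 TaCaCS2004 primary frequency 255
circuit VLAN717
  ip address 10.36.48.250 255.255.255.0
circuit VLAN720
  ip address 10.36.50.125 255.255.255.128
service nyvector_1_443
  ip address 10.36.50.1
  port 443
service nyvector_2_443
  ip address 10.36.50.2
  port 443
owner acs
  content nyvector_443
    vip address 10.36.48.1
    port 443
    add service nyvector_1_443
    add service nyvector_2_443
    active
"""

# Keywords that open a block in a CSS running-config (this script's own list).
BLOCK_KEYWORDS = ("service", "content", "circuit", "owner", "interface", "reporter")
# Global lines that carry a credential in clear text, and which token it is.
SECRET_PATTERNS = (
    ("snmp read-write community", re.compile(r"^snmp community (\S+) read-write$")),
    ("snmp read-only community", re.compile(r"^snmp community (\S+) read-only$")),
    ("app session secret", re.compile(r"^app session \S+ \S+ authChallenge (\S+)")),
    ("tacacs-server key", re.compile(r"^tacacs-server \S+ \d+ \d+ (\S+)")),
)

def parse_blocks(text):
    """Split the config into (kind, name, lines); leading lines go under ('global', '')."""
    blocks = [("global", "", [])]
    for line in (raw.strip() for raw in text.splitlines()):
        parts = line.split()
        if not parts or line.startswith("!"):
            continue
        if parts[0] in BLOCK_KEYWORDS and len(parts) > 1:
            blocks.append((parts[0], parts[1], []))
        else:
            blocks[-1][2].append(line)
    return blocks

def field(lines, prefix, index):
    """Token `index` of the first line starting with `prefix`, or None."""
    for line in lines:
        if line.startswith(prefix):
            return line.split()[index]
    return None

def vip_map(blocks):
    """content name -> (vip, port, [(service, real ip, real port)])."""
    reals = {n: (field(l, "ip address ", 2), field(l, "port ", 1))
             for k, n, l in blocks if k == "service"}
    return {n: (field(l, "vip address ", 2), field(l, "port ", 1),
                [(m, *reals.get(m, (None, None)))
                 for m in (x.split()[2] for x in l if x.startswith("add service "))])
            for k, n, l in blocks if k == "content"}

def circuit_for(ip, blocks):
    """Name of the circuit whose subnet contains ip, else None."""
    for kind, name, lines in blocks:
        addr = field(lines, "ip address ", 2) if kind == "circuit" else None
        if addr and ipaddress.ip_address(ip) in ipaddress.ip_network(
                f"{addr}/{field(lines, 'ip address ', 3)}", strict=False):
            return name
    return None

def mode(blocks):
    """Per content rule: 'bridged' if VIP and reals share a circuit, else 'routed'."""
    verdict = {}
    for name, (vip, _, members) in vip_map(blocks).items():
        real_circuits = {circuit_for(ip, blocks) for _, ip, _ in members}
        verdict[name] = "bridged" if real_circuits == {circuit_for(vip, blocks)} else "routed"
    return verdict

def inactive_services(blocks):
    """Services with no 'active' line; the CSS will not send traffic to them."""
    return [n for k, n, l in blocks if k == "service" and "active" not in l]

def exposed_secrets(blocks):
    """(label, value) for every clear-text credential in the global section."""
    glob = [l for k, _, ls in blocks if k == "global" for l in ls]
    return [(label, m.group(1)) for line in glob
            for label, pat in SECRET_PATTERNS if (m := pat.match(line))]

if __name__ == "__main__":
    b = parse_blocks(SAMPLE)
    print(vip_map(b), mode(b), inactive_services(b), exposed_secrets(b), sep="\n")
```

On the sample, the script reports nyvector_443 as 10.36.48.1:443 in front of 10.36.50.1 and 10.36.50.2, the rule as routed (the VIP sits in circuit VLAN717, the reals in VLAN720, which is exactly the reasoning in the reply above), both HTTPS services as inactive, and four clear-text credentials. That last point is the caveat to take from the thread: a CSS show-run carries its SNMP communities, app-session secret and TACACS+ key in the clear, so scrub them before pasting a config anywhere public, and treat any that have already been posted as compromised and rotate them.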

Jon, I guess what's hard is understanding the many, many ways that the LBs and FWs can be connected... so many choices and variations.

I'd love to see ONE implementation that comes with a drawing and the configurations for EACH device. That would help me understand... not just tidbits of info or overarching theory, but an actual implementation...

Victor

Victor

Unfortunately I don't have access to the old design docs I did for our virtualised DC. You may have seen this doc, but it provides useful information on the different setups you can deploy using FWSM + ACE. Bear in mind that the same considerations apply to standalone ASA or ACE devices:

http://www.cisco.com/en/US/docs/solutions/Enterprise/Data_Center/ACE_FWSM.html

Jon

Something funny... when I telnet into the CSS, the output is screwy.

I get output text on the far left and then on the far right. It's a "word wrap" issue, I'm sure, but I don't have this problem with any other device, except this CSS.

Any ideas?
