DECIPHER CSS CONFIG

Unanswered Question
May 25th, 2009

Folks:


I'm a CSS-retard, so I need someone to decipher this config for me. It doesn't have to be line-by-line, but at least something close to it.


You know...like explain "circuit" config...or "service" config...


I just need to make sense out of this config. I do understand CSS principles pretty well, just never configured one.


HELP!!! :-)



NYTAR777-CLB04# sh run

!Generated on 05/25/2009 11:06:52

!Active version: sg0810107s


configure



!*************************** GLOBAL ***************************

prelogin-banner "login-banner"

virtual authentication primary tacacs

virtual authentication secondary local


snmp community [email protected] read-only

snmp community BXL*%5K] read-write

snmp trap-host 138.69.6.10 public


app session 10.36.48.249 15 authChallenge S1lv3rf1sh! encryptMd5hash rcmdEnable

app port 30666

app


logging commands enable

logging buffer 10000


tacacs-server 10.36.217.3 49 10 TaCaCS2004 primary frequency 255

tacacs-server 172.22.0.1 49 10 TaCaCS2004 frequency 255

tacacs-server authorize config

tacacs-server authorize non-config

tacacs-server account config

tacacs-server account non-config


ip route 0.0.0.0 0.0.0.0 10.36.48.254 1


!************************* INTERFACE *************************

interface 1/1

bridge vlan 717


interface 1/2

trunk


vlan 718


vlan 719


vlan 720


vlan 721


vlan 722


vlan 777

default-vlan


interface 2/1

isc-port-one


interface 2/2

isc-port-two



!************************** REPORTER **************************

reporter VRRP_MONITOR

type vrid-peering

vrid 10.36.48.250 17

vrid 10.36.50.125 20

active


!************************** SERVICE **************************

service nyvector_1_443

ip address 10.36.50.1

protocol tcp

port 443

redundant-index 5

keepalive frequency 30

keepalive retryperiod 10

keepalive type ssl


service nyvector_1_80

ip address 10.36.50.1

keepalive frequency 30

keepalive retryperiod 10

protocol tcp

port 80

keepalive type http

redundant-index 3

active


service nyvector_2_443

ip address 10.36.50.2

protocol tcp

port 443

redundant-index 6

keepalive frequency 30

keepalive retryperiod 10

keepalive type ssl


service nyvector_2_80

ip address 10.36.50.2

redundant-index 4

protocol tcp

port 80

keepalive frequency 30

keepalive retryperiod 10

keepalive type http

active


service ping_VLAN720

ip address 10.36.50.1

keepalive frequency 2

keepalive retryperiod 2

redundant-index 2

keepalive type script ap-kal-pinglist "10.36.50.1 10.36.50.2"

active


service ping_slf01

ip address 10.36.48.254

keepalive type script ap-kal-pinglist "10.36.48.254"

keepalive frequency 2

keepalive retryperiod 2

redundant-index 1

active


!*************************** OWNER ***************************

owner acs


content nyvector_443

vip address 10.36.48.1

port 443

protocol tcp

add service nyvector_1_443

add service nyvector_2_443

redundant-index 2

advanced-balance sticky-srcip

active


content nyvector_80

vip address 10.36.48.1

protocol tcp

port 80

add service nyvector_1_80

add service nyvector_2_80

redundant-index 1

advanced-balance sticky-srcip

active


NYTAR777-CLB04#



THANKS!!

Jon Marshall Mon, 05/25/2009 - 10:39
Victor


A service as in "service nyvector_2_443" is a physical location for content so


service nyvector_2_443

ip address 10.36.50.2

protocol tcp

port 443

redundant-index 6

keepalive frequency 30

keepalive retryperiod 10

keepalive type ssl


is a server for HTTPS with IP address 10.36.50.2.



The content is as in


content nyvector_443

vip address 10.36.48.1

port 443

protocol tcp

add service nyvector_1_443

add service nyvector_2_443

redundant-index 2

advanced-balance sticky-srcip

active


in effect configures the Virtual farm and references the physical services. So in the above users would connect to 10.36.48.1 and be load-balanced to either one of 2 physical services - nyvector_1_443 or nyvector_2_443.

Under the content is where you can define the type of load-balancing used, stickiness for the sessions etc.


The owner I must admit has always slightly confused me. Technically it is just the name of the person owning the contents.


Does this help ?


Jon

lamav Mon, 05/25/2009 - 12:46

It helps plenty, Jon.


Funny though, that was the part of the config I was not TOO unclear about. The part that I am REALLY confused about is something I forgot to post. :-)


************************** CIRCUIT **************************

circuit VLAN717

description "VIPs for Internal Web Server DMZ"


ip address 10.36.48.250 255.255.255.0

ip virtual-router 17 priority 95

ip redundant-interface 17 10.36.48.251

ip redundant-vip 17 10.36.48.1

ip critical-service 17 ping_slf01

ip critical-reporter 17 VRRP_MONITOR


circuit VLAN720

description "TSS PCI Internal Web Servers"


ip address 10.36.50.125 255.255.255.128

ip virtual-router 20 priority 95

ip redundant-interface 20 10.36.50.126

ip critical-reporter 20 VRRP_MONITOR


Would you say that this CSS module is configured in bridged mode?


Thanks

Jon Marshall Mon, 05/25/2009 - 13:11

I would say it is in routed mode as the physical servers are from the subnet 10.36.50.0/25 whereas the VIPs that are used for these physical servers are from the 10.36.48.0/24 subnet.


So the CSS must be routing between the VIP subnet and the physical subnet that the servers reside on.


As for circuits -


"A circuit on the CSS is a logical entity that maps IP interfaces to a logical port or group of logical ports, for example, a VLAN." i.e. in this case it's just how you can define vlans on the CSS.


Jon

lamav Mon, 05/25/2009 - 13:57

Jon, this sucks, man...I thought by looking at an SLB config I would be able to figure it out....it's tough...confusing...seems like there's a zillion combinations....


frustrating...


If the CSS is running in routed mode, is it doing the inter vlan routing between the server VIPs and the real addresses?

Jon Marshall Mon, 05/25/2009 - 14:25

"i thought by looking at an SLB config I would be able to figure it out."


I sympathise because it's not that easy especially as the CSS uses counterintuitive terms such as service, context, owner etc. To my mind the CSM terminology is far more logical - guess that's because the CSM is Cisco's own whereas they purchased the company that produced the CSS.


Basically if the VIPs and real addresses are out of the same subnet then you are looking at bridged mode. If they are different you are looking at routed mode. The CSS is indeed handling the inter-vlan routing for vlan 717 and vlan 720.


Note that the following lines -


interface 1/1

bridge vlan 717


simply allocate interface 1/1 into vlan 717, i.e. it is nothing to do with bridging in the sense we are talking about.


Don't feel too bad about this config, I don't fully understand it all and like I say the terminology is a lot simpler on Cisco's own load-balancers.


Jon


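The two things Jon explains above, how a "content" rule references physical "service" entries, and the rule that VIPs and real addresses in the same subnet mean bridged mode while different subnets mean routed mode, can be checked mechanically. The following is an added example, not code from this thread or from Cisco: a small Python parser for the CSS running-config blocks (circuit, service, owner/content) that resolves each content rule's VIP and real-server addresses to the circuit subnet containing them and reports bridged or routed per content. The sample config reuses only the circuit, service and content blocks with the addresses posted in the thread (indentation is constructed; the GLOBAL section with SNMP communities, TACACS key and app session key is left out since mode detection does not need it). Function names are my own.

```python
import ipaddress

# Constructed sample: the circuit/service/content blocks from the config posted in this thread.
SAMPLE_CONFIG = """\
!************************* CIRCUIT *************************
circuit VLAN717
  description "VIPs for Internal Web Server DMZ"
  ip address 10.36.48.250 255.255.255.0
  ip virtual-router 17 priority 95
  ip redundant-vip 17 10.36.48.1

circuit VLAN720
  description "TSS PCI Internal Web Servers"
  ip address 10.36.50.125 255.255.255.128
  ip virtual-router 20 priority 95

!************************** SERVICE **************************
service nyvector_1_443
  ip address 10.36.50.1
  protocol tcp
  port 443
  keepalive type ssl

service nyvector_2_443
  ip address 10.36.50.2
  protocol tcp
  port 443
  keepalive type ssl

!*************************** OWNER ***************************
owner acs
  content nyvector_443
    vip address 10.36.48.1
    port 443
    protocol tcp
    add service nyvector_1_443
    add service nyvector_2_443
    advanced-balance sticky-srcip
    active
"""

# Keywords that open a new config block; indentation is ignored so the
# flattened "sh run" paste from the thread and a real nested config parse alike.
BLOCK_KEYWORDS = ("circuit", "service", "owner", "content")


def parse_css_config(text):
    """Split a CSS running-config into blocks keyed by (kind, name).
    Each block value is a list of (keyword, args) tuples for its lines."""
    blocks = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        words = line.split()
        if words[0] in BLOCK_KEYWORDS and len(words) >= 2:
            current = (words[0], words[1])
            blocks[current] = []
        elif current is not None:
            blocks[current].append((words[0], words[1:]))
    return blocks


def circuit_networks(blocks):
    """Map circuit name -> IPv4Network taken from its 'ip address A MASK' line."""
    nets = {}
    for (kind, name), lines in blocks.items():
        if kind != "circuit":
            continue
        for kw, args in lines:
            if kw == "ip" and args[:1] == ["address"] and len(args) >= 3:
                nets[name] = ipaddress.ip_interface(f"{args[1]}/{args[2]}").network
    return nets


def circuit_for(addr, nets):
    """Name of the circuit whose subnet contains addr, or None if no circuit matches."""
    ip = ipaddress.ip_address(addr)
    for name, net in nets.items():
        if ip in net:
            return name
    return None


def service_addresses(blocks):
    """Map service name -> real server IP from the service's 'ip address' line."""
    return {name: args[1]
            for (kind, name), lines in blocks.items() if kind == "service"
            for kw, args in lines if kw == "ip" and args[:1] == ["address"]}


def classify_contents(blocks):
    """Per content rule: VIP, its circuit, the referenced services, the circuits the
    real servers sit on, and 'bridged' (same circuit as VIP) or 'routed' (different)."""
    nets = circuit_networks(blocks)
    svc_addrs = service_addresses(blocks)
    result = {}
    for (kind, name), lines in blocks.items():
        if kind != "content":
            continue
        vip, services = None, []
        for kw, args in lines:
            if kw == "vip" and args[:1] == ["address"]:
                vip = args[1]
            elif kw == "add" and args[:1] == ["service"]:
                services.append(args[1])
        vip_circuit = circuit_for(vip, nets) if vip else None
        real_circuits = {circuit_for(svc_addrs[s], nets) for s in services if s in svc_addrs}
        if not real_circuits or vip_circuit is None:
            mode = "unknown"          # content with no resolvable VIP or services
        elif real_circuits == {vip_circuit}:
            mode = "bridged"
        else:
            mode = "routed"
        result[name] = {"vip": vip, "vip_circuit": vip_circuit, "services": services,
                        "real_circuits": sorted(c for c in real_circuits if c), "mode": mode}
    return result


if __name__ == "__main__":
    for content, info in classify_contents(parse_css_config(SAMPLE_CONFIG)).items():
        print(f"content {content}: VIP {info['vip']} on {info['vip_circuit']}, "
              f"servers on {info['real_circuits']} -> {info['mode']} mode")
```

Run against the thread's addresses this reports nyvector_443 with its VIP 10.36.48.1 on circuit VLAN717 (10.36.48.0/24) and both real servers on VLAN720 (10.36.50.0/25), hence routed mode, which is the conclusion Jon reaches by inspection. A content whose VIP and services resolve to the same circuit would come out as bridged.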

lamav Mon, 05/25/2009 - 14:44

Jon, I guess what's hard is understanding the many many ways that the LBs and FWs can be connected....so many choices and variations.


I'd love to see ONE implementation that comes with a drawing and the configurations for EACH device. That would help me understand...not just tidbits of info or overarching theory, but an actual implementation...


Victor

Jon Marshall Mon, 05/25/2009 - 14:54

Victor


Unfortunately I don't have access to old design docs I did for our virtualised DC. You may have seen this doc but it provides useful information on the different setups you can deploy using FWSM + ACE. Bear in mind that the same considerations apply to standalone ASA or ACE devices -


http://www.cisco.com/en/US/docs/solutions/Enterprise/Data_Center/ACE_FWSM.html


Jon

lamav Mon, 05/25/2009 - 15:06

something funny....when I telnet into the CSS, the output is screwy.


I get output text on the far left and then on the far right. It's a "word wrap" issue, I'm sure, but I don't have this problem with any other device, except this CSS.


Any ideas?
