Introduction of SSLM into a MSFC-FWSM-CSM Bridge Mode Configuration

zeremy
Level 1

Hi,

Need serious help here.

I'm facing a challenging situation here.

The customer just purchased a pair of SSLM modules for their web server HTTPS termination.

Here's the situation.

Currently the customer already has a pair of Catalyst 6509s running with an MSFC->FWSM<->CSM bridge configuration (i.e. client and server VLAN on the same subnet).

I've been assigned the task to deploy the SSLSM module seamlessly onto this existing setup, without any other major configuration changes required on their systems, by this week.

My question: currently they are doing a bridge configuration between FWSM and CSM. How do I transparently deploy the SSLM in this situation, without changing any IP addresses, which would break their server-to-server communications?

I read and understand the CSM-SSLM bridge configuration, but that requires changing their IP addressing scheme? Hopefully somebody can shed some light on this...


7 Replies

zeremy
Level 1

I've attached a logical diagram of the existing setup as well as the SSLM placement (where I think it fits in).

I've also come up with a draft configuration below; I don't really understand the NAT client and NAT server applications:

module ContentSwitchingModule 7
 ft group 1 vlan 201
  priority 110 alt 100
  heartbeat-time 1
  failover 3
  preempt
 !
 vlan 6 client
  ip address 192.168.20.4 255.255.255.0 alt 192.168.20.5 255.255.255.0
  gateway 192.168.20.1
  alias 192.168.20.6 255.255.255.0
 !
 vlan 60 server
  ip address 192.168.20.4 255.255.255.0 alt 192.168.20.5 255.255.255.0
 !
 vlan 7 client
  ip address 192.168.10.4 255.255.255.0 alt 192.168.10.5 255.255.255.0
  alias 192.168.10.6 255.255.255.0
 !
 vlan 70 server
  ip address 192.168.10.4 255.255.255.0 alt 192.168.10.5 255.255.255.0
 !
 vlan 40 server
  ip address 192.168.60.4 255.255.255.0 alt 192.168.60.5 255.255.255.0
  alias 192.168.60.6 255.255.255.0
 !
 probe ICMP icmp
  interval 3
  failed 5
 !
 probe HTTPWEB http
  interval 3
  failed 5
 !
 probe HTTPSWEB tcp
  interval 3
  failed 5
  port 445
 !
 probe TCP tcp
  interval 2
  failed 3
 !
 serverfarm MOCINT-VIP1
  nat server
  no nat client
  predictor leastconns
  real 192.168.20.71
   inservice
  real 192.168.20.72
   inservice
  probe ICMP
  probe HTTPWEB
 !
 serverfarm MOCWEB-VIP1
  nat server
  no nat client
  predictor leastconns
  real 192.168.10.65
   inservice
  real 192.168.10.66
   inservice
  probe ICMP
  probe HTTPWEB
 !
 serverfarm SSL-MOCINT
  nat server
  no nat client
  real 192.168.60.11 445
   inservice
  real 192.168.60.12 445
   inservice
  probe TCP
 !
 serverfarm SSL-MOCWEB
  nat server
  no nat client
  real 192.168.60.21 445
   inservice
  real 192.168.60.22 445
   inservice
  probe TCP
 !
 sticky 10 netmask 255.255.255.255 timeout 20
 !
 sticky 20 cookie cookie-server timeout 30
 !
 vserver DECRYPT-MOCINT
  virtual 192.168.60.10 tcp 445
  vlan 40
  serverfarm MOCINT-VIP1
  replicate csrp sticky
  persistent rebalance
  parse-length 4000
  inservice
 !
 vserver DECRYPT-MOCWEB
  virtual 192.168.60.20 tcp 445
  vlan 40
  serverfarm MOCWEB-VIP1
  replicate csrp sticky
  persistent rebalance
  parse-length 4000
  inservice
 !
 vserver HTTP-MOCINT
  virtual 192.168.20.70 tcp www
  vlan 6
  serverfarm MOCINT-VIP1
  advertise active
  sticky 20 group 10
  replicate csrp sticky
  persistent rebalance
  parse-length 4000
  inservice
 !
 vserver HTTP-MOCWEB
  virtual 192.168.10.60 tcp www
  vlan 7
  serverfarm MOCWEB-VIP1
  advertise active
  sticky 30 group 20
  replicate csrp sticky
  persistent rebalance
  parse-length 4000
  inservice
 !
 vserver HTTPS-MOCINT
  virtual 192.168.20.70 tcp https
  vlan 6
  serverfarm SSL-MOCINT
  persistent rebalance
  inservice
 !
 vserver HTTPS-MOCWEB
  virtual 192.168.10.60 tcp https
  vlan 7
  serverfarm SSL-MOCWEB
  persistent rebalance
  inservice
 !

Gilles Dufour
Cisco Employee

There is a sample config for sslm and csm in bridge mode.

http://www.cisco.com/en/US/products/hw/modules/ps2706/products_configuration_example09186a00802c1201.shtml

The firewall module should simply be placed in the upper vlan [vlan 50] in the example.

I wrote the document so I hope you will find it useful.

Regards,

Gilles.


Thank you for the URL, I find it very useful.

I'll study it and test it out in our labs. Thanks again.

Hi, did you get a chance to test the above config? Could you please post the working configs for both the CSM and the SSL module?

Btw, I have this very basic question... I am trying to design a similar setup with the CSM in bridged mode for multiple segments (I mean multiple server/client pairs), just the same way zeremy has in his network. I see that zeremy has used VLAN 40 for the SSL segment. My question is whether this VLAN 40 SSL segment can serve both the Internet as well as the Intranet server farms (see zeremy's diagram)? My assumption was that I will need one proxy SSL VLAN for each of the server/client pairs that I am trying to load balance. Isn't this true? Please advise.

you only need 1 proxy-vlan to go from csm to ssl.

The SSLM is not aware of how many vlans you have on the CSM. One proxy-vlan can serve all internal and external traffic.

The CSM is the device that will do the routing.

Gilles.
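As an added example (not code from this thread, from Cisco, or from the config-example document linked above), here is a small Python audit that turns Gilles's answer and zeremy's draft into something checkable: it parses a condensed, re-indented subset of the CSM config posted earlier in the thread (constructed here from that post; server VLANs 60/70, probes and the HTTP vservers are dropped for brevity), finds the proxy VLAN(s) by looking for the clear-text "decrypt" vservers, and flags vservers or serverfarms that reference something the CSM cannot reach. The assumption that port 445 is the port on which the SSLM hands decrypted traffic back to the CSM is taken from the posted config, not from the SSLM documentation.

```python
"""Cross-check a CSM bridge-mode / SSLM config for dangling references.
Added example, not code from the thread; the embedded config is a condensed,
re-indented subset of the draft posted above (constructed for this example)."""
import ipaddress

CSM_CONFIG = """\
vlan 6 client
 ip address 192.168.20.4 255.255.255.0
vlan 7 client
 ip address 192.168.10.4 255.255.255.0
vlan 40 server
 ip address 192.168.60.4 255.255.255.0
serverfarm MOCINT-VIP1
 real 192.168.20.71
serverfarm MOCWEB-VIP1
 real 192.168.10.65
serverfarm SSL-MOCINT
 real 192.168.60.11 445
serverfarm SSL-MOCWEB
 real 192.168.60.21 445
vserver DECRYPT-MOCINT
 virtual 192.168.60.10 tcp 445
 vlan 40
 serverfarm MOCINT-VIP1
vserver DECRYPT-MOCWEB
 virtual 192.168.60.20 tcp 445
 vlan 40
 serverfarm MOCWEB-VIP1
vserver HTTPS-MOCINT
 virtual 192.168.20.70 tcp https
 vlan 6
 serverfarm SSL-MOCINT
vserver HTTPS-MOCWEB
 virtual 192.168.10.60 tcp https
 vlan 7
 serverfarm SSL-MOCWEB
"""

CLEAR_TEXT_PORT = "445"  # port the SSLM returns decrypted traffic on (assumed from the post)
PORT_NAMES = {"https": "443", "www": "80"}  # the CSM accepts names or numbers

def parse_csm(text):
    """Split CSM config text into (keyword, args, [sub-line tokens]) sections."""
    sections = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("!"):
            continue
        if line[0] != " ":
            kw, *args = line.split()
            sections.append((kw, args, []))
        else:
            sections[-1][2].append(line.split())
    return sections

def build_model(sections):
    """Index VLAN subnets, serverfarm reals and vservers by name."""
    m = {"vlans": {}, "farms": {}, "vservers": {}}
    for kw, args, body in sections:
        if kw == "vlan":
            nets = [ipaddress.ip_network(f"{t[2]}/{t[3]}", strict=False)
                    for t in body if t[:2] == ["ip", "address"]]
            m["vlans"][args[0]] = nets[0] if nets else None
        elif kw == "serverfarm":
            m["farms"][args[0]] = [ipaddress.ip_address(t[1]) for t in body if t[0] == "real"]
        elif kw == "vserver":
            vs = {}
            for t in body:
                if t[0] == "virtual":
                    vs["port"] = PORT_NAMES.get(t[3], t[3])
                elif t[0] in ("vlan", "serverfarm"):
                    vs[t[0]] = t[1]
            m["vservers"][args[0]] = vs
    return m

def vlan_of(m, ip):
    """CSM VLAN whose subnet contains ip, or None if the CSM cannot reach it."""
    return next((v for v, net in m["vlans"].items() if net is not None and ip in net), None)

def audit(m):
    """Return (findings, proxy_vlans): broken references and the CSM-to-SSLM VLANs."""
    findings = []
    # A VLAN carrying a clear-text "decrypt" vserver is a proxy VLAN to the SSLM;
    # Gilles's point is that one such VLAN can serve every farm.
    proxy_vlans = {vs.get("vlan") for vs in m["vservers"].values()
                   if vs.get("port") == CLEAR_TEXT_PORT}
    for name, reals in m["farms"].items():
        for ip in reals:
            if vlan_of(m, ip) is None:
                findings.append(f"serverfarm {name}: real {ip} is on no CSM VLAN")
    for name, vs in m["vservers"].items():
        if vs.get("vlan") not in m["vlans"]:
            findings.append(f"vserver {name}: vlan {vs.get('vlan')} is not defined")
        reals = m["farms"].get(vs.get("serverfarm"))
        if reals is None:
            findings.append(f"vserver {name}: serverfarm {vs.get('serverfarm')} is not defined")
        elif vs.get("port") == "443":
            # Encrypted VIP: its reals must be SSLMs on a proxy VLAN, otherwise the
            # CSM hands TLS straight to a web server that only speaks clear text.
            for ip in reals:
                if vlan_of(m, ip) not in proxy_vlans:
                    findings.append(f"vserver {name}: SSL real {ip} is not on a proxy VLAN")
    return findings, proxy_vlans

def audit_text(text):
    """Parse and audit a config in one step; returns (findings, proxy_vlans)."""
    return audit(build_model(parse_csm(text)))
```

On the posted draft, `audit_text(CSM_CONFIG)` returns no findings and a single proxy VLAN, 40, for both the Internet and Intranet farms, which is exactly the one-proxy-VLAN layout Gilles describes. Pointing an HTTPS vserver's serverfarm at a web server real instead of an SSLM real is the kind of mistake it catches. To run it against a real box, feed it the body of `module ContentSwitchingModule N` from the running config with the module-level indentation stripped; the parser only understands the two nesting levels used here.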

Hi, attached is the working config. I've tested it so far with no problems. I just need to tweak the stickiness configuration. Comments, anyone?

I've only used Vlan40 (SSL segment) to serve both my internet and intranet server farms.

Thank you both for your prompt replies..

Just a follow-up question on SSL redundancy. I have got two CSM-S modules on two different 6K chassis. I assume we can configure the CSMs only in Active/Standby mode. However, is it possible to make the SSL daughter boards load share in Active-Active mode? I know that if these were SSL modules instead of daughter boards, we could load share the SSL modules. However, in my case, both SSLs are part of the CSM. So, I will have to configure the local keyword while defining the REAL SSL offloaders. When the CSMs switch over, the local keyword will result in a conflict. Hope I made my question clear.
