|
Table Of Contents
Configuring Service Ports on the DPE
Provisioning Group Scalability and Failover
Adding DPE to a Provisioning Group
Configuring CWMP Service
This chapter describes how to configure the CWMP service in Broadband Access Center (BAC). Topics covered are:
– Configuring Service Ports on the DPE
– Discovering Data from Devices
• Provisioning Group Scalability and Failover
– Adding DPE to a Provisioning Group
Note Through the provisioning API, you can also execute many of the operations that are possible from the administrator user interface.
CWMP Service Configuration
CWMP is a specification of a set of remote procedure calls (RPCs), for example, GetParameterValues, SetParameterValues, and so on. These RPCs define the generic mechanism by which BAC reads or writes parameters to customer premises equipment (CPE) in order to manage it. These parameters include:
•Device configuration information
•Status information
•Performance statistics
You can enable or disable CWMP features on the DPE by using the DPE CLI.
Among the features that you can configure on the DPE are:
•HTTP-based Basic or Digest authentication
•Certificate-based authentication
•HTTP over SSL/TLS service settings
•Handling of unknown devices
•Debugging settings
•Session management settings
•CWMP service settings
•HTTP file service settings
For information on how to configure these properties, refer to the Cisco Broadband Access Center DPE CLI Reference, Release 3.0.
Configuring Service Ports on the DPE
You can configure the ports on which the CWMP services communicate with a device. You can independently configure each instance of the CWMP services—the CWMP RPC service and the HTTP file service—to suit your requirements. Table 12-1 describes how you configure ports for each service.
Connection Request Service
Connection requests instruct the device to establish a CWMP session with the DPE. You can use the BAC connection request service to activate a configuration on a device, execute firmware changes to the device, or execute immediate operations upon the device.
Initiated by the DPE, connection requests are the only method available to the DPE to establish a session with a device. Once a session is established, the device or the DPE may perform any RPCs, including device operations and configuration changes.
Figure 12-1 Connection Request in BAC
Figure 12-1 describes the flow of a connection request in BAC. The RDU delegates the connection request to the best available DPE in the device's provisioning group. Once the connection request ends, the DPE notifies the RDU of the result.
Configuring Connection Request Options
You can use BAC to control the behavior of connection requests by configuring your preferences for:
• Configuring Connection Request Methods
Note You can set your preferences on the device object or in its property hierarchy.
Configuring Authentication
Two properties that you set on the device object in the RDU affect authentication. They are:
•On the API:
–
IPDeviceKeys.CONNECTION_REQUEST_USERNAME
–
IPDeviceKeys.CONNECTION_REQUEST_PASSWORD
•On the administrator user interface:
–Devices > Modify Device > Connection Request User Name field
–Devices > Modify Device > Connection Request Password field
You can also set the connection request username and password while adding a device on the Add Device page, and change the username and password in the Modify Device page.
Both properties control the connection request username and password that are used in DPE-CPE authentication. This username and password differ from the username and password used to authenticate CWMP sessions between the DPE and a device. These properties are for a single device; thus, they can be set only on the device object.
If you have not specified a connection request password, the CWMP session password that authenticates a device to the DPE is used. If the connection request username is also not specified, the device ID is used.
Note It is up to the device to issue an authentication challenge during connection request authentication, as illustrated in Figure 12-1. The DPE expects to be challenged with HTTP Digest authentication. There is no DPE configuration for connection request handling.
Note The API properties do not automatically update device parameters. You must preconfigure the corresponding values on the device or configure the values via a configuration template which can reference these properties.
Configuring Connection Request Methods
You can specify the method in which BAC attempts to perform a connection request by using the provisioning API or the administrator user interface. The selected method dictates how BAC determines the connection request URL to be used to contact the device.
The API property
IPDeviceKeys.CONNECTION_REQUEST_METHOD
specifies the connection request method (subsequent descriptions provide the details of each method).
Note You can specify this property anywhere in the device hierarchy.
To configure the default connection request method by using the administrator user interface, choose Configuration > Default > CWMP Defaults, and select an option from the drop-down list.
BAC supports three methods to configure a connection request:
•Discovered
•Using FQDN
•Using IP
When selecting a connection request method, it is important to consider performance and manageability, as each method provides different levels of both. Refer to the recommendation for each method before choosing your method of connection requests.
Discovered Connection Request
The Discovered method, during CPE interactions with the DPE, modifies the data synchronization instruction to discover the device's connection request URL, which corresponds to the parameter InternetGatewayDevice.ManagementServer.ConnectionRequestURL, whenever the DPE interacts with the device. The RDU records any updates to this parameter value and uses it when making connection requests.
Note This value must be discovered before connection requests are attempted.
Recommendation: Because this parameter value changes each time the device's WAN IP address changes and every update has to be stored at the RDU, it is not the optimal method for
connection requests.Use FQDN Connection Request
The Use FQDN method uses the fully qualified domain name (FQDN) specified for the device at the RDU to construct a connection request URL for the device. It uses the FQDN along with the values specified in the following properties on the API:
•
IPDeviceKeys.CONNECTION_REQUEST_PORT
•
IPDeviceKeys.CONNECTION_REQUEST_PATH
You can also specify these properties on the administrator user interface:
Step 1 Choose Devices > Manage Devices.
Step 2 Use one of these methods:
•Add a device record. To do this, click the Add button. The Add Device page appears.
•Search for a device record. To do this, specify a Search Type and enter values for the screen components that are unique to the search type that you select. A list of devices appears. Click the Identifier link corresponding to the desired device. The Modify Device page appears.
Step 3 From the Property Name drop-down list, select the /IPDevice/connectionRequestPort and /IPDevice/connectionRequestPath properties, and enter appropriate values in the Property Value field.
Note The API constants for /IPDevice/connectionRequestPort and /IPDevice/connectionRequestPath are
IPDeviceKeys.CONNECTION_REQUEST_PORT
andIPDeviceKeys.CONNECTION_REQUEST_PATH
, respectively.Step 4 Click Add.
Note You can specify the port and path properties anywhere in the property hierarchy.
Recommendation: Because the Use FQDN method relies on the DNS being updated with the device's correct IP address, you do not need to update BAC whenever the device IP address changes. Subsequently, this option is the most scalable one for connection requests.
Use IP Connection Request
The Use IP method discovers the device's WAN IP address by using the same mechanism as the Discovered method. Then, it constructs a connection request URL for the device by using the values in the following API properties:
•
IPDeviceKeys.CONNECTION_REQUEST_PORT
•
IPDeviceKeys.CONNECTION_REQUEST_PATH
You can also specify these properties on the administrator user interface:
Step 1 Choose Devices > Manage Devices.
Step 2 Use one of these methods:
•Add a device record. To do this, click the Add button. The Add Device page appears.
•Search for a device record. To do this, specify a Search Type and enter values for the screen components that are unique to the search type that you select. A list of devices appears. Click the Identifier link corresponding to the desired device. The Modify Device page appears.
Step 3 From the Property Name drop-down list, select the /IPDevice/connectionRequestPort and /IPDevice/connectionRequestPath properties, and enter appropriate values in the Property Value field.
Note The API constants for /IPDevice/connectionRequestPort and /IPDevice/connectionRequestPath are
IPDeviceKeys.CONNECTION_REQUEST_PORT
andIPDeviceKeys.CONNECTION_REQUEST_PATH
, respectively.Step 4 Click Add.
Recommendation: Because the Use IP method relies on the RDU having the device's WAN IP address, it requires the WAN IP address to be discovered before connection requests are attempted. And because the device's WAN IP address changes, the RDU must be updated with the new IP address. Subsequently, this option is not the optimal method for connection requests.
Disabling Connection Requests
You can choose to disable the connection request service. This option is useful if a device uses NAT and connection requests are not possible.
Note You can use ConnectionRequest via API device operations even if you disable connection requests.
Configuring Reachability
Reachability plays an important role in configuring connection requests. BAC refuses connection requests if a device's reported IP address and its source IP address do not match because this implies that the device uses the NAT standard, and therefore, configuration requests would not normally succeed. You can change this behavior from the administrator user interface or the API.
By using the API, set the property
IPDeviceKeys.FORCE_ROUTABLE_IP_ADDRESS
to true to allow connection requests regardless of a mismatch in the device source IP address.From the administrator user interface:
Step 1 Choose Devices > Manage Devices.
Step 2 Use one of these methods:
•Add a device record. To do this, click the Add button. The Add Device page appears.
•Search for a device record. To do this, specify a Search Type and enter values for the screen components that are unique to the search type that you select. A list of devices appears. Click the Identifier link corresponding to the desired device. The Modify Device page appears.
Step 3 From the Property Value drop-down list, select /IPDevice/forceRouteIPAddress, and set a property value.
Note The API constant for /IPDevice/forceRouteIPAddress is
IPDeviceKeys.FORCE_ROUTABLE_IP_ADDRESS
.Step 4 Click Add.
Note You can specify this property anywhere on the device's hierarchy.
Discovering Data from Devices
This section describes the Discovery of Data feature, which you use to retrieve a predefined set of parameters from the device, and store these parameters in the RDU for future use. You can use this discovered data to manage device firmware and device configurations by providing some key attributes of the device and its current configuration. Discovered parameters are updated at the RDU any time their values change on the device.
You can configure data discovery at the RDU. The RDU forwards discovery policy instructions and the values of parameters, discovered for each device during the previous discovery process, to the appropriate DPEs. During interactions with the device, the DPE consults the discovery policy instructions specific to the device to determine what parameters need to be discovered.
Once parameter values are discovered, existing device parameters are compared with those already stored for the device. If the values have changed or are being obtained for the first time, this data is updated at the RDU. If the RDU is not available to receive the update, the newly discovered data is dropped, and the entire process of data discovery is initiated the next time the device connects with the DPE.
Discovered parameters are stored on device records and you can view them by using the administrator user interface or obtain them via the API
IPDevice.getDetails()
call. To view discovered parameters via the user interface, access the Manage Devices page under the Devices tab on the primary navigation bar. Locate the device by using the search options, and click the View Details icon () corresponding to the device. The Device Details page appears, displaying details of the discovered parameters for the device.The following sections describe:
• Troubleshooting Data Discovery
Configuring Data Discovery
Data discovery policy is configured via the RDU and includes parameters checked:
•On every device contact.
•Only upon a firmware upgrade.
While the discovery of data process executes every time a device establishes contact with the DPE, you can configure validation of certain parameters to occur only if the device has reported a new firmware version. This check eliminates the need to validate parameters whose values change only with a firmware upgrade. For example, the device model name does not change without a firmware upgrade; thus, you do not need to check this parameter on the device unless the firmware has been upgraded.
BAC ships with a default configuration for data discovery. You can augment this default configuration in two ways:
•Add parameters to a custom list.
•Change the default list. This option, however, is not recommended.
Configuring Parameters Checked on Every Contact
You can configure the default list of parameters discovered everytime the device connects with the DPE by using the
ServerDefaultsKeys.CWMP_DISCOVER_PARAMETERS
property. You can add more parameters to the default list by providing a comma-separated list of parameters as a value to theIPDeviceKeys.CWMP_CUSTOM_DISCOVER_PARAMETERS
property. The default list includes:•Inform.DeviceId.Manufacturer
•Inform.DeviceId.ManufacturerOUI
•Inform.DeviceId.ProductClass
•InternetGatewayDevice.DeviceInfo.HardwareVersion
•InternetGatewayDevice.DeviceInfo.SoftwareVersion
•InternetGatewayDevice.ManagementServer.ParameterKey
For example:
IPDeviceKeys.CWMP_CUSTOM_DISCOVER_PARAMETERS= InternetGatewayDevice.ManagementServer.URL, InternetGatewayDevice.ManagementServer.PeriodicInformEnable
Configuring Parameters Checked on Firmware Upgrade
You can configure the default list of parameters discovered after every firmware upgrade by using the
ServerDefaultsKeys.CWMP_FIRMWARE_CHANGED_CPE_PARAMETERS
property. This default list includes the InternetGatewayDevice.DeviceInfo.ModelName parameter.To customize this list to include more parameters, use the
IPDeviceKeys.CWMP_CUSTOM_FIRMWARE_CHANGED_PARAMETERS
property.Troubleshooting Data Discovery
You can also troubleshoot data discovery from the DPE CLI by using any of the tasks described in Table 12-2.
Provisioning Group Scalability and Failover
This section describes the scalability and failover features provided in this release of BAC.
BAC's scalability and failover provide a high degree of availability to suit networks of virtually any size, even those with millions of devices deployed. The product also provides such critical features as DPE redundancy and failover protection.
Scalability in a BAC deployment is accomplished through provisioning groups, each of which is a cluster of redundant DPE servers that communicate with a set of CPE. Provisioning groups enhance the scalability of the BAC network by making each provisioning group responsible only for a subset of devices. This partitioning of devices can be along regional groupings or any other policy defined by the service provider.
To scale a deployment, the administrator can:
•Upgrade existing DPE server hardware.
•Add DPE servers to a provisioning group.
•Add provisioning groups and redistribute devices among them.
BAC supports explicit assignment and automatic membership of devices to provisioning groups. For more information, see CPE Management Overview.
Redundancy in BAC
Redundancy helps to ensure:
•High availability for your network applications.
•Users do not experience long network delays or black holes due to a single point of failure.
BAC supports local as well as regional server redundancy.
Local Redundancy
The BAC provisioning group is a cluster of redundant DPE servers that communicate with a set of CPE. A single URL identifies each provisioning group. All CPE requests to a provisioning group are load-balanced between available DPEs, with each DPE capable of processing any device in its provisioning group.
Regional Redundancy
Regional redundancy ensures that DPEs in a different location temporarily process CPE requests in case of regional failure. The simplest way of facilitating this deployment is to set up DPEs within a provisioning group in different geographic locations. In such a setup, CPE requests are serviced by DPEs located in different regions, providing regional failover within the confines of the provisioning group.
In some deployments, however, you may require that CPE requests be processed by servers in one location and fail over to DPEs in another location only in case of failure. In such a scenario, you can also locate DPEs for a provisioning group in different regions yet configure the network such that, under normal conditions, CPE requests are directed only to a subset of the DPEs in a particular region.
Typically, you can configure regional redundancy by using DNS techniques. To configure the network for regional redundancy, ensure that the BAC hostname of a given provisioning name normally resolves to IP address(es) representing one set of DPEs. But when none of the DPE servers in that set responds to keepalives, such as ICMP, HTTP GET, or a TCP handshake), the DNS server should resolve the BAC hostname to the IP address(es) of the DPEs from a second set. CPE requests are then directed to a different set of DPEs. Since DPEs in both sets belong to the same provisioning group, the new DPEs are ready to respond to requests. Subsequent DNS lookup requests fall back to the primary set of DPEs as soon as they become available.
You can configure regional redundancy by using any software or hardware that provide load-balancing features, such as the Cisco 11500 Content Services Switch.
DPE Load-Balancing
BAC supports the following mechanisms for DPE redundancy and load-balancing:
• Using a Hardware Load Balancer
Using DNS Round Robin
In using the DNS round-robin mechanism, the DNS server shuffles the list of DPE IPs when resolving the autoconfiguration server (ACS) hostname for the device. The device then takes the first IP address in the list as the ACS hostname.
This option is not recommended if the service provider does not control DNS caching servers. Also, DNS round-robinning performs less than ideally in a power outage scenario, when a large number of devices may receive the same order IP address cached by the DNS server, thus impacting performance. To work around this issue, Cisco recommends configuring a very short TTL of 1 second on the DNS server.
Using a Hardware Load Balancer
In using a hardware load balancer, the ACS URL contains the IP address or is resolved by the DNS server to a single IP address. All DPEs for a provisioning group are hidden behind a single virtual IP address of the hardware load balancer, such as the Cisco 11500 Content Services Switch (CSS). You configure the hardware load balancer to translate its virtual IP address to a specific DPE IP address based on any number of load-balancing algorithms. A redundant pair of load balancers can improve redundancy and may service more than one provisioning group.
Adding DPE to a Provisioning Group
This section describes how to add a DPE to a new provisioning group. In adding a DPE to a provisioning group, there are three possible options:
•Adding a DPE to a provisioning group
•Add a DPE to a provisioning group in a deployment that uses a hardware load balancer, such as Cisco 11500 CSS, between the device and the DPE. In this case, you must update the load balancer.
•Adding a DPE to a provisioning group in a deployment in which a DNS server, using round robin, resolves to multiple DPEs for a provisioning group.
To add a DPE to a provisioning group:
Step 1 Configure the DPE from the DPE CLI. Among the configurations you must perform are:
•Specifying the provisioning group to which the DPE must belong. Enter:
dpe# dpe provisioning-group primary name
–name—Identifies the assigned primary provisioning group.
•Specifying the RDU to which the DPE connects. Enter:
dpe# dpe rdu-server {host | ip} port
–host—Identifies the FQDN of the host on which the RDU is running.
–ip—Identifies the IP address of the RDU.
–port—Identifies the port number on which RDU is listening for DPE connections. By default, this port number is 49187.
•Configuring the FQDN for a specific interface. The provisioning FQDN is the FQDN that is given to a device to contact the specific DPE interface. Enter:
dpe# interface ethernet {intf0 | intf1} provisioning fqdn fqdn
–intf0 | intf1—Identifies the Ethernet interface.
–fqdn—Identifies the FQDN that is set on the specified interface.
You must use the same FQDN for all DPEs in a given provisioning group. If DPEs are located behind the load balancer, use the FQDN of the load balancer as the interface FQDN, and ensure that it is the same for all DPEs which are part of the same load-balancing group.
Note You must also configure the CWMP service and the HTTP file service on one DPE to match the configurations on other DPEs. For more information on configuration options, refer to the Cisco Broadband Access Center DPE CLI Reference, Release 3.0. Also, refer to Configuration Workflows and Checklists.
Step 2 Start the DPE by using the dpe start command, and allow the DPE to synchronize and populate device configuration instructions from the RDU.
Step 3 Optionally, if you are using a load balancer, add the DPE address to the load balancer.
Step 4 Optionally, if you are using the DNS round robin technique, add the DPE address to the DNS server.
DPE Load-Balancing by Using Cisco CSS
This section describes how to configure Cisco 11501 CSS for load-balancing BAC traffic. The Cisco CSS front-end server handles the incoming TCP traffic from the CWMP devices that BAC supports and load-balances the TCP sessions across the Cisco CSS back-end servers, in this case, the DPEs.
Note If configured, Cisco CSS supports HTTP over SSL (referred to as SSL in this section) on the front-end and the back-end servers.
Initial CSS Configuration
When you first power up a Cisco CSS, a startup configuration menu appears, in which you set a minimum configuration, which includes the IP address, subnet mask and default gateway for the Ethernet management port. Do not configure this information.
Then, you are prompted to change the default username (admin) and password (system). Optionally, you can change these credentials. The username should be between 1 and 16 characters long and the password should be between 6 and 16 characters.
You are then prompted for additional configuration information, which you must provide if the running-configuration and the startup-configuration are cleared later.
Example 12-1 shows a Cisco CSS initial configuration:
Example 12-1 Cisco CSS Initial Configuration
Checking for Existing Config...
No startup-config was found, continue with the setup script [y/n]? y
Note: Pressing 'q' after any prompt quits setup.
Pressing <CR> after any [y/n] defaults to 'y'.
Warning: All circuit VLAN IP addresses must be on a different
subnet than the Ethernet Mgt port IP address.
The existing Ethernet Mgt port IP address is: 0.0.0.0
Add an IP address to VLAN1: [default = 192.168.10.1]? 10.86.147.51
Add an IP subnet mask to VLAN1: [default = 255.255.255.0]? 255.255.255.224
Would you like to specify a default gateway? [y/n]? y
Warning: The default gateway IP address must be on the same subnet
as VLAN1. VLAN1 IP address is: 10.86.147.51
Add IP address for default gateway: [default = 10.86.147.2]? 10.86.147.33
Pinging the default gateway: 0% Success.
Which feature do you want to configure?
[1] Layer3 load balancing
[2] Layer5 load balancing
[3] Proxy cache
[4] Transparent cache
[5] Exit script
Enter the number of the feature you want to configure: 5
Showing the Running Config
CSS11501# show running-config
!Generated on 07/17/2006 13:00:30
!Active version: sg0750103
configure
!*************************** GLOBAL ***************************
ip route 0.0.0.0 0.0.0.0 10.86.147.33 1
!************************** CIRCUIT **************************
circuit VLAN1
ip address 10.86.147.51 255.255.255.224
CSS11501#
Since VLAN 1 is the default VLAN, all eight ports on Cisco CSS can be used as the front-end port for Cisco CSS. But for the purpose of this example, Ethernet port 0 is used as the front-end server port. The front-end router or switch is used to allow access to Cisco CSS or the DPEs from the customer network, and the IP address of the interface on this switch or router connected to Cisco CSS is the address configured on Cisco CSS for the default gateway (10.86.147.33). The FTP server (IP address 10.86.147.53) is connected to Ethernet port 8 on Cisco CSS. This FTP server is used in a later configuration.
Configuring DPE Load-balancing on Cisco CSS
You can use the configuration described in this section to perform simple load-balancing of the traffic from devices in the customer network between the back-end DPE servers. The load-balancing algorithm used is a simple round-robin. The CWMP devices use HTTP to connect to Cisco CSS, and the connections are passed through as HTTP to the DPE servers.
Note For detailed information on configuring CSS, refer to the Cisco Content Services Switch SSL Configuration Guide (Software Version 7.40).
Example 12-2 Configuring DPE Load-Balancing on Cisco CSS
The following example describes a configuration with two DPE servers on the same subnet. The DPE servers in this example have IP addresses of 11.32.0.26/12 and 11.32.0.27/12. The IP address of the back-end server Cisco CSS VLAN assigned to the Ethernet ports is 11.32.0.1/12. The VIP address and TCP port that are configured in the content rule are 10.86.147.52 and 7547. The CWMP devices use a URL to connect to Cisco CSS to load-balance between the DPEs; the URL is http://10.86.147.52:7547/acs.
Step 1 Log into the configuration mode on Cisco CSS.
CSS11501#config t<cr>
Step 2 Configure the two interfaces that the DPEs use and assign them to VLAN2 using the following commands.
CSS11501(config)#interface e1<cr>
CSS11501(config-if[e1])#bridge vlan 2<cr>
CSS11501(config-if[e1])#interface e2<cr>
CSS11501(config-if[e2])#bridge vlan 2<cr>
CSS11501(config-if[e2]}#exit<cr>
Step 3 Configure VLAN 2 that the two DPEs will use:
CSS11501(config)#circuit VLAN2<cr>
CSS11501(config-circuit[VLAN2])#ip address 11.32.0.1/12<cr>
Create ip interface <11.32.0.1>, [y/n]:y<cr>
CSS11501(config-circuit-ip[VLAN2-11.32.0.1])#exit<cr>
CSS11501(config-circuit[VLAN2])#exit<cr>
Step 4 Configure the services that are assigned to each DPE, and activate the services.
Note The two services are later added to the content rule, which is configured to load-balance HTTP traffic across the two DPEs.
CSS11501(config)# service DPE-1<cr>
Create service <DPE-1>, [y/n]:y
CSS11501(config-service[DPE-1])#keepalive type tcp<cr>
CSS11501(config-service[DPE-1])#keepalive port tcp 7547<cr>
CSS11501(config-service[DPE-1])#ip address 11.32.0.26<cr>
CSS11501(config-service[DPE-1])#active<cr>
CSS11501(config-service[DPE-1])# service DPE-2<cr>
Create service <DPE-2>, [y/n]:y
CSS11501(config-service[DPE-2])# keepalive type tcp<cr>
CSS11501(config-service[DPE-2])# keepalive port 7547<cr>
CSS11501(config-service[DPE-2])# ip address 11.32.0.27<cr>
CSS11501(config-service[DPE-2])# active<cr>
CSS11501(config-service[DPE-2])#exit<cr>
Step 5 Configure an owner who will contain the content rule used to load-balance incoming HTTP traffic. You can choose any name as the owner name.
CSS11501(config)# owner User1<cr>
Create owner <User1>, [y/n]:y
CSS11501(config-owner[User1])#
Step 6 Configure the content rule and activate it by using:
Note The VIP address for the content rule is the IP address that CWMP devices will use to connect to Cisco CSS.
CSS11501(config-owner[User1])# content Clear-text<cr>
Create content <Clear-text>, [y/n]:y
CSS11501(config-owner-content[User1-Clear-text])# protocol tcp<cr>
CSS11501(config-owner-content[User1-Clear-text])# port 7547<cr>
CSS11501(config-owner-content[User1-Clear-text])# add service DPE-1<cr>
CSS11501(config-owner-content[User1-Clear-text])# add service DPE-2<cr>
CSS11501(config-owner-content[User1-Clear-text])# vip address 10.86.147.52<cr>
CSS11501(config-owner-content[User1-Clear-text])#active<cr>
CSS11501(config-owner-content[User1-Clear-text])#exit<cr>
CSS11501(config-owner[User1])#exit<cr>
CSS11501(config)#exit<cr>
CSS11501#
Step 7 The configuration is now complete. Copy the running-configuration to the startup-configuration to make a permanent record of the configuration that is loaded whenever Cisco CSS reboots.
CSS11501# copy running-config startup-config<cr>
Working..(\) 100%
CSS11501#
Configuring Client Certificate Authentication on Cisco CSS
In the following example, the device uses SSL to connect to Cisco CSS. The connections are passed through as HTTP to the DPE servers. Cisco CSS authenticates the certificates that the devices send. Optionally, it can allow certificates to be forwarded through the HTTP headers to the DPEs.
Example 12-3 Configuring Client Certificate Authentication on Cisco CSS
The following example describes a configuration with two DPE servers on the same subnet. The DPE servers in this example have an IP address of 11.32.0.26/12 and 11.32.0.27/12. The IP address of the back-end server Cisco CSS VLAN assigned to the Ethernet ports to which the DPEs are connected is 11.32.0.1/12. The VIP address and TCP port configured in the content rule are 10.86.147.52 and 7548. The URL that the device uses to connect to Cisco CSS is https://10.86.147.52:7548/acs.
Step 1 Log into the configuration mode on Cisco CSS.
CSS11501#config t<cr>
Step 2 Configure the two interfaces that the DPEs use and assign them to VLAN2 by using:
CSS11501(config)#interface e1<cr>
CSS11501(config-if[e1])#bridge vlan 2<cr>
CSS11501(config-if[e1])#interface e2<cr>
CSS11501(config-if[e2])#bridge vlan 2<cr>
CSS11501(config-if[e2]}#exit<cr>
Step 3 Configure VLAN 2 that the two DPEs will use:
CSS11501(config)#circuit VLAN2<cr>
CSS11501(config-circuit[VLAN2])#ip address 11.32.0.1/12<cr>
Create ip interface <11.32.0.1>, [y/n]:y<cr>
CSS11501(config-circuit-ip[VLAN2-11.32.0.1])#exit<cr>
CSS11501(config-circuit[VLAN2])#exit<cr>
Step 4 Configure the services that are assigned to each DPE, and activate the services.
Note The two services are later added to the content rule, which is configured to load-balance HTTP traffic across the two DPEs.
CSS11501(config)# service DPE-1<cr>
Create service <DPE-1>, [y/n]:y
CSS11501(config-service[DPE-1])#keepalive type tcp<cr>
CSS11501(config-service[DPE-1])#keepalive port tcp 7547<cr>
CSS11501(config-service[DPE-1])#ip address 11.32.0.26<cr>
CSS11501(config-service[DPE-1])#active<cr>
CSS11501(config-service[DPE-1])# service DPE-2<cr>
Create service <DPE-2>, [y/n]:y
CSS11501(config-service[DPE-2])# keepalive type tcp<cr>
CSS11501(config-service[DPE-2])# keepalive port 7547<cr>
CSS11501(config-service[DPE-2])# ip address 11.32.0.27<cr>
CSS11501(config-service[DPE-2])# active<cr>
CSS11501(config-service[DPE-2])#exit<cr>
Step 5 Configure an owner who will contain the content rule used to load-balance incoming HTTP traffic. You can choose any name as the owner name.
CSS11501(config)# owner User1<cr>
Create owner <User1>, [y/n]:y
CSS11501(config-owner[User1])#
Step 6 Configure an ftp-record for the FTP server. The ftp-record is used to download the root certificates for the device. Cisco CSS uses this configuration to authenticate the client certificates from the device, and the Cisco CSS server certificate and private key, which are sent to the device to authenticate the Cisco CSS server.
Note The ftp-record, named
ssl-machine
in this example, is a user-defined name and is used only as a reference to the FTP server when the certificates are loaded on Cisco CSS.For the purpose of this example, the username and password used to make an FTP connection are
root
andcisco
, respectively. The directory on the FTP server in which the certificates and keys are stored is /var/tmp/ftp.CSS11501(config)#ftp-record ssl-machine 10.86.147.53 root "cisco" /var/tmp/ftp<cr>
CSS11501(config)#exit<cr>
CSS11501#
Step 7 Load the certificates and keys from the FTP server.
For this example, the CWMP root certificate is called
cwmp_root.cer
, the Cisco CSS server certificate is calledcss.cer
, and the Cisco CSS private key is calledcss.key
.CSS11501#copy ssl ftp ssl-machine import cwmp_root.cer PEM "password"<cr>
CSS11501#copy ssl ftp ssl-machine import css.cer PEM "password"<cr>
CSS11501#copy ssl ftp ssl-mcahine import css.key PKCS12 "password"<cr>
Note The certificates used in this example are in PEM format, and the Cisco CSS private key is in PKCS12 format. The supported formats for these files are DER, PEM, and PKCS12. The user-definable password (password) encodes files in the Data Encryption Standard files.
Step 8 Associate the certificates and the key that you just loaded with names that can be referenced when the SSL proxy list is configured later, using the following commands:
CSS11501#config t<cr?
CSS11501(config)#ssl associate cert ca-root-cert cwmp_root.cer <cr>
CSS11501(config)#ssl associate cert css-server-cert css.cer <cr>
CSS11501(config)#ssl associate rsakey css-server-key css.key <cr>
CSS11501(config)#
Step 9 Configure the SSL proxy list. This list configures the:
–Certificates and the keys that will be used.
–Preferred cipher with the VIP address of the content rule for the back-end DPE servers.
–VIP address and the TCP port used by the device to connect to Cisco CSS.
Note You can define any name for the proxy list.
CSS11501(config)#ssl-proxy-list SSL<cr>
Create Ssl-list <SSL>, [y/n]:y
CSS11501(config-ssl-proxy-list[SSL]}#ssl-server 1<cr>
CSS11501(config-ssl-proxy-list[SSL])#ssl-server 1 port 7548<cr>
CSS11501(config-ssl-proxy-list[SSL])#ssl-server 1 rsakey css-server-key<cr>
CSS11501(config-ssl-proxy-list[SSL])#ssl-server 1 rsacert css-server-cert<cr>
CSS11501(config-ssl-proxy-list[SSL])#ssl-server 1 cacert ca-root-cert<cr>
CSS11501(config-ssl-proxy-list[SSL]}#ssl-server 1 cipher rsa-with-rc4-128-md5 10.86.147.60 7547
CSS11501(config-ssl-proxy-list[SSL])#ssl-server 1 authentication enable<cr>
CSS11501(config-ssl-proxy-list[SSL])#ssl-server 1 vip address 10.86.147.52<cr>
Step 10 If you want to pass the client certificate in the HTTP header to the DPE, add:
CSS11501(config-ssl-proxy-list[SSL])#ssl-server 1 http-header client-cert<cr>
Step 11 Activate the ssl-proxy-list.
CSS11501(config-ssl-proxy-list[SSL])#active<cr>
CSS11501(config-ssl-proxy-list[SSL])#exit<cr>
CSS11501(config)#
Step 12 Configure the SSL service that references the ssl-proxy-list. The service name is user-definable.
CSS11501(config)# service SSL<cr>
Create service <SSL>, [y/n]:y
CSS11501(config-service[SSL])#type ssl-accel<cr>
CSS11501(config-service[SSL])#add ssl-proxy-list SSL <cr>
CSS11501(config-service[SSL])#keepalive type none<cr>
CSS11501(config-service[SSL])#slot 2<cr>
CSS11501(config-service[SSL])#active<cr>
CSS11501(config-service[SSL])#exit<cr>
CSS11501(config)#
Step 13 Define a content rule that matches the VIP address and the port number output from the ssl-proxy-list.
CSS11501(config)#owner User1<cr>
CSS11501(config-owner[User1])#content Clear-text<cr>
CSS11501(config-owner[User1])#protocol tcp<cr>
CSS11501(config-owner[User1])#port 7547<cr>
CSS11501(config-owner[User1])# vip address 10.86.147.60<cr>
CSS11501(config-owner[User1])#add service DPE-1<cr>
CSS11501(config-owner[User1])#add service DPE-2<cr>
CSS11501(config-owner[User1])#active<cr>
CSS11501(config-owner[User1])#exit<cr>
Step 14 Configure the content rule that matches the address and the port number in the URL that the device sent.
CSS11501(config)#owner User1<cr>
CSS11501(config-owner[User1])#content SSL
Create content <SSL>, [y/n]:y
CSS11501(config-owner-content[User1-SSL])#protocol tcp<cr>
CSS11501(config-owner-content[User1-SSL])#port 7548<cr>
CSS11501(config-owner-content[User1-SSL])#add service SSL<cr>
CSS11501(config-owner-content[User1-SSL])#vip address 10.86.147.52<cr>
CSS11501(config-owner-content[User1-SSL])#active<cr>
CSS11501(config-owner-content[User1-SSL])#exit<cr>
CSS11501(config-owner[User1])#exit<cr>
CSS11501(config)#exit<cr>
CSS11501#
Step 15 Finally, save the running-configuration to the startup-configuration.
CSS11501#copy running-config startup-config<cr>
Working..(\) 100%
CSS11501#
Posted: Thu Aug 31 23:35:24 PDT 2006
All contents are Copyright © 1992--2006 Cisco Systems, Inc. All rights reserved.
Important Notices and Privacy Statement.