Deployment Examples

The following examples demonstrate how the Secure Content Accelerator can be integrated into a network.

This appendix contains the following sections:

  • Single Device
  • Load Balancing
  • Use with the CSS
  • Connecting the Device to a Terminal Server
  • Web Site Changes

Single Device

A single Secure Content Accelerator provides SSL offloading and processing for an entire server farm, as shown in Figure B-1.


Figure B-1: Single Secure Content Accelerator Installation

    1. Install the appliance as instructed previously.

    2. Connect the "Network" Ethernet interface to the Internet.

    3. Connect the "Server" Ethernet interface to Web server access.

Load Balancing

Secure Content Accelerator devices can be installed in front of or behind a load balancer. If the load balancer is using URL- or cookie-related load balancing, install the appliance in front of the load balancer. In this configuration, the load balancer receives clear text packets decrypted by the SSL device. Figure B-2 shows a typical installation.


Figure B-2: Secure Content Accelerator Installation with a Load Balancer

    1. Install the appliance as instructed previously.

    2. Connect the "Network" Ethernet interface to the Internet. Connect the "Server" Ethernet interface to the load balancer.

For information about configuring the Secure Content Accelerator in conjunction with the CSS 11000 Series Content Services Switch (hereinafter referred to as the CSS), see "Use with the CSS".

Use with the CSS

Using the Secure Content Accelerator with the CSS allows Layer 4 load balancing of the Secure Content Accelerator devices and Layer 5 routing and load balancing of the content they decrypt. Four deployment scenarios are recommended:

  • In-Line
  • Transparent Sandwich
  • One-Armed Non-Transparent Proxy
  • One-Armed Transparent Proxy

In-Line

Placing the Secure Content Accelerator in front of the CSS increases performance of the server farm by offloading all SSL processing from the servers. The Secure Content Accelerator is completely transparent to the CSS and servers.

This deployment is the simplest to configure because it requires no specific inter-operational configuration on either the Secure Content Accelerator or the CSS. However, the deployment provides a low level of scalability, based upon the capacity of the CSS. An example deployment is shown in Figure B-3.


Figure B-3: Secure Content Accelerator In-Line Installation

The CSS is used to front-end one or more Secure Content Accelerator devices. Because the Secure Content Accelerator is a Layer 2 device, it must be configured to ensure that bridge loops are not created. If multiple Secure Content Accelerator devices are used, each must be attached to a separate VLAN on the CSS and/or the upstream Layer 2 switch. The Secure Content Accelerator intercepts all port 443 traffic for the IP addresses configured on it, decrypts the traffic, and forwards it as clear text on another TCP service port to the CSS. All port 80 traffic is bridged transparently to the CSS. Table B-1 shows basic configuration actions for both the CSS and Secure Content Accelerator.


Table B-1: In-Line Installation Device Configuration

CSS Configuration:

  • Create a VLAN for each Secure Content Accelerator
  • Create a VLAN for the servers
  • Create services as required for each server, adding "keepalive" attributes as necessary
  • Create a default ECMP route for each load balanced Secure Content Accelerator using the upstream router as the gateway for each upstream VLAN
  • Create Layer 5 rules for the secure content
  • Create content rules as required for non-secure content

Secure Content Accelerator Configuration:

  • Export keys and certificates from any existing secure servers, if necessary
  • Assign an IP address to each Secure Content Accelerator as specified in the CSS configuration
  • Assign a default route for each Secure Content Accelerator using the CSS VLAN circuit IP address as the gateway
  • Set up one or more logical secure servers using the QuickStart wizard (Chapter 3) or configuration manager (Chapter 4)

The following listing shows a sample configuration for the CSS.

    !Generated on 11/18/2000 11:01:18
    !Active version: ap0400007s
    configure
    !*************************** GLOBAL ***************************
      bridge spanning-tree disabled
      no restrict web-mgmt
      ip route 0.0.0.0 0.0.0.0 10.176.11.1 1
    !************************* INTERFACE *************************
    interface ethernet-8
      bridge vlan 8
    !************************** CIRCUIT **************************
    circuit VLAN1
      ip address 10.176.10.1 255.255.255.0
    circuit VLAN8
      ip address 10.176.11.2 255.255.255.0
    !************************** SERVICE **************************
    service s1
      ip address 10.176.10.10
      protocol tcp
      active
    service s2
      ip address 10.176.10.11
      protocol tcp
      active
    service s3
      ip address 10.176.10.12
      protocol tcp
      active
    service s4
      ip address 10.176.10.13
      protocol tcp
      active
    !*************************** OWNER ***************************
    owner test
      content http-non-secure-port-80
        vip address 10.176.11.100
        protocol tcp
        port 80
        url "/*"
        add service s1
        add service s2
        add service s3
        add service s4
        active
      content http-secure-port-81
        vip address 10.176.11.100
        add service s1
        add service s2
        add service s3
        add service s4
        protocol tcp
        port 81
        url "/secure/*"
        active

Transparent Sandwich

This deployment places one or more Secure Content Accelerator devices between two CSS devices, allowing load balancing of up to 15 Secure Content Accelerator devices. Applications such as reverse proxy caching and content type separation can be enabled.

The transparent sandwich deployment is moderately difficult to configure and offers good scalability. A minimum of two CSS devices is required. Figure B-4 shows a typical deployment.


Figure B-4: Secure Content Accelerator Transparent Sandwich Installation

The upstream CSS is configured as if the Secure Content Accelerator devices are transparent caches with redirection at Layer 4. Port 80 traffic is forwarded via Layer 3 to the downstream CSS, avoiding any potential Port 80 bottleneck at the Secure Content Accelerator level. Because the Secure Content Accelerator is a Layer 2 device, it must be configured to ensure that bridge loops are not created.

The Secure Content Accelerator intercepts all port 443 traffic for the IP addresses configured on it, decrypts the traffic, and forwards it as clear text on another TCP service port to the downstream CSS. The downstream CSS is configured with Layer 5 rules for all origin servers and multiple ECMP routes, each to a different upstream VLAN. The default ECMP configuration is to prefer ingress, ensuring that outbound traffic needing to be encrypted is routed to the Secure Content Accelerator responsible for decrypting traffic for that session. Outbound Port 80 traffic bypasses the Secure Content Accelerator devices completely.

Traffic "sourced" from a server in the server farm can be routed through one of the Secure Content Accelerator devices. There is no way to differentiate between equal cost paths without mapping to an ingress flow. Table B-2 shows basic configuration actions for the CSS devices and Secure Content Accelerator.


Table B-2: Transparent Sandwich Installation Device Configuration

Upstream CSS Configuration:

  • Create a VLAN for each Secure Content Accelerator to be load balanced
  • Create a separate VLAN to connect to the downstream CSS to route port 80 traffic directly
  • Create a service for each Secure Content Accelerator with the IP address of the corresponding circuit address on the downstream Secure Content Accelerator; define the services as type "transparent-cache"
  • Create a Layer 4 content rule to balance the Secure Content Accelerators, using advanced-balance ssl and application ssl to assist SSL v.3 key reuse, in one of the following ways:
    • Without a VIP: if you do not specify a VIP, all port 443 traffic is forwarded to the Secure Content Accelerators
    • With a VIP: when you specify a VIP, any port 443 traffic not destined to that VIP can be routed over the VLAN specified for port 80 and SSL traffic terminated on origin servers

Secure Content Accelerator Configuration:

  • Export keys and certificates from any existing secure servers, if necessary
  • Assign an IP address to each Secure Content Accelerator as specified in the CSS configuration
  • Assign a default route for each Secure Content Accelerator using the upstream CSS VLAN circuit IP address as the gateway
  • Set up one or more logical secure servers using the QuickStart wizard (Chapter 3) or configuration manager (Chapter 4); you may wish to use TCP service port 81 as the remoteport
  • Assign a static route for the VIP to point to the downstream CSS VLAN circuit IP address

Downstream CSS Configuration:

  • Create a VLAN for each Secure Content Accelerator
  • Create a VLAN to connect to the upstream CSS to route port 80 traffic directly
  • Create services as required for each server, adding "keepalive" attributes as necessary
  • Create a default ECMP route for each load balanced Secure Content Accelerator using the upstream router as the gateway for each upstream VLAN
  • Create a default route to the upstream CSS to allow non-SSL traffic to bypass the Secure Content Accelerator
  • Create Layer 5 rules for the secure content
  • Create content rules as required for non-secure content

The following is a sample configuration for the upstream CSS.

    !Generated on 11/18/2000 11:03:28
    !Active version: ap0400007s
    configure
    !*************************** GLOBAL ***************************
      ip route 0.0.0.0 0.0.0.0 10.100.1.1 1
      ip route 10.176.10.0 255.255.255.0 10.176.11.0
    !************************* INTERFACE *************************
    interface ethernet-2
      bridge vlan 2
    interface ethernet-3
      bridge vlan 3
    interface ethernet-4
      bridge vlan 4
    interface ethernet-5
      bridge vlan 5
    interface ethernet-6
      bridge vlan 6
    interface ethernet-7
      bridge vlan 7
    interface ethernet-8
      bridge vlan 8
    !************************** CIRCUIT **************************
    circuit VLAN1
      ip address 10.176.1.1 255.255.255.0
    circuit VLAN2
      ip address 10.176.2.1 255.255.255.0
    circuit VLAN3
      ip address 10.176.3.1 255.255.255.0
    circuit VLAN4
      ip address 10.176.4.1 255.255.255.0
    circuit VLAN5
      ip address 10.176.5.1 255.255.255.0
    circuit VLAN6
      ip address 10.176.6.1 255.255.255.0
    circuit VLAN7
      ip address 10.176.11.1 255.255.255.0
    circuit VLAN8
      ip address 10.100.132.101 255.255.0.0
    !************************** SERVICE **************************
    service ssl1
      port 443
      protocol tcp
      ip address 10.176.1.3
      type transparent-cache
      active
    service ssl2
      port 443
      protocol tcp
      ip address 10.176.2.3
      type transparent-cache
      active
    service ssl3
      port 443
      protocol tcp
      ip address 10.176.3.3
      type transparent-cache
      active
    service ssl4
      port 443
      protocol tcp
      ip address 10.176.4.3
      type transparent-cache
      active
    service ssl5
      port 443
      protocol tcp
      ip address 10.176.5.3
      type transparent-cache
      active
    service ssl6
      port 443
      protocol tcp
      ip address 10.176.6.3
      type transparent-cache
      active
    !*************************** OWNER ***************************
    owner test
      content ssl
        protocol tcp
        port 443
        add service ssl1
        add service ssl2
        add service ssl3
        add service ssl4
        add service ssl5
        add service ssl6
        active

The following is a sample configuration for the downstream CSS.

    !Generated on 11/18/2000 11:01:18
    !Active version: ap0400007s
    configure
    !*************************** GLOBAL ***************************
      bridge spanning-tree disabled
      no restrict web-mgmt
      ip route 0.0.0.0 0.0.0.0 10.176.1.1 1
      ip route 0.0.0.0 0.0.0.0 10.176.2.1 1
      ip route 0.0.0.0 0.0.0.0 10.176.3.1 1
      ip route 0.0.0.0 0.0.0.0 10.176.4.1 1
      ip route 0.0.0.0 0.0.0.0 10.176.5.1 1
      ip route 0.0.0.0 0.0.0.0 10.176.6.1 1
      ip route 0.0.0.0 0.0.0.0 10.176.11.1 1
    !************************* INTERFACE *************************
    interface ethernet-2
      bridge vlan 2
    interface ethernet-3
      bridge vlan 3
    interface ethernet-4
      bridge vlan 4
    interface ethernet-5
      bridge vlan 5
    interface ethernet-6
      bridge vlan 6
    interface ethernet-7
      bridge vlan 7
    interface ethernet-8
      bridge vlan 8
    !************************** CIRCUIT **************************
    circuit VLAN2
      ip address 10.176.2.3 255.255.255.0
    circuit VLAN3
      ip address 10.176.3.3 255.255.255.0
    circuit VLAN4
      ip address 10.176.4.3 255.255.255.0
    circuit VLAN5
      ip address 10.176.5.3 255.255.255.0
    circuit VLAN6
      ip address 10.176.6.3 255.255.255.0
    circuit VLAN7
      ip address 10.176.10.1 255.255.255.0
    circuit VLAN8
      ip address 10.176.11.2 255.255.255.0
    circuit VLAN1
      ip address 10.176.1.3 255.255.255.0
    !************************** SERVICE **************************
    service s1
      ip address 10.176.10.10
      protocol tcp
      active
    service s2
      ip address 10.176.10.11
      protocol tcp
      active
    service s3
      ip address 10.176.10.12
      protocol tcp
      active
    service s4
      ip address 10.176.10.13
      protocol tcp
      active
    !*************************** OWNER ***************************
    owner test
      content http-non-secure-port-80
        vip address 10.176.11.100
        protocol tcp
        port 80
        url "/*"
        add service s1
        add service s2
        add service s3
        add service s4
        active
      content http-secure-port-81
        vip address 10.176.11.100
        add service s1
        add service s2
        add service s3
        add service s4
        protocol tcp
        port 81
        url "/secure/*"
        active

One-Armed Non-Transparent Proxy

This deployment uses a single CSS for load balancing, SSL offloading, and Layer 5 switching, allowing load balancing up to the transactions-per-second limit of the CSS. Applications such as reverse proxy caching and content type separation can be enabled. The level depends upon the type of content and the mix of HTTP 1.0 and HTTP 1.1 traffic.

The one-armed non-transparent proxy deployment is complex to configure, but it provides a high degree of scalability. If IP address accounting is required, use the command log-url when configuring the Secure Content Accelerator. This command instructs the device to write a client access log to a specific host. The resulting log file can be utilized by all popular log analysis tools. Figure B-5 shows a typical deployment.


Figure B-5: Secure Content Accelerator One-Armed Non-Transparent Proxy Installation

In this deployment the CSS is configured with both Layer 4 and Layer 5 rules. For each VIP configured on the CSS for services terminating on the Secure Content Accelerator, a service must be defined for the Secure Content Accelerator devices, each with a different destination port definition.

The Secure Content Accelerator does not use the IP address to ensure traffic is sent to the correct server because the CSS changes the destination IP address to that of the Secure Content Accelerator. The Secure Content Accelerator is configured only at Layer 4. This configuration requires setting multiple destination IP/destination port pairs on the Secure Content Accelerator. Bridge loops are not created because all port 443 traffic terminates on Secure Content Accelerator devices each connected to the CSS via a single port. Table B-3 shows basic configuration actions for both the CSS and Secure Content Accelerator.


Table B-3: One-Armed Non-Transparent Proxy Installation Device Configuration

CSS Configuration:

  • Create a VLAN for the upstream router
  • Create one VLAN for all connected Secure Content Accelerator devices
  • Create a separate VLAN for the servers
  • Create a service for each Secure Content Accelerator IP address and destination port pair
  • Create services as required for each server (adding "keepalive" attributes as necessary)
  • Create a default route to the upstream router
  • Create Layer 4 rules for each incoming VIP and add the appropriate Secure Content Accelerator services
  • Create Layer 5 rules for the secure content
  • Create content rules as required for non-secure content

Secure Content Accelerator Configuration:

  • Export keys and certificates from any existing secure servers, if necessary
  • Assign an IP address to each Secure Content Accelerator as specified in the CSS configuration
  • Assign a default route for each Secure Content Accelerator using the CSS VLAN circuit IP address as the gateway
  • Set up one or more logical secure servers using the QuickStart wizard (Chapter 3) or configuration manager (Chapter 4)
  • Set up single-port operation using the mode one-port command (Appendix C)
  • If client IP accounting is necessary, use the log-url command to specify the host for writing the access log

Below is a sample configuration for the CSS.

    !Generated on 11/18/2000 17:38:37
    !Active version: ap0400007s
    configure
    !*************************** GLOBAL ***************************
      bridge spanning-tree disabled
      ip route 0.0.0.0 0.0.0.0 10.100.1.1 1
    !************************* INTERFACE *************************
    interface ethernet-7
      bridge vlan 7
    interface ethernet-8
      bridge vlan 8
    !************************** CIRCUIT **************************
    circuit VLAN1
      ip address 10.176.1.1 255.255.255.0
    circuit VLAN7
      ip address 10.176.10.1 255.255.255.0
    circuit VLAN8
      ip address 10.100.132.101 255.255.0.0
    !************************** SERVICE **************************
    service s1
      ip address 10.176.10.10
      protocol tcp
      active
    service s2
      ip address 10.176.10.11
      protocol tcp
      active
    service s3
      ip address 10.176.10.12
      protocol tcp
      active
    service s4
      ip address 10.176.10.13
      protocol tcp
      active
    service ssl1-443
      port 443
      protocol tcp
      ip address 10.176.1.3
      active
    service ssl1-444
      ip address 10.176.1.3
      protocol tcp
      port 444
      active
    service ssl2-443
      port 443
      protocol tcp
      ip address 10.176.1.4
      active
    service ssl2-444
      port 444
      protocol tcp
      ip address 10.176.1.4
      active
    service ssl3-443
      port 443
      protocol tcp
      ip address 10.176.1.5
      active
    service ssl3-444
      port 444
      protocol tcp
      ip address 10.176.1.5
      active
    service ssl4-443
      port 443
      protocol tcp
      ip address 10.176.1.6
      active
    service ssl4-444
      port 444
      protocol tcp
      ip address 10.176.1.6
      active
    service ssl5-443
      port 443
      protocol tcp
      ip address 10.176.1.7
      active
    service ssl5-444
      port 444
      protocol tcp
      ip address 10.176.1.7
      active
    service ssl6-443
      port 443
      protocol tcp
      ip address 10.176.1.8
      active
    service ssl6-444
      port 444
      protocol tcp
      ip address 10.176.1.8
      active
    !*************************** OWNER ***************************
    owner test
      content http-secure-port-81
        vip address 10.176.11.100
        add service s1
        add service s2
        add service s3
        add service s4
        protocol tcp
        port 81
        url "/secure/*"
        active
      content http-non-secure-port-80
        vip address 10.176.11.100
        add service s1
        add service s2
        add service s3
        add service s4
        protocol tcp
        port 81
        url "/*"
        active
      content ssl
        vip address 10.176.11.100
        protocol tcp
        port 443
        add service ssl1-443
        add service ssl2-443
        add service ssl3-443
        add service ssl4-443
        add service ssl5-443
        add service ssl6-443
        active
      content ssl-444
        protocol tcp
        vip address 10.176.11.101
        port 443
        add service ssl2-444
        add service ssl1-444
        add service ssl3-444
        add service ssl4-444
        add service ssl5-444
        add service ssl6-444
        active

One-Armed Transparent Proxy

This deployment uses a single CSS for load balancing up to 15 Secure Content Accelerator devices. The deployment combines the single CSS solution of the proxy deployment with the transparency of the sandwich deployment.

The one-armed transparent proxy deployment is the most complex to configure, but it provides a high degree of scalability and extended features, including IP address accounting. Figure B-6 shows a typical deployment.


Figure B-6: Secure Content Accelerator One-Armed Transparent Proxy Installation

This deployment has several constraints:


Caution: ACLs and static routes must be configured carefully. If a device or network is specified in an ACL or static route in such a way that it forces all traffic to the upstream router's ECMP route, all traffic matching the ACL or static route will bypass the Secure Content Accelerator devices. Thus management of the Secure Content Accelerator devices, and management stations requiring ICMP or SNMP to operate, will not have access to SSL processing.

Table B-4 shows basic configuration actions for both the CSS and Secure Content Accelerator.


Table B-4: One-Armed Transparent Proxy Installation Device Configuration

CSS Configuration:

  • Create a VLAN for each Secure Content Accelerator to be load balanced
  • Create a VLAN for the upstream router
  • Create a separate VLAN for the servers
  • Create a default route with the upstream router as the gateway
  • Create a default route with each Secure Content Accelerator as a gateway
  • Define a static route for each management workstation not connected to a directly attached subnet
  • Define a service for each Secure Content Accelerator with its IP address, ensuring that the type is "transparent" and that "no cache-bypass" is configured
  • Create services as required for each server (adding "keepalive" attributes as necessary)
  • Create Layer 4 content rules to balance the Secure Content Accelerator devices; you may use "advanced-balance ssl" and "application ssl" to assist with SSL V.3 key reuse
  • Create Layer 5 rules for secure content
  • Create content rules as required for non-secure content
  • Define ACLs and an upstream router service to ensure proper routing of traffic not terminated on the CSS

Secure Content Accelerator Configuration:

  • Export keys and certificates from any existing secure servers, if necessary
  • Assign an IP address to each Secure Content Accelerator as specified in the CSS configuration
  • Assign a default route for each Secure Content Accelerator using the CSS VLAN circuit IP address as the gateway
  • Set up one or more logical secure servers using the QuickStart wizard (Chapter 3) or configuration manager (Chapter 4)
  • Set up single-port operation using the mode one-port command (Appendix C)

Below is a sample configuration for the CSS.

    !Generated on 11/28/2000 16:15:49
    !Active version: ap0400007s
    configure
    !*************************** GLOBAL ***************************
      acl enable
      ip route 0.0.0.0 0.0.0.0 10.176.50.1 1
      ip route 0.0.0.0 0.0.0.0 10.176.1.3 1
      ip route 0.0.0.0 0.0.0.0 10.176.2.3 1
      ip route 0.0.0.0 0.0.0.0 10.176.3.3 1
      ip route 0.0.0.0 0.0.0.0 10.176.4.3 1
      ip route 0.0.0.0 0.0.0.0 10.176.5.3 1
      ip route 0.0.0.0 0.0.0.0 10.176.6.3 1
      ! network management station static route
      ip route 10.176.50.100 255.255.255.255 10.176.50.1 1
    !************************* INTERFACE *************************
    interface ethernet-2
      bridge vlan 2
    interface ethernet-3
      bridge vlan 3
    interface ethernet-4
      bridge vlan 4
    interface ethernet-5
      bridge vlan 5
    interface ethernet-6
      bridge vlan 6
    interface ethernet-7
      bridge vlan 7
    interface ethernet-8
      bridge vlan 8
    !************************** CIRCUIT **************************
    circuit VLAN1
      ip address 10.176.1.1 255.255.255.0
    circuit VLAN2
      ip address 10.176.2.1 255.255.255.0
    circuit VLAN3
      ip address 10.176.3.1 255.255.255.0
    circuit VLAN4
      ip address 10.176.4.1 255.255.255.0
    circuit VLAN5
      ip address 10.176.5.1 255.255.255.0
    circuit VLAN6
      ip address 10.176.6.1 255.255.255.0
    circuit VLAN7
      ip address 10.176.10.1 255.255.255.0
    circuit VLAN8
      ip address 10.176.50.2 255.255.255.0
    !************************** SERVICE **************************
    service s1
      ip address 10.176.10.10
      protocol tcp
      active
    service s2
      ip address 10.176.10.11
      protocol tcp
      active
    service s3
      ip address 10.176.10.12
      protocol tcp
      active
    service s4
      ip address 10.176.10.13
      protocol tcp
      active
    service ssl1
      port 443
      protocol tcp
      ip address 10.176.1.3
      type transparent-cache
      no cache-bypass
      active
    service ssl2
      port 443
      protocol tcp
      type transparent-cache
      no cache-bypass
      ip address 10.176.2.3
      active
    service ssl3
      port 443
      protocol tcp
      type transparent-cache
      no cache-bypass
      ip address 10.176.3.3
      active
    service ssl4
      port 443
      protocol tcp
      type transparent-cache
      no cache-bypass
      ip address 10.176.4.3
      active
    service ssl5
      port 443
      protocol tcp
      type transparent-cache
      no cache-bypass
      ip address 10.176.5.3
      active
    service ssl6
      port 443
      protocol tcp
      type transparent-cache
      no cache-bypass
      ip address 10.176.6.3
      active
    service upstream-router
      ip address 10.176.50.1
      type transparent-cache
      active
    !*************************** OWNER ***************************
    owner test
      content http-secure-port-81
        vip address 10.176.11.100
        add service s1
        add service s2
        add service s3
        add service s4
        protocol tcp
        port 81
        url "/secure/*"
        active
      content http-non-secure-port-80
        vip address 10.176.11.100
        add service s1
        add service s2
        add service s3
        add service s4
        protocol tcp
        port 80
        url "/*"
        active
      content ssl
        protocol tcp
        port 443
        add service ssl1
        add service ssl2
        add service ssl3
        add service ssl4
        add service ssl5
        add service ssl6
        vip address 10.176.11.100
        active
    !**************************** ACL ****************************
    acl 8
      clause 10 permit any any destination any
      apply circuit-(VLAN8)
    acl 7
      clause 10 permit any any destination any
      apply circuit-(VLAN7)
    acl 6
      clause 10 permit any any destination any eq 443
      clause 20 permit any any destination any eq 81
      clause 30 permit tcp any destination any eq 2932
      clause 40 permit udp any destination any eq 2932
      clause 50 permit udp any eq 2932 destination any prefer upstream-router
      clause 99 permit any any destination any
      apply circuit-(VLAN6)
      apply circuit-(VLAN5)
      apply circuit-(VLAN4)
      apply circuit-(VLAN3)
      apply circuit-(VLAN2)
      apply circuit-(VLAN1)
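Two of the Table B-4 constraints, one Secure Content Accelerator per VLAN (the bridge-loop rule from the In-Line section) and a default ECMP route with each accelerator as gateway, can be checked mechanically against a CSS configuration. The following Python is an added example, not Cisco tooling: it parses only the CSS command forms shown in this appendix and runs against a constructed sample config, not the listing above.

```python
import ipaddress

# Constructed sample in the CSS command form used in this appendix: ssl3 is
# wrongly placed in VLAN2's subnet and has no default route of its own.
SAMPLE_CONFIG = """\
configure
  ip route 0.0.0.0 0.0.0.0 10.176.50.1 1
  ip route 0.0.0.0 0.0.0.0 10.176.1.3 1
  ip route 0.0.0.0 0.0.0.0 10.176.2.3 1
circuit VLAN1
  ip address 10.176.1.1 255.255.255.0
circuit VLAN2
  ip address 10.176.2.1 255.255.255.0
service ssl1
  port 443
  ip address 10.176.1.3
  type transparent-cache
service ssl2
  port 443
  type transparent-cache
  ip address 10.176.2.3
service ssl3
  port 443
  type transparent-cache
  ip address 10.176.2.4
service upstream-router
  ip address 10.176.50.1
  type transparent-cache
"""


def parse_css_config(text):
    """Return (circuits, services, default_gateways): VLAN name -> IPv4Interface,
    service name -> {ip, type, port}, and the next hops of 0.0.0.0/0 'ip route'
    lines. Only the command forms shown in this appendix are recognised."""
    circuits, services, gateways = {}, {}, set()
    kind = name = None
    for raw in text.splitlines():
        tok = raw.split()
        if not tok or tok[0].startswith("!"):
            continue
        if tok[0] in ("circuit", "service", "content", "owner"):
            kind, name = tok[0], tok[-1]          # enter a config block
            if kind == "service":
                services[name] = {"ip": None, "type": None, "port": None}
        elif tok[:2] == ["ip", "route"] and len(tok) >= 5:
            net = ipaddress.IPv4Network(f"{tok[2]}/{tok[3]}", strict=False)
            if net.prefixlen == 0:                # a default (ECMP) route
                gateways.add(ipaddress.IPv4Address(tok[4]))
        elif kind == "circuit" and tok[:2] == ["ip", "address"]:
            circuits[name] = ipaddress.IPv4Interface(f"{tok[2]}/{tok[3]}")
        elif kind == "service" and tok[:2] == ["ip", "address"]:
            services[name]["ip"] = ipaddress.IPv4Address(tok[2])
        elif kind == "service" and tok[0] in ("type", "port"):
            services[name][tok[0]] = int(tok[1]) if tok[0] == "port" else tok[1]
    return circuits, services, gateways


def check_sca_deployment(text):
    """For every port-443 transparent-cache service (an SCA): require its own
    VLAN (no bridge loop) and a default ECMP route via its address."""
    circuits, services, gateways = parse_css_config(text)
    findings, vlan_owner = [], {}
    for name, svc in sorted(services.items()):
        if svc["type"] != "transparent-cache" or svc["port"] != 443 or svc["ip"] is None:
            continue                              # servers, upstream router
        vlan = next((v for v, c in circuits.items() if svc["ip"] in c.network), None)
        if vlan is None:
            findings.append(f"{name}: {svc['ip']} is outside every circuit subnet")
        elif vlan in vlan_owner:
            findings.append(f"{name} shares {vlan} with {vlan_owner[vlan]}: bridge-loop risk")
        else:
            vlan_owner[vlan] = name
        if svc["ip"] not in gateways:
            findings.append(f"{name}: no default ECMP route via {svc['ip']}")
    return findings
```

An empty result means every accelerator sits in its own circuit subnet and has its own default route; the sample returns two findings for ssl3.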

Connecting the Device to a Terminal Server

The Secure Content Accelerator can be connected to a terminal server, such as the Cisco 2511 Access Server. You will need a standard RJ45-DB9F adapter (CAB-9AS-FDTE, part number 74-0495-01).

    1. Attach the RJ45-DB9F adapter to the CONSOLE port of the Secure Content Accelerator.

    2. Using an octal cable with RJ45 connectors, attach the terminal server to the Secure Content Accelerator via the RJ45-DB9F adapter.

    3. Using the line interface on the terminal server, enter these commands:

    line 1
      autocommand connect
      transport input all

    Note: If you are using firmware older than 3.0.5 on the Secure Content Accelerator, also use the command speed 115200.

Web Site Changes

You must make changes to your existing Web pages before users can access them.

    1. Install and configure the Secure Content Accelerator.

    2. Create a non-secure ("http://"-prefixed) Web page as an entry point for the Web site. Include some method of transferring the user to the secure ("https://"-prefixed) URL. You may use a button, hypertext link, image map, automatic redirection, or any other method you choose.

    3. If your site does not use relative links, change the "http://" portion of every link (including graphic links) to "https://"; otherwise, links should remain the same.


    Note: If you are using IIS and have a redirection in your Web page, the URL must have a trailing slash ("/") to work properly, e.g., <a href="/issamples/default/learn/">.


Posted: Wed Aug 21 01:46:05 PDT 2002
All contents are Copyright © 1992--2002 Cisco Systems, Inc. All rights reserved.