Blog (Broadcast)


Broadcasting news, tips, and troubleshooting on networking technologies.


Thursday, Nov 15, 2012

End-of-Life (EoL) for the Cisco ACE Load-Balancer

CRN quoted Cisco as confirming rumors about the ACE being dead.

Cisco has decided it will not develop further generations of its ACE load-balancing products.

I suppose I was cursed from the start with the Cisco ACE Module. In late 2006 / early 2007, I attempted to roll out a couple of ACE10 modules after getting a great many assurances that the product was ready for prime time since it had only been released 9 months earlier; the claim was that the platform was stable and on v3 of the code.

Unable to launch a new site after running into a couple of severe bugs, we had to ditch the ACE Modules and find another load-balancer.  We encountered bugs in the platform from not being able to persist persistent connections for L5 rules to randomly resetting the TCP MSS to values greater than those negotiated at the beginning of the flow, which firewalls didn't take kindly to.


Tuesday, Nov 13, 2012

Cisco CSS 11500 HTTP-to-HTTPS (SSL) Redirection

A simple approach to handle sites that require SSL (HTTPS) encryption is to not allow plain-text HTTP, but that's not very user-friendly and no one likes having to type extra characters into the browser to indicate HTTPS as the URI scheme.  So the elegant solution for the client-side request is to allow HTTP, but then to redirect all such requests over to SSL, preserving the host and path so that deep links keep working.  If you're doing SSL Acceleration on your CSS 11500 load-balancer anyway, and you have public-facing sites, you should also be doing HTTP-to-HTTPS (SSL) redirection.

Assuming you already have SSL termination configured, you'll already have SSL and HTTP VIPs that work together.  The trick is to add a different VIP (virtual IP address) for the SSL proxy and convert the existing HTTP rule to a redirect rule.  Optionally, you could use a redirect service in the rule instead.  The complete config snippets are in the full post.


Monday, Nov 12, 2012

Cisco CSS 11500 L5 Rules via SSL Acceleration (proxy)

An interesting issue arose when trying to configure two L5 rules behind an SSL proxy on a Cisco CSS 11500.

When doing SSL termination on the CSS load-balancer, an ssl-proxy-list is configured to add a virtual server that ties the SSL VIP to the plain-text HTTP VIP used by the proxy.

Read up on configuring SSL termination on the CSS 11500 if you’re not familiar.

Normally, an SSL rule VIP is proxied to a single, matching plain-text HTTP VIP when you need to ensure the site is protected by SSL.  This is done with two L4 rules, one matching port 443 and the other port 80.  It's not a requirement that the two VIPs match, but doing so will make your config easier to understand and conserve IP space.  See the post on Cisco CSS 11500 HTTP-to-HTTPS (SSL) Redirection for CSS HTTP-to-HTTPS redirection.


Friday, Apr 13, 2012

Cisco ACE Module HTTP-to-HTTPS (SSL) Redirection

A simple approach to handle sites that require SSL (HTTPS) encryption is to not allow plain-text HTTP, but that’s not very user-friendly and no one likes having to type extra characters into the browser to indicate HTTPS as the URI scheme.  So the elegant solution for the client-side request is to allow HTTP, but then to redirect all such requests over to SSL.  If you’re doing SSL Acceleration on your ACE load-balancer anyway, your configuration will become simpler in the long-run since you won’t have to maintain as much duplicate configuration to handle different load-balance policies for plain-text HTTP and SSL.

The solution is to create a generic redirect rserver and serverfarm that can be used for any SSL load-balance policies.  For web applications that build absolute URLs, the web server needs to know that the client's protocol is HTTPS; otherwise its own redirects will point back at http:// and bounce through the load-balancer a second time.  An HTTP header can be inserted in the request toward the web server to carry the client protocol, using the de facto standard X-Forwarded-Proto header.  The web server should honor that header only on connections that come from the load-balancer, since any client can send it.  Using the standard Via header is another alternative and will be shown in an example.
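The following is an added example, not configuration from this post or the CSS 11500 redirection post above; it models in Python the two halves that both posts describe: the load-balancer's redirect rule, which sends every plain-text request to the same host and path over HTTPS, and the back-end web server, which builds absolute URLs from X-Forwarded-Proto but only trusts that header on connections from the load-balancer. The site name, the proxy's server-side address and the paths are assumptions.

```python
# Added example; not configuration from the original posts (it models in Python what the
# CSS/ACE redirect rule and the back-end web server each have to do).  The site name,
# the load-balancer's server-side address and the paths are assumptions.
from urllib.parse import urlsplit, urlunsplit

SITE_HOST = "www.example.com"      # assumed public host name served by the HTTP and SSL VIPs
LB_SERVER_SIDE_IP = "10.0.0.10"    # assumed source address the SSL proxy uses toward the farm
TRUSTED_PROXIES = {LB_SERVER_SIDE_IP}


def lb_redirect(scheme, host, target):
    """Load-balancer side (the :80 rule converted to a redirect rule): answer every
    plain-text request with a 301 to the same host, path and query over https.
    Returns None when the request already arrived on the SSL VIP."""
    if scheme == "https":
        return None
    path, _, query = target.partition("?")
    return 301, {"Location": urlunsplit(("https", host, path, query, ""))}


def effective_scheme(headers, peer_ip, socket_scheme="http"):
    """Back-end side: the proxied request always arrives as plain HTTP, so the
    client's real protocol comes from X-Forwarded-Proto.  It is honoured only when
    the connection came from the load-balancer; anyone else can put that header
    on a request, so from an untrusted peer the socket's own scheme is used."""
    if peer_ip in TRUSTED_PROXIES:
        proto = headers.get("X-Forwarded-Proto", "").lower()
        if proto in ("http", "https"):
            return proto
    return socket_scheme


def backend(headers, peer_ip, host, path):
    """Toy application: every path except /login bounces to /login with an
    absolute URL, which is where the forwarded scheme matters."""
    if path == "/login":
        return 200, {}
    scheme = effective_scheme(headers, peer_ip)
    return 302, {"Location": urlunsplit((scheme, host, "/login", "", ""))}


def walk(scheme, host, target, proxy_ip=LB_SERVER_SIDE_IP, max_hops=5):
    """Follow redirects the way a browser would: the load-balancer sees every
    request first; SSL requests are terminated and forwarded to the back end as
    plain HTTP from proxy_ip with X-Forwarded-Proto set.  Returns (redirects
    followed, final URL)."""
    url = f"{scheme}://{host}{target}"
    for hops in range(max_hops):
        parts = urlsplit(url)
        target = parts.path + (f"?{parts.query}" if parts.query else "")
        resp = lb_redirect(parts.scheme, parts.netloc, target)
        if resp is None:
            resp = backend({"X-Forwarded-Proto": "https"}, proxy_ip, parts.netloc, parts.path)
        status, hdrs = resp
        if status not in (301, 302):
            return hops, url
        url = hdrs["Location"]
    return max_hops, url


if __name__ == "__main__":
    # Back end trusts the load-balancer: one redirect to https, one application redirect.
    print(walk("http", SITE_HOST, "/account?tab=1"))
    # Back end not configured to trust the proxy: its absolute URL comes out as http://
    # and the load-balancer has to redirect the client a second time (the needless
    # redirect the post warns about).
    print(walk("http", SITE_HOST, "/account?tab=1", proxy_ip="192.0.2.5"))
    # The same header sent straight from an arbitrary client is ignored.
    print(effective_scheme({"X-Forwarded-Proto": "https"}, "198.51.100.7"))
```

Running it shows two redirects when the back end trusts the proxy's X-Forwarded-Proto and three when it does not, which is the extra round trip the post is trying to avoid; the last line shows why the trust has to be keyed to the peer address rather than to the header's presence.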


Thursday, Apr 5, 2012

NetFlow -- The who/what/when/where of packet flows

Every network engineer reaches a point in their packet life where they need to gain a much better understanding of the type of traffic and patterns that traverse their network.  From corporate users streaming Pandora and YouTube over your Direct Internet Access (DIA) circuits to Data Center spikes putting stress on uplinks, network engineers need to understand who is on the network, what is being done with it, where the packets are flowing, and when this all happens.

For most Cisco routers and higher-end enterprise switches or firewalls, NetFlow, Cisco's proprietary flow metering protocol (and IPFIX, the IETF standard derived from NetFlow v9), gives insight into the network traffic and patterns.  Many non-Cisco platforms export sFlow instead, a vendor-neutral packet-sampling standard that is a separate design rather than a NetFlow derivative, so a collector that handles both covers a mixed network.
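As an added example (not code from the original post), the block below encodes a few constructed flows as one NetFlow v5 export datagram, the way a router sends them to a collector, and decodes it again; it shows which fields carry the who (source address), what (protocol and ports), where (destination and interfaces) and when (start and end, converted from exporter uptime to wall-clock time) that the post describes. All addresses, ports, counters and timestamps are invented sample data.

```python
# Added example, not from the original post: encodes a few constructed flows as one
# NetFlow v5 export datagram (what a router sends to the collector) and decodes it
# again, to show the who/what/when/where fields the protocol actually carries.
# All addresses, ports, counters and timestamps are invented sample data.
import socket
import struct

# NetFlow v5 wire format (network byte order): 24-byte header, then up to 30 48-byte records.
V5_HEADER = struct.Struct("!HHIIIIBBH")   # version, count, sys_uptime(ms), unix_secs,
                                          # unix_nsecs, flow_sequence, engine_type,
                                          # engine_id, sampling
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")
PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}

# Constructed flows: an HTTPS session and a DNS lookup from one host, a bulk HTTPS
# transfer from another.  Times are exporter uptime in milliseconds.
SAMPLE_FLOWS = [
    {"src": "192.168.10.25", "dst": "203.0.113.40", "proto": 6, "sport": 51514, "dport": 443,
     "packets": 120, "bytes": 98304, "first_ms": 60000, "last_ms": 75000, "tcp_flags": 0x1b},
    {"src": "192.168.10.25", "dst": "192.168.1.53", "proto": 17, "sport": 40211, "dport": 53,
     "packets": 2, "bytes": 180, "first_ms": 59800, "last_ms": 59810},
    {"src": "192.168.10.77", "dst": "203.0.113.40", "proto": 6, "sport": 49301, "dport": 443,
     "packets": 4000, "bytes": 5800000, "first_ms": 10000, "last_ms": 80000, "tcp_flags": 0x1b},
]
EXPORT_UNIX_SECS = 1352937600     # 2012-11-15 00:00:00 UTC, the exporter's clock at send time
EXPORT_UPTIME_MS = 90000          # exporter had been up 90 s when it sent the datagram


def build_v5(flows, unix_secs=EXPORT_UNIX_SECS, uptime_ms=EXPORT_UPTIME_MS, seq=0):
    """Exporter side: pack flows into one v5 datagram."""
    if len(flows) > 30:
        raise ValueError("a v5 datagram carries at most 30 records")
    header = V5_HEADER.pack(5, len(flows), uptime_ms, unix_secs, 0, seq, 0, 0, 0)
    records = b"".join(
        V5_RECORD.pack(
            socket.inet_aton(f["src"]), socket.inet_aton(f["dst"]), socket.inet_aton("0.0.0.0"),
            f.get("in_if", 1), f.get("out_if", 2),
            f["packets"], f["bytes"], f["first_ms"], f["last_ms"],
            f["sport"], f["dport"],
            0, f.get("tcp_flags", 0), f["proto"], 0,   # pad, tcp_flags, protocol, tos
            0, 0, 24, 24, 0)                           # src_as, dst_as, src_mask, dst_mask, pad
        for f in flows)
    return header + records


def parse_v5(datagram):
    """Collector side: decode one datagram into flow dicts with wall-clock times.
    Record timestamps are exporter uptime, so they are converted using the
    header's (unix_secs, sys_uptime) pair."""
    version, count, uptime_ms, unix_secs, _nsecs, seq, *_ = V5_HEADER.unpack_from(datagram, 0)
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version {version})")
    if len(datagram) < V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("truncated datagram: header count exceeds payload")
    boot_ms = unix_secs * 1000 - uptime_ms
    flows = []
    for i in range(count):
        (src, dst, _nexthop, in_if, out_if, packets, octets, first, last,
         sport, dport, _pad, tcp_flags, proto, _tos, _src_as, _dst_as,
         _smask, _dmask, _pad2) = V5_RECORD.unpack_from(datagram, V5_HEADER.size + i * V5_RECORD.size)
        flows.append({
            "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),      # who / where
            "sport": sport, "dport": dport,                                  # what
            "proto": PROTO_NAMES.get(proto, str(proto)), "tcp_flags": tcp_flags,
            "in_if": in_if, "out_if": out_if,
            "packets": packets, "bytes": octets,
            "start": (boot_ms + first) / 1000, "end": (boot_ms + last) / 1000,  # when, epoch seconds
            "seq": seq,
        })
    return flows


def top_talkers(flows, n=3):
    """Bytes sent per source address, largest first (who is using the uplink)."""
    totals = {}
    for f in flows:
        totals[f["src"]] = totals.get(f["src"], 0) + f["bytes"]
    return sorted(totals.items(), key=lambda kv: (-kv[1], kv[0]))[:n]


if __name__ == "__main__":
    datagram = build_v5(SAMPLE_FLOWS)
    for flow in parse_v5(datagram):
        print(f'{flow["src"]}:{flow["sport"]} -> {flow["dst"]}:{flow["dport"]} '
              f'{flow["proto"]} {flow["bytes"]} bytes, {flow["end"] - flow["start"]:.1f} s')
    print(top_talkers(parse_v5(datagram)))
```

The truncation check matters on a real collector: the header's record count comes from the wire, so a short or forged datagram must not be indexed past its end. Byte counts here are unsampled; on an exporter configured for sampled NetFlow the sampling field in the header has to be applied before the totals mean anything.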
