Configuring Stickiness on a Cisco CSS 11xxx Using HTTP Redirects

Document ID: 15051

Updated: Dec 27, 2007

Introduction

You should configure Hypertext Transfer Protocol (HTTP) redirection on the Content Services Switch (CSS) 11000 to maintain stickiness for these reasons:

  • It is the most accurate form of session persistence available for the Secure Sockets Layer (SSL) protocol.

  • SSL sticky has an SSL ID renegotiation problem with Internet Explorer 5.0.

  • Generic sticky has an America Online (AOL) mega-proxy issue.

  • Cookie sticky does not work with encrypted traffic or with browsers that reject cookies.

HTTP redirects have long been an option to maintain server stickiness in load-balanced environments. Redirects are very reliable and ensure that an Internet/Intranet client stays on a specific server for the duration of a session. The CSS 11000 allows a network administrator to have the CSS 11000 send the HTTP redirect, which eliminates the need for the Web server administrator to redesign a Web site to accommodate HTTP redirects.

Prerequisites

Requirements

There are no specific requirements for this document.

Components Used

The information in this document is based on these software and hardware versions:

  • CSS 11000 running WebNS Software 4.10, Build 10 or WebNS Software 5.x or 6.x

  • CSS 11500 running WebNS Software 5.20 or 7.x

  • All CSS 11000 content services switches that run Cisco Web Network Services (WebNS) Software Release 3.02 and later

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.

Conventions

For more information on document conventions, refer to the Cisco Technical Tips Conventions.

HTTP Redirection Caveats

These problems are associated with HTTP redirection:

  • Each service being load balanced requires a unique public Internet Protocol (IP) address.

  • Some Domain Name Service (DNS) configuration is required. This can be configured on the CSS as well.

  • There is a bookmark problem after the redirect takes place. When users bookmark a Web site, they bookmark the redirected page, not the original load balanced page. You can resolve this problem by using the main Uniform Resource Locator (URL) as a backup.

  • Each domain name requires a unique SSL certificate. This is typically a licensing requirement, regardless of whether the servers have the same domain name.

Because of limitations in the CSS 11000, redirects can be sent only from HTTP (port 80) to HTTP or from HTTP to HTTPS (port 443). If a redirect must be sent from Secure Hypertext Transfer Protocol (HTTPS), the Web server must send it.

If you configure a service as type redirect, you can specify a redirect string that you would like the CSS 11000 to use when it sends the redirect to the client. One advantage of using redirects to accomplish this is that the client sends cookie data with a new request.

Configure HTTP Redirects

In this section, you are presented with the information to configure the features described in this document.

To set up HTTP redirects, you need a redirect service for each server and, typically, a redirect service that redirects back to the main content rule for use as a backup.

  1. Set up the DNS entries for the URLs to be used. Typically, they would be www, ww1, and ww2. You can use any arbitrary domain name you wish. In this example, these DNS A-Records have been created:

    www.cisco.com <--> 200.200.200.200
    ww1.cisco.com <--> 200.200.200.201
    ww2.cisco.com <--> 200.200.200.202
    

    This example assumes that you already have two services defined:

    service ww1
      ip address 10.0.0.11
      keepalive type tcp
      keepalive port 80
      active
    
    service ww2
      ip address 10.0.0.12
      keepalive type tcp
      keepalive port 80
      active
    
  2. Create a redirect service that redirects a user to www.cisco.com. This redirect serves as a backup if a user bookmarks a URL that is not in service:

    service www-redirect 
      ip address 2.2.2.2 
      keepalive type none 
      type redirect 
      no prepend-http 
      domain http://www.cisco.com/ 
      active
    
  3. Create a redirect for each service individually:

    service ww1-redirect 
      ip address 10.0.0.11 
      keepalive type tcp 
      keepalive port 80 
      type redirect 
      no prepend-http 
      domain http://ww1.cisco.com/ 
      active
    
    service ww2-redirect 
      ip address 10.0.0.12 
      keepalive type tcp 
      keepalive port 80 
      type redirect 
      no prepend-http 
      domain http://ww2.cisco.com/ 
      active
    

    Alternatively, a redirect can go directly to HTTPS by entering a redirect string such as domain https://ww1.cisco.com. This is typically done on Web sites that use HTTPS exclusively.

    Note: The command no prepend-http enables the redirect to go to other protocols such as HTTPS. Without the no prepend-http command, the redirect goes to http://<domain string>.

  4. Create these content rules:

    owner cisco.com
    content main_rule
      vip address 200.200.200.200
      protocol tcp
      port 80
      url "/*"
      add service ww1-redirect
      add service ww2-redirect
      active
    
    content ww1_rule
      vip address 200.200.200.201
      protocol tcp
      port 80
      url "/*"
      add service ww1
    
     
      !--- You could configure the www-redirect service
      !--- as a primary sorry server, however, this is not required
      !--- since the CSS always prefers a normal server to a service
      !--- of type redirect.
    
      add service www-redirect
      active
    
    content ww1_rule_443
      vip address 200.200.200.201
      protocol tcp
      port 443
      add service ww1
      active
    
    content ww2_rule
      vip address 200.200.200.202
      protocol tcp
      port 80
      url "/*"
      add service ww2
      add service www-redirect
      active
    
    content ww2_rule_443
      vip address 200.200.200.202
      protocol tcp
      port 443
      add service ww2
      active
    

    Note: The www-redirect redirect service is added to the ww1_rule and the ww2_rule to solve the bookmark problem. If a user bookmarks a ww1 or ww2 rule and that service is not active when the user comes back, the user will be redirected to the main rule and load-balanced again. The CSS 11000 always sends requests to local servers before choosing a service of type redirect.

This sample output is from a CSS 11000 that uses HTTP redirects to maintain stickiness:

CSS 11150 (WebNS 4.10, Build 10)
CSS150# show run
!Generated on 06/22/2001 08:18:02
!Active version: ap0410010
configure
!*************************** GLOBAL ***************************


!--- The DNS configuration below is just an example on
!--- how to use the CSS to answer DNS requests.
 
  dns-record a ww1.cisco.com 200.200.200.201 50 single kal-none 
  dns-record a ww2.cisco.com 200.200.200.202 50 single kal-none 
  dns-record a www.cisco.com 200.200.200.200 50 single kal-icmp 
     200.200.200.200 254 sticky-disabled 
  dns-server zone 1 tier1 "cisco.com" 
  dns-server 
  ip route 0.0.0.0 0.0.0.0 200.200.200.1 1 
!************************* INTERFACE *************************
interface e1
  bridge vlan 2 
!************************** CIRCUIT **************************
circuit VLAN1
  ip address 200.200.200.254 255.255.255.0 
circuit VLAN2
  ip address 10.0.0.254 255.255.255.0 
!************************** SERVICE **************************
service ww1 
  ip address 10.0.0.11 
  keepalive type tcp 
  keepalive port 80 
  active 
service ww1-redirect 
  ip address 10.0.0.11 
  keepalive type tcp 
  keepalive port 80 
  type redirect 
  no prepend-http 
  domain http://ww1.cisco.com/ 
  active
service ww2 
  ip address 10.0.0.12 
  keepalive type tcp 
  keepalive port 80 
  active 
service ww2-redirect 
  ip address 10.0.0.12 
  keepalive type tcp 
  keepalive port 80 
  type redirect 
  no prepend-http 
  domain http://ww2.cisco.com/ 
  active
service www-redirect 
  ip address 2.2.2.2 
  keepalive type none
  type redirect  
  no prepend-http
  domain http://www.cisco.com 
  active 
!*************************** OWNER ***************************
owner cisco.com 
  content main_rule 
    vip address 200.200.200.200 
    protocol tcp 
    port 80 
    url "/*" 
    add service ww1-redirect 
    add service ww2-redirect 
    active 
  content ww1_rule
    vip address 200.200.200.201
    protocol tcp
    port 80
    url "/*"
    add service ww1
    add service www-redirect
    active
  content ww1_rule_443 
    vip address 200.200.200.201
    protocol tcp 
    port 443 
    add service ww1 
  
  
    !--- For HTTPS traffic, it is not possible to return a
    !--- redirect response because the traffic is encrypted.
    !--- Do not add the redirect service.

    active 
  content ww2_rule
    vip address 200.200.200.202
    protocol tcp
    port 80
    url "/*"
    add service ww2
    add service www-redirect
    active
  content ww2_rule_443 
    vip address 200.200.200.202
    protocol tcp 
    port 443 
    add service ww2  
    active 
CSS150# 

Verify

There is currently no verification procedure available for this configuration.
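
An offline check of a saved running configuration, added here as an example and not part of the original Cisco document: it flags per-server port 80 rules that lack a redirect fallback (the bookmark problem) and port 443 rules that carry a service of type redirect. The names parse, audit and SAMPLE are assumptions; the sample text is constructed from the names used on this page, with two mistakes introduced.

```python
# Constructed sample condensed from this page's config, with two mistakes added.
SAMPLE = """\
service ww1
service ww2
service www-redirect
  type redirect
  domain http://www.cisco.com/
owner cisco.com
  content ww1_rule
    port 80
    add service ww1
    add service www-redirect
  content ww2_rule
    port 80
    add service ww2
  content ww2_rule_443
    port 443
    add service ww2
    add service www-redirect
"""

def parse(cfg):
    """Return (services, rules): block name -> list of commands in that block."""
    services, rules, cur = {}, {}, None
    for line in cfg.splitlines():
        words = line.split()
        if not words or words[0].startswith("!"):
            continue  # blank line or !--- comment
        if words[0] in ("service", "content", "owner") and len(words) == 2:
            # "owner" closes the preceding service block; its line is discarded.
            table = {"service": services, "content": rules}.get(words[0], {})
            cur = table.setdefault(words[1], [])
        elif cur is not None:
            cur.append(" ".join(words))
    return services, rules

def audit(cfg):
    """Flag content rules that break the two rules of thumb stated on this page."""
    services, rules = parse(cfg)
    redirect = {n for n, cmds in services.items() if "type redirect" in cmds}
    findings = []
    for name, cmds in rules.items():
        added = [c.split()[2] for c in cmds if c.startswith("add service ")]
        redirects = [s for s in added if s in redirect]
        if "port 443" in cmds and redirects:
            findings.append(f"{name}: redirect service {redirects[0]} on port 443 rule")
        if "port 80" in cmds and added and not redirects:
            findings.append(f"{name}: no redirect fallback for bookmarked URLs")
    return findings
```

Calling audit() on the text of a saved show run returns a list of findings; an empty list means both checks passed. A rule that holds only redirect services, such as main_rule, is not flagged.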

Troubleshoot

There is currently no specific troubleshooting information available for this configuration.
