Document ID: 15051
Updated: Dec 27, 2007
Introduction
You should configure Hypertext Transfer Protocol (HTTP) redirection on the Content Services Switch (CSS) 11000 to maintain stickiness for these reasons:
- It is the most accurate form of session persistence available for the Secure Socket Layer (SSL) protocol.
- SSL sticky has an SSL ID renegotiation problem with Internet Explorer 5.0.
- Generic sticky has an America Online (AOL) mega-proxy issue.
- Cookie sticky does not work with encrypted traffic or with browsers that reject cookies.
HTTP redirects have long been an option to maintain server stickiness in load-balanced environments. Redirects are very reliable and ensure that an Internet/Intranet client stays on a specific server for the duration of a session. The CSS 11000 allows a network administrator to have the CSS 11000 send the HTTP redirect, which eliminates the need for the Web server administrator to redesign a Web site to accommodate HTTP redirects.
Prerequisites
Requirements
There are no specific requirements for this document.
Components Used
The information in this document is based on these software and hardware versions:
- CSS 11000 running WebNS Software 4.10, Build 10 or WebNS Software 5.x or 6.x
- CSS 11500 running WebNS Software 5.20 or 7.x
- All CSS 11000 content services switches that run Cisco Web Network Services (WebNS) Software Release 3.02 and later
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.
Conventions
For more information on document conventions, refer to the Cisco Technical Tips Conventions.
HTTP Redirection Caveats
These problems are associated with HTTP redirection:
- Each service being load balanced requires a unique public Internet Protocol (IP) address.
- Some Domain Name Service (DNS) configuration is required. This can be configured on the CSS as well.
- There is a bookmark problem after the redirect takes place. When users bookmark a Web site, they bookmark the redirected page, not the original load balanced page. You can resolve this problem by using the main Uniform Resource Locator (URL) as a backup.
- Each domain name requires a unique SSL certificate. This is typically a licensing requirement, regardless of whether the servers have the same domain name.
Because of limitations in the CSS 11000, redirects can only be sent from HTTP (Port 80) to HTTP or from HTTP to HTTPS (Port 443). If there is a requirement to send a redirect from Secure Hypertext Transfer Protocol (HTTPS), then the redirect must be sent from the Web server.
If you configure a service as type redirect, you can specify a redirect string that you would like the CSS 11000 to use when it sends the redirect to the client. One advantage of using redirects to accomplish this is that the client sends cookie data with a new request.
Configure HTTP Redirects
In this section, you are presented with the information to configure the features described in this document.
To set up HTTP redirects, you need a redirect service for each server and, typically, a redirect service that redirects back to the main content rule for use as a backup.
- Set up the DNS entries for the URLs to be used. Typically, they would be www, ww1, and ww2. You can use any arbitrary domain name you wish. In this example, these DNS A-Records have been created:
www.cisco.com <--> 200.200.200.200
ww1.cisco.com <--> 200.200.200.201
ww2.cisco.com <--> 200.200.200.202
This example assumes that you already have two services defined:
service ww1
  ip address 10.0.0.11
  keepalive type tcp
  keepalive port 80
  active
service ww2
  ip address 10.0.0.12
  keepalive type tcp
  keepalive port 80
  active
- Create a redirect service that redirects a user to www.cisco.com. This redirect will serve as a backup if a user bookmarks a URL that is not in service:
service www-redirect
  ip address 2.2.2.2
  keepalive type none
  type redirect
  no prepend-http
  domain http://www.cisco.com/
  active
- Create a redirect for each service individually:
service ww1-redirect
  ip address 10.0.0.11
  keepalive type tcp
  keepalive port 80
  type redirect
  no prepend-http
  domain http://ww1.cisco.com/
  active
service ww2-redirect
  ip address 10.0.0.12
  keepalive type tcp
  keepalive port 80
  type redirect
  no prepend-http
  domain http://ww2.cisco.com/
  active
Alternatively, a redirect can go directly to HTTPS by entering a redirect string such as domain https://ww1.cisco.com. This is typically done on Web sites that use HTTPS exclusively.
Note: The command no prepend-http enables the redirect to go to other protocols such as HTTPS. Without the no prepend-http command, the redirect goes to the HTTP://<domain string>.
- Create these content rules:
owner cisco.com
content main_rule
  vip address 200.200.200.200
  protocol tcp
  port 80
  url "/*"
  add service ww1-redirect
  add service ww2-redirect
  active
content ww1_rule
  vip address 200.200.200.201
  protocol tcp
  port 80
  url "/*"
  add service ww1
  !--- You could configure the www-redirect service
  !--- as a primary sorry server, however, this is not required
  !--- since the CSS always prefers a normal server to a service
  !--- of type redirect.
  add service www-redirect
  active
content ww1_rule_443
  vip address 200.200.200.201
  protocol tcp
  port 443
  add service ww1
  active
content ww2_rule
  vip address 200.200.200.202
  protocol tcp
  port 80
  url "/*"
  add service ww2
  add service www-redirect
  active
content ww2_rule_443
  vip address 200.200.200.202
  protocol tcp
  port 443
  add service ww2
  active
Note: The www-redirect redirect service is added to the ww1_rule and the ww2_rule to solve the bookmark problem. If a user bookmarks a ww1 or ww2 rule and that service is not active when the user comes back, the user will be redirected to the main rule and load-balanced again. The CSS 11000 always sends requests to local servers before choosing a service of type redirect.
This configuration shows sample output from a CSS 11000 that has an HTTP redirect, which is used to maintain stickiness:
CSS 11150 (WebNS 4.10, Build 10)
CSS150# show run
!Generated on 06/22/2001 08:18:02
!Active version: ap0410010
configure
!*************************** GLOBAL ***************************
!--- The DNS configuration below is just an example on
!--- how to use the CSS to answer DNS requests.
dns-record a ww1.cisco.com 200.200.200.201 50 single kal-none
dns-record a ww2.cisco.com 200.200.200.202 50 single kal-none
dns-record a www.cisco.com 200.200.200.200 50 single kal-icmp 200.200.200.200 254 sticky-disabled
dns-server zone 1 tier1 "cisco.com"
dns-server
ip route 0.0.0.0 0.0.0.0 200.200.200.1 1
!************************* INTERFACE *************************
interface e1
bridge vlan 2
!************************** CIRCUIT **************************
circuit VLAN1
ip address 200.200.200.254 255.255.255.0
circuit VLAN2
ip address 10.0.0.254 255.255.255.0
!************************** SERVICE **************************
service ww1
ip address 10.0.0.11
keepalive type tcp
keepalive port 80
active
service ww1-redirect
ip address 10.0.0.11
keepalive type tcp
keepalive port 80
type redirect
no prepend-http
domain http://ww1.cisco.com/
active
service ww2
ip address 10.0.0.12
keepalive type tcp
keepalive port 80
active
service ww2-redirect
ip address 10.0.0.12
keepalive type tcp
keepalive port 80
type redirect
no prepend-http
domain http://ww2.cisco.com/
active
service www-redirect
ip address 2.2.2.2
keepalive type none
type redirect
no prepend-http
domain http://www.cisco.com
active
!*************************** OWNER ***************************
owner cisco.com
content main_rule
vip address 200.200.200.200
protocol tcp
port 80
url "/*"
add service ww1-redirect
add service ww2-redirect
active
content ww1_rule
vip address 200.200.200.201
protocol tcp
port 80
url "/*"
add service ww1
add service www-redirect
active
content ww1_rule_443
vip address 200.200.200.201
protocol tcp
port 443
add service ww1
!--- For HTTPS traffic, it is not possible to return a
!--- redirect response because the traffic is encrypted.
!--- Do not add the redirect service.
active
content ww2_rule
vip address 200.200.200.202
protocol tcp
port 80
url "/*"
add service ww2
add service www-redirect
active
content ww2_rule_443
vip address 200.200.200.202
protocol tcp
port 443
add service ww2
active
CSS150#
Verify
There is currently no verification procedure available for this configuration.
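The placement rules this document gives for redirect services (no redirect service on a port 443 rule, a backup redirect on each per-server port 80 rule, and `no prepend-http` whenever the domain string carries its own scheme) can be checked offline against a saved running-config. The following Python script is an added example, not Cisco code or part of the original document; the function name `audit`, the finding strings and the abridged `SAMPLE` configuration are constructed for illustration.

```python
# Constructed, abridged sample in this page's WebNS syntax with three mistakes:
# ww1-redirect lacks "no prepend-http", ww1_rule_443 redirects, ww2_rule has no backup.
SAMPLE = """
service ww1-redirect
  type redirect
  domain https://ww1.cisco.com/
service www-redirect
  type redirect
  no prepend-http
  domain http://www.cisco.com/
content ww1_rule
  port 80
  add service ww1
  add service www-redirect
content ww1_rule_443
  port 443
  add service ww1
  add service www-redirect
content ww2_rule
  port 80
  add service ww2
"""

def audit(config):
    """Return (name, finding) pairs for redirect-service mistakes."""
    tables, block = {"service": {}, "content": {}}, None
    for line in config.splitlines():
        w = line.split()
        if not w or w[0].startswith("!"):      # skip blanks and "!" comments
            continue
        if w[0] in tables:                     # start of a service/content block
            block = tables[w[0]].setdefault(w[1], {"add": []})
        elif block is not None and w[:2] == ["add", "service"]:
            block["add"].append(w[2])
        elif block is not None:
            block[" ".join(w[:-1])] = w[-1]    # e.g. "type" -> "redirect"
    redirects = {n for n, s in tables["service"].items() if s.get("type") == "redirect"}
    out = []
    for n in sorted(redirects):
        s = tables["service"][n]
        if "://" in s.get("domain", "") and s.get("no") != "prepend-http":
            out.append((n, "scheme in domain but 'no prepend-http' missing"))
    for n, r in tables["content"].items():
        redir = [x for x in r["add"] if x in redirects]
        if r.get("port") == "443" and redir:
            out.append((n, "redirect service on a port 443 rule"))
        if r.get("port") == "80" and r["add"] and not redir:
            out.append((n, "no backup redirect for bookmarked URLs"))
    return out
```

Calling `audit()` on the text of a saved `show run` returns an empty list when none of the three conditions is present.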
Troubleshoot
There is currently no specific troubleshooting information available for this configuration.
