Cisco CSS11501 - 100Mbps Ethernet Load Balancing Device Configuration Manual page 169

11000 series secure content accelerator

Appendix B
Deployment Examples
Use with the CSS
The upstream CSS is configured as if the Secure Content Accelerator devices are
transparent caches with redirection at Layer 4. Port 80 traffic is forwarded via
Layer 3 to the downstream CSS, avoiding any potential Port 80 bottleneck at the
Secure Content Accelerator level. Because the Secure Content Accelerator is a
Layer 2 device, it must be configured to ensure that bridge loops are not created.
The Secure Content Accelerator intercepts all port 443 traffic for the IP addresses
configured on it, decrypts the traffic, and forwards it as clear text on another TCP
service port to the downstream CSS. The downstream CSS is configured with
Layer 5 rules for all origin servers and multiple ECMP routes, each to a different
upstream VLAN. The default ECMP configuration is to prefer ingress, ensuring
that outbound traffic needing to be encrypted is routed to the Secure Content
Accelerator responsible for decrypting traffic for that session. Outbound Port 80
traffic bypasses the Secure Content Accelerator devices completely.
Traffic "sourced" from a server in the server farm can be routed through one of
the Secure Content Accelerator devices. There is no way to differentiate between
equal-cost paths without mapping to an ingress flow. Table B-2 shows basic
configuration actions for the CSS devices and Secure Content Accelerator.
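
The prefer-ingress behavior described above can be illustrated with a small model. This is an added example, not Cisco code or CSS configuration: the class and function names, the VLAN labels, the clear-text port 81, the sample addresses, and the hash used when no ingress flow exists are all assumptions made for illustration.

```python
import zlib
from typing import NamedTuple

class Flow(NamedTuple):
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

    def reverse(self) -> "Flow":
        return Flow(self.dst_ip, self.dst_port, self.src_ip, self.src_port)

class DownstreamCSS:
    """Toy model of the downstream CSS: one equal-cost route per upstream VLAN."""

    def __init__(self, upstream_vlans):
        self.vlans = list(upstream_vlans)   # each VLAN leads to one SCA
        self.flow_table = {}                # inbound flow -> VLAN it arrived on

    def ingress(self, flow: Flow, vlan: str) -> None:
        # Remember which upstream VLAN (and so which SCA) delivered this flow.
        self.flow_table[flow] = vlan

    def egress_vlan(self, flow: Flow):
        """Return (vlan, reason) for an outbound packet."""
        vlan = self.flow_table.get(flow.reverse())
        if vlan is not None:
            return vlan, "prefer-ingress"
        # Assumption: with no ingress mapping, choose a route by hashing the flow.
        idx = zlib.crc32(repr(tuple(flow)).encode()) % len(self.vlans)
        return self.vlans[idx], "ecmp-hash"

def demo():
    css = DownstreamCSS(["vlan-sca1", "vlan-sca2"])
    # Constructed sample: a client session decrypted by the SCA on vlan-sca2 and
    # forwarded as clear text to an origin server on TCP port 81 (assumed port).
    inbound = Flow("198.51.100.7", 40312, "10.0.0.20", 81)
    css.ingress(inbound, "vlan-sca2")
    reply = css.egress_vlan(inbound.reverse())
    # Server-sourced connection: there is no ingress flow to map it to.
    sourced = css.egress_vlan(Flow("10.0.0.20", 51000, "203.0.113.9", 8080))
    return reply, sourced

if __name__ == "__main__":
    print(demo())
```

In the model, the reply always leaves on the VLAN of the Secure Content Accelerator that decrypted the session, while the server-sourced flow lands on whichever equal-cost route the fallback selects.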
Cisco 11000 Series Secure Content Accelerator Configuration Guide
B-9
78-13124-05
