CHAPTER 4
Setting Up Sun Fire Blades for Load Balancing SSL Traffic
This chapter describes how to set up a Sun Fire B1600 for load balancing SSL traffic with the Sun Fire B10n content load balancing blade and the Sun Fire B10p SSL proxy blades.
This chapter includes the following sections:
You must configure the following components to load balance SSL traffic:
In addition to modifying these components, you must set up three VLANS:
The following limitations apply:
1. Set the IP address on interface 0:
Where N is the number of the data/client VLAN.
3. Enable the data/client VLAN:
5. Enable the management VLAN:
Note - Refer to Chapter 4, "Command-Line Options" and "Configuring SSL Blade Entries" of the Sun Fire B10n Content Load Balancing Blade Administration Guide for detailed descriptions of the commands.
1. Create an SSL blade entry on the B10n content load balancing blade with the following command.
This command creates an SSL blade device name ssl1.
Note - The interface IP address must correspond to the one configured on the SSL proxy blade with the set management command.
2. Add a port pair to the entry with the secureport specified at 443 and the clearport specified at 880.
Note - These values must correspond to the same values specified on the SSL proxy blade with the set portpair command.
1. Display the basic information about all the SSL blades configured on the B10n content load balancing blade:
2. Display detailed information about the SSL proxy blade entry ssl1:
1. Create an SSL service on the B10n content load balancing blade that is load balanced on Layer 7 for the HTTP protocol.
puma{admin}# config service name svc1 vip 110.10.10.1:443:tcp ssl 880 interface 0 lb-layer 7 l7-proto http
The previous example shows the service svc1 bound to interface 0 and offered at the VIP 110.10.10.1, port 443, over TCP. The port specified after the ssl keyword, that is, 880, is the decrypted port.
2. Configure the default load balancing group of the service with two servers (192.50.50.10, and 192.50.50.11 in this example) and the load balancing scheme specified as weighted round robin.
puma{admin}# config service lb-group default svc1 server 192.50.50.10:0:tcp:2:1 192.50.50.11:0:tcp:3:1 scheme wt-round-robin
3. Add the SSL proxy blade entry ssl1 to the service in an active mode.
An SSL service cannot be enabled until one or more SSL entries are added to it using the config service ssl command.
Where N is the VLAN ID number.
When VLAN tagging is enabled on the service, the B10n content load balancing blade tags all traffic from this service that is destined for the server blades with the VLAN ID number specified here.
5. Enable VLAN tagging for the service.
6. Enable the service svc1 on the B10n content load balancing blade:
7. Check the service configuration on the B10n content load balancing blade:
1. Telnet to the Sun Fire B1600 console.
Where sc_ip-addr is the IP address of the Sun Fire B1600.
2. Get to the SSL proxy blade console:
Where n is the slot number of the SSL proxy blade.
1. Create the key on the SSL proxy blade:
This example creates the key key1 on the SSL proxy blade.
2. Use the show key command to display all the keys configured on the SSL proxy blade.
3. Create a self-signed certificate:
The previous example creates a certificate using the key key1. Use the show key command to display the certificate along with the key.
4. Set the parameters on port 1 for operation of the SSL proxy blade in the routed mode.
The router inbound IP address corresponds to the management IP address configured on the B10n content load balancing blade with the config ip command.
5. Set the inband (data) IP address on port 1 (192.100.100.205 in this example) and the subnet mask (255.255.255.0 in this example):
CLI# set inband
Enter port number (1..2) (1): 1
Enter inband (data) IP Address (0.0.0.0): 192.100.100.205
Enter inband (data) netmask (255.255.255.0): 255.255.255.0
Note - This address has to be on the same subnet as the outbound router IP address as configured by the set routed command.
6. Set the management parameters on port 1.
CLI# set management
Enter port number (1..2) (1): 1
Enter inband (admin) IP Address (0.0.0.0): 192.50.50.205
Enter inband (admin) netmask (255.255.255.0): 255.255.255.0
In this example, the management IP is set to 192.50.50.205 with a subnet mask of 255.255.255.0.
8. Set the management VLAN on port 1:
CLI# set vlan management
Enter port number (1..2) (1): 1
Enter management vlan tag (admin) (0..4095): 3
9. Set the inband (data) VLAN on port 1:
10. Enable the VLAN filtering on the SSL proxy blade:
For a B10n content load balancing blade used with an SSL proxy blade, the VLAN filter must be enabled. With the filter on, the SSL proxy blade drops any incoming traffic that arrives on the client VLAN (10 in this example) rather than processing it; only traffic the B10n forwards on the service VLAN reaches the proxy. This filtering is a security measure on the SSL proxy blade.
11. Configure port pair 1 on the SSL proxy with the secure port specified as 443 and the clear port specified as 880:
CLI# set portpair
Enter portpair number (1..4) (1): 1
Enter secure port (https) (443): 443
Enter clear port (http) (880): 880
Note - Up to four such port pairs can be configured on the SSL proxy blade. The maximum value of each port cannot exceed 1023. Each of the eight ports in the four port pairs must be unique.
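The port pair rules in the note above (at most four pairs, every port at most 1023, all ports unique) and the earlier requirement that the secureport/clearport values on the B10n entry match a pair on the SSL proxy blade are easy to get wrong when typed into two interactive CLIs. The following POSIX shell functions are an added pre-flight check, not part of Sun's tooling or this guide; they validate a proposed set of "secure:clear" pairs before you enter them, and confirm that the pair on the B10n side is among them. Pair values such as 443:880 are the chapter's own; the function names are assumptions.

```shell
#!/bin/sh
# Added example: validate SSL proxy blade port pairs before configuring them.
# Rules taken from the guide: 1..4 pairs, each port in 1..1023, all ports unique.

validate_portpairs() {
    # Arguments: one or more "secure:clear" pairs, e.g. 443:880
    count=$#
    if [ "$count" -lt 1 ] || [ "$count" -gt 4 ]; then
        echo "error: expected 1..4 port pairs, got $count" >&2
        return 1
    fi
    seen=""
    for pair in "$@"; do
        secure=${pair%%:*}
        clear=${pair#*:}
        for port in "$secure" "$clear"; do
            case "$port" in
                ''|*[!0-9]*) echo "error: port '$port' is not numeric" >&2; return 1 ;;
            esac
            if [ "$port" -lt 1 ] || [ "$port" -gt 1023 ]; then
                echo "error: port $port is outside 1..1023" >&2
                return 1
            fi
            # Every one of the (up to eight) ports must be distinct.
            case " $seen " in
                *" $port "*) echo "error: port $port used more than once" >&2; return 1 ;;
            esac
            seen="$seen $port"
        done
    done
    return 0
}

# The pair given to the B10n entry (secureport/clearport) must be one of the
# pairs configured on the proxy with set portpair, or decrypted traffic has
# nowhere to go. Usage: portpair_on_proxy 443:880 443:880 444:881
portpair_on_proxy() {
    want=$1; shift
    for pair in "$@"; do
        [ "$pair" = "$want" ] && return 0
    done
    echo "error: B10n pair $want is not configured on the SSL proxy blade" >&2
    return 1
}

# Example run with the chapter's values: both checks succeed.
# validate_portpairs 443:880 && portpair_on_proxy 443:880 443:880
```

Run the checks against the full list you intend to enter; a failure on the proxy side usually shows up only later as a service that cannot be enabled, so catching a duplicate or out-of-range port here saves a round trip through both CLIs.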
12. Create a service svc1 on the SSL proxy with the key key1 associated with it:
In this example, the service is offered at the IP address 110.10.10.1. The best cipher is chosen for this service and port pair 1 (with secure port 443 and clear port 880) is configured for the service.
13. Use show service to display all the services configured on the SSL proxy blade.
Configure the following interfaces on the router.
1. On the client/data VLAN, configure one or more interfaces for the SSL proxy blades and the Sun Fire B100s Solaris server blades to reach the clients.
Note - The address of this interface will be the one configured as the outbound router on the SSL Proxy blade, that is, 192.100.100.254 in this example.
If the router was a Solaris system, the following command would configure an interface on a client VLAN of 10.
2. On the client/data VLAN, configure one interface on each subnet on which services are provided. This provides routes from the clients/external routers to the VIPs (on the VIP side).
In this example, one interface has to be configured on the 110.10.10.0 subnet.
If the router was a Solaris system, the following command would configure an interface on a client VLAN of 10.
3. On the client/data VLAN, configure one interface on each subnet on which clients are configured. This provides routes from the clients/external routers to the services (on the client side).
If the router was a Solaris system, the following command would configure an interface on a client VLAN of 10, for clients/external routers in the 199.99.9.0 subnet.
1. If you are not already logged into the switch, Telnet to the Sun Fire B1600 console.
Where sc_ip-addr is the IP address of the Sun Fire B1600.
1. Configure the VLAN database:
2. Create the management VLAN (3 in this example):
3. Create the client/data VLAN (10 in this example):
4. Create the service VLAN (5 in this example):
5. Exit to the console prompt:
1. Configure a slot for the B10n content load balancing blade to allow the management, client, and service VLANs:
Where SNP is the internal port and 13 is the slot number in which the B10n content load balancing blade is located.
2. Configure a slot for the SSL proxy blade to allow the management, client, and service VLANs:
Where SNP is the internal port and 15 is the slot number in which the SSL proxy blade is located.
3. Configure slots for server blades to allow the management, client, and service VLANs:
Where SNP is the internal port and 10 is the slot number in which the server blade is located.
4. Configure uplink slot with Router to allow the management and client VLANs.
Console# configure
Console(config)# interface ethernet NETP7
Console(config-if)#
Console(config-if)# switchport allowed vlan add 3 tagged
Console(config-if)# switchport allowed vlan add 10 tagged
Where NETP is the uplink port and 7 is the uplink port number to which the router is connected.
5. Configure uplink slots with clients/external routers to allow the management and client VLANs.
Console# configure
Console(config)# interface ethernet NETP5
Console(config-if)#
Console(config-if)# switchport allowed vlan add 3 tagged
Console(config-if)# switchport allowed vlan add 10 tagged
Where NETP is the uplink port and 5 is the uplink port number to which a client/external router is connected.
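The five switch steps above follow one pattern: blade slots (SNPn) carry the management, client, and service VLANs, while uplinks (NETPn) carry only the management and client VLANs, so the service VLAN on which decrypted traffic travels between the B10n, the SSL proxy blade and the server blades never leaves the chassis. The POSIX shell functions below are an added example, not Sun's tooling or text from this guide: they emit the per-port configuration block in the form the chapter uses and check a proposed VLAN list against that policy. VLAN IDs 3, 5 and 10 are the chapter's; the function names are assumptions.

```shell
#!/bin/sh
# Added example: build and check the per-port VLAN allow-lists for the
# B1600 switch, using the chapter's VLANs (3 management, 5 service,
# 10 client/data). SNPn = blade slot, NETPn = uplink.

# VLANs a port class may carry. Uplinks deliberately omit the service VLAN.
allowed_vlans() {
    case "$1" in
        SNP*)  echo "3 5 10" ;;
        NETP*) echo "3 10" ;;
        *)     echo "error: unknown port class for $1" >&2; return 1 ;;
    esac
}

# Emit the switch CLI lines for one port in the form shown in the chapter.
emit_port_config() {
    port=$1
    vlans=$(allowed_vlans "$port") || return 1
    echo "Console# configure"
    echo "Console(config)# interface ethernet $port"
    for v in $vlans; do
        echo "Console(config-if)# switchport allowed vlan add $v tagged"
    done
}

# Policy check for a hand-written VLAN list: an uplink must not carry the
# service VLAN (5). Usage: check_uplink NETP7 "3 5 10"  -> returns 1
check_uplink() {
    port=$1; proposed=$2
    case "$port" in NETP*) ;; *) return 0 ;; esac
    for v in $proposed; do
        if [ "$v" = 5 ]; then
            echo "error: $port: service VLAN 5 must not be allowed on an uplink" >&2
            return 1
        fi
    done
    return 0
}

# Example: generate the blocks for the slots and uplinks named in the chapter.
# for p in SNP13 SNP15 SNP10 NETP7 NETP5; do emit_port_config "$p"; done
```

Because the service VLAN carries cleartext HTTP (port 880 in this example) between the proxy blade and the servers, the check_uplink function is the one worth running before any uplink configuration change.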
1. Return to the Solaris prompt and download and install the clbmod packages:
2. Configure the real IP address on the management VLAN (3 in this example):
This example shows switch 0 as active, so interface ce0 is being configured.
3. Configure any (unique) IP on the service VLAN (5 in this example):
4. Configure IP on the client/data VLAN (10 in this example) to reach the clients through the router:
5. Configure the VIPs on the loopback interface, for example:
6. Add the interfaces to the clbmod:
# /opt/SUNWclb/bin/clbconfig add ce3000
# /opt/SUNWclb/bin/clbconfig add ce5000
# /opt/SUNWclb/bin/clbconfig add ce10000
Add ce3000, ce5000, ce10000 to /etc/opt/SUNWclb/clb.conf, one on each line, to automatically add the interfaces to clbmod across reboots.
7. Check the interfaces on which the module is plumbed:
8. Make sure the Sun Fire B100s Solaris server blade is not routing, that is, the /etc/notrouter file should be present.
9. Configure your web server to listen on the decrypted port, that is, 880 in this example.
10. Repeat the above steps for each server blade you want to configure.
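Steps 2 through 8 above are repeated on every server blade, and two of them are easy to leave half done: the interfaces must be listed in /etc/opt/SUNWclb/clb.conf or clbmod loses them at the next reboot, and /etc/notrouter must exist or the blade will forward packets between the management, service and client VLANs it sits on. The POSIX shell script below is an added pre-flight check, not Sun's tooling or text from this guide. It assumes the Solaris convention for tagged VLAN interface names, where the instance number is VLAN ID * 1000 + device instance (so ce3000 is VLAN 3 on ce0, matching the names used above); the function names and the constructed sample tree are assumptions for demonstration.

```shell
#!/bin/sh
# Added example: pre-flight checks for a Sun Fire B100s server blade behind
# the B10n/B10p pair. Run as: preflight /   (root of the blade's filesystem)

# Derive the tagged VLAN interface name (Solaris convention assumed):
# vlan_ifname ce 0 10 -> ce10000
vlan_ifname() {
    dev=$1; inst=$2; vid=$3
    printf '%s%d\n' "$dev" $((vid * 1000 + inst))
}

# Every interface must appear on its own line in the clbmod config file so
# that clbconfig re-adds it across reboots.
check_clb_conf() {
    conf=$1; shift
    [ -r "$conf" ] || { echo "error: missing $conf" >&2; return 1; }
    for ifn in "$@"; do
        grep -qx "$ifn" "$conf" || { echo "error: $ifn not listed in $conf" >&2; return 1; }
    done
    return 0
}

# The blade must not route between VLANs; on Solaris /etc/notrouter
# disables IP forwarding at boot.
check_notrouter() {
    root=$1
    if [ ! -f "$root/etc/notrouter" ]; then
        echo "error: $root/etc/notrouter missing, blade would forward packets" >&2
        return 1
    fi
    return 0
}

# Run all checks against a filesystem root using the chapter's VLANs:
# 3 (management), 5 (service) and 10 (client/data) on active switch 0 (ce0).
preflight() {
    root=$1
    mgmt=$(vlan_ifname ce 0 3)
    svc=$(vlan_ifname ce 0 5)
    data=$(vlan_ifname ce 0 10)
    check_clb_conf "$root/etc/opt/SUNWclb/clb.conf" "$mgmt" "$svc" "$data" || return 1
    check_notrouter "$root" || return 1
    echo "preflight ok: $mgmt $svc $data"
}

# Constructed sample tree (not a real blade) so the checks can be exercised
# offline, e.g.: d=$(mktemp -d); make_sample_root "$d"; preflight "$d"
make_sample_root() {
    root=$1
    mkdir -p "$root/etc/opt/SUNWclb"
    printf 'ce3000\nce5000\nce10000\n' > "$root/etc/opt/SUNWclb/clb.conf"
    : > "$root/etc/notrouter"
}
```

On the blade itself, run preflight against / after step 8 and again after any reboot; the web server listening on the decrypted port (880 here) is still verified separately, since its configuration depends on which server you run.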
On the clients/external routers, add routes to the VIPs that use interfaces on the client VLAN (10 in this example), with the target address set to the client-side interface on the router, as specified in the section Setting Up the Router.
On a Solaris client directly connected to one of the uplink ports of the B1600, the following commands can be used:
This command configures a ce0 interface on VLAN 10 with an IP address of 199.99.9.101 which is on the same subnet as the client side interface (199.99.9.254) on the router as specified in section Setting Up the Router.
This adds a static route to the VIPs in the 110.10.10.0 subnet through the client side interface (199.99.9.254) on the router as specified in section Setting Up the Router.
Copyright © 2004, Sun Microsystems, Inc. All rights reserved.