Cisco CSS cipher key strength

16 08 2007

There are various cipher suites available in the CSS for encrypting SSL traffic (if you have the SSL module, that is…).  You can choose which to support and weight them in your SSL proxy list if you don’t agree with Cisco’s interpretation of which should be used first.

A customer just asked me what key length the “rsa-with-3des-ede-cbc-sha” cipher used, since most of the other cipher names have a key-length in their name, but this one doesn’t.  Also, confusingly, browsers didn’t seem to agree on what was in use either – IE6 said it was 128-bit, Firefox said 168-bit and IE7 didn’t say anything at all.

So I did a bit of exploring to find out what 3DES was all about.





CSS alternatives to IOS commands

4 06 2007

Here are some notes I made on the CSS equivalents to commonly-used IOS commands.

Note – this is based on software version 8.1, but is probably fine with versions 7.x of CSS code.





ACE context configuration

13 02 2007

Contexts are used to partition the ACE module into multiple “virtual modules”. This enables its use in a Datacentre (for example) where customers can manage their own load-balancing configuration without affecting the configuration of other customers.

Obviously you don’t want to give complete access to a customer – there are some parameters that you don’t want them to change at all, such as IP addressing on the interfaces etc. So within a customer’s context, they get only a subset of the available commands.





ACE in layer 3 mode – diagram

13 02 2007

I’ve been meaning to diagram my layer-3 configuration of the ACE for some time and only just got round to doing so! The instructions and sample config are here if you’re interested.

ACE in L3 mode





Cisco ACE module – a few basic admin things

3 01 2007

Just a few things I found while messing with this product:





Configuring the New Cisco ACE Card in Layer 3 Mode

19 12 2006

I’ve recently been configuring up a pair of Cisco ACE (Application Control Engine) blades for a customer to install into a Cat 6509. These things are pretty new and constitute the latest generation of their content-switching products. They’re so new in fact that there doesn’t appear to be a sample configuration to be had anywhere on Cisco’s website.

If you want some basic product overview stuff, have a look at this page.

What I wanted to do was to configure basic layer-3 load-balancing, with a public Virtual IP address (VIP) and a pair of servers at the back-end. If you’ve not used a service module in a Catalyst 6500 before, it is a bit odd to get your head around.
