Recently I’ve invested some time integrating indeni with the newly supported Blue Coat X-Series chassis (previously known as Crossbeam). So here are a few tips on setting up VAPs on Crossbeam. The Blue Coat X-Series chassis is designed to run applications from third-party security software vendors (for example, Check Point) on VAPs (Virtual Application Processes). A Blue Coat chassis supports up to 14 VAPs and is divided into three types of hardware blades or modules:
- Network Processor Module (NPM)
- Control Processor Module (CPM)
- Application Processor Module (APM)
The setup of the security modules is managed by the CPM. The CPM CLI allows defining and running the security modules on the APMs through VAP (Virtual Application Processing) groups. These are essentially security software virtual modules that can be allocated to run on APMs dynamically.
Initial Setup to Create VAP Groups on Blue Coat
To create a VAP group in XOS using the CLI, run the following commands in sequence:
Configure vap-group <vap group name> <xslinux_v3/v5/v5_64/xsve>
There are 4 different Linux versions; make sure the Linux version is supported by the APM:
| xslinux_v5_64 * | APM-8600/8650, APM-9600 |
* The determination between xslinux_v5 and xslinux_v5_64 is based on the target application’s requirements and XOS will prompt you for the correct version when you install the application on the VAP Group.
** Platform that allows non-Linux based applications to run on APMs.
vap-count is the number of VAPs (APMs) in this group. For example, for a Check Point (standalone) security gateway this would be set to 1; for a cluster it would be set to 2.
max-load-count <number of APMs to dynamically allocate to>
The maximum number of VAP members in the VAP group cannot exceed the vap-count.
ap-list <list of potential APMs ap1..ap14>
Assign APMs to support the VAP group. This command specifies the list of APMs to be loaded.
load-balance-vap-list <indexes 1..14>
This is a list of VAP indexes that the NPM uses to load balance new flows. By default, the NPM load balances over all the VAPs in the VAP group.
ip-flow-rule <flow rule name>
Create the load balancing flow rule for the VAP group.
Set flow rule action to load-balance traffic to all available VAP members.
Set the activate flag to enable the action.
Example for Initial Setup:
vap-group r7540cxl xslinux_v5_64
vap-count 2
max-load-count 2
ap-list ap1 ap2 ap3 ap4 ap5 ap6 ap7 ap8 ap9 ap10
load-balance-vap-list 1 2 3 4 5 6 7 8 9 10
ip-flow-rule r7540cxl_lb
action load-balance
activate
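A check you can run on a stanza like the one above before applying it, as an added example that is not part of the original post and not indeni or XOS code: it parses the vap-group stanza in the form shown here and flags values that break the limits stated in the steps (the four OS version names, the 1..14 range, max-load-count no greater than vap-count, a flow rule left unactivated). The function names are hypothetical, and the check assumes vap-count and max-load-count are both set explicitly.

```python
import re

# Keywords, OS names and limits come from the steps above; the parser is illustrative.
KEYWORDS = {"vap-count", "max-load-count", "ap-list", "load-balance-vap-list",
            "ip-flow-rule", "action", "activate"}
OS_VERSIONS = {"xslinux_v3", "xslinux_v5", "xslinux_v5_64", "xsve"}
MAX_SLOTS = 14  # up to 14 VAPs per chassis; APMs are named ap1..ap14

def parse_vap_group(text):
    """Split a vap-group stanza (one line or several) into {keyword: [args]}."""
    # Accept the stanza with or without a leading "configure".
    tokens = re.sub(r"(?i)^\s*configure\s+", "", text).split()
    if len(tokens) < 3 or tokens[0] != "vap-group":
        raise ValueError("expected: vap-group <name> <os-version> ...")
    cfg, key = {"name": [tokens[1]], "os": [tokens[2]]}, None
    for tok in tokens[3:]:
        if tok in KEYWORDS:
            key = tok
            cfg.setdefault(key, [])
        elif key is None:
            raise ValueError(f"unexpected token {tok!r} before any keyword")
        else:
            cfg[key].append(tok)
    return cfg

def lint_vap_group(text):
    """Return a list of problems; an empty list means the stanza passes."""
    cfg, problems, counts = parse_vap_group(text), [], {}
    if cfg["os"][0] not in OS_VERSIONS:
        problems.append(f"unknown OS version {cfg['os'][0]!r}")
    for key in ("vap-count", "max-load-count"):
        args = cfg.get(key, [])
        if len(args) == 1 and args[0].isdecimal() and 1 <= int(args[0]) <= MAX_SLOTS:
            counts[key] = int(args[0])
        else:
            problems.append(f"{key} must be a single number in 1..{MAX_SLOTS}")
    if len(counts) == 2 and counts["max-load-count"] > counts["vap-count"]:
        problems.append("max-load-count exceeds vap-count")
    for key, pattern in (("ap-list", r"ap([0-9]+)"), ("load-balance-vap-list", r"([0-9]+)")):
        for item in cfg.get(key, []):
            m = re.fullmatch(pattern, item)
            if not m or not 1 <= int(m.group(1)) <= MAX_SLOTS:
                problems.append(f"{key}: {item!r} is outside 1..{MAX_SLOTS}")
    if "ip-flow-rule" in cfg and "activate" not in cfg:
        problems.append("ip-flow-rule is defined but not activated")
    return problems

if __name__ == "__main__":  # constructed stanza: max-load-count > vap-count, and ap15
    print(lint_vap_group("vap-group demo xslinux_v5 vap-count 1 max-load-count 2 ap-list ap1 ap15"))
```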
When you’ve finished configuring the VAPs, it is recommended that you save the config by running the following command:
copy running-config startup-config
To view the allocation of VAPs on the APMs, run the following command, which displays VAP group to APMs mapping. It will give you a quick indication of which VAP groups are running on which APMs:
As part of indeni’s monitoring of Blue Coat’s XOS, we:
- Compare the VAPs as defined under the vap-group section of the configuration with the output of show ap-vap-mapping. If indeni finds VAPs that are defined but not running, we alert you.
- Run show application vap-group periodically for all the VAPs that are set up. If indeni finds VAPs that have a status different than ‘Up’, we alert you.