Blue Coat Setting up VAPs Crossbeam

Recently I’ve invested some time integrating indeni with our newly supported Blue Coat X-Series chassis (previously known as Crossbeam), so here are a few tips on setting up VAPs on Crossbeam. The Blue Coat X-Series chassis is designed to run applications from third-party security software vendors (for example, Check Point) on VAPs (Virtual Application Processes). A Blue Coat chassis supports up to 14 VAPs and is divided into three types of hardware blades or modules:

  • Network Processor Module (NPM)
  • Control Processor Module (CPM)
  • Application Processor Module (APM)

The setup of the security modules is managed by the CPM. The CPM CLI lets you define and run the security modules on the APMs through VAP (Virtual Application Processing) groups. These are essentially virtual security-software modules that can be dynamically allocated to run on APMs.

 

Initial Setup to Create VAP Groups on Blue Coat

 

To create a VAP group in XOS using the CLI, run the following commands in sequence:

configure vap-group <vap group name> <xslinux_v3/v5/v5_64/xsve>

 

There are 4 different Linux versions; make sure the Linux version you choose is supported by the APM:

| Version | Supported APMs |
|---|---|
| xslinux_v3 | APM-8600/8650 |
| xslinux_v5 | APM-8600/8650, APM-9600 |
| xslinux_v5_64 * | APM-8600/8650, APM-9600 |
| xsve ** | APM-9600 |

* The choice between xslinux_v5 and xslinux_v5_64 depends on the target application’s requirements; XOS will prompt you for the correct version when you install the application on the VAP group.

** A platform that allows non-Linux-based applications to run on APMs.

 

vap-count <count>

vap-count is the number of VAPs (APMs) in this group. For example, in Check Point (standalone) security gateway this would be set to 1; for a cluster it would be set to 2.

 

max-load-count <number of APMs to dynamically allocate to>

max-load-count is the maximum number of VAP members in the VAP group; it cannot exceed the vap-count.

 

ap-list <list of potential APMs ap1..ap14>

Assign APMs to support the VAP group. This command specifies the list of APMs to be loaded.

 

load-balance-vap-list <indexes 1..14>

This is a list of VAP indexes that the NPM uses to load balance new flows. By default, the NPM load balances over all the VAPs in the VAP group.

 

ip-flow-rule <flow rule name>

Create the load balancing flow rule for the VAP group.

 

action load-balance

Set flow rule action to load-balance traffic to all available VAP members.

 

activate

Set the activate flag to enable the action.

 

exit

 

Example for Initial Setup:

 

vap-group r7540cxl xslinux_v5_64
  vap-count 2
  max-load-count 2
  ap-list ap1 ap2 ap3 ap4 ap5 ap6 ap7 ap8 ap9 ap10
  load-balance-vap-list 1 2 3 4 5 6 7 8 9 10
  ip-flow-rule r7540cxl_lb
    action load-balance
    activate
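The constraints described above can be checked offline before a stanza is applied on the CPM. The Python below is an added example, not code from the original article, indeni or Blue Coat: it parses one vap-group stanza in any line layout and reports violations of the rules stated in this post. The function names, the `slot_models` inventory and the broken sample stanza are assumptions made for the example, and the 1..14 bound on vap-count is derived from the statement that a chassis supports up to 14 VAPs.

```python
import re

# OS version -> supported APM models, copied from the table in this article.
SUPPORTED_APMS = {
    "xslinux_v3": {"APM-8600", "APM-8650"},
    "xslinux_v5": {"APM-8600", "APM-8650", "APM-9600"},
    "xslinux_v5_64": {"APM-8600", "APM-8650", "APM-9600"},
    "xsve": {"APM-9600"},
}
KEYWORDS = {"vap-group", "vap-count", "max-load-count", "ap-list",
            "load-balance-vap-list", "ip-flow-rule", "action", "activate"}

def parse_vap_group(text):
    """Split ONE vap-group stanza into {keyword: [args]}, whatever its line layout."""
    stanza, current = {}, None
    for token in text.split():
        if token in KEYWORDS:
            current = stanza.setdefault(token, [])
        elif current is not None:
            current.append(token)
    return stanza

def lint_vap_group(text, slot_models):
    """Return findings; slot_models (hypothetical input) maps 'apN' -> APM model."""
    s, findings = parse_vap_group(text), []
    name, os_version = (s.get("vap-group", []) + ["?", "?"])[:2]
    def number(key):
        arg = (s.get(key) or [""])[0]
        return int(arg) if arg.isdigit() else None
    vap_count, max_load = number("vap-count"), number("max-load-count")
    if os_version not in SUPPORTED_APMS:
        findings.append(f"{name}: unknown VAP OS '{os_version}'")
    if vap_count is None or not 1 <= vap_count <= 14:  # article: up to 14 VAPs per chassis
        findings.append(f"{name}: vap-count missing or outside 1..14")
    elif max_load is not None and max_load > vap_count:
        findings.append(f"{name}: max-load-count {max_load} exceeds vap-count {vap_count}")
    for ap in s.get("ap-list", []):
        if not (m := re.fullmatch(r"ap(\d+)", ap)) or not 1 <= int(m.group(1)) <= 14:
            findings.append(f"{name}: '{ap}' is outside ap1..ap14")
        elif os_version in SUPPORTED_APMS and slot_models.get(ap) not in SUPPORTED_APMS[os_version]:
            findings.append(f"{name}: {ap} ({slot_models.get(ap)}) does not support {os_version}")
    for idx in s.get("load-balance-vap-list", []):
        if not idx.isdigit() or not 1 <= int(idx) <= 14:
            findings.append(f"{name}: load-balance index '{idx}' is outside 1..14")
    return findings

# Constructed sample: a deliberately broken stanza and a made-up one-slot inventory.
BAD = "vap-group fw_bad xslinux_v3 vap-count 1 max-load-count 2 ap-list ap3 ap15 load-balance-vap-list 1 20"
print(lint_vap_group(BAD, {"ap3": "APM-9600"}))
```

The example stanza from this post produces no findings when every listed slot holds a model that supports xslinux_v5_64.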

 

When you’ve finished configuring the VAPs, it is recommended that you save the config by running the following command:

copy running-config startup-config

 

To view the allocation of VAPs on the APMs, run the following command, which displays the VAP-group-to-APM mapping. It gives you a quick indication of which VAP groups are running on which APMs:

show ap-vap-mapping

 

As part of indeni’s monitoring of Blue Coat’s XOS, we:

  • Compare the VAPs as defined under the vap-group section of the configuration with the output of show ap-vap-mapping. If indeni finds VAPs that are defined but not running, we alert you.
  • Run show application vap-group periodically for all the VAPs that are set up. If indeni finds VAPs that have a status other than ‘Up’, we alert you.
