We have a couple of CSS switches that need to be connected to firewall cluster on one side, and blade system with blade servers on the other side:
(2xFW)<->(2xCSS)<->(HP Blade system with two Cisco Catalyst Blade Switches 3020)
I’m puzzled about the best design for this case.
All the servers reside in the same DMZ.
Some of the blade servers will be load balanced using CSS (additionally, CSS will perform SSL termination!!!).
The rest of the blade servers will not be load-balanced, and shall pass through the CSS transparently.
1. Should we use bridge mode here?
2. Another question is about redundancy. If I understood well, CSS is not compatible with Cisco Catalyst spanning-tree, and STP is not recommended on CSS. Also, CSS does not support EtherChannel. What would be the recommended way to connect these devices, and what type of redundancy should be implemented?
Jasmina, you can still use bridge mode if you prefer. It does not matter.
I just have a concern with the front-end.
Assume CSS1 is active and FW1 is active.
If CSS1 fails, CSS2 takes over.
Can FW2 take over?
I'm not sure what FW you will be using and what feature is available there.
Maybe it would be better to reuse BSW1 & BSW2 at the front to interconnect the CSS to the FW.
I have seen both setups being used.
I think it just depends on what your FW can do.
Avoid direct connection between the 2 CSS.
It can be confusing during troubleshooting.