CSS network design question

Answered Question
Apr 24th, 2007

Hi all,

We have a couple of CSS switches that need to be connected to firewall cluster on one side, and blade system with blade servers on the other side:

(2xFW)<->(2xCSS)<->(HP Blade system with two Cisco Catalyst Blade Switches 3020)

I’m puzzled about the best design for this case.

All the servers reside in the same DMZ.

Some of the blade servers will be load balanced using CSS (additionally, CSS will perform SSL termination!!!).

The rest of blade servers will not be load-balanced, and shall pass through CSS transparently.

1. Should we use bridge mode here?

2. Another question is about redundancy. If I understood well, CSS is not compatible with Cisco Catalyst spanning-tree, and STP is not recommended on CSS. Also, CSS does not support etherchannel. What would be the recommended way to connect these devices and what type of redundancy to implement?

Best regards,

Jasmina

Gilles Dufour Tue, 04/24/2007 - 02:06

With CSS it's best to keep the design simple.

So, on the front-end I would connect one CSS to one firewall [don't try to do a mesh or whatever].

Same in the backend. Connect one CSS to one switch.

Then interconnect the switches as you want and attach your servers to the Catalyst.

For redundancy use interface-redundancy in the back-end and use the shared ip as the default gateway on the servers.

In the front-end, use vip-redundancy.

The reason to go for vip/interface redundancy is because it gives you faster failover and the possibility to configure ASR for stateful redundancy.

Gilles.

jasmina27s Tue, 04/24/2007 - 03:30

Hi,

Gilles, thank you for the prompt answer!

Sorry, I know it is a lot of questions, but it means a lot to consult someone who has significant experience in this…

You suggest creating client side and server side Vlan, and configure CSS as default gateway for the servers? But, some servers need to stay in DMZ subnet with their public IP addresses! Do you think it would be wise to combine routed and bridged mode on the CSS?!?!

Suppose I use *bridge* topology with only one Vlan circuit on CSS, interconnect devices in the following way (interconnect only blade switches - dots are there just to keep the form of the picture), configure redundant interface and VIP, and configure critical services and interfaces to monitor FW and BSW reachability:

FW1---fo link---FW2
.|...............|.
CSS1............CSS2
.|...............|.
BSW1------------BSW2
..\............./..
...Blade Servers...

Do you think it would be satisfying design?

Another option would be: to use routed mode on CSS, add CSS-CSS interconnection for Client Vlan, use BSW-BSW interconnection for Server Vlan(s), and readdress all not-load-balanced servers into additional public IP address pool (or readdress FW-CSS subnet)?

Thanks,

Jasmina

Correct Answer
Gilles Dufour Tue, 04/24/2007 - 04:21

Jasmina, you can still use bridge mode if you prefer. It does not matter.

I just have a concern with the front-end.

Assume CSS1 is active and FW1 is active.

If CSS1 fails, CSS2 takes over.

Can FW2 take over?

I'm not sure what FW you will be using and what feature is available there.

Maybe it would be better to reuse BSW1 & BSW2 at the front to interconnect the CSS to the FW.

FW1---fo link---FW2
.|...............|.
BSW1------------BSW2
.|...............|.
CSS1............CSS2
.|...............|.
BSW1------------BSW2
..\............./..
...Blade Servers...

I have seen both setups being used.

I think it just depends on what your FW can do.

Avoid direct connection between the 2 CSS.

It can be confusing during troubleshooting.

Gilles.

jasmina27s Tue, 04/24/2007 - 04:44

Hi Gilles,

I believe FW can detect link failure.

If not, I will consider reusing BSW (it would then be one-arm CSS topology basically…).

Thank you very much for all the help! :)

Best regards,

Jasmina

jasmina27s Tue, 04/24/2007 - 04:51

Hi Gilles,

It just crossed my mind that I need to force return traffic through CSS as I have SSL termination on CSS.

In that case one-arm + bridge mode is not that simple...

Thanks anyway, I'll think it over some more before I decide what to do...

Best regards,

Jasmina

Gilles Dufour Tue, 04/24/2007 - 06:11

Jasmina,

it is not because you connect to the same switch that this is one-armed.

If you have 2 links from the CSS to a single switch, put on the switch side one link in vlan x and the other link in vlan y.

On the CSS put both interfaces in the same vlan [y or x or whatever].

You have bridge mode, but this is not one-armed as the client in vlan x needs to go through the CSS to reach the server in vlan y.

Hope this is clear like this.

Gilles.
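The design from Gilles's last post (two CSS links into one Catalyst, one link in vlan x and the other in vlan y on the switch side, both interfaces in a single VLAN on the CSS) combined with his earlier advice on interface and VIP redundancy comes out to configuration along the following lines. This is an added illustration, not configuration posted by anyone in the thread: the port numbers, VLAN ids, addresses (documentation space 192.0.2.0/24), service and owner names, and the CSS interface names e1/e2 are all assumptions, and the SSL termination part is left out. Keeping the client-side and server-side links in separate switch VLANs is what makes the setup not one-armed: the only path between a client and a load-balanced blade is the CSS bridge, so return traffic for the SSL-terminated services cannot bypass the CSS, which was the concern raised at 04:51.

```cisco
! ---- BSW1, Catalyst Blade Switch 3020 (IOS) ---- all values assumed
! The two CSS1 links land in different switch VLANs so that the only
! path between client side and server side is through the CSS bridge.
vlan 10
 name CSS1-CLIENT-SIDE
vlan 20
 name CSS1-SERVER-SIDE
!
interface GigabitEthernet0/17
 description CSS1 e1 (client side, "vlan x" in the thread)
 switchport mode access
 switchport access vlan 10
!
interface GigabitEthernet0/18
 description CSS1 e2 (server side, "vlan y" in the thread)
 switchport mode access
 switchport access vlan 20
!
interface GigabitEthernet0/1
 description blade bay 1, load-balanced behind CSS1
 switchport mode access
 switchport access vlan 20
!
! ---- CSS1 (CSS 11500 CLI) ---- all values assumed
! Both interfaces are in the same CSS VLAN, so the CSS bridges between
! them (bridge mode): one circuit, one subnet, servers keep their
! existing DMZ addresses and their default gateway on the firewall.
interface e1
  description "client side, to BSW1 Gi0/17"
  bridge vlan 10
interface e2
  description "server side, to BSW1 Gi0/18"
  bridge vlan 10
!
circuit VLAN10
  ip address 192.0.2.2 255.255.255.0
    redundancy-protocol
    redundant-interface 192.0.2.1
    redundant-vip 192.0.2.100
    critical service fw-check
!
! Keepalive toward the firewall (assumed address): if CSS1 loses the
! front-end, the critical service fails and CSS2 takes over the shared
! interface address and the VIP (the reachability check mentioned in
! the thread).
service fw-check
  ip address 192.0.2.254
  keepalive type icmp
  active
!
service blade1
  ip address 192.0.2.11
  keepalive type tcp
  keepalive port 80
  active
!
owner dmz
  content web-farm
    vip address 192.0.2.100
    protocol tcp
    port 80
    add service blade1
    active
!
! CSS2 is configured the same way except for its own circuit address
! (for example 192.0.2.3); the shared interface 192.0.2.1 and the VIP
! 192.0.2.100 are identical on both boxes.
```

The non-load-balanced blades simply sit in VLAN 20 as well and are bridged through the CSS without a content rule, which matches the "pass through transparently" requirement in the original question; if instead the routed-mode option with separate client and server subnets were chosen, the redundant interface address would become the servers' default gateway as Gilles described in his first reply.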
