How to restrict the server to server communication on separate server vlans

romer.mendiola
Level 1

Hi Guys,

We have a CSM configured with 1 bridge-mode client/server VLAN pair and 1 router-mode client/server VLAN pair (please note, all VLANs, client and server, are L2 VLANs). As soon as a server from the router-mode server VLAN tries to communicate with a VIP in the bridge-mode server VLAN, it bypasses our firewall and just connects through the CSM. Is that normal behavior? How can you restrict this communication?

Here's our diagram

internet
  |
  |
FW->client vlan 84->CSM->server vlan 83
  |
  |
Router
  |
  |-->client vlan 404->CSM->server vlan 403

Here's our sample config

module ContentSwitchingModule 9
 vlan 84 client
  ip address 192.168.84.3 255.255.255.0
  gateway 192.168.84.1
 !
 vlan 83 server
  ip address 172.30.2.1 255.255.255.0
 !
 vlan 404 client
  ip address 192.168.33.3 255.255.255.0
 !
 vlan 403 server
  ip address 192.168.33.3 255.255.255.0
 !
 static nat 192.168.84.101
  real 172.30.2.101
 !
 probe ICMP icmp
 !
 serverfarm EXT-DMZ-WEB
  nat server
  no nat client
  real 172.30.2.101
   inservice
  probe ICMP
 !
 serverfarm INT-DMZ-WEB
  nat server
  no nat client
  real 192.168.33.115
   inservice
  real 192.168.33.116
   inservice
  probe ICMP
 !
 serverfarm INT-DMZ-WEBS
  nat server
  no nat client
  real 192.168.33.116
   inservice
  real 192.168.33.115
   inservice
  probe ICMP
 !
 sticky 5 netmask 255.255.255.0 timeout 5
 !
 vserver INT-DMZ-WEB
  virtual 142.148.33.122 tcp www
  serverfarm INT-DMZ-WEB
  sticky 5 group 5
  persistent rebalance
  inservice
 !
 vserver INT-DMZ-WEBS
  virtual 142.148.33.200 tcp https
  serverfarm INT-DMZ-WEBS
  sticky 5 group 5
  persistent rebalance
  inservice

Any ideas are much appreciated.

2 Replies

gmarogi
Level 5

- VPN access router such as 1720 with the CTM client and a VPN router such as 2620 with the CTM server. Create a VPN tunnel between the two. As a side benefit, all data between the client and the server communication will be encrypted.

- Install VPN software on the CTM client; would still need the VPN router with the server though. (Option might not be workable if they need to use CTC.)

- There is an ethernet card which can be installed on the server which provides hardware VPN encryption.

Gilles Dufour
Cisco Employee

Yes, this is normal behavior.

The CSM always routes traffic if the destination MAC address belongs to the CSM.

It bridges only when the destination MAC address is not itself.

Also, the VLANs are not independent. So, routing from a bridged VLAN to a routed VLAN or vice versa is allowed.

What you can do is restrict access to a vserver from a particular VLAN only: use the command vlan in the vserver.

Then, create a new vserver to catch traffic from your routed server VLAN and forward it to your firewall.

You can do this with a serverfarm with no nat server and only 1 real, which would be the firewall IP.

Like this, the traffic is forwarded to the firewall, which should send it back on the appropriate VLAN to catch the normal vserver, which will do the load balancing.

Gilles.
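A concrete version of the two steps in the reply above, added here as an illustration; it is not config from this thread or from Cisco. It assumes the firewall is the vlan 84 gateway 192.168.84.1 from the posted config, that the traffic to be forced through the firewall is whatever server vlan 403 sends toward the 192.168.84.0/24 VIP range, and that the names FW-NEXTHOP and FWD-TO-FW are made up for the example.

```text
! Step 1: pin each existing vserver to the VLAN it is meant to serve.
! A connection arriving on any other CSM VLAN no longer matches it.
vserver INT-DMZ-WEB
 virtual 142.148.33.122 tcp www
 vlan 404
 serverfarm INT-DMZ-WEB
 sticky 5 group 5
 persistent rebalance
 inservice
!
! Step 2a: a one-real serverfarm whose only member is the firewall.
! "no nat server" keeps the original destination IP, so the CSM only
! rewrites the next-hop MAC to the firewall: the packet is steered,
! not load balanced. (FW-NEXTHOP is an assumed name; 192.168.84.1 is
! assumed to be the firewall, taken from the vlan 84 gateway.)
serverfarm FW-NEXTHOP
 no nat server
 no nat client
 real 192.168.84.1
  inservice
!
! Step 2b: a catch vserver bound to the routed server VLAN only. It
! matches any protocol toward the 192.168.84.0/24 VIP range (assumed
! scope) and hands the flow to the firewall, which inspects it and sends
! it back toward vlan 84, where the normal vserver / static nat entry
! takes over. (FWD-TO-FW is an assumed name.)
vserver FWD-TO-FW
 virtual 192.168.84.0 255.255.255.0 any
 vlan 403
 serverfarm FW-NEXTHOP
 inservice
```

Scoping the catch vserver's virtual to the VIP subnet rather than 0.0.0.0 0.0.0.0 is deliberate: a true catch-all on vlan 403 would also drag the servers' ordinary outbound traffic through the firewall, whereas the narrower match forces only the cross-VLAN path the question is about. After applying it, confirm with show module csm 9 vservers that FWD-TO-FW is in service on vlan 403 and with show module csm 9 conns that a test connection from a vlan 403 server to 192.168.84.101 now shows the firewall as its next hop instead of the real directly.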
