Using CSM and FWSM together

dean.hilton · ‎01-16-2009

We are a hosting company looking to implement a Blade server/6500 solution.

We are looking to use a 6500 with an FWSM and loadbalancing between servers on a per customer/context basis.

All the examples on cisco.com support suggest CSM before and after firewall contexts however is it possible to move traffic in the following order on a single 6500?

Outside -> FWSM -> CSM -> Customer server farm?

Would this be done utilising 3 VLANs?

Gilles Dufour · ‎01-19-2009

Are you doing firewall loadbalancing or server loadbalancing ?

FW loadbalancing needs 2 CSM because you first need to select which firewall to use on the way out -> in and you also need to guarantee to use the same Fw on the way in -> out for the same connection.

The 2nd CSM can learn what FW was used and guarantee that the server response will use the same one.

This can however be done with a single CSM - just a little bit more complicated to configure.

I wrote a document about this @

http://www.cisco.com/en/US/products/hw/modules/ps2706/products_configuration_example09186a008020cd7c.shtml

I also would like to mention that nowadays the prefered loadbalancer would be the application control engine (ACE).

This device will defintely replace the CSM in a near future.

Gilles.

dean.hilton · ‎01-22-2009

Gilles, thanks for the reply.

We may be doing server load balancing as well as firewall load balancing depending on customer requirements. We still don't have the full details of the modules available to us yet so we may have to rethink depending on what we are supplied with. I'll make sure to take your guide as a reference point thanks!