default route per content

Unanswered Question
Mar 7th, 2006

Hi,


is there a possibility to use different default routes depending on which content is used?


If a client addresses the content Serverfarm1, the packets back to the client should be routed to Firewall-X(10.160.1.200).

All other contents should use Firewall-Y(10.160.1.36) as default gateway


thanks

Juergen Klaiber

Gilles Dufour (Cisco Employee) Tue, 03/07/2006 - 11:47

Juergen,


the CSM will send the traffic back to where it came from. This is actually a good thing for your firewalls, because they would probably not accept asymmetric connections.


If you want connections opened by the servers to follow a different path, this is feasible.

Create a serverfarm with just one real for each firewall. Use 'no nat server' and the default predictor.


Create 2 vservers that catch any 0.0.0.0/0 any, and simply use vlan X and firewall1 for one vserver and vlan Y and firewall2 for the other vserver.


Regards,


Gilles.

juergen.klaiber Wed, 03/08/2006 - 00:47

Gilles,


unfortunately we use a CSS (one-armed, with a trunk) and not a CSM.

It seems that the CSM behaves in a different way than the CSS.


Cisco says:

"Unlike other devices, the CSM will not perform a route lookup, but it memorizes the source MAC address from where the first packet of the connection was received. Return traffic for that connection is sent back to the source MAC address."


Is there a possibility to make the CSS behave like the CSM?

Maybe a second interface to FW-2 could help?

Does the CSS memorize from which interface the session came?


Or is your suggestion usable for the CSS as well?

And what is the config for it?


Lots of questions... sorry.


Regards,


Juergen.


Gilles Dufour (Cisco Employee) Wed, 03/08/2006 - 02:03

Juergen,


the CSS should behave the same as the CSM and forward the server response back using the same client path.

However, you may require default routes pointing to both firewalls.

If 2 routes for a destination are possible, the CSS checks which path the client came in on and reuses the same path.

So, you need equal routes pointing to the 2 firewalls.


For server-initiated traffic, there is a solution similar to the CSM one.

You will need to create a service for each firewall and then use an ACL with the 'prefer' option to select which firewall to use.


Gilles.
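A CSS configuration fragment sketching the two parts of Gilles' answer (equal default routes for client return traffic, and a per-firewall service selected by an ACL 'prefer' clause for server-initiated traffic), added here as an illustration and not taken from the thread or from Cisco documentation. The firewall addresses are the ones from the question; the service names, the service type, VLAN numbers, the Serverfarm1 subnet 10.160.2.0/24 and the exact CLI syntax are assumptions to be checked against the CSS software reference for your release.

```cisco
! Two equal-cost default routes, one per firewall. With equal routes the
! CSS returns client traffic along the path the connection arrived on,
! which keeps each firewall seeing a symmetric connection.
ip route 0.0.0.0 0.0.0.0 10.160.1.200 1
ip route 0.0.0.0 0.0.0.0 10.160.1.36 1

! One service per firewall for server-initiated (outbound) traffic.
! Service names and type are assumptions for this example.
service FW-X
  ip address 10.160.1.200
  type transparent-cache
  active

service FW-Y
  ip address 10.160.1.36
  type transparent-cache
  active

! ACL on the server-side VLAN: traffic sourced from the Serverfarm1
! subnet (assumed 10.160.2.0/24) prefers FW-X; everything else FW-Y.
! Once ACLs are enabled, any traffic not matched by a permit clause
! on a circuit is dropped, so every circuit needs a catch-all permit.
acl 10
  clause 10 permit any 10.160.2.0 255.255.255.0 destination any prefer FW-X
  clause 20 permit any any destination any prefer FW-Y
  apply circuit-(VLAN10)

acl enable
```

Verify with 'show ip routes' that both default routes are installed and with 'show acl' that the clauses are applied to the intended circuit before relying on the outbound path.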
