
CSS - must real servers be in separate Vlan?

mark.tutton
Level 1

I am to install 2xCSS11503, one at each datacentre. The objective is to give datacentre resilience for Web clients.

However, the Web server (real server) is NOT in its own Vlan and it shares it with approx 30 other hosts. Some of these other hosts feed data into the Web server, but other hosts are nothing at all to do with this application.

Apparently to move the Web server (and associated database server) into their own separate Vlan is going to be a problem (or indeed moving the other hosts off this Vlan) - because of changing IP addresses etc.

The question is, can the Web server and database server remain in the same Vlan as these other hosts when deploying CSSs?

Thanks in anticipation to any responses.

regards Mark


Gilles Dufour
Cisco Employee

Mark,

the CSS is a routing/switching device with loadbalancing functionality. So, you can have whatever ip device you want behind it.

It does not matter if these are servers or not.

However, the CSS does not support some protocols like multicast or IPSEC. So, if the devices in this vlan require some specific traffic to go through the CSS, you should verify that it works.

You could have the CSS and another router attached to this vlan. Use the router as gateway for the non-servers and the CSS for the servers.

Gilles.

Hi Gilles,

Thanks for your input.

The Real server will be accessed via HTTP (80) only.

However, I understood that the basic good CSS deployment design concept is to have the real servers in their own Vlan. My question was therefore twofold:

1- Do the real servers have to be in their own vlan when deploying CSSs?

2- If they do, why? (I know about general benefits of having Vlans in normal circumstances)

regards

Mark

Mark,

it is better to have the CSS in a setup such that you have an outside (Internet) interface/vlan and an inside/private vlan.

This is because the CSS MUST see both flows of a connection - client -> server and server->client.

With a setup as mentioned, it is always the case since to get out, the servers must go through the CSS.

This is the reason why the servers need to be in their own vlan. But it does not mean they have to be alone in the vlan. It also does not mean they must be in a vlan directly attached to the CSS. It could be several next-hops away. As long as the only exit is through the CSS.

This is what I explained in my previous post. If you share the vlan with other devices, and those devices need to use multicast [I'm not talking about the servers], then you will need a separate router to handle this traffic.

Gilles.
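
The "only exit is through the CSS" condition from the answer above can be checked before cut-over by walking each real server's default next hops and confirming the CSS is on the way out. This is an added example, not part of the original thread or any Cisco tool; the device names and routing table are constructed, and it models default routes only, not per-destination routing.

```python
CSS = "css"
OUTSIDE = "outside"

# Constructed sample data (assumption): each device's default next hop toward clients.
NEXT_HOP = {
    "web1": "css",        # real server, CSS directly attached to its VLAN
    "web2": "core-rtr",   # real server several next-hops away from the CSS
    "core-rtr": "css",
    "web3": "rtr2",       # real server mistakenly pointed at the second router
    "batch1": "rtr2",     # non-server host sharing the VLAN; bypassing the CSS is fine
    "rtr2": OUTSIDE,
    "css": OUTSIDE,
}
REAL_SERVERS = ["web1", "web2", "web3"]


def return_path(host, next_hop):
    """Follow default next hops from host until traffic leaves the site."""
    path, seen = [host], {host}
    while path[-1] != OUTSIDE:
        nxt = next_hop.get(path[-1])
        if nxt is None:
            raise ValueError(f"{path[-1]} has no route toward clients")
        if nxt in seen:
            raise ValueError(f"routing loop at {nxt}: {' -> '.join(path)}")
        path.append(nxt)
        seen.add(nxt)
    return path


def bypasses_css(servers, next_hop, css=CSS):
    """Return {server: path} for real servers whose replies never cross the CSS.

    Client requests always reach the CSS first; the server-to-client
    direction is the one that can go around it, so that is what is checked.
    """
    bad = {}
    for server in servers:
        path = return_path(server, next_hop)
        if css not in path:
            bad[server] = path
    return bad


if __name__ == "__main__":
    for server, path in bypasses_css(REAL_SERVERS, NEXT_HOP).items():
        print(f"{server}: return traffic bypasses the CSS via {' -> '.join(path)}")
```
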

Thanks Gilles