bridged or routed load balancing

rpalacio
Level 1

Scenario:

We have a web server installed on the DMZ of the firewall. Two database servers for the web server are installed inside the local LAN. These database servers are to be load balanced using the CSM installed on the 6500 core switch. Remote clients are to access the web server.

Q1. Am I on the right track if I mapped an IP address from the DMZ to the VIP address which is on the local LAN? The mapped IP address on the DMZ is the one to be queried by the web server, which in turn points to the configured VIP on the local LAN.

Q2. Can we consider this scenario still a bridged type of LB?

Q3. What if my local LAN has to access the web server too? Is it a conventional solution for the LAN to access the web server on the DMZ, with the DMZ getting the database from the inside LAN, and the web server in turn providing the data back to the LAN again? Any better recommendation for this scenario?

3 Replies

Gilles Dufour
Cisco Employee

Q1. You don't need a mapping between DMZ/local, but you can do it. If you don't, you just need to make sure your web server can access local LAN IP addresses.

Q2. Bridged LB depends on how you configure the CSM. You can have bridged and routed LB with the scenario you described.

Bridged LB means the CSM uses one single IP address for both the incoming and outgoing VLAN. We're not talking about the VIP here but the CSM VLANs.

Q3. The solution you describe is the most commonly used.

Gilles
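
To illustrate the bridged versus routed distinction Gilles describes, here is an added CSM configuration sketch for the scenario in the question (two DB reals behind a VIP on the inside LAN); it is example configuration written for this thread, not from the original posts or from Cisco documentation, and the slot number, VLAN numbers, addresses and the SQL port are all assumed values.

```cisco
! Assumed values (not from the thread): CSM in slot 5, VLAN 10 = client side
! (toward the MSFC/firewall), VLAN 20 = server side (DB servers), port 1433.
module ContentSwitchingModule 5
 !
 ! --- Bridged mode: client and server VLANs share ONE subnet and ONE CSM
 ! address. The CSM bridges 10.1.1.0/24 between VLAN 10 and VLAN 20; the DB
 ! reals keep their existing addresses and default gateway (10.1.1.1).
 vlan 10 client
  ip address 10.1.1.2 255.255.255.0
  gateway 10.1.1.1
 vlan 20 server
  ip address 10.1.1.2 255.255.255.0
 !
 ! --- Routed mode alternative (shown commented out): each VLAN is its own
 ! subnet and the CSM routes between them. The DB reals would then live in
 ! 10.1.2.0/24 and use the CSM server-side address 10.1.2.1 as their gateway.
 ! vlan 10 client
 !  ip address 10.1.1.2 255.255.255.0
 !  gateway 10.1.1.1
 ! vlan 20 server
 !  ip address 10.1.2.1 255.255.255.0
 !
 ! The two database servers from the question (assumed addresses).
 serverfarm DBFARM
  nat server
  no nat client
  real 10.1.1.10
   inservice
  real 10.1.1.11
   inservice
 !
 ! The VIP is the only inside address the DMZ web server needs to reach, so
 ! the firewall rule from the DMZ can be limited to 10.1.1.100 on port 1433
 ! rather than permitting access to the individual database reals.
 vserver DBVIP
  virtual 10.1.1.100 tcp 1433
  serverfarm DBFARM
  inservice
```

Whichever mode is chosen, the VIP rather than the real servers is what the DMZ-to-inside firewall rule should permit, which keeps the database hosts themselves unreachable from the DMZ.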

That's good info. Could you give me some links regarding Q3, just to prove to the customer that my solution has Cisco documented proof?

Thanks a lot in advance.

You can look at this document about the firewall design guide:

http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_implementation_design_guide09186a00800fd670.html

See example #2, where the web servers are on the DMZ but the AAA server and syslog server are on the inside.

As you can see this is common practice.

You should be able to find many examples like this.

If necessary, post a question in the security forum, since this is more a question related to security design.

Gilles.
