
New Member

bridged or routed load balancing


We have a web server installed on the DMZ of the firewall. Two database servers for the web server are installed inside the local LAN. These database servers are to be load balanced using the CSM installed on the 6500 core switch. Remote clients are to access the web server.

Q1. Am I on the right track if I mapped an IP address from the DMZ to the VIP address which is on the local LAN? The mapped IP address on the DMZ is the one to be queried by the web server, which in turn points to the configured VIP on the local LAN.

Q2. Can we consider this scenario still a bridged type of LB?

Q3. What if my local LAN has to access the web server too? Is it a conventional solution for the LAN to access the web server on the DMZ, the DMZ gets the database from the inside LAN, and then the web server in turn provides the data back to the LAN again? Any better recommendation for this scenario?

Cisco Employee

Re: bridged or routed load balancing

Q1. You don't need a mapping between DMZ/local. But you can do it. If you don't, you just need to make sure your web server can access local LAN IP addresses.

Q2. Bridged LB depends on how you configure the CSM. You can have bridged and routed LB with the scenario you described.

Bridged LB means the CSM uses one single IP address for both the incoming and outgoing VLAN. We're not talking about the VIP here but the CSM VLANs.

Q3. The solution you describe is the most commonly used.
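To make the bridged-versus-routed distinction in the reply above concrete, here is an added CSM configuration sketch (example text written for this thread, not a config posted by the original poster or taken from Cisco documentation). Slot number, VLAN ids, addresses and the database port (assumed 1433) are placeholders.

```text
! Bridged mode: client VLAN and server VLAN carry the SAME CSM address
! and subnet. The CSM bridges VLAN 10 <-> VLAN 20, the DB servers keep
! their existing default gateway, and only VIP traffic is load balanced.
module ContentSwitchingModule 5
 vlan 10 client
  ip address 192.168.50.2 255.255.255.0
  gateway 192.168.50.1
 !
 vlan 20 server
  ip address 192.168.50.2 255.255.255.0
 !
 serverfarm DB-FARM
  nat server
  no nat client
  real 192.168.50.11
   inservice
  real 192.168.50.12
   inservice
 !
 vserver DB-VIP
  virtual 192.168.50.100 tcp 1433
  serverfarm DB-FARM
  inservice

! Routed mode: the two CSM VLANs sit in DIFFERENT subnets and the CSM
! routes between them, so the DB servers must use the CSM server-VLAN
! address (192.168.60.1) as their default gateway for return traffic.
module ContentSwitchingModule 5
 vlan 10 client
  ip address 192.168.50.2 255.255.255.0
  gateway 192.168.50.1
 !
 vlan 20 server
  ip address 192.168.60.1 255.255.255.0
 !
 serverfarm DB-FARM
  real 192.168.60.11
   inservice
  real 192.168.60.12
   inservice
```

In either mode the firewall rule from the DMZ should permit the web server only to the VIP on the database port, not to the real servers or the rest of the inside LAN, so the load balancer does not become a path around the DMZ boundary.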


New Member

Re: bridged or routed load balancing

That's good info. Could you give me some links regarding Q3, just to prove to the customer that my solution has Cisco documented proof?

thanks a lot in advance.

Cisco Employee

Re: bridged or routed load balancing

You can look at this document about the firewall design guide:

See example #2, where the web servers are on the DMZ but the AAA server and syslog server are on the inside.

As you can see this is common practice.

You should be able to find many examples like this.

If necessary, post a question in the security forum, since this is more a question related to security design.