Can anyone explain this (vserver BLOCKER)

ssh
Level 1

How does this config work? It looks like I am blocking everything entering VLAN 3 and VLAN 5. How do my individual VIPs work then?

vlan 2 client
  ip address 192.168.19.10 255.255.255.0
vlan 3 server
  ip address 192.168.19.10 255.255.255.0
vlan 4 client
  ip address 192.168.20.10 255.255.255.0
vlan 5 server
  ip address 192.168.20.10 255.255.255.0

serverfarm NULL
  nat server
  no nat client

vserver BLOCKER1
  virtual 192.168.19.0 255.255.255.0 any
  serverfarm NULL
  vlan 3
  inservice

vserver BLOCKER2
  virtual 192.168.20.0 255.255.255.0 any
  serverfarm NULL
  vlan 5
  inservice

3 Replies

Gilles Dufour
Cisco Employee

The CSM uses a best-match criterion [like IP route selection].

So, if your other vservers are /32, like a router, the CSM will match the /32.

The blocker vservers are /24 and will be matched only if there is no other, better match.

Gilles.
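To make the best-match rule in this answer concrete, here is a small model of CSM vserver selection as longest-prefix match, written for this thread rather than taken from the post or from Cisco. It uses the two BLOCKER vservers from the question plus two constructed /32 VIPs (VIP_WEB and VIP_APP) standing in for "your other vservers"; the serverfarm names WEB and APP are likewise made up.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class Vserver:
    name: str
    network: ipaddress.IPv4Network   # from the "virtual <addr> <mask>" line
    serverfarm: str
    vlan: Optional[int] = None       # "vlan N" restriction; None = any VLAN

def virtual(addr: str, mask: str) -> ipaddress.IPv4Network:
    """Build the matching network from a CSM 'virtual addr mask' line."""
    return ipaddress.IPv4Network(f"{addr}/{mask}")

# Constructed table: the page's two /24 blockers plus two hypothetical /32 VIPs.
VSERVERS: List[Vserver] = [
    Vserver("VIP_WEB", virtual("192.168.19.50", "255.255.255.255"), "WEB"),
    Vserver("VIP_APP", virtual("192.168.20.60", "255.255.255.255"), "APP"),
    Vserver("BLOCKER1", virtual("192.168.19.0", "255.255.255.0"), "NULL", vlan=3),
    Vserver("BLOCKER2", virtual("192.168.20.0", "255.255.255.0"), "NULL", vlan=5),
]

def select_vserver(vservers, dst_ip: str, in_vlan: int) -> Optional[Vserver]:
    """Return the most specific vserver whose virtual network contains dst_ip
    and whose VLAN restriction admits the VLAN the packet arrived on.
    As with IP route lookup, a /32 VIP always beats a /24 blocker."""
    dst = ipaddress.IPv4Address(dst_ip)
    candidates = [v for v in vservers
                  if dst in v.network and v.vlan in (None, in_vlan)]
    if not candidates:
        return None      # no vserver claims the packet
    return max(candidates, key=lambda v: v.network.prefixlen)

def disposition(vservers, dst_ip: str, in_vlan: int) -> str:
    """Readable outcome: which vserver won and whether the traffic is dropped."""
    v = select_vserver(vservers, dst_ip, in_vlan)
    if v is None:
        return "no vserver match"
    if v.serverfarm == "NULL":
        return f"{v.name}: dropped (serverfarm NULL has no reals)"
    return f"{v.name}: load balanced to serverfarm {v.serverfarm}"

if __name__ == "__main__":
    for ip, vlan in [("192.168.19.50", 3), ("192.168.19.77", 3),
                     ("192.168.19.77", 2), ("192.168.20.60", 5)]:
        print(f"{ip} from vlan {vlan} -> {disposition(VSERVERS, ip, vlan)}")
```

Note that traffic to a non-VIP address entering on VLAN 2 is not caught by BLOCKER1 at all, because that vserver is restricted to VLAN 3; the blockers only see what arrives on the server-side VLANs.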

Thanks Gilles,

But let me ask you this: if the CSM is running in bridge mode and the FWSM is the default gateway for the servers, should I use this blocker rule on the CSM and allow any desired communication on the FWSM, with the assumption that the CSM will not deny it first? I think the BLOCKER vserver should kick in only when servers for some reason start using the CSM MAC address for traffic forwarding to different VLANs. Is my assumption correct, or am I missing something?

thanks in advance,

SSH

The CSM inspects all traffic coming in [whatever the destination MAC address], and if it does match a vserver, it will apply the action specified.

Instead of a blocker, you could configure the FW IP address as a real with 'no nat server', so the CSM will forward the traffic to the FW.

Or simply get rid of the blocker vserver.

Gilles.