04-08-2006 03:07 AM
How does this config work? It looks like I am blocking everything entering vlan 3 and vlan 5. How do my individual VIPs work then?
vlan 2 client
 ip address 192.168.19.10 255.255.255.0
vlan 3 server
 ip address 192.168.19.10 255.255.255.0
vlan 4 client
 ip address 192.168.20.10 255.255.255.0
vlan 5 server
 ip address 192.168.20.10 255.255.255.0
serverfarm NULL
 nat server
 no nat client
vserver BLOCKER1
 virtual 192.168.19.0 255.255.255.0 any
 serverfarm NULL
 vlan 3
 inservice
vserver BLOCKER2
 virtual 192.168.20.0 255.255.255.0 any
 serverfarm NULL
 vlan 5
 inservice
04-09-2006 10:33 PM
The CSM uses best-match criteria [like IP route selection].
So, if your other vservers are /32, like a router the CSM will match the /32.
The blocker vservers are /24 and will be matched only if there is no other better match.
Gilles.
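A simplified model of the best-match selection described in the reply above, as an added example that is not part of the original thread and not Cisco's implementation. The `WEB-VIP` vserver, its address 192.168.19.100 and the `WEBFARM` serverfarm are constructed for illustration; treating the `vlan` line as a restriction on the incoming VLAN is an assumption of this model, and protocol/port matching is left out.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class VServer:
    name: str
    virtual: ipaddress.IPv4Network
    vlan: Optional[int]  # incoming VLAN restriction (model assumption); None = any
    serverfarm: str


def vs(name, net, vlan, farm):
    return VServer(name, ipaddress.ip_network(net), vlan, farm)


VSERVERS = [
    vs("BLOCKER1", "192.168.19.0/24", 3, "NULL"),          # from the posted config
    vs("BLOCKER2", "192.168.20.0/24", 5, "NULL"),          # from the posted config
    vs("WEB-VIP", "192.168.19.100/32", None, "WEBFARM"),   # constructed /32 VIP
]


def select_vserver(dst_ip, in_vlan, vservers=VSERVERS):
    """Return the most specific vserver covering dst_ip, or None."""
    dst = ipaddress.ip_address(dst_ip)
    candidates = [
        v for v in vservers
        if dst in v.virtual and v.vlan in (None, in_vlan)
    ]
    if not candidates:
        return None
    # Longest prefix wins, as in IP route selection: /32 beats /24.
    return max(candidates, key=lambda v: v.virtual.prefixlen)


def action(dst_ip, in_vlan):
    v = select_vserver(dst_ip, in_vlan)
    if v is None:
        return "no vserver match"
    if v.serverfarm == "NULL":
        return f"{v.name}: blocked (serverfarm NULL has no reals)"
    return f"{v.name}: load-balanced to {v.serverfarm}"


if __name__ == "__main__":
    for ip, vlan in [("192.168.19.100", 3), ("192.168.19.50", 3), ("192.168.20.7", 5)]:
        print(ip, "vlan", vlan, "->", action(ip, vlan))
```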
04-10-2006 05:14 PM
Thanks Gilles,
But let me ask you this: If the CSM is running in Bridge mode and the FWSM is the default gateway for the servers, should I use this blocker rule on the CSM and allow any desired communication on the FWSM, with the assumption that the CSM will not deny it first? I think the BLOCKER vserver should kick in only when servers for some reason start using the CSM MAC address for traffic forwarding to different vlans. Is my assumption correct, or am I missing something?
thanks in advance,
SSH
04-10-2006 11:52 PM
The CSM inspects all traffic coming in [whatever the destination mac address] and if it does match a vserver, it will apply the action specified.
Instead of a blocker, you could configure the FW ip address as a real with 'no nat server' so the CSM will forward the traffic to the FW.
Or simply get rid of the blocker vserver.
Gilles.