Cisco Support Community

ssh
New Member

Can anyone explain this (vserver BLOCKER)

How does this config work? It looks like I am blocking everything entering vlan 3 and vlan 5. How do my individual VIPs work then?

vlan 2 client
  ip address 192.168.19.10 255.255.255.0
vlan 3 server
  ip address 192.168.19.10 255.255.255.0
vlan 4 client
  ip address 192.168.20.10 255.255.255.0
vlan 5 server
  ip address 192.168.20.10 255.255.255.0

serverfarm NULL
  nat server
  no nat client

vserver BLOCKER1
  virtual 192.168.19.0 255.255.255.0 any
  serverfarm NULL
  vlan 3
  inservice

vserver BLOCKER2
  virtual 192.168.20.0 255.255.255.0 any
  serverfarm NULL
  vlan 5
  inservice

3 REPLIES
Cisco Employee

Re: Can anyone explain this (vserver BLOCKER)

The CSM uses a best-match criterion [like IP route selection].

So, if your other vservers are /32, like a router, the CSM will match the /32.

The blocker vservers are /24 and will be matched only if there is no other better match.

Gilles.
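A small model of the best-match rule described in this reply, added here as an example and not part of the original thread: the two BLOCKER vservers are taken from the posted config, while WEB1 (an assumed /32 VIP at 192.168.19.50) and the Python functions are constructed for illustration.

```python
import ipaddress

# Constructed vserver table. BLOCKER1/BLOCKER2 mirror the posted config;
# WEB1 is an assumed /32 VIP added to show why it wins over the /24 blocker.
VSERVERS = [
    {"name": "BLOCKER1", "virtual": "192.168.19.0/24", "vlan": 3, "serverfarm": "NULL"},
    {"name": "BLOCKER2", "virtual": "192.168.20.0/24", "vlan": 5, "serverfarm": "NULL"},
    {"name": "WEB1", "virtual": "192.168.19.50/32", "vlan": 3, "serverfarm": "WEB"},
]


def best_match(dst_ip, ingress_vlan, vservers=VSERVERS):
    """Return the vserver whose virtual prefix is the longest one covering
    dst_ip for traffic arriving on ingress_vlan, or None if nothing matches.
    A vserver with vlan=None is treated as applying to every VLAN."""
    ip = ipaddress.ip_address(dst_ip)
    candidates = []
    for v in vservers:
        net = ipaddress.ip_network(v["virtual"])
        vlan_ok = v["vlan"] is None or v["vlan"] == ingress_vlan
        if vlan_ok and ip in net:
            candidates.append((net.prefixlen, v))
    if not candidates:
        return None
    # Longest prefix wins, exactly like route selection.
    return max(candidates, key=lambda c: c[0])[1]


def classify(dst_ip, ingress_vlan, vservers=VSERVERS):
    """Describe what happens to a flow: a NULL serverfarm has no reals, so a
    flow that lands on a BLOCKER vserver is dropped; a normal serverfarm is
    load balanced; with no match the CSM leaves the packet to its normal path."""
    v = best_match(dst_ip, ingress_vlan, vservers)
    if v is None:
        return "no vserver matched"
    if v["serverfarm"] == "NULL":
        return f"{v['name']}: dropped (serverfarm NULL)"
    return f"{v['name']}: load balanced to serverfarm {v['serverfarm']}"


if __name__ == "__main__":
    for ip, vlan in [("192.168.19.50", 3), ("192.168.19.77", 3), ("192.168.20.9", 5)]:
        print(ip, "vlan", vlan, "->", classify(ip, vlan))
```

Swapping WEB1's vlan or prefix in the table is a quick way to see which blocker a given destination falls into.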

ssh
New Member

Re: Can anyone explain this (vserver BLOCKER)

Thanks Gilles,

But let me ask you this: if CSM is running in bridge mode and FWSM is the default gateway for servers, should I use this blocker rule on CSM and allow any desired communication on the FWSM, with the assumption that CSM will not deny it first? I think the BLOCKER vserver should kick in only when servers for some reason start using the CSM MAC address for traffic forwarding to different vlans. Is my assumption correct, or am I missing something?

thanks in advance,

SSH

Cisco Employee

Re: Can anyone explain this (vserver BLOCKER)

The CSM inspects all traffic coming in [whatever the destination mac address] and if it does match a vserver, it will apply the action specified.

Instead of a blocker, you could configure the FW ip address as a real with 'no nat server' so the CSM will forward the traffic to the FW.

Or simply get rid of the blocker vserver.

Gilles.
