We have CSS-11501s in our DMZs (separate ASA interface) doing load balancing for our public Web servers. There is a new server load balancing requirement on the internal network. Technically, I see no problems with using separate ports and VLANs on the existing appliances, but I am wondering if this would pass a network security audit?
Any documents or references to support this kind of configuration would be appreciated.
Personnaly i wouldn't take the risk, because the css does operate like a router. So if somebody can force the routing so that the css is the next hop then everybody can connect to the internal vlan because the css routes unknown traffic. You could stop this kind of abuse by using acls on the css, but again that's not really approved by cisco.
I understand what you are saying, but the only people with access to change the default gateway on a server would be an admin, and the worst that would happen would be to break connectivity. The server would then bypass the firewall for an internal connection, but the internal host response would route normally resulting in the firewall sending a reset due to the connection not being in the state table.
Introduction This article will help you understand the steps on how to
download the UCS licenses from the Cisco Systems website and then
installing it on the UCS. The redacted (blue lines) just covers up
certain numbers for privacy please do not take them...
Introduction This article will help you understand and educate the
customer on how to clear their "expired licenses"
(license-graceperiod-expired) from their UCS-M. If a customer just
purchased a license and needs a step by step guide on how to download
Introduction Prepositioning is a powerful tools on the WAAS platform but
it is not always easy to figure out why your jobs are failing when
trying to retrieve the files.Here is a method that should help you to
figure out the reason why they are not succes...