I'm searching for the best deployment scenario in the following situation:
I have 2 x Firewall ASA, both with 5 DMZs. In 3 of them I have HTTPS servers.
What I want to do:
- do SSL offloading by using 2 x CSS11501 with integrated SSL module
- I cannot move servers to one DMZ network segment
- I cannot change addressing scheme for network segments with HTTPS servers
I thought about an inline deployment in bridge mode, but I'm not sure if it'll work as I want/need. So my questions are:
1. Are there any restrictions on using bridge mode with SSL offloading?
2. I don't want a situation where servers from different server-side VLANs can communicate with each other through the CSS. They should communicate through the firewall. Is it possible with the CSS, and what should I use to guarantee it? Or is it done by default, like on an L2 VLAN-enabled switch?
3. Could I use ASR for an Active-Backup scenario? (I think not, due to the lack of configured Interface Redundancy - am I right?)
4. In bridge mode, as I understand it, is it necessary to use one pair of VLANs (client-side / server-side) for each server farm (or DMZ, as in my example)?
5. What about STP considerations in bridge mode, any problems?
Topology for one branch (I think it should look like this):
Unfortunately, bridge mode won't help in your scenario. The CSS will route between the VLANs - ALWAYS. So server-to-server communication can't be avoided.
ASR does not work for SSL-terminated connections [bridge mode or not].
You could put the CSS in front of the firewalls. The risk is that it is going to be under possible attacks. But it makes the design easier - with all your restrictions.
You could also put the CSS in a DMZ and use client NAT to guarantee the response going back to the CSS. But you then lose stats about the real client IP address.
Because of all the restrictions you will end up with a design that is not very satisfying. It is better to make a few modifications to the current design to guarantee that the future will be better, like moving all the servers into a single DMZ and readdressing them.
You can use private IP addresses for the servers, as they will be fronted by the CSS, which can perform NAT if needed.
I thought about using the CSS in front of the FW in one-arm mode; however, I cannot perform any client NAT because the decrypted HTTP traffic needs to be inspected by an external IPS system.
When writing about ASR, I was thinking about HTTP traffic.
So the best option for me is also to put the CSS in router mode in one separate DMZ, but I'm not sure that it could be possible in an environment which doesn't suit a pure load-balancing scheme (the CSS will perform only SSL offloading, with a 1:1 VIP-to-service balancing ratio).
I have one more question. Even if it'll be possible to move all servers to a single DMZ, could I use bridge mode instead of router mode, given the fact that both CSSs will work in VIP redundancy with ASR for HTTP traffic and do SSL termination?