CSS, PIX, LAYER2 SWITCH

nayanpanchal
Level 1

Hi,

We have a PIX in FO mode. We also have four CSS11503s (two pairs) to implement in ASR mode with active-backup VIP/interface redundancy. Two LBs will be used for SAP, and two LBs will be used for SIEBEL.

We want to implement two web servers in DMZ as follows:

Client - Pix - Load Balancer  2970 L2 switch  Servers

Apart from the web servers for SAP (VLAN 100), there will be some other servers too which are going to be connected to the same 2970. In the same way, another LB will be used for the SIEBEL servers, but they are altogether physically different CSSes connected to the same PIX and the same 2970 switches.

Please correct me if I am wrong:

1. Traffic coming for other servers will simply be forwarded by the load balancer, even if it does not match the VIP defined in the content rule.

2. The default gateway for the SAP servers will be the redundant interface IP (server side); the VIP defined in the content rule will also be from the same subnet.

3. I will assign the VIP (which is from the SAP subnet) under a separate VLAN, which should be defined for connectivity between the PIX and the load balancer.

4. Inline mode should be preferable to one-armed mode. If my first point is wrong, do I have to implement this using one-armed mode only?

2 Replies

a-vazquez
Level 6

Yes, you are correct. Traffic coming for other servers will simply be forwarded by the load balancer, even if it does not match the VIP defined in the content rule.

nayanpanchal
Level 1

Thanks for the reply.

I went ahead with the one-armed config, everything in a single VLAN. I tested it using two laptops as my web servers and it was working fine.

For beginners who are new to this CSS stuff, I am posting a sample config, which is as follows:

Both load balancers are in ASR mode with two ISC connections. The uplink is the firewall, the downlink is the Layer 2 switch.

I am using a one-armed architecture as I was not sure about the above reply; otherwise I would have given the in-line config a try.

LoadBalancer 1:

show run

configure

!*************************** GLOBAL ***************************
! Default route toward the uplink firewall (next hop 10.1.xx.2, the PIX), cost 1
ip route 0.0.0.0 0.0.0.0 10.1.xx.2 1

!************************* INTERFACE *************************
! Two ISC (Inter-Switch Communication) links to the peer CSS; ASR replicates flow state over them
interface 1/1
  isc-port-one
interface 1/2
  isc-port-two

!************************** CIRCUIT **************************
! One-armed design: firewall, VIP, redundant gateway and servers all share the 10.1.xx.0/24 VLAN
circuit VLAN1
  ip address 10.1.xx.5 255.255.255.0
  ! Virtual router 1: priority 101 beats the peer's default of 100; preempt retakes master after recovery
  ip virtual-router 1 priority 101 preempt
  ! Shared gateway address owned by whichever peer is master; the servers use it as their default gateway
  ip redundant-interface 1 10.1.xx.4
  ! VIP bound to virtual router 1, so it fails over together with the gateway address
  ip redundant-vip 1 10.1.xx.44

!************************** SERVICE **************************
! Real servers, HTTP keepalive on tcp/8000; redundant-index must be identical on both peers for ASR
service WEB_SIEBEL_1
  ip address 10.1.xx.31
  protocol tcp
  port 8000
  keepalive type http
  redundant-index 1
  active

service WEB_SIEBEL_2
  ip address 10.1.xx.32
  protocol tcp
  port 8000
  keepalive type http
  redundant-index 2
  active

!*************************** OWNER ***************************
owner TATASKY
  ! Content rule: tcp/8000 to the redundant VIP is balanced across the two services
  content SIEBEL_WEB
    vip address 10.1.xx.44
    protocol tcp
    port 8000
    add service WEB_SIEBEL_1
    add service WEB_SIEBEL_2
    redundant-index 11
    active

!*************************** GROUP ***************************
! Source group: client source addresses are NATed to the VIP on flows to these servers, so the
! replies come back to the CSS even though clients and servers sit on the same VLAN
group SIEBEL_WEB
  add destination service WEB_SIEBEL_1
  add destination service WEB_SIEBEL_2
  vip address 10.1.xx.44
  redundant-index 21
  active

LoadBalancer 2:

configure

!*************************** GLOBAL ***************************
! Same default route as LoadBalancer 1, toward the PIX uplink
ip route 0.0.0.0 0.0.0.0 10.1.xx.2 1

!************************* INTERFACE *************************
! Two ISC links to the peer CSS
interface 1/1
  isc-port-one
interface 1/2
  isc-port-two

!************************** CIRCUIT **************************
circuit VLAN1
  ! Only the CSS's own address differs from the peer; every shared address below must match exactly
  ip address 10.1.xx.6 255.255.255.0
  ! No priority or preempt: default priority 100, so this CSS stays backup while the peer (101) is up
  ip virtual-router 1
  ip redundant-interface 1 10.1.xx.4
  ip redundant-vip 1 10.1.xx.44

!************************** SERVICE **************************
! Identical to the peer, including the redundant-index values, or ASR cannot match flow state
service WEB_SIEBEL_1
  ip address 10.1.xx.31
  protocol tcp
  port 8000
  keepalive type http
  redundant-index 1
  active

service WEB_SIEBEL_2
  ip address 10.1.xx.32
  protocol tcp
  port 8000
  keepalive type http
  redundant-index 2
  active

!*************************** OWNER ***************************
owner TATASKY
  content SIEBEL_WEB
    vip address 10.1.xx.44
    protocol tcp
    port 8000
    add service WEB_SIEBEL_1
    add service WEB_SIEBEL_2
    redundant-index 11
    active

!*************************** GROUP ***************************
! Order of the lines inside a block does not matter; the group matches the peer's
group SIEBEL_WEB
  add destination service WEB_SIEBEL_1
  add destination service WEB_SIEBEL_2
  redundant-index 21
  vip address 10.1.xx.44
  active

I would like to thank all the Netpro members, Gilles and everyone whose replies were very helpful to me.

nayan Panchal
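Added example, not part of the thread: a Python check that parses two CSS "show run" outputs in the form posted above and flags the peer mismatches that silently break ASR or VIP/interface redundancy (a redundant-index that differs between peers, a shared gateway or VIP that differs, a priority tie, a content VIP that is not an ip redundant-vip, and, for a one-armed design, a server that no source group covers). It assumes the block structure shown in the post, one virtual router per circuit and the CSS default priority of 100; the function names (parse_css, check_pair) and the sample configs, which use 10.1.10.x in place of the masked 10.1.xx addresses, are the example's own.

```python
"""Peer-consistency checks for two CSS 11500 'show run' configs running ASR with VIP/interface
redundancy. Added example, not from the thread; sample configs are constructed from the posted ones."""

BLOCK_KEYWORDS = {"service", "owner", "content", "group", "circuit", "interface"}

def parse_css(text):
    """Map (kind, name) -> list of token lists; global commands live under ('global', '')."""
    blocks, current = {("global", ""): []}, ("global", "")
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):  # blank lines and !*** banners carry no config
            continue
        tokens = line.split()
        if tokens[0] in BLOCK_KEYWORDS and len(tokens) == 2:
            current = (tokens[0], tokens[1])
            blocks.setdefault(current, [])
        else:
            blocks[current].append(tokens)
    return blocks

def attrs(lines, *prefix):
    """Token tails of every line in a block that starts with the given leading tokens."""
    return [t[len(prefix):] for t in lines if tuple(t[:len(prefix)]) == prefix]

def redundant_indexes(blocks):
    """(kind, name) -> redundant-index for each object that carries one (the ASR state key)."""
    return {k: int(attrs(l, "redundant-index")[0][0]) for k, l in blocks.items() if attrs(l, "redundant-index")}

def vr_priority(lines):
    """Virtual-router priority of a circuit; CSS default is 100 when omitted (assumes one VRID per circuit)."""
    found = attrs(lines, "ip", "virtual-router")
    if not found:
        return None
    return int(found[0][found[0].index("priority") + 1]) if "priority" in found[0] else 100

def check_pair(text_a, text_b, one_armed=True):
    """Return a list of problems; an empty list means the two peers are consistent."""
    a, b = parse_css(text_a), parse_css(text_b)
    problems = []
    # ASR only replicates a flow whose service/content/group has the same redundant-index on both peers.
    ia, ib = redundant_indexes(a), redundant_indexes(b)
    for key in sorted(set(ia) | set(ib)):
        if ia.get(key) != ib.get(key):
            problems.append(f"redundant-index mismatch on {key[0]} {key[1]}: {ia.get(key)} vs {ib.get(key)}")
    # VRRP: shared gateway and VIP must be identical on both peers, and one peer must win the election.
    redundant_vips = set()
    for key in sorted(k for k in set(a) | set(b) if k[0] == "circuit"):
        la, lb = a.get(key, []), b.get(key, [])
        for cmd in ("redundant-interface", "redundant-vip"):
            sa, sb = ({tuple(t) for t in attrs(l, "ip", cmd)} for l in (la, lb))
            if sa != sb:
                problems.append(f"ip {cmd} differs on circuit {key[1]}: {sorted(sa)} vs {sorted(sb)}")
        redundant_vips |= {t[1] for t in attrs(la, "ip", "redundant-vip")}
        if vr_priority(la) == vr_priority(lb):
            problems.append(f"circuit {key[1]}: virtual-router priorities tie; give one peer a higher priority")
    # Content rules: the VIP must be a redundant VIP or it stays behind on failover. One-armed: a server
    # should be a destination service of a source group (client source NATed to the VIP); otherwise its
    # replies only come back through the CSS if its default gateway is the redundant interface.
    covered = {t[0] for k, l in a.items() if k[0] == "group" for t in attrs(l, "add", "destination", "service")}
    for key, lines in a.items():
        if key[0] != "content":
            continue
        for vip in attrs(lines, "vip", "address"):
            if vip[0] not in redundant_vips:
                problems.append(f"content {key[1]}: VIP {vip[0]} is not an ip redundant-vip")
        for (svc,) in attrs(lines, "add", "service"):
            if one_armed and svc not in covered:
                problems.append(f"one-armed: {svc} is not a destination service of any group")
    return problems

# Constructed sample: the posted LB1 config with one service and 10.1.10.x in place of 10.1.xx.
PEER_A = """\
circuit VLAN1
ip address 10.1.10.5 255.255.255.0
ip virtual-router 1 priority 101 preempt
ip redundant-interface 1 10.1.10.4
ip redundant-vip 1 10.1.10.44
service WEB_SIEBEL_1
ip address 10.1.10.31
protocol tcp
port 8000
keepalive type http
redundant-index 1
active
owner TATASKY
content SIEBEL_WEB
vip address 10.1.10.44
add service WEB_SIEBEL_1
redundant-index 11
active
group SIEBEL_WEB
add destination service WEB_SIEBEL_1
vip address 10.1.10.44
redundant-index 21
active
"""
# Peer B mirrors A apart from its own address and the default virtual-router priority (100).
PEER_B = PEER_A.replace("10.1.10.5 ", "10.1.10.6 ").replace(" priority 101 preempt", "")
```

Run check_pair on the two "show run" outputs before cutting over; every line it returns is a setting that has to be changed on one peer. The one-armed check is the opinionated part: with every server using the redundant interface as its default gateway the source group is not strictly required, and for an inline design pass one_armed=False.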
