03-27-2006 06:59 AM
I am trying to deploy a CSM load balance solution in my DMZs. I have several DMZs that I need to load balance on but the real servers in each can not talk directly to one another, I am not using the MSFC as the router (I only built VLANs on the 6509...no VLAN interfaces), I am using my Checkpoint/Nokia FW as the router.
See my config below, I have the load balancing working fine, but if I get on a device in VLAN 172, I can communicate with a server in VLAN173 without going through the firewall. Is there anything I can do to remedy this? Thanks for any help!...Jeff
module ContentSwitchingModule 4
 ! client VLAN: where the firewall hands traffic to the CSM and where the VIPs live
 vlan 170 client
  ip address 192.168.170.6 255.255.255.0
  gateway 192.168.170.1
  alias 192.168.170.4 255.255.255.0
 !
 ! server VLANs: the CSM alias (.1) is the default gateway for the real servers
 vlan 172 server
  ip address 192.168.172.3 255.255.255.0
  alias 192.168.172.1 255.255.255.0
 !
 vlan 173 server
  ip address 192.168.173.3 255.255.255.0
  alias 192.168.173.1 255.255.255.0
 !
 ! forwarding serverfarm: non-VIP traffic is routed by the CSM itself
 serverfarm ROUTE
  no nat server
  no nat client
  predictor forward
 !
 serverfarm WEB172
  nat server
  no nat client
  real 192.168.172.171
   inservice
  real 192.168.172.172
   inservice
 !
 serverfarm WEB173
  nat server
  no nat client
  real 192.168.173.71
   inservice
  real 192.168.173.72
   inservice
 !
 ! catch-all vserver: anything not matching a VIP is forwarded (routed) by the CSM
 vserver DIRECT-ACCESS
  virtual 0.0.0.0 0.0.0.0 any
  serverfarm ROUTE
  persistent rebalance
  inservice
 !
 vserver WEB172
  virtual 167.19.250.172 tcp www
  vlan 170
  serverfarm WEB172
  persistent rebalance
  inservice
 !
 vserver WEB173
  virtual 167.19.250.173 tcp www
  vlan 170
  serverfarm WEB173
  persistent rebalance
  inservice
03-27-2006 06:17 PM
Jeff,
The feature you are looking for is virtualisation of the CSM, which is not available with the existing hardware. There is a new product coming in the next few months, called ACE, which does permit virtual contexts in the CSM, plus it has SSL hardware and firewall. The existing CSM hardware is just not up to the job, so it's not likely to become available in later code.
If you had a FWSM in the same switch, you could configure this to sit between the CSM and the real servers within each server vlan, using a pair of vlans for each (one CSM - FW, one FW - reals). You could achieve this with other firewalls but this would need many interfaces, which most firewalls don't have.
Peter
03-28-2006 01:39 PM
Thanks for the info Peter....I was hoping for a different answer though ;).
03-29-2006 06:13 AM
There is a way to achieve what you want.
You will have to slightly modify your config/design.
The idea is to duplicate each vlan and have the CSM bridge between the 2.
On one vlan you will have the servers and on the other vlan the firewall.
The 2 vlans will share the same subnet and the CSM will bridge between the 2.
So you get something like this:
servers---VlanX----CSM-----VlanY-----FW
The servers will now use the FW as default gateway and not the CSM.
So the FW will be doing the routing between the vlans.
A lot of customers are using this solution.
Gilles.
03-30-2006 03:37 AM
Hi - I am thinking of deploying the described design and have a question:
Is it possible to have the vlans that are bridged through the CSM behind different fwsm contexts?
Like:
server---vlanv---csm---vlanx---fwsm,context1
server---vlany---csm---vlanz---fwsm,context2
Will there still be total separation?
Also: Would there be any problems placing servers that do not require content switching services in the intermediate vlans (vlanx/vlanz)?
03-30-2006 04:35 AM
The CSM having no knowledge of context, you can't reuse the same subnet for vlan v-x and vlan y-z.
If the subnet range is different for each pair, you can do it.
You can also use the 'vlan' cmd under each vserver to guarantee that traffic coming on vlan Z into the CSM can't hit a vserver belonging to context 1.
This is not perfect separation between contexts as you would get with virtualisation, but this is a good workaround if you do not want to swap your CSM for the new ACE module.
Gilles.
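To make the bridged design concrete, here is an added example CSM configuration that is not from this thread or from Cisco's documentation. It follows Gilles' two posts above: each DMZ gets a bridged VLAN pair on its own subnet, the CSM holds the same address on both VLANs of a pair (which is what puts the CSM into bridge mode for that pair), the servers use the firewall as default gateway, and the 'vlan' command under each vserver pins a VIP to the firewall-side VLAN of its own DMZ. The firewall-side VLAN numbers (272, 273) and the firewall addresses (.1 in each subnet) are assumptions; the VIPs and real servers are the ones from Jeff's config.

```cisco
! Added example (not from the thread): CSM bridge mode, one bridged VLAN pair per DMZ.
! Each pair uses a different subnet, as Gilles notes; the CSM cannot reuse one subnet
! for two pairs because it has no notion of context.
module ContentSwitchingModule 4
 ! DMZ 172: servers on VLAN 172, firewall interface on VLAN 272 (VLAN number assumed)
 ! Same CSM address on both VLANs of the pair = bridge mode for that pair.
 vlan 272 client
  ip address 192.168.172.3 255.255.255.0
  gateway 192.168.172.1
 !
 vlan 172 server
  ip address 192.168.172.3 255.255.255.0
 !
 ! DMZ 173: servers on VLAN 173, firewall interface on VLAN 273 (VLAN number assumed)
 vlan 273 client
  ip address 192.168.173.3 255.255.255.0
  gateway 192.168.173.1
 !
 vlan 173 server
  ip address 192.168.173.3 255.255.255.0
 !
 ! No alias on the server VLANs any more: 192.168.172.1 and 192.168.173.1 are now
 ! firewall interfaces and the servers' default gateways, so every packet between
 ! the two DMZs is bridged up to the firewall and routed (and filtered) there.
 !
 ! Catch-all forwarding vserver so non-VIP frames (server-to-gateway, management)
 ! still cross the CSM within their own bridged pair.
 serverfarm FORWARD
  no nat server
  no nat client
  predictor forward
 !
 vserver BRIDGE-ALL
  virtual 0.0.0.0 0.0.0.0 any
  serverfarm FORWARD
  inservice
 !
 serverfarm WEB172
  nat server
  no nat client
  real 192.168.172.171
   inservice
  real 192.168.172.172
   inservice
 !
 serverfarm WEB173
  nat server
  no nat client
  real 192.168.173.71
   inservice
  real 192.168.173.72
   inservice
 !
 ! 'vlan' restricts each VIP to requests arriving from its own firewall-side VLAN,
 ! so a request that enters on VLAN 273 cannot hit the VIP belonging to DMZ 172.
 vserver WEB172
  virtual 167.19.250.172 tcp www
  vlan 272
  serverfarm WEB172
  persistent rebalance
  inservice
 !
 vserver WEB173
  virtual 167.19.250.173 tcp www
  vlan 273
  serverfarm WEB173
  persistent rebalance
  inservice
```

Two points worth checking when deploying something like this. First, the VIPs are outside the bridged subnets, so the firewall needs a route for each VIP pointing at the CSM's address on that pair's firewall-side VLAN (assumed here; firewall config not shown). Second, the isolation only holds while no server uses the CSM's own address (.3) as a gateway: the firewall must be the only default gateway configured on the reals, as Gilles says, otherwise traffic addressed to the CSM could still be forwarded by it without passing the firewall.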
03-30-2006 06:19 AM
Hi Gilles -
An answer I truly like :o)
Can you point me to documentation focused on how to implement the DNS functionality on CSM with enhanced license in bridged mode?
We have separated data centers and use the DNS functionality to always point to an active resource if present, but are moving from CSSes to CSMs (unfortunately we cannot wait for the ACE :o(
03-31-2006 04:44 AM
Thanks Gilles. After trying to do this in routed mode, my next thought was to use bridge mode as you've described, but that was quickly shot down...the web server admins do not want the clients natted going to the web servers, and I do not have enough interfaces in my firewalls to accommodate all of the subnets that we were planning on. We have decided to use routed mode and place all of the servers that need to be load balanced on one VLAN; separating them by function would have been nice, but not a requirement.
Thanks again...Jeff