Isolating Server VLANs on CSM

jrichterkessing
Level 1

I am trying to deploy a CSM load balance solution in my DMZs. I have several DMZs that I need to load balance on, but the real servers in each cannot talk directly to one another. I am not using the MSFC as the router (I only built VLANs on the 6509...no VLAN interfaces); I am using my Checkpoint/Nokia FW as the router.

See my config below. I have the load balancing working fine, but if I get on a device in VLAN 172, I can communicate with a server in VLAN 173 without going through the firewall. Is there anything I can do to remedy this? Thanks for any help!...Jeff

module ContentSwitchingModule 4
 vlan 170 client
  ip address 192.168.170.6 255.255.255.0
  gateway 192.168.170.1
  alias 192.168.170.4 255.255.255.0
 !
 vlan 172 server
  ip address 192.168.172.3 255.255.255.0
  alias 192.168.172.1 255.255.255.0
 !
 vlan 173 server
  ip address 192.168.173.3 255.255.255.0
  alias 192.168.173.1 255.255.255.0
 !
 ! catch-all farm: non-load-balanced traffic is forwarded (routed) by the CSM
 serverfarm ROUTE
  no nat server
  no nat client
  predictor forward
 !
 serverfarm WEB172
  nat server
  no nat client
  real 192.168.172.171
   inservice
  real 192.168.172.172
   inservice
 !
 serverfarm WEB173
  nat server
  no nat client
  real 192.168.173.71
   inservice
  real 192.168.173.72
   inservice
 !
 vserver DIRECT-ACCESS
  virtual 0.0.0.0 0.0.0.0 any
  serverfarm ROUTE
  persistent rebalance
  inservice
 !
 ! serverfarm references below corrected to the farms defined above
 ! (the posted text referenced WAP-WEB, which is not defined)
 vserver WEB172
  virtual 167.19.250.172 tcp www
  vlan 170
  serverfarm WEB172
  persistent rebalance
  inservice
 !
 vserver WEB173
  virtual 167.19.250.173 tcp www
  vlan 170
  serverfarm WEB173
  persistent rebalance
  inservice

7 Replies

pgolding
Level 1

Jeff,

The feature you are looking for is virtualisation of the CSM, which is not available with the existing hardware. There is a new product coming in the next few months, called ACE, which does permit virtual contexts in the CSM, plus it has SSL hardware and firewall. The existing CSM hardware is just not up to the job, so it's not likely to become available in later code.

If you had a FWSM in the same switch, you could configure this to sit between the CSM and the real servers within each server VLAN, using a pair of VLANs for each (one CSM - FW, one FW - reals). You could achieve this with other firewalls, but this would need many interfaces, which most firewalls don't have.

Peter

Thanks for the info Peter....I was hoping for a different answer though ;).

There is a way to achieve what you want.

You will have to slightly modify your config/design.

The idea is to duplicate each VLAN and have the CSM bridge between the 2.

On one VLAN you will have the servers and on the other VLAN the firewall.

The 2 VLANs will share the same subnet and the CSM will bridge between the 2.

So you get something like this:

servers---VlanX----CSM-----VlanY-----FW

The servers will now use the FW as default gateway and not the CSM.

So the FW will be doing the routing between the VLANs.

A lot of customers are using this solution.

Gilles.

Hi - I am thinking of deploying the described design and have a question:

Is it possible to have the VLANs that are bridged through the CSM behind different FWSM contexts?

Like:

server---vlanv---csm---vlanx---fwsm,context1

server---vlany---csm---vlanz---fwsm,context2

Will there still be total separation?

Also: would there be any problems placing servers that do not require content switching services in the intermediate VLANs (vlanx/vlanz)?

The CSM having no knowledge of context, you can't reuse the same subnet for vlan v-x and vlan y-z.

If the subnet range is different for each pair, you can do it.

You can also use the 'vlan' cmd under each vserver to guarantee that traffic coming on vlan Z into the CSM can't hit a vserver belonging to context 1.

This is not perfect separation between contexts as you would get with virtualisation, but this is a good workaround if you do not want to swap your CSM for the new ACE module.

Gilles.
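The bridged design Gilles describes (duplicate VLAN per DMZ, CSM bridging between them, firewall as the servers' default gateway) together with the 'vlan' restriction from his second reply, written out as an added example; this is not Gilles' or the original poster's configuration. It assumes firewall-side VLANs 272/273, that the firewall takes 192.168.172.1 and 192.168.173.1 (the addresses the CSM aliases held before), and that each DMZ pair keeps its own subnet, as Gilles requires.

```cisco
! Added example (not the thread's config): bridged-mode CSM, one VLAN pair per DMZ
! Pair 1: servers vlan 172, firewall vlan 272, both 192.168.172.0/24
! Pair 2: servers vlan 173, firewall vlan 273, both 192.168.173.0/24
! VLAN numbers 272/273 are assumed; VIPs reuse the ones from the question
module ContentSwitchingModule 4
 ! same CSM address on both VLANs of a pair = bridge mode; gateway is the
 ! firewall interface, which the servers also use as their default gateway
 vlan 272 client
  ip address 192.168.172.3 255.255.255.0
  gateway 192.168.172.1
 vlan 172 server
  ip address 192.168.172.3 255.255.255.0
 !
 vlan 273 client
  ip address 192.168.173.3 255.255.255.0
  gateway 192.168.173.1
 vlan 173 server
  ip address 192.168.173.3 255.255.255.0
 !
 ! catch-all: bridge non-load-balanced traffic toward the firewall unchanged
 serverfarm ROUTE
  no nat server
  no nat client
  predictor forward
 serverfarm WEB172
  nat server
  no nat client
  real 192.168.172.171
   inservice
 serverfarm WEB173
  nat server
  no nat client
  real 192.168.173.71
   inservice
 !
 vserver DIRECT-ACCESS
  virtual 0.0.0.0 0.0.0.0 any
  serverfarm ROUTE
  inservice
 ! 'vlan' pins each VIP to its own firewall-side VLAN, so traffic entering
 ! from the pair-2 firewall cannot reach the pair-1 VIP inside the CSM
 vserver WEB172
  virtual 167.19.250.172 tcp www
  vlan 272
  serverfarm WEB172
  inservice
 vserver WEB173
  virtual 167.19.250.173 tcp www
  vlan 273
  serverfarm WEB173
  inservice
```

With this layout any 172-to-173 packet has to leave via the firewall, because the CSM bridges only within a pair and the two pairs are on different subnets; the MSFC must still have no SVI on VLANs 172/173/272/273, or it would route around the firewall again.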

Hi Gilles -

An answer I truly like :o)

Can you point me to documentation focused on how to implement the DNS functionality on CSM with enhanced license in bridged mode?

We have separated data centers and use the DNS functionality to always point to an active resource if present, but are moving from CSSes to CSMs (unfortunately we cannot wait for the ACE :o(

Thanks Gilles. After trying to do this in routed mode, my next thought was to use bridge mode as you've described; that was quickly shot down...the web server admins do not want the clients natted going to the web servers, and I do not have enough interfaces in my firewalls to accommodate all of the subnets that we were planning on. We have decided to use routed mode and place all of the servers that need to be load balanced on one VLAN; separating them by function would have been nice, but not a requirement.

Thanks again...Jeff
