Cisco Support Community
Newbie questions about CSS (11503)

I am going to be installing a couple of ASA failover pairs plus a redundant CSS load-balancing solution soon, and I have some basic newbie questions about setting up the CSS 11503s. The basic scenario is this:

Internet -> FW Pair 1(A/S Failover) -> DMZ1 -> CSS (Failover) -> Web Servers -> FW Pair 2(A/S Failover) -> DMZ2 -> SQL Servers

The customer seems to think that DMZ1, CSS, Web Servers and FW pair 2 outside interface should all be in the same subnet. It appears from reading several posts, that this may be possible - but is it the best way to do it? I have the ability to influence the design, so I want to know the best way.

I am also not sure what is optimal for how NAT is accomplished. Should FW pair 1 do it, or is it better to let the CSS pair do it? Also, what is the best design for the CSS failover?

If you had a clean slate, how would you do it?

Thanks

Dave

Accepted Solution

Cisco Employee

Re: Newbie questions about CSS (11503)

The CSS can work in bridge mode or routed mode.

What your customer wants to do is OK. It's good to save on IP addresses if you need to.

But that's the only advantage. The CSS works the same whether you do bridge mode or routed mode.

For CSS failover, I definitely recommend VIP/Interface redundancy vs. Box-to-Box.

You get faster failover time and you get the possibility to enable ASR for stateful failover.

Regarding NAT, I prefer to let the firewall do it.

Gilles.
