We are trying to separate the traffic flowing through the CSM module and being SSL-offloaded by SSLM modules. We have already decided that the best way to do that is to use the CSM in bridge mode and SSLM with the new, VRF-aware software.
Unfortunately, we found a problem when we tried to connect in the same way two systems whose real servers should not be able to communicate with each other.
To do the SSL offloading with the CSM in bridge mode, we have to create a dedicated VLAN with an L3 interface that is going to host the real servers. When we connect two VLANs in the same way, those servers are able to communicate with each other via the CSM.
This is not what we wanted, so we tried to insert an additional FW between the CSM and the real servers. When we tried to install an L3 FW, we had to enter static routing in the CSM server VLAN indicating that the real servers can be reached via the outside IP address of the firewall.
The first problem is that with such a topology the CSM is not routing the packets correctly (or is not routing packets at all). We opened all IP and ICMP traffic on the firewall, and we were not able to ping the real server from the router connected to the CSM client VLAN.
In the second phase, we tried to install an L2 firewall between the CSM and the real servers. Everything works, but we had a problem with establishing connections initiated by the real servers.
We found a solution for this by using client NAT on the CSM.
Now everything works, but it is really complicated and difficult to troubleshoot.
Does anybody know an easier way to provide separation of the traffic using CSM and SSLM modules (except switching to ACE :) or using a dedicated interface on the servers for server-initiated traffic)?
You have to put internal users in one VLAN and external users in another VLAN. All server farms are separated by L3. The CSM sits in front of both server farms. In this case the same CSM can be used for different networks, and traffic from farm to farm is forced to go through a firewall. It is not "true" CSM virtualization, but it lets you separate traffic.