Community Member

some basic design help please

Dear Netprof,

I have been assigned a project to implement SSL proxy via a CSS11501S-K9 content switch.

This is to replace our basic web (Windows Load Balance) server farm with the ability to have the web servers just running HTTP and the CSS encrypting the secure site with SSL.

We have also bought two ASA 5520s as the firewalls, and two 3750G switches.

Now to the questions.

I am planning on setting up two DMZs, one for the web servers and CSS and the other for the application server (running SQL).

1. Should I have the web servers and content switch VIP on the same or different subnets (will be private addresses 192.168.10x.x/24)?

2. Can I dual connect the CSS to the two 3750s, and should I just connect the web servers to the CSS or is it best again to dual connect them to the 3750Gs?

3. Is there anything I should be aware of when the web servers talk to the application server in the other DMZ (obviously excluding the SQL rule on the ASAs)?

Thanks in advance,

Regards, Adrian

1 ACCEPTED SOLUTION

Community Member

Re: some basic design help please

Adrian,

1 - your choice, either can work. You will need to make the web server default gateways point to the CSS circuit address, or configure groups, if any load balanced service has any alternative network path that can bypass the CSS and if they all live in the same subnet. If they don't, then the CSS becomes the default gateway for the subnet anyway.

2 - again, your choice. For best redundancy, you would go for dual connections, but be aware that spanning tree is going to block some links so there is no bandwidth gain.

3 - from 1 above, if you use groups the client IP address is not visible to the app servers, possibly also lost to the web servers depending on which subnets things live in. If you need the client IP for logging, then you can't use groups. Combine that with the requirement that all traffic in ***both*** directions to any load balanced service must pass through the CSS in both directions (did I mention - in both directions!!!), then see what options you are left with.

Regards, Peter
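The two constraints in Peter's answer (a load-balanced reply must return through the CSS, and source-NAT groups guarantee that but hide the client IP from the server logs) can be walked through with a small model. This is an added illustration, not code from the thread or from Cisco; every address is constructed, and the CSS behaviour is reduced to destination NAT on the way in, optional source NAT via a group, and un-NAT of the reply only when the reply actually reaches the CSS.

```python
from dataclasses import dataclass

# Constructed addresses for the model (assumptions, not from the thread).
CLIENT = "203.0.113.10"          # external client
VIP = "198.51.100.80"            # load-balanced VIP advertised by the CSS
CSS_CIRCUIT = "192.168.101.1"    # CSS circuit address in the web DMZ
GROUP_ADDR = "192.168.101.2"     # CSS source-group (SNAT) address
ASA_DMZ = "192.168.101.254"      # ASA interface: the alternative path that bypasses the CSS
REAL_SERVER = "192.168.101.11"   # web server behind the VIP


@dataclass
class Outcome:
    client_sees_src: str     # source address of the reply as the client receives it
    session_ok: bool         # True only if that source is the VIP the client connected to
    server_logs_client: str  # what the web server's access log records as the client


def simulate(server_gateway: str, use_groups: bool) -> Outcome:
    """Model one request/reply for a server with the given default gateway."""
    # Forward path: client -> VIP. The CSS rewrites the destination to the
    # real server; with a group it also rewrites the source to GROUP_ADDR.
    src_seen_by_server = GROUP_ADDR if use_groups else CLIENT

    # Reply path: the server answers whatever source it saw.
    if src_seen_by_server == GROUP_ADDR:
        # The destination is the CSS itself (same subnet), so the reply
        # reaches the CSS no matter what the default gateway is.
        next_hop = CSS_CIRCUIT
    else:
        # The client is off-subnet, so the server uses its default gateway.
        next_hop = server_gateway

    if next_hop == CSS_CIRCUIT:
        # The CSS un-NATs the reply: source becomes the VIP again.
        client_src = VIP
    else:
        # The reply bypassed the CSS and carries the real server address;
        # the client's TCP stack has no socket for it and drops the segment.
        client_src = REAL_SERVER

    return Outcome(client_src, client_src == VIP, src_seen_by_server)
```

Running the three combinations shows the trade-off: gateway at the ASA without groups breaks the session, gateway at the CSS keeps the client IP, and groups keep the session up from any gateway but log the group address instead of the client.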

2 REPLIES
Community Member

Re: some basic design help please

Many thanks for your assistance, will give the different options a try next week.

Thanks again.

Regards, Adrian
