I'm deploying a CSM in bridge mode that will be used in conjunction with a FWSM that acts as the gateway for each server farm. From Cisco's CSM & FWSM design guide they state, "The most important point is that by specifying the incoming VLAN in the vserver configuration, the CSM can preserve the segregation between server farms so that the FWSM can be used to control the traffic that is allowed to flow from one server farm segment to another segment."
virtual 10.20.5.80 tcp www
vlan 5
serverfarm WEB-SERVERS
...where "vlan 5" specifies that the vserver only accepts incoming traffic from vlan 5.
However, if each server farm is in its own DMZ, it'll be subjected to the ACLs on the FWSM, and shouldn't be able to talk to other server farms, right? Or is serverfarm A in dmz1 able to talk to serverfarm B in dmz2 without going through the firewall?
Bridge mode or routed mode, the CSM-S is still behind the FWSM.
So you still have client --- FW----- CSM-S
So, why do you need bridge mode?
I believe it is because you want to prevent server-to-server traffic from bypassing the FW.
And I'm telling you, if somebody can hack one of your servers and change the default gateway to be the CSM-S instead of the firewall, the CSM-S will route from one VLAN to another, bypassing the firewall, and the hacker can access all of your network.
Is it clear like this?
If you believe nobody can hack your servers or change their default gateway, then you don't need to worry, and you probably do not need bridge mode.
Thanks for your input Gilles (and Jon for the questions I would have asked). A couple more questions for you if you don't mind...
Can you elaborate on the concept of "create some vserver to catch the non-vip traffic and forward it to the firewall"?
I'm not sure what this means, where it's configured (is it needed for each serverfarm / vserver?), what the client & server vlan configs look like, etc.
I understand that if a server is compromised and the gateway is changed, the FWSM could be bypassed, but does the "vlan x" command applied to the virtual server protect against this at all, and if not, what's the purpose of it?
If it's too much to explain here I can call into TAC.
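As an added example that is not part of this thread and not Cisco tooling: a small Python audit of a CSM running-config excerpt that flags in-service vservers with no "vlan" keyword (the CSM then matches the VIP on every VLAN it is attached to, including the server VLAN) or pinned to a VLAN that is not the client VLAN facing the FWSM. The sample config embedded below is constructed for this example; its bridge-mode layout (same IP address on the client and server VLAN, VLAN 5 client-side, VLAN 105 server-side), the vserver names and the addresses are assumptions, not the poster's deployment.

```python
"""Audit a CSM config for vservers reachable from a server-side VLAN.

Added example, not from the thread. Assumes the Cisco CSM config layout
(one-space-indented 'vlan N client|server' and 'vserver NAME' sections
with deeper-indented 'virtual', 'vlan', 'serverfarm', 'inservice' lines).
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample 'show running-config' excerpt (assumption, not real data).
# Bridge mode: client VLAN 5 (toward the FWSM) and server VLAN 105 share one IP.
SAMPLE_CONFIG = """\
module ContentSwitchingModule 4
 vlan 5 client
  ip address 10.20.5.2 255.255.255.0
  gateway 10.20.5.1
 vlan 105 server
  ip address 10.20.5.2 255.255.255.0
 serverfarm WEB-SERVERS
  nat server
  no nat client
  real 10.20.5.11
   inservice
  real 10.20.5.12
   inservice
 vserver WEB
  virtual 10.20.5.80 tcp www
  vlan 5
  serverfarm WEB-SERVERS
  inservice
 vserver WEB-SSL
  virtual 10.20.5.80 tcp https
  serverfarm WEB-SERVERS
  inservice
 vserver WEB-ADMIN
  virtual 10.20.5.81 tcp 8080
  vlan 105
  serverfarm WEB-SERVERS
  inservice
"""


@dataclass
class Vserver:
    name: str
    virtual: str = ""
    vlan: Optional[int] = None      # None: no 'vlan' keyword, all VLANs accepted
    serverfarm: str = ""
    inservice: bool = False


def parse_csm_config(text: str) -> Tuple[Dict[int, str], List[Vserver]]:
    """Return (vlan_roles, vservers); vlan_roles maps VLAN id -> 'client'|'server'."""
    vlan_roles: Dict[int, str] = {}
    vservers: List[Vserver] = []
    current: Optional[Vserver] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        indent = len(raw) - len(raw.lstrip())
        m = re.match(r"vlan (\d+) (client|server)$", line)
        if m and indent == 1:                     # top-level VLAN section
            vlan_roles[int(m.group(1))] = m.group(2)
            current = None
            continue
        m = re.match(r"vserver (\S+)$", line)
        if m and indent == 1:                     # start of a vserver block
            current = Vserver(m.group(1))
            vservers.append(current)
            continue
        if indent <= 1:                           # any other section ends the block
            current = None
            continue
        if current is None:
            continue
        if line.startswith("virtual "):
            current.virtual = line[len("virtual "):]
        elif re.match(r"vlan \d+$", line):        # incoming-VLAN restriction
            current.vlan = int(line.split()[1])
        elif line.startswith("serverfarm "):
            current.serverfarm = line.split()[1]
        elif line == "inservice":
            current.inservice = True
    return vlan_roles, vservers


def audit_vservers(vlan_roles: Dict[int, str], vservers: List[Vserver]) -> List[str]:
    """One finding per in-service vserver a server-side host could reach directly."""
    findings = []
    for v in vservers:
        if not v.inservice:
            continue
        if v.vlan is None:
            findings.append(f"{v.name} ({v.virtual}): no 'vlan' restriction, "
                            "VIP is matched on every VLAN including server VLANs")
        elif vlan_roles.get(v.vlan) != "client":
            role = vlan_roles.get(v.vlan, "unknown")
            findings.append(f"{v.name} ({v.virtual}): restricted to VLAN {v.vlan}, "
                            f"a {role} VLAN rather than the client VLAN facing the FWSM")
    return findings


if __name__ == "__main__":
    roles, vs = parse_csm_config(SAMPLE_CONFIG)
    for line in audit_vservers(roles, vs) or ["all in-service vservers restricted to a client VLAN"]:
        print(line)
```

Run against real "show running-config" output from the switch instead of SAMPLE_CONFIG; a clean run means every in-service VIP only answers on the client VLAN, so a server that has been repointed at the CSM still cannot reach another farm through a VIP, while Gilles' point about routed traffic bypassing the FWSM is a separate question the "vlan" keyword does not settle.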