Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

vserver incoming vlan question

I'm deploying a CSM in bridge mode that will be used in conjunction with a FWSM that acts as the gateway for each server farm. From Cisco's CSM & FWSM design guide they state, "The most important point is that by specifying the incoming VLAN in the vserver

configuration, the CSM can preserve the segregation between server farms so that the FWSM can be used

to control the traffic that is allowed to flow from one server farm segment to another segment."

vserver HTTP-WEB

virtual 10.20.5.80 tcp www

vlan 5

server farm WEB-SERVERS

persistent rebalance

inservice

!

...where "vlan 5" specifies that the vserver only accepts incoming traffic from vlan 5.

However, if each server farm is in it's own DMZ, it'll be subjected to the ACLs on the FWSM, and shouldn't be able to talk to other server farms, right? Or is serverfarm A in dmz1 able to talk to serverfarm B in dmz2 without going through the firewall?

Thanks in advance,

Eric

7 REPLIES
Cisco Employee

Re: vserver incoming vlan question

Eric,

if a user detects the existence of the CSM and changes the gateway to be the CSM instead of the firewall, the CSM will route between the DMZ.

Unless you create some vserver to catch the non-vip traffic and forward it to the firewall.

something like

serverfarm forward2fw

no nat server

real x.x.x.x

ins

!

vserver forward

vip 0.0.0.0/0 any

serverfarm forward2fw

vlan x

active

Gilles.

Hall of Fame Super Blue

Re: vserver incoming vlan question

Gilles

Could you explain this a bit more as i'm not sure i understand.

If the CSM-S is in bridge mode then the address of the CSM-S for that particular bridged vlan pair will be behind the FWSM anyway so you would have to go through the FWSM to get to it.

if the CSM-S is in bridge mode not routed mode can it be used as a gateway anyway ?

If the CSM-S is always behind the firewall in relation to the user does what you said still apply ?

Regards

Jon

Cisco Employee

Re: vserver incoming vlan question

Bridge mode or routed mode, the CSM-S is still behind the FWSM.

So you still have client --- FW----- CSM-S

So, why do you need bridge mode ?

I believe because you want to prevent traffic from server to server to bypass the FW.

And I'm telling you, if somebody can hack one of your servers, change the default gateway to be the CSM-S instead of the firewall, the CSM-S will route from one vlan to another, bypassing the firewall and the hacker can access all your network.

Is it clear like this ?

If you believe nobody can hack your server or change their default gateway, then you don't need to worry and you probably do not need bridge mode.

Gilles.

Hall of Fame Super Blue

Re: vserver incoming vlan question

Gilles

Thanks for this. Didn't mean to offend or anything i was just a little unclear.

What i didn't understand was that you were talking about someone hacking the server and being behind the FWSM.

At the risk of further offence you seem to be suggesting that the reason to use bridge mode is to ensure there can't be a FWSM bypass between servers. Have i understood correctly.

I ask because the original poster was talking about bridge mode not routed mode.

Jon

Cisco Employee

Re: vserver incoming vlan question

Jon,

no offense.

english is not my mother tongue, so I use a simple language which sometimes sound aggressive apparently.

Anway, there are different to use bridge mode vs routed mode.

One of them is to avoid re-addressing the servers and simply insert the CSM in the middle transparently.

Another reason invoked by a lot of people is that they want to have a firewall doing the routing between vlans and not the CSM.

This is where I wanted to warn you and any other user that on paper this looks secure, but anybody gaining access to a server could change the gateway and bypass the firewall.

Again, for some users this is ok. For others this is not

With routed mode, the CSM will route between vlan, so server-to-server communication will bypass the firewall anyway.

The solution I suggested to intercept the traffic is to force traffic to be sent to the firewall whatever mode you're in and whatever the server gateway is.

Gilles.

New Member

Re: vserver incoming vlan question

Thanks for you input Gilles (and Jon for the questions I would have asked). Couple more questions for you if you don't mind...

Can you elaborate on the concept of "create some vserver to catch the non-vip traffic and forward it to the firewall"?

I'm not sure what this means, where it's configured (is it needed for each serverfarm / vserver?), what the client & server vlan configs look like, etc.

I understand that if a server is comprimised and the gateway is changed that the fwsm could be bypassed, but does the "vlan x" command applied to the virtual server protect against this at all, and if not, what's the purpose of it?

If it's too much to explain here I can call into TAC.

Thanks,

Eric

Cisco Employee

Re: vserver incoming vlan question

Eric,

a catch-all vserver looks like this

vserver catch-all

virtual 0.0.0.0/0 any

...

It means match everything.

You can then create a serverfarm like below to forward the traffic - simply forward - to the firewall.

serverfarm 2fw

no nat server

no nat client

real name FW

ins

So, all traffic that does not match any other vserver will hit this vserver and will be forwarded to the firewall.

That's only traffic with a destination mac-address equal to a CSM mac-address.

So, your bridged traffic will still go accross without hitting this vserver.

This is somekind of policy routing.

Hope this makes sense like this.

Gilles.

428
Views
0
Helpful
7
Replies
CreatePlease to create content