
New Member

Preventing IP Routing on 6509 with Hybrid OS

Hi All,

Current setup: internal LAN on 6509, DMZ on 2 x 2924 switches, outside on 1 x 2950-12 connected to the internet via 1720 router - the 3 LANs are connected together by a PIX520. We have two webservers on the DMZ that are currently load balanced using Microsoft's Windows Load Balancing.

As you know, the new hybrid OS on the 6509 now has Cisco Server Load Balancing. We conducted some testing on the internal LAN and are very happy with it, mainly due to the fact that if the IIS service stops on one of the webservers the Cisco SLB probe can detect it - it will actually conduct http requests to the real servers. I want to make use of this!!

The problem: I want to create a new VLAN on the 6509, assign a port to that VLAN, connect a crossover cable to the DMZ switch, assign the relevant addresses to the VLAN and set up SLB with virtual IP for the webservers.

1) Is this the only way to get SLB working on the DMZ?

2) As soon as an IP address is assigned to the second vlan the RP on the switch immediately starts routing between the internal vlan and the DMZ vlan - can this be prevented on a more "secure" level than standard ACLs? I was hoping that I could enter some commands to say "under no circumstances should a packet cross from VLAN 1 to VLAN 2".

3) I'm worried that I am seriously compromising security by connecting the DMZ switch to the 6509 in the first place.

Any comments gratefully received...

Thanks,

Tariq.

6 REPLIES

Re: Preventing IP Routing on 6509 with Hybrid OS

Hello Tariq,

The most secure way to prevent IP routing is to not assign an IP address to the vlan. This will kill off your SLB, so this is not the solution.

What remains are ACLs. Depending on your IP plan this is either easy or not too easy but it can be done.

Regards,

Leo
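To make the two options discussed concrete, here is an added example of what the MSFC side of this design would look like on the 6509 (IOS SLB plus the ACL approach Leo mentions). It is not configuration from the thread or from Cisco; the VLAN numbers, names, and addresses (documentation ranges 192.0.2.0/24 for the DMZ and 203.0.113.0/24 for the VIP, 10.0.0.0/8 for the internal LAN) are assumptions chosen for illustration. The HTTP probe is the feature Tariq describes (the switch issues GET requests and pulls a real server out of rotation when IIS stops answering), and the ACLs are the only remaining control on the MSFC once the DMZ SVI has an address; as the later reply in the thread points out, they do not restore the PIX as the boundary between the DMZ and the internal LAN.

```cisco
! --- IOS SLB on the MSFC (assumed names/addresses, not from the thread) ---
! HTTP probe: the switch itself issues GET / to each real server and
! expects a 200; after two missed probes the real is taken out of service.
ip slb probe HTTPCHECK http
 request method get url /
 expect status 200
 interval 10
 faildetect 2
!
! Server farm holding the two IIS web servers on the DMZ VLAN.
! "nat server" rewrites the VIP to the real address (directed mode), which is
! what lets the VIP live in a different subnet from the reals, as Tariq notes.
ip slb serverfarm WEBFARM
 nat server
 probe HTTPCHECK
 real 192.0.2.11
  inservice
 real 192.0.2.12
  inservice
!
! Virtual server: the address clients (and the PIX static) point at.
ip slb vserver WEBVIP
 virtual 203.0.113.100 tcp www
 serverfarm WEBFARM
 inservice
!
! --- ACLs: the only control left once VLAN 2 has an IP address ---
! Inbound on the DMZ SVI: nothing sourced in the DMZ may reach the internal LAN.
! Logged so that attempts show up in syslog for the SOC.
ip access-list extended DMZ-NO-INSIDE
 remark block DMZ-sourced traffic to the internal LAN; logged
 deny   ip 192.0.2.0 0.0.0.255 10.0.0.0 0.255.255.255 log
 permit ip any any
!
! Inbound on the internal SVI: the mirror rule, so internal hosts cannot reach
! the DMZ directly through the MSFC either (they should still go via the PIX).
ip access-list extended INSIDE-NO-DMZ
 remark block internal-sourced traffic to the DMZ VLAN; logged
 deny   ip 10.0.0.0 0.255.255.255 192.0.2.0 0.0.0.255 log
 permit ip any any
!
interface Vlan1
 description Internal LAN (assumed)
 ip address 10.0.0.1 255.0.0.0
 ip access-group INSIDE-NO-DMZ in
!
interface Vlan2
 description DMZ VLAN for IOS SLB (assumed)
 ip address 192.0.2.1 255.255.255.0
 ip access-group DMZ-NO-INSIDE in
```

Two things worth checking after applying something like this: `show ip slb reals` should show both reals as OPERATIONAL and flip one to FAILED when its IIS service is stopped, and `show ip access-lists` should show the deny counters climbing if anything in the DMZ tries to reach the internal range. Neither check changes the point made later in the thread: the ACLs live on the same device that now bridges both networks at layer 3, so a mistake or a compromise of the 6509 itself removes the separation that the PIX was providing.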

New Member

Re: Preventing IP Routing on 6509 with Hybrid OS

Create two ports in the new vlan on the 6500. One port connect to your PIX, the other port your 2950. Don't tell the MSFC about the VLAN so routing will occur as it happens prior to any playing around. The 6500 should still be able to track the servers but the PIX is doing the security.

easy...

steve.

New Member

Re: Preventing IP Routing on 6509 with Hybrid OS

Steve - thanks for your response.

Agreed that this is secure, but this setup will mean that SLB will not work. In order for SLB to function the 6509 needs access to the required VLAN on layer 3, which in turn means that I have to assign an address somewhere in the 6509.

Second thing is that in order for SLB to work the virtual IP address must be in a different subnet than the IP addresses of the real servers.

Thanks, Tariq.

New Member

Re: Preventing IP Routing on 6509 with Hybrid OS

Hi,

I wanted to refresh this issue to the top of the list again - has anyone else got any recommendations please?

Thanks...

Tariq.

Bronze

Re: Preventing IP Routing on 6509 with Hybrid OS

Any way you slice it, this is a complete disaster from a security standpoint. You're completely bypassing your firewall and providing a direct path from the DMZ to the internal network. You might as well combine the DMZ and internal network onto a single device (the 6509) -- it would be no less secure. (Obviously I don't recommend this, I'm just trying to make a point.)

New Member

Re: Preventing IP Routing on 6509 with Hybrid OS

Point taken...!
