Current setup: internal LAN on 6509, DMZ on 2 x 2924 switches, outside on 1 x 2950-12 connected to the internet via 1720 router - the 3 LANs are connected together by a PIX520. We have two webservers on the DMZ that are currently load balanced using Microsoft's Windows Load Balancing.
As you know, the new hybrid OS on the 6509 now has Cisco Server Load Balancing. We conducted some testing on the internal LAN and are very happy with it, mainly due to the fact that if the IIS service stops on one of the webservers the Cisco SLB probe can detect it - it will actually conduct http requests to the real servers. I want to make use of this!!
The problem: I want to create a new VLAN on the 6509, assign a port to that VLAN, connect a crossover cable to the DMZ switch, assign the relevant addresses to the VLAN and set up SLB with virtual IP for the webservers.
1) Is this the only way to get SLB working on the DMZ?
2) As soon as an IP address is assigned to the second VLAN the RP on the switch immediately starts routing between the internal VLAN and the DMZ VLAN - can this be prevented on a more "secure" level than standard ACLs? I was hoping that I could enter some commands to say "under no circumstances should a packet cross from VLAN 1 to VLAN 2".
3) I'm worried that I am seriously compromising security by connecting the DMZ switch to the 6509 in the first place.
Create two ports in the new VLAN on the 6500: connect one port to your PIX and the other port to your 2950. Don't tell the MSFC about the VLAN, so routing will occur as it did prior to any playing around. The 6500 should still be able to track the servers, but the PIX is doing the security.
Agreed that this is secure, but this setup will mean that SLB will not work. In order for SLB to function the 6509 needs access to the required VLAN on layer 3, which in turn means that I have to assign an address somewhere in the 6509.
Second thing is that in order for SLB to work the virtual IP address must be in a different subnet than the IP addresses of the real servers.
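To make the two requirements in the thread concrete (the SLB HTTP probe that detects a stopped IIS service, and the virtual IP living in a different subnet than the real servers), here is an added IOS SLB configuration fragment. It is not from the thread or from Cisco; the names (WEBCHECK, WEBFARM, WEB-VIP), the 172.16.20.0/24 real-server subnet and the 172.16.30.10 VIP are constructed placeholders, and server NAT mode is an assumption.

```cisco
! Added example, not from the original post. Addresses and names are constructed.
!
! HTTP probe: SLB issues a real GET and expects a 200; three consecutive
! failures take the real server out of rotation (the behaviour praised above).
ip slb probe WEBCHECK http
 request method get url /index.html
 expect status 200
 interval 10
 faildetect 3
!
! Real web servers on the DMZ subnet (172.16.20.0/24, constructed).
ip slb serverfarm WEBFARM
 nat server
 probe WEBCHECK
 real 172.16.20.11
  inservice
 real 172.16.20.12
  inservice
!
! Virtual IP in a different subnet (172.16.30.0/24, constructed) than the reals,
! as required for SLB to operate, fronting TCP 80 only.
ip slb vserver WEB-VIP
 virtual 172.16.30.10 tcp www
 serverfarm WEBFARM
 inservice
```

Note what this fragment does not show: for the 6509 to reach 172.16.20.0/24 and 172.16.30.0/24 at layer 3, the MSFC needs an SVI in the DMZ VLAN, and that SVI is exactly the path the last reply warns about, since the MSFC will then route between the internal VLAN and the DMZ VLAN without the PIX ever seeing the traffic. Verify with `show ip slb reals` and `show ip slb vservers` that the probe is marking servers operational, and verify with `show ip route` which VLAN interfaces the MSFC is routing between before putting the DMZ switch on the chassis.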
Any way you slice it, this is a complete disaster from a security standpoint. You're completely bypassing your firewall and providing a direct path from the DMZ to the internal network. You might as well combine the DMZ and internal network onto a single device (the 6509) -- it would be no less secure. (Obviously I don't recommend this, I'm just trying to make a point.)