Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member



We have a Core layer in a Entr. DC where the core layer is 2Nos. Cat6509 with 1 No.CSM in each switch. This is the core layer hosting the server farms. Multiple tier application servers are in the farm. The client traffic will enter the Core Layer via Core layer firewalls directly connected to the core layer switches. No client vlans will be configured in the Core layer switches. I would like to know in this scenario what will be the best way the CSM can be configured Will it be the Secure Router or Bridge mode ? I personally feel that if I keep Clients traffic coming via the core firewall and entering the server farm via CSM ( both client VLANS and server in the CSM) via Secure router mode. Any ideas will be appreciated




Re: CSM for SLB

Client and server connections through the CSM can use either Layer 2 or Layer 3 switching. Clients connect to the client side VLAN, and servers connect to the server side VLAN. Servers and clients can exist on different subnets. Servers can also be located more than one hop away and connect to the server side VLAN through routers. In this case, the servers' default gateway and the routing through the network from servers to the CSM server side VLAN must direct all load balanced traffic from the servers through the CSM, or serverfarm client NAT must be configured in the CSM for all traffic destined to servers in the server farm. A client sends a request to a VIP address, and the CSM forwards the request to a server that can satisfy the request. The server forwards the response to the CSM, and the CSM forwards the response to the client.

When the client side and server side VLANs are in different subnets, you can configure the CSM in secure (router) mode. This sample configuration focuses on secure (router) mode configuration. When the client side and server side VLANs are in the same subnet, you can configure the CSM to operate in single subnet (bridge) mode.


Re: CSM for SLB

if you were to keep both client and servers in the same VLANs then you would use bridged mode.

if you require or have clients and servers in different VLANs then secure routed mode would be needed.

one nice thing about routed mode is you are able to add an additional layer of security at L3 in your case.

i agree with you that in your case, secure routed mode is your best option for your current topology.

please see the following link for more info on CSM Modes:

CreatePlease to create content