01-25-2011 03:37 AM
Hi,
Briefly, for various reasons, we are locating a pair of appliances on a DMZ front-ended by a firewall. We intend to configure inbound traffic via a Cisco CSM located in front of that firewall.
My question is what interface would send the health probes from the CSM? We are using a source NAT client pool so I'm assuming it would be the interface of the CSM in that VLAN... is this correct?
Many Thanks
01-25-2011 04:04 PM
Hello!
The CSM will send the probe with the source IP of the packet that the probe leaves based on the best route to it.
i.e.
If the destination IP on the probe matches a layer 2 segment, then we ARP for the MAC, then send the packet with the source IP of the interface VLAN the ARP was responded to.
If the IP is not layer 2 adjacent, the CSM will send the probe out of the interface VLAN based on its routing table. The source IP of the packet is the VLAN IP on the chosen outbound interface.
Please let me know if that clarifies what you were asking for.
Regards,
Chris
01-26-2011 01:05 AM
Hi Chris,
Thanks for the info. Just for clarity on my behalf:
"If the IP is not layer 2 adjacent, the CSM will send the probe out of the interface vlan based on its routing table. The source ip of the packet is the vlan ip on the chosen outbound interface"
Are you referring to the CSM routing table or the MSFC, and if it's the CSM you're referring to, its interface into the MSFC?
Thanks
01-26-2011 10:31 AM
The CSM itself. Although the CSM configuration is done through the MSFC, the CSM has its own unique routing and bridging tables. It makes its decisions separately from the MSFC and sees anything else in the 6k chassis as if it were just another host connected to one of its VLANs.
Regards,
Chris
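The source-address selection described in the answers above, as an added example that is not part of the original thread and is not Cisco code: a simplified Python model for working out which source IP a firewall rule in front of the real servers has to permit for health probes. All addresses, VLAN names and routes are constructed, and longest-prefix matching for the route lookup is an assumption.

```python
import ipaddress

# Constructed sample data: the CSM's own VLAN interfaces and static routes
# (the CSM keeps these separately from the MSFC, per the thread).
CSM_VLANS = {
    "vlan10": ipaddress.ip_interface("192.0.2.2/24"),     # client side
    "vlan20": ipaddress.ip_interface("198.51.100.2/24"),  # toward the firewall
}
CSM_ROUTES = [  # (destination prefix, next-hop gateway)
    (ipaddress.ip_network("203.0.113.0/24"), ipaddress.ip_address("198.51.100.1")),
    (ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_address("192.0.2.1")),
]


def connected_vlan(ip, vlans):
    """Return the name of the VLAN whose subnet contains ip, or None."""
    for name, iface in vlans.items():
        if ip in iface.network:
            return name
    return None


def probe_source(dest, vlans=CSM_VLANS, routes=CSM_ROUTES):
    """Model which source IP and VLAN a probe to dest would use."""
    dest = ipaddress.ip_address(dest)

    # Case 1: destination is layer 2 adjacent, so the probe is sourced
    # from the interface IP of the VLAN it sits on.
    vlan = connected_vlan(dest, vlans)
    if vlan:
        return {"source": str(vlans[vlan].ip), "vlan": vlan, "next_hop": None}

    # Case 2: not adjacent, so consult the CSM's own routing table
    # (assumption: most specific matching prefix wins).
    matches = [(net, gw) for net, gw in routes if dest in net]
    if not matches:
        return None  # no route: the probe cannot be sent
    _, gw = max(matches, key=lambda m: m[0].prefixlen)

    # The outbound interface is the VLAN the gateway lives on, and the
    # probe is sourced from that VLAN's interface IP.
    vlan = connected_vlan(gw, vlans)
    if vlan is None:
        return None  # gateway is not reachable on any CSM VLAN
    return {"source": str(vlans[vlan].ip), "vlan": vlan, "next_hop": str(gw)}
```

For a real server behind the firewall, the `source` value returned here is the address the firewall policy needs to allow for probe traffic.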
01-27-2011 12:11 AM
yep - thanks Chris.