CSM and FWSM

mpocciotti · ‎04-05-2005

Hello all,

Would appreciate some insight on a issue I'm facing when trying to configure a CSM in a 6513 with a Firewall Module.

The FWSM has IPs in all vlans and is in routing mode, also it is the default gateway for servers in all VLANs.

There is also the MSFC in the same 6513 with interfaces on all vlans.

I've done a lot of research but could not yet figure out what is the best topology for this implementation.

Some places say it is best to do routing in the FWSM and bridging in the CSM.

The problem I'm facing with the CSM in routing mode and the FWSM in routing mode is that servers from a certain vlan need to access application servers in other vlan on the same 6513, but the application servers don't point to the CSM as Def gateway but point directly to the Firewall Module.

Any help is greatly appreciated.

Marcio

Gilles Dufour · ‎04-05-2005

if you configure the csm in routing mode, you definitely need to change the default gateway of the server to point at the csm or configure client nat so traffic going through the CSM is nated to guarantee that the response from the servers will come back to the csm.

Otherwise, a better solution is to split each vlan in 2 and the CSM bridge them.

ie: your subnet 10.x.x.x/24 will be used in vlan 10 and 110. On vlan 10 you put the FW and on vlan 110 you put the servers.

The csm is connected to both 10 and 110 and bridge them.

The servers still point at the FW as default gateway.

The traffic will have to go through the CSM.

Regards,

Gilles.

mpocciotti · ‎04-18-2005

Hello Gilles,

I have tried the configuration you advised and something strange is happening. I can access the servers directly, but not via VIP (I can ping the VIP). The config follows:

module ContentSwitchingModule 7

vlan 14 client

ip address 10.200.240.54 255.255.255.0

gateway 10.200.240.1

!

vlan 50 server

ip address 10.200.240.54 255.255.255.0

!

probe TESTE1 http

request method get

interval 3

failed 3

port 80

!

real LAPTOP

address 10.200.240.230

inservice

real TESTE1

address 10.200.240.12

inservice

!

serverfarm TESTE1

nat server

no nat client

real name TESTE1

inservice

real name LAPTOP

inservice

probe TESTE1

!

vserver TESTE1

virtual 10.200.240.231 tcp www

serverfarm TESTE1

persistent rebalance

inservice

gateway 10.200.240.1 is the FWSM.

I have captured packets with a sniffer on the server LAPTOP and the packets that reach the server come from IP 10.200.240.54 (the CSM interface on the client vlan). Shouldn't they come directly from the origin client?

If I create a interface vlan on the MSFC for vlan 50 it works. Could you explain?

Thanks,

Marcio