CSM-S mode -One-Arm-vs- routed

tporembski
Level 1

We currently have an environment with CSS running in routed mode. We are building a new data center with 6509s and CSM-S. My question is what is the best mode to run the CSM-S in routed or one-arm and why?

5 Replies

Gilles Dufour
Cisco Employee

We usually do not recommend one-armed.

The reason is that you will need to use client-nat to make sure the response from the server goes back to the CSM and this will have some drawbacks.

First, you won't see the client ip on the servers anymore - so no stats possible.

Second, if you have too many clients and use only a few client nat ip addresses, you could have a problem of the CSM reusing source ports too quickly for the servers.

So, if this is a new design, do not go with one-armed.

You can use a 2-interface design and do bridge mode.

This is also a valid option.

This gives you the possibility to keep existing ip addressing and still have the traffic flow through the CSM naturally without client nat.

Gilles.

Thanks for rating this answer.
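To make the difference concrete, here is an added illustration (not from the original thread or from Cisco) of what the two designs look like in CSM configuration syntax. All VLAN numbers, addresses and names are placeholders; the point is that routed mode needs no client NAT because the servers default-route through the CSM, while one-arm needs a natpool so the server replies come back to the CSM instead of going straight to the client.

```text
! --- Routed mode: two VLANs, CSM is the servers' default gateway ---
module ContentSwitchingModule 5
 vlan 10 client
  ip address 10.1.10.2 255.255.255.0
  gateway 10.1.10.1
 vlan 20 server
  ip address 10.1.20.1 255.255.255.0      ! servers use this as default gateway
 serverfarm WEB
  nat server                              ! VIP -> real IP rewrite only
  real 10.1.20.11
   inservice
  real 10.1.20.12
   inservice
 vserver WEB-VIP
  virtual 10.1.10.100 tcp www
  serverfarm WEB
  inservice
! Servers see the real client source IP in their logs.

! --- One-arm mode: single VLAN, client NAT forces the return path ---
module ContentSwitchingModule 5
 vlan 10 client
  ip address 10.1.10.2 255.255.255.0
  gateway 10.1.10.1                       ! reals are reached via the MSFC
 natpool CLIENT-NAT 10.1.10.50 10.1.10.53 netmask 255.255.255.0
 serverfarm WEB
  nat server
  nat client CLIENT-NAT                   ! source becomes a pool address
  real 10.1.20.11
   inservice
  real 10.1.20.12
   inservice
 vserver WEB-VIP
  virtual 10.1.10.100 tcp www
  serverfarm WEB
  inservice
! Servers only ever see 10.1.10.50-.53 as the client, and every
! connection consumes a source port from just four addresses, which is
! the port-reuse concern described above.
```

Size the natpool against expected concurrent connections before choosing one-arm; the routed design sidesteps the question entirely.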

Thank you for the response. I think we are going to use routed since there are some security concerns with using bridge.

Gilles,

What do you recommend when the traffic flows from the load balanced server are significant?

i.e.: you are using Oracle application and database servers, load balancing http and https to the app servers. There is significant traffic flow from the app server to the database servers, such that the load balancer in a 2-armed configuration (particularly a CSS11501 w/ 8 10/100 interfaces and a single 1000Base-T interface) would be a significant bandwidth bottleneck.

Also, if Cisco usually does not recommend one-armed config.... why does the latest Server Farm Security Solution Reference Network Design v2.0 (http://www.cisco.com/warp/public/732/systems/docs/dcsrndbk.pdf) recommend a one-armed configuration for the CSS?

Sam, from what I have been told and read, if your server traffic is coming back through the CSS 11501, in your case, then routed mode isn't the best solution. In my case all my web to app to DB traffic is happening on the backside of the web server. That is to say our web servers have two interfaces, one facing the CSS and one facing the app/DB layer, so none of that traffic comes back through the CSS (CSM).

If you know what you're doing and have the requirement for one-armed, like when having lots of traffic that does not need to go through the load balancer.

My recommendation is just that one-armed may look more simple but it actually requires some thinking before deploying and should only be used when needed.

Gilles.
