CSS Design Question

mchockalingam
Level 1

Hi All,

I have a CSS 11503 ready to be configured for load balancing some web servers in our dmz and server vlan. The web servers are connected to a 6509 switch on the dmz vlan with private addresses. The default gateway points to a dmz i/f on the PIX right now.

Now with the 11503 (has a SCM module with 2 GE ports and an IOM with 2 GE ports), I am trying to come up with a design and have been reading some of the CSS articles.

The way I have envisioned is

clients -> Internet -> PIX -> CSS -> Web Servers

I have used

1 port for DMZ vlan

1 for server vlan

1 for VIP vlan

1 for failover (box to box redundancy)

on the CSS.

I configured the web servers

in dmz to point to the DMZ i/f of the CSS

in the server vlan to point to server i/f of the CSS.

PIX is doing the NAT from public address to private VIP address. External DNS will resolve to the public IP and internal DNS will resolve to the VIP address. However, I had to add a static route on the web servers. For example, the web servers in dmz have a static route

10.0.0.0 mask 255.0.0.0 <dmz i/f of the firewall>

I have also looked at another option where 802.1q trunking can be turned on. So, I will use 3 GE ports. (1 for trunking, 1 for VIP and 1 for failover)

I am not really sure which option would be better. Any suggestions?

1 Reply

Gilles Dufour
Cisco Employee

So the question is - should you trunk or not?

I would say it does not matter.

Trunking leaves you the possibility to add new vlans, so it seems a better choice.

One remark concerns the redundancy.

Since this is a new install, I would suggest Vip/Interface redundancy which is similar to VRRP/HSRP in the IOS world.

Reasons: easier to control, faster failover time, stateful [with ASR], no single point of failure like box-to-box redundancy [only 1 link between the 2 CSS - if this link goes down, the network goes down].

Finally, I'm not sure about your design. Why are there 4 vlans? You just need inbound and outbound vlan on the CSS.

Also, why the static route? How can you bypass the CSS? Do you plan to put servers, CSS and PIX in the same vlan?

Regards,

Gilles.
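To make the two recommendations in the reply concrete (one trunked port carrying an inbound and an outbound VLAN, and VIP/interface redundancy instead of box-to-box), here is an illustrative CSS 11500 configuration fragment. It is an added example, not configuration from the original thread, from Gilles, or from Cisco; the VLAN numbers, port, IP addresses and service names are constructed, and the command syntax is assumed from the CSS 11500 documentation rather than taken from the page. The servers point their default gateway at the redundant interface address on the server VLAN, so return traffic comes back through the CSS and no per-server static route is needed. The second CSS would carry the same configuration with a lower virtual-router priority.

```text
!*************************** GLOBAL ***************************
! Default route toward the PIX inside interface (constructed address)
  ip route 0.0.0.0 0.0.0.0 192.168.1.1 1

!************************* INTERFACE *************************
! One 802.1q trunk carrying both VLANs; VLAN 10 = inbound (toward PIX),
! VLAN 20 = outbound (server VLAN). Port number is an assumption.
interface 2/1
  trunk
  vlan 10
    default-vlan
  vlan 20

!************************** CIRCUIT **************************
! Inbound VLAN: a virtual router owns the VIP and a redundant interface
! address, so the PIX always has one next hop regardless of which CSS is master.
circuit VLAN10
  ip address 192.168.1.2 255.255.255.0
    ip virtual-router 1 priority 101 preempt
    ip redundant-interface 1 192.168.1.254
    ip redundant-vip 1 192.168.1.100
    ip critical-service 1 upstream

! Outbound VLAN: the redundant interface address is the web servers' default gateway.
circuit VLAN20
  ip address 10.1.1.2 255.255.255.0
    ip virtual-router 2 priority 101 preempt
    ip redundant-interface 2 10.1.1.254

!************************** SERVICE **************************
! Critical service: if the path to the PIX is lost, this CSS gives up master.
service upstream
  type redundancy-up
  ip address 192.168.1.1
  active

! Real web servers on the server VLAN (constructed addresses)
service web1
  ip address 10.1.1.11
  keepalive type http
  active

service web2
  ip address 10.1.1.12
  keepalive type http
  active

!*************************** OWNER ***************************
owner dmz
  content www
    vip address 192.168.1.100
    protocol tcp
    port 80
    add service web1
    add service web2
    active
```

Two points worth checking against this layout before committing it: the PIX static NAT should translate the public address to the VIP 192.168.1.100 (the redundant VIP, not either CSS's own circuit address), and no server should have a second path to the PIX that skips the CSS, since that is exactly the asymmetric return path the reply's "how can you bypass the CSS?" question is pointing at.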
