CSS multiple upstream routes

toprock1970
Level 1

Hi

I have a requirement where I have 2 sets of customers that require their own upstream firewalls in front of the CSS. The outside connections to the firewalls have different bandwidth SLAs.

Let's say that customer A has a 192.168.0.0/24 network for its servers and its upstream firewall is 192.168.100.1/24.

Customer B has a 10.0.0.0/24 network for its balanced servers and an upstream firewall address of 10.0.100.1/24.

Currently the configuration has been set up for Customer A and the default route is for the 192.168.100.1/24 firewall.

Is there a way that I can have Customer B use the upstream firewall of 10.0.100.1/24 whilst maintaining a route of 192.168.100.1/24 as the upstream firewall for Customer A?

Any help would be greatly appreciated, as I cannot change the current design as it's a production environment for customer A.

Regards

Jason


Diego Vargas
Cisco Employee

Jason,

Would traffic generated from client A always come through firewall A and traffic generated from client B always come from firewall B?

If so, ECMP (enabled by default) should handle client traffic destined to VIPs with no issues, since the default behavior is to send traffic back through the same path it came from.

The issue would be with server-initiated traffic, which I understand is what you want to specify.

So if you need customer A servers to use a specific route and customer B servers to use the other, it gets a little difficult.

Is there a way to differentiate the server-initiated traffic (for example, it uses a different port)? If so, you could configure a service that points to the VLAN the traffic should go to, and use an ACL that prefers this service for specific server traffic.

Honestly, even though I think something like this might be possible, I always recommend avoiding this kind of setup. Even more importantly, this design should be tested in a separate testing environment before moving to production, since implementing it in production could cause many issues and many things need to be considered depending on your specific network setup.

Hope it helps!!

Thank you for your fast response.

The servers do have their own ports on the CSS and they are in their own VLANs.

The problem isn't separating their traffic from each other.

The problem that I have is one default route that points to customer A's firewall. I would like Customer B's traffic to flow out through a port on the CSS up to its own firewall while Customer A continues to go out through the A-Firewall.

Just for clarification here, this is traffic from the customers' servers sitting behind the CSS wanting to talk to servers on the internet, and not the internet talking to a set of load-balanced servers.

Example

Cust-A-srv1 needs to make a connection via SSL to a server somewhere on the internet.

This is currently fine as the default route is for Customer A's Firewall.

Now Cust-B-Srv1 needs to make an SSL connection to a server on the internet. As it stands at the moment the traffic takes the default route from the CSS to Customer A's firewall.

This causes me a problem as I don't want any config on Customer A's firewall relating to servers or services for Customer B.

If I use ECMP, will this load balance the upstream firewalls?

If so, then I would need to configure both customers' firewalls to know about the other customer's servers, which I really don't want to do.

I hope this makes sense.

Looking at your 1st response you mentioned VLANs and ACLs. Is it possible to manipulate these in such a way that I can define all the traffic coming in on one VLAN to go out to the router on another VLAN, and then do the same for a different set of VLANs?

If so, can you point me in the right direction to some examples?

Any help would be greatly appreciated

Best Regards

Jason
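As an added illustration of the service-plus-ACL approach Diego describes above (this is not configuration from the thread, from Cisco, or from a tested CSS; the service name, ACL and clause numbers and VLAN numbers are assumptions, and the command syntax follows the CSS transparent-cache service and ACL `prefer` model from memory, so check it against the CSS command reference for your software version before using it):

```text
! --- Customer B's upstream firewall modelled as a transparent-cache service.
! --- A transparent-cache service forwards matching packets to the service's MAC
! --- without rewriting the destination IP, so it acts as a next hop.
! --- Assumption: 10.0.100.1 is directly reachable on the CSS circuit facing it.
service fw-cust-b
  ip address 10.0.100.1
  type transparent-cache
  keepalive type icmp
  active

! --- ACL applied to the circuit carrying Customer B's server VLAN (assumed VLAN20).
! --- Clause 10: traffic sourced from Customer B's servers prefers fw-cust-b.
! --- Clause 20: catch-all permit. CSS ACLs end in an implicit deny, so without
! --- it every other flow on this circuit (including replies to VIP traffic) drops.
acl 10
  clause 10 permit any 10.0.0.0 255.255.255.0 destination any prefer fw-cust-b
  clause 20 permit any any destination any
  apply circuit-(VLAN20)

! --- ACLs do nothing until enabled globally. Assumption to verify in the ACL
! --- chapter's caution: once enabled, circuits with no ACL applied deny all
! --- traffic, so put a permit-all ACL on every other circuit (Customer A's
! --- server VLAN included) before this step. Customer A's default route to
! --- 192.168.100.1 is not changed by any of this.
acl enable

! --- Checks: the service should report Alive, and the clause 10 hit count
! --- should increase when a Customer B server opens an outbound connection.
show service fw-cust-b
show acl
```

Stage this on the separate test CSS Diego recommends, and confirm with a packet capture on each firewall's inside interface that Customer B's outbound flows now arrive only at 10.0.100.1 while Customer A's flows still arrive only at 192.168.100.1.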
