
FWSM and CSM (Load Balance) in the same chassis

luismatos99
Level 1

Folks,

Is there any type of best practice (you **must** do it like this) when you are going to implement the FWSM and the CSM modules on the same 6509 chassis?

PS: The CSM is not doing FW load balancing; it is doing load balancing to servers located in a DMZ.

PATH:

(outside) FWSM (inside) -> MSFC -> (inside) PIX (dmz) -> CSM, CSM -> (dmz) PIX (inside) -> MSFC -> (inside) FWSM

My main doubts:

1) FWSM using multi-context, is there any integration problem with CSM?

2) FWSM and CSS in routed mode, is there any integration problem with both modules?

3) Is it really necessary to operate the FWSM module in bus mode when using CSM in the same chassis (fabric switching-mode force bus)?

Cisco Says:

"The CSM line card operates in bus mode. When using the CSM in conjunction with the FWSM line card, Cisco recommends forcing the FWSM to operate in bus mode using the fabric switching-mode force bus command. When service modules such as the CSM and the FWSM operate in bus mode, traffic from DFC-enabled line cards still use the fabric connection."

In the past it was a workaround due to a bug, but I have found this recommendation and now I am a little confused.

Tks !!!

1 Reply

chrhiggi
Level 3

Luis-

You will want to use routed mode on the CSM so that the firewall contexts don't see each other's MAC addresses for any traffic not destined to a VIP. On the CSM VLANs, you will want to create alias IPs to use as the next hop destination between contexts for non-VIP traffic. Other than that, the CSM has no concept of contexts, so as long as the traffic is symmetric when it flows through the CSM VLANs, it will be happy.

Regards,

Chris
