gdufour, no, no combination with trunk on e5 worked so I switched it off. Yes, e5 is connected to a HP switch. The default vlan on the HP switch is 1, the firewall is connected to another HP switch (these two are directly uplinked, but are strictly layet 2 switches).

Thanks for the config. If I successfully manage to bridge the CSS, how will it react when it sees traffic coming in on its e5 interface, with an IP address that belongs to the subnet on its e1 interface?

I discussed this problem with our firewall consultants, and he said that the company he's currently working at, the IT administrator has set up a CSS, but with only one circuit. I've never seen any config examples or anything that just uses one (WAN, I presume) circuit, but this would perhaps solve my entire problem. Is such a configuration recommended?

In advance, thanks.

we have to be very clear when talking about routing/switching on a L7 switch.

So, when you say traffic entering e5 with ip of e1, are you talking about source ip or destination ip ?

How is the traffic routed/switched to e5 first ? [is the default gateway used by the source the CSS or a device on e1 ?]

I would suggest you to send me a drawing of what setup you're trying to achieve.

I'll then tell you what config you need to use.

Regards,

Gilles.

Okay, before I/we delve too deep into the problem, I just did a test with setting the default gateway on the servers to the public (e1) IP address of the CSS, changed the IP address in the services to the public IP addresses of the servers, and the servers have full access to all of our networks, internet, *and* the CSS works as intended.

This does however use only one interface on the CSS.

Will this configuration defeat some purpose or anything with the way content switching is supposed to work, or is this okay?

This is called one-armed config.

Here is a link to a sample config and list of advantages/disadvantages.

http://www.cisco.com/en/US/products/hw/contnetw/ps789/products_configuration_example09186a0080093dff.shtml

Thanks,

Gilles.

Thanks Gilles.

I read the list of advantages and disadvantages.

However the only disadvantage I can see, is that the CSS yelds lower performance since it has to shuffle inbound and outbound traffic on the same interface.

For instance: "When using this configuration, the load balanced servers will see all traffic as being originated from the CSS rathar than the real client source IP address. You do not get a true representation of where your traffic is coming from."

and in the following example:

"The CSS is now configured to load balance to the services, however, there is one problem. When the traffic goes through the CSS to get load balanced, the destination IP address is changed but the source IP address is not changed. When those packets head back to the client, they bypass the CSS through the switch because the servers' default gateways are set to the router IP address and the source IP address of the load balanced request is not on the local subnet.

You must not only NAT the destination address of the packet but the source addresses as well. In order to do this, configure the source groups."

This could be considered a bit misleading; I set the default gateway for the servers to the CSS, and not only do I *not* need to NAT, I *do* see the real client source IP address not the CSS VIP address, and furthermore, the servers have full access to all of our network resources as well as the internet if we chose to.

There is one problem with pointing the servers to the CSS as default gateway.

If a server needs to open a connection, it will send its traffic through the CSS, the response however will not come back via the CSS.

The CSS requires to see both side of the traffic.

If it does not, like in this case, it will reset/close the connection.

So, in this scenario, you are fine as long as the server do not need to open connection or if no connection will be open with the servers directly.

Gilles.

Thanks, I think I'm almost where we can close this thread as solved.

I'm not sure if I understood correctly what you meant by if a server needs to open a connection, but I accessed one of the servers which now are behind the one-armed CSS, and successfully managed to download and upload files via ftp to it.

Did I understand you correctly?