I know this question has been asked before and the answer is to have separate content switches per DMZ in order to maintain the security policy. There is an option to have the content switch in front of the firewall and then use only one content switch to load balance across multiple DMZs. Is this an acceptable design or the recommendation is to have a separate content switch behind the firewall for each DMZ of the firewall?
Can a Cisco 6500 with CSM be configured for multiple layer 2 load balanced VLANs thus achieving a mutiple DMZ load balancing scenario with only one switch/CSM?
Solved! Go to Solution.
With the CSS, the problem is that since the CSS will be connected to all DMZ, it will route between the DMZ.
So, if one DMZ is being hacked, the hacker could access all your network.
With the CSM, we can achieve policy routing.
So we can intercept traffic from one DMZ and send it to the firewall which will send it back to the CSM that will forward it to the 2nd DMZ.
In this case, you have full security.
Thanks for the response. The idea was not to connect the CSS to all DMZs but to have it in front of the firewall in the public zone. All traffic from the CSS to different DMZs will flow through the firewall. I personally do not like this design on account of having to put the CSS in the public area. What are your recommendations/concerns in this regards?
so you're not talking about firewall loadbalancing.
Just simply place the CSS in front of the firewall.
So all traffic will have to go through the CSS not just traffic for the VIP.
I would personally not recommend this.
The CSS is designed for handling HTTP traffic.
If you try to pass long lived connection through a CSS, you may have problems.
In terms of performance, if you have a CSS111xx or CSS110xx, you may not have enough capacitiy to handle all the traffic.
CSM is definitely a better choice.
Or do you need to put your servers in multiple DMZ ?
Yes i am not talking about firewall load balancing. I do not have a very good idea of CSS limitations but the idea is to put the CSS between the internet router and the firewall. Not all traffic needs to go through the CSS as one can force the internet routers to send all traffic to the firewall except for traffic destined to the VIPs. The servers will be in multiple DMZs of the firewall and load balancing per DMZ will be required. Can a single CSS work in this scenario provided it is placed outside the firewall and not inside the DMZs?
How do you connect the router to the firewall ?
Problem is the response from the server to a client on the internet.
Traffic needs to get back to the CSS and if the firewall default gateway is the router, the response will not go to the CSS and the CSS will reset it.
If you configure the default gateway of the firewall to be the CSS, than all traffic from your network to the outside will go through the CSS.
This could be a concern as well.
If you don't need to know the ip address of the client for your reporting, you can enable client nat on the CSS to guarantee that server response is sent to the css without having the firewall default gateway pointing at the CSS.
This is a special case in which the firewall will be connected to the router through L2 switches thus providing us with the option of introducing the CSS in that segment. I agree with you that the problem lies in the response from the server to the client. Other than this particular problem are there any other security related concerns in putting the CSS outside the firewall?
What is the most recommended design in case load balancing is required across multiple DMZs?