SSLizing traffic with CSM -S SSL Daughter Card

jlhainy
Level 2

I am using the following doc as a reference: http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/csms/2.1.1/configuration/guide/SSLxple.html#wp1262822

I understand the concepts, but I am trying to figure out the implementation. My question is regarding the VLAN that is used for the SSL VLAN. It looks like the communication VLAN for the SSL-Daughter communication is on a Layer 3 VLAN that is routed by the MSFC.

Now, my client VLAN is actually a DMZ that is routed by a FWSM. So, if I set up this 3rd VLAN for the SSL card, and the VLAN is in a network that is, say, on the inside interface of the FWSM, does that mean that as traffic flows from the client VLAN, it will go to the VIP in the client VLAN in the DMZ, then route out to the inside to be SSLized, then route back to the DMZ, and then get load balanced?

1 Reply

Daniel Arrondo Ostiz
Cisco Employee

Good morning,

Quoting from that same documentation link:

Note: VLAN 225 (10.90.14.1) exists as a Layer 3 interface on the MSFC to route Client traffic to the CSM-S. VLAN 14 (172.16.1.254) is also configured on the MSFC to allow administrative traffic to be routed to the SSL daughter card. VLAN 14 (172.16.14.1) is configured on the CSM-S to send and received SSL traffic to/from the SSL daughter card. VLAN 6 (192.168.6.1) exists only as a VLAN in the VLAN database and as CSM-S and SSL daughter card VLANs, but it does not have corresponding Layer 3 interfaces on the MSFC.

As you can see, the only reason why the SSL VLAN is configured on the MSFC is for management purposes. It is not required for the correct operation of the CSM-S. In your case, you could just configure this VLAN as an L2 one on the switch so that, from the IP perspective, it's still behind the FW.

Regards

Daniel