
vserver incoming vlan question

triplecap
Level 1

I'm deploying a CSM in bridge mode that will be used in conjunction with a FWSM that acts as the gateway for each server farm. From Cisco's CSM & FWSM design guide they state, "The most important point is that by specifying the incoming VLAN in the vserver configuration, the CSM can preserve the segregation between server farms so that the FWSM can be used to control the traffic that is allowed to flow from one server farm segment to another segment."

vserver HTTP-WEB
 virtual 10.20.5.80 tcp www
 vlan 5
 serverfarm WEB-SERVERS
 persistent rebalance
 inservice
!

...where "vlan 5" specifies that the vserver only accepts incoming traffic from vlan 5.

However, if each server farm is in its own DMZ, it'll be subjected to the ACLs on the FWSM, and shouldn't be able to talk to other server farms, right? Or is serverfarm A in dmz1 able to talk to serverfarm B in dmz2 without going through the firewall?

Thanks in advance,

Eric

7 Replies

Gilles Dufour
Cisco Employee

Eric,

If a user detects the existence of the CSM and changes the gateway to be the CSM instead of the firewall, the CSM will route between the DMZs.

Unless you create some vserver to catch the non-vip traffic and forward it to the firewall.

something like

serverfarm forward2fw
 no nat server
 real x.x.x.x
  inservice
!
vserver forward
 virtual 0.0.0.0 0.0.0.0 any
 serverfarm forward2fw
 vlan x
 inservice

Gilles.

Gilles

Could you explain this a bit more, as I'm not sure I understand.

If the CSM-S is in bridge mode then the address of the CSM-S for that particular bridged vlan pair will be behind the FWSM anyway so you would have to go through the FWSM to get to it.

If the CSM-S is in bridge mode, not routed mode, can it be used as a gateway anyway?

If the CSM-S is always behind the firewall in relation to the user, does what you said still apply?

Regards

Jon

Bridge mode or routed mode, the CSM-S is still behind the FWSM.

So you still have client --- FW----- CSM-S

So, why do you need bridge mode?

I believe because you want to prevent traffic from server to server to bypass the FW.

And I'm telling you, if somebody can hack one of your servers, change the default gateway to be the CSM-S instead of the firewall, the CSM-S will route from one vlan to another, bypassing the firewall and the hacker can access all your network.

Is it clear like this?

If you believe nobody can hack your server or change their default gateway, then you don't need to worry and you probably do not need bridge mode.

Gilles.

Gilles

Thanks for this. Didn't mean to offend or anything, I was just a little unclear.

What I didn't understand was that you were talking about someone hacking the server and being behind the FWSM.

At the risk of further offence, you seem to be suggesting that the reason to use bridge mode is to ensure there can't be a FWSM bypass between servers. Have I understood correctly?

I ask because the original poster was talking about bridge mode not routed mode.

Jon

Jon,

no offense.

English is not my mother tongue, so I use simple language which apparently sometimes sounds aggressive.

Anyway, there are different reasons to use bridge mode vs routed mode.

One of them is to avoid re-addressing the servers and simply insert the CSM in the middle transparently.

Another reason invoked by a lot of people is that they want to have a firewall doing the routing between vlans and not the CSM.

This is where I wanted to warn you and any other user that on paper this looks secure, but anybody gaining access to a server could change the gateway and bypass the firewall.

Again, for some users this is ok. For others this is not.

With routed mode, the CSM will route between VLANs, so server-to-server communication will bypass the firewall anyway.

The solution I suggested to intercept the traffic is to force traffic to be sent to the firewall whatever mode you're in and whatever the server gateway is.

Gilles.

Thanks for your input Gilles (and Jon for the questions I would have asked). Couple more questions for you if you don't mind...

Can you elaborate on the concept of "create some vserver to catch the non-vip traffic and forward it to the firewall"?

I'm not sure what this means, where it's configured (is it needed for each serverfarm / vserver?), what the client & server vlan configs look like, etc.

I understand that if a server is compromised and the gateway is changed that the FWSM could be bypassed, but does the "vlan x" command applied to the virtual server protect against this at all, and if not, what's the purpose of it?

If it's too much to explain here I can call into TAC.

Thanks,

Eric

Eric,

a catch-all vserver looks like this

vserver catch-all
 virtual 0.0.0.0 0.0.0.0 any
 ...

It means match everything.

You can then create a serverfarm like below to forward the traffic - simply forward - to the firewall.

serverfarm 2fw
 no nat server
 no nat client
 real name FW
  inservice

So, all traffic that does not match any other vserver will hit this vserver and will be forwarded to the firewall.

That's only traffic with a destination mac-address equal to a CSM mac-address.

So, your bridged traffic will still go across without hitting this vserver.

This is some kind of policy routing.

Hope this makes sense like this.

Gilles.
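The forwarding rules Gilles lays out in his replies (frames not addressed to the CSM's own MAC are bridged untouched; frames addressed to the CSM are matched against the vservers, honouring each vserver's incoming-VLAN restriction; anything left over is routed by the CSM unless a catch-all vserver forwards it to the firewall) as an added Python model. This is not CSM code and not from the thread: the MACs, IP addresses, VLAN numbers, and the bridge pairing are invented for the example, the model evaluates vservers in list order with the catch-all last, and the compromised-server frame is constructed to show the gateway-change case.

```python
"""Model of the CSM forwarding decision described in the replies above.

Constructed example, not CSM code: it encodes the rules Gilles describes so
the firewall bypass and the catch-all vserver fix can be compared side by side.
All MACs, addresses and VLAN numbers are invented for the example.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

CSM_MAC = "00:0a:00:00:cc:01"          # assumed MAC the CSM answers for
FW_MAC = "00:0a:00:00:fa:01"           # assumed MAC of the FWSM DMZ1 interface
BRIDGE_PAIRS = {5: 105, 105: 5}        # assumed client vlan 5 <-> server vlan 105


@dataclass
class Frame:
    vlan: int            # VLAN the frame arrived on
    dst_mac: str
    src_ip: str
    dst_ip: str
    proto: str = "tcp"
    dport: int = 80


@dataclass
class Vserver:
    """One vserver stanza: virtual <net> <proto> <port>, serverfarm, optional vlan."""
    name: str
    network: str                  # "10.20.5.80/32", or "0.0.0.0/0" for a catch-all
    proto: str                    # "tcp" or "any"
    port: Optional[int]           # None = any port
    serverfarm: str
    vlan: Optional[int] = None    # 'vlan x' restriction; None = accept from any VLAN
    forward_to_fw: bool = False   # serverfarm with 'no nat server' whose real is the FW

    def matches(self, f: Frame) -> bool:
        if self.vlan is not None and f.vlan != self.vlan:
            return False          # wrong incoming VLAN: this vserver ignores the frame
        if ip_address(f.dst_ip) not in ip_network(self.network):
            return False
        if self.proto != "any" and self.proto != f.proto:
            return False
        return self.port is None or self.port == f.dport


def csm_decide(f: Frame, vservers: List[Vserver]) -> str:
    """What the CSM does with one frame, per the rules given in the thread."""
    if f.dst_mac != CSM_MAC:
        # Not addressed to the CSM at layer 2: bridged to the paired VLAN untouched,
        # so a server whose gateway is the FWSM reaches the firewall as intended.
        return f"bridge:vlan{BRIDGE_PAIRS[f.vlan]}"
    for vs in vservers:           # specific vservers first, catch-all last
        if vs.matches(f):
            return "forward:firewall" if vs.forward_to_fw else f"loadbalance:{vs.serverfarm}"
    # Addressed to the CSM but matching no VIP: the CSM routes it itself,
    # which is the firewall bypass Gilles warns about.
    return "route:bypasses-firewall"


HTTP_WEB = Vserver("HTTP-WEB", "10.20.5.80/32", "tcp", 80, "WEB-SERVERS", vlan=5)
CATCH_ALL = Vserver("catch-all", "0.0.0.0/0", "any", None, "2fw", vlan=105, forward_to_fw=True)

# Constructed traffic for the three cases discussed in the thread.
client_to_vip = Frame(5, CSM_MAC, "192.0.2.10", "10.20.5.80")
server_via_fw = Frame(105, FW_MAC, "10.20.5.11", "10.20.6.50")      # gateway = FWSM
server_via_csm = Frame(105, CSM_MAC, "10.20.5.11", "10.20.6.50")    # gateway changed to CSM


def run() -> dict:
    """Decisions without and with the catch-all vserver, keyed for inspection."""
    without = [HTTP_WEB]
    with_catch_all = [HTTP_WEB, CATCH_ALL]
    return {
        "client_to_vip": csm_decide(client_to_vip, without),
        "server_gw_fwsm": csm_decide(server_via_fw, without),
        "compromised_no_catchall": csm_decide(server_via_csm, without),
        "compromised_with_catchall": csm_decide(server_via_csm, with_catch_all),
    }


if __name__ == "__main__":
    for case, decision in run().items():
        print(f"{case:28s} -> {decision}")
```

Running it prints one decision per case: normal client traffic is load balanced, a server whose gateway is the FWSM is bridged to the firewall's VLAN, the server that switched its gateway to the CSM is routed past the firewall when only HTTP-WEB exists, and the same frame is forwarded to the firewall once the catch-all vserver on the server VLAN is present.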