-
Catalyst 6500 Series Switch Content Switching Module with SSL (CSM-S) Installation and Configuration Note
-
Book-level PDF: Catalyst 6500 Series CSM-S Installation and Configuration Note Release 2.1(x)
-
Contents
-
Preface
-
Product Overiew
-
Configuring Virtual Servers, Maps, and Policies
-
Getting Started
-
Configuring VLANs
-
Configuring Real Servers and Server Farms
-
Configuring Virtual Servers, Maps, and Policies
-
Configuring the CSMS SSL Services
-
Configuring the SSL Services
-
Configuring Redundant Connections
-
Configuring Additional Features and Options
-
Configuring Health Monitoring
-
Configuring CSM Scripts
-
Configuring Firewall Load Balancing
-
Configuration Examples
-
Example SSL Configurations
-
Troubleshooting and System Messages
-
CSM XML Document Type Definition
-
Index
-
Table Of Contents
Configuring Firewall Load Balancing
Understanding How Firewalls Work
How the CSM-S Distributes Traffic to Firewalls
Layer 3 Load Balancing to Firewalls
Types of Firewall Configurations
IP Reverse-Sticky for Firewalls
Fault-Tolerant CSM-S Firewall Configurations
Configuring Stealth Firewall Load Balancing
Stealth Firewall Configuration
Stealth Firewall Configuration Example
Configuring CSM-S A (Stealth Firewall Example)
Configuring CSM-S B (Stealth Firewall Example)
Configuring Regular Firewall Load Balancing
Packet Flow in a Regular Firewall Configuration
Regular Firewall Configuration Example
Configuring CSM-S A (Regular Firewall Example)
Configuring CSM-S B (Regular Firewall Example)
Configuring Reverse-Sticky for Firewalls
Understanding Reverse-Sticky for Firewalls
Configuring Reverse-Sticky for Firewalls
Configuring Stateful Firewall Connection Remapping
Configuring Firewall Load Balancing
This chapter describes how to configure firewall load balancing and contains these sections:
•
Understanding How Firewalls Work
•
•
•
•
Firewall load balancing allows you to scale firewall protection by distributing traffic across multiple firewalls on a per-connection basis. All packets belonging to a particular connection must go through the same firewall. The firewall then allows or denies transmission of individual packets across its interfaces.
Understanding How Firewalls Work
A firewall forms a physical barrier between two parts of a network, for example, the Internet and an intranet. When a firewall accepts a packet from one side (the Internet), it sends the packet through to the other side (the intranet). A firewall can modify a packet before passing it through or sending it through unaltered. When a firewall rejects a packet, it usually drops the packet and logs the dropped packet as an event.
After a session is established and a flow of packets begins, a firewall can monitor each packet in the flow or allow the flow to continue, unmonitored, depending on the policies that are configured on that firewall.
This section contains the following:
•
•
•
•
•
•
Firewall Types
The two basic types of firewalls are as follows:
•
•
Regular firewalls have a presence on the network; they are assigned an IP address that allows them to be addressed as a device and seen by other devices on the network.
Stealth firewalls have no presence on the network; they are not assigned an IP address and cannot be addressed or seen by other devices on the network. To the network, a stealth firewall is part of the wire.
Both firewall types examine traffic moving in both directions (between the protected and the unprotected side of the network) and accept or reject packets based on user-defined sets of policies.
How the CSM-S Distributes Traffic to Firewalls
The CSM-S load balances traffic to devices configured in server farms. These devices can be servers, firewalls, or any IP-addressable object including an alias IP address. The CSM-S uses load-balancing algorithms to determine how the traffic is balanced among the devices configured in server farms, independent of device type.
Note
Supported Firewalls
The CSM-S can load balance traffic to regular or stealth firewalls.
For regular firewalls, a single CSM-S or a pair of CSMs balances traffic among firewalls that contain unique IP addresses, similar to how the CSM-S balances traffic to servers.
For stealth firewalls, a CSM-S balances traffic among unique VLAN alias IP address interfaces on another CSM-S that provides paths through stealth firewalls. A stealth firewall is configured so that all traffic moving in both directions across that VLAN moves through the firewall.
Layer 3 Load Balancing to Firewalls
When the CSM-S load balances traffic to firewalls, the CSM-S performs the same function that it performs when it load balances traffic to servers. To configure Layer 3 load balancing to firewalls, follow these steps:
Step 1
Step 2
Step 3
Note
Types of Firewall Configurations
The CSM-S supports these two firewall configuration types:
•
•
IP Reverse-Sticky for Firewalls
The CSM-S currently supports sticky connections. Sticky connections ensure that two distinct data flows originating from the same client are load balanced to the same destination.
Load-balanced destinations are often real servers. They may be firewalls, caches, or other networking devices. Sticky connections are necessary for the proper functioning of load-balanced applications. These applications utilize multiple connections from the same client to a server. The information transferred on one connection may affect the processing of information transferred on another connection.
The IP reverse-sticky feature is configured for balancing new connections from the same client to the same server, as described in the "Configuring Reverse-Sticky for Firewalls" section. This feature is especially important in the case of buddy connections, such as an FTP data channel or a streaming UDP data channel.
CSM-S Firewall Configurations
The CSM-S can support these firewall configurations:
•
•
•
•
In Figure 13-1, traffic moves through the firewalls and is filtered in both directions. The figure shows the flow from the Internet to the intranet. On the path to the intranet, CSM-S A balances traffic across VLANs 5, 6, and 7 through firewalls to CSM-S B. On the path to the Internet, CSM-S B balances traffic across VLANs 15, 16, and 17 through firewalls to CSM-S A. CSM-S A uses the VLAN aliases of CSM-S B in its server farm, and CSM-S B uses the VLAN aliases of CSM-S A in its server farm.
Figure 13-1 Stealth Firewall Configuration (Dual CSM-S modules Only)
In Figure 13-2, traffic moves through the firewalls and is filtered in both directions. The figure shows the flow from the Internet to the intranet. VLANs 11 and 111 are on the same subnet, and
VLANs 12 and 112 are on the same subnet.Figure 13-2 Regular Firewall Configuration (Dual CSM-S modules)
In Figure 13-3, traffic moves through the firewalls and is filtered in both directions. The figure shows only the flow from the Internet to the intranet, and VLANs 11 and 111 are on the same subnet.
VLANs 12 and 112 are on the same subnet.Figure 13-3 Regular Firewall Configuration (Single CSM-S)
In Figure 13-4, traffic moves through both the regular and stealth firewalls and is filtered in both directions. The figure shows the flow from the Internet to the intranet. VLANs 5, 6, and 7 are shared between CSM-S A and CSM-S B. On the path to the intranet, CSM-S A balances traffic across VLANs 5, 6, and 7 through firewalls to CSM-S B. On the path to the intranet, CSM-S B balances traffic across VLANs 5, 6, and 7 through firewalls to CSM-S A.
Figure 13-4 Mixed Firewall Configuration for Stealth and Regular Firewalls (Dual CSM-S Only)
Fault-Tolerant CSM-S Firewall Configurations
The CSM-S supports fault tolerance for these configurations:
•
•
•
•
In Figure 13-5, the traffic moves through the firewalls and is filtered in both directions. The figure only shows the flow from the Internet to the intranet through the primary CSMs, and VLANs 11 and 111 are on the same subnet. VLANs 12 and 112 are on the same subnet.
Figure 13-5 Fault-Tolerant, Regular Firewall Configuration-(Dual CSMs)
Configuring Stealth Firewall Load Balancing
This section describes how to configure firewall load balancing for stealth firewalls and covers the following information:
•
•
Stealth Firewall Configuration
In a stealth firewall configuration, firewalls connect to two different VLANs and are configured with IP addresses on the VLANs to which they connect. (See Figure 13-6.)
Figure 13-6 Stealth Firewall Configuration Example
Figure 13-6 shows two regular firewalls (Firewall 1 and Firewall 2) located between two CSM modules
(CSM-S A and CSM-S B).
Note
On the path from the Internet to the intranet, traffic enters the insecure side of the firewalls through separate VLANs, VLAN 101 and VLAN 103, and exits the secure side of the firewalls through separate VLANs, VLAN 102 and VLAN 104. On the path from the intranet to the Internet, the flow is reversed. VLANs also provide connectivity to the Internet (VLAN 10) and to the intranet (VLAN 20).
In a stealth configuration, CSM-S A and CSM-S B load balance traffic through the firewalls.
Stealth Firewall Configuration Example
The stealth firewall configuration example contains two CSM-S modules (CSM-S A and CSM-S B) installed in separate Catalyst 6500 series switches.
Note
This section describes how to create the stealth firewall configuration for CSM-S A and CSM-S B.
Configuring CSM-S A (Stealth Firewall Example)
To create the regular configuration example, perform these tasks for CSM-S A:
•
•
Note
Creating VLANs on Switch A
To create two VLANs on Switch A, perform this task:
Step 1
Enters the VLAN mode1 .
Step 2
Creates VLAN 102 .
Step 3
Creates VLAN 1013 .
Step 4
Creates VLAN 1034 .
1 Perform this step on the switch console of the switch that contains CSM-S A.
2 VLAN 10 connects CSM-S A to the Internet.
3 VLAN 101 provides a connection through Firewall 1 to CSM-S B.
4 VLAN 103 provides a connection through Firewall 2 to CSM-S B.
Configuring VLANs on CSM-S A
To configure the three VLANs, perform this task:
Step 1
Enters multiple module configuration mode and specifies that CSM-S A is installed in slot 5.
Step 2
Specifies VLAN 10 as the VLAN that is being configured, identifies it as a client VLAN, and enters VLAN configuration mode.
Step 3
Specifies an IP address and netmask for VLAN 10.
Step 4
Specifies an alias IP address and netmask for VLAN 101 .
Step 5
Returns to VLAN configuration mode.
Step 6
Specifies VLAN 101 as the VLAN that is being configured, identifies it as a server VLAN, and enters VLAN configuration mode.
Step 7
Specifies an IP address and netmask for VLAN 101.
Step 8
Specifies an alias IP address and netmask for VLAN 1011.
Step 9
Returns to VLAN configuration mode.
Step 10
Specifies VLAN 103 as the VLAN that is being configured, identifies it as a server VLAN, and enters VLAN configuration mode.
Step 11
Specifies an IP address and netmask for VLAN 103.
Step 12
Specifies an alias IP address and netmask for VLAN 1031.
1 This step provides a target for CSM-S B to use in making a load-balancing decision.
Configuring Server Farms on CSM-S A
Note
To configure two server farms on CSM-S A, perform this task:
Step 1
Enters multiple module configuration mode and specifies that CSM-S A is installed in slot 5.
Step 2
Creates and names the FORWARD-SF1 server farm (actually a forwarding policy) and enters serverfarm configuration mode.
Step 3
Disables the NAT of server IP addresses and port numbers2 .
Step 4
Forwards traffic in accordance with its internal routing tables rather than a load-balancing algorithm.
Step 5
Returns to multiple module configuration mode.
Step 6
Creates and names the INSIDE-SF3 server farm (that will contain alias IP addresses rather than real servers) and enters serverfarm configuration mode.
Step 7
Disables the NAT of the server IP address and port number4 .
Step 8
Selects a server using a hash value based on the source IP address5 .
Step 9
Identifies the alias IP address of CSM-S B that lies on the path to Firewall 1 as a real server and enters real server configuration submode.
Step 10
Enables the firewall.
Step 11
Returns to serverfarm configuration mode.
Step 12
Identifies the alias IP address of CSM-S B that lies on the path to Firewall 2 as a real server and enters real server configuration submode.
Step 13
Enables the firewall.
1 FORWARD-SF is actually a route forwarding policy, not an actual server farm, that allows traffic to reach the Internet (through VLAN 10). It does not contain any real servers.
2 This step is required when configuring a server farm that contains a forwarding policy rather than real servers.
3 INSIDE-SF contains the two alias IP addresses of CSM-S B listed as real servers that allow traffic from the intranet to reach CSM-S B.
4 This step is required when configuring a server farm that contains firewalls.
5 We recommend that you perform this step when configuring insecure-side firewall interfaces in a server farm.
Configuring Virtual Servers on CSM-S A
To configure three virtual servers on CSM-S A, perform this task:
Step 1
Enters multiple module configuration mode and specifies that the CSM-S A is installed in slot 5.
Step 2
Specifies FORWARD-V1011 as the virtual server that is being configured and enters virtual server configuration mode.
Step 3
Specifies a match for any IP address and any protocol2 .
Step 4
Specifies that the virtual server will only accept traffic arriving on VLAN 101, which is traffic arriving from the insecure side of the firewalls.
Step 5
Specifies the server farm for this virtual server3 .
Step 6
Enables the virtual server.
Step 7
Returns to multiple module configuration mode.
Step 8
Specifies FORWARD-V1034 as the virtual server that is being configured and enters virtual server configuration mode.
Step 9
Specifies a match for any IP address and any protocol5 .
Step 10
Specifies that the virtual server will only accept traffic arriving on VLAN 103, which is traffic arriving from the insecure side of the firewalls.
Step 11
Specifies the server farm for this virtual server3.
Step 12
Enables the virtual server.
Step 13
Returns to multiple module configuration mode.
Step 14
Specifies OUTSIDE-VS6 as the virtual server that is being configured and enters virtual server configuration mode.
Step 15
Specifies the IP address, netmask, and protocol (any) for this virtual server. Clients reach the server farm represented by this virtual server through this address.
Step 16
Specifies that the virtual server will only accept traffic arriving on VLAN 10, which is traffic arriving from the Internet.
Step 17
Specifies the server farm for this virtual server7 .
Step 18
Enables the virtual server.
1 FORWARD-V101 allows Internet traffic to reach the insecure side of the firewalls (through VLAN 101).
2 Client matching is only limited by VLAN restrictions. (See Step 4.)
3 This server farm is actually a forwarding predictor rather than an actual server farm containing real servers.
4 FORWARD-V103 allows Internet traffic to reach the insecure side of the firewalls (through VLAN 103).
5 Clients will always match (see Step 9)-only being limited by VLAN restrictions. (See Step 10.)
6 OUTSIDE-VS allows traffic from the Internet to reach CSM-S A (through VLAN 10).
7 The server farm contains the alias IP addresses of CSM-S B that lie along the path of Firewall 1 and Firewall 2.
Configuring CSM-S B (Stealth Firewall Example)
To create the regular configuration example, perform the following configuration tasks for CSM-S B:
•
•
Note
Creating VLANs on Switch B
To create three VLANs on Switch B, perform this task:
Note
Step 1
Enters the VLAN mode1 .
Step 2
Creates VLAN 1022 .
Step 3
Creates VLAN 1043 .
Step 4
Creates VLAN 2004 .
1 Do this step on the switch console of the switch that contains CSM-S B.
2 VLAN 102 provides a connection through Firewall 1 to CSM-S A.
3 VLAN 104 provides a connection through Firewall 2 to CSM-S A.
4 VLAN 200 provides the connection to the internal network.
Configuring VLANs on CSM-S B
To configure the three VLANs, perform this task:
Step 1
Enters multiple module configuration mode and specifies that CSM-S B is installed in slot 6.
Step 2
Specifies VLAN 102 as the VLAN that is being configured, identifies it as a server VLAN, and enters VLAN configuration mode.
Step 3
Specifies an IP address and netmask for VLAN 102.
Step 4
Specifies an alias IP address and netmask for VLAN 1021 .
Step 5
Returns to multiple module configuration mode.
Step 6
Specifies VLAN 104 as the VLAN that is being configured, identifies it as a server VLAN, and enters VLAN configuration mode.
Step 7
Specifies an IP address and netmask for VLAN 104.
Step 8
Specifies an alias IP address and netmask for VLAN 1041.
Step 9
Returns to multiple module configuration mode.
Step 10
Specifies VLAN 20 as the VLAN that is being configured, identifies it as a server VLAN, and enters VLAN configuration mode.
Step 11
Specifies an IP address and netmask for VLAN 20.
1 This step provides a target for CSM-S A to use in making a load-balancing decision.
Configuring Server Farms on CSM-S B
To configure three server farms on CSM-S B, perform this task:
Note
Step 1
Enters multiple module configuration mode and specifies that CSM-S B is installed in slot 6.
Step 2
Creates and names the FORWARD-SF1 server farm (actually a forwarding policy) and enters serverfarm configuration mode.
Step 3
Disables the NAT of server IP addresses and port numbers2 .
Step 4
Forwards traffic in accordance with its internal routing tables rather than a load-balancing algorithm.
Step 5
Returns to multiple module configuration mode.
Step 6
Creates and names the GENERIC-SF server farm and enters serverfarm configuration mode3 .
Step 7
Disables NAT of server IP addresses and port numbers4 .
Step 8
Identifies the alias IP address of CSM-S A that is locked on the path to Firewall 1 as a real server and enters real server configuration submode.
Step 9
Enables the real server (actually an alias IP address).
Step 10
Returns to the serverfarm configuration mode.
Step 11
Identifies the alias IP address of CSM-S B that is located on the path to Firewall 2 as a real server and enters real server configuration submode.
Step 12
Enables the real server (actually an alias IP address).
Step 13
Returns to serverfarm configuration mode.
Step 14
Creates and names the SERVERS-SF5 server farm and enters serverfarm configuration mode.
Step 15
Identifies a server in the intranet as a real server, assigns it an IP address, and enters real server configuration submode.
Step 16
Enables the real server.
Step 17
Returns to serverfarm configuration mode.
Step 18
Identifies a server in the intranet as a real server, assigns it an IP address, and enters real server configuration submode.
Step 19
Enables the real server.
Step 20
Identifies a server in the intranet as a real server, assigns it an IP address, and enters real server configuration submode.
Step 21
Enables the real server.
1 FORWARD-SF is actually a route forwarding policy, not an actual server farm, that allows traffic to reach the intranet (through VLAN 20). It does not contain any real servers.
2 This step is required when configuring a server farm that contains a forwarding policy rather than real servers.
3 OUTSIDE-SF contains the two alias IP addresses of CSM-S A as the real servers allowing traffic from the intranet to reach CSM-S A.
4 This step is required when configuring a server farm that contains a forwarding policy rather than real servers.
5 SERVERS-SF contains the IP addresses of the real servers located within the intranet.
Configuring Virtual Servers on CSM-S B
To configure three virtual servers on CSM-S, perform this task:
Step 1
Enters multiple module configuration mode and specifies that CSM-S B is installed in slot 6.
Step 2
Specifies FORWARD-VS as the virtual server that is being configured and enters virtual server configuration mode.
Step 3
Specifies a match for any IP address and any protocol1 .
Step 4
Specifies that the virtual server will only accept traffic arriving on VLAN 102, which is traffic arriving from the secure side of the Firewall 1.
Step 5
Specifies the server farm for this virtual server2 .
Step 6
Enables the virtual server.
Step 7
Returns to multiple module configuration mode.
Step 8
Specifies FORWARD-VS3 as the virtual server that is being configured and enters virtual server configuration mode.
Step 9
Specifies a match for any IP address and any protocol1.
Step 10
Specifies that the virtual server will only accept traffic arriving on VLAN 104, which is traffic arriving from the secure side of the Firewall 2.
Step 11
Specifies the server farm for this virtual server2.
Step 12
Enables the virtual server.
Step 13
Returns to multiple module configuration mode.
Step 14
Specifies INSIDE-VS4 as the virtual server that is being configured and enters virtual server configuration mode.
Step 15
Specifies a match for any IP address and any protocol1.
Step 16
Specifies that the virtual server will only accept traffic arriving on VLAN 20, which is traffic arriving from the intranet.
Step 17
Specifies the server farm for this virtual server (containing the alias IP addresses of CSM-S A as real servers and allowing traffic to flow through Firewalls 1 and 2) and enters real server configuration submode.
Step 18
Enables the virtual server.
Step 19
Returns to multiple module configuration mode.
Step 20
Specifies TELNET-VS5 as the virtual server that is being configured and enters virtual server configuration mode.
Note
Step 21
Specifies the IP address, netmask, protocol (TCP), and port (Telnet) for this virtual server6 .
Step 22
Specifies the server farm containing real servers for this virtual server.
Step 23
Enables the virtual server.
1 Client matching is only limited by VLAN restrictions.
2 This server farm is actually a forwarding predictor rather than an actual server farm containing real servers.
3 FORWARD-VS allows traffic from the Internet to reach the intranet through VLAN 20.
4 INSIDE-VS allows traffic from the intranet to reach CSM-S A through Firewall 1 (through VLANs 102 and 101) or
Firewall 2 (through VLANs 104 and 103).5 TELNET-VS allows traffic from the Internet to reach Telnet servers in the internal network.
6 Clients reach the server farm represented by this virtual server through this address.
Configuring Regular Firewall Load Balancing
This section describes how to configure firewall load balancing for regular firewalls and provides the following information:
•
•
Packet Flow in a Regular Firewall Configuration
In a regular firewall configuration, firewalls connect to two different VLANs and are configured with IP addresses on the VLANs to which they connect. (See Figure 13-7.)
Figure 13-7 Regular Firewall Configuration Example
To intranet
VLAN 100
VLANs 101
To intranet
VLANs 201
VLAN 200 and 20
To Internet
VLAN 200 and 20
VLANs 201
To Internet
VLANs 101
VLAN 100
Figure 13-7 shows two regular firewalls (Firewall 1 and Firewall 2) located between two CSMs
(CSM-S A and CSM-S B). Traffic enters and exits the firewalls through shared VLANs (VLAN 101 and VLAN 201). Both regular firewalls have unique addresses on each shared VLAN.VLANs provide connectivity to the Internet (VLAN 100), the internal network (VLAN 200), and to internal server farms (VLAN 20).
The CSM-S balances traffic among regular firewalls as if they were real servers. Regular firewalls are configured in server farms with IP addresses like real servers. The server farms to which regular firewalls belong are assigned a load-balancing predictor and are associated with virtual servers.
Regular Firewall Configuration Example
The regular firewall configuration example contains two CSM-S modules (CSM-S A and CSM-S B) installed in separate Catalyst 6500 series switches.
Note
Configuring CSM-S A (Regular Firewall Example)
To create the regular configuration example, perform the following configuration tasks for CSM-S A:
•
•
Note
Creating VLANs on Switch A
The example, shown in Figure 13-7, requires that you create two VLANs on Switch A.
Note
To configure VLANs on Switch A, perform this task:
Step 1
Enters the VLAN mode1 .
Step 2
Creates VLAN 1002 .
Step 3
Creates VLAN 1013 .
1 Do this step on the switch console of the switch that contains CSM-S A.
2 VLAN 100 connects CSM-S A to the Internet.
3 VLAN 101 connects CSM-S A to the insecure side of the firewalls.
Configuring VLANs on CSM-S A
To configure the two VLANs, perform this task:
Step 1
Enters multiple module configuration mode and specifies that CSM-S A is installed in slot 5.
Step 2
Specifies VLAN 100 as the VLAN that is being configured, identifies it as a client VLAN, and enters VLAN configuration mode.
Step 3
Specifies an IP address and netmask for VLAN 100.
Step 4
Configures a gateway IP address for the router on the Internet side of CSM-S A.
Step 5
Returns to multiple module configuration mode.
Step 6
Specifies VLAN 101 as the VLAN that is being configured, identifies it as a server VLAN, and enters VLAN configuration mode.
Step 7
Specifies an IP address and netmask for VLAN 101.
Step 8
Specifies an alias IP address and netmask for VLAN 1011 .
1 This step provides a target for CSM-S B to use in making a load-balancing decision.
Configuring Server Farms on CSM-S A
Note
To configure two server farms on CSM-S A, perform this task:
Step 1
Enters multiple module configuration mode and specifies that CSM-S A is installed in slot 5.
Step 2
Creates and names the FORWARD-SF1 server farm (actually a forwarding policy) and enters serverfarm configuration mode.
Step 3
Disables the NAT of server IP addresses and port numbers2 .
Step 4
Forwards traffic by adhering to its internal routing tables rather than a load-balancing algorithm.
Step 5
Returns to multiple module configuration mode.
Step 6
Creates and names the INSEC-SF3 server farm (which will contain firewalls as real servers) and enters serverfarm configuration mode.
Step 7
Disables the NAT of the server IP address and port number4 .
Step 8
Selects a server using a hash value based on the source IP address5 .
Step 9
Identifies Firewall 1 as a real server, assigns an IP address to its insecure side, and enters real server configuration submode.
Step 10
Enables the firewall.
Step 11
Returns to serverfarm configuration mode.
Step 12
Identifies Firewall 2 as a real server, assigns an IP address to its insecure side, and enters real server configuration submode.
Step 13
Enables the firewall.
1 FORWARD-SF is actually a route forwarding policy, not an actual server farm, that allows traffic to reach the Internet (through VLAN 100); it does not contain any real servers.
2 This is a required step when configuring a server farm that contains a forwarding policy rather than real servers.
3 INSEC-SF contains (Firewall 1 and Firewall 2); their insecure-side IP addresses are configured as real servers in this server farm.
4 This is a required step when configuring a server farm that contains firewalls.
5 We recommend this step when configuring insecure-side firewall interfaces in a server farm.
Configuring Virtual Servers on CSM-S A
To configure two virtual servers on CSM-S A, perform this task:
Step 1
Enters multiple module configuration mode and specifies that the CSM-S A is installed in slot 5.
Step 2
Specifies FORWARD-VS1 as the virtual server that is being configured and enters virtual server configuration mode.
Step 3
Specifies a match for any IP address and any protocol2 .
Step 4
Specifies that the virtual server will only accept traffic arriving on VLAN 101, which is traffic arriving from the insecure side of the firewalls.
Step 5
Specifies the server farm for this virtual server3 .
Step 6
Enables the virtual server.
Step 7
Returns to multiple module configuration mode.
Step 8
Specifies INSEC-VS4 as the virtual server that is being configured and enters virtual server configuration mode.
Step 9
Specifies the IP address, netmask, and protocol (any) for this virtual server5 .
Step 10
Specifies that the virtual server will only accept traffic arriving on VLAN 100, which is traffic arriving from the Internet.
Step 11
Specifies the server farm for this virtual server6 .
Step 12
Enables the virtual server.
1 FORWARD-VS allows Internet traffic to reach the insecure side of the firewalls (through VLAN 101).
