Cisco Content Security Management Appliance M160 User Guide
AsyncOS 8.3.6 for Cisco Content Security Management User Guide
Appendix B Assigning Network and IP Addresses
For example, suppose that you have a content security appliance with the three network interfaces
configured, each on a different network segment (assume all /24):
And your default gateway is 192.19.0.1.
Now, if you perform an AsyncOS upgrade (or other command or function that allows you to select an
interface) and you select the IP that is on Data1 (192.19.1.100), you would expect all the TCP traffic to
occur over the Data1 Ethernet interface. However, instead the traffic goes out of the interface that is set
as your default gateway, in this case Management, but is stamped with the source address of the IP on
Data1.
Summary
The content security appliance must always be able to identify a unique interface over which a packet
can be delivered. To make this decision, the content security appliance uses a combination of the packet’s
destination IP address, and the network and IP address settings of its Ethernet interfaces. The following
table summarizes the preceding examples:
Strategies for Connecting Your Content Security Appliance
Keep the following in mind when connecting your appliance:
• Administrative traffic (CLI, web interface, log delivery) is usually small compared to email traffic.
• If two Ethernet interfaces are connected to the same network switch, but end up talking to a single
  interface on another host downstream, or are connected to a network hub where all data are echoed
  to all ports, no advantage is gained by using two interfaces.
• SMTP conversations over an interface operating at 1000Base-T are slightly faster than conversations
  over the same interfaces operating at 100Base-T, but only under ideal conditions.
• There is no point in optimizing connections to your network if there is a bottleneck in some other
  part of your delivery network. Bottlenecks most often occur in the connection to the Internet and
  further upstream at your connectivity provider.
The number of interfaces that you choose to connect and how you address them should be dictated by
the complexity of your underlying network. It is not necessary to connect multiple interfaces if your
network topology or data volumes do not call for it. It is also possible to keep the connection simple at
first as you familiarize yourself with the gateway and then increase the connectivity as volume and
network topology require it.
Ethernet      IP
Management    192.19.0.100
Data1         192.19.1.100
Data2         192.19.2.100

                                Same Network    Different Network
Same Physical Interface         Allowed         Allowed
Different Physical Interface    Not allowed     Allowed
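
The following Python sketch is an added example, not code from the Cisco guide or from AsyncOS. It models the behavior described in the upgrade example and the summary table using the addresses on this page; the function names, the simplified route lookup (connected networks first, then the default gateway) and the off-net destination 203.0.113.10 are assumptions.

```python
import ipaddress

# Interface addresses and default gateway from the example on this page (all /24).
INTERFACES = {
    "Management": ipaddress.ip_interface("192.19.0.100/24"),
    "Data1": ipaddress.ip_interface("192.19.1.100/24"),
    "Data2": ipaddress.ip_interface("192.19.2.100/24"),
}
DEFAULT_GATEWAY = ipaddress.ip_address("192.19.0.1")


def check_config(interfaces):
    """Return name pairs that violate the summary table: two different
    physical interfaces addressed on the same network."""
    names = sorted(interfaces)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if interfaces[a].network.overlaps(interfaces[b].network)]


def egress_interface(dest, interfaces=INTERFACES, gateway=DEFAULT_GATEWAY):
    """Pick the outgoing interface from the destination address alone."""
    dest = ipaddress.ip_address(dest)
    for name, iface in interfaces.items():
        if dest in iface.network:          # directly connected segment
            return name
    for name, iface in interfaces.items():
        if gateway in iface.network:       # off-net: interface that reaches the gateway
            return name
    raise ValueError("no route to %s" % dest)


def send(selected_interface, dest, interfaces=INTERFACES):
    """Model a connection where the operator selected an interface's IP.
    The selection sets the source address only; routing ignores it."""
    return {
        "source_ip": str(interfaces[selected_interface].ip),
        "egress": egress_interface(dest, interfaces),
    }


if __name__ == "__main__":
    # 203.0.113.10 is a constructed off-net destination (documentation range).
    print(send("Data1", "203.0.113.10"))   # source 192.19.1.100, egress Management
    print(send("Data1", "192.19.1.25"))    # on Data1's own segment: egress Data1
    bad = dict(INTERFACES, Data2=ipaddress.ip_interface("192.19.1.101/24"))
    print(check_config(bad))               # [('Data1', 'Data2')]
```

The first result is the case to account for in firewall and logging rules: packets carrying Data1's source address arrive from the Management segment.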