Data Center Design Implementation Help Needed

Answered Question
Mar 14th, 2008


I need some assistance and guidance from a seasoned individual who has specific experience implementing a server farm solution that uses load balancing, firewalling and HSRP.

My questions involve the placement of the default gateway.

I would think that for traffic in the client -> server direction, it should be the following way (keep in mind an L2 access layer design):

TRAFFIC FLOW: client -> core -> server farm aggregation switch -> firewall -> load balancer -> L2 access switch -> server

...where, starting from the agg switch that receives client traffic destined for the server, the defaults should be set accordingly:

agg switch forwards all traffic destined for server subnets to the firewall's OUTSIDE interface; firewall forwards server subnet traffic to the load balancer's VIP for the subnet; load balancer forwards traffic to a specific server that is part of the load-balanced group.

TRAFFIC FLOW 2: server -> access switch -> load balancer -> firewall -> agg switch -> core

...where, starting from the server and destined for the core, the defaults should be set accordingly:

server defaults to load balancer (but what interface on the LB?); load balancer defaults to firewall INSIDE interface; firewall defaults to subnet HSRP group -> traffic forwarded to core

Am I making sense? (I normally don't! LOL)

[EDIT] By the way, I realize that there are many ways to implement such a design. It can be very nuanced. What I am looking for is a few scenarios based on real-world experience.

Thank you in advance.


Correct Answer by Jon Marshall about 8 years 11 months ago

And here is the attachment...

Jon Marshall Fri, 03/14/2008 - 11:08

Hi Victor

As you say there are a number of ways of deploying this scenario, i.e. firewalled/load balanced servers, and I have done it 2 ways.

1) Firewall in routed mode/load balancer in bridge (L2) mode.

2) Firewall in routed mode/load balancer in "one-armed" mode.

1) I have deployed with combinations of standalone PIX firewalls/LocalDirectors/CSS11500's/FWSM's/CSM-S

2) I have deployed with FWSM's and CSM-S's.

It would help if you could let us know what the firewall and load balancers are and if you have any preferences as to whether you run the firewall in routed/transparent and the load balancer in routed/bridged/one-armed mode.


lamav Fri, 03/14/2008 - 12:13

Hey, Jon:

You know, I honestly don't have any particular preference. I've examined this scenario a lot from a high level design approach, but don't have too much experience actually implementing it.

So, I would really need someone to educate me on what my options are, best practices and the implications of doing things certain ways.

I know it's asking a lot. But even a skeleton model with something to build on would be great.

Let's just say we are dealing with a Cisco FWSM and a CSS in a 6500 aggregation switch chassis.



lamav Fri, 03/14/2008 - 15:20

(sounds of crickets chirping)...


Where are all the experts? :-(

lamav Fri, 03/14/2008 - 16:15


I have yet to read it, but I will in a few minutes. Nonetheless, I am sure it's typical of your work and reflects your great insight -- I appreciate all the time you took to write all that.

I am really appreciative, buddy. I owe you one. If you're in NY, dinner is on me. :-)



Jon Marshall Fri, 03/14/2008 - 16:20


No problem, pleasure's all mine. I'm sure you'll have more questions !!

If you ever get over to London let me know.


lamav Fri, 03/14/2008 - 16:32

I'm reading it now. Great stuff. And you're right -- I will ask you a few more questions. :-D


Jon Marshall Fri, 03/14/2008 - 18:07


My comments in red. We can pick this up tomorrow if you have more questions :-)


Jon Marshall Fri, 03/14/2008 - 18:17


Apologies - there is a typo in a quite critical bit in the doc.

5) The server responds and sends the packet back to its default gateway, i.e. the FWSM server vlan interface. The FWSM then sends the packet back out onto the VIP dmz because the destination IP address is routed back to the FWSM.

The last bit should read

because the destination IP address is routed back to the CSM.

As if it wasn't confusing enough !!
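A small model of the return path described in step 5 above, added here as an illustration; it is not part of the thread or of Jon's attachment. It assumes the FWSM in routed mode with a one-armed CSM hanging off a "vip-dmz" interface, and (assumption) that the CSM source-NATs clients to a pool so the server's reply is addressed to the CSM rather than to the client; all addresses are constructed. Dropping the pool route shows why the corrected sentence matters: the reply then leaves via the outside interface and never passes back through the CSM.

```python
from ipaddress import ip_address, ip_network

# Constructed addresses for this model; none of them come from the thread.
CLIENT = "198.51.100.10"
VIP_DMZ = ip_network("192.0.2.0/25")      # connected: FWSM <-> one-armed CSM
VIP = "192.0.2.10"                        # vserver address on the CSM
NAT_POOL = ip_network("192.0.2.128/25")   # CSM client-NAT pool (assumption)
SERVER_NET = ip_network("10.10.10.0/24")  # server vlan; gateway is the FWSM
REAL_SERVERS = ["10.10.10.11", "10.10.10.12"]

def fwsm_route(dst, pool_route=True):
    """Longest-match lookup on the FWSM (routed mode). The static route for
    the NAT pool via the CSM is the one Jon's correction is about."""
    table = [(SERVER_NET, "server-vlan"), (VIP_DMZ, "vip-dmz"),
             (ip_network("0.0.0.0/0"), "outside")]   # default -> HSRP/core
    if pool_route:
        table.append((NAT_POOL, "vip-dmz"))
    d = ip_address(dst)
    return max((n.prefixlen, iface) for n, iface in table if d in n)[1]

def csm_inbound(src, pool_route=True):
    """Client -> VIP: FWSM routes the VIP to the CSM, which picks a real
    server and (assumption) source-NATs the client to an address in its pool."""
    real = REAL_SERVERS[int(ip_address(src)) % len(REAL_SERVERS)]
    hops = ["core", f"fwsm->{fwsm_route(VIP, pool_route)}", f"csm->{real}"]
    return hops, {"src": str(NAT_POOL[1]), "dst": real}

def trace_reply(pool_route=True):
    """Server -> client: the server replies to its default gateway (FWSM).
    Returns the hop list and whether the reply went back through the CSM."""
    _, fwd = csm_inbound(CLIENT, pool_route)
    reply = {"src": fwd["dst"], "dst": fwd["src"]}
    hops = ["server", f"fwsm->{fwsm_route(reply['dst'], pool_route)}"]
    if hops[-1] == "fwsm->vip-dmz":
        # CSM owns the NAT-pool address: undo the NAT, source becomes the VIP
        hops.append("csm(un-nat)")
        reply = {"src": VIP, "dst": CLIENT}
        hops.append(f"fwsm->{fwsm_route(reply['dst'], pool_route)}")
    hops.append("core")
    return hops, "csm(un-nat)" in hops

if __name__ == "__main__":
    print(trace_reply(True))   # reply goes FWSM -> CSM -> FWSM -> core
    print(trace_reply(False))  # route missing: reply exits outside, CSM bypassed
```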


lamav Sat, 03/15/2008 - 12:43


What you wrote was awesome, dude. I really appreciate the detail and care you put into this.

I'll need some time to digest it all and make a mental picture so I can fully understand it.

I'll let you know in the future if I need more help.



