I am implementing a failover pair of ACE appliances, and am looking for some validation of my design thoughts. I would like to utilize a physical interface and a back-to-back cable on each ACE for the FT VLAN, is this recommended? I am planning a two-port EtherChannel dot1q trunk to carry my client and server side VLAN traffic from the LAN switch to the ACE, is this the recommended practice? I am planning to assign a management IP address to the Admin Context on my management VLAN. In my first user context, I am planning a one-arm deployment. In the design guides it makes mention of assigning a management VLAN IP address to each user context, does this make sense? It's my understanding that all interfaces on the ACE are inband, so if I create a second management VLAN interface, don't I have to worry about my routing configuration to prevent asymmetric routing for management traffic? Is it good practice to allow management on the one-arm VLAN IP address?
Your FT setup is what we recommend.
Dedicated link for FT.
We mentioned a management IP per context because usually each context represents a different group or company.
These persons may require access to the context only to manage their own config.
The Admin context controls the entire box, so you may want to have stronger restrictions there.
One-armed is usually the easiest to implement but not really the best.
It requires specific control of the traffic to avoid asymmetric routing.