I am planning the deployment of FWLB with only one ACE in routed mode. I have more than 20 DMZs and all traffic between them must be balanced by the ACE to be filtered by one of the FWSMs.
On ACE, I am planning to create one interface vlan per DMZ (default gateway for each DMZ) with a catch-all VIP (0.0.0.0 0.0.0.0). My problem is that all vlans/networks will be directly connected to the ACE and I don't know what the ACE does first... whether it "catches" the traffic to load-balance or routes the traffic first (if routing is done first, then FWLB will fail).
All documents that I saw have more than one ACE in their topology for load-balancing.
Also, using several contexts doesn't seem to be an option because I don't have an in/out topology (return traffic may fail, hash predictor source/destination would fail).
Anyone with experience with this type of topology?
Thanks in advance for all the help you can give me.
ACE will first catch the traffic and perform the configured action.
If nothing catches the traffic, ACE will route it.
Multiple ACEs are usually used because very often the response needs to come back to the same firewall.
So some reverse-sticky operation is required.
Or some other mechanism.
Not sure how you planned to guarantee this.
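For illustration, the following is an added ACE configuration fragment (not part of the original thread, and not taken from any document referenced in it) showing the structure the reply describes: a catch-all VIP class applied as an input service policy on one DMZ VLAN interface, with a transparent serverfarm of FWSM real servers. Because the policy is applied on input, classification against the VIP happens before the routing lookup; traffic that matches no class falls through to normal routing. All names, VLAN numbers and addresses are hypothetical, and the fragment does not by itself solve the return-path problem the reply raises (it shows the hash-on-both-addresses predictor only so the serverfarm is complete; whether that keeps a flow's reply on the same FWSM has to be verified in the target topology).

```cisco
! Hypothetical names and addresses (added example, not from the thread)

! The FWSM inside interfaces are the "servers" the ACE balances across
rserver host FWSM-1
  description inside interface of first FWSM
  ip address 10.255.0.11
  inservice
rserver host FWSM-2
  description inside interface of second FWSM
  ip address 10.255.0.12
  inservice

! transparent: ACE keeps the packet's real destination IP and only
! chooses which FWSM is the next hop (no destination NAT to a VIP)
serverfarm host FW-FARM
  transparent
  predictor hash address
  rserver FWSM-1
    inservice
  rserver FWSM-2
    inservice

! catch-all VIP: any destination address, any protocol
class-map match-all CATCH-ALL
  2 match virtual-address 0.0.0.0 0.0.0.0 any

! what to do with traffic that matched the VIP
policy-map type loadbalance first-match FW-LB
  class class-default
    serverfarm FW-FARM

policy-map multi-match FWLB-POLICY
  class CATCH-ALL
    loadbalance vip inservice
    loadbalance policy FW-LB

! One such interface per DMZ; the ACE address is that DMZ's default gateway.
! "service-policy input" means the VIP match is evaluated on ingress,
! before the routing decision; unmatched traffic is routed normally.
interface vlan 101
  description DMZ-1
  ip address 10.101.0.1 255.255.255.0
  service-policy input FWLB-POLICY
  no shutdown
```

The same `service-policy input FWLB-POLICY` line would be repeated on each of the 20-plus DMZ VLAN interfaces. Anything the reverse direction needs (so that a session's return packets are sent to the same FWSM that saw the forward packets) is deliberately left out here, since the thread does not settle how that is to be done with a single ACE.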