
FWLB with one ACE

jcarvalh
Level 1

Hello.

I am planning the deployment of FWLB with only one ACE in routed mode. I have more than 20 DMZs and all traffic between them must be balanced by the ACE to be filtered by one of the FWSMs.

On ACE, I am planning to create one interface vlan per DMZ (default gateway for each DMZ) with a catch-all VIP (0.0.0.0 0.0.0.0). My problem is that all vlans/networks will be directly connected with ACE and I don't know what it is that ACE does first... if it "catches" the traffic to load-balance or if it routes traffic first (if routing is done first, then FWLB will fail).

All documents that I saw have more than one ACE in their topology for load-balancing.

Also, using several contexts doesn't seem to be an option because I don't have an in/out topology (return traffic may fail, hash predictor source/destination would fail).

Anyone with experience with this type of topology?

Thanks in advance for all the help you can give me.

Best regards,

Joao Carvalho

1 Accepted Solution

Accepted Solutions

Gilles Dufour
Cisco Employee

ACE will first catch the traffic and perform the configured action.

If nothing to catch the traffic, ACE will route.

Multiple ACEs are usually used because very often the response needs to come back to the same firewall.

So some reverse-sticky operation is required.

Or some other mechanism.

Not sure how you planned to guarantee this.

Gilles.


3 Replies


Hi Gilles.

Thanks for your help.

I am thinking about enabling mac-sticky at interface level to ensure that return traffic will go to the same fwsm.

Thanks once again.

Joao Carvalho

Hello again,

You were right, I am having problems with applications like FTP; the return traffic goes to the "wrong" FWSM.

Mac-sticky works fine only with "normal" applications.

Best regards,

Joao Carvalho
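As an added illustration (not configuration from this thread, from Joao, or from Cisco), here is how the design discussed above could be expressed on a single routed ACE: one interface VLAN per DMZ with the catch-all VIP applied inbound, a transparent serverfarm holding the FWSMs, and a firewall-facing VLAN with no service policy so traffic the firewalls hand back is routed rather than caught again, which matches Gilles' point that ACE catches first and routes only when nothing matches. Every name, VLAN number and address is assumed; placing `mac-sticky enable` on the firewall-facing VLAN (so the ACE records which FWSM a connection came from) is also my assumption about how Joao applied it. It does not address the FTP case reported above.

```cisco
! All names, VLANs and addresses below are constructed for this example.

! Firewalls as real servers. The farm is transparent so the original
! destination address is kept when a packet is handed to an FWSM.
rserver host FWSM1
  ip address 10.255.0.11
  inservice
rserver host FWSM2
  ip address 10.255.0.12
  inservice

serverfarm host FW-FARM
  transparent
  rserver FWSM1
    inservice
  rserver FWSM2
    inservice

! Catch-all VIP: any destination address, any protocol.
class-map match-all ALL-TRAFFIC
  2 match virtual-address 0.0.0.0 0.0.0.0 any

policy-map type loadbalance first-match FW-LB
  class class-default
    serverfarm FW-FARM

policy-map multi-match FW-POLICY
  class ALL-TRAFFIC
    loadbalance vip inservice
    loadbalance policy FW-LB

! One VLAN per DMZ: the ACE is the default gateway and the catch-all VIP
! is applied inbound, so DMZ-to-DMZ traffic is balanced before routing.
interface vlan 101
  description DMZ-1
  ip address 10.1.1.1 255.255.255.0
  service-policy input FW-POLICY
  no shutdown

interface vlan 102
  description DMZ-2
  ip address 10.1.2.1 255.255.255.0
  service-policy input FW-POLICY
  no shutdown

! VLAN facing the FWSMs: no service policy, so filtered traffic coming
! back from a firewall is routed to the destination DMZ. mac-sticky
! records the source MAC (the FWSM) of a connection so the reply of that
! same connection is sent back to the firewall that inspected it.
interface vlan 200
  description FWSM-SIDE
  ip address 10.255.0.1 255.255.255.0
  mac-sticky enable
  no shutdown
```

The limitation Joao observed follows from this model: mac-sticky binds the return path of an existing connection, but an application that opens a second connection (FTP data) presents a new flow to the catch-all VIP, which is balanced on its own and may be sent to the other FWSM, where no state for the session exists.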
