When the ACE does server load balancing, it NATs the destination VIP IP to the real server IP and thus changes the destination IP address in the IP header to that of the real server and the destination MAC address in the Ethernet header to that of the server or next hop device (if server is not directly connected).
When doing FWLB, however, I suspect such a rewrite will not occur because if the destination IP address is changed to the real IP of the firewall, the firewall will see the packet addressed to itself and drop it.
My questions are:
1. How does the ACE perform load balancing without rewriting the destination IP?
2. What part of the ACE configuration indicates to the ACE that a packet will be load balanced to a firewall rather than a server? I am guessing it has to do with the class-map matching on a network specific or "catch-all" VIP rather than a host specific VIP?
Indeed, no NAT should be performed when doing FW LB. This is accomplished by specifying the "transparent" command in the serverfarm where you defined the FWs as rservers.
You can instruct the ACE not to use NAT to translate the VIP address to the server IP address by using the transparent command in serverfarm host configuration mode. Use this command in firewall load balancing (FWLB) when you configure the insecure and secure sides of the firewall as a server farm. For details about FWLB, see Chapter 6, Configuring Firewall Load Balancing. The syntax of this command is as follows:
For example, enter:
Also, you want the return traffic going back to the same FW as it came in. This is done by specifying the command "mac-sticky enable".
The mac-sticky feature ensures that the ACE sends return traffic to the same upstream device through which the connection setup from the original client was received. When you enable this feature, the ACE uses the source MAC address from the first packet of a new connection to determine the device to send the return traffic. This guarantees that the ACE sends the return traffic for load-balanced connections to the same device originating the connection. By default, the ACE performs a route lookup to select the next hop to reach the client.
This feature is useful when the ACE receives traffic from Layer 2 and Layer 3 adjacent stateful devices, like firewalls and transparent caches, guaranteeing that it sends return traffic to the correct stateful device that sourced the connection without any requirement for source NAT. For more information on firewall load balancing, see the Cisco Application Control Engine Module Security Configuration Guide.
To enable the mac-sticky feature for a VLAN interface, use the mac-sticky enable command in interface configuration mode. By default, the mac-sticky feature is disabled on the ACE. The syntax of this command is:
For example, to enable the mac-sticky feature, enter:
host1/Admin(config-if)# mac-sticky enable
More info about FW load balancing can be found here:
Hope this helps.
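The pieces the answer describes put together as one ACE configuration (firewalls as rservers in a transparent serverfarm, a catch-all VIP class-map, and mac-sticky on the client-facing VLAN); this is an added example, not configuration from the original post or from Cisco documentation, and every name, VLAN number and IP address in it is a constructed placeholder:

```cisco
! Firewalls defined as real servers (constructed addresses)
rserver host FW1
  ip address 10.10.1.11
  inservice
rserver host FW2
  ip address 10.10.1.12
  inservice

! "transparent" stops the ACE from NATing the VIP to the rserver IP, so the
! packet still carries the original destination address when the firewall sees it
serverfarm host FW-FARM-INSIDE
  transparent
  ! hash on source address so a given client keeps using the same firewall
  predictor hash address source
  rserver FW1
    inservice
  rserver FW2
    inservice

! Catch-all VIP: match every destination address instead of a single host VIP;
! this is what marks the traffic as "load balance toward the firewalls"
class-map match-all FW-ANY-VIP
  2 match virtual-address 0.0.0.0 0.0.0.0 any

policy-map type loadbalance first-match FW-LB
  class class-default
    serverfarm FW-FARM-INSIDE

policy-map multi-match FW-IN-POLICY
  class FW-ANY-VIP
    loadbalance vip inservice
    loadbalance policy FW-LB

! Client-facing VLAN: mac-sticky returns traffic to the firewall it arrived from
! (source MAC of the first packet) rather than doing a route lookup
interface vlan 100
  ip address 10.10.0.1 255.255.255.0
  mac-sticky enable
  service-policy input FW-IN-POLICY
  no shutdown
```

The same serverfarm and VIP construct is mirrored on the other side of the firewalls so that connections initiated from either side stay on one firewall in both directions.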