ACE appliance connectivity design

Sep 2nd, 2009

I have a 4710 appliance and want to use it for LB.

Following is the current setup:

firewall, 2950 switch, servers

Firewall inside interface is connected to the 2950 switch in vlan 100.

All servers are connected to the same switch in vlan 100. The firewall is the default gateway.

We want to connect the ace appliance into this setup. We don't want to use the appliance in routing mode because of the default gateway change for the servers.

How do I get the ace appliance to work in this setup in bridge mode?

I am aware there will be 2 vlans created within ace. In this case one vlan will be 100 and say the second is 200.

Vlan 100 will be facing the firewall and 200 will be facing the servers.

Does that mean all switch ports configured for the server vlan should be changed from 100 to 200,

then connect one interface of ace in vlan 100 and the other in 200?

How will the traffic from the servers then reach the default gateway?

There is no inter-vlan routing there.

followurself Thu, 09/03/2009 - 00:11

Thanks for the reply.

The question is about how to design when the firewall, ace and servers will all be connected to the same switch. If ace is configured in bridge mode, it will need 2 vlans: one vlan is firewall facing and one is server facing.

firewall---vlan 100---ace appliance (bridge mode) ---vlan 200----servers

All of the above will be connected to the same switch.

What should the port config of the switch be for the servers? Which vlan should they be in? If they are set to vlan 200 then how will they contact their default gateway, the firewall, which is in vlan 100?

Also, how many physical ports of the ace appliance are required? Is it one interface per vlan?

Gilles Dufour Thu, 09/03/2009 - 00:46

The servers should be in vlan 200 and the FW in vlan 100.

These are your switch port settings.

On the appliance you bridge vlan 200 and vlan 100 using a bvi interface.

Like this, for the FW and the servers, vlan 200 and vlan 100 are the same.

Here is the bridge config.

interface vlan 30
  bridge-group 30
  no normalization
  access-group input ANY
  nat-pool 1 172.16.1.1 172.16.1.1 netmask 255.255.255.255 pat
  nat-pool 2 10.51.0.77 10.51.0.77 netmask 255.255.255.255 pat
  service-policy input PERMIT-ALL
  service-policy input remote_mgmt_allow_policy
  no shutdown
interface vlan 330
  bridge-group 30
  no normalization
  access-group input ANY
  nat-pool 1 172.16.1.1 172.16.1.1 netmask 255.255.255.255 pat
  nat-pool 2 10.51.0.77 10.51.0.77 netmask 255.255.255.255 pat
  service-policy input PERMIT-ALL
  service-policy input remote_mgmt_allow_policy
  no shutdown
interface bvi 30
  ip address 192.168.30.10 255.255.255.0
  peer ip address 192.168.30.11 255.255.255.0
  no shutdown
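
As an added example that is not part of this thread, here is a small Python check for the kind of ACE bridge-mode config shown above: it parses the interface stanzas, confirms that exactly two VLAN interfaces share one bridge-group, that a matching BVI exists with its address and peer address in the same subnet, and that each VLAN interface has "no shutdown" (an ACE VLAN interface left shut down silently breaks the bridge and the servers lose their path to the gateway). The sample config, VLAN numbers and addresses are constructed for illustration, not taken from a real device.

```python
import ipaddress
import re

# Constructed sample shaped like the ACE bridge-mode design in the thread:
# VLAN 100 faces the firewall, VLAN 200 faces the servers, one BVI joins them.
# VLAN 200 is deliberately left without 'no shutdown' so the check reports it.
SAMPLE_CONFIG = """
interface vlan 100
  bridge-group 10
  no shutdown
interface vlan 200
  bridge-group 10
interface bvi 10
  ip address 10.0.0.10 255.255.255.0
  peer ip address 10.0.0.11 255.255.255.0
  no shutdown
"""

def parse_interfaces(config):  # map each 'interface X' stanza to its sub-commands
    stanzas, current = {}, None
    for line in (l.strip() for l in config.splitlines() if l.strip()):
        if line.startswith("interface "):
            current = line[len("interface "):]
            stanzas[current] = []
        elif current is not None:
            stanzas[current].append(line)
    return stanzas

def check_bridge_config(config):  # returns a list of findings; empty means consistent
    stanzas, findings, groups = parse_interfaces(config), [], {}
    for name, cmds in stanzas.items():
        if not name.startswith("vlan "):
            continue
        for cmd in cmds:
            if (m := re.match(r"bridge-group (\d+)$", cmd)):
                groups.setdefault(m.group(1), []).append(name)
        if "no shutdown" not in cmds:
            findings.append(f"{name}: missing 'no shutdown', interface stays admin down")
    for group, members in groups.items():
        if len(members) != 2:  # a bridge group joins exactly two VLAN interfaces
            findings.append(f"bridge-group {group}: expected 2 VLAN interfaces, found {len(members)}")
        bvi = stanzas.get(f"bvi {group}")
        if bvi is None:
            findings.append(f"bridge-group {group}: no 'interface bvi {group}' defined")
            continue
        nets = {ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}").network
                for cmd in bvi if (m := re.match(r"(?:peer )?ip address (\S+) (\S+)$", cmd))}
        if len(nets) != 1:  # BVI address and its peer must sit in one subnet
            findings.append(f"bvi {group}: ip address and peer ip address must share one subnet")
    return findings
```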

followurself Thu, 09/03/2009 - 05:21

So I need to physically connect only one interface of the ace appliance?

Can you please explain why NAT is used?
