Service module placement and the L2 adjacency problem

Unanswered Question
Oct 7th, 2009

I'd be very interested to hear others' opinions on this. You have a data center environment with L2 boundaries at end-of-row aggregators, then L3 back to the core and edge. You have 6500 service module switches hanging off the core housing ACE and FWSM modules. You want to offer firewalling and load-balancing services to servers around the data center.

What are the current best-practice ways of resolving the L2 adjacency requirement that the firewalling and load-balancing services impose? L2TPv3? EoMPLS? Any relevant advice, deployment examples, whitepapers etc. would be much appreciated!

Thanks for any replies,


Jon Marshall Wed, 10/14/2009 - 08:22


You could, I suppose, look to use L2TPv3 if your switches support it, or EoMPLS, but to my mind this is actually using a band-aid to fix a problem that shouldn't be there.

We too struggled in our data centres with this setup, but remember you only need L2 adjacency if you are running the FWSM in transparent mode or the ACE in bridged mode.

If you are, then the cleanest solutions are either:

1) redesign core connections to L2

2) deploy 6500 switches in the distribution layer. I say distribution layer because it's not clear from your description what your topology actually is, but I'm assuming L2 access to distro and then L3 distro to core, and the core switches are the 6500 switches.

Personally I always use the routed L3 approach where possible for fast failover and no STP, and in the campus environment it works really well.

However, L3 from the access layer to the distro in the data centre is very limiting, and you often come across problems such as the one you are facing.

Now again it does depend on your topology, but assuming the issue is that your core is L3 connected and you need L2 adjacency with your distro to offer servers, I would look to deploy 6500 switches in the distro layer with the service modules in them.

If I have misunderstood, please come back with more details.


george_daly Thu, 10/15/2009 - 06:58

Hi Jon,

Many thanks for your advice so far!

I'm getting confused here, but I think that's due to lack of experience on my part with this type of design :)

The design I'm considering would look something like this:

[design diagram not preserved]

The ACE and FWSM are both in routed mode.

I understand that I don't require a L2 adjacency from the access layer to the ACE because I'm using one-arm mode with PBR, so the servers' gateway is on the distribution switches with PBR taking care of routing return traffic to the ACE.

My confusion is that I had presumed that servers behind the FWSM would need the FWSM inside interface as their gateway; surely the FWSM needs to ARP the servers, thus should be L2 adjacent.

I need to allow for servers in different distribution switches being able to use ACE and FWSM services in any service module switch without unnecessarily extending the L2/STP domain beyond the distribution layer.

Any clarity you can provide would be much appreciated!
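
The one-arm ACE with PBR arrangement described in the post above, written out as an added configuration example (it is not from the thread and not Cisco's reference configuration). It shows the Catalyst 6500 MSFC side: the servers keep the SVI as their default gateway and a policy route map sends only load-balanced return traffic back to the ACE, so nothing on the server VLAN needs to be L2 adjacent to the ACE except the ACE's own arm VLAN on the chassis that hosts it. All slot numbers, VLAN IDs, addresses and object names are constructed for illustration.

```cisco
! Added example, constructed values throughout. Catalyst 6500 IOS (MSFC) side.
!
! Hand VLAN 10 to the ACE in slot 3: this is the ACE's single "arm".
svclc vlan-group 10 10
svclc module 3 vlan-group 10
!
! Return traffic that must travel back through the ACE: packets sourced from
! the real servers' load-balanced service ports. Management, backup and
! monitoring traffic from the same hosts uses other ports and stays on the
! normal routed path, which is why the ACL is narrow rather than "any".
ip access-list extended ACE-RETURN
 permit tcp 10.10.20.0 0.0.0.255 eq 80 any
 permit tcp 10.10.20.0 0.0.0.255 eq 443 any
!
route-map ACE-ONEARM permit 10
 match ip address ACE-RETURN
 set ip next-hop 10.10.10.5
!
! Server VLAN: the reals' default gateway is this SVI, not the ACE.
! The policy route map is applied inbound here, so it only sees packets the
! servers send, i.e. the replies that must be rewritten by the ACE.
interface Vlan20
 description server VLAN 20 - reals for the web farm
 ip address 10.10.20.1 255.255.255.0
 ip policy route-map ACE-ONEARM
!
! ACE arm VLAN: the VIP (10.10.10.100) sits in this subnet, so client traffic
! reaches it by ordinary routing; 10.10.10.5 is the ACE interface address
! that the route map uses as the PBR next hop.
interface Vlan10
 description ACE one-arm VLAN
 ip address 10.10.10.1 255.255.255.0
!
! ACE context side (assumed ACE syntax), kept to the pieces that matter for
! the return path: one VLAN interface, a VIP, and no source NAT because PBR,
! not NAT, brings the replies back.
rserver host WEB1
  ip address 10.10.20.11
  inservice
serverfarm host WEB-FARM
  rserver WEB1
    inservice
class-map match-all VIP-80
  2 match virtual-address 10.10.10.100 tcp eq 80
policy-map type loadbalance first-match LB-80
  class class-default
    serverfarm WEB-FARM
policy-map multi-match LB-POLICY
  class VIP-80
    loadbalance vip inservice
    loadbalance policy LB-80
interface vlan 10
  ip address 10.10.10.5 255.255.255.0
  service-policy input LB-POLICY
  no shutdown
```

Two checks worth making on this design. First, without either the PBR or source NAT on the ACE, server replies would be routed straight to the client with the real's address as source and the TCP session would fail, so the route map has to match every load-balanced service port and nothing else. Second, `set ip next-hop` requires the next hop to be on a directly connected subnet of the switch applying the policy; with the server gateway SVI on a distribution switch and the ACE arm VLAN on a core service switch, that condition has to be met (or a recursive next-hop variant used where the platform supports it), which is the same adjacency question the thread is about, moved one hop.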



Jon Marshall Thu, 10/15/2009 - 09:46


"surely the FWSM needs to ARP the servers thus should be L2 adjacent."

Not necessarily. All, or at least the vast majority of, companies have an Internet firewall, but that doesn't mean all clients/servers behind the firewall must be L2 adjacent to the firewall.

It depends on what you are firewalling the servers from. If you need to firewall between server VLANs then yes, you would need L2 adjacency, but if you simply want to firewall all your access-layer servers from the edge then no, you don't need L2 adjacency.

Assuming you do need to control traffic between server VLANs in the access layer (and potentially other devices in the access layer?) then with your design you would need to migrate the service modules to your distribution switches, which I'm guessing are not currently 6500 switches. Is that correct?

What exactly are your distribution switches?

With the FWSM, do you have contexts or is it running in just one context?

Same question for ACE module.

Technically VRF-lite is a possible solution, with each server VLAN or group of server VLANs being in its own VRF, but before deciding that it would be useful, as mentioned, to know exactly what your firewalling requirements in the access layer are, i.e. what needs firewalling and from what.


george_daly Thu, 10/15/2009 - 13:29

Thanks Jon,

Just to clarify, this is a potential design not an existing network.

Some server VLANs would be firewalled from each other via multi-context FWSMs with a context per server VLAN. Some server VLANs would just have router ACLs and VLAN ACLs.

ACEs would also be multi-context, but the contexts shared among multiple server VLANs (including firewalled VLANs).

Ideally firewalled VLANs would have the capability of being extended over the L3 segmented distribution switches. I also need L2 adjacency from these VLANs to the FWSM contexts.
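
The VRF-lite approach Jon mentions, applied to the context-per-server-VLAN requirement in the post above, as an added configuration example (not from the thread and not a Cisco reference design). The idea it demonstrates: a server VLAN lives in its own VRF on the distribution switch, the VRF is carried over the routed uplink to the core service switch, and on that switch the VRF's only exit is the inside leg of the matching FWSM context. The FWSM is L2 adjacent only to an SVI in its own chassis, not to the servers, so the firewall still sits between that server VLAN and everything else without the server VLAN being stretched. VRF names, VLAN IDs, slot numbers and addresses are constructed; static routes are used to keep the example short.

```cisco
! Added example, constructed values throughout.
!
! ===== Distribution switch: server VLAN 20 placed in VRF SRV-A =====
ip vrf SRV-A
 rd 65000:20
!
interface Vlan20
 description server VLAN 20 - servers' default gateway, inside VRF SRV-A
 ip vrf forwarding SRV-A
 ip address 10.10.20.1 255.255.255.0
!
! Routed uplink to the core, one dot1Q subinterface per VRF (tag 520 is an
! arbitrary constructed value, chosen not to clash with any L2 VLAN in use).
interface TenGigabitEthernet1/1.520
 encapsulation dot1Q 520
 ip vrf forwarding SRV-A
 ip address 10.200.0.2 255.255.255.252
!
! Everything leaving VRF SRV-A goes toward the core; there is no path from
! this VRF into the global table or into any other server VLAN's VRF.
ip route vrf SRV-A 0.0.0.0 0.0.0.0 10.200.0.1
!
! ===== Core service switch hosting the FWSM in slot 4 =====
! VLAN 120 is the inside leg of FWSM context SRV-A, VLAN 100 the shared outside.
firewall vlan-group 1 100,120
firewall module 4 vlan-group 1
!
ip vrf SRV-A
 rd 65000:20
!
interface TenGigabitEthernet1/1.520
 encapsulation dot1Q 520
 ip vrf forwarding SRV-A
 ip address 10.200.0.1 255.255.255.252
!
! The only SVI that is L2 adjacent to the FWSM context's inside interface.
interface Vlan120
 description inside leg of FWSM context SRV-A (VRF SRV-A only)
 ip vrf forwarding SRV-A
 ip address 10.120.0.1 255.255.255.0
!
! Inside VRF SRV-A: server subnet is back toward the distribution switch,
! everything else must pass through the firewall context.
ip route vrf SRV-A 10.10.20.0 255.255.255.0 10.200.0.2
ip route vrf SRV-A 0.0.0.0 0.0.0.0 10.120.0.2
!
! Global table: the context's outside leg, and the return route that makes
! the global table reach the server subnet only via the firewall.
interface Vlan100
 description shared outside VLAN for FWSM contexts
 ip address 10.100.0.1 255.255.255.0
!
ip route 10.10.20.0 255.255.255.0 10.100.0.2
!
! ===== FWSM, routed-mode context SRV-A (assumed FWSM context syntax) =====
interface Vlan120
 nameif inside
 security-level 100
 ip address 10.120.0.2 255.255.255.0
interface Vlan100
 nameif outside
 security-level 0
 ip address 10.100.0.2 255.255.255.0
route inside 10.10.20.0 255.255.255.0 10.120.0.1
route outside 0.0.0.0 0.0.0.0 10.100.0.1
```

The property to verify on such a design is that no route in VRF SRV-A points anywhere except the uplink and the context's inside address, and that the global table and every other VRF reach 10.10.20.0/24 only via the context's outside address; `show ip route vrf SRV-A` and `show ip route 10.10.20.0` on the core switch show whether that holds. Each additional firewalled server VLAN repeats the pattern with its own VRF, subinterface tag, inside VLAN and FWSM context; a per-VRF routing protocol instance replaces the static routes once there are more than a handful of them.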
