Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
628
Views
0
Helpful
3
Replies

ACESM & FWSM design query

Go to solution
KFU NOC
Level 1
Level 1

‎12-28-2009 11:20 PM

Dear ,

we have 2x6509 each conatins sup720-VSS , ACE20 & FWSM module to implement as Data-Centre Aggregation switches.

Now regarding our Data-centre we have 2 subnets and all our servers are in these 2 subnets. And we dont want to pass all traffic which we dont want to loadbalance thru ACE.We just want to pass all traffic thru MSFC and then FWSM(we will put all security features here) and then we will forward traffic to ACE(allow any any access list) if SLB desired otherwise directly to server.

But the main issue here is that we are hosting servers with slb requirement and non-slb servers in same subnet. So i just want to know considering this limitation above scenario we want is possible or not?

Thanks

Wali

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Gilles Dufour
Cisco Employee
Cisco Employee
In response to KFU NOC

‎12-30-2009 08:13 AM

Wali,

no problem with the design.

This is actually a common solution.

Gilles.

View solution in original post

0 Helpful
3 Replies 3

Go to solution
Gilles Dufour
Cisco Employee
Cisco Employee

‎12-30-2009 01:13 AM

Wali,

this is possible but more complicated,

   Internet

            |

         MSFC

            |

        FWSM---- ACE

         |       |

  Subnet1  Subnet2

The flow client---> ACE ---> servers is not a problem with this design.

The concern is the response from the servers.

You need a way to force the FWSM to send the response to ACE and not directly to the client on the Internet.

And only for traffic that was loadbalanced.

You only have 2 options.

1/ Do client nat for all traffic going through ACE. Easy to do.  But you lose information about client source ip address on the servers.

For HTTP, you could keep this information by instructing ACE to insert this info in the http header.

2/ Put the MSFC right after FWSM as well and implement policy-routing on the MSFC . Based on src ip and tcp src port decide to send the traffic to ACE or not.

It is much better to create a subnet for LB servers and put this subnet behind the ACE module.

   Internet

            |

         MSFC

            |

        FWSM---- ACE ----- LB_Subnet

         |       |

  Subnet1  Subnet2

Gilles.

0 Helpful

Go to solution
KFU NOC
Level 1
Level 1
In response to Gilles Dufour

‎12-30-2009 01:53 AM

Thanks Gilles !

Suppose if i choose to put FWSM above MSFC and do PBR on MSFC for SLB severs in subnet1 & subnet2.

Is there any flaw from design point in this solution.

   Internet

            |

         FWSM

            |

       MSFC---- ACE

         |       |

  Subnet1  Subnet2

Wali

0 Helpful

Go to solution
Gilles Dufour
Cisco Employee
Cisco Employee
In response to KFU NOC

‎12-30-2009 08:13 AM

Wali,

no problem with the design.

This is actually a common solution.

Gilles.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents