We have a working Data Center with two-tier security architecture. On perimeter we have Checkpoint Firewalls while ASA is an Inside firewall. DMZ server's gateway resides on Firewall and are connected to L2 Switch. Serverfarm's servers' Gateway resides on Cisco Nexus switches whose default GW is ASA firewall.

Now, we want to introduce single pair of Cisco ACE appliance in this network to loadbalane DMZ servers and few Serverfarm servers. We don't have the option to change default gateway of servers.

I'm just looking at best options to carry out this implemention. Please correct me if I'm wrong and provide me your valuable inputs.

1. One-armed is the best way to go here. Since, I cannot change default gateway of servers and there are applications which need not be load-balanced.

2. All four ports of ACE should be part of single Port channel. I am thinking of creating two contexts and assign two physical interfaces to each context. However, this seems not very scalable.

3. Can I use same VLAN ID in different zones? Is it necessary to use unique VLAN ID across the architecture? What all needs to be permitted across the Firewall?

4. Currently, server load balancing is happening through some server technology. How can I use same current virtual IP in ACE appliance as VIP for the serverfarm? It seems that I need to use different subnet for VIP.

5. Later on, we plan to introduce GSS as well for DC-DR failover. GSS will be deployed in separate zone since we don't have DDoS protection. In future, there will be communication between ACE and GSS as well.

Please provide your valuable inputs. Thanks in advance.