New Member

ACESM & FWSM design query

Dear ,

we have 2x 6509, each containing a Sup720-VSS, ACE20 & FWSM module, to implement as Data-Centre Aggregation switches.

Now regarding our Data-centre, we have 2 subnets and all our servers are in these 2 subnets. We don't want to pass all the traffic that we don't want to load-balance through ACE. We just want to pass all traffic through the MSFC and then the FWSM (we will put all security features here), and then we will forward traffic to ACE (allow any any access-list) if SLB is desired, otherwise directly to the server.

But the main issue here is that we are hosting servers with an SLB requirement and non-SLB servers in the same subnet. So I just want to know, considering this limitation, whether the above scenario we want is possible or not?

Thanks

Wali

3 REPLIES
Cisco Employee

Re: ACESM & FWSM design query

Wali,

this is possible but more complicated,

       Internet
          |
        MSFC
          |
     FWSM---- ACE
      |        |
  Subnet1   Subnet2

The flow client---> ACE ---> servers is not a problem with this design.

The concern is the response from the servers.

You need a way to force the FWSM to send the response to ACE and not directly to the client on the Internet.

And only for traffic that was loadbalanced.

You only have 2 options.

1/ Do client NAT for all traffic going through ACE. Easy to do. But you lose information about the client source IP address on the servers.

For HTTP, you could keep this information by instructing ACE to insert this info in the http header.

2/ Put the MSFC right after the FWSM as well and implement policy-routing on the MSFC. Based on src IP and TCP src port, decide to send the traffic to ACE or not.

It is much better to create a subnet for LB servers and put this subnet behind the ACE module.

       Internet
          |
        MSFC
          |
     FWSM---- ACE ----- LB_Subnet
      |        |
  Subnet1   Subnet2

Gilles.
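A sketch of option 2 above (policy-routing on the MSFC so that only the load-balanced servers' replies are steered back through the ACE), added here as an example; it is not configuration from the thread, and every address, VLAN number and the ACE interface address are assumptions.

```ios
! Assumed addressing (constructed for this example, not from the thread):
!   Subnet1 = 10.1.1.0/24 on VLAN 11, Subnet2 = 10.1.2.0/24 on VLAN 12
!   Load-balanced real servers: 10.1.1.10, 10.1.1.11, 10.1.2.20 (TCP 80)
!   ACE server-side interface facing the MSFC: 10.1.100.2
!
! Match only return traffic from the SLB real servers, identified by
! source IP and TCP source port (the service port). Replies from the
! non-SLB servers in the same subnets are not listed, so they fall
! through and follow the normal routing table toward the FWSM.
ip access-list extended SLB-RETURN
 permit tcp host 10.1.1.10 eq 80 any
 permit tcp host 10.1.1.11 eq 80 any
 permit tcp host 10.1.2.20 eq 80 any
!
route-map SLB-RETURN-TO-ACE permit 10
 match ip address SLB-RETURN
 set ip next-hop 10.1.100.2
!
! Apply the policy on the server-facing SVIs only, so just packets
! sourced by the servers are evaluated; client-to-ACE traffic is untouched.
interface Vlan11
 ip address 10.1.1.1 255.255.255.0
 ip policy route-map SLB-RETURN-TO-ACE
!
interface Vlan12
 ip address 10.1.2.1 255.255.255.0
 ip policy route-map SLB-RETURN-TO-ACE
!
! Verification:
!   show route-map SLB-RETURN-TO-ACE   (match counters per sequence)
!   show ip policy                     (interfaces with PBR applied)
```

Every real server that is added to an ACE serverfarm also needs an entry in the SLB-RETURN list, otherwise its replies bypass the ACE and the connection breaks asymmetrically.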

New Member

Re: ACESM & FWSM design query

Thanks Gilles !

Suppose I choose to put the FWSM above the MSFC and do PBR on the MSFC for the SLB servers in subnet1 & subnet2.

Is there any flaw, from a design point of view, in this solution?

       Internet
          |
        FWSM
          |
     MSFC---- ACE
      |        |
  Subnet1   Subnet2

Wali

Cisco Employee

Re: ACESM & FWSM design query

Wali,

no problem with the design.

This is actually a common solution.

Gilles.
