I am trying to design a network with already existing Cisco ACE modules in a 6509, which need to load balance between the servers that are behind the firewall. I just need to know how to design this scenario, as I am new to design and come from an implementation background. Please advise if possible...
Another architect described to me that we need to use Source NAT and VRF so that we can make the ACEs sit logically behind the firewall with VLANs. I just need to know how to go about doing that. I am new to load balancing as well.
If someone can point me in the right direction to do this, it would be very helpful.
I am not quite sure what you are trying to achieve. Perhaps you could make a logical diagram of how the packet flow should look.
When talking about ACE design, you typically have two scenarios:
1) One-arm design - ACE has only one VLAN interface (layer 3)
2) Two-arm design - ACE has two VLAN interfaces. There are two subtypes:
a) Routed mode (layer 3):
b) Bridged mode (layer 2):
(picture on this one is not correct)
As far as VRFs are concerned, ACE uses contexts for virtualization of everything (so the routing table as well). If VRFs are needed, they are configured on the 6500 or the router.
Many thanks for your input... it really opened up my brain and gave me a starting point for this project design...
There is going to be a separate context that I need to create in this, so is there anything about it? Also, anything about VRF and source NAT would be really helpful..
I would suggest you read the ACE config guides a bit. For example, here is the part that explains how to create a context.
The concept of VRF does not exist on ACE. It only exists on IOS routers and is a way of virtualizing routing instances. On ACE we use contexts for virtualization - one context = one routing instance. I am not sure why you need VRF, but if you explain your requirements and desired packet flow we might be able to help you.
Source NAT is used on ACE when you want to hide the client IP from the real server. It is a must with the one-arm design so that the real server answers to ACE and not to the client, which would break TCP. You have an example of source NAT in the one-arm design draft I already sent you. You can find more details about it in the NAT config guide.
Actually, what we are trying to do is:

Server1-----------I    I----------I          I
                  I FW I          I   6509   I--------------------------INTERNAL USERS
Server2-----------I    I----------I   with   I
                  I    I          IACE moduleI

What we were trying to do is logically place the ACE (using VRF) between the FW and the servers and pass traffic through it. Can you provide me with some information regarding it?
Based on what I have been able to understand from this thread, all you need to do is to configure ACE in Bridge Mode (a different context can be used if required) so that it is inline between the firewall and the servers. In bridge mode your servers will be part of VLAN-A and a separate VLAN (say VLAN-B) will be used for ACE-to-firewall logical connectivity. ACE will bridge the two VLANs, so there is no requirement to modify the IP addressing. In order to allow server-to-server load balancing within the same VLAN you will indeed need source NAT.
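The bridged, inline design described in this answer, written out as an added configuration example (not the poster's or Cisco's own config). The ACE slot number, VLAN numbers, context and object names, and all addresses are assumptions; the one design point worth copying is that source NAT is applied only on the server-side policy, where it is actually needed.

```cisco
! ---- Catalyst 6509 supervisor (IOS): hand VLANs 100 and 200 to the ACE in slot 3 ----
! (added example; slot, VLANs, names and addresses are assumptions)
svclc multiple-vlan-interfaces
svclc vlan-group 10 100,200
svclc module 3 vlan-group 10

! ---- ACE Admin context: create the separate context and give it both VLANs ----
context FW-SERVERS
  description bridged context between the firewall and the server VLAN
  allocate-interface vlan 100
  allocate-interface vlan 200

! ---- inside the FW-SERVERS context (changeto FW-SERVERS) ----
! VLAN 100 = firewall inside leg (VLAN-B), VLAN 200 = servers (VLAN-A). Both carry
! 10.1.1.0/24; the firewall inside address 10.1.1.1 stays the servers' gateway.
access-list ANYONE line 10 extended permit ip any any
! ACE drops BPDUs in bridge mode unless an EtherType ACL permits them
access-list BPDU ethertype permit bpdu

rserver host SERVER1
  ip address 10.1.1.11
  inservice
rserver host SERVER2
  ip address 10.1.1.12
  inservice

serverfarm host WEB-FARM
  rserver SERVER1 80
    inservice
  rserver SERVER2 80
    inservice

class-map match-all VIP-HTTP
  2 match virtual-address 10.1.1.100 tcp eq www

policy-map type loadbalance first-match WEB-LB
  class class-default
    serverfarm WEB-FARM

! Traffic arriving from the firewall side: no source NAT. The server's reply has
! to cross the bridge to reach 10.1.1.1 anyway, so ACE stays in the path and the
! servers still see the real client address.
policy-map multi-match FROM-FIREWALL
  class VIP-HTTP
    loadbalance vip inservice
    loadbalance policy WEB-LB
    loadbalance vip icmp-reply

! Server-to-server traffic hitting the VIP from VLAN 200: client and real server
! share one segment, so the reply would bypass ACE unless the source is NATed
! to an ACE-owned address.
policy-map multi-match FROM-SERVERS
  class VIP-HTTP
    loadbalance vip inservice
    loadbalance policy WEB-LB
    nat dynamic 1 vlan 200

interface vlan 100
  description firewall side (VLAN-B)
  bridge-group 1
  access-group input BPDU
  access-group input ANYONE
  service-policy input FROM-FIREWALL
  no shutdown
interface vlan 200
  description server side (VLAN-A)
  bridge-group 1
  access-group input BPDU
  access-group input ANYONE
  nat-pool 1 10.1.1.250 10.1.1.250 netmask 255.255.255.255 pat
  service-policy input FROM-SERVERS
  no shutdown
interface bvi 1
  description address ACE itself uses on the bridge (ARP, probes)
  ip address 10.1.1.5 255.255.255.0
  no shutdown

ip route 0.0.0.0 0.0.0.0 10.1.1.1
```

Two checks after bringing this up: confirm with show interface and show arp in the context that ACE learned the firewall (10.1.1.1) on VLAN 100 and the servers on VLAN 200, and confirm from a server that a connection to the VIP shows up in show conn with its source rewritten to 10.1.1.250, while a connection from an internal user behind the firewall keeps its original source address.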
Many thanks for your comments... I think that would be a good idea... Also, there should be SSL offload in the ACE, re-encrypting traffic to the existing web portals using certificates... How do we do this? Also, is there any difference (from a security perspective) between using an ACE module and an ACE device?
For SSL offload please go through the relevant ACE configuration guide as it details the required configuration process in sufficient detail.
I do not believe there is any 'security' related benefit in choosing an appliance over an ACE module or vice versa. The ACE Module is better integrated with the 6500 chassis and offers better scalability when compared with the appliance.
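An added example of the SSL offload with re-encryption that the poster asked about (this is not the thread's or the configuration guide's own config). It assumes the portal key and certificate, and the internal CA certificate, have already been imported into the context (for instance with crypto import) under the file names shown; all object names and addresses are assumptions.

```cisco
! ---- ACE context: terminate TLS on the VIP, re-encrypt towards the portals ----
! Added example, not from the thread. Assumes portal-key.pem, portal-cert.pem and
! internal-ca.pem are already imported into this context.

! Client-facing side: ACE presents the portal certificate and terminates TLS.
parameter-map type ssl CLIENT-SSL-PARAMS
  version TLS1
  cipher RSA_WITH_AES_256_CBC_SHA
  cipher RSA_WITH_AES_128_CBC_SHA
ssl-proxy service PORTAL-FRONTEND
  key portal-key.pem
  cert portal-cert.pem
  ssl advanced-options CLIENT-SSL-PARAMS

! Server-facing side: ACE opens a new TLS session to each portal and, through the
! authgroup, rejects portals whose certificate does not chain to the internal CA.
crypto authgroup INTERNAL-CA
  cert internal-ca.pem
parameter-map type ssl BACKEND-SSL-PARAMS
  version TLS1
ssl-proxy service PORTAL-BACKEND
  authgroup INTERNAL-CA
  ssl advanced-options BACKEND-SSL-PARAMS

rserver host PORTAL1
  ip address 10.1.1.21
  inservice
rserver host PORTAL2
  ip address 10.1.1.22
  inservice
serverfarm host PORTAL-FARM
  rserver PORTAL1 443
    inservice
  rserver PORTAL2 443
    inservice

class-map match-all VIP-HTTPS
  2 match virtual-address 10.1.1.101 tcp eq https

policy-map type loadbalance first-match PORTAL-LB
  class class-default
    serverfarm PORTAL-FARM
    ! The request is in clear text at this point, so ACE can record the original
    ! client address before re-encrypting; this is what keeps the portal logs
    ! useful once source NAT hides the client IP.
    insert-http X-Forwarded-For header-value "%is"
    ssl-proxy client PORTAL-BACKEND

! Add this class to the multi-match policy already applied on the interface
! facing the clients (one service-policy input per interface).
policy-map multi-match CLIENT-VIPS
  class VIP-HTTPS
    loadbalance vip inservice
    loadbalance policy PORTAL-LB
    ssl-proxy server PORTAL-FRONTEND
```

The point of the two separate ssl-proxy services is that the client-facing and server-facing TLS sessions are independent: the cipher list and certificate offered to users can be tightened without touching the portals, and an attacker who can answer for a portal address still has to present a certificate signed by the internal CA before ACE will forward decrypted traffic to it.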