Cisco Support Community

New Member

Firewall Load Balancing on ACE-20

I've read through the FWLB chapter of the config guide, but still have some questions:

http://www.cisco.com/c/en/us/td/docs/interfaces_modules/services_modules/ace/vA2_3_0/configuration/slb/guide/slbgd/fwldbal.html#wp1036569

1. We're using Palo Alto firewalls in virtual-wire mode.

In v-wire mode, we can't assign IPs to the firewall interfaces, since it's just a bump in the wire and is completely transparent.

Instead of specifying the alias IPs on the stealth-mode firewalls as rservers per the config guide, can those IPs be on the adjacent ACE module, or even an SVI on the adjacent Cat 6500 instead?

As long as the IPs are reachable from the ACE, can they be specified as rservers in a serverfarm?

2. Symmetrical routing / predictor

I understand it's important to have forward & return traffic to hit the same firewall.

The config guide says to use source/destination IP as the hash method.

However, the "inside" and "outside" ACEs are independent from each other.

How do we guarantee traffic for both directions will hit the same firewall/rserver?

Do we simply need to make sure the firewalls are listed in the same order on both ACEs?

i.e. rserver1=FW1, rserver2=FW2, rserver3=FW3, etc.?

TIA

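The second question asks how two independent ACE modules, each hashing on source/destination IP, can be made to pick the same firewall for a flow and its return traffic. The Python below is an added illustration, not code from this thread or from Cisco: the `pick_firewall` function is a stand-in for a source/destination hash predictor (it does not reproduce the ACE's actual hashing), and the firewall names and client/server addresses are constructed. It shows the two properties the question is circling: the flow key must be order-independent (the inside ACE sees client→server, the outside ACE sees server→client), and the serverfarms on both modules must list the rservers in the same order, otherwise the same hash index names a different firewall on each side.

```python
"""Why a source/destination hash plus identically ordered serverfarms keeps
forward and return traffic on the same stealth firewall.

Constructed illustration; the hash below is NOT the Cisco ACE predictor.
"""
import hashlib
import ipaddress

# Constructed inventory of stealth firewalls, in the order the rservers
# are listed in the serverfarm (rserver1=FW1, rserver2=FW2, ...).
FIREWALLS = ["FW1", "FW2", "FW3"]


def flow_key(src, dst):
    """Order-independent flow key.

    The address pair is sorted numerically, so (client, server) seen by the
    inside ACE and (server, client) seen by the outside ACE yield identical
    bytes. Without this step the two directions would hash differently.
    """
    a = ipaddress.ip_address(src)
    b = ipaddress.ip_address(dst)
    lo, hi = sorted((a, b), key=int)
    return lo.packed + hi.packed


def pick_firewall(src, dst, farm):
    """Deterministically map a flow onto one member of the serverfarm.

    Stand-in for a source/destination-IP hash predictor (assumption: the
    real ACE algorithm is not reproduced here).
    """
    digest = hashlib.sha256(flow_key(src, dst)).digest()
    index = int.from_bytes(digest[:8], "big") % len(farm)
    return farm[index]


def count_asymmetric(flows, inside_farm, outside_farm):
    """Count flows whose return path lands on a different firewall than the
    forward path. inside_farm/outside_farm are the rserver orderings on the
    inside and outside ACE respectively."""
    bad = 0
    for client, server in flows:
        forward = pick_firewall(client, server, inside_farm)   # client -> server
        reverse = pick_firewall(server, client, outside_farm)  # server -> client
        if forward != reverse:
            bad += 1
    return bad


# Constructed sample flows: 100 clients talking to one server.
SAMPLE_FLOWS = [(f"10.1.{i}.{j}", "192.0.2.10")
                for i in range(1, 5) for j in range(1, 26)]

if __name__ == "__main__":
    # Both ACEs list the firewalls identically: every flow stays symmetric.
    same_order = count_asymmetric(SAMPLE_FLOWS, FIREWALLS, FIREWALLS)
    # Outside ACE lists them rotated by one: every index names a different
    # firewall, so every flow's return traffic hits the wrong box.
    rotated = FIREWALLS[1:] + FIREWALLS[:1]
    diff_order = count_asymmetric(SAMPLE_FLOWS, FIREWALLS, rotated)
    print(f"identical ordering: {same_order} asymmetric flows of {len(SAMPLE_FLOWS)}")
    print(f"rotated ordering:   {diff_order} asymmetric flows of {len(SAMPLE_FLOWS)}")
```

The takeaway for the deployment described in the post: an identical rserver order on both modules is necessary but only sufficient if the predictor's key is itself direction-independent, which is why the config guide pairs the recommendation with the source/destination hash rather than a per-direction or least-connections predictor.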