01-05-2009 01:21 PM
Hello.
I am planning the deployment of FWLB with only one ACE in routed mode. I have more than 20 DMZs, and all traffic between them must be balanced by the ACE to be filtered by one of the FWSMs.
On the ACE, I am planning to create one interface VLAN per DMZ (default gateway for each DMZ) with a catch-all VIP (0.0.0.0 0.0.0.0). My problem is that all VLANs/networks will be directly connected to the ACE, and I don't know what the ACE does first: whether it "catches" the traffic to load-balance it, or whether it routes the traffic first (if routing is done first, then FWLB will fail).
All documents that I saw have more than one ACE in their topology for load-balancing.
Also, using several contexts doesn't seem to be an option because I don't have an in/out topology (return traffic may fail, hash predictor source/destination would fail).
Anyone with experience with this type of topology?
Thanks in advance for all the help you can give me.
Best regards,
Joao Carvalho
01-06-2009 02:24 AM
The ACE will first catch the traffic and perform the configured action.
If nothing catches the traffic, the ACE will route it.
Multiple ACEs are usually used because very often the response needs to come back to the same firewall.
So some reverse-sticky operation is required.
Or some other mechanism.
Not sure how you planned to guarantee this.
Gilles.
01-06-2009 02:32 AM
Hi Gilles.
Thanks for your help.
I am thinking about enabling mac-sticky at the interface level to ensure that return traffic will go to the same FWSM.
Thanks once again.
Joao Carvalho
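A configuration sketch of the design discussed in this thread (one ACE in routed mode, a catch-all VIP on each DMZ interface VLAN, the FWSMs as a transparent serverfarm, and mac-sticky on the FWSM-facing VLAN so replies return through the same firewall). This is an added illustration, not a configuration posted by either participant; all names, VLAN numbers and addresses are assumed, and the thread itself reports that this approach only held for simple flows.

```text
! Illustrative ACE (routed mode, single context) configuration for the
! design in this thread. Names, VLAN numbers and addresses are assumed.

! Each FWSM inside-interface is treated as a "real server".
rserver host FWSM-A
  ip address 10.0.0.11
  inservice
rserver host FWSM-B
  ip address 10.0.0.12
  inservice

! "transparent" preserves the original destination IP (no destination NAT),
! which firewall load balancing requires.
serverfarm host FWSM-FARM
  transparent
  predictor hash address source
  rserver FWSM-A
    inservice
  rserver FWSM-B
    inservice

! Catch-all VIP: every flow entering a DMZ interface matches and is
! load-balanced before the ACE would otherwise route it.
class-map match-all FWLB-ANY
  2 match virtual-address 0.0.0.0 0.0.0.0 any

policy-map type loadbalance first-match FWLB-LB
  class class-default
    serverfarm FWSM-FARM

policy-map multi-match FWLB-POLICY
  class FWLB-ANY
    loadbalance vip inservice
    loadbalance policy FWLB-LB

! One interface VLAN per DMZ (default gateway for that DMZ), assumed here
! as VLANs 101 and 102; the same policy is applied to every DMZ VLAN.
interface vlan 101
  description DMZ-01
  ip address 192.168.101.1 255.255.255.0
  service-policy input FWLB-POLICY
  no shutdown

interface vlan 102
  description DMZ-02
  ip address 192.168.102.1 255.255.255.0
  service-policy input FWLB-POLICY
  no shutdown

! VLAN facing the FWSM inside-interfaces. mac-sticky makes the ACE send
! return traffic to the MAC from which the original packet arrived, i.e.
! back to the FWSM that handled the request, instead of consulting the
! routing table.
interface vlan 10
  description FWSM-INSIDE
  ip address 10.0.0.1 255.255.255.0
  mac-sticky enable
  no shutdown
```

The mac-sticky entry is keyed on the source MAC of the packet the ACE saw, so it covers the plain request/response case; it has no knowledge of application-level secondary connections, which is why protocols that open extra flows (FTP data channels, for example) can still be steered to the other FWSM.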
01-06-2009 09:06 AM
Hello again,
You were right, I am having problems with applications like FTP; the return traffic goes to the "wrong" FWSM.
Mac-sticky works fine only with "normal" applications.
Best regards,
Joao Carvalho