Cisco Support Community

New Member

FWLB with one ACE

Hello.

I am planning the deployment of FWLB with only one ACE in routed mode. I have more than 20 DMZs, and all traffic between them must be balanced by the ACE to be filtered by one of the FWSMs.

On ACE, I am planning to create one interface VLAN per DMZ (default gateway for each DMZ) with a catch-all VIP (0.0.0.0 0.0.0.0). My problem is that all VLANs/networks will be directly connected to the ACE, and I don't know what ACE does first... whether it "catches" the traffic to load-balance it or routes the traffic first (if routing is done first, then FWLB will fail).

All documents that I saw have more than one ACE in their topology for load-balancing.

Also, using several contexts doesn't seem to be an option because I don't have an in/out topology (return traffic may fail; a hash predictor on source/destination would fail).

Anyone with experience with this type of topology?

Thanks in advance for all the help you can give me.

Best regards,

Joao Carvalho

1 ACCEPTED SOLUTION

Accepted Solutions
Cisco Employee

Re: FWLB with one ACE

ACE will first catch the traffic and perform the configured action.

If nothing catches the traffic, ACE will route it.

Multiple ACEs are usually used because very often the response needs to come back to the same firewall.

So some reverse-sticky operation is required.

Or some other mechanism.

Not sure how you planned to guarantee this.

Gilles.

3 REPLIES

New Member

Re: FWLB with one ACE

Hi Gilles.

Thanks for your help.

I am thinking about enabling mac-sticky at interface level to ensure that return traffic will go to the same fwsm.

Thanks once again.

Joao Carvalho
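As an added illustration (not configuration from the thread, from Cisco documentation, or from the poster): a minimal ACE routed-mode FWLB fragment for two of the DMZ interface VLANs, with a catch-all VIP in front of a transparent (no-NAT) serverfarm of two FWSMs and mac-sticky enabled on each interface, as the posts above describe. All names, addresses, the ACL and the predictor choice are assumptions.

```cisco
! Added example, not from the thread. Names and addresses are placeholders.
! ACE denies traffic by default, so an input ACL is required on each interface.
access-list ALL extended permit ip any any

! The FWSM interfaces facing the ACE are modelled as real servers.
rserver host FWSM1
  ip address 10.255.0.11
  inservice
rserver host FWSM2
  ip address 10.255.0.12
  inservice

! "transparent" keeps the original destination address (no server NAT),
! so the FWSM sees the real DMZ-to-DMZ flow.
serverfarm host FWSM-FARM
  transparent
  predictor hash address source 255.255.255.255
  rserver FWSM1
    inservice
  rserver FWSM2
    inservice

! Catch-all VIP: any destination, any protocol. Matched before routing,
! which is the order Gilles describes (catch first, route only if nothing matches).
class-map match-all CATCH-ALL
  2 match virtual-address 0.0.0.0 0.0.0.0 any

policy-map type loadbalance first-match FWLB-LB
  class class-default
    serverfarm FWSM-FARM

policy-map multi-match FWLB-VIP
  class CATCH-ALL
    loadbalance vip inservice
    loadbalance policy FWLB-VIP-DUMMY
    loadbalance policy FWLB-LB

! One interface VLAN per DMZ; the ACE is the default gateway of each.
! mac-sticky sends return traffic back to the MAC it arrived from,
! i.e. the FWSM that forwarded the original packet.
interface vlan 101
  description DMZ-01
  ip address 10.101.0.1 255.255.255.0
  mac-sticky enable
  access-group input ALL
  service-policy input FWLB-VIP
  no shutdown

interface vlan 102
  description DMZ-02
  ip address 10.102.0.1 255.255.255.0
  mac-sticky enable
  access-group input ALL
  service-policy input FWLB-VIP
  no shutdown
```

The same service policy is applied to every DMZ VLAN so that the catch-all VIP is hit regardless of which directly connected network a packet arrives from. Note the last reply in this thread: mac-sticky kept return traffic on the same FWSM only for "normal" applications and not for FTP, so this fragment is a starting point for the case the poster first tested, not a complete answer for multi-connection protocols.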

New Member

Re: FWLB with one ACE

Hello again,

You were right, I am having problems with applications like FTP; the return traffic goes to the "wrong" FWSM.

Mac-sticky works fine only with "normal" applications.

Best regards,

Joao Carvalho
