We are installing a core consisting of two 6513s and two 6509s at the distribution layer, all running EIGRP. The dist layer is redundantly connected to each core box, which are also linked. HSRP provides failover. The design incorporates asymmetric routing... Packets are routed by destination, but may not return via the same path.
My question is: in each 6513, we plan to install a firewall blade. Will these firewall blades work if the network is designed to load share across the two 6513s?
Are you load-sharing or using HSRP in an active-standby role? If you're load-sharing, then there's really no practicable way to get this to work. If you're doing HSRP with your routers and only one router will be active at any time, then you could just have each HSRP router talk to one particular firewall blade only. You'll run into issues when the routers switch over, but people should be able to just reconnect and start working again (sort of like non-stateful failover). Pretty messy, but I can't see any other way around it. Of course, I don't have a clear picture of your design, so there may be better ways, but not with load-sharing.
Thanks again for your comments. I think we're going to run one firewall blade in failover mode and filter all outbound (Internet) traffic through the other one; we'll leave HSRP enabled and route internal traffic to the server farm, but not through the firewall blade...just use ACLs.
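The behaviour discussed in this thread, as an added example that is not from any of the posters: a toy Python model of two stateful firewall blades that do not share connection state, comparing per-destination load sharing with HSRP active/standby and a failover. The `Blade` class, the flows and the rule that picks a blade from the destination's last octet are assumptions made for illustration; nothing here models the actual firewall blade software.

```python
class Blade:
    def __init__(self):
        self.conns = set()  # connection table of (client, server) pairs

    def outbound(self, client, server):
        self.conns.add((client, server))  # first packet creates state

    def inbound(self, server, client):
        # Return traffic passes only if this blade saw the outbound packet.
        return (client, server) in self.conns


def last_octet(ip):
    return int(ip.rsplit(".", 1)[1])


def load_shared(blades, client, server):
    """Each direction picks a blade from the packet's destination only."""
    fwd = blades[last_octet(server) % 2]
    rev = blades[last_octet(client) % 2]
    fwd.outbound(client, server)
    return rev.inbound(server, client)


def active_standby(blades, active, client, server, new_connection=True):
    """Both directions use the blade behind the active HSRP router."""
    blade = blades[active]
    if new_connection:
        blade.outbound(client, server)
    return blade.inbound(server, client)


def run_demo():
    # Constructed sample flows (private and documentation addresses).
    flows = [("10.1.1.10", "192.0.2.21"), ("10.1.1.11", "192.0.2.21")]
    ls, hs = [Blade(), Blade()], [Blade(), Blade()]
    shared = [load_shared(ls, c, s) for c, s in flows]
    before = [active_standby(hs, 0, c, s) for c, s in flows]
    # HSRP fails over: existing sessions have no state on the other blade.
    stale = [active_standby(hs, 1, c, s, new_connection=False) for c, s in flows]
    reconnect = [active_standby(hs, 1, c, s) for c, s in flows]
    return {"load_shared": shared, "before_failover": before,
            "after_failover_existing": stale, "after_reconnect": reconnect}


if __name__ == "__main__":
    for scenario, results in run_demo().items():
        print(scenario, results)
```

Each list holds one result per flow, where `True` means the return packet was accepted. Under load sharing the first flow's reply lands on the blade that never saw the outbound packet and is dropped, while under active/standby sessions break only at failover and work again after reconnecting.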