I need some assistance and guidance from a seasoned individual who has specific experience implementing a server farm solution that uses load balancing, firewalling and HSRP.
My questions involve the placement of the default gateway.
I would think that for traffic in the client -> server direction, it should be the following way (keep in mind an L2 access layer design):
TRAFFIC FLOW: client -> core ->server farm aggregation switch ->firewall ->load balancer ->L2 access switch -> server
...where, starting from the agg switch that receives client traffic destined for the server, the defaults should be set accordingly:
agg switch forwards all traffic destined for server subnets to the firewall's OUTSIDE interface; firewall forwards server subnet traffic to the load balancers VIP for the subnet; load balancer forwards traffic to a specific server that is part of the load-balanced group.
TRAFFIC FLOW 2: server -> access switch ->load balancer -> firewall ->agg switch -> core
...where, starting from the server and destined for the core, the defaults should be set accordingly:
server defaults to load balancer ( but what interface on the LB); load balancer defaults to firewall INSIDE interface; firewall defaults to subnet HSRP group -> traffic forwarded to core
Am I making sense? (I normally don't! LOL)
[EDIT] By the way, I realize that there are many ways to implement such a design. It can be very nuanced. What I am looking for is a few scenarios based on real-world experience.
Thank you in advance.
Solved! Go to Solution.
As you say there are a number of ways of deploying this scenario ie. firewalled/load balanced servers and i have done 2 ways.
1) Firewall in routed mode/load balancer in bridge (L2) mode.
2) Firewall in routed mode/load balancer in "one-armed" mode.
1) i have deployed with combinations of standalone pix firewalls/local-directors/CSS11500's/FWSM's/CSM-S
2) i have deployed with FWSM's and CSM-S's.
It would help if you could let us know what the firewall and load balancers are and if you have any preferences as to whether you run the firewall in routed/transparent and the load balancer in routed/bridged/one-armed mode.
You know, I honestly dont have any particular preference. Ive examined this scenario a lot from a high level design approach, but dont have too much experience actually implementing it.
So, I would really need someone to educate me on what my options are, best practices and the implications fo doing things certain ways.
I know its asking a lot. But even a skeleton model with something to build on would be great.
Lets just say we are dealing with a Cisco FWSM and a CSS in a 6500 aggregation switch chassis.
I have yet to read it, but I will in a few minutes. Nonetheless, I am sure it's typical of your work and reflects you great insight -- I appreciate all the time you took to write all that.
I am really appreciative, buddy. I owe you one. If you're in NY, dinner is on me. :-)
No problem, pleasures all mine. I'm sure you'll have more questions !!.
If you ever get over to London let me know.
Apologies - there is a typo in a quite critical bit in the doc.
5) The servers responds and sends the packet back to it's default-gateway ie. the FWSM server vlan interface. The FWSM then sends the packet back out onto the VIP dmz because the destination IP address is routed back to the FWSM.
The last bit should read
because the destination IP address is routed back to the CSM.
As if it wasn't confusing enough !!
What you wrote was awesome, dude. I really appreciat ethe detail and care you out into this.
I'll need some time to digest it all and make a mental picture so I can fully understand it.
I'll let you know in the future if I need more help.