https://community.cisco.com/t5/application-networking/acesm-fwsm-design-query/m-p/1370370#M28496 <P><SPAN style="font-family: 'PrimaSans BT,Verdana,sans-serif';">Dear , <BR /> <BR />we have 2x6509 each conatins sup720-VSS , ACE20 &amp; FWSM module to implement as Data-Centre Aggregation switches.<BR /> <BR />Now regarding our Data-centre we have 2 subnets and all our servers are in these 2 subnets. And we dont want to pass all traffic which we dont want to loadbalance thru ACE.We just want to pass all traffic thru MSFC and then FWSM(we will put all security features here) and then we will forward traffic to ACE(allow any any access list) if SLB desired otherwise directly to server.<BR /> <BR />But the main issue here is that we are hosting servers with slb requirement and non-slb servers in same subnet. So i just want to know considering this limitation above scenario we want is possible or not?<BR /> <BR />Thanks </SPAN></P><P>Wali</P> Tue, 29 Dec 2009 07:20:29 GMT KFU NOC 2009-12-29T07:20:29Z https://community.cisco.com/t5/application-networking/acesm-fwsm-design-query/m-p/1370370#M28496 <P><SPAN style="font-family: 'PrimaSans BT,Verdana,sans-serif';">Dear , <BR /> <BR />we have 2x6509 each conatins sup720-VSS , ACE20 &amp; FWSM module to implement as Data-Centre Aggregation switches.<BR /> <BR />Now regarding our Data-centre we have 2 subnets and all our servers are in these 2 subnets. And we dont want to pass all traffic which we dont want to loadbalance thru ACE.We just want to pass all traffic thru MSFC and then FWSM(we will put all security features here) and then we will forward traffic to ACE(allow any any access list) if SLB desired otherwise directly to server.<BR /> <BR />But the main issue here is that we are hosting servers with slb requirement and non-slb servers in same subnet. So i just want to know considering this limitation above scenario we want is possible or not?<BR /> <BR />Thanks </SPAN></P><P>Wali</P> Tue, 29 Dec 2009 07:20:29 GMT https://community.cisco.com/t5/application-networking/acesm-fwsm-design-query/m-p/1370370#M28496 KFU NOC 2009-12-29T07:20:29Z https://community.cisco.com/t5/application-networking/acesm-fwsm-design-query/m-p/1370371#M28497 <HTML><HEAD></HEAD><BODY><P>Wali,</P><P></P><P>this is possible but more complicated,</P><P></P><P></P><P><SPAN style="font-family: courier new,courier;">&nbsp;&nbsp; Internet</SPAN></P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; |</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; MSFC</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; |</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; FWSM---- ACE</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; |&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; |</P><P>&nbsp; Subnet1&nbsp; Subnet2</P><P></P><P></P><P>The flow client---&gt; ACE ---&gt; servers is not a problem with this design.</P><P></P><P>The concern is the response from the servers.</P><P>You need a way to force the FWSM to send the response to ACE and not directly to the client on the Internet.</P><P>And only for traffic that was loadbalanced.</P><P></P><P>You only have 2 options.</P><P>1/ Do client nat for all traffic going through ACE. Easy to do.&nbsp; But you lose information about client source ip address on the servers.</P><P>For HTTP, you could keep this information by instructing ACE to insert this info in the http header.</P><P></P><P>2/ Put the MSFC right after FWSM as well and implement policy-routing on the MSFC . Based on src ip and tcp src port decide to send the traffic to ACE or not.</P><P></P><P>It is much better to create a subnet for LB servers and put this subnet behind the ACE module.</P><P></P><P></P><P><SPAN style="font-family: courier new,courier;">&nbsp;&nbsp; Internet</SPAN></P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; |</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; MSFC</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; |</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; FWSM---- ACE ----- LB_Subnet</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; |&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; |</P><P>&nbsp; Subnet1&nbsp; Subnet2</P><P></P><P>Gilles.</P></BODY></HTML> Wed, 30 Dec 2009 09:13:11 GMT https://community.cisco.com/t5/application-networking/acesm-fwsm-design-query/m-p/1370371#M28497 Gilles Dufour 2009-12-30T09:13:11Z https://community.cisco.com/t5/application-networking/acesm-fwsm-design-query/m-p/1370372#M28498 <HTML><HEAD></HEAD><BODY><P>Thanks Gilles !</P><P></P><P>Suppose if i choose to put FWSM above MSFC and do PBR on MSFC for SLB severs in subnet1 &amp; subnet2.</P><P>Is there any flaw from design point in this solution.</P><P></P><P></P><P><SPAN style="font-family: courier new,courier;">&nbsp;&nbsp; Internet</SPAN></P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; |</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; FWSM</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; |</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; MSFC---- ACE</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; |&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; |</P><P>&nbsp; Subnet1&nbsp; Subnet2</P><P></P><P></P><P>Wali</P></BODY></HTML> Wed, 30 Dec 2009 09:53:12 GMT https://community.cisco.com/t5/application-networking/acesm-fwsm-design-query/m-p/1370372#M28498 KFU NOC 2009-12-30T09:53:12Z https://community.cisco.com/t5/application-networking/acesm-fwsm-design-query/m-p/1370373#M28499 <HTML><HEAD></HEAD><BODY><P>Wali,</P><P></P><P>no problem with the design.</P><P>This is actually a common solution.</P><P></P><P>Gilles.</P></BODY></HTML> Wed, 30 Dec 2009 16:13:33 GMT https://community.cisco.com/t5/application-networking/acesm-fwsm-design-query/m-p/1370373#M28499 Gilles Dufour 2009-12-30T16:13:33Z