I came up with 2 scenarios for ACE4710 appliance deployment. Please see the drawings in the attached file. Please let me know which scenario will work, or whether both will work.
Thank you in advance.
Both would work, but why you'd use the F/W or ACE as the DG for serverfarm C when you have perfectly functional 3750 L3 switches sitting there is confusing.
Also, I have done this with two farms, but three would be equally easy.
My setup is this:
Serverfarm A - web
Serverfarm B - App
1st for client to web farm
2nd for web server to app farm
Using ACE & FWSM and ASAs.
ACE & FWSM using bridged mode (transparent) with multiple contexts. 1st context for web. 2nd context for App. Using route-health-injection to advertise the VIP back to the MSFC (in our case a Cat6509, but it could be a 3750).
Works great, and using this setup we avoid having to do source NAT. Plus the separate contexts help cut down the config size for each building block. I could add a third VIP for the backend App to DB conversation, but that would break our particular app, and since the DBs are clustered using MSCS, it is not needed.
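The bridged, per-context design described above, written out as an added ACE configuration sketch for the web context; this is constructed here, not the poster's config, and the VLAN numbers, addresses, object names and the /health probe URL are assumptions (the `loadbalance vip advertise` line is the route-health-injection piece for an ACE module paired with an MSFC):

```cisco
! Context WEB: ACE bridges client VLAN 10 and server VLAN 11 (one subnet, so no source NAT)
access-list ALL line 8 extended permit ip any any
probe http WEB-PROBE
  interval 10
  request method get url /health
  expect status 200 200
rserver host WEB1
  ip address 10.1.1.11
  inservice
rserver host WEB2
  ip address 10.1.1.12
  inservice
serverfarm host SF-WEB
  probe WEB-PROBE
  rserver WEB1 80
    inservice
  rserver WEB2 80
    inservice
! VIP for the client-to-web-farm context
class-map match-all VIP-WEB
  2 match virtual-address 10.1.1.100 tcp eq www
policy-map type loadbalance first-match LB-WEB
  class class-default
    serverfarm SF-WEB
policy-map multi-match MM-WEB
  class VIP-WEB
    loadbalance vip inservice
    loadbalance policy LB-WEB
    loadbalance vip icmp-reply active
! RHI: the VIP host route is injected toward the MSFC only while SF-WEB has a live rserver
    loadbalance vip advertise active
! Client-side and server-side VLANs are bridged, so the servers keep their existing DG
interface vlan 10
  bridge-group 1
  access-group input ALL
  service-policy input MM-WEB
  no shutdown
interface vlan 11
  bridge-group 1
  access-group input ALL
  no shutdown
interface bvi 1
  ip address 10.1.1.2 255.255.255.0
  no shutdown
ip route 0.0.0.0 0.0.0.0 10.1.1.1
```

The App context repeats the same pattern on its own VLAN pair with its own VIP; because the ACE bridges rather than routes, server replies return through it without source NAT.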
Thank you for your response. We don't use the 3750 switch as L3 since it's in the DMZ. Hence, we will use the ACE as the DG for those server farms, so that all traffic will be going through the ACE. Also, this will prevent unwanted traffic to the serverfarms from bypassing the ACE. We are planning to deploy in phases. Phase I is to create a new VLAN for Serverfarm A. Then, we will move Serverfarm B to this new VLAN in phase II (Scenario II). We also want to minimize configuration changes on these servers. My main concern was that I am not certain whether the load balancing will work in Scenario II step 2 (to load balance traffic from Serverfarm B to Serverfarm C), which is the opposite direction of the load-balanced traffic in step 1 (users => Serverfarm B). Thank you in advance.