new to ace just purchased a new blade, could somebody advise on deployment in routed and single arm mode. if a client connects to the vip can the traffic route back out the vip interface to the servers. we have a dmz were we want to deploy a vip, once the packet enters the dmz and hits the vip can the servers be located on the same subnet as the vip and also a backup server on another dmz or even the inside of the firewall.
I am also fairly new to the ACE modules, but I think I can answer your question. Yes the servers can be located on the same subnet as the VIP. As for the backup servers, as long as the ACE can reach the servers via IP you can load balance servers even if they are if different VLANs or DMZ's.
I have a context in one arm mode and would suggest against it unless you do not have a choice. Even though one arm mode is easy to set up, it can be a little hard to troubleshoot if you have source NAT enabled, if you do not have Source NAT enabled on the ACE, you will have to configure PBR on the MFSC of the 6500 and specify what you want to go to the ACE(what needs to be load balanced).
If you configure the ACE in routed mode, be sure that you configure it so that you do not run into an assymetrical routing issues.
Like I said; I am fairly new to these load balancers, but we have very talented folks on this site that can assist you with almost any ACE related question that you may have.
Hi John thanks for the reply, if the servers are in the same subnet do you have to use two Vlan with a bridge connection ? the issue i have is the entry point is from a checkpoint firewall, the data traffic comes into the Checkpoint and enters a dmz interface that i was going to put into the 6500 and onto the ACE module, only layer 2 on the 6500 as i dont want to compromise security. this would hit the VIP interface, after that does the traffic have to come out into a separate VLAN hence the bridge connection on the 6500 ? Sorry for the long question but a little confused on the flow of traffic ?
If you plan to use src NAT or PBR then you don't need two Vlans on ACE. Simply extend the current vlan to the ACE module and configure SRC NAT/PBR.
Again the idea is to make sure that return traffic from the servers should not bypass ACE module.
If you want to use ACE module as a bridge between firewall & all servers ( with this topolgy all the traffic to/from servers will pass through ACE module) then you need two vlans.
Lets say currently you have VLANX connecting Firewall & 6500 and all servers are connected to the same vlan.
You can create a new Vlan "VLAN Y" , assign "checkpoint interface on 6500" to VLAN Y, assign VLAN X & VLAN Y to ACE and bridge VLANY (new vlan) & VLANX (Old VLAN) using ACE.