Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2204
Views
3
Helpful
4
Replies

ACE Appliance design question

fashour
Level 1
Level 1

‎11-04-2011 10:15 AM

I have a pair of ace appliances that I would like to deploy. One of the requiremnts is to balance traffic in DMZ and INSIDE network. The 2 networks are seperated by a Firewall and the firewall connect to DMZ switch and Inside Switch respectively.

My idea is to have the ACE connected to each switch seperately by utilizing 2 port port channel to each the DMZ and the inside switch. I would create a DMZ context and Inside context plus admin context.The port channel connected to the inside switch to carry inside and admin context VLANs and the port channel connected to DMZ switch to carry the DMZ context VLANs. I will allocate DMZ VLANs to DMZ context and Inside VLANs to Inside Context.

Is this doable? How would redundancy be implemented in this design? Would FT vlan configured in admin context take care of redundancy in dmz context? I would assigne management vlan to admin to inside and admin context, would that be suffecient/work (manage the DMZ context using the admin)? Any direction or comments would be greatly appreciated.

Labels:
0 Helpful
4 Replies 4

Marko Leopold
Level 1
Level 1

‎11-07-2011 03:07 AM

I think it is ok what you are trying to do. You just have to be aware, that a problem in the INSIDE network will might affect a failover in the DMZ-context.

fashour
Level 1
Level 1
In response to Marko Leopold

‎11-07-2011 08:19 AM

Thank you for the reply. I just wanted to test the field of experts here since I have not found design matching to what I am proposing. Is there any other gotchas or problems that can be incurred with this design? Is there a better way of doing it? Thanks again..

Fadi

0 Helpful

Marko Leopold
Level 1
Level 1
In response to fashour

‎11-08-2011 01:37 AM

There are always a lot of ways to do this. And because of the contexts in ACE you can split the function of your ACE into several virtual ACEs. Sometimes its more a political question then a technical. Because there will be running traffic from DMZ and internal network through the same device. If you have concern about this, you should use 2 different ACE for this.

0 Helpful

fashour
Level 1
Level 1

‎11-08-2011 04:18 PM

It is no concern that DMZ and inside sharing the same box. In fact, this is a requirement. You said there are many ways of doing this. What are different ways of doing it other than what I mentioned? Thanks again.

Sent from Cisco Technical Support iPhone App

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents