Hi,

With one-arm i believe the question is where you want to place the firwall. As long as the client is able to reach the VIP and server replies back to ACE i dont see any problem with this design.

Firewall ---------Switch ---------------- Load Balancer ---

As you know with one-arm requires a source NAT and might not be a good fit for application that are using the source IP address to track client usage patterns. PBR avoids this problem but adds other considerations, such as routing complexity, asymmetrical routing for non-load-balanced flows, and VRF support; PBR is not available on VRFs.

Regards,

Siva

Actual this is the issue that I am facing ..... I won't be able to trace users since it is using source NAT that is allowed on the firewall to access the application .... And I am controlling the access using the access list on cisco ACE since I have on other options. Can you elaborate more on the PBR ... Think this might help alot.

Sent from Cisco Technical Support iPad App

Hi,

With PBR, the server sends the packet to its default gateway, then the default gateway routes the packet via pbr to the ACE. 

This ideaology has a few requirements - ACE has to be L2 adjacent to the router that you configure the PBR on, and L2 adjacent to the server to make it simple.

PBR sample config:

http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.2/31sga/configuration/guide/pbroute.html#wp1006646

Regards,

Siva