Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1099
Views
0
Helpful
6
Replies

cisco ACE and firewall design

helsayed78
Level 1
Level 1

‎08-13-2012 03:12 PM

Guys,

If I have servers protected behind a firewall and I need to load balance some servers , where should I place the ACE?

Sent from Cisco Technical Support iPad App

Labels:
0 Helpful
6 Replies 6

rgadle
Level 1
Level 1

‎08-15-2012 03:12 PM

Hello,

Here it depends, on the nature of configuration that will be done on Ace. As per best practise put firewall in front of ACE. So the topogy should be like FW --> ACE --> SEVER FARM.

Sent from Cisco Technical Support Android App

0 Helpful

helsayed78
Level 1
Level 1

‎08-16-2012 05:20 AM

This means I should go with the bridged mode ...

However I want to go with the one-arm mode.

What do you think?

Sent from Cisco Technical Support Android App

0 Helpful

helsayed78
Level 1
Level 1

‎08-18-2012 02:13 PM

Any idea guys?

Sent from Cisco Technical Su:pport Android App

0 Helpful

sivaksiv
Cisco Employee
Cisco Employee
In response to helsayed78

‎08-18-2012 11:59 PM

Hi,

With one-arm i believe the question is where you want to place the firwall. As long as the client is able to reach the VIP and server replies back to ACE i dont see any problem with this design.

Firewall ---------Switch ---------------- Load Balancer ---

As you know with one-arm requires a source NAT and might not be a good fit for application that are using the source IP address to track client usage patterns. PBR avoids this problem but adds other considerations, such as routing complexity, asymmetrical routing for non-load-balanced flows, and VRF support; PBR is not available on VRFs.

Regards,

Siva

0 Helpful

helsayed78
Level 1
Level 1
In response to sivaksiv

‎08-22-2012 02:07 PM

Actual this is the issue that I am facing ..... I won't be able to trace users since it is using source NAT that is allowed on the firewall to access the application .... And I am controlling the access using the access list on cisco ACE since I have on other options. Can you elaborate more on the PBR ... Think this might help alot.

Sent from Cisco Technical Support iPad App

0 Helpful

sivaksiv
Cisco Employee
Cisco Employee
In response to helsayed78

‎08-23-2012 12:41 AM

Hi,

With PBR, the server sends the packet to its default gateway, then the default gateway routes the packet via pbr to the ACE. 

This ideaology has a few requirements - ACE has to be L2 adjacent to the router that you configure the PBR on, and L2 adjacent to the server to make it simple.

PBR sample config:

http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.2/31sga/configuration/guide/pbroute.html#wp1006646

Regards,

Siva

0 Helpful
Customers Also Viewed These Support Documents