yammy1688_99834
Feb 02, 2011 | Nimbostratus
Dedicated firewall interfaces for each pool, LTM config?
I'm putting the LTM in an environment where we have dedicated firewall (FWSM) interfaces (along with corresponding ACLs) for each pool/farm and require that all traffic for a given farm flows through its respective firewall interface.
I've tried using VLAN groups and keeping the firewall interface and pool members in separate VLANs, but it just doesn't seem that reliable. I'm running into a situation right now whereby the modified (translucent) MAC address advertised by the LTM for a particular pool shows up on both the pool and firewall VLANs, preventing access to the servers directly. The virtual IP and self-IPs ping fine, however. Any ideas on what could cause this?
I've resorted to keeping everything in the same VLAN and SNATing. However, I'm wondering if it is possible to see the client IPs on the servers using this method?
Thanks,
-Ken