Chapter 10: Server Load Balancing (SLB) 159
Section 10-2
■ Firewall load balancing is performed by computing a hash value of each new traffic
flow (source and destination IP addresses and ports). This is called a route lookup.
■ The firewall load-balancing device then masquerades as the IP address for all
firewalls in the firewall farm.
■ Firewall load balancing can detect a firewall failure by monitoring probe activity.
■ The HSRP can be used to provide a “stateless backup” redundancy for multiple firewall
load-balancing devices. If one device fails, a redundant device can take over its function.
■ Multiple firewall load-balancing devices can also use “stateful backup” for redun-
dancy. Backup devices keep state information dynamically and can take over immedi-
ately if a failure occurs.
Configuration
1. Define a firewall farm.
a. Assign a name to the firewall farm:
(global) ip slb firewallfarm firewallfarm-name
In IOS SLB, the collection of firewalls is referenced by firewallfarm-name (text
string up to 15 characters).
b. Identify one or more firewalls in the farm.
■ Specify the firewall’s IP address:
(firewall-farm) real ip-address
The firewall is directly connected (same logical subnet) to the load-balancing
device with an interface at IP address ip-address.
■ (Optional) Assign a relative capacity weight:
(real-firewall) weight weighting-value
The real firewall is assigned a weighting-value (1 to 255; default 8) that indi-
cates its capacity relative to other real firewalls in the firewall farm. These val-
ues are statically defined and are based on what you think the firewall can han-
dle, relative to the others. The weight values are used only for round-robin or
least-connections algorithms.
■ (Optional) Define one or more probes to detect a firewall failure:
(real-firewall) probe probe-name
The probe that is defined by probe-name (text string) is used periodically to
determine whether the firewall has failed. Even if more than one probe is
defined, the firewall is declared down if it fails just one probe. A firewall must
pass all probes to be recovered again.
To Next Page
Loading...
Need help?
General