How does Firewall Load Balancing Work on the ACE module?

ggombas
Level 4

When the ACE does server load balancing, it NATs the destination VIP IP to the real server IP and thus changes the destination IP address in the IP header to that of the real server and the destination MAC address in the Ethernet header to that of the server or next hop device (if server is not directly connected).

When doing FWLB, however, I suspect such a rewrite will not occur because if the destination IP address is changed to the real IP of the firewall, the firewall will see the packet addressed to itself and drop it.

My questions are:

1. How does the ACE perform load balancing without rewriting the destination IP?

2. What part of the ACE configuration indicates to the ACE that a packet will be load balanced to a firewall rather than a server? I am guessing it has to do with the class-map matching on a network specific or "catch-all" VIP rather than a host specific VIP?

Thanks,

Gregory Gombas

CCIE# 19649

Accepted Solution

dario.didio
Level 4

Hello,

indeed, no NAT should be performed when doing FW LB. This is accomplished by specifying the "transparent" command in the serverfarm where you defined the FWs as rservers.

--

You can instruct the ACE not to use NAT to translate the VIP address to the server IP address by using the transparent command in serverfarm host configuration mode. Use this command in firewall load balancing (FWLB) when you configure the insecure and secure sides of the firewall as a server farm. For details about FWLB, see Chapter 6, Configuring Firewall Load Balancing. The syntax of this command is as follows:

transparent

For example, enter:

host1/Admin(config-sfarm-host)# transparent

--

Also, you want the return traffic going back to the same FW as it came in. This is done by specifying the command "mac-sticky enable".

--

The mac-sticky feature ensures that the ACE sends return traffic to the same upstream device through which the connection setup from the original client was received. When you enable this feature, the ACE uses the source MAC address from the first packet of a new connection to determine the device to send the return traffic. This guarantees that the ACE sends the return traffic for load-balanced connections to the same device originating the connection. By default, the ACE performs a route lookup to select the next hop to reach the client.

This feature is useful when the ACE receives traffic from Layer 2 and Layer 3 adjacent stateful devices, like firewalls and transparent caches, guaranteeing that it sends return traffic to the correct stateful device that sourced the connection without any requirement for source NAT. For more information on firewall load balancing, see the Cisco Application Control Engine Module Security Configuration Guide.

To enable the mac-sticky feature for a VLAN interface, use the mac-sticky enable command in interface configuration mode. By default, the mac-sticky feature is disabled on the ACE. The syntax of this command is:

mac-sticky enable

For example, to enable the mac-sticky feature, enter:

host1/Admin(config-if)# mac-sticky enable

--

More info about FW load balancing can be found here:

http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/v3.00_A2/configuration/slb/guide/fwldbal.html

Hope this helps.

Regards,

Dario

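A minimal ACE configuration that puts the two commands from the answer together, added here as an illustration and not taken from the original post or from Cisco's guide; the rserver and policy names, the VLAN number and the IP addresses are constructed, and the catch-all virtual-address class map follows the guess in the question rather than anything the answer states:

```text
rserver host FW-INSIDE-1
  ip address 192.0.2.11
  inservice
rserver host FW-INSIDE-2
  ip address 192.0.2.12
  inservice

serverfarm host FW-FARM
  transparent
  predictor hash address source
  rserver FW-INSIDE-1
    inservice
  rserver FW-INSIDE-2
    inservice

class-map match-all FWLB-CATCHALL-VIP
  2 match virtual-address 0.0.0.0 0.0.0.0 any

policy-map type loadbalance first-match FWLB-LB
  class class-default
    serverfarm FW-FARM

policy-map multi-match FWLB-POLICY
  class FWLB-CATCHALL-VIP
    loadbalance vip inservice
    loadbalance policy FWLB-LB

interface vlan 10
  ip address 192.0.2.2 255.255.255.0
  mac-sticky enable
  service-policy input FWLB-POLICY
  no shutdown
```

With transparent set on the serverfarm the packet keeps its original destination IP and only the destination MAC is rewritten to the chosen firewall, while mac-sticky enable on the VLAN sends the reply back through the firewall whose MAC sourced the first packet of the connection. The same serverfarm and policy pattern is configured on the other side of the firewalls for the reverse direction, as the answer notes for the insecure and secure sides.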

3 Replies


Thanks Dario - that was a perfect explanation! Just what I was looking for!

Is it possible to use any other predictor method other than hash based source (or) destination based load-balancing?

If I am using reverse-sticky groups (along with mac-sticky) then will it be possible to use least-connections or least-loaded predictor methods or even round-robin predictor for Firewall Load Balancing?

http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA4_1_0/configuration/slb/guide/sticky.html#wp1184416

Thanks in advance for your prompt response!
