01-07-2009 02:29 PM
When the ACE does server load balancing, it NATs the destination VIP IP to the real server IP and thus changes the destination IP address in the IP header to that of the real server and the destination MAC address in the Ethernet header to that of the server or next hop device (if server is not directly connected).
When doing FWLB, however, I suspect such a rewrite will not occur because if the destination IP address is changed to the real IP of the firewall, the firewall will see the packet addressed to itself and drop it.
My questions are:
1. How does the ACE perform load balancing without rewriting the destination IP?
2. What part of the ACE configuration indicates to the ACE that a packet will be load balanced to a firewall rather than a server? I am guessing it has to do with the class-map matching on a network specific or "catch-all" VIP rather than a host specific VIP?
Thanks,
Gregory Gombas
CCIE# 19649
01-08-2009 12:31 AM
Hello,
indeed, no NAT should be performed when doing FW LB. This is accomplished by specifying the "transparent" command in the serverfarm where you defined the FWs as rservers.
--
You can instruct the ACE not to use NAT to translate the VIP address to the server IP address by using the transparent command in serverfarm host configuration mode. Use this command in firewall load balancing (FWLB) when you configure the insecure and secure sides of the firewall as a server farm. For details about FWLB, see Chapter 6, Configuring Firewall Load Balancing. The syntax of this command is as follows:
transparent
For example, enter:
host1/Admin(config-sfarm-host)# transparent
--
Also, you want the return traffic going back to the same FW as it came in. This is done by specifying the command "mac-sticky enable"
--
The mac-sticky feature ensures that the ACE sends return traffic to the same upstream device through which the connection setup from the original client was received. When you enable this feature, the ACE uses the source MAC address from the first packet of a new connection to determine the device to send the return traffic. This guarantees that the ACE sends the return traffic for load-balanced connections to the same device originating the connection. By default, the ACE performs a route lookup to select the next hop to reach the client.
This feature is useful when the ACE receives traffic from Layer 2 and Layer 3 adjacent stateful devices, like firewalls and transparent caches, guaranteeing that it sends return traffic to the correct stateful device that sourced the connection without any requirement for source NAT. For more information on firewall load balancing, see the Cisco Application Control Engine Module Security Configuration Guide.
To enable the mac-sticky feature for a VLAN interface, use the mac-sticky enable command in interface configuration mode. By default, the mac-sticky feature is disabled on the ACE. The syntax of this command is:
mac-sticky enable
For example, to enable the mac-sticky feature, enter:
host1/Admin(config-if)# mac-sticky enable
--
More info about FW load balancing can be found here:
Hope this helps.
Regards,
Dario
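To show where the two commands above sit in a full FWLB context, here is an added illustration that is not part of Dario's reply or of any Cisco document: a minimal insecure-side ACE configuration with a transparent serverfarm of firewalls, a hash predictor, and mac-sticky on the client-facing VLAN. The rserver, serverfarm, class-map, policy-map and interface names, the VLAN number and all IP addresses are constructed placeholders; the catch-all VIP class-map is included because the original question asks how the ACE knows a flow is destined for a firewall rather than a host VIP, and that is the usual way it is expressed, but the thread itself does not state it.

```text
! Added illustration, not from the thread. Names, VLAN 10 and all
! addresses are placeholders. Lines starting with "!" are annotations.

! Each firewall's insecure-side address becomes a real server.
rserver host FW1
  ip address 10.1.1.1
  inservice
rserver host FW2
  ip address 10.1.1.2
  inservice

! "transparent" tells the ACE not to NAT the VIP to the rserver IP,
! so the firewall sees the packet still addressed to its real
! destination and forwards it instead of dropping it.
! The source-address hash keeps all packets of one client on the
! same firewall (one of the hash predictors the follow-up asks about).
serverfarm host FW-FARM
  transparent
  predictor hash address source
  rserver FW1
    inservice
  rserver FW2
    inservice

! Catch-all VIP: any destination address arriving on this interface
! matches and is load balanced across the firewalls.
class-map match-all FWLB-VIP
  2 match virtual-address 0.0.0.0 0.0.0.0 any

policy-map type loadbalance first-match FWLB-LB
  class class-default
    serverfarm FW-FARM

policy-map multi-match FWLB-MM
  class FWLB-VIP
    loadbalance vip inservice
    loadbalance policy FWLB-LB

! Client / insecure-side VLAN. "mac-sticky enable" returns reply
! traffic to the MAC address that sourced the connection rather than
! doing a route lookup, so a stateful device upstream always sees both
! directions of its flows.
interface vlan 10
  description client / insecure side
  ip address 10.0.10.2 255.255.255.0
  mac-sticky enable
  service-policy input FWLB-MM
  no shutdown
```

The secure side of the firewalls is configured the same way on a second context or VLAN, with a serverfarm holding the firewalls' secure-side addresses, so that traffic initiated from the inside also leaves through a single firewall and its return traffic comes back through the same one. Verify with the same show commands you would use for a host serverfarm (serverfarm and rserver state, and the sticky or connection tables) that each flow's two directions are attributed to the same rserver.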
01-08-2009 06:03 AM
Thanks Dario - that was a perfect explanation! Just what I was looking for!
12-13-2010 06:55 PM
Is it possible to use any other predictor method other than hash based source (or) destination based load-balancing?
If I am using reverse-sticky groups (along with mac-sticky) then will it be possible to use least-connections or least-loaded predictor methods or even round-robin predictor for Firewall Load Balancing?
Thanks in advance for your prompt response!