12-19-2010 11:07 PM
Hi Gents,
Can somebody help me in deciding which predictor method other than hash based source (or) destination based load-balancing when using FWLB?
Will it be possible to use least-connections or least-loaded predictor methods or even round-robin predictor for Firewall Load Balancing?
Also it would be good if someone can refer me to some sample config. I tried to search but I did not find any good example in this regard.
Thanks in advance for your prompt response!
Roberts'
12-19-2010 11:11 PM
Hi Robert,
For FWLB, it is recommended that you use only the hash address source and the hash address destination predictors. Using any other predictor with FWLB may fail and block traffic, especially for applications that have separate control and data channels, for example, FTP.
Source IP hashing also provides a simple stateless way to stick a client to the same real server in SLB environments.
Typically, the default balancing method, round robin, also can be used. Since support of multiconnection protocols, such as FTP as I said above, is required in firewall load balancing design, you have to use predictor hash in your configuration. For multiconnection protocols where some connections are opened by clients and others by servers and you need to make sure all the connections belonging to the same session go through the same firewall, you will have to use source IP hash for incoming connections and destination IP hash for outgoing, or vice versa.
Check the following URL for FWLB config in detail:
http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/v3.00_A1/configuration/slb/guide/fwldbal.html#wpxref70632
HTH
Sachin Garg
12-19-2010 11:15 PM
Hi Sachin,
Thanks for your prompt reply.
I am going through it.
Will test it in my lab.
I am going through the hash algorithm and it is a bit confusing to me. Could you please tell how this algorithm works or is there any way of calculating how the hash value is calculated?
Any idea?
Thanks,
Roberts'
12-19-2010 11:17 PM
Hi Robert,
The algorithm is something like this:
Here is the hash algorithm
((_key) + (_key >> 8) + (_key >> 16) + (_key >> 24))
The _key in this case is the source IP address as an unsigned 32-bit number.
You then do rserver_index = hash % number_of_rserver.
Source or destination IP hash method maps the IP address in the request to a real in a server farm. The configuration options are shown below.
predictor hash address [source | destination] [netmask]
!--- Source/Destination IP hash or predictor hash address.
The default (netmask) is 255.255.255.255. The hash value is produced with the following algorithm:
ip_addr = (Src_or_Dest_Ip_addr & Cfg_Netmask);
hash_index = (ip_addr) + (ip_addr >> 8) + (ip_addr >> 16) + (ip_addr >> 24);
Also, for detailed configuration examples for the hash predictor, kindly refer to the URL mentioned below:
HTH
Sachin Garg
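An added example (not part of the original posts, and not Cisco's code): a small calculator for the hash formula quoted above, used to show why source hash inbound plus destination hash outbound keeps an active-mode FTP session on one firewall while independent round robin on each load balancer can split it. The firewall names, addresses and the 32-bit wraparound of the sum are assumptions made for the illustration.

```python
import ipaddress
from itertools import cycle

def hash_index(ip, netmask="255.255.255.255"):
    """Formula as posted: mask the address, then add its right-shifted copies.
    Assumption: the sum wraps at 32 bits, like a C unsigned int."""
    key = int(ipaddress.IPv4Address(ip)) & int(ipaddress.IPv4Address(netmask))
    return (key + (key >> 8) + (key >> 16) + (key >> 24)) & 0xFFFFFFFF

def pick_firewall(ip, firewalls, netmask="255.255.255.255"):
    """rserver_index = hash % number_of_rserver."""
    return firewalls[hash_index(ip, netmask) % len(firewalls)]

def hashed_path(flows, firewalls):
    """Inbound flows hash the source and outbound flows hash the destination,
    so both load balancers key on the outside client's address."""
    return [pick_firewall(src if direction == "in" else dst, firewalls)
            for src, dst, direction in flows]

def round_robin_path(flows, firewalls):
    """Each load balancer (one per direction) keeps its own rotation."""
    rr = {"in": cycle(firewalls), "out": cycle(firewalls)}
    return [next(rr[direction]) for _src, _dst, direction in flows]

# Constructed sample traffic (documentation addresses, hypothetical names).
FIREWALLS = ["FW1", "FW2", "FW3"]
CLIENT, OTHER, SERVER = "198.51.100.23", "203.0.113.9", "10.0.0.5"
FLOWS = [
    (OTHER, SERVER, "in"),    # unrelated client, advances the outside rotation
    (CLIENT, SERVER, "in"),   # FTP control channel, opened by the client
    (SERVER, CLIENT, "out"),  # active-mode FTP data channel, opened by the server
]

if __name__ == "__main__":
    for name, path in (("hash", hashed_path(FLOWS, FIREWALLS)),
                       ("round robin", round_robin_path(FLOWS, FIREWALLS))):
        print(f"{name:12} control={path[1]} data={path[2]}")
```

With a shorter netmask such as 255.255.255.0, every client in the same /24 produces the same key and therefore lands on the same firewall.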
12-19-2010 11:19 PM
Thanks a lot Sachin.
That was what I was looking for.
Your reply is very helpful.
Roberts'
12-20-2010 12:18 AM
Hi Roberts,
You can refer to my previous post in this regard for a more detailed discussion on FWLB with a lot of links for your reference:
https://supportforums.cisco.com/message/3248115#3248115
HTH
Sachin Garg