load balancing FWLB using ACE

Hi Gents,

Can somebody help me in deciding which predictor method, other than hash-based source (or) destination-based load balancing, to use with FWLB?

Will it be possible to use the least-connections or least-loaded predictor methods, or even the round-robin predictor, for Firewall Load Balancing?

Also, it would be good if someone could refer me to some sample config. I tried to search but did not find any good example in this regard.

Thanks in advance for your prompt response!

Roberts'


5 Replies

sachinga.hcl
Level 4

Hi Robert,


For FWLB, it is recommended that you use only the hash address source and the hash address destination predictors. Using any other predictor with FWLB may fail and block traffic, especially for applications that have separate control and data channels, for example, FTP.

Source IP hashing also provides a simple stateless way to stick a client to the same real server in SLB environments.

Typically, the default balancing method, round robin, also can be used. Since support of multiconnection protocols, such as FTP as I said above, is required in a firewall load balancing design, you have to use predictor hash in your configuration. For multiconnection protocols where some connections are opened by clients and others by servers and you need to make sure all the connections belonging to the same session go through the same firewall, you will have to use source IP hash for incoming connections and destination IP hash for outgoing, or vice versa.

Check the following URL for FWLB config in detail:

http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/v3.00_A1/configuration/slb/guide/fwldbal.html#wpxref70632

HTH

Sachin Garg

Hi Sachin,


Thanks for your prompt reply.

I am going through it.


Will test it in my lab.

I am going through the hash algorithm and it is a bit confusing to me. Could you please tell me how this algorithm works, or is there any way of calculating the hash value?

Any Idea.


Thanks,


Roberts'

Hi Robert,

The algorithm is something like this:

Here is the hash algorithm


((_key) + (_key >> 8) + (_key >> 16) + (_key >> 24))

The _key in this case is the source IP address as an unsigned 32-bit number.

You then do rserver_index = hash % number_of_rserver.

Source and/or Destination IP Hash (Subnet Mask Configurable)

Source or destination IP hash method maps the IP address in the request to a real in a server farm. The configuration options are shown below.

predictor hash address [source | destination] [netmask]

!--- Source/Destination IP hash or predictor hash address.

The default (netmask) is 255.255.255.255. The hash value is produced with the following algorithm:

ip_addr = (Src_or_Dest_Ip_addr & Cfg_Netmask);
hash_index = (ip_addr) + (ip_addr >> 8) + (ip_addr >> 16) + (ip_addr >> 24);

Also, for detailed configuration examples for the hash predictor, kindly refer to the URL below:

http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/v3.00_A1/configuration/slb/guide/fwldbal.html#wpxref70632

HTH

Sachin Garg
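As an added worked example (not code from this post, and not Cisco's own implementation), here is the hash described above carried through in Python for a few constructed addresses, together with the point from the first reply: hashing on the source address for inbound traffic and on the destination address for outbound traffic keys both directions of a session on the client address, so they land on the same firewall. Assumptions: the configured netmask is applied as a bitwise AND before hashing, the sum is kept as an unbounded integer (the post does not say whether it is truncated to 32 bits), and the addresses and the firewall count are constructed.

```python
import ipaddress


def ip_to_u32(addr: str) -> int:
    """Dotted-quad IPv4 address as an unsigned 32-bit integer."""
    return int(ipaddress.IPv4Address(addr))


def ace_hash_index(addr: str, netmask: str = "255.255.255.255") -> int:
    """Hash value as described in the post: mask the address, then add the
    masked value to itself shifted right by 8, 16 and 24 bits.
    Assumption: the sum is not truncated to 32 bits (the post does not say)."""
    key = ip_to_u32(addr) & ip_to_u32(netmask)
    return key + (key >> 8) + (key >> 16) + (key >> 24)


def select_rserver(addr: str, num_rservers: int, netmask: str = "255.255.255.255") -> int:
    """rserver_index = hash % number_of_rserver, as stated in the post."""
    return ace_hash_index(addr, netmask) % num_rservers


def predictor_index(src: str, dst: str, mode: str, num_rservers: int,
                    netmask: str = "255.255.255.255") -> int:
    """Model of 'predictor hash address source|destination' applied to one packet:
    pick the address the predictor keys on, then select the real server."""
    if mode not in ("source", "destination"):
        raise ValueError(f"unknown predictor mode: {mode}")
    return select_rserver(src if mode == "source" else dst, num_rservers, netmask)


def flow_firewalls(client: str, server: str, inbound_mode: str, outbound_mode: str,
                   num_fw: int, netmask: str = "255.255.255.255") -> tuple:
    """Firewall index chosen for the client->server packet (inbound serverfarm)
    and for the server->client reply (outbound serverfarm)."""
    inbound = predictor_index(client, server, inbound_mode, num_fw, netmask)
    outbound = predictor_index(server, client, outbound_mode, num_fw, netmask)
    return inbound, outbound


if __name__ == "__main__":
    # Constructed sample values: one client, one server, three firewalls.
    client, server, num_fw = "192.168.1.10", "10.1.1.20", 3
    print("hash(client) =", ace_hash_index(client))
    # Recommended pairing: source hash inbound, destination hash outbound.
    print("source/destination:", flow_firewalls(client, server, "source", "destination", num_fw))
    # Mismatched pairing: the reply is keyed on the server address instead.
    print("source/source:     ", flow_firewalls(client, server, "source", "source", num_fw))
    # With a /24 netmask every client in 192.168.1.0/24 hashes to the same firewall.
    for c in ("192.168.1.10", "192.168.1.77"):
        print(c, "/24 ->", select_rserver(c, num_fw, "255.255.255.0"))
```

With the constructed values the source/destination pairing returns the same index for both directions, while hashing on source in both contexts keys the reply on the server address and can pick a different firewall; a stateful firewall that never saw the forward packet would drop that reply, which is the traffic-blocking failure the first reply warns about. The /24 netmask case shows the trade-off of the netmask option: coarser masks give better stickiness for a whole client subnet at the cost of a less even spread across firewalls.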

Thanks a lot, Sachin.

That was what I was looking for.

Your reply is very helpful.

Roberts'

Hi Roberts,

You can refer to my previous post in this regard for a more detailed discussion on FWLB, with lots of links for your reference:

https://supportforums.cisco.com/message/3248115#3248115

HTH

Sachin Garg