Re: Loadbalancing outgoing traffic on internet connections with

cbluhme · ‎06-19-2002

Today we have a fairly expensive hi-speed link to the internet for browser-traffic. We have separate connections for ingoing traffic, so this question is only about outgoing connections.

I would like to make a cheaper setup by ordering maby 32 ADSL connections terminated with ethernet routers (with 1 public address on each) and a couple of CSS switches to loadbalance the requests on the connections.

The CSS should be able to keepalive some resources on the internet to monitor if the individual connections are working.

There are a few problems:

1) Megaproxy - if sticky is not used, client requests will be coming from a "new" source-address for every request - some sites dont handle that well yet. Sticky source-ip cannot be used since we have a smartfilter proxy (and firewall) that all requests go through - ei all requests comes from same address seen from the css. cookie sticky... not possible because:

2) This does not really involve any VIPs or services, only source nat and loadbalancing outgoing interfaces.

Is it possible at all ? What other solutions could give me this functionality

Thanks

Christian

ahojmark · ‎06-19-2002

No, basically.

The CSS cannot currently load-balance outgoing traffic across multiple connections. If you (like others) need that fuctionality, I would highly recommend you contact your account team.

Regards,

-A

bjames · ‎06-22-2003

-A,

Are you saying you cannot balance outbound (to public side) over two firewall connections? Why not?

Thanks,

Gilles Dufour · ‎06-22-2003

the CSS can do firewall loadbalancing.

Just define your two firewall with the command 'firewall' then configure static routes pointing to the firewall like this :

ip route 0.0.0.0 0.0.0.0 firewall 1

ip route 0.0.0.0 0.0.0.0 firewall 2

What the CSS can't do is that if you have 2 interfaces to reach firewall 1, we will only use one of them.

But we are working on the etherchannel feature which will let you combine links into a single one.

I can provide you link to sample configs if needed.

Gilles.

bjames · ‎06-23-2003

Gilles,

Merci, I would appreciate the configs. I would like to balance in front of the firewalls, in their DMZ and on the return path. Unfortuneatly there is only 1 CSS, so I assume I can setup 3 VLANs to handle this?

Thanks for anymore info.

Gilles Dufour · ‎06-25-2003

with 1 CSS, you can't do firewall loadbalancing.

The reason is that a 2nd CSS is needed to make sure the returning traffic goes back to the same firewall (otherwise you get into trouble).

So, with one CSS only you have no solution.

Gilles.

bhose · ‎06-20-2002

You may wnt to checkout a product by radware called linkproof. This may do the job for you

gilles.delcroix · ‎06-20-2002

you can check a product by F5 Network to : link controller

clayton-price · ‎06-23-2003

I currently have two upstream routers. On my CSS, I pointed one default route to one router, the other default route to the other router. This seems to load balance outgoing traffic fine. The CSS issues an icmp ping to each router to see if it is alive, it the ping fails, the route is removed from the route table.

I'm not sure why your issues with a megaproxy would be any different if you had a single path to the internet. Why would the this behave any differently with multiple Internet connections? Why the source NAT?

Loadbalancing outgoing traffic on internet connections with css