weighted firewall loadbalancing

msmoon · ‎02-21-2003

I have a customer who are using CSS as a firewall load balancer.

by the way he have two firewall with fast-ethernet interfaces and two with Gigabit ethernet interfaces.

Now the load is 1:1:1:1.

Can I give a load to firewall path on CSS?

Then, what command it is?

Gilles Dufour · ‎02-22-2003

There is currently no way to give a weight to a firewall.

However, you could play with the static routes so that more routes point to the

GigE Firewalls.

You would do something like this

ip route 0.0.0.0/0 firewall 1

ip route 0.0.0.0/0 firewall 2

ip route 0.0.0.0/0 firewall 3

ip route 0.0.0.0/0 firewall 4

ip route 128.0.0.0/1 firewall 1

ip route 128.0.0.0/1 firewall 2

This is just an example. But you can see that firewall 1 and 2 will get all traffic to 128.0.0.0 -255.255.255.255 and the traffic from 0.0.0.0 to 127.255.255.255 wil be loadbalanced over the 4 firewalls.

Gilles.

msmoon · ‎02-23-2003

One more

If CSS know the path which firewall the packets comes from, then your method looks no problem.

Internet ----- CSS_out--------four firewalls--------CSS_in------Servers(A.B.C.0/24)

CSS_out

ip route A.B.C.0/24 firewall 1

ip route A.B.C.0/24 firewall 2

ip route A.B.C.0/24 firewall 3

ip route A.B.C.0/24 firewall 4

ip route A.B.C.0/25 firewall 1

ip route A.B.C.0/25 firewall 2

CSS_in

ip route 0.0.0.0/0 firewall 1

ip route 0.0.0.0/0 firewall 2

ip route 0.0.0.0/0 firewall 3

ip route 0.0.0.0/0 firewall 4

ip route 128.0.0.0/1 firewall 1

ip route 128.0.0.0/1 firewall 2

How about this? Is it OK?

Even if CSS know the information of session flow, It looks have a risk of problem.

Gilles Dufour · ‎02-27-2003

this should be ok as well.

This method is not new.

Big ISP's used to do this in the past to do BGP loadbalancing (before the invention of BGP multipath).

I believe a lot of people are still using this method.

So, it should work for the CSS as well.

Gilles.