Chapter 5: Firewall Load Balancing

Cisco Press

module ContentSwitchingModule 2 
 vlan 14 client
 ip address 11.8.200.66 255.255.255.224
 alias 11.8.200.65 255.255.255.224
!
 vlan 114 server
 ip address 11.8.200.66 255.255.255.224
 route 173.73.248.0 255.255.248.0 gateway 11.8.200.80
!
 probe INTERNET icmp
 address 11.8.200.33 
 interval 5 
!
 probe LAN icmp
 address 11.8.200.97 
 interval 5 
!
 probe WEB tcp
 interval 10 
!
!
 serverfarm DMZ_INTERNET
 no nat server 
 no nat client
 predictor hash address destination
 real 11.8.200.75
  inservice
 real 11.8.200.76
  inservice
 real 11.8.200.77
  inservice
 probe INTERNET
!
 serverfarm DMZ_LAN
 no nat server 
 no nat client
 predictor hash address destination
 real 11.8.200.75
  inservice
 real 11.8.200.76
  inservice
 real 11.8.200.77
  inservice
 probe LAN
!
 serverfarm WEB
 nat server 
 no nat client
 real 173.73.248.121
  inservice
 real 173.73.248.122
  inservice
 real 173.73.248.123
  inservice
 probe WEB     
!
 serverfarm OUT_FW_CSM
 no nat server 
 no nat client
 predictor forward
!
!
 vserver DMZ_INTERNET
 virtual 0.0.0.0 0.0.0.0 any
 vlan 114
 serverfarm DMZ_INTERNET
 replicate csrp sticky
 replicate csrp connection
 persistent rebalance
 inservice
!
 vserver DMZ_LAN
 virtual 11.0.0.0 255.0.0.0 any
 vlan 114
 serverfarm DMZ_LAN
 replicate csrp sticky
 replicate csrp connection
 persistent rebalance
 inservice
!
 vserver WEB-80
 virtual 173.73.248.120 tcp www
 serverfarm WEB
 replicate csrp sticky
 replicate csrp connection
 persistent rebalance
 inservice
!
 vserver WEB-443
 virtual 173.73.248.120 tcp https
 serverfarm WEB
 sticky 240
 replicate csrp sticky
 replicate csrp connection
 persistent rebalance
 inservice
!
 vserver OUT_FW_CSM
 virtual 173.73.248.0 255.255.248.0 any
 vlan 14
 serverfarm OUT_FW_CSM
 replicate csrp sticky
 replicate csrp connection
 persistent rebalance
 inservice
!

Catalyst 6509 Layer 3 Configurations

Following are the Layer 3 configurations on the Catalyst 6509. Interface VLAN 114 links the MSFC to the server side of the CSM; the CSM's route for 173.73.248.0/21 points at the HSRP address of that interface, 11.8.200.80. VLANs 248 and 249 are the server VLANs that exist on the MSFC. Because the default gateway of the MSFC is the CSM alias 11.8.200.65, all traffic from the servers toward the INET or LAN segment passes through the CSM.

interface Vlan114
 ip address 11.8.200.81 255.255.255.224
 no ip redirects
 standby 3 ip 11.8.200.80
 standby 3 priority 105
 standby 3 preempt
!
interface Vlan248
 ip address 173.73.248.2 255.255.255.0
 no ip redirects
 standby 1 ip 173.73.248.1
 standby 1 priority 105
 standby 1 preempt
!
interface Vlan249
 ip address 173.73.249.2 255.255.255.0
 no ip redirects
 standby 2 ip 173.73.249.1
 standby 2 priority 105
 standby 2 preempt
!
ip default-gateway 11.8.200.65
ip classless
ip route 0.0.0.0 0.0.0.0 11.8.200.65

Configuration Details of the LAN Segment

The following sections provide the detailed CSM and Catalyst 6500 configurations of the LAN segment. This is the segment that connects the data center with the corporate network.

CSM Configurations

Following is the CSM configuration used in the LAN segment. Notice that the vservers LAN_DMZ_V1 and LAN_DMZ_V2 carry idle 10800, which raises the idle timeout from the CSM default of 1 hour to 3 hours (10,800 seconds). This ensures that user sessions from the LAN to the DMZ are not removed by the CSM even when the user is idle for up to 10,800 seconds. The same idle timeout adjustment must be made in the DMZ CSM configuration; as shown earlier, the DMZ_LAN vserver there still uses the default.

module ContentSwitchingModule 2 
 vlan 15 client
 ip address 11.8.200.98 255.255.255.224
 alias 11.8.200.97 255.255.255.224
!
 vlan 115 server
 ip address 11.8.200.98 255.255.255.224
 route 11.0.0.0 255.0.0.0 gateway 11.8.200.102
!
 probe INTERNET icmp
 address 11.8.200.33 
 interval 5  
!
 probe DMZ icmp
 address 11.8.200.65 
 interval 5 
!
 serverfarm LAN_DMZ
 no nat server 
 no nat client
 predictor hash address source
 real 11.8.200.107
  inservice
 real 11.8.200.108
  inservice
 real 11.8.200.109
  inservice
 probe DMZ
!
 serverfarm LAN_INTERNET
 no nat server 
 no nat client
 predictor hash address destination
 real 11.8.200.107
  inservice
 real 11.8.200.108
  inservice
 real 11.8.200.109
  inservice
 probe INTERNET
!
 serverfarm OUT_FW_CSM
 no nat server 
 no nat client
 predictor forward
!
 vserver LAN_DMZ_V1
 virtual 173.73.248.0 255.255.248.0 any
 vlan 115
 idle 10800
 serverfarm LAN_DMZ
 replicate csrp sticky
 replicate csrp connection
 persistent rebalance
 inservice
!
 vserver LAN_DMZ_V2
 virtual 11.8.200.64 255.255.255.224 any
 vlan 115
 idle 10800
 serverfarm LAN_DMZ
 replicate csrp sticky
 replicate csrp connection
 persistent rebalance
 inservice
!
 vserver LAN_INTERNET
 virtual 0.0.0.0 0.0.0.0 any
 vlan 115
 serverfarm LAN_INTERNET
 replicate csrp sticky
 replicate csrp connection
 persistent rebalance
 inservice
!
 vserver LAN_INTERNET_2
 virtual 11.8.200.224 255.255.255.224 any
 vlan 115
 serverfarm LAN_INTERNET
 replicate csrp sticky
 replicate csrp connection
 persistent rebalance
 inservice
!
 vserver OUT_FW_CSM
 virtual 11.0.0.0 255.0.0.0 any
 vlan 15
 serverfarm OUT_FW_CSM
 replicate csrp sticky
 replicate csrp connection
 persistent rebalance
 inservice
!
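The two predictors are the heart of the firewall load-balancing design. A stateful firewall only passes a connection whose packets cross the same unit in both directions, so the LAN-side CSM hashes on the source address (the LAN host) while the DMZ-side CSM hashes on the destination address of the reply (again the LAN host); with the firewalls listed in the same order on both sides, both CSMs select the same unit. The following Python script is an added example, not code from the chapter or from Cisco. It models that selection with an illustrative hash (the CSM's own hash function is not given on the page), assumes that the nth real of LAN_DMZ and the nth real of DMZ_LAN are interfaces of the same physical firewall, and uses constructed client addresses. It then swaps the DMZ-side predictor to hash on the source to show how many client/server pairs would be split across two firewalls.

```python
import ipaddress

# Serverfarms copied from the two CSM configurations in the chapter. The
# LAN-side CSM hashes on the SOURCE address, the DMZ-side CSM on the
# DESTINATION address, so in both directions the key is the LAN host.
LAN_DMZ = {"predictor": "hash address source",
           "reals": ["11.8.200.107", "11.8.200.108", "11.8.200.109"]}
DMZ_LAN = {"predictor": "hash address destination",
           "reals": ["11.8.200.75", "11.8.200.76", "11.8.200.77"]}

# Assumption: the nth real of each farm is an interface of the same physical
# firewall (the chapter lists the reals in the same order on both sides but
# does not state the pairing explicitly).
FIREWALL_OF = {}
for n, (lan_if, dmz_if) in enumerate(zip(LAN_DMZ["reals"], DMZ_LAN["reals"]), 1):
    FIREWALL_OF[lan_if] = FIREWALL_OF[dmz_if] = f"fw{n}"


def addr_hash(ip: str) -> int:
    """Illustrative 32-bit multiplicative hash of an IPv4 address.

    The CSM's real hash is not documented on the page; the symmetry
    argument only needs both CSMs to apply the same deterministic function
    over identically ordered real lists."""
    return (int(ipaddress.IPv4Address(ip)) * 2654435761) % (1 << 32)


def pick_real(farm: dict, src: str, dst: str) -> str:
    """Real the farm's predictor selects for a packet travelling src -> dst."""
    key = src if farm["predictor"].endswith("source") else dst
    return farm["reals"][addr_hash(key) % len(farm["reals"])]


def path_is_symmetric(fwd_farm: dict, rev_farm: dict, client: str, server: str) -> bool:
    """True if client -> server (selected by fwd_farm) and the reply
    server -> client (selected by rev_farm) land on the same firewall."""
    out = pick_real(fwd_farm, client, server)    # chosen by the LAN-side CSM
    back = pick_real(rev_farm, server, client)   # chosen by the DMZ-side CSM
    return FIREWALL_OF[out] == FIREWALL_OF[back]


def count_asymmetric(fwd_farm: dict, rev_farm: dict, clients, servers) -> int:
    """Number of client/server pairs whose two directions hit different
    firewalls; a stateful firewall drops such half-flows."""
    return sum(not path_is_symmetric(fwd_farm, rev_farm, c, s)
               for c in clients for s in servers)


if __name__ == "__main__":
    clients = [f"11.3.7.{i}" for i in range(1, 51)]                   # constructed LAN users
    servers = ["173.73.248.121", "173.73.248.122", "173.73.248.123"]  # the WEB reals
    print("as configured        :", count_asymmetric(LAN_DMZ, DMZ_LAN, clients, servers))
    # Weak setting: the DMZ-side farm also hashing on the source address,
    # i.e. on the DMZ server, which says nothing about which firewall the
    # LAN-side CSM chose for the client.
    wrong = dict(DMZ_LAN, predictor="hash address source")
    print("DMZ side hash source :", count_asymmetric(LAN_DMZ, wrong, clients, servers))
```

Run it directly: the first count is 0 for every client/server pair, the second is not. By the same reasoning, the DMZ_INTERNET farm's destination hash (keyed on the Internet host) has to be paired with a source hash on the INET-side CSM for the return traffic.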

Catalyst 6509 Layer 3 Configurations

Following are the Layer 3 configurations on the Catalyst 6509. Interface VLAN 115 is the one that links the CSM with the MSFC. VLAN 200 is used to connect the MSFC to the internal corporate routers. Each HSRP group tracks the other interface, so a failure of either the uplink toward the corporate routers or the link toward the CSM moves both HSRP addresses to the standby chassis together rather than leaving traffic on a chassis with only one working path.

interface Vlan115
 ip address 11.8.200.103 255.255.255.224
 no ip redirects
 standby 1 ip 11.8.200.102
 standby 1 priority 105
 standby 1 preempt
 standby 1 track Vlan200
!
interface Vlan200
 ip address 11.8.200.130 255.255.255.224
 no ip redirects
 standby 2 ip 11.8.200.129
 standby 2 priority 105
 standby 2 preempt
 standby 2 track Vlan115
!
ip default-gateway 11.8.200.97
ip classless
ip route 0.0.0.0 0.0.0.0 11.8.200.97
ip route 11.0.0.0 255.0.0.0 11.8.200.135
ip route 11.8.200.32 255.255.255.224 11.8.200.97
ip route 11.8.200.64 255.255.255.224 11.8.200.97
ip route 11.8.200.224 255.255.255.224 11.8.200.97

Test and Verification

As mentioned before, each data center environment is unique with respect to the number of sockets used, the duration of TCP or UDP connections, the activity in each session in packets per second, idle timeouts, and so on. It is therefore critical to test and verify the FWLB and SLB environments with the particular applications that will run across them.

Following are a few critical test cases to verify after a new deployment and after any major or minor infrastructure change, including a CSM or firewall code upgrade.

  • Verification of the firewall path by making sure all the probes are working correctly

  • Verification of traffic flow between all segments; that is, INET, DMZ, and LAN

  • Verification of active and passive FTP between LAN and DMZ

  • Content retrieval from the HTTP and HTTPS servers

  • A server-initiated session to a back-end database or internal server

  • A server-initiated backup or data replication session

  • Application daemon failure and detection by the CSM

  • Primary CSM failure, with measurement of the recovery time

  • Primary Catalyst 6509 failure, with measurement of the recovery time
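Most of these are live tests, but the first item and the idle-timeout requirement from the LAN segment can be partly checked before anything is cabled. The following Python script is an added example, not code from the chapter or from Cisco. It parses trimmed copies of the chapter's DMZ-side and LAN-side CSM configurations (reproduced inside the script) and reports vservers that reference an undefined serverfarm, serverfarms that have reals but no defined probe, and idle-timeout mismatches between the vservers that carry the two directions of the same LAN/DMZ traffic. The pairing of DMZ_LAN with LAN_DMZ_V1 and the 3,600-second default idle are taken from the chapter's text; on the page as printed the script reports exactly one finding, the DMZ_LAN vserver still using the default while LAN_DMZ_V1 has idle 10800.

```python
DEFAULT_IDLE = 3600  # the chapter gives the CSM default idle timeout as 1 hour

# Trimmed copies of the chapter's DMZ-side and LAN-side CSM configurations:
# only the probe, serverfarm and vserver lines the checks look at.
# DMZ_LAN carries no "idle" line; LAN_DMZ_V1 carries "idle 10800".
DMZ_CSM = """\
 probe LAN icmp
!
 serverfarm DMZ_LAN
 predictor hash address destination
 real 11.8.200.75
 real 11.8.200.76
 real 11.8.200.77
 probe LAN
!
 vserver DMZ_LAN
 virtual 11.0.0.0 255.0.0.0 any
 vlan 114
 serverfarm DMZ_LAN
 inservice
!
"""
LAN_CSM = """\
 probe DMZ icmp
!
 serverfarm LAN_DMZ
 predictor hash address source
 real 11.8.200.107
 real 11.8.200.108
 real 11.8.200.109
 probe DMZ
!
 vserver LAN_DMZ_V1
 virtual 173.73.248.0 255.255.248.0 any
 vlan 115
 idle 10800
 serverfarm LAN_DMZ
 inservice
!
"""


def parse_csm(text):
    """Split a CSM config into probe, serverfarm and vserver blocks.
    A block starts at "probe|serverfarm|vserver NAME ..." and ends at "!";
    only the fields the checks need are kept."""
    cfg = {"probe": {}, "serverfarm": {}, "vserver": {}}
    block = None
    for raw in text.splitlines():
        words = raw.split()
        if not words or words[0] == "!":
            block = None                         # "!" closes the current block
        elif block is None and len(words) >= 2:
            block = {"reals": [], "probe": None, "idle": DEFAULT_IDLE}
            cfg.setdefault(words[0], {})[words[1]] = block
        elif block is None:
            continue
        elif words[0] == "real":
            block["reals"].append(words[1])
        elif words[0] == "probe":                # probe attached to a farm
            block["probe"] = words[1]
        elif words[0] == "serverfarm":           # farm used by a vserver
            block["serverfarm"] = words[1]
        elif words[0] == "idle":
            block["idle"] = int(words[1])
    return cfg


def lint(cfg, label):
    """Per-module checks: dangling farm references and farms without a probe."""
    findings = []
    for name, vs in cfg["vserver"].items():
        if vs.get("serverfarm") not in cfg["serverfarm"]:
            findings.append(f"{label}: vserver {name} references undefined "
                            f"serverfarm {vs.get('serverfarm')}")
    for name, sf in cfg["serverfarm"].items():
        # A farm with reals but no working probe keeps sending traffic to a
        # dead firewall; "predictor forward" farms have no reals and need none.
        if sf["reals"] and sf["probe"] not in cfg["probe"]:
            findings.append(f"{label}: serverfarm {name} has reals but no defined probe")
    return findings


def lint_idle(dmz, lan, pairs):
    """Cross-module check: the vservers carrying the two directions of one
    traffic class must use the same idle timeout, as the chapter requires."""
    findings = []
    for d, l in pairs:
        di, li = dmz["vserver"][d]["idle"], lan["vserver"][l]["idle"]
        if di != li:
            findings.append(f"idle mismatch: DMZ {d}={di}s vs LAN {l}={li}s")
    return findings


def run():
    dmz, lan = parse_csm(DMZ_CSM), parse_csm(LAN_CSM)
    return lint(dmz, "DMZ") + lint(lan, "LAN") + lint_idle(dmz, lan, [("DMZ_LAN", "LAN_DMZ_V1")])


if __name__ == "__main__":
    print("\n".join(run()) or "no findings")
```

The static check complements, rather than replaces, the live probe verification in the first test case: whether a probe is actually succeeding against the firewall has to be read from the running module (the CSM documentation's show module csm 2 probe, and show module csm 2 conns for the connection table; neither command appears on this page).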

Summary

This chapter introduced FWLB concepts, technology, products, and implementation details. This chapter covered motivations behind FWLB, provided an overview of different flavors of firewalls, and explained how to load balance each type.

In order to combine all the concepts of FWLB from the perspective of the CSM platform, this chapter also provided a case study. This case study focused on the deployment scenario of a real-world solution using the CSM to load balance firewalls with three secure segments. The CSM configurations have been provided and explained to introduce the reader to the CLI.

Chapter 6, "Transparent and Proxy Cache Load Balancing," introduces caching terminology, technology, and methodology, together with a complete case study of cache load balancing using CSM on the Catalyst 6500.

Copyright © 2007 Pearson Education. All rights reserved.

Copyright © 2007 IDG Communications, Inc.