Brocade Communications Systems ServerIron ADX 12.4.00 Service Manual Page 17
- Page / 188
- Table of contents
- BOOKMARKS
Rated. / 5. Based on customer reviews
6 ServerIron ADX Firewall Load Balancing Guide
53-1002436-01
Understanding ServerIron FWLB
1
DRAFT: BROCADE CONFIDENTIAL
Firewall selection
Once a ServerIron ADX has selected a firewall for a given traffic flow (source-destination pair of IP
addresses), the ServerIron ADX uses the same firewall for subsequent traffic in the same flow.
For example (using IPv4 addresses), if the ServerIron ADX selects firewall FW1 for the first packet
the ServerIron ADX receives with source address 1.1.1.1 and destination address 2.2.2.2, the
ServerIron ADX uses FW1 for all packets of flows from 1.1.1.1 to 2.2.2.2.
For example (using IPv6 addresses), if the ServerIron ADX selects firewall FW2 for the first packet
the ServerIron ADX receives with source address 1000::1 and destination address 2000::2, the
ServerIron ADX uses FW2 for all packets of flows from 1000::1 to 2000::2.
The ServerIron ADX uses one of the following methods to select a firewall for the first packet:
• Select the firewall based on a hash calculation – Used for stateless FWLB
• Select the firewall with the fewest open connections – Used for stateful FWLB
• Select the firewall with the fewest open connections per service – Used for stateful FWLB
Hashing mechanism
The ServerIron ADXs use the path information along with the hash mask value for each
source-destination pair of IP addresses in the user traffic to consistently send the same
source-destination pairs through the same paths. For FWLB, the hash mask must be set to all ones
(255.255.255.255 255.255.255.255 for IPv4 and FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF
FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF for IPv6) to ensure that a given source-destination pair
always goes down the same path.
The ServerIron ADX selects a firewall for forwarding a packet based on the packet’s hash value (the
binary sum of the source and destination addresses). Once the ServerIron ADX assigns a hash
value to a given source-destination pair, the ServerIron ADX associates that hash value with a path
and always uses the same path for the source-destination pair that has the assigned hash value.
Hashing based on TCP or UDP port
You can configure the ServerIron ADX to hash based on destination TCP or UDP ports. When the
ServerIron ADX uses the TCP or UDP port number in addition to the source and destination IP
address, traffic with the same source and destination IP address can be load balanced across
different paths, based on the destination TCP or UDP port number.
- ServerIron ADX 1
- Document History 2
- Contents 3
- About This Document 8
- Document conventions 9
- Notice to the reader 10
- Related publications 11
- ServerIron FWLB Overview 12
- Firewall environments 14
- Load balancing paths 15
- Firewall selection 17
- Hashing mechanism 17
- Stateful FWLB 18
- Health checks 18
- Path health checks 19
- Application health checks 19
- Firewall health check debug 21
- Basic FWLB topology 22
- HA FWLB topology 23
- Failover 24
- Router paths 24
- Multizone FWLB topology 25
- FWLB configuration limits 26
- Configuring Basic FWLB 28
- IPv4 Firewall-1 37
- IPv4 Firewall-2 37
- External 40
- Internal 40
- Firewall-2 42
- Firewall-1 42
- Configuring HA FWLB 48
- Session limits 49
- Session aging 49
- Task Reference 52
- Configuring the firewall port 53
- Configuring the partner port 54
- Configuring the router port 55
- Configuring the firewalls 55
- Adding the firewalls 55
- Connection rate control 57
- Complete CLI example 62
- HA FWLB with VRRP 73
- Usage notes 78
- Configuring Multizone FWLB 82
- Zone 3Zone 2 84
- Zone1-SI(config)# no span 85
- Failover algorithm 92
- Commands on Zone1-SI-A zone 1 92
- DRAFT: BROCADE CONFIDENTIAL 100
- 53-1002436-01 102
- SI-A SI-A 104
- In this chapter 124
- NAT firewalls 124
- Extra firewall method 129
- Access policy method 130
- Specifying the partner port 134
- Specifying the router ports 134
- Configuring FWLB and SLB 146
- Configuring SLB-to-FWLB 148
- Configuring the real servers 149
- Enabling SLB-to-FWLB 150
- Configuring FWLB-to-SLB 152
- Enabling FWLB-to-SLB 154
- FWLB configuration overview 166
- TCP/UDP port statistics 169
- FWLB path information 172
- Field Description 173
- • 6 – TCP 174
- • 17 – UDP 174
- In this appendix 176
- FWLB selection algorithms 182
- Configuration guidelines 186
- Denying FWLB 187
Related products and manuals for Network switches Brocade Communications Systems ServerIron ADX 12.4.00
(12 pages)
(64 pages)© 2020, manymanuals.com. All rights reserved. | 0.593 s |
Manymanuals.com
Manymanuals.de
Manymanuals.fr
Manymanuals.it
Manymanuals.pl
Manymanuals.cz
Manymanuals.es
Manymanuals-pt.com
Comments to this Manuals