Brocade Communications Systems ServerIron ADX 12.4.00 Service Manual Page 18

ServerIron ADX Firewall Load Balancing Guide 7
53-1002436-01
Understanding ServerIron FWLB
1
DRAFT: BROCADE CONFIDENTIAL
Stateful FWLB
A ServerIron ADX performs stateful FWLB by creating and using session entries for source and
destination traffic flows and associating each flow with a specific firewall.
When a ServerIron ADX receives a packet that needs to go through a firewall, the ServerIron ADX
checks to see whether it has an existing session entry for the packet:
  • If the ServerIron ADX does not have a session entry with the packet’s source and destination
    addresses, the ServerIron creates one. To create the session entry, the ServerIron ADX selects
    the firewall that has the fewest open sessions with the ServerIron ADX and associates the
    source and destination addresses of the packet with that firewall.
    The ServerIron ADX also sends the session information to the other ServerIron ADX in the
    high-availability pair, so that the other ServerIron ADX uses the associated path for the
    corresponding traffic and does not create a new session for the same traffic flow.
  • If the ServerIron ADX already has a session entry for the packet, the ServerIron ADX forwards
    the traffic to the firewall in the session entry. All packets with the same source and destination
    addresses are forwarded to the same firewall. Because the ServerIron ADXs in a
    high-availability pair exchange session information, the same firewall is used regardless of
    which ServerIron ADX receives the traffic to be forwarded.
In addition to the firewall selection method based on fewest sessions described previously, a
ServerIron ADX can also select a firewall that has the fewest open sessions for the requested
service. For example, with "port http" defined for each firewall, HTTP requests are load balanced
to the firewall that has the fewest open HTTP connections.
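The following Python model is an added example, not code from the guide or from Brocade. It walks through the session lookup, fewest-sessions selection, per-service selection, and high-availability session sync described above. All class and function names are hypothetical, and the tie-break by configuration order and the direct write into the peer's table are assumptions.

```python
# Added illustration of the stateful FWLB behaviour described above.
# Names are hypothetical; this is a simplified model, not Brocade's code.
from collections import Counter


class FwlbNode:
    """One ServerIron ADX in a high-availability pair (simplified model)."""

    def __init__(self, firewalls):
        self.firewalls = list(firewalls)
        self.sessions = {}   # (src, dst) -> (firewall, service)
        self.peer = None     # the other node of the HA pair

    def open_counts(self, service=None):
        """Open sessions per firewall, optionally for one service only."""
        counts = Counter({fw: 0 for fw in self.firewalls})
        for fw, svc in self.sessions.values():
            if service is None or svc == service:
                counts[fw] += 1
        return counts

    def forward(self, src, dst, service=None, per_service=False):
        """Return the firewall that carries the flow src -> dst."""
        key = (src, dst)
        if key in self.sessions:           # existing entry: reuse its firewall
            return self.sessions[key][0]
        counts = self.open_counts(service if per_service else None)
        # Fewest open sessions wins; ties go to configuration order (assumption).
        fw = min(self.firewalls, key=lambda f: counts[f])
        self.sessions[key] = (fw, service)
        if self.peer is not None:          # sync so the peer reuses this path
            self.peer.sessions[key] = (fw, service)
        return fw


def make_pair(firewalls):
    """Build two nodes that exchange session information with each other."""
    a, b = FwlbNode(firewalls), FwlbNode(firewalls)
    a.peer, b.peer = b, a
    return a, b
```
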
Health checks
The ServerIron ADX regularly checks the health of the firewall paths and router paths, and of the
applications on the firewalls, if you add applications to the firewall configurations.
ServerIron ADXs on each side of a firewall exchange health information for the links in each path by
exchanging IP pings through the firewalls. When the ServerIron ADX on one side of a firewall
receives a reply to a ping it sends to the other ServerIron ADX, on the other side of the firewall, the
ServerIron ADX that sent the ping concludes that its partner on the other side of the firewall is
operating normally.
The pings are required because a ServerIron ADX can use link-state information to detect when the
local link (a link directly attached to a ServerIron ADX port) in a path goes down, but cannot detect
when the remote link in the path goes down. If the other ServerIron ADX fails to respond to a ping
on a specific port, the ServerIron ADX that sent the ping tries two more times, and then determines
that the remote link in the path must be down.
NOTE
For Layer 3 health checks, the health-checking mechanism requires that the firewalls be configured
to allow ICMP traffic between the two ServerIron ADXs and the ServerIron’s gateway router. If the
firewalls block the ICMP traffic between ServerIron ADXs, the health check will not work and, as a
result, your IronClad configuration will not function properly.