Cisco IOS Software Release 12.2(18)SXD

Features
Content Flow Monitor Support
IOS SLB supports the Cisco Content Flow Monitor (CFM), a web-based status monitoring application within the CiscoWorks2000 product family. You can use CFM to manage Cisco server load-balancing devices. CFM runs on Windows NT and Solaris workstations, and is accessed using a web browser.
Delayed Removal of TCP Connection Context
Because of IP packet ordering anomalies, IOS SLB might “see” the termination of a TCP connection (a finish [FIN] or reset [RST]) followed by other packets for the connection. This problem usually occurs when there are multiple paths that the TCP connection packets can follow. To correctly redirect the packets that arrive after the connection is terminated, IOS SLB retains the TCP connection information, or context, for a specified length of time. The length of time the context is retained after the connection is terminated is controlled by a configurable delay timer.
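The following Python model is an added illustration, not code from the Cisco documentation or from IOS SLB itself. It simulates a connection table in which a FIN or RST starts a delay timer instead of deleting the context immediately, and replays one connection whose last data segment is reordered behind the FIN. The table layout, the round-robin choice of real server, the addresses and the timer values are all constructed for the example; the point it shows is that with no retention the stray packet is treated as a new connection and can be dispatched to the wrong real server, while a non-zero delay keeps it on the original one.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# TCP flag bits used by the simulation (constructed values; only FIN and RST matter here)
FIN = 0x01
SYN = 0x02
RST = 0x04
ACK = 0x10

# A flow is identified by client address/port and the virtual address/port it targets
FlowKey = Tuple[str, int, str, int]


@dataclass
class ConnectionContext:
    real_server: str                       # real server chosen for this connection
    terminated_at: Optional[float] = None  # time the first FIN/RST was seen; None while open


class SlbConnectionTable:
    """Hypothetical model of an SLB connection table with delayed context removal."""

    def __init__(self, delay_seconds: float, real_servers: List[str]) -> None:
        self.delay = delay_seconds
        self.reals = real_servers
        self.table: Dict[FlowKey, ConnectionContext] = {}
        self._next = 0  # round-robin pointer used for new connections

    def _choose_real(self) -> str:
        real = self.reals[self._next % len(self.reals)]
        self._next += 1
        return real

    def process(self, key: FlowKey, flags: int, now: float) -> str:
        """Return the real server this packet is dispatched to."""
        ctx = self.table.get(key)
        if ctx is None:
            # No context: either a genuinely new connection or a late packet whose
            # context has already been removed. Either way a fresh decision is made.
            ctx = ConnectionContext(self._choose_real())
            self.table[key] = ctx
        if flags & (FIN | RST) and ctx.terminated_at is None:
            ctx.terminated_at = now  # start the delay timer but keep the context
        return ctx.real_server

    def expire(self, now: float) -> int:
        """Remove contexts whose delay timer has run out; return how many were removed."""
        expired = [k for k, c in self.table.items()
                   if c.terminated_at is not None and now - c.terminated_at >= self.delay]
        for k in expired:
            del self.table[k]
        return len(expired)


def simulate(delay_seconds: float) -> List[str]:
    """Replay one connection whose final packets arrive out of order.

    Returns the real server chosen for each packet: the SYN, the FIN, and a
    stray data segment that reaches the load balancer after the FIN.
    """
    slb = SlbConnectionTable(delay_seconds, ["10.1.1.1", "10.1.1.2"])
    flow: FlowKey = ("192.0.2.10", 40000, "203.0.113.1", 80)
    chosen = [slb.process(flow, SYN, now=0.0),
              slb.process(flow, FIN | ACK, now=5.0)]
    slb.expire(now=5.5)                              # housekeeping run between the packets
    chosen.append(slb.process(flow, ACK, now=6.0))   # reordered segment arrives after the FIN
    return chosen


if __name__ == "__main__":
    print("no delay  :", simulate(0.0))   # stray segment lands on a different real server
    print("10 s delay:", simulate(10.0))  # context retained, same real server throughout
```

Sizing the delay is a trade-off the text leaves to the operator: the timer must exceed the worst-case reordering skew between the paths a flow can take, but every retained context occupies table memory until it expires.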
Firewall Load Balancing
As its name implies, firewall load balancing enables IOS SLB to balance flows to firewalls. Firewall load balancing uses a load-balancing device on each side of a group of firewalls (called a firewall farm) to ensure that the traffic for each flow travels to the same firewall, ensuring that the security policy is not compromised.
You can configure more than one firewall farm in each load-balancing device.
Layer 3 firewalls, which have IP-addressable interfaces, are supported by IOS SLB firewall load balancing if they are subnet-adjacent to the firewall load-balancing device and have unique MAC addresses. The device does not modify the IP addresses in the user packet. To send the packet to the chosen firewall, the device determines which interface to use and changes the Layer 2 headers accordingly. This type of routing is the standard dispatched routing used by IOS SLB.
Layer 2 firewalls, which do not have IP addresses, are transparent to IOS SLB firewall load balancing. IOS SLB supports Layer 2 firewalls by placing them between two IP-addressable interfaces.
Whereas many Layer 3 firewalls might exist off a single Layer 3 interface on the load-balancing device (for example, a single LAN), only one Layer 2 firewall can exist off each interface.
When configuring the load-balancing device, you configure a Layer 3 firewall using its IP address, and a Layer 2 firewall using the IP address of the interface of the device on the “other side” of the firewall.
To balance flows across the firewalls in a firewall farm, IOS SLB firewall load balancing performs a route lookup on each incoming flow, examining the source and destination IP addresses (and optionally the source and destination TCP or User Datagram Protocol [UDP] port numbers). Firewall load balancing applies a hash algorithm to the results of the route lookup and selects the best firewall to handle the connection request.
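The Python below is an added example of flow hashing for a firewall farm; it is not Cisco's algorithm and not code from the documentation. It assumes a constructed scheme in which the two endpoints of a flow are sorted before hashing, so that the device on the outside (seeing client to server) and the device on the inside (seeing the reply, server to client) independently arrive at the same firewall without exchanging state. This is the property the text requires of a firewall farm; the SHA-256 digest, the optional-port handling and the sample addresses are all assumptions made for the example.

```python
import hashlib
from typing import Dict, List, Optional, Tuple

Endpoint = Tuple[str, int]


def flow_key(src_ip: str, dst_ip: str,
             src_port: Optional[int] = None,
             dst_port: Optional[int] = None) -> bytes:
    """Canonical, direction-independent key for one flow (constructed scheme).

    The endpoints are sorted so the outbound packet (a -> b) and its reply
    (b -> a) produce the same key. Ports are optional, as in the text; an
    absent port is encoded as -1 so it cannot collide with a real port.
    """
    a: Endpoint = (src_ip, -1 if src_port is None else src_port)
    b: Endpoint = (dst_ip, -1 if dst_port is None else dst_port)
    lo, hi = sorted((a, b))
    return f"{lo[0]}:{lo[1]}|{hi[0]}:{hi[1]}".encode()


def select_firewall(src_ip: str, dst_ip: str, firewalls: List[str],
                    src_port: Optional[int] = None,
                    dst_port: Optional[int] = None) -> str:
    """Hash the flow key and map it onto one member of an equal-weight farm."""
    if not firewalls:
        raise ValueError("firewall farm has no members")
    digest = hashlib.sha256(flow_key(src_ip, dst_ip, src_port, dst_port)).digest()
    return firewalls[int.from_bytes(digest[:4], "big") % len(firewalls)]


def both_directions_agree(src_ip: str, dst_ip: str, firewalls: List[str],
                          src_port: int, dst_port: int) -> bool:
    """Check that the inside and outside devices choose the same firewall."""
    outbound = select_firewall(src_ip, dst_ip, firewalls, src_port, dst_port)
    reply = select_firewall(dst_ip, src_ip, firewalls, dst_port, src_port)
    return outbound == reply


def distribution(firewalls: List[str], n_flows: int = 1000) -> Dict[str, int]:
    """Count how many constructed flows land on each firewall."""
    counts = {fw: 0 for fw in firewalls}
    for i in range(n_flows):
        src = f"192.0.2.{i % 250 + 1}"          # constructed client addresses
        dst = f"198.51.100.{i // 250 + 1}"      # constructed server addresses
        counts[select_firewall(src, dst, firewalls, 1024 + i, 443)] += 1
    return counts


if __name__ == "__main__":
    farm = ["10.10.1.1", "10.10.1.2", "10.10.1.3"]  # constructed firewall farm
    print("same firewall both ways:",
          both_directions_agree("192.0.2.10", "198.51.100.5", farm, 40000, 443))
    print("flows per firewall:", distribution(farm))
```

Because the choice is a pure function of the flow tuple, a flow whose reply is seen by a different device still reaches the firewall that holds its state; the price, as the Note below says, is that every packet on both sides must be looked up and hashed.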
Note
IOS SLB firewall load balancing must examine incoming packets and perform route lookup. On Catalyst 6500 Family Switches, some additional packets might need to be examined. Firewall load balancing impacts internal (secure) side routing performance and must be considered in the complete design.
To maximize availability and resilience in a network with multiple firewalls, configure a separate equal-weight route to each firewall, rather than a single route to only one of the firewalls.