Cisco Cisco IOS Software Release 12.2(33)SRE
Features
10
Cisco IOS Release 12.2(33)SRB
To balance flows across the firewalls in a firewall farm, IOS SLB firewall load balancing performs a
route lookup on each incoming flow, examining the source and destination IP addresses (and optionally
the source and destination TCP or User Datagram Protocol [UDP] port numbers). Firewall load
balancing applies a hash algorithm to the results of the route lookup and selects the best firewall to
handle the connection request.
route lookup on each incoming flow, examining the source and destination IP addresses (and optionally
the source and destination TCP or User Datagram Protocol [UDP] port numbers). Firewall load
balancing applies a hash algorithm to the results of the route lookup and selects the best firewall to
handle the connection request.
To maximize availability and resilience in a network with multiple firewalls, configure a separate
equal-weight route to each firewall, rather than a single route to only one of the firewalls.
equal-weight route to each firewall, rather than a single route to only one of the firewalls.
IOS SLB firewall load balancing provides the following capabilities:
•
Connections initiated from either side of the firewall farm are load-balanced.
•
The load is balanced among a set of firewalls—the firewall farm.
•
All packets for a connection travel through the same firewall. Subsequent connections can be
“sticky,” ensuring that they are assigned to the same firewall.
“sticky,” ensuring that they are assigned to the same firewall.
•
Source-IP, destination-IP, and source-destination-IP sticky connections are supported.
•
Probes are used to detect and recover from firewall failures.
•
Redundancy is provided. Hot Standby Router Protocol (HSRP), stateless backup, and stateful
backup are all supported.
backup are all supported.
•
Multiple interface types and routing protocols are supported, enabling the external (Internet side)
load-balancing device to act as an access router.
load-balancing device to act as an access router.
•
Proxy firewalls are supported.
GTP IMSI Sticky Database
IOS SLB can select a gateway general packet radio service (GPRS) support node (GGSN) for a given
International Mobile Subscriber ID (IMSI), and forward all subsequent Packet Data Protocol (PDP)
create requests from the same IMSI to the selected GGSN.
International Mobile Subscriber ID (IMSI), and forward all subsequent Packet Data Protocol (PDP)
create requests from the same IMSI to the selected GGSN.
To enable this feature, IOS SLB uses a GPRS Tunneling Protocol (GTP) IMSI sticky database, which
maps each IMSI to its corresponding real server, in addition to its session database.
maps each IMSI to its corresponding real server, in addition to its session database.
IOS SLB creates a sticky database object when it processes the first GTP PDP create request for a given
IMSI. IOS SLB removes the sticky object when it receives a notification to do so from the real server,
or as a result of inactivity. When the last PDP belonging to an IMSI is deleted on the GGSN, the GGSN
notifies IOS SLB to remove the sticky object.
IMSI. IOS SLB removes the sticky object when it receives a notification to do so from the real server,
or as a result of inactivity. When the last PDP belonging to an IMSI is deleted on the GGSN, the GGSN
notifies IOS SLB to remove the sticky object.
Home Agent Director
The Home Agent Director load balances Mobile IP Registration Requests (RRQs) among a set of home
agents (configured as real servers in a server farm). Home agents are the anchoring points for mobile
nodes. Home agents route flows for a mobile node to its current foreign agent (point of attachment).
agents (configured as real servers in a server farm). Home agents are the anchoring points for mobile
nodes. Home agents route flows for a mobile node to its current foreign agent (point of attachment).
The Home Agent Director has the following characteristics:
•
Can operate in dispatched mode or in directed server NAT mode, but not in directed client NAT
mode. In dispatched mode, the home agents must be Layer 2-adjacent to the IOS SLB device.
mode. In dispatched mode, the home agents must be Layer 2-adjacent to the IOS SLB device.
•
Can operate in both fast and CEF switching modes.
•
Does not support stateful backup. See the
for more
information.
•
Delivers RRQs destined to the virtual Home Agent Director IP address to one of the real home
agents, using the weighted round robin load-balancing algorithm. See the
agents, using the weighted round robin load-balancing algorithm. See the
for more information about this algorithm.