Cisco IOS Software Release 12.2(18)SXF

Features
Cisco IOS Release 12.2(18)SXF5
TCP Session Reassignment
IOS SLB tracks each TCP SYN sent to a real server by a client attempting to open a new connection. If 
several consecutive SYNs are not answered, or if a SYN is replied to with an RST, the TCP session is 
reassigned to a new real server. The number of SYN attempts is controlled by a configurable reassign 
threshold.
IOS SLB firewall load balancing does not support TCP session reassignment.
Transparent Web Cache Load Balancing
IOS SLB can load-balance HTTP flows across a cluster of transparent web caches. To set up this 
function, configure the subnet IP addresses served by the transparent web caches, or some common 
subset of them, as virtual servers. Virtual servers used for transparent web cache load balancing do not 
answer pings on behalf of the subnet IP addresses, and they do not affect traceroute.
In some cases, such as when its cache does not contain needed pages, a web cache might need to initiate 
its own connections to the Internet. Those connections should not be load-balanced back to the same set 
of web caches. To address this need, IOS SLB allows you to configure client exclude statements, which 
exclude connections initiated by the web caches from the load-balancing scheme.
IOS SLB firewall load balancing does not support transparent web cache load balancing.
Security Features
IOS SLB provides the following security features:
Alternate IP Addresses
IOS SLB enables you to telnet to the load-balancing device using an alternate IP address. To do so, use 
either of the following methods:
• Use any of the interface addresses to telnet to the load-balancing device.
• Define a secondary IP address to telnet to the load-balancing device.
This function is similar to that provided by the LocalDirector (LD) Alias command.
Avoiding Attacks on Server Farms and Firewall Farms
IOS SLB relies on a site’s firewalls to protect the site from attacks. In general, IOS SLB is no more 
susceptible to direct attack than is any switch or router. However, a highly secure site can take the 
following steps to enhance its security:
• Configure real servers on a private network to keep clients from connecting directly to them. This 
  configuration ensures that the clients must go through IOS SLB to get to the real servers.
• Configure input access lists on the access router or on the IOS SLB device to deny flows from the 
  outside network aimed directly at the interfaces on the IOS SLB device. That is, deny all direct flows 
  from unexpected addresses.
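
One way to audit the second step is sketched below. This is an added example, not part of the Cisco documentation. It evaluates an inbound extended access list with first-match semantics and reports which IOS SLB interface addresses an outside source can still reach directly. The ACL name, all addresses (RFC 5737 documentation ranges) and the function names are assumptions made for illustration.

```python
import ipaddress

# Constructed sample ACL for the outside-facing interface (illustrative values):
# 192.0.2.1 and 192.0.2.2 are SLB interface addresses, 192.0.2.100 is a virtual
# server, 198.51.100.0/24 is the expected management network.
SAMPLE_ACL = """\
ip access-list extended OUTSIDE-IN
 permit tcp 198.51.100.0 0.0.0.255 host 192.0.2.1 eq 23
 permit tcp any host 192.0.2.100 eq 80
 deny ip any host 192.0.2.1
 permit ip any any
"""

def _to_int(ip):
    return int(ipaddress.IPv4Address(ip))

def _addr(tok):
    """Consume one address spec: 'any', 'host A' or 'A WILDCARD'."""
    if tok[0] == "any":
        return (0, 0xFFFFFFFF), tok[1:]
    if tok[0] == "host":
        return (_to_int(tok[1]), 0), tok[2:]
    return (_to_int(tok[0]), _to_int(tok[1])), tok[2:]

def parse_acl(text):
    """Return (action, protocol, src, dst) per entry; source-port operators are not handled."""
    entries = []
    for line in text.splitlines():
        tok = line.split()
        if tok and tok[0] in ("permit", "deny"):
            src, rest = _addr(tok[2:])
            dst, _ports = _addr(rest)  # destination ports are ignored below
            entries.append((tok[0], tok[1], src, dst))
    return entries

def _match(spec, ip):
    base, wild = spec  # wildcard bits set to 1 mean "don't care"
    return (base | wild) == (_to_int(ip) | wild)

def decide(entries, proto, src, dst):
    """First matching entry wins; a port-qualified entry counts as a match (conservative)."""
    for action, p, s, d in entries:
        if p in ("ip", proto) and _match(s, src) and _match(d, dst):
            return action
    return "deny"  # implicit deny that ends every IOS access list

def exposed_interfaces(acl_text, slb_interfaces, outside_src, proto="tcp"):
    """SLB interface addresses that an outside source can reach directly."""
    entries = parse_acl(acl_text)
    return [ip for ip in slb_interfaces
            if decide(entries, proto, outside_src, ip) == "permit"]
```

In the sample, 192.0.2.2 has no deny entry of its own, so it falls through to the final permit and is reported as exposed.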