Cisco IOS Software Release 12.2(14)ZA

Features
Cisco IOS Release 12.2(14)ZA5
Note
IOS SLB firewall load balancing must examine incoming packets and perform a route lookup for each one. On
Catalyst 6500 Family Switches, some additional packets might need to be examined. Firewall load
balancing therefore affects routing performance on the internal (secure) side and must be accounted for in the complete
design.
To maximize availability and resilience in a network with multiple firewalls, configure a separate
equal-weight route to each firewall rather than a single route to only one of the firewalls; a single route
makes that one firewall a single point of failure and defeats the load distribution.
IOS SLB firewall load balancing provides the following capabilities:
Connections initiated from either side of the firewall farm are load-balanced.
The load is balanced among a set of firewalls—the firewall farm.
All packets for a connection travel through the same firewall. Subsequent connections can be 
“sticky,” ensuring that they are assigned to the same firewall.
Probes are used to detect and recover from firewall failures.
Redundancy is provided. Hot Standby Router Protocol (HSRP), stateless backup, and stateful 
backup are all supported.
Multiple interface types and routing protocols are supported, enabling the external (Internet side) 
load-balancing device to act as an access router.
Proxy firewalls are supported.
Maximum Connections
IOS SLB allows you to configure maximum connections for server and firewall load balancing.
For server load balancing, you can configure a limit on the number of active connections assigned to a real
server. When a real server reaches its maximum, IOS SLB
automatically directs all further connection requests to other servers in the server farm until that server's
connection count drops below the specified limit.
For firewall load balancing, you can configure a limit on the number of active TCP or UDP
connections assigned to a firewall farm. When the firewall farm reaches its maximum,
new connections are dropped, not redirected, until the connection count drops below the
specified limit, so size the farm-wide limit for the aggregate capacity of all firewalls in the farm rather than
for a single firewall.
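The following configuration is an added illustration and is not taken from the release notes. It puts together the pieces described above: a firewall farm of two firewalls, a ping probe for failure detection and recovery, TCP stickiness, per-protocol maximum connections, and an equal-weight static route to each firewall as the Note recommends. All addresses, the farm name FIRE and the probe name are hypothetical, and the placement of the sticky and maxconns commands under the protocol submodes is as I recall it from the IOS SLB command reference for this release; check it there before use.

```cisco
! Ping probe used to detect a failed firewall. interval is seconds between probes,
! faildetect is the number of missed replies before the firewall is marked failed.
! The probe target address on the far side of the firewalls is hypothetical.
ip slb probe FIRE ping
 address 10.2.0.1
 interval 10
 faildetect 3
!
! Firewall farm: two firewalls with equal weight, each monitored by the probe.
ip slb firewallfarm FIRE
 real 10.1.0.1
  probe FIRE
  weight 1
  inservice
 real 10.1.0.2
  probe FIRE
  weight 1
  inservice
 ! Maximum Connections feature: once 5000 TCP or 1000 UDP connections are
 ! active, new connections to the farm are dropped, not redirected, so these
 ! values are sized for both firewalls together, not for one.
 protocol tcp
  sticky 180
  maxconns 5000
 protocol udp
  maxconns 1000
 inservice
!
! One equal-weight route to each firewall, rather than a single route through
! one of them (the 10.2.0.0/16 network on the far side is hypothetical).
ip route 10.2.0.0 255.255.0.0 10.1.0.1
ip route 10.2.0.0 255.255.0.0 10.1.0.2
```

After applying it, confirm that both reals show as operational with show ip slb firewallfarm detail and show ip slb probe, then shut down one firewall and verify that the probe marks it failed and that existing sticky assignments move only for that firewall.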
Multiple Firewall Farm Support
You can configure more than one firewall farm in each load-balancing device.
Network Address Translation (NAT)
Cisco IOS NAT, defined in RFC 1631, allows hosts with unregistered "private" IP addresses to reach the Internet by
translating those addresses into globally registered IP addresses. As part of this functionality, Cisco IOS NAT can
be configured to advertise only one address for the entire network to the outside world. This
configuration provides additional network privacy, hiding the addressing and topology of the internal
network behind that single address. NAT combines this hiding with address
conservation, and is typically implemented in remote access environments. Address hiding is not a filtering
policy, however: NAT does not by itself inspect or restrict the traffic that inside hosts initiate, so it
complements rather than replaces a firewall or access list.
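The following is an added example, not from the release notes, of the single-advertised-address form of Cisco IOS NAT the paragraph describes (port address translation, configured with the overload keyword): every inside host is translated to the outside interface's address, and a standard access list restricts which source addresses are eligible for translation. Interface names and addresses are hypothetical.

```cisco
! Inside (secure) interface: the private network being hidden.
interface FastEthernet0/0
 ip address 192.168.10.1 255.255.255.0
 ip nat inside
!
! Outside interface: its address is the only one the outside world sees.
interface Serial0/0
 ip address 203.0.113.2 255.255.255.252
 ip nat outside
!
! Only packets sourced from the inside subnet are eligible for translation.
! Keep this list tight: anything it does not match is forwarded untranslated
! if a route exists, which leaks the private addressing.
access-list 1 permit 192.168.10.0 0.0.0.255
!
! overload = many inside addresses share one outside address, distinguished by
! source port. This is the one-address-for-the-whole-network configuration.
ip nat inside source list 1 interface Serial0/0 overload
```

Verify with show ip nat translations and show ip nat statistics. Because NAT only hides addresses, pair it with an inbound access list on the outside interface that permits established return traffic and denies everything else; an active translation entry is enough for NAT to forward inbound packets to the inside host for the lifetime of that entry.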
This section includes information about the following topics: