Avaya P333R-LB User's Guide

Chapter 14
Load Balancing in the P333R-LB
configuration example.
Persistency
Firewalls perform a Stateful Inspection on every session passing through them and 
drop a session if not all of its traffic passes through the same firewall. Therefore, 
when load-balancing between different firewalls, it is imperative that all traffic 
belonging to a given session traverses the same firewall.
The P333R-LB achieves this goal by implementing a sophisticated persistency 
mechanism, based on packet characteristics inspection. A symmetric hash function 
in each module is calculated based on the source and destination IP addresses. The 
P333R-LB assures that packets with the same characteristics traverse the same 
firewall in both directions throughout the session.
In the case where there are two P333R-LBs (one on each side of the firewalls), 
persistency is ensured only if each P333R-LB is configured so that they are 
compatible with each other. If they are not, and there is a change in the network 
that affects internal device decisions (for example, adding or removing a Real 
Server), persistency, or even the network connection, could be lost.
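The following added example (not taken from the guide and not Avaya's implementation) models the persistency behaviour described above: an order-independent hash of the two IP addresses selects the firewall, so both directions of a session agree as long as both load balancers hold the same firewall list. The XOR-fold hash, the function names, the firewall names and the sample addresses are all assumptions made for illustration; the guide does not specify the actual hash.

```python
import ipaddress

def symmetric_hash(ip_a, ip_b):
    """Order-independent hash (assumed XOR-fold, not the device's real function).
    XOR is commutative, so swapping source and destination gives the same value."""
    x = int(ipaddress.IPv4Address(ip_a)) ^ int(ipaddress.IPv4Address(ip_b))
    # Fold all four octets into one byte so every octet influences the result.
    return (x ^ (x >> 8) ^ (x >> 16) ^ (x >> 24)) & 0xFF

def pick_firewall(src, dst, firewalls):
    """Map a packet to a firewall using the hash and this device's firewall list."""
    return firewalls[symmetric_hash(src, dst) % len(firewalls)]

def asymmetric_flows(flows, inside_fws, outside_fws):
    """Return the flows whose outbound path (chosen by the inside load balancer)
    and return path (chosen by the outside load balancer) use different firewalls.
    A stateful firewall would drop the return traffic of every flow listed here."""
    broken = []
    for client, server in flows:
        out_fw = pick_firewall(client, server, inside_fws)
        back_fw = pick_firewall(server, client, outside_fws)
        if out_fw != back_fw:
            broken.append((client, server, out_fw, back_fw))
    return broken

# Constructed sample data: 20 internal clients talking to one external server.
FLOWS = [("10.0.0.%d" % i, "198.51.100.7") for i in range(1, 21)]
FW_MATCHED = ["fw1", "fw2"]          # both load balancers configured identically
FW_DRIFTED = ["fw1", "fw2", "fw3"]   # a firewall was added on one side only

if __name__ == "__main__":
    print("matched config, broken flows:",
          len(asymmetric_flows(FLOWS, FW_MATCHED, FW_MATCHED)))
    print("drifted config, broken flows:")
    for client, server, out_fw, back_fw in asymmetric_flows(
            FLOWS, FW_MATCHED, FW_DRIFTED):
        print("  %s <-> %s  out via %s, back via %s"
              % (client, server, out_fw, back_fw))
```

Running the same comparison against the firewall lists exported from both devices is a quick way to check a planned change before it is applied to only one side.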
Non-Transparent Routing Firewall Load Balancing
This section explains how the P333R-LB supports non-Transparent Routing 
firewalls, and includes configuration examples as well.
Implementation
Non-Transparent Routing firewalls are firewalls that support dynamic NAT 
(Network Address Translation). 
For non-Transparent FWLB, the load balancer receives an outgoing packet, makes a 
load balancing decision, and forwards the packet to a firewall. The firewall keeps a 
bank of IP addresses and replaces the source IP of the incoming packet (from the 
LAN) with a unique, yet arbitrary IP address from this bank. The firewall then 
forwards the packet to an edge router which routes it to the correct destination on 
the WAN.
For incoming packets, the unique NAT address is used as a destination IP to access 
the same firewall. The firewall performs reverse NAT by replacing the NAT 
destination address with the actual destination address (the client IP address), and 
then forwards the packet to the load balancer which routes the packet to its 
destination. No Load Balancing is performed on incoming packets.
For non-Transparent Routing FWLB, only one Load Balancing device is required. 
The device is positioned on the LAN (internal) side of the firewalls. Since the 
firewalls perform NAT, a Load Balancing device is not needed between the WAN 
and the firewalls.
As well, non-Transparent Routing FWLB can be configured using static NAT. In