ACE - Firewall Loadbalancing

Apr 3rd, 2007

I have a problem understanding how ACE handles the firewall load balancing.


In the documentation there is an example for a secure side and an insecure side.



serverfarm INSEC_SF
  transparent
  predictor hash address source 255.255.255.255
  rserver FW_INSEC_1
    inservice
  rserver FW_INSEC_2
    inservice
  rserver FW_INSEC_3
    inservice

serverfarm SEC_SF
  predictor hash address destination 255.255.255.255
  transparent
  rserver FW_SEC_1
    inservice
  rserver FW_SEC_2
    inservice
  rserver FW_SEC_3
    inservice


The ACE on the insecure side makes a hash of the source IP and selects one of 3 firewalls.


The ACE on the secure side makes a hash of the destination IP and selects one of 3 firewalls.


On what information does the ACE compute the hash? The IP addresses of the firewalls on the secure/insecure side are different.

Names of the real server are also different.



Best Regards

Sven

Gilles Dufour (Cisco Employee) Wed, 04/04/2007 - 00:58

Sven,


ACE uses the source or destination ip address of the packet to forward.

So, on the non-secure side we receive traffic from CLIENT to SERVER.

ACE takes the CLIENT IP, computes a hash value and selects server 1, for example.


On the secure side, the traffic CLIENT -> SERVER is simply forwarded. No hashing or anything.

But the response from the SERVER to CLIENT will hit the service policy and a new hash will be computed.

This time the src is the SERVER and the destination is the CLIENT.

By doing a hash on the destination, the hash is done on the CLIENT IP, which will give the same result as what was done on the non-secure side, which guarantees ACE will select the same firewall.


This concept was already used on the CSM.


Gilles.

Sbutzek Wed, 04/04/2007 - 01:36

Hi Gilles,


thanks for your reply. You are right. But my question was: on what does the hash match?


There are 3 Firewalls.


The ACE only knows the local IP address and name of the firewall.

So the ACE on the secure side knows a different IP address than the ACE on the insecure side.


The names are also different on both sides!


So how do the ACE modules know that rserver FW_INSEC_1 and rserver FW_SEC_1 are the same firewall device? So it is not clear on what the ACE matches the computed hash value for SRC or DST IP.


On CSS systems it is clear. The CSS knows the local and remote IP of the firewall + firewall index and can compute the hash for both sides to the same firewall.

But on the ACE system I can not see where the match is done.


Is it done by the order of Configuration in the serverfarm?

Gilles Dufour (Cisco Employee) Wed, 04/04/2007 - 02:36

The hash is done on the traffic source/destination IP addresses.

The hash result is an index 1, 2 or 3 [if you have 3 servers].


The name of the rserver is important. To make it simple, just look at the output of "sh serverfarm" or "sh run rserver". The servers are ordered alphabetically in CLI output and this is also the order in which they are ordered for load balancing.


Gilles.

Sbutzek Wed, 04/04/2007 - 03:40

Hello Gilles,


OK, that was what I wanted to know. So the names have to be similar on both sides.



Another question: is it not even better to do a src/dst hash on both sides of the firewall to get a better distribution over the firewalls?


Sven

Gilles Dufour (Cisco Employee) Wed, 04/04/2007 - 04:26

Sven,


yes, it is indeed a good idea to use both source and destination.


Gilles.
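As an added illustration (not code from this thread, from Cisco, or from the ACE itself), the following Python models the two points made in the answers above: the hash result is a position in the alphabetically ordered rserver list, so the n-th rserver on each side (FW_INSEC_n and FW_SEC_n) must be the same physical firewall, and hashing on the source outside and on the destination inside, or on both addresses on both sides, makes a client->server flow and its server->client reply land on the same position. ACE's real hash function is not documented, so a toy "sum of masked address words mod number of servers" stands in for it; the flow addresses and serverfarm objects are constructed for the example. It also shows the misconfiguration the thread is warning against (source hash on both sides) and the effect of a shorter predictor mask.

```python
"""Model of the hash predictors used for ACE-style firewall load balancing.

Added illustration, not Cisco code. ACE's hash function is not public, so a
toy hash (sum of the masked address words mod the number of real servers)
stands in for it. The properties demonstrated do not depend on which hash is
used, only on both sides using the same function over the same ordered list.
"""
import ipaddress


def masked(ip: str, mask: str) -> int:
    """Apply the predictor mask to an IPv4 address (255.255.255.0 hashes the /24)."""
    return int(ipaddress.IPv4Address(ip)) & int(ipaddress.IPv4Address(mask))


def toy_hash(words, n: int) -> int:
    """Stand-in for the undocumented ACE hash: maps address words to an index 0..n-1."""
    return sum(words) % n


class HashServerfarm:
    """A serverfarm with 'predictor hash address source|destination|both <mask>'."""

    def __init__(self, name, rservers, predictor, mask="255.255.255.255"):
        self.name = name
        # Per the thread, ACE orders the real servers alphabetically and uses
        # that order as the hash index; sorting here models that behaviour.
        self.rservers = sorted(rservers)
        self.predictor = predictor
        self.mask = mask

    def select(self, src: str, dst: str):
        """Return (index, rserver) chosen for a packet flowing src -> dst."""
        s, d = masked(src, self.mask), masked(dst, self.mask)
        if self.predictor == "source":
            words = (s,)
        elif self.predictor == "destination":
            words = (d,)
        elif self.predictor == "both":
            # Symmetric in (s, d): the reply packet (d -> s) hashes identically,
            # which is what makes a src/dst hash usable on both sides.
            words = (s, d)
        else:
            raise ValueError(f"unknown predictor {self.predictor!r}")
        idx = toy_hash(words, len(self.rservers))
        return idx, self.rservers[idx]


def same_firewall(insec, sec, flows):
    """True if every client->server flow picks the same positional firewall on the
    insecure side as its server->client reply picks on the secure side.

    Names differ per side (FW_INSEC_n vs FW_SEC_n), so the pairing is by position:
    the n-th rserver on each side must be the same physical firewall.
    """
    return all(insec.select(c, s)[0] == sec.select(s, c)[0] for c, s in flows)


INSEC = ["FW_INSEC_1", "FW_INSEC_2", "FW_INSEC_3"]
SEC = ["FW_SEC_1", "FW_SEC_2", "FW_SEC_3"]

# The documented pairing: source hash outside, destination hash inside.
INSEC_SF = HashServerfarm("INSEC_SF", INSEC, "source")
SEC_SF = HashServerfarm("SEC_SF", SEC, "destination")

# Misconfiguration: source hash on both sides. The reply's source is the server,
# so the inside ACE can pick a different firewall, which then drops the reply
# because it never saw the forward half of the connection.
SEC_SF_WRONG = HashServerfarm("SEC_SF", SEC, "source")

# The variant recommended in the thread: hash on both addresses, on both sides.
INSEC_BOTH = HashServerfarm("INSEC_SF", INSEC, "both")
SEC_BOTH = HashServerfarm("SEC_SF", SEC, "both")

# Constructed sample flows (client, server); not taken from the thread.
FLOWS = [
    ("198.51.100.10", "10.0.0.5"),
    ("203.0.113.7", "10.0.0.5"),
    ("192.0.2.44", "10.0.0.7"),
]

if __name__ == "__main__":
    for c, s in FLOWS:
        out = INSEC_SF.select(c, s)   # client -> server, hashed outside
        back = SEC_SF.select(s, c)    # server -> client reply, hashed inside
        print(f"{c:>15} -> {s:<10} outside={out} reply={back}")
    print("source/destination pairing consistent:", same_firewall(INSEC_SF, SEC_SF, FLOWS))
    print("source/source misconfiguration consistent:", same_firewall(INSEC_SF, SEC_SF_WRONG, FLOWS))
    print("src+dst on both sides consistent:", same_firewall(INSEC_BOTH, SEC_BOTH, FLOWS))
```

The check worth running against a real pair of ACE contexts is the one same_firewall() expresses: for each flow, the position of the rserver chosen outside for client->server must equal the position chosen inside for server->client, and the rserver at that position on each side must be the same box. A mask shorter than 255.255.255.255 trades distribution for stability: all clients in one /24 hash to the same firewall, which also keeps fragmented or multi-connection sessions from the same subnet together.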

Sbutzek Mon, 04/16/2007 - 05:49

Hi Gilles,

thanks very much!



Very clear answer.


I think it is the same on the CSM?


Sven

Gilles Dufour (Cisco Employee) Mon, 04/16/2007 - 06:28

yes, you can use a similar config on the CSM.


Gilles.
