ACE - Firewall Loadbalancing

Sbutzek
Level 1

I have a problem understanding how ACE handles the firewall load balancing.

In the documentation there is an example for a secure side and an insecure side.

serverfarm INSEC_SF
  transparent
  predictor hash address source 255.255.255.255
  rserver FW_INSEC_1
    inservice
  rserver FW_INSEC_2
    inservice
  rserver FW_INSEC_3
    inservice

serverfarm SEC_SF
  predictor hash address destination 255.255.255.255
  transparent
  rserver FW_SEC_1
    inservice
  rserver FW_SEC_2
    inservice
  rserver FW_SEC_3
    inservice

The ACE on the insecure side makes a hash of the source IP and selects one of 3 firewalls.

The ACE on the secure side makes a hash of the destination IP and selects one of 3 firewalls.

On what information does the ACE make the hash? The IP addresses of the firewalls on the secure/insecure side are different.

Names of the real server are also different.

Best Regards

Sven

9 Replies

Gilles Dufour
Cisco Employee

Sven,

ACE uses the source or destination IP address of the packet to forward.

So, on the non-secure side we receive traffic from CLIENT to SERVER.

ACE takes the CLIENT IP, computes a hash value and selects server 1, for example.

On the secure side, the traffic CLIENT -> SERVER is simply forwarded. No hashing or anything.

But the response from the SERVER to CLIENT will hit the service policy and a new hash will be computed.

This time the src is the SERVER and the destination is the CLIENT.

By doing a hash on the destination, the hash is done on the CLIENT IP, which gives the same result as on the non-secure side and guarantees that ACE will select the same firewall.

This concept was already used on the CSM.

Gilles.

Hi Gilles,

thanks for your reply. You are right. But my question was: on what does the hash match?

There are 3 Firewalls.

The ACE only knows the local IP Address and name of the Firewall.

So the ACE on the secure side knows a different IP address than the ACE on the insecure side.

The Names are also different on both sides!

So how do the ACE modules know that rserver FW_INSEC_1 and rserver FW_SEC_1 are the same firewall device? It is not clear on what the ACE matches the computed hash value for the source or destination IP.

On CSS systems it is clear. The CSS knows the local and remote IP of the firewall plus the firewall index and can compute the hash on both sides to the same firewall.

But on the ACE system I cannot see where the match is done.

Is it done by the order of Configuration in the serverfarm?

The hash is done on the traffic's source/destination IP addresses.

The hash result is an index 1, 2 or 3 [if you have 3 servers].

The name of the rserver is important. To make it simple, just look at the output of "sh serverfarm" or "sh run rserver". The servers are ordered alphabetically in the CLI output, and this is also the order in which they are ordered for load balancing.

Gilles.

Hello Gilles,

OK, that was what I wanted to know. So the names have to be similar on both sides.

Another question: is it not even better to do a src/dst hash on both sides of the firewall to get a better distribution over the firewalls?

Sven

Sven,

yes, it is indeed a good idea to use both source and destination.

Gilles.
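To make the index mechanism from the two answers above concrete, here is an added Python model. It is not Cisco code, and the hash function is a stand-in assumption, since the thread does not describe ACE's actual algorithm; the rserver names, the device labels and the client/server address ranges are constructed for the example. It reproduces the alphabetical rserver ordering, checks that hashing the source on the insecure side and the destination on the secure side pick the same physical firewall, shows what goes wrong when the two farms' names do not map to the devices in the same order, and checks the src+dst variant from the follow-up question.

```python
"""Model of ACE-style 'predictor hash address' firewall load balancing.

Added example, not Cisco code. The hash is an assumption standing in for
ACE's internal function; the symmetry argument holds for any deterministic
hash of the address.
"""
import ipaddress
from itertools import product

# Constructed rserver -> physical firewall maps. Both farms reference the
# same three boxes, but through different rserver names and (on the real
# device) different IPs; only the alphabetical position matters here.
INSEC_FARM = {"FW_INSEC_1": "fw-A", "FW_INSEC_2": "fw-B", "FW_INSEC_3": "fw-C"}
SEC_FARM = {"FW_SEC_1": "fw-A", "FW_SEC_2": "fw-B", "FW_SEC_3": "fw-C"}
# Same boxes, but the secure-side names were assigned in rotated order:
# alphabetical index 1 now points at fw-B instead of fw-A, and so on.
SEC_FARM_ROTATED = {"FW_SEC_1": "fw-B", "FW_SEC_2": "fw-C", "FW_SEC_3": "fw-A"}

MASK_ALL = "255.255.255.255"


def _masked(addr, mask):
    """Apply the predictor's netmask to an IPv4 address, as an integer."""
    return int(ipaddress.IPv4Address(addr)) & int(ipaddress.IPv4Address(mask))


def hash32(value):
    # Assumption: a multiplicative hash stands in for ACE's hash.
    return (value * 2654435761) & 0xFFFFFFFF


def predictor_hash_address(farm, src, dst, mode, mask=MASK_ALL):
    """Return (rserver name, physical device) chosen for a packet src -> dst.

    mode mirrors the CLI: 'source', 'destination', or 'both' for a plain
    'predictor hash address' (source and destination together).
    """
    if mode == "source":
        h = hash32(_masked(src, mask))
    elif mode == "destination":
        h = hash32(_masked(dst, mask))
    elif mode == "both":
        # XOR is commutative, so the reply packet (src/dst swapped) hashes
        # to the same value. A non-commutative combination would not.
        h = hash32(_masked(src, mask)) ^ hash32(_masked(dst, mask))
    else:
        raise ValueError(f"unknown mode {mode!r}")
    ordered = sorted(farm)            # rservers ordered alphabetically, as in "sh serverfarm"
    name = ordered[h % len(ordered)]  # the hash result is an index into that order
    return name, farm[name]


def path_is_symmetric(client, server, insec_farm, insec_mode, sec_farm, sec_mode):
    """True if client -> server and the server -> client reply use the same box."""
    _, fwd_dev = predictor_hash_address(insec_farm, client, server, insec_mode)
    _, rev_dev = predictor_hash_address(sec_farm, server, client, sec_mode)
    return fwd_dev == rev_dev


def count_asymmetric(insec_farm, insec_mode, sec_farm, sec_mode):
    """Count constructed client/server pairs whose two directions split across firewalls."""
    clients = [f"10.1.{i}.{j}" for i in range(1, 6) for j in (10, 77, 200)]  # 15 clients
    servers = [f"192.0.2.{k}" for k in (10, 20, 30, 40)]                    # 4 servers
    return sum(
        not path_is_symmetric(c, s, insec_farm, insec_mode, sec_farm, sec_mode)
        for c, s in product(clients, servers)
    )


if __name__ == "__main__":
    print("source/destination, names aligned :",
          count_asymmetric(INSEC_FARM, "source", SEC_FARM, "destination"))
    print("source/destination, names rotated :",
          count_asymmetric(INSEC_FARM, "source", SEC_FARM_ROTATED, "destination"))
    print("src+dst hash on both sides        :",
          count_asymmetric(INSEC_FARM, "both", SEC_FARM, "both"))
```

The rotated farm is the failure mode behind Sven's question: the ACE never correlates FW_INSEC_1 with FW_SEC_1 by IP, so if the alphabetical order on one side does not correspond to the same physical boxes as on the other, every flow's return traffic lands on a different firewall and stateful inspection drops it. The mask argument also shows why 255.255.255.255 is used in the documentation example: a shorter mask such as 255.255.255.0 sends a whole /24 of clients to one firewall.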


Hi Gilles,

thanks very much!

Very clear answer.

I think it is the same on the CSM?

Sven

Yes, you can use a similar config on the CSM.

Gilles.

Thanks a lot!

Sven
