04-03-2007 06:14 AM
I have a problem understanding how ACE handles firewall load balancing.
In the documentation there is an example for a secure side and an insecure side:
serverfarm INSEC_SF
  transparent
  predictor hash address source 255.255.255.255
  rserver FW_INSEC_1
    inservice
  rserver FW_INSEC_2
    inservice
  rserver FW_INSEC_3
    inservice

serverfarm SEC_SF
  predictor hash address destination 255.255.255.255
  transparent
  rserver FW_SEC_1
    inservice
  rserver FW_SEC_2
    inservice
  rserver FW_SEC_3
    inservice
The ACE on the insecure side makes a hash of the source IP and selects one of the 3 firewalls.
The ACE on the secure side makes a hash of the destination IP and selects one of the 3 firewalls.
On what information does the ACE compute the hash? The IP addresses of the firewalls on the secure and insecure sides are different.
The names of the real servers are also different.
Best Regards
Sven
04-04-2007 12:58 AM
Sven,
ACE uses the source or destination ip address of the packet to forward.
So, on the non-secure side we receive traffic from CLIENT to SERVER.
ACE takes the CLIENT IP, computes a hash value and selects server 1, for example.
On the secure side, the traffic CLIENT -> SERVER is simply forwarded. No hashing or anything.
But the response from the SERVER to CLIENT will hit the service policy and a new hash will be computed.
This time the src is the SERVER and the destination is the CLIENT.
By doing a hash on the destination, the hash is done on the CLIENT IP, which gives the same result as what was done on the non-secure side and guarantees that ACE will select the same firewall.
This concept was already used on the CSM.
Gilles.
04-04-2007 01:36 AM
Hi Gilles,
Thanks for your reply. You are right. But my question was: on what does the hash match?
There are 3 Firewalls.
The ACE only knows the local IP address and name of the firewall.
So the ACE on the secure side knows a different IP address than the ACE on the insecure side.
The names are also different on both sides!
So how does the ACE module know that rserver FW_INSEC_1 and rserver FW_SEC_1 are the same firewall device? So it is not clear on what the ACE matches the computed hash value for SRC or DST IP.
On CSS systems it is clear. The CSS knows the local and remote IP of the firewall plus the firewall index and can compute the hash for both sides to the same firewall.
But on the ACE system I cannot see where the match is done.
Is it done by the order of configuration in the serverfarm?
04-04-2007 02:36 AM
The hash is done on the traffic source/destination IP addresses.
The hash result is an index: 1, 2 or 3 [if you have 3 servers].
The name of the rserver is important. To make it simple, just look at the output of "sh serverfarm
Gilles.
04-04-2007 03:40 AM
Hello Gilles,
OK, that was what I wanted to know. So the names have to be similar on both sides.
Another question: is it not even better to do a src/dst hash on both sides of the firewall to get a better distribution over the firewalls?
Sven
04-04-2007 04:26 AM
Sven,
yes, it is indeed a good idea to use both source and destination.
Gilles.
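The mechanism Gilles describes in the two answers above (hash on CLIENT IP outbound, hash on the destination, which is again the CLIENT IP, on the reply, and the src/dst variant from the last exchange) as an added simulation; this is not ACE code and the actual ACE hash function is not given in the thread, so a SHA-256 of the masked address is assumed as a stand-in, and the rserver lists, flows and addresses are constructed:

```python
import hashlib
import ipaddress

# Constructed model of the two serverfarms from the thread: rservers in
# configuration order, so index i on the insecure side and index i on the
# secure side are the two legs of the same physical firewall.
INSEC_SF = ["FW_INSEC_1", "FW_INSEC_2", "FW_INSEC_3"]
SEC_SF = ["FW_SEC_1", "FW_SEC_2", "FW_SEC_3"]


def hash_address(addr, mask="255.255.255.255"):
    """Stand-in for 'predictor hash address <src|dst> <mask>'. Assumption:
    any deterministic hash of the masked address shows the same symmetry."""
    masked = int(ipaddress.ip_address(addr)) & int(ipaddress.ip_address(mask))
    digest = hashlib.sha256(masked.to_bytes(4, "big")).digest()
    return int.from_bytes(digest[:4], "big")


def select_index(predictor, src, dst, n):
    """Return the rserver index (0..n-1) the predictor picks for a packet."""
    if predictor == "source":
        h = hash_address(src)
    elif predictor == "destination":
        h = hash_address(dst)
    elif predictor == "both":
        # XOR is order-independent, so CLIENT->SERVER and SERVER->CLIENT agree
        h = hash_address(src) ^ hash_address(dst)
    else:
        raise ValueError(predictor)
    return h % n


def count_asymmetric_flows(flows, insec_predictor, sec_predictor):
    """Count flows whose reply (SERVER->CLIENT, hashed on the secure side)
    lands on a different firewall than the request (CLIENT->SERVER)."""
    bad = 0
    for client, server in flows:
        out_idx = select_index(insec_predictor, client, server, len(INSEC_SF))
        back_idx = select_index(sec_predictor, server, client, len(SEC_SF))
        if out_idx != back_idx:
            bad += 1
    return bad


# Constructed sample flows: 60 clients talking to one server.
FLOWS = [(f"203.0.113.{i}", "192.0.2.10") for i in range(1, 61)]

if __name__ == "__main__":
    print("src out / dst back:", count_asymmetric_flows(FLOWS, "source", "destination"))
    print("src on both sides: ", count_asymmetric_flows(FLOWS, "source", "source"))
    print("src+dst both sides:", count_asymmetric_flows(FLOWS, "both", "both"))
```

The second run shows what breaks if the secure side also hashed on the source (the SERVER IP): replies pile onto one index and most flows return through a different firewall than they left by.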
04-16-2007 05:49 AM
Hi Gilles,
Thanks very much!
Very clear answer.
I think it is the same on the CSM?
Sven
04-16-2007 06:28 AM
Yes, you can use a similar config on the CSM.
Gilles.
04-19-2007 01:06 PM
Thanks a lot!
Sven