Please help with server teaming using the FWSM as the gateway.

Unanswered Question
Mar 8th, 2008

In server teaming, when we select the TLB (transmit load balancing) method, the server transmits packets from a single virtual IP address but with different MAC addresses.


If the server gateway is the FWSM, how will the FWSM treat the packets when it receives one packet from IP address 1.1.1.1 with MAC A and another packet from the same IP address but a different MAC, for example MAC B?


Cisco has no issues with this config.


http://www.cisco.com/en/US/solutions/ns340/ns517/ns224/ns304/net_design_guidance0900aecd800ea162.pdf


But then my worry is what happens when the FWSM sees packets coming from the same source IP address but different MAC addresses. Does it take this as an ARP attack, or a MAC address attack?


Please suggest.


HP teaming white papers are here for reference:


ftp://ftp.compaq.com/pub/products/servers/networking/TeamingWP.pdf




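The question above is whether a gateway that sees one IP address behind several source MACs will treat it as spoofing. As an added example (not from this thread, and not a description of how the FWSM itself handles this), here is the kind of IP-to-MAC consistency check an IDS or a firewall's MAC/ARP-spoofing feature runs over frame headers. It shows why a TLB team, as described in the question (one IP transmitting from several NIC MACs), trips a naive "one IP, one MAC" rule, and how an allow-list of the team's member MACs removes that false positive while still catching a real spoofer. The MAC addresses, the capture, and the split into a primary adapter that answers ARP plus a secondary that only transmits are all constructed assumptions for the example.

```python
"""Added example: naive vs. team-aware IP-to-MAC binding checks.

Everything below (frames, MACs, team membership) is constructed; it does not
model the FWSM's actual behaviour, only the generic detection logic.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Frame:
    src_mac: str
    src_ip: str
    dst_ip: str
    proto: str  # "ip" for ordinary traffic, "arp-reply" for ARP replies


# Assumed NIC team: 1.1.1.1 is the server's team IP. NIC A is the primary
# adapter (the MAC that answers ARP for the team IP); NIC B only transmits.
TEAMS = {
    "1.1.1.1": {
        "primary": "00:aa:aa:aa:aa:aa",
        "members": {"00:aa:aa:aa:aa:aa", "00:bb:bb:bb:bb:bb"},
    },
}

# Constructed capture as a gateway's inside interface would see it.
CAPTURE = [
    Frame("00:aa:aa:aa:aa:aa", "1.1.1.1", "10.0.0.5", "ip"),
    Frame("00:bb:bb:bb:bb:bb", "1.1.1.1", "10.0.0.6", "ip"),         # TLB: second NIC
    Frame("00:aa:aa:aa:aa:aa", "1.1.1.1", "10.0.0.1", "arp-reply"),  # primary answers ARP
    Frame("00:cc:cc:cc:cc:cc", "1.1.1.2", "10.0.0.5", "ip"),         # ordinary host
    Frame("00:dd:dd:dd:dd:dd", "1.1.1.2", "10.0.0.5", "ip"),         # spoofer using 1.1.1.2
    Frame("00:dd:dd:dd:dd:dd", "1.1.1.1", "10.0.0.1", "arp-reply"),  # ARP poison for team IP
]


def naive_binding_check(frames):
    """The first MAC seen for an IP becomes its binding; any other MAC is an alert.

    This is the rule that flags a TLB team as an attacker.
    """
    seen = {}
    alerts = []
    for f in frames:
        bound = seen.setdefault(f.src_ip, f.src_mac)
        if f.src_mac != bound:
            alerts.append((f.src_ip, f.src_mac))
    return alerts


def team_aware_check(frames, teams):
    """Same rule, but a team IP may send IP traffic from any member MAC and
    ARP replies only from the primary MAC. Non-team IPs keep the naive rule."""
    seen = {}
    alerts = []
    for f in frames:
        team = teams.get(f.src_ip)
        if team is None:
            bound = seen.setdefault(f.src_ip, f.src_mac)
            if f.src_mac != bound:
                alerts.append((f.src_ip, f.src_mac))
        elif f.proto == "arp-reply":
            if f.src_mac != team["primary"]:
                alerts.append((f.src_ip, f.src_mac))
        elif f.src_mac not in team["members"]:
            alerts.append((f.src_ip, f.src_mac))
    return alerts


if __name__ == "__main__":
    print("naive:     ", naive_binding_check(CAPTURE))
    print("team-aware:", team_aware_check(CAPTURE, TEAMS))
```

The naive check raises three alerts, one of them for the team's legitimate second NIC; the team-aware check raises only the two real ones (the MAC borrowing 1.1.1.2 and the ARP reply for 1.1.1.1 from a non-primary MAC). The practical point for a deployment like the one asked about is that any device enforcing a strict IP-to-MAC binding needs to know the team's member MACs, or it will alert on, or drop, TLB traffic.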
mslavin Sun, 03/09/2008 - 19:36

My personal recommendation is that if you cannot use a teaming method based on a standard (i.e., IEEE 802.3ad), stick with an Active/Standby mode of teaming. Active/Active (non-standards based, such as TLB), at a minimum, leads to non-deterministic flows (you have no control over, or idea of, which flow will use which NIC), which by itself makes it more difficult to troubleshoot and increases TCO.


In cases where users are using Active/Standby and still want to load balance the network, you can have servers stagger which NIC is the active NIC, to spread the load over the network (the individual server is not load balanced, but overall, the teamed servers do load balance the flows).


In cases where users want to use Active/Active based on EtherChannel, both NICs need to go to the same physical or logical upstream switch (this could be a single switch, which is a single point of failure, or a logical switch, such as stacked 3750s or a pair of 6500s in VSS mode, which are not single points of failure).


Someone else on the list might have other recommendations, or specific knowledge of TLB with firewalls, so I'll open it up to them :-)


Thanks, Matt

I have configured TLB behind a FWSM in multiple context mode without running into any issues. I was using HP Blades connected to a Cisco Blade Switch connected to a 6500 core. We performed Altiris RDP over the TLB interface, so we did ship quite a bit of traffic, although going through the FWSM I don't believe we really took advantage of TLB.


The TLB interfaces were all behind the inside interface.


Assuming you have 1 Gbps connections and multiple servers, then TLB probably won't really add that much. I would try to be application specific rather than taking a broad-brush approach.


As Matt suggests, if problems occur then it is much easier troubleshooting standards. Also, if it is only configured on specific servers then it can be switched off and retested reasonably quickly.


Regards

JohnnieMac


