Cisco Support Community

New Member

Loadbalancing outgoing traffic on internet connections with css

Today we have a fairly expensive hi-speed link to the internet for browser-traffic. We have separate connections for ingoing traffic, so this question is only about outgoing connections.

I would like to make a cheaper setup by ordering maybe 32 ADSL connections terminated with ethernet routers (with 1 public address on each) and a couple of CSS switches to loadbalance the requests on the connections.

The CSS should be able to keepalive some resources on the internet to monitor if the individual connections are working.

There are a few problems:

1) Megaproxy - if sticky is not used, client requests will be coming from a "new" source-address for every request - some sites don't handle that well yet. Sticky source-ip cannot be used since we have a smartfilter proxy (and firewall) that all requests go through - i.e. all requests come from the same address as seen from the CSS. Cookie sticky... not possible because:

2) This does not really involve any VIPs or services, only source nat and loadbalancing outgoing interfaces.

Is it possible at all? What other solutions could give me this functionality?

Thanks

Christian

8 REPLIES
New Member

Re: Loadbalancing outgoing traffic on internet connections with

No, basically.

The CSS cannot currently load-balance outgoing traffic across multiple connections. If you (like others) need that functionality, I would highly recommend you contact your account team.

Regards,

-A

New Member

Re: Loadbalancing outgoing traffic on internet connections with

-A,

Are you saying you cannot balance outbound (to public side) over two firewall connections? Why not?

Thanks,

Cisco Employee

Re: Loadbalancing outgoing traffic on internet connections with

The CSS can do firewall loadbalancing.

Just define your two firewalls with the command 'firewall', then configure static routes pointing to the firewalls like this:

ip route 0.0.0.0 0.0.0.0 firewall 1

ip route 0.0.0.0 0.0.0.0 firewall 2

What the CSS can't do is use both interfaces if you have 2 interfaces to reach firewall 1; we will only use one of them.

But we are working on the etherchannel feature, which will let you combine links into a single one.

I can provide you with links to sample configs if needed.

Gilles.

New Member

Re: Loadbalancing outgoing traffic on internet connections with

Gilles,

Merci, I would appreciate the configs. I would like to balance in front of the firewalls, in their DMZ and on the return path. Unfortunately there is only 1 CSS, so I assume I can set up 3 VLANs to handle this?

Thanks for any more info.

Cisco Employee

Re: Loadbalancing outgoing traffic on internet connections with

With 1 CSS, you can't do firewall loadbalancing.

The reason is that a 2nd CSS is needed to make sure the returning traffic goes back to the same firewall (otherwise you get into trouble).

So, with one CSS only you have no solution.

Gilles.
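Added example, not part of the thread and not Cisco's code: a small Python model of the constraint Gilles describes, where the balancers on both sides of the firewalls must make the same choice for a flow or return packets reach a firewall that holds no state for them. The hash, the function names and the sample addresses are assumptions made for illustration; the thread does not say how the CSS selects a firewall.

```python
import hashlib
import ipaddress

FIREWALLS = [1, 2]  # mirrors "firewall 1" / "firewall 2" in the routes above


def _bucket(data: bytes, firewalls) -> int:
    """Map a byte string onto one of the firewall indexes."""
    digest = hashlib.sha256(data).digest()
    return firewalls[int.from_bytes(digest[:4], "big") % len(firewalls)]


def pick_symmetric(src: str, dst: str, firewalls=FIREWALLS) -> int:
    """Both balancers sort the address pair first, so A->B and B->A agree."""
    pair = sorted((ipaddress.ip_address(src).packed,
                   ipaddress.ip_address(dst).packed))
    return _bucket(pair[0] + pair[1], firewalls)


def pick_order_dependent(src: str, dst: str, firewalls=FIREWALLS) -> int:
    """Stand-in for a far side that picks a path without coordinating."""
    return _bucket(ipaddress.ip_address(src).packed +
                   ipaddress.ip_address(dst).packed, firewalls)


def split_flows(flows, picker):
    """Flows whose return packets would reach a different firewall."""
    return [(s, d) for s, d in flows if picker(s, d) != picker(d, s)]


# Constructed sample flows: 50 inside clients x 4 documentation-range servers.
FLOWS = [(f"10.0.0.{c}", srv)
         for c in range(1, 51)
         for srv in ("192.0.2.10", "192.0.2.20", "198.51.100.5", "203.0.113.7")]

if __name__ == "__main__":
    print("split, symmetric pick:      ", len(split_flows(FLOWS, pick_symmetric)))
    print("split, order-dependent pick:", len(split_flows(FLOWS, pick_order_dependent)))
```
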

New Member

Re: Loadbalancing outgoing traffic on internet connections with

You may want to check out a product by Radware called LinkProof. This may do the job for you.

New Member

Re: Loadbalancing outgoing traffic on internet connections with

You can check a product by F5 Network too: Link Controller.

New Member

Re: Loadbalancing outgoing traffic on internet connections with

I currently have two upstream routers. On my CSS, I pointed one default route to one router, the other default route to the other router. This seems to load balance outgoing traffic fine. The CSS issues an ICMP ping to each router to see if it is alive; if the ping fails, the route is removed from the route table.

I'm not sure why your issues with a megaproxy would be any different if you had a single path to the internet. Why would this behave any differently with multiple Internet connections? Why the source NAT?
