Cisco Support Community

New Member

weighted firewall loadbalancing

I have a customer who is using a CSS as a firewall load balancer.

By the way, he has two firewalls with Fast Ethernet interfaces and two with Gigabit Ethernet interfaces.

Now the load is 1:1:1:1.

Can I give a load to a firewall path on the CSS?

Then, what command is it?

3 REPLIES
Cisco Employee

Re: weighted firewall loadbalancing

There is currently no way to give a weight to a firewall.

However, you could play with the static routes so that more routes point to the GigE firewalls.

You would do something like this:

ip route 0.0.0.0/0 firewall 1

ip route 0.0.0.0/0 firewall 2

ip route 0.0.0.0/0 firewall 3

ip route 0.0.0.0/0 firewall 4

ip route 128.0.0.0/1 firewall 1

ip route 128.0.0.0/1 firewall 2

This is just an example, but you can see that firewalls 1 and 2 will get all traffic to 128.0.0.0 - 255.255.255.255, and the traffic from 0.0.0.0 to 127.255.255.255 will be load-balanced over the 4 firewalls.

Gilles.

New Member

Re: weighted firewall loadbalancing

One more

If the CSS knows which firewall path the packets come from, then your method looks like no problem.

Internet ----- CSS_out--------four firewalls--------CSS_in------Servers(A.B.C.0/24)

CSS_out

ip route A.B.C.0/24 firewall 1

ip route A.B.C.0/24 firewall 2

ip route A.B.C.0/24 firewall 3

ip route A.B.C.0/24 firewall 4

ip route A.B.C.0/25 firewall 1

ip route A.B.C.0/25 firewall 2

CSS_in

ip route 0.0.0.0/0 firewall 1

ip route 0.0.0.0/0 firewall 2

ip route 0.0.0.0/0 firewall 3

ip route 0.0.0.0/0 firewall 4

ip route 128.0.0.0/1 firewall 1

ip route 128.0.0.0/1 firewall 2

How about this? Is it OK?

Even if the CSS knows the session flow information, it looks like there is a risk of problems.

Cisco Employee

Re: weighted firewall loadbalancing

This should be OK as well.

This method is not new.

Big ISPs used to do this in the past to do BGP load balancing (before the invention of BGP multipath).

I believe a lot of people are still using this method.

So, it should work for the CSS as well.

Gilles.
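
Added example (not part of the original thread and not Cisco code): a small calculator for the traffic share each firewall receives from overlapping static routes like the ones posted above. It assumes longest-prefix match, an even split across routes that share a prefix, and destinations spread uniformly over the address range; `firewall_shares` is a hypothetical helper name and 192.0.2.0/24 is a constructed stand-in for A.B.C.0/24.

```python
# Added example: traffic share per firewall implied by overlapping static routes.
# Assumptions (not from the thread): longest-prefix match, an even split across
# routes that share a prefix, destinations spread uniformly over the scope,
# and every route prefix lying inside the scope.
from collections import defaultdict
from fractions import Fraction
from ipaddress import collapse_addresses, ip_network


def firewall_shares(routes, scope):
    """routes: iterable of (prefix, firewall_index); scope: covering prefix."""
    scope = ip_network(scope)
    by_prefix = defaultdict(set)
    for prefix, fw in routes:
        by_prefix[ip_network(prefix)].add(fw)

    shares = defaultdict(Fraction)
    for net, fws in by_prefix.items():
        # Addresses inside `net` that a more specific route wins instead.
        inner = [o for o in by_prefix if o != net and o.subnet_of(net)]
        shadowed = sum(n.num_addresses for n in collapse_addresses(inner))
        owned = Fraction(net.num_addresses - shadowed, scope.num_addresses)
        for fw in fws:
            shares[fw] += owned / len(fws)
    return dict(shares)


# Route set from the first reply (firewalls 1 and 2 are the GigE ones).
DEFAULT_ROUTES = ([("0.0.0.0/0", fw) for fw in (1, 2, 3, 4)]
                  + [("128.0.0.0/1", fw) for fw in (1, 2)])

# CSS_out route set from the follow-up post, with 192.0.2.0/24 as a
# constructed stand-in for A.B.C.0/24.
CSS_OUT_ROUTES = ([("192.0.2.0/24", fw) for fw in (1, 2, 3, 4)]
                  + [("192.0.2.0/25", fw) for fw in (1, 2)])

if __name__ == "__main__":
    for name, routes, scope in (
        ("CSS_in / first reply", DEFAULT_ROUTES, "0.0.0.0/0"),
        ("CSS_out", CSS_OUT_ROUTES, "192.0.2.0/24"),
    ):
        print(name)
        for fw, share in sorted(firewall_shares(routes, scope).items()):
            print(f"  firewall {fw}: {share} ({float(share):.1%})")
```

Under those assumptions both route sets work out to 3/8 of the traffic for each of firewalls 1 and 2 and 1/8 for each of firewalls 3 and 4, a 3:3:1:1 weighting. Real destination distributions are not uniform, so measured load can differ.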
