Page 316
Web OS 10.0 Application Guide
Chapter 13: Firewall Load Balancing
212777-A, February 2002
Basic FWLB
The basic FWLB method uses a combination of static routes and redirection filters to allow multiple active firewalls to operate in parallel. Figure 13-2 shows a basic FWLB topology:
Figure 13-2 Basic FWLB Topology
The firewalls being load balanced are in the middle of the network, separating the dirty side from the clean side. This configuration requires a minimum of two Web switches: one on the dirty side of the firewalls and one on the clean side.
A redirection filter on the dirty-side Web switch splits incoming client traffic into multiple streams. Each stream is routed through a different firewall. The valid client traffic in each stream is forwarded to a virtual server on the clean-side Web switch. The clean-side Web switch uses Server Load Balancing (SLB) settings to select a real server on the internal network for each incoming request. The same process is used for outbound server responses: a redirection filter on the clean-side Web switch splits the traffic, and static routes forward each stream through a different firewall and then back to the client.
Although other metrics can be used in some configurations (see ), the distribution of traffic within each stream is normally based on a mathematical hash of the IP source and destination addresses. This ensures that each client request and its related responses will use the same firewall (a feature known as persistence) and that the streams will be roughly equal in traffic load.
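The following is an added illustrative model of the hash-based stream selection described above; it is not the Web OS hash algorithm and the firewall names, addresses and flows are constructed. It shows why the hash must treat the source/destination pair as unordered: the clean-side switch sees the response with the addresses swapped, and only a direction-independent hash keeps request and response on the same firewall, while still spreading flows roughly evenly across the streams.

```python
import hashlib
import ipaddress
import random
from collections import Counter

# Constructed example: two firewalls, each reached over its own static route.
FIREWALLS = ["fw1", "fw2"]


def _pair_bytes(src: str, dst: str, ordered: bool) -> bytes:
    """Serialise the IP pair; when ordered=False the pair is sorted first so
    that (src, dst) and (dst, src) produce identical input to the hash."""
    a = int(ipaddress.ip_address(src))
    b = int(ipaddress.ip_address(dst))
    if not ordered:
        a, b = sorted((a, b))
    return a.to_bytes(16, "big") + b.to_bytes(16, "big")


def select_firewall(src: str, dst: str, firewalls=FIREWALLS) -> str:
    """Persistent selection: hash of the unordered address pair, modulo the
    number of firewalls (model of the persistence behaviour, not Web OS code)."""
    digest = hashlib.sha256(_pair_bytes(src, dst, ordered=False)).digest()
    return firewalls[int.from_bytes(digest[:4], "big") % len(firewalls)]


def select_firewall_naive(src: str, dst: str, firewalls=FIREWALLS) -> str:
    """Contrast case: hashing the pair in packet order, which breaks
    persistence because responses hash differently from requests."""
    digest = hashlib.sha256(_pair_bytes(src, dst, ordered=True)).digest()
    return firewalls[int.from_bytes(digest[:4], "big") % len(firewalls)]


def response_uses_same_firewall(src: str, dst: str, selector=select_firewall) -> bool:
    """True if the reply (dst -> src) lands on the firewall the request used."""
    return selector(src, dst) == selector(dst, src)


def stream_load(flows, selector=select_firewall) -> Counter:
    """Flows per firewall for a list of (src, dst) pairs; checks even spread."""
    return Counter(selector(s, d) for s, d in flows)


def constructed_flows(n: int = 2000, seed: int = 1):
    """Constructed sample: n random dirty-side clients, one clean-side VIP."""
    rng = random.Random(seed)
    vip = "192.0.2.10"  # constructed clean-side virtual server address
    return [(str(ipaddress.IPv4Address(rng.getrandbits(32))), vip) for _ in range(n)]
```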
Although basic firewall load-balancing techniques can support more firewalls as well as multiple switches on the clean and dirty sides for redundancy, the configuration complexity increases dramatically. The four-subnet FWLB solution is usually preferred in larger scale, high-availability topologies (see
[Figure 13-2 labels: Internet, "Dirty" Side of Network, Web Switch, Firewalls, Web Switch, "Clean" Side of Network, Internal Network]