Firewall load balancing – Cabletron Systems SMARTSWITCH ROUTER 9032578-05 User Manual

Chapter 15: IP Policy-Based Forwarding Configuration Guide
SmartSwitch Router User Reference Manual
Packets from users defined in the “contractors” group are sent through a firewall. If the firewall cannot be reached, packets from the contractors group are dropped. Packets from users defined in the “full-timers” group do not have to go through the firewall.
The following is the IP policy configuration for the Policy Router in

interface create ip mls0 address-netmask 10.50.1.1/16 port et.1.1
acl contractors permit ip 10.50.1.0/24 any any any 0
acl full-timers permit ip 10.50.2.0/24 any any any 0
ip-policy access permit acl contractors next-hop-list 11.1.1.1 action policy-only
ip-policy access permit acl full-timers next-hop-list 12.1.1.1 action policy-first
ip-policy access apply interface mls0

Firewall Load Balancing
The next hop gateway can be selected by the following information in the IP packet: source IP, destination IP, or both the source and destination IP.
illustrates this configuration.
Figure 23. Selecting Next Hop Gateway from IP Packet Information
One session should always go to a particular firewall for persistence.
[Figure 23 diagram labels: Intranet, Internet, Policy Router 1, Policy Router 2, Firewalls 1-4; addresses 1.1.1.1-1.1.1.5 and 2.2.2.1-2.2.2.5; interfaces mls1, mls2; ports et.1.1-et.1.4]
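
The persistence requirement above, as an added Python illustration that is not part of the manual: it selects a firewall from the source IP, the destination IP, or both, and goes one step beyond the text by checking that the reply forwarded by Policy Router 2 crosses the same firewall as the request forwarded by Policy Router 1. The SHA-256 hash, the function names, the sample sessions and the side on which each Figure 23 address sits are assumptions made for the example, not the router's own algorithm.

```python
import hashlib
import ipaddress

# (intranet-side, Internet-side) addresses of firewalls 1-4, taken from the
# Figure 23 labels; which side each address sits on is an assumption.
FIREWALLS = [(f"1.1.1.{i}", f"2.2.2.{i}") for i in range(1, 5)]

def pick_index(src, dst, mode, n=len(FIREWALLS)):
    """Choose a firewall index from "src", "dst" or "both" packet addresses.

    SHA-256 modulo n is a stand-in hash, not the router's own algorithm.
    """
    s = ipaddress.ip_address(src).packed
    d = ipaddress.ip_address(dst).packed
    if mode == "src":
        key = s
    elif mode == "dst":
        key = d
    elif mode == "both":
        key = b"".join(sorted((s, d)))  # order-independent: both directions agree
    else:
        raise ValueError(f"unknown mode: {mode}")
    return int.from_bytes(hashlib.sha256(key).digest()[:4], "big") % n

def session_path(client, server, out_mode, back_mode):
    """Next hops for the request (Policy Router 1) and the reply (Policy Router 2)."""
    out_idx = pick_index(client, server, out_mode)
    back_idx = pick_index(server, client, back_mode)  # the reply swaps src and dst
    return FIREWALLS[out_idx][0], FIREWALLS[back_idx][1], out_idx == back_idx

def asymmetric_sessions(sessions, out_mode, back_mode):
    """Sessions whose reply would cross a different firewall than the request."""
    return [s for s in sessions if not session_path(*s, out_mode, back_mode)[2]]

# Constructed sample: contractor hosts (10.50.1.0/24) to documentation-range servers.
SESSIONS = [(f"10.50.1.{h}", f"198.51.100.{h % 7 + 1}") for h in range(1, 41)]

if __name__ == "__main__":
    for out_mode, back_mode in [("src", "dst"), ("both", "both"), ("src", "src")]:
        bad = asymmetric_sessions(SESSIONS, out_mode, back_mode)
        print(f"router1={out_mode:4} router2={back_mode:4} "
              f"split sessions: {len(bad)}/{len(SESSIONS)}")
```

Pairing source-IP selection on one router with destination-IP selection on the other, or using both addresses on each, keeps every sample session on one firewall; selecting by source IP on both routers splits sessions across firewalls, which a stateful firewall would see as half-open flows.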