11-3
Catalyst 6500 Series Content Switching Module Configuration Note
OL-4612-01
Chapter 11 Configuring Firewall Load Balancing
Understanding How Firewalls Work
Note: When you configure Layer 3 load balancing to firewalls, use source NAT in the forward direction and destination NAT in the reverse direction.
Types of Firewall Configurations
The CSM supports these two firewall configuration types:
• Dual-CSM configuration—Firewalls are located between two CSMs. The firewalls accept traffic from one CSM and send it to a second CSM for load balancing to servers or return to the requesting device.
• Single-CSM configuration—Firewalls accept traffic from a CSM and send it back to the same CSM for load balancing to servers, or they can return traffic to the requesting device.
IP Reverse-Sticky for Firewalls
The CSM currently supports sticky connections. Sticky connections ensure that two distinct data flows originating from the same client are load balanced to the same destination.
Load-balanced destinations are often real servers, but they may also be firewalls, caches, or other networking devices. Sticky connections are necessary for the proper functioning of load-balanced applications that use multiple connections from the same client to a server, because the information transferred on one connection may affect the processing of information transferred on another connection.
The IP reverse-sticky feature is configured to balance new connections from the same client to the same server, as described in the “Configuring Reverse-Sticky for Firewalls” section on page 11-24. This feature is especially important for buddy connections, such as an FTP data channel or a streaming UDP data channel.
CSM Firewall Configurations
The CSM can support these firewall configurations:
• Stealth firewalls for dual CSM configurations (Figure 11-1)
• Regular firewalls for dual CSM configurations (Figure 11-2)
• Regular firewalls for single CSM configurations (Figure 11-3)
• Mixed firewalls (stealth and regular) for dual CSM configurations (Figure 11-4)
In Figure 11-1, traffic moves through the firewalls and is filtered in both directions. The figure shows the flow from the Internet to the intranet. On the path to the intranet, CSM A balances traffic across VLANs 5, 6, and 7 through firewalls to CSM B. On the path to the Internet, CSM B balances traffic across VLANs 15, 16, and 17 through firewalls to CSM A. CSM A uses the VLAN aliases of CSM B in its server farm, and CSM B uses the VLAN aliases of CSM A in its server farm.
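As an added example, not configuration taken from this Cisco document, the following shows how CSM A in the Figure 11-1 dual-CSM stealth-firewall layout could be configured, together with the sticky group and reverse-sticky setting that the “IP Reverse-Sticky for Firewalls” section above describes. All addresses, subnet assignments, and the names FW-TO-INTRANET and TO-INTRANET are constructed. The command syntax follows my recollection of the CSM CLI and should be checked against the command reference; in particular, on which vserver `reverse-sticky` belongs and how the sticky group is keyed is an assumption to verify against the “Configuring Reverse-Sticky for Firewalls” section on page 11-24. Only CSM A is shown; CSM B mirrors it with VLANs 15, 16, and 17 and a server farm whose reals are CSM A's VLAN 5, 6, and 7 aliases.

```ios
! Added example: CSM A in the Figure 11-1 dual-CSM, stealth-firewall layout.
! Constructed addressing (not from the Cisco document):
!   VLAN 10 (client side) faces the Internet router at 192.0.2.1
!   VLANs 5, 6, 7 (server side) each lead through one bridging firewall
!   to CSM B, whose VLAN 15/16/17 aliases are 10.5.0.2, 10.6.0.2, 10.7.0.2
module ContentSwitchingModule 4
 vlan 10 client
  ip address 192.0.2.2 255.255.255.0
  gateway 192.0.2.1
 ! Because a stealth firewall bridges, each server VLAN shares its subnet
 ! with the matching VLAN on CSM B; the alias is the address that CSM B
 ! uses as a real in its own firewall server farm.
 vlan 5 server
  ip address 10.5.0.1 255.255.255.0
  alias 10.5.0.3 255.255.255.0
 vlan 6 server
  ip address 10.6.0.1 255.255.255.0
  alias 10.6.0.3 255.255.255.0
 vlan 7 server
  ip address 10.7.0.1 255.255.255.0
  alias 10.7.0.3 255.255.255.0
 ! Sticky group keyed on the full client address. The long timeout keeps
 ! buddy connections (FTP data channel, streaming UDP data channel) on the
 ! firewall that carried the control connection.
 sticky 10 netmask 255.255.255.255 timeout 1440
 ! Firewall farm: the reals are CSM B's VLAN aliases, one behind each
 ! firewall. "no nat server" leaves the packet's destination address
 ! untouched so the firewall filters on the real server address;
 ! "predictor hash address" chooses the firewall from the flow's addresses.
 serverfarm FW-TO-INTRANET
  no nat server
  predictor hash address
  real 10.5.0.2
   inservice
  real 10.6.0.2
   inservice
  real 10.7.0.2
   inservice
 ! Catch-all vserver: every flow entering from VLAN 10 is balanced across
 ! the firewalls. The placement of reverse-sticky here is an assumption;
 ! confirm it against "Configuring Reverse-Sticky for Firewalls" (page 11-24).
 vserver TO-INTRANET
  virtual 0.0.0.0 0.0.0.0 any
  vlan 10
  serverfarm FW-TO-INTRANET
  sticky 1440 group 10
  reverse-sticky 10
  inservice
```

The point to check after applying such a configuration is symmetry: a connection filtered by one firewall on the way in must return through the same firewall, or the stateful firewall will drop the reply. The address-hash predictor and the sticky group handle the main connection; the reverse-sticky setting is what extends that guarantee to buddy connections whose addresses or ports differ from the control connection.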