Cisco Catalyst 6500 Series Configuration Note

Cisco Catalyst 6500 Series
212 pages
11-24
Catalyst 6500 Series Content Switching Module Configuration Note
OL-4612-01
Chapter 11 Configuring Firewall Load Balancing
Configuring Reverse-Sticky for Firewalls
The reverse-sticky feature creates a database of load-balancing decisions based on the client’s IP
address. This feature overrides the load-balancing decision when a reverse-sticky entry is available in
the database. If there is no reverse-sticky entry in the database, a load-balancing decision takes place,
and the result is stored for future matching.
Understanding Reverse-Sticky for Firewalls
Reverse-sticky provides a way of inserting entries into a sticky database as if the connection came from
the other direction. A virtual server with reverse-sticky places an entry into the specified database
containing the inbound real server.
Note: The inbound real server must be a real server within a server farm.
This entry is matched by a sticky command on a different virtual server. The other virtual server sends
traffic to the client, based on this pregenerated entry.
The CSM stores reverse-sticky information as links from a source IP key to a real server. When the load
balancer gets a new session on a virtual server with an assigned sticky database, it first checks the
database for an existing entry. If a matching entry is found, the session is connected to the specified real
server. Otherwise, a new entry is created linking the sticky key with the appropriate real server.
Figure 11-8 shows how the reverse-sticky feature is used for firewalls.
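The lookup described above, as an added Python model that is not Cisco code or CSM configuration. The firewall names, the IP addresses and the round-robin predictor are constructed, and the model assumes the second virtual server looks up the client's IP address, which is the destination of the traffic it sends.

```python
from itertools import cycle


class VServer:
    """Virtual server attached to a sticky database (a dict: IP key -> real server)."""

    def __init__(self, farm, sticky_db, reverse_sticky=False):
        self.farm = list(farm)
        self.sticky_db = sticky_db
        self.reverse_sticky = reverse_sticky
        # Assumption: round robin stands in for whatever predictor is configured.
        self._predictor = cycle(self.farm)

    def from_client(self, client_ip, inbound_real):
        """Session from a client that arrived through inbound_real (a firewall)."""
        if inbound_real not in self.farm:
            raise ValueError("inbound real server must be a real server in a server farm")
        if self.reverse_sticky:
            # Insert the entry as if the connection had come from the other direction.
            self.sticky_db[client_ip] = inbound_real

    def to_client(self, client_ip):
        """New session toward a client: check the database first, then load-balance."""
        real = self.sticky_db.get(client_ip)
        if real is None:
            real = next(self._predictor)       # load-balancing decision
            self.sticky_db[client_ip] = real   # stored for future matching
        return real


def demo():
    firewalls = ["FW-1", "FW-2", "FW-3"]        # constructed names
    db = {}                                     # one database shared by both virtual servers
    outside_vs = VServer(firewalls, db, reverse_sticky=True)
    inside_vs = VServer(firewalls, db)
    outside_vs.from_client("192.0.2.10", "FW-3")   # constructed client, came in via FW-3
    pinned = inside_vs.to_client("192.0.2.10")     # matches the pregenerated entry
    fresh = inside_vs.to_client("192.0.2.20")      # no entry: decision made and stored
    repeat = inside_vs.to_client("192.0.2.20")     # matches the stored entry
    return pinned, fresh, repeat


if __name__ == "__main__":
    print(demo())
```

In this model `pinned` is FW-3: the session toward the client leaves through the firewall that the client's own connection came in on.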
Command and Purpose

Step 14
Command: Switch-B(config-module-csm)# vserver SEC-200-VS
Purpose: Specifies SEC-200-VS [6] as the virtual server that is being configured and enters virtual server configuration mode.

Step 15
Command: Switch-B(config-slb-vserver)# virtual 200.0.0.0 255.255.255.0 any
Purpose: Specifies the IP address, netmask, and protocol (any) for this virtual server [2].

Step 16
Command: Switch-B(config-slb-vserver)# vlan 200
Purpose: Specifies that the virtual server will only accept traffic arriving on VLAN 200, which is traffic arriving from the internal network.

Step 17
Command: Switch-B(config-slb-vserver)# serverfarm SEC-SF
Purpose: Specifies the server farm for this virtual server [5].

Step 18
Command: Switch-B(config-slb-vserver)# inservice
Purpose: Enables the virtual server.

Table footnotes:
1. GENERIC-VS allows traffic from the internal server farms and the internal network that is destined for the Internet to reach the secure side of the firewalls (through VLAN 101).
2. Clients reach the server farm represented by this virtual server through this address.
3. The server farm exists in the internal server farms network.
4. SEC-20-VS allows traffic from the Internet to reach the internal server farms (through VLAN 20).
5. The server farm contains firewalls rather than real servers.
6. SEC-200-VS allows traffic from the Internet to reach the internal network (through VLAN 20).