Configuring the WSM using Device Manager

Basic FWLB implementation

In the figure below traffic is load-balanced among the available firewalls.

Figure 1: Basic FWLB implementation

The following steps describe the basic FWLB process in the figure above.

  1. The client requests data.
  2. The external clients intend to connect to services at the publicly-advertised IP address assigned to a virtual server on the private-side WSM.
  3. A redirection filter balances incoming requests among different IP addresses.
  4. When the client request arrives at the public-side WSM, a filter redirects it to a real server group that consists of a number of different IP addresses. This redirection filter splits the traffic into balanced streams: one for each IP address in the real server group. For FWLB, each IP address in the real server group represents an IP Interface (IF) on a different private-side WSM subnet.
  5. Requests are routed to the firewalls.
  6. On the public-side WSM, one static route is needed for each traffic stream. For instance, the first static route will lead to an IP interface on the private-side WSM using the first firewall as the next hop. A second static route will lead to a second private-side IP interface using the second firewall as the next hop, and so on. By combining the redirection filter and static routes, traffic is load balanced among all active firewalls.

    Note: More than one stream can be routed through a particular firewall. You can weight the load to favor one firewall by increasing the number of static routes that traverse it.

    All traffic between specific IP source/destination address pairs flows through the same firewall, ensuring that sessions established by the firewalls persist for their duration.
  7. The firewalls decide if they should allow the packets and, if so, forward them to a virtual server on the private-side WSM.
  8. Client requests are forwarded or discarded according to rules configured for each firewall.

    Note: Rules must be consistent across all firewalls.

  9. The private-side WSM performs normal SLB functions.
  10. Packets forwarded from the firewalls are sent to the original destination address, that is, the virtual server on the private-side WSM. There, they are load balanced to the real servers using standard SLB configuration.
  11. The real server responds to the client request.
  12. Redirection filters on the private-side WSM balance responses among different IP addresses.
  13. Redirection filters are needed on all ports on the private-side WSM that attach to real servers or internal clients on the private-side of the network. Filters on these ports redirect the Internet-bound traffic to a real server group that consists of a number of different IP addresses. Each IP address represents an IP interface on a different subnet on the public-side WSM.
  14. Outbound traffic is routed to the firewalls.
  15. Static routes are configured on the private-side WSM. One static route is needed for each stream that was configured on the public-side WSM. For instance, the first static route would be configured to lead to the first public-side IP interface using the first firewall as the next hop. The second static route would lead to the second public-side IP interface using the second firewall as the next hop, and so on. Since WSMs intelligently maintain state information, all traffic between specific IP source/destination addresses flows through the same firewall, maintaining session persistence.

    Note: If Network Address Translation (NAT) software is used on the firewalls, FWLB session persistence requires RTS to be enabled on the WSM. For more information, see Configuring basic FWLB with free-metric.

  16. The firewall decides if it should allow the packet and, if so, forwards it to the public-side WSM.
  17. Each firewall forwards or discards the server responses according to the rules that are configured for it. Forwarded packets are sent to the public-side WSM and out to the Internet.
  18. The client receives the server response.
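The following added example (not the WSM's own code or configuration) models steps 3 through 6 and 12 through 15: a redirection filter picks one stream per source/destination pair, a static route maps that stream's IP interface to a next-hop firewall, and the private-side WSM must make the same choice for the reversed pair so the response crosses the firewall that holds the session state. All addresses, firewall names and the hash used to pick the stream are constructed assumptions; the third route via fw1 shows the 2:1 weighting described in the note on static routes.

```python
import hashlib
import ipaddress
from collections import Counter

# Constructed topology (assumption, not from the page). Each real server group
# holds one IP interface per subnet on the opposite WSM, i.e. one per stream.
PUBLIC_SIDE_GROUP = ["192.168.1.1", "192.168.2.1", "192.168.3.1"]   # private-side IFs
PRIVATE_SIDE_GROUP = ["172.16.1.1", "172.16.2.1", "172.16.3.1"]     # public-side IFs
# Static routes: IP interface -> next-hop firewall. Stream i uses the same
# firewall on both WSMs; fw1 carries two streams, so it is weighted 2:1.
PUBLIC_SIDE_ROUTES = {"192.168.1.1": "fw1", "192.168.2.1": "fw2", "192.168.3.1": "fw1"}
PRIVATE_SIDE_ROUTES = {"172.16.1.1": "fw1", "172.16.2.1": "fw2", "172.16.3.1": "fw1"}


def stream_index(src: str, dst: str, streams: int, symmetric: bool = True) -> int:
    """Choose the stream for an IPv4 address pair (hash is an assumption).
    With symmetric=True the pair is sorted first, so (src, dst) and (dst, src)
    land on the same stream; symmetric=False shows what breaks without that."""
    ints = [int(ipaddress.IPv4Address(x)) for x in (src, dst)]
    a, b = sorted(ints) if symmetric else ints
    digest = hashlib.sha256(a.to_bytes(4, "big") + b.to_bytes(4, "big")).digest()
    return int.from_bytes(digest[:4], "big") % streams


def firewall_for(src, dst, group, routes, symmetric=True):
    """Redirection filter picks the IP interface, static route picks the firewall."""
    interface = group[stream_index(src, dst, len(group), symmetric)]
    return routes[interface]


def inbound_firewall(client, vip, symmetric=True):
    """Client request on the public-side WSM (steps 3 to 6)."""
    return firewall_for(client, vip, PUBLIC_SIDE_GROUP, PUBLIC_SIDE_ROUTES, symmetric)


def outbound_firewall(vip, client, symmetric=True):
    """Server response on the private-side WSM, source is the VIP (steps 12 to 15)."""
    return firewall_for(vip, client, PRIVATE_SIDE_GROUP, PRIVATE_SIDE_ROUTES, symmetric)


def persistence_holds(flows, symmetric=True):
    """True when every response crosses the firewall that saw the request."""
    return all(inbound_firewall(c, v, symmetric) == outbound_firewall(v, c, symmetric)
               for c, v in flows)


def firewall_share(flows):
    """How many inbound flows each firewall carries (expect roughly 2:1 here)."""
    return Counter(inbound_firewall(c, v) for c, v in flows)


if __name__ == "__main__":
    sample = [(f"203.0.113.{i}", "198.51.100.10") for i in range(1, 201)]  # constructed
    print(persistence_holds(sample), persistence_holds(sample, symmetric=False))
    print(firewall_share(sample))
```

A firewall that receives only one direction of a session has no state for it and drops the packets, which is why the two WSMs must agree on the stream for every address pair.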
