Cisco Catalyst 2000 Configuration Handbook page 181

160 Cisco LAN Switching Configuration Handbook
Tip You must also define the probes separately, as described in section "10-3: SLB Probes." Ping probes are the most useful for firewall load balancing. For each firewall in the firewall farm, configure a probe to send ping packets that pass completely through the firewall, destined for the firewall load-balancing device on the other side. This tests both "inside" and "outside" interfaces of the firewall, requiring them to be active and operational so that the ping probe is reflected from the other side. Be sure that the firewall is configured to allow ICMP ping packets to pass through.

Allow load balancing to begin using the firewall:
(real-firewall) inservice
By default, the real firewall is not used by SLB unless it is placed in service. To remove a firewall from service, use no inservice.

c. (Optional) Define one or more flows that will be sent to the firewall farm:
(firewall-farm) access [source source-ip-address network-mask] [destination destination-ip-address network-mask]
When multiple firewall farms exist, traffic can be identified by address and sent through the appropriate firewall farm. A traffic flow is defined by its source and destination addresses and subnet masks. If either the source or destination keyword is omitted, it defaults to 0.0.0.0 with a mask of 0.0.0.0, signifying all addresses and networks. This is the default behavior.

d. (Optional) Choose a firewall load-balancing method:
(firewall-farm) predictor hash address [port]
By default, IOS SLB uses the source and destination IP addresses of a flow to select a destination firewall. Use the port keyword to include the source and destination TCP or UDP port numbers, in addition to the source and destination addresses, in the selection decision.

e. (Optional) Use stateful backup to recover from a failure:
(firewall-farm) replicate casa listening-ip remote-ip port-number [interval] [password [0|7] password [timeout]]
The redundant load-balancing devices use the CASA structure to exchange and replicate state information. This is sent from the listening-ip address (an interface on the local device) to the remote-ip address (an interface on the backup device), using port-number (1 to 65535). Replication messages are sent every interval seconds (1 to 300, default 10).
A password (text string; use 0 if unencrypted, the default, or 7 if encrypted) can be used for MD5 authentication with the backup device. The optional timeout (0 to 65,535 seconds; default 180 seconds) defines a time period during which the password can be migrated from an old value to a new one. During this time, both old and new passwords are accepted.
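The following is an added illustration, not text or code from the handbook, that models the farm-selection semantics described above: the access keyword defaults (0.0.0.0 with mask 0.0.0.0 matches everything), the fact that only firewalls placed inservice receive traffic, and the difference between hashing on addresses only versus addresses plus ports. The hash function and the first-match ordering across farms are stand-ins chosen for this example; Cisco's actual predictor algorithm is not documented on this page.

```python
import ipaddress
import zlib
from dataclasses import dataclass, field


def _in_net(addr: str, net: str, mask: str) -> bool:
    """True if addr falls within net/mask (Cisco-style dotted mask)."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(net))
    m = int(ipaddress.IPv4Address(mask))
    return (a & m) == (n & m)


@dataclass
class AccessRule:
    # Omitted source/destination keywords default to 0.0.0.0 mask 0.0.0.0,
    # which matches all addresses and networks.
    source: str = "0.0.0.0"
    source_mask: str = "0.0.0.0"
    destination: str = "0.0.0.0"
    destination_mask: str = "0.0.0.0"

    def matches(self, src: str, dst: str) -> bool:
        return (_in_net(src, self.source, self.source_mask)
                and _in_net(dst, self.destination, self.destination_mask))


@dataclass
class FirewallFarm:
    name: str
    reals: list            # real firewall addresses in the farm
    inservice: set         # only reals placed 'inservice' get traffic
    access: list = field(default_factory=lambda: [AccessRule()])
    hash_port: bool = False  # 'predictor hash address port' when True

    def accepts(self, src: str, dst: str) -> bool:
        return any(r.matches(src, dst) for r in self.access)

    def select(self, src: str, dst: str, sport: int = 0, dport: int = 0):
        """Pick a real firewall; address-only hashing keeps every flow between
        a host pair on the same firewall, which stateful firewalls require."""
        candidates = [r for r in self.reals if r in self.inservice]
        if not candidates:
            return None
        key = f"{src}|{dst}" + (f"|{sport}|{dport}" if self.hash_port else "")
        return candidates[zlib.crc32(key.encode()) % len(candidates)]  # stand-in hash


def choose_farm(farms: list, src: str, dst: str):
    """First farm whose access flows match (ordering is an assumption here)."""
    return next((f for f in farms if f.accepts(src, dst)), None)
```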
