
List:       loadbalancing-l
Subject:    RE: [load balancing] How to load balance firewalls
From:       "Kleberg, Jason" <JKleberg () glhec ! org>
Date:       2004-03-19 16:53:37
Message-ID: CB6DA133641E454BA31402EA6DC450EC04828CD2 () glsxchma4 ! glhec ! org

The reason I stated it was sloppy is because we could not contain the mcast
traffic to only the ports needed.  As I stated earlier, our config is not
typical, having 2 Passport 8600's utilizing VRRP and wanting to plug one
firewall into each using the StoneBeat mcast solution.  We have a test lab
trying every solution, so far unsuccessfully if we want to stop the blasting
of traffic.  If I had one switch with 2 firewalls, I could easily filter it
off.  We are seriously looking for a simpler solution, hopefully using an
active/standby presence.  We will not be using both firewalls at the same
time, but it will be much cleaner and easier to troubleshoot.

 

  _____  

From: Julio Arruda [mailto:jarruda@nortelnetworks.com] 
Sent: Thursday, March 18, 2004 4:04 PM
To: lb-l@vegan.net
Subject: RE: [load balancing] How to load balance firewalls

 

 

I'm biased :-), but I would think these "Software" LB options with the
multicast trick (StoneBeat seems to be the pioneer on that?) have one
basic flaw: they force all the machines in the cluster to at least receive
ALL the packets being load balanced, and at least a lookup at
source/destination (to do a hash) needs to be done on these packets to see if
the packet is "mine" or "to be processed by my peer"..

I've no clue if going all the way to the device drivers and IP stacks is
that much of a burden for traffic that I won't bother to process anyway... maybe
even this is the reason Jason said this solution was too sloppy?

 

 

-----Original Message-----
From: Ritesh Rekhi [mailto:rrekhi@foundrynet.com] 
Sent: Thursday, March 18, 2004 3:42 PM
To: lb-l@vegan.net
Subject: RE: [load balancing] How to load balance firewalls

Yeah, you are right, VRRP and HSRP don't make the destination traffic be
sent to a multicast layer 2 address. We were discussing whether there is a
technology out there which doesn't adhere to standards, and there is another
technology which lots of hardware vendors support for doing FWLB (firewall
load balancing) which is the best option.

 

I think people can decide for themselves when you show them all the facts out
there.

 

Thanks all

-----Original Message-----
From: owner-lb-l@vegan.net [mailto:owner-lb-l@vegan.net]On Behalf Of Julio
Arruda
Sent: Thursday, March 18, 2004 8:04 AM
To: lb-l@vegan.net
Subject: RE: [load balancing] How to load balance firewalls

Uninformed guess here...

 

VRRP and HSRP don't make the "destination" traffic be sent to a multicast
layer 2 address (while being unicast at layer 3).

They use multicast for hello protocols etc., that is it..

What I remember is, the multicast layer 2 with unicast layer 3 (the trick
used here, and also in MS NLB or whatever they call it now) was against one
RFC, that said the ARP response should not have a multicast or broadcast
address in the hardware address field in the ARP fields... I just can't
remember which one..

But......

Doesn't matter if it is against the RFC, it is a checklist item with the
customers I've dealt with; you need to support it even if it hurts :-)

(BTW, your idea about "isolate the flooding to a VLAN only with the HA
cluster" is even suggested in some MS documentation, so it seems to be a common
practice; I've used it at least once at a customer with CP FW-1 LB)

-----Original Message-----
From: hdn@goldmedal.co.uk [mailto:hdn@goldmedal.co.uk] 
Sent: Thursday, March 18, 2004 9:51 AM
To: lb-l@vegan.net
Subject: RE: [load balancing] How to load balance firewalls

Yes, I believe you are correct. Multicast forwarding is usually enabled by
default on most Layer 2 switches but can easily be disabled on a port by
port basis if required. In my experience, most redundant L3 devices such as
routers and firewalls are using multicast anyway in configs such as HSRP or
VRRP, so in all likelihood this flooding already exists. This can also
easily be avoided by having dedicated networks connecting your firewalls to
your LAN using multilayer switches in the network core, and using VLANs on
your load-balancer within the DMZ to connect to the firewall. A separate
VLAN can be implemented, logically placing your real servers behind the
load-balancer to protect them, and also allowing preservation of client IPs.

 

Watching the evolution of Content Delivery Networking generally over the
last 5 years or so, there doesn't really appear to be anything that is
entirely new. Most methods just take the existing TCP/IP, Ethernet and DNS
standards that already exist (to name a few) and manipulate them in some
way, or perhaps bend the rules slightly to achieve the aims. Some of the
newer products available today present the user with a nice point and click
GUI. This allows him lots of ways of achieving intelligent load balancing
without being aware of, or even having to understand, that it is all down to
fundamental networking. This may be seen as a good thing by some people, as
it opens up the world of content delivery to a wider audience. I would be
inclined to point out though that it may be lowering the technical standard
at which some networking specialists are employed. I have even found myself
in a situation with a vendor, having to explain to them how their own
product works (monkey see, monkey do is fine until things do not work :) ).
This is obviously not a good selling point, especially when I only consider
myself a beginner/intermediate in networking skills (CCNA).

 


  _____  


From: Ritesh Rekhi [mailto:rrekhi@foundrynet.com] 
Sent: 18 March 04 03:05
To: lb-l@vegan.net
Subject: RE: [load balancing] How to load balance firewalls

One problem which I generally find in all the HA/LB software solutions is
that they use a multicast MAC address for a unicast IP address. Isn't it
against the TCP/IP standards?

Let me explain in detail:

Say a server is connected to a switch which has an HA/LB software solution.
Now this server is going to ARP for its default gateway. So far so good.
Generally in all cases you expect a response with a unicast MAC address so
that the server can send packets to its default gateway MAC. But in a clustering
environment the MAC address will be a multicast MAC address, so when the
packets go from the server to the client they will be flooded on all the ports
of the switch where the server is connected (if it is not multicast aware).

I just want to get a feel for whether my understanding is correct and whether this
is a part of the TCP/IP standards.
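The mechanism in the question above, as an added example (my own code, not from anyone on the list and not any vendor's implementation): a constructed ARP reply that answers a unicast gateway IP with a group MAC, a check that flags it (the I/G bit in the first octet), and a toy non-multicast-aware switch that floods every frame sent to that MAC. All MAC and IP values are constructed samples.

```python
import struct
from ipaddress import IPv4Address

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2

# Constructed sample addresses (not taken from any real cluster product).
SERVER_MAC = bytes.fromhex("0000aa000050")
FW1_MAC = bytes.fromhex("0000bb000001")
# First octet 0x03 has the I/G bit set: a group (multicast) address of the
# kind a cluster hands out as the MAC of the shared gateway IP.
CLUSTER_MAC = bytes.fromhex("030000000001")
GATEWAY_IP, SERVER_IP = "10.0.0.1", "10.0.0.50"


def mac_to_str(mac: bytes) -> str:
    return ":".join(f"{b:02x}" for b in mac)


def is_group_mac(mac: bytes) -> bool:
    """Bit 0 of the first octet is the I/G bit: 1 means multicast or broadcast."""
    return bool(mac[0] & 0x01)


def build_arp_reply(sha: bytes, spa: str, tha: bytes, tpa: str) -> bytes:
    """Ethernet II frame carrying an RFC 826 ARP reply (constructed sample)."""
    eth_hdr = tha + sha + struct.pack("!H", ETH_P_ARP)
    arp_hdr = struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REPLY)
    return eth_hdr + arp_hdr + sha + IPv4Address(spa).packed + tha + IPv4Address(tpa).packed


def parse_arp(frame: bytes) -> dict:
    """Minimal Ethernet + ARP parser for IPv4 over Ethernet."""
    if len(frame) < 42:
        raise ValueError("frame too short for Ethernet + ARP")
    if struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        raise ValueError("not an ARP frame")
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("unsupported ARP hardware/protocol type")
    return {
        "op": op,
        "sha": frame[22:28], "spa": str(IPv4Address(frame[28:32])),
        "tha": frame[32:38], "tpa": str(IPv4Address(frame[38:42])),
    }


def audit_arp_reply(frame: bytes) -> dict:
    """Flag an ARP reply that answers a unicast IP with a group MAC."""
    arp = parse_arp(frame)
    sender_ip = IPv4Address(arp["spa"])
    suspicious = (arp["op"] == ARP_REPLY
                  and is_group_mac(arp["sha"])
                  and not sender_ip.is_multicast)
    return {"ip": arp["spa"], "mac": mac_to_str(arp["sha"]),
            "group_mac_for_unicast_ip": suspicious}


class PlainSwitch:
    """Layer 2 switch with no IGMP snooping and no static multicast filters."""

    def __init__(self, ports):
        self.ports = frozenset(ports)
        self.cam = {}  # learned unicast MAC -> port

    def learn(self, src_mac: bytes, port: int) -> None:
        if not is_group_mac(src_mac):  # group addresses are never learned
            self.cam[src_mac] = port

    def egress_ports(self, dst_mac: bytes, in_port: int) -> frozenset:
        if is_group_mac(dst_mac) or dst_mac not in self.cam:
            return self.ports - {in_port}  # flood to every other port
        return frozenset({self.cam[dst_mac]})


def server_to_gateway_egress(gateway_mac: bytes) -> frozenset:
    """Ports that receive a frame the server sends to its default gateway MAC.

    Server on port 1, firewalls on ports 2 and 3, unrelated hosts on 4..8.
    """
    sw = PlainSwitch(range(1, 9))
    sw.learn(SERVER_MAC, 1)
    sw.learn(FW1_MAC, 2)      # fw1's own frames carry its real MAC, so it is learned
    sw.learn(CLUSTER_MAC, 2)  # ignored: a group address never enters the CAM
    return sw.egress_ports(gateway_mac, in_port=1)
```

With the group MAC every port except the server's gets the frame, which is the flooding the question describes; with an ordinary unicast gateway MAC only the learned port does.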

 

 

-----Original Message-----
From: owner-lb-l@vegan.net [mailto:owner-lb-l@vegan.net]On Behalf Of
hdn@goldmedal.co.uk
Sent: Friday, March 12, 2004 8:09 AM
To: lb-l@vegan.net
Subject: RE: [load balancing] How to load balance firewalls

Are you running the Checkpoint on Nokia appliances?

 

Nokia IPSO has built-in load balancing (from IPSO 3.6 onwards I think) that
runs almost outside the CP software. We have some 6 Cisco LB devices on site
and some Radware appliances, and I was reluctant to take the "IPSO
Clustering" seriously at first but have just returned from the new Nokia
Security Administrators 2 course. I played with it a bit in the lab and was
impressed. I was surprised to find that it is not well known about, or
implemented often, even though Active/Active clustering was patented by
Nokia (a slide of this is displayed in the course) and is being incorporated
as the Active/Active method in some of the newer content delivery
appliances.  Although limited in functionality, an even 50/50 spread was
achieved on both firewalls and up to 5 can be included, all active in a
cluster. A source IP "bucket" scheme is used to distribute responsibility
across each appliance and a shared virtual MAC exists for each interface on
each firewall for each subnet/DMZ. There is no requirement for inside and
outside appliances and Asynchronous routing is avoided in every scenario
including VPN traffic.

 

Keepalives are handled using multicast traffic, and in IPSO ver 3.7 with NG
AI for the firewall, this traffic can be removed from the network and
distributed across your existing dedicated State Table Sync link. A little
bit of tweaking would be required for spanning tree I guess, but the firewall
config is a 2 minute point and click exercise. Another benefit is that once
clustered, all management and upgrade work is carried out once in cVoyager
and is distributed to all appliances, and if necessary they are rebooted one
at a time with no effort at all or down time.

 

 

Best of all, IT'S FREE!!!
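The source IP "bucket" scheme described just above and Julio's "receive everything, hash, keep what is mine" point earlier in the thread are the same mechanism. This added example is my own simulation of it, not Nokia's, StoneBeat's or anyone else's code: every node behind the shared group/virtual MAC sees every frame, hashes the source IP into one of 256 buckets, and processes only the buckets it owns; the per-node counters make the cost visible. Bucket count, hash choice, node names and the client addresses are all constructed assumptions.

```python
import random
import zlib
from ipaddress import IPv4Address

NUM_BUCKETS = 256  # assumed; any agreed bucket count works


def bucket_of(src_ip: str) -> int:
    """Hash the source IP into a bucket; every node must compute this identically."""
    return zlib.crc32(IPv4Address(src_ip).packed) % NUM_BUCKETS


def assign_buckets(members) -> dict:
    """Bucket -> owning node, derived deterministically from the member list so
    each node arrives at the same ownership map after a join or a failure."""
    ordered = sorted(members)
    return {b: ordered[b % len(ordered)] for b in range(NUM_BUCKETS)}


class ClusterNode:
    def __init__(self, name: str, members):
        self.name = name
        self.owned = {b for b, owner in assign_buckets(members).items() if owner == name}
        self.received = 0   # frames the NIC, driver and IP stack had to look at
        self.processed = 0  # frames this node actually owned

    def on_frame(self, src_ip: str) -> bool:
        self.received += 1
        if bucket_of(src_ip) in self.owned:
            self.processed += 1
            return True
        return False


def run_cluster(members, flows) -> dict:
    """Deliver every frame to every node (shared group MAC) and report
    (received, processed) per node; exactly one node must own each frame."""
    nodes = [ClusterNode(m, members) for m in members]
    for src_ip in flows:
        owners = [n.name for n in nodes if n.on_frame(src_ip)]
        if len(owners) != 1:
            raise RuntimeError(f"{src_ip} handled by {owners}, expected exactly one node")
    return {n.name: (n.received, n.processed) for n in nodes}


def sample_flows(count: int = 1000, seed: int = 1) -> list:
    """Constructed client source addresses drawn from the TEST-NET ranges."""
    rng = random.Random(seed)
    nets = ("198.51.100", "203.0.113")
    return [f"{rng.choice(nets)}.{rng.randint(1, 254)}" for _ in range(count)]
```

Running `run_cluster(["fw1", "fw2"], sample_flows())` shows each node receiving all 1000 frames while the processed counts add up to 1000; dropping a member from the list moves its buckets to the survivors with no per-flow state exchanged.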

 


  _____  


From: Kleberg, Jason [mailto:JKleberg@glhec.org] 
Sent: 13 February 04 15:20
To: lb-l@vegan.net
Subject: [load balancing] How to load balance firewalls


Hello, I have a few questions concerning load balancing fw's and I hope you
guys can help :-).  We have a pair of checkpoint fw-1's at a site utilizing
their built in HA module called stonebeat full cluster.  To keep this short
it is very sloppy.  From my understanding F5/alteon and Cisco can all LB
fw's.  Has anyone done it with ultra monkey?  Are there any guides on load
balancing firewalls?  Are there any serious drawbacks? I would like to have
a solution where both firewalls are active.  Here is a sample topology:

 

 

 

    Internet
 /              \
Rtr1---------rtr2
|                |
|                |
Fw1---------Fw2
|               |
|               |
Sw1---------sw2
|               |
|               |
LAN and servers

 


[Attachment #3 (text/html)]

<html xmlns:v="urn:schemas-microsoft-com:vml" \
xmlns:o="urn:schemas-microsoft-com:office:office" \
xmlns:w="urn:schemas-microsoft-com:office:word" \
xmlns:st1="urn:schemas-microsoft-com:office:smarttags" \
xmlns="http://www.w3.org/TR/REC-html40">

<head>
<DEFANGED_META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=us-ascii">


<DEFANGED_meta name=Generator content="Microsoft Word 11 (filtered medium)">
<!--[if !mso]>
 <!-- <DEFANGED_STYLE>
v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
 --> </DEFANGED_STYLE>
<![endif]-->
<title>Message</title>
<o:SmartTagType namespaceuri="urn:schemas-microsoft-com:office:smarttags"
 name="PersonName"/>
<!--[if !mso]>
 <!-- <DEFANGED_STYLE>
st1\:*{behavior:url(#default#ieooui) }
 --> </DEFANGED_STYLE>
<![endif]-->
 <!-- <DEFANGED_STYLE>
<!--
 /* Font Definitions */
 @font-face
	{font-family:Wingdings;
	panose-1:5 0 0 0 0 0 0 0 0 0;}
@font-face
	{font-family:Tahoma;
	panose-1:2 11 6 4 3 5 4 4 2 4;}
 /* Style Definitions */
 p.MsoNormal, li.MsoNormal, div.MsoNormal
	{margin:0in;
	margin-bottom:.0001pt;
	font-size:12.0pt;
	font-family:"Times New Roman";}
a:link, span.MsoHyperlink
	{color:blue;
	text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
	{color:purple;
	text-decoration:underline;}
span.EmailStyle17
	{mso-style-type:personal-reply;
	font-family:Arial;
	color:navy;}
@page Section1
	{size:8.5in 11.0in;
	margin:1.0in 1.25in 1.0in 1.25in;}
div.Section1
	{page:Section1;}
-->
 --> </DEFANGED_STYLE>
<DEFANGED_META HTTP-EQUIV="Content-Type" CONTENT="text/html; \
charset=us-ascii"><DEFANGED_META HTTP-EQUIV="Content-Type"  CONTENT="text/html; \
charset=us-ascii"><DEFANGED_META name="Generator"  content="Microsoft Word 11 \
(filtered medium)"><!-- <DEFANGED_STYLE> <!--
 /* Font Definitions */
 @font-face
	{font-family:Wingdings;
	panose-1:5 0 0 0 0 0 0 0 0 0;}
 /* Style Definitions */
 p.MsoNormal, li.MsoNormal, div.MsoNormal
	{margin:0in;
	margin-bottom:.0001pt;
	font-size:12.0pt;
	font-family:"Times New Roman";}
a:link, span.MsoHyperlink
	{color:blue;
	text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
	{color:purple;
	text-decoration:underline;}
span.EmailStyle17
	{mso-style-type:personal-compose;
	font-family:Arial;
	color:windowtext;}
@page Section1
	{size:8.5in 11.0in;
	margin:1.0in 1.25in 1.0in 1.25in;}
div.Section1
	{page:Section1;}
--><DEFANGED_META content="MSHTML 6.00.2800.1400" name=GENERATOR>
</head>

<body lang=EN-US link=blue vlink=purple>

<div class=Section1>

<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'>The reason I stated it was sloppy is
because we could not contain the mcast traffic to only the ports needed.&nbsp; As I \
stated earlier, our config is not typical, having 2 passport 8600&#8217;s utilizing
vrrp and wanting to plug one firewall into each using the stonebeat mcast
solution.&nbsp; We have a test lab trying every solution, so far unsuccessful if we
want to stop the blasting of traffic.&nbsp; If I had one switch with 2 firewalls, I \
could easily filter off.&nbsp; We are seriously looking for a simpler solution \
hopefully using a active/standby presence.&nbsp; We will not be using both firewalls \
at the same time but it will be much cleaner and easier to troubleshoot.&nbsp; \
<o:p></o:p></span></font></p>

<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'><o:p>&nbsp;</o:p></span></font></p>

<div>

<div class=MsoNormal align=center DEFANGED_STYLE='text-align:center'><font size=3
face="Times New Roman"><span DEFANGED_STYLE='font-size:12.0pt'>

<hr size=2 width="100%" align=center tabindex=-1>

</span></font></div>

<p class=MsoNormal><b><font size=2 face=Tahoma><span style='font-size:10.0pt;
font-family:Tahoma;font-weight:bold'>From:</span></font></b><font size=2
face=Tahoma><span DEFANGED_STYLE='font-size:10.0pt;font-family:Tahoma'> Julio Arruda
[mailto:jarruda@nortelnetworks.com] <br>
<b><span DEFANGED_STYLE='font-weight:bold'>Sent:</span></b> Thursday, March 18, 2004
4:04 PM<br>
<b><span DEFANGED_STYLE='font-weight:bold'>To:</span></b> <st1:PersonName \
w:st="on">lb-l@vegan.net</st1:PersonName><br> <b><span \
DEFANGED_STYLE='font-weight:bold'>Subject:</span></b> RE: [load balancing] How to \
load balance firewalls</span></font><o:p></o:p></p>

</div>

<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'><o:p>&nbsp;</o:p></span></font></p>

<div>

<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'>&nbsp;<o:p></o:p></span></font></p>

</div>

<div>

<p class=MsoNormal><font size=2 color=blue face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:blue'>I'm biased :-), but I would think these
&quot;Software&quot; LB options with the multicast trick (stonebeat seems to be
the pioneer on that ?), have one basic flaw, they force all the machines in the
cluster to at least receive ALL the packets being load balanced, and at least a
lookup at source/destination (to do a hash) need to be done in these packets to
see if the packet is &quot;mine&quot; or &quot;to be processed by my
peer&quot;..</span></font><o:p></o:p></p>

</div>

<div>

<p class=MsoNormal><font size=2 color=blue face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:blue'>I've no clue if going all the way to the
device drivers and IP stacks is that much of a burden to traffic that I won't
bother process anyway, ..maybe even this is the reason Jason said this
solution&nbsp;&nbsp;was too sloppy ?</span></font><o:p></o:p></p>

</div>

<div>

<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'>&nbsp;<o:p></o:p></span></font></p>

</div>

<div>

<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'>&nbsp;<o:p></o:p></span></font></p>

</div>

<blockquote DEFANGED_STYLE='border:none;border-left:solid blue 1.5pt;padding:0in 0in \
0in 4.0pt; margin-left:4.2pt;margin-top:5.0pt;margin-right:0in;margin-bottom:5.0pt'>

<p class=MsoNormal DEFANGED_STYLE='margin-bottom:12.0pt'><font size=2 \
face=Tahoma><span style='font-size:10.0pt;font-family:Tahoma'>-----Original \
Message-----<br> <b><span DEFANGED_STYLE='font-weight:bold'>From:</span></b> Ritesh \
Rekhi [mailto:rrekhi@foundrynet.com] <br>
<b><span DEFANGED_STYLE='font-weight:bold'>Sent:</span></b> Thursday, March 18, 2004
3:42 PM<br>
<b><span DEFANGED_STYLE='font-weight:bold'>To:</span></b> <st1:PersonName \
w:st="on">lb-l@vegan.net</st1:PersonName><br> <b><span \
DEFANGED_STYLE='font-weight:bold'>Subject:</span></b> RE: [load balancing] How to \
load balance firewalls</span></font><o:p></o:p></p>

<div>

<p class=MsoNormal><font size=2 color=blue face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:blue'>yeah you are right VRRP and HSRP don't
make the destination traffic to be sent to a multicast layer 2 address.We were
discussing if there is a technology out there which doesn't adhere to standards
and there is another technology which lots of hardware vendors support for
doing FWLB (firewall load balancing)&nbsp;which is the best \
option.</span></font><o:p></o:p></p>

</div>

<div>

<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'>&nbsp;<o:p></o:p></span></font></p>

</div>

<div>

<p class=MsoNormal><font size=2 color=blue face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:blue'>I think people can themselves decide when
you show them all the facts out there</span></font><o:p></o:p></p>

</div>

<div>

<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'>&nbsp;<o:p></o:p></span></font></p>

</div>

<div>

<p class=MsoNormal><font size=2 color=blue face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:blue'>Thanks all</span></font><o:p></o:p></p>

</div>

<blockquote DEFANGED_STYLE='margin-top:5.0pt;margin-bottom:5.0pt'
DEFANGED_STYLE="MARGIN-RIGHT: 0px">

<p class=MsoNormal DEFANGED_STYLE='margin-bottom:12.0pt'><font size=2 \
face=Tahoma><span style='font-size:10.0pt;font-family:Tahoma'>-----Original \
Message-----<br> <b><span DEFANGED_STYLE='font-weight:bold'>From:</span></b> \
owner-<st1:PersonName w:st="on">lb-l@vegan.net</st1:PersonName> \
[mailto:owner-<st1:PersonName w:st="on">lb-l@vegan.net</st1:PersonName>]<b><span \
style='font-weight:bold'>On Behalf Of </span></b>Julio Arruda<br> <b><span \
DEFANGED_STYLE='font-weight:bold'>Sent:</span></b> Thursday, March 18, 2004 8:04 \
AM<br> <b><span DEFANGED_STYLE='font-weight:bold'>To:</span></b> <st1:PersonName \
w:st="on">lb-l@vegan.net</st1:PersonName><br> <b><span \
DEFANGED_STYLE='font-weight:bold'>Subject:</span></b> RE: [load balancing] How to \
load balance firewalls</span></font><o:p></o:p></p>

<div>

<p class=MsoNormal><font size=2 color=blue face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:blue'>Uninformed guess \
here...</span></font><o:p></o:p></p>

</div>

<div>

<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'>&nbsp;<o:p></o:p></span></font></p>

</div>

<div>

<p class=MsoNormal><font size=2 color=blue face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:blue'>VRRP and HSRP don't make the
&quot;destination&quot; traffic be sent to a multicast layer 2 (while being a
Unicast layer 3).</span></font><o:p></o:p></p>

</div>

<div>

<p class=MsoNormal><font size=2 color=blue face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:blue'>They use multicast for hello protocols and
etc, that is it..</span></font><o:p></o:p></p>

</div>

<div>

<p class=MsoNormal><font size=2 color=blue face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:blue'>What I remember is, the multicast layer 2
with unicast layer 3 (the trick used here, and also in MS NLB or whatever they
call it now), was against one RFC, that said the ARP response should not have a
multicast or broadcast address in the hardware address field in the ARP
fields...I just can't remember which one..</span></font><o:p></o:p></p>

</div>

<div>

<p class=MsoNormal><font size=2 color=blue face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:blue'>But......</span></font><o:p></o:p></p>

</div>

<div>

<p class=MsoNormal><font size=2 color=blue face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:blue'>Doesn't matter if is against the RFC, it
is a checklist item in the customers I've dealt with, you need to support it
even if it hurts :-)</span></font><o:p></o:p></p>

</div>

<div>

<p class=MsoNormal><font size=2 color=blue face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:blue'>(BTW, your idea about&nbsp; &quot;isolate
the flooding to a vlan only with the HA cluster&quot; is even suggested in some
MS documentation, so seems to be a common pratice, I've used at least once in a
customer with CP FW-1 LB)</span></font><o:p></o:p></p>

</div>

<blockquote DEFANGED_STYLE='border:none;border-left:solid blue 1.5pt;padding:0in 0in \
0in 4.0pt; margin-left:4.2pt;margin-top:5.0pt;margin-right:0in;margin-bottom:5.0pt'>

<p class=MsoNormal DEFANGED_STYLE='margin-bottom:12.0pt'><font size=2 \
face=Tahoma><span style='font-size:10.0pt;font-family:Tahoma'>-----Original \
Message-----<br> <b><span DEFANGED_STYLE='font-weight:bold'>From:</span></b> \
hdn@goldmedal.co.uk [mailto:hdn@goldmedal.co.uk] <br>
<b><span DEFANGED_STYLE='font-weight:bold'>Sent:</span></b> Thursday, March 18, 2004
9:51 AM<br>
<b><span DEFANGED_STYLE='font-weight:bold'>To:</span></b> <st1:PersonName \
w:st="on">lb-l@vegan.net</st1:PersonName><br> <b><span \
DEFANGED_STYLE='font-weight:bold'>Subject:</span></b> RE: [load balancing] How to \
load balance firewalls</span></font><o:p></o:p></p>

<p class=MsoNormal><font size=2 color=blue face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:blue'>Yes, I believe you are correct. Multicast
forwarding is usually enabled by default on most Layer 2 switches but can
easily be disabled on a port by port basis if required. In my experience, most
redundant L3 devices such as Routers and firewalls are using multicast anyway
in configs such as HSRP or VRRP, so in all likelyhood this flooding already
exists. This can also easily be avoided by having dedicated networks connecting
your firewalls to your LAN using multilayer switches in the network core, and
using a VLANs on your load-balancer within the DMZ to connect to the
firewall.&nbsp;A seperate VLAN can be implemented, logically placing your real
servers behind the load-balancer to protect them, and also allowing
preservation of client IPs.</span></font><o:p></o:p></p>

<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'>&nbsp;<o:p></o:p></span></font></p>

<p class=MsoNormal><font size=2 color=blue face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:blue'>Watching the evolution of Content Delivery
Networking generally over the last 5 years or so, there doesnt really appear to
be anything that is entirely new. Most methods just take the existing tcp/ip,
ethernet and DNS&nbsp;standards that already exist (to name a few) and
manipulate them in some way, or perhaps bend the rules slightly to achieve the
aims. Some of the newer products available&nbsp;today present the user with a
nice point and click GUI. This allows him lots of ways of achieving inteligent
load balancing without being aware or even having to understand that it is all
down to fundamental networking. This may be seen as a good thing to some
people, as it opens up the world of content delivery to a wider audience. I
would be inclined to point out though that it may be lowering the technical
standard at which some networking specialists are employed .&nbsp;I have even
found myself in a situation with a vendor, having to explain to them how their
own product works (monkey see, monkey do is fine until things do not work:) ).
This is obviously not a good selling point, especially&nbsp;when I only
consider myself a beginner/intermediate in networking \
skills(CCNA).</span></font><o:p></o:p></p>

<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'><o:p>&nbsp;</o:p></span></font></p>

<div class=MsoNormal align=center DEFANGED_STYLE='text-align:center'><font size=3
face="Times New Roman"><span DEFANGED_STYLE='font-size:12.0pt'>

<hr size=2 width="100%" align=center tabIndex=-1>

</span></font></div>

<p class=MsoNormal DEFANGED_STYLE='margin-bottom:12.0pt'><b><font size=2 \
face=Tahoma><span style='font-size:10.0pt;font-family:Tahoma;font-weight:bold'>From:</span></font></b><font
 size=2 face=Tahoma><span style='font-size:10.0pt;font-family:Tahoma'> Ritesh
Rekhi [mailto:rrekhi@foundrynet.com] <br>
<b><span DEFANGED_STYLE='font-weight:bold'>Sent:</span></b> 18 March 04 03:05<br>
<b><span DEFANGED_STYLE='font-weight:bold'>To:</span></b> <st1:PersonName \
w:st="on">lb-l@vegan.net</st1:PersonName><br> <b><span \
DEFANGED_STYLE='font-weight:bold'>Subject:</span></b> RE: [load balancing] How to \
load balance firewalls</span></font><o:p></o:p></p>

<div>

<p class=MsoNormal><font size=2 color=blue face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:blue'>One problem which I generally find in all
the HA/Lb software solutions is that they use multicast Mac address for a
unicast&nbsp; ip address.Isn't it against the tcp/ip standards \
?</span></font><o:p></o:p></p>

</div>

<div>

<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'>&nbsp;<o:p></o:p></span></font></p>

</div>

<div>

<p class=MsoNormal><font size=2 color=blue face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:blue'>Let&nbsp; me explain in details \
:</span></font><o:p></o:p></p>

</div>

<div>

<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'>&nbsp;<o:p></o:p></span></font></p>

</div>

<div>

<p class=MsoNormal><font size=2 color=blue face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:blue'>say a server is connected to a switch
which has HA/LB software solution.Now this server is going to arp for it's
default gateway .so far so good .Generally in all cases you expect a response
with a unicast Mac address so that server can send packet to it's default
gateway Mac.But in a clustering environment the Mac address will be a multicast
Mac address. so when the packets go from the server to the client it will be
flooded on all the ports of a switch where server is connected(&nbsp;if it is
not multicast aware.)</span></font><o:p></o:p></p>

</div>

<div>

<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'>&nbsp;<o:p></o:p></span></font></p>

</div>

<div>

<p class=MsoNormal><font size=2 color=blue face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:blue'>I just want to get a feel if my
understanding is correct and is this a part of tcp/ip standards \
.</span></font><o:p></o:p></p>

</div>

<div>

<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'>&nbsp;<o:p></o:p></span></font></p>

</div>

<div>

<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'>&nbsp;<o:p></o:p></span></font></p>

</div>

<blockquote DEFANGED_STYLE='margin-top:5.0pt;margin-bottom:5.0pt'>

<p class=MsoNormal DEFANGED_STYLE='margin-bottom:12.0pt'><font size=2 \
face=Tahoma><span style='font-size:10.0pt;font-family:Tahoma'>-----Original \
Message-----<br> <b><span DEFANGED_STYLE='font-weight:bold'>From:</span></b> \
owner-<st1:PersonName w:st="on">lb-l@vegan.net</st1:PersonName> \
[mailto:owner-<st1:PersonName w:st="on">lb-l@vegan.net</st1:PersonName>]<b><span \
style='font-weight:bold'>On Behalf Of </span></b>hdn@goldmedal.co.uk<br> <b><span \
DEFANGED_STYLE='font-weight:bold'>Sent:</span></b> Friday, March 12, 2004 8:09 AM<br>
<b><span DEFANGED_STYLE='font-weight:bold'>To:</span></b> <st1:PersonName \
w:st="on">lb-l@vegan.net</st1:PersonName><br> <b><span \
DEFANGED_STYLE='font-weight:bold'>Subject:</span></b> RE: [load balancing] How to \
load balance firewalls</span></font><o:p></o:p></p>

<p class=MsoNormal><font size=2 color=blue face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:blue'>Are you running the Checkpoint on Nokia
appliances?</span></font><o:p></o:p></p>

<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'>&nbsp;<o:p></o:p></span></font></p>

<p class=MsoNormal><font size=2 color=blue face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:blue'>Nokia IPSO has built in load balancing
(from ipso 3.6 onwards I think) that runs almost outside the CP software. We
have some 6 cisco LB devices on site and some Radware appliances, and I was
reluctant&nbsp; to take the &quot;IPSO Clustering&quot; seriously at first
but&nbsp;have just returned from the new Nokia Security Administrators 2
course. I&nbsp;played with it a&nbsp; bit in the lab and was impressed. I was
surprised to find that it it is not well known about, or implemented often,
even though Active/Active clustering was patented by Nokia (a slide of this is
displayed in the course) and is being incorporated as the Active/Active method
in some of the newer content delivery appliances.&nbsp; Although limited in
functionality, a even 50/50 spread was achieved on both firewalls and up to 5
can be included, all active in a cluster. A source IP &quot;bucket&quot; scheme
is used to distribute responsibility accross each appliance and a shared
virtual MAC exists for each interface on each firewall for each subnet/DMZ.
There is no requirement for inside and outside appliances and Asynchronous
routing is avoided in every scenario including VPN \
traffic.</span></font><o:p></o:p></p>

<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'>&nbsp;<o:p></o:p></span></font></p>

<p class=MsoNormal><font size=2 color=blue face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:blue'>Keepalives are handled using multicast
traffic, and in IPSO ver 3.7 with NG AI for the firewall, this traffic can be
removed from the network and distributed across your existing dedicated State
Table Sync link. A little bit of tweaking would be required for spanning tree I
guess but the firewall config is a 2 minute point and click exercise. Another
benefit is that once clustered, all management and upgrade work is carried out
once in cVoyager and is distributed to all appliances, and if neccesary they
are rebooted one at a time with no effort at all or down \
time.</span></font><o:p></o:p></p>

Best of all, IT'S FREE!!!

  _____  

From: Kleberg, Jason [mailto:JKleberg@glhec.org]
Sent: 13 February 04 15:20
To: lb-l@vegan.net
Subject: [load balancing] How to load balance firewalls

-->

</DEFANGED_STYLE>

Hello, I have a few questions concerning load balancing fw's and I hope you
guys can help :). We have a pair of checkpoint fw-1's at a site utilizing
their built in HA module called stonebeat full cluster. To keep this short it
is very sloppy. From my understanding F5/alteon and Cisco can all LB fw's.
Has anyone done it with ultra monkey? Are there any guides on load balancing
firewalls? Are there any serious drawbacks? I would like to have a solution
where both firewalls are active. Here is a sample topology:

      Internet
     /        \
  Rtr1---------rtr2
   |             |
   |             |
  Fw1-----------Fw2
   |             |
   |             |
  Sw1-----------sw2
   |             |
   |             |
  LAN and servers

</blockquote>

</blockquote>

</blockquote>

</blockquote>

</span></div>

</body>

</html>


____________________
The Load Balancing Mailing List
Unsubscribe:    mailto:majordomo@vegan.net?body=unsubscribe%20lb-l
Archive:        http://vegan.net/lb/archive
LBDigest:       http://lbdigest.com
MRTG with SLB:  http://vegan.net/MRTG
Hosted by:	http://www.tokkisystems.com

