This chapter describes how to configure the Content Services Switch Firewall Load Balancing feature. Information in this chapter applies to all CSS models, except where noted.
This chapter includes the following sections:
Because the CSS can exist on either side of a firewall, it can balance traffic over multiple firewalls simultaneously. Each firewall is active and available in the load balancing firewall algorithm. The CSS uses the source and destination IP addresses in the algorithm to calculate which firewall to use for each flow.
Firewall load balancing acts as a Layer 3 device. Each connection to the firewall is a separate IP subnet. All flows between a pair of IP addresses, in either direction, traverse the same firewall. Firewall load balancing performs routing functions; it does not apply content rules to firewall load balancing decisions.
Note Firewalls cannot perform Network Address Translation (NAT). If your configuration requires NAT, you must configure a content rule or source group on the CSS to provide this function.
To configure firewall load balancing, you must define the following parameters for each path through the firewalls on both local and remote CSSs:
Refer to the sections that follow for information on configuring firewall load balancing.
Firewall solutions providing Stateful Inspection, such as Check Point FireWall-1®, create and maintain virtual state for all connections through their devices, even for stateless protocols such as UDP and RPC. This state information, including details on Network Address Translation (NAT), is updated according to the data transferred. Different firewall modules running on different machines, such as those in a firewall load balancing environment, can then share this information by mutually updating each other on the different state information of their connections.
Firewall synchronization (as shown in Figure 9-1) provides a significant benefit whereby each firewall device is aware of all connections in a firewall load balanced environment, making recovery of a failed firewall immediate and transparent to its users.
Note Customers should refer to their specific firewall documentation for details on configuring firewall synchronization. In the case of a FireWall-1 device, you can find detailed configuration information in the Check Point Software FireWall-1 Architecture and Administration guide, in the chapter Active Network Management.
A CSS must exist on each side of the firewall to control which firewall is selected for each flow. Within the firewall configuration, you must configure both the local and remote CSSs with the same firewall index number.
To avoid dropping packets, the CSS directs all packets between a pair of IP addresses across the same firewall, in both directions. If one path fails, all traffic uses the remaining path, or is balanced across the remaining paths when more than one remains.
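The two properties described above, the same firewall for both directions of a flow and automatic use of the remaining paths on failure, can be modelled in a few lines. This is an added illustration, not CSS code: the page says only that the CSS derives the choice from the source and destination IP addresses, so the order-insensitive pair hash used here is an assumption standing in for the undocumented CSS algorithm.

```python
# Added illustration, not CSS code. Models the two properties the chapter
# describes: the firewall chosen for a pair of IP addresses is the same in
# either direction, and a failed path is removed from the choice. The pair
# hash is an assumption; the actual CSS algorithm is not given on this page.
import hashlib
import ipaddress


def pair_key(addr_a: str, addr_b: str) -> bytes:
    """Order-insensitive key for an IP pair: (a, b) and (b, a) give the same bytes."""
    a = ipaddress.ip_address(addr_a)
    b = ipaddress.ip_address(addr_b)
    lo, hi = sorted((a, b))
    return lo.packed + hi.packed


def select_firewall(src: str, dst: str, firewalls: dict) -> int:
    """Pick a firewall index for the flow src<->dst among the firewalls that are up.

    firewalls maps firewall index -> True if the path is available.
    Raises RuntimeError when no path is left.
    """
    available = sorted(i for i, up in firewalls.items() if up)
    if not available:
        raise RuntimeError("no firewall path available")
    digest = hashlib.sha256(pair_key(src, dst)).digest()
    slot = int.from_bytes(digest[:4], "big") % len(available)
    return available[slot]


def demo():
    """Return (outbound choice, inbound choice, choice after the chosen path fails)."""
    fws = {1: True, 2: True}
    client, server = "192.168.1.10", "192.168.2.20"   # constructed sample flow
    outbound = select_firewall(client, server, fws)
    inbound = select_firewall(server, client, fws)    # reply direction
    fws[outbound] = False                             # simulate a path failure
    after_failure = select_firewall(client, server, fws)
    return outbound, inbound, after_failure
```

Because both CSSs compute the choice from the same address pair, a local and a remote CSS sharing the same firewall index table agree on the path without exchanging any state.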
Note You must define the firewall index before you define the firewall route or the CSS will return an error message. To configure the route, refer to the ip route command.
The syntax for this global configuration mode command is:
ip firewall index local_firewall_address remote_firewall_address remote_switch_address
The variables are listed below. Enter all IP addresses in dotted-decimal notation (for example, 192.168.11.1).
For example:
(config)# ip firewall 1 192.168.27.1 192.168.28.1 192.168.28.3
To delete a firewall index, enter:
(config)# no ip firewall 1
Caution When you delete a firewall index, all routes associated with that index are also deleted.
Note You must define the firewall index before you define the firewall static route or the CSS will return an error message. To configure the firewall index, refer to the ip firewall command.
The syntax for this command is:
ip route ip_address subnet_mask firewall index distance
The variables are:
For example:
(config)# ip route 192.168.2.0/24 firewall 1 2
To remove a firewall route, enter:
(config)# no ip route 192.168.2.0/24 firewall 1
Use the rip redistribute firewall command to advertise routes from other protocols through RIP.
You may also include an optional metric that the CSS uses when advertising this route. Enter a number from 1 to 15. The default is 1.
The syntax for this global configuration mode command is:
(config)# rip redistribute firewall 3
Note By default, RIP advertises RIP routes and local routes for interfaces running RIP. This command advertises other routes.
To stop advertising firewall routes through RIP, enter:
(config)# no rip redistribute firewall
The CSS has the capability to dynamically learn all firewall routes from other routers within the same autonomous system or between autonomous systems. You enable this functionality by configuring the OSPF link-state routing protocol on the CSS (and the other devices in the network).
To configure a dynamic route for a firewall:
1. Enable the global OSPF parameters for the CSSs located at the server and client sides of the network (as described in Configuring OSPF), by including the following configuration commands:
2. Configure the OSPF parameters for the CSS IP interfaces located at the server and client sides of the network (as described in Configuring OSPF), by including the following configuration commands:
Note Depending on the type of server in use and server time-out duration, you may need to set the ospf dead and ospf hello commands to an interval smaller than the default settings (40 seconds and 10 seconds, respectively).
To configure CSS-A (the client side of the network configuration) as shown in Figure 9-1:
1. Use the ip firewall command to define firewall 1. For example:
(config)# ip firewall 1 192.168.28.1 192.168.27.1 192.168.27.3
2. Use the ip route command to define the static route for firewall 1. For example:
(config)# ip route 192.168.2.0/24 firewall 1
3. Use the ip firewall command to define firewall 2. For example:
(config)# ip firewall 2 192.168.28.2 192.168.27.2 192.168.27.3
4. Use the ip route command to define the static route for firewall 2. For example:
(config)# ip route 192.168.2.0/24 firewall 2
To configure CSS-B (the server side of the network configuration) as shown in Figure 9-1:
1. Use the ip firewall command to define firewall 1. For example:
(config)# ip firewall 1 192.168.27.1 192.168.28.1 192.168.28.3
2. Use the ip route command to define the static route for firewall 1. For example:
(config)# ip route 0.0.0.0/0 firewall 1
3. Use the ip firewall command to define firewall 2. For example:
(config)# ip firewall 2 192.168.27.2 192.168.28.2 192.168.28.3
4. Use the ip route command to define the static route for firewall 2. For example:
(config)# ip route 0.0.0.0/0 firewall 2
Figure 9-1 illustrates the configuration defined in the firewall commands.
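The CSS-A and CSS-B definitions above must mirror each other: the same index on both switches, each switch's local firewall address being the other's remote firewall address, and remote_switch_address naming the peer CSS's interface. The following is an added consistency check, not part of the CSS documentation or software; the requirement that remote_switch_address equal the peer CSS's own interface address is an assumption read off the Figure 9-1 examples (192.168.28.3 for CSS-A, 192.168.27.3 for CSS-B).

```python
# Added check, not CSS software. Parses the "ip firewall" lines of two CSS
# configurations and reports any index that is not mirrored between them.
# Assumption (taken from the chapter's examples): remote_switch_address on
# one CSS is the other CSS's own interface address on the firewall subnet.
import re

FIREWALL_RE = re.compile(
    r"^\s*ip firewall (\d+) (\S+) (\S+) (\S+)\s*$", re.MULTILINE)


def parse_firewalls(config: str) -> dict:
    """Return {index: (local_fw, remote_fw, remote_switch)} from running-config text."""
    return {int(i): (lf, rf, rs) for i, lf, rf, rs in FIREWALL_RE.findall(config)}


def check_mirror(config_a: str, addr_a: str, config_b: str, addr_b: str) -> list:
    """List inconsistencies between two CSSs' firewall definitions.

    addr_a / addr_b are each switch's own interface address, which the peer
    is expected to name as remote_switch_address. An empty list means consistent.
    """
    a, b = parse_firewalls(config_a), parse_firewalls(config_b)
    problems = []
    for idx in sorted(set(a) | set(b)):
        if idx not in a or idx not in b:
            problems.append(f"index {idx} defined on only one CSS")
            continue
        a_local, a_remote, a_switch = a[idx]
        b_local, b_remote, b_switch = b[idx]
        if (a_local, a_remote) != (b_remote, b_local):
            problems.append(f"index {idx}: firewall addresses are not mirrored")
        if a_switch != addr_b or b_switch != addr_a:
            problems.append(f"index {idx}: remote_switch_address does not name the peer CSS")
    return problems


# Constructed sample configurations, copied from the CSS-A / CSS-B steps above.
CSS_A = """ip firewall 1 192.168.28.1 192.168.27.1 192.168.27.3
ip firewall 2 192.168.28.2 192.168.27.2 192.168.27.3
"""
CSS_B = """ip firewall 1 192.168.27.1 192.168.28.1 192.168.28.3
ip firewall 2 192.168.27.2 192.168.28.2 192.168.28.3
"""
```

Run the check against the text of show running-config from each switch; a mismatch here is the kind of error that lets one direction of a flow take a different firewall than the other.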
Firewall configurations are displayed in the IP portion of the running-config. For example:
(config)# show running-config
To configure CSS-A (the client side of the network configuration) as shown in Figure 9-1:
1. Use the ospf router-id command to configure the OSPF router ID for the CSS. For example:
(config)# ospf router-id 192.168.28.3
2. Use the ospf enable command to enable OSPF on the CSS. For example:
(config)# ospf enable
3. Use the ospf default command to force the CSS to generate a default ASE route and advertise it through the OSPF protocol. For example:
(config)# ospf default
4. Use the ospf redistribute local command to advertise the local route through the OSPF protocol. For example:
(config)# ospf redistribute local
5. (Optional) If you want the CSS to advertise external routes, use the ospf as-boundary command to define it as an AS border router. For example:
(config)# ospf as-boundary
6. Access circuit configuration mode for the preconfigured circuit on which you want to create the IP interface. For example, for VLAN1 enter:
(config)# circuit VLAN1
(config-circuit[VLAN1])#
7. Use the ip address command to create the IP interface to the circuit. For example:
(config-circuit[VLAN1])# ip address 192.168.28.3/24
Create ip interface <192.168.28.3>, [y/n]:y
8. Use the ospf command to configure the IP interface as an OSPF interface. For example:
(config-circuit[VLAN1-192.168.28.3])# ospf
9. Use the ospf enable command to enable OSPF on the CSS. For example:
(config-circuit[VLAN1-192.168.28.3])# ospf enable
Note Configuring the ospf dead and ospf hello commands in the two steps that follow is optional. However, depending on the type of server in use and server time-out duration, you may need to set the ospf dead and ospf hello commands to an interval smaller than the default settings (which are 40 seconds and 10 seconds, respectively).
10. Use the ospf dead command to specify a dead router interval for the interface. For example:
(config-circuit[VLAN1-192.168.28.3])# ospf dead 20
11. Use the ospf hello command to specify how often the router interface periodically transmits hello packets. For example:
(config-circuit[VLAN1-192.168.28.3])# ospf hello 5
To configure CSS-B (the server side of the network configuration) as shown in Figure 9-1:
1. Use the ospf router-id command to configure the OSPF router ID for the CSS. For example:
(config)# ospf router-id 192.168.27.3
2. Use the ospf enable command to enable OSPF on the CSS. For example:
(config)# ospf enable
3. Use the ospf redistribute local command to advertise the local route through the OSPF protocol. For example:
(config)# ospf redistribute local
4. (Optional) If you want the CSS to advertise external routes, use the ospf as-boundary command to define it as an AS border router. For example:
(config)# ospf as-boundary
5. Access circuit configuration mode for the preconfigured circuit on which you want to create the IP interface. For example, for VLAN1 enter:
(config)# circuit VLAN1
(config-circuit[VLAN1])#
6. Use the ip address command to create the IP interface to the circuit. For example:
(config-circuit[VLAN1])# ip address 192.168.27.3/24
Create ip interface <192.168.27.3>, [y/n]:y
7. Use the ospf command to configure the IP interface as an OSPF interface. For example:
(config-circuit[VLAN1-192.168.27.3])# ospf
8. Use the ospf enable command to enable OSPF on the CSS. For example:
(config-circuit[VLAN1-192.168.27.3])# ospf enable
Note Configuring the ospf dead and ospf hello commands in the two steps that follow is optional. However, depending on the type of server in use and server time-out duration, you may need to set the ospf dead and ospf hello commands to an interval smaller than the default settings (which are 40 seconds and 10 seconds, respectively).
9. Use the ospf dead command to specify a dead router interval for the interface. For example:
(config-circuit[VLAN1-192.168.27.3])# ospf dead 20
10. Use the ospf hello command to specify how often the router interface periodically transmits hello packets. For example:
(config-circuit[VLAN1-192.168.27.3])# ospf hello 5
Use the show flows command to display the flow summary for a source IP address, or for a specific source address and its destination IP address on a Switch Fabric Processor (SFP). You can display up to 200 flows per SFP. You can display up to 800 flows on a CSS 11800 containing four SFPs.
This information allows you to:
The syntax is:
(config)# show flows source_address destination_address
The variables are:
For example:
(config)# show flows 192.165.22.1 192.163.2.3
To display the flows for a specific source IP address, enter:
(config)# show flows 192.165.22.1
To display the flows for specific source and destination IP addresses, enter:
(config)# show flows 192.165.22.1 192.163.2.3
Use the show ip routes firewall command to display all static firewall routes. For example:
(config)# show ip routes firewall
Posted: Tue Dec 12 05:32:53 PST 2000
Copyright 1989-2000 © Cisco Systems Inc.