Cisco Systems OL-5650-02 Switch User Manual
Chapter 5 Configuring Firewall Load Balancing
Cisco Content Services Switch Security Configuration Guide
OL-5650-02
Overview of FWLB
FWLB enables you to configure a maximum of 15 firewalls per CSS. Configuring
multiple firewalls can overcome performance limitations and remove the single
point of failure when all traffic is forced through a single firewall. The FWLB
feature ensures that the CSS forwards all packets with the same source and
destination IP addresses through the same firewall. The CSS accomplishes this
by performing an XOR on the source and destination IP addresses.
Because the CSS can exist on either side of a firewall, it can balance traffic over
multiple firewalls simultaneously. Each firewall is active and available in the load
balancing firewall algorithm. The CSS uses the source and destination IP
addresses in the algorithm to calculate which firewall to use for each flow.
A CSS monitors the health of a firewall by sending a custom ICMP keepalive
request every second to the remote CSS on the other side of the firewall. If the
CSS does not receive a keepalive request from the remote CSS for 3 to 16 seconds
(configurable timeout), the CSS declares the firewall path unusable. A CSS does
not reply to the keepalive requests it receives; instead, each CSS transmits its
own keepalive requests every second, independently of the other CSS. For details
about configuring the keepalive timeout, see the “Configuring a Keepalive Timeout
for a Firewall” section.
FWLB acts as a Layer 3 device. Each connection to the firewall is a separate IP
subnet. All flows between a pair of IP addresses, in either direction, traverse the
same firewall. FWLB performs routing functions; it does not apply content rules
to FWLB decisions.
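The following Python model is an added example, not Cisco's code and not part of this guide. It illustrates the two properties described above: the XOR of the source and destination addresses produces the same key for both directions of a flow, so both directions map to the same firewall, and a firewall path is declared unusable once no keepalive has been received within the configured 3 to 16 second timeout. Reducing the XOR value modulo the number of healthy paths, and treating a path as unusable before its first keepalive arrives, are assumptions made for illustration; the guide states only the XOR and the timeout range.

```python
# Added example (not Cisco's code): a model of FWLB flow-to-firewall selection
# and keepalive-based path health as described in the Overview of FWLB.
import ipaddress
from typing import List, Optional

MAX_FIREWALLS = 15               # per-CSS limit stated in the guide
KEEPALIVE_INTERVAL = 1.0         # seconds between keepalive requests (guide)
MIN_TIMEOUT, MAX_TIMEOUT = 3, 16  # configurable timeout range stated in the guide


def flow_key(src: str, dst: str) -> int:
    """XOR of the two IPv4 addresses; identical for both directions of a flow."""
    return int(ipaddress.IPv4Address(src)) ^ int(ipaddress.IPv4Address(dst))


class FirewallPath:
    """One firewall path, monitored by keepalive requests from the remote CSS."""

    def __init__(self, index: int, timeout: int) -> None:
        if not 1 <= index <= MAX_FIREWALLS:
            raise ValueError(f"firewall index must be 1..{MAX_FIREWALLS}")
        if not MIN_TIMEOUT <= timeout <= MAX_TIMEOUT:
            raise ValueError(f"timeout must be {MIN_TIMEOUT}..{MAX_TIMEOUT} seconds")
        self.index = index
        self.timeout = timeout
        self.last_keepalive: Optional[float] = None  # time of last request seen

    def keepalive_received(self, now: float) -> None:
        """Record a keepalive request from the remote CSS (no reply is sent)."""
        self.last_keepalive = now

    def usable(self, now: float) -> bool:
        """Unusable after `timeout` seconds of silence.

        Assumption: a path that has never delivered a keepalive is also unusable.
        """
        if self.last_keepalive is None:
            return False
        return now - self.last_keepalive < self.timeout


class FirewallLoadBalancer:
    """Selects one firewall index per flow among the currently healthy paths."""

    def __init__(self, paths: List[FirewallPath]) -> None:
        self.paths = sorted(paths, key=lambda p: p.index)

    def healthy_paths(self, now: float) -> List[FirewallPath]:
        return [p for p in self.paths if p.usable(now)]

    def select(self, src: str, dst: str, now: float) -> Optional[int]:
        """Return the firewall index for a flow, or None if no path is usable.

        Assumption: the XOR key is reduced modulo the number of healthy paths.
        The guide states only that the CSS XORs the two addresses.
        """
        healthy = self.healthy_paths(now)
        if not healthy:
            return None
        return healthy[flow_key(src, dst) % len(healthy)].index


if __name__ == "__main__":
    # Constructed sample: three firewall paths with a 5 second keepalive timeout.
    paths = [FirewallPath(i, timeout=5) for i in (1, 2, 3)]
    lb = FirewallLoadBalancer(paths)
    for p in paths:
        p.keepalive_received(0.0)
    print("a->b:", lb.select("10.1.1.5", "192.0.2.20", now=1.0))
    print("b->a:", lb.select("192.0.2.20", "10.1.1.5", now=1.0))
    # Path 2 goes silent; paths 1 and 3 keep sending keepalives.
    paths[0].keepalive_received(4.0)
    paths[2].keepalive_received(4.0)
    print("healthy at t=6:", [p.index for p in lb.healthy_paths(6.0)])
```

Because the key is symmetric, the return traffic of a flow reaches the same firewall as the forward traffic, which is what a stateful firewall requires to match the reply against an existing session. When a path times out, flows that hashed to it are redistributed over the remaining healthy paths, and because every firewall is active, that redistribution is the only effect of a failure.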
Note Firewalls cannot perform Network Address Translation (NAT). If your
configuration requires NATing, you must configure a content rule or source group
on the CSS to provide this function.
To configure FWLB, you must define the following parameters for each path
through the firewalls on both local and remote CSSs:
• Firewall index (identifies the physical firewall), local firewall IP address,
remote firewall IP address, and CSS VLAN IP address
• Static route that the CSS will use for each firewall
See the sections that follow for information on configuring FWLB.