Nortel Networks 212777 Network Router User Manual


 
Web OS 10.0 Application Guide
328
Chapter 13: Firewall Load Balancing
212777-A, February 2002
1. Incoming traffic converges on the primary dirty-side Web switch.
External traffic arrives through redundant routers. A set of interconnected switches ensures that both routers have a path to each dirty-side Web switch.
VRRP is configured on each dirty-side Web switch so that one acts as the primary routing switch. If the primary fails, the secondary takes over.
2. FWLB is performed between primary Web switches.
Just as with basic FWLB, filters on the ingress ports of the dirty-side Web switch redirect traffic to a real server group composed of multiple IP addresses. This configuration splits incoming traffic into multiple streams. Each stream is then routed toward the primary clean-side Web switch through a different firewall.
Although other load balancing metrics can be used in some configurations (see Free-Metric FWLB on page 346), the distribution of traffic within each stream is normally based on a mathematical hash of the IP source and destination addresses. Hashing ensures that each request and its related responses will use the same firewall (a feature known as persistence), and that the streams will be statistically equal in traffic load.
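The following script is an added illustration of the hashing step, not code from the Web OS guide or from Nortel. The guide only says the switch hashes the IP source and destination addresses; the choice of CRC-32 as the hash, the 10.10.1.0/24 internal server subnet and the generated client addresses are all assumptions made here. It shows the two properties the paragraph claims: an order-insensitive hash sends a request and its reply through the same firewall (persistence), and the per-firewall counts over a large sample of flows come out close to equal. An order-sensitive variant is included to show what goes wrong when the clean-side switch hashes the reversed address pair differently: a stateful firewall that never saw the request drops the reply.

```python
"""Hash-based firewall selection for FWLB (constructed example)."""
import ipaddress
import random
import zlib
from collections import Counter
from typing import Callable, Iterable, List, Tuple

Flow = Tuple[str, str]                        # (source IP, destination IP)
Selector = Callable[[str, str, int], int]     # (src, dst, n_firewalls) -> firewall index


def _addr_bytes(addr: str) -> bytes:
    """IPv4 dotted-quad string to its 4 big-endian bytes."""
    return int(ipaddress.IPv4Address(addr)).to_bytes(4, "big")


def select_firewall(src: str, dst: str, n_firewalls: int) -> int:
    """Order-insensitive selection: sorting the two addresses before hashing
    makes the request (src, dst) and its reply (dst, src) produce the same
    index, which is what both the dirty-side and clean-side switches need
    for persistence. CRC-32 is an assumed hash, not the switch's algorithm."""
    lo, hi = sorted((_addr_bytes(src), _addr_bytes(dst)))
    return zlib.crc32(lo + hi) % n_firewalls


def select_firewall_naive(src: str, dst: str, n_firewalls: int) -> int:
    """Order-sensitive variant, kept only to show the failure mode: the reply
    can be routed through a different firewall than the request."""
    return zlib.crc32(_addr_bytes(src) + _addr_bytes(dst)) % n_firewalls


def constructed_flows(count: int, seed: int = 1) -> List[Flow]:
    """Deterministic pseudo-random (external client, internal server) pairs.
    Constructed sample data; the 10.10.1.0/24 server subnet is assumed."""
    rng = random.Random(seed)
    flows: List[Flow] = []
    for _ in range(count):
        client = str(ipaddress.IPv4Address(rng.getrandbits(32)))
        server = f"10.10.1.{rng.randint(1, 254)}"
        flows.append((client, server))
    return flows


def distribution(flows: Iterable[Flow], n_firewalls: int,
                 selector: Selector = select_firewall) -> Counter:
    """Number of request flows assigned to each firewall (stream balance)."""
    return Counter(selector(s, d, n_firewalls) for s, d in flows)


def persistence_failures(flows: Iterable[Flow], n_firewalls: int,
                         selector: Selector = select_firewall) -> int:
    """Count flows whose reply (dst, src) would leave through a different
    firewall than the one that carried the request (src, dst)."""
    return sum(1 for s, d in flows
               if selector(s, d, n_firewalls) != selector(d, s, n_firewalls))


if __name__ == "__main__":
    sample = constructed_flows(10_000)
    for name, sel in (("symmetric", select_firewall), ("naive", select_firewall_naive)):
        counts = dict(sorted(distribution(sample, 4, sel).items()))
        print(f"{name:9s} per-firewall counts: {counts}  "
              f"persistence failures: {persistence_failures(sample, 4, sel)}")
```

Running it with four firewalls shows the symmetric selector reporting zero persistence failures and roughly 2,500 flows per firewall, while the naive selector splits traffic just as evenly but sends most replies through a different firewall than their request. The point for a deployment is that the clean-side filter and static routes must reproduce exactly the dirty-side selection, including argument order, or the firewalls' state tables will not match the return path.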
3. The primary clean-side Web switch forwards the traffic to its destination.
Once traffic arrives at the primary clean-side Web switch, it is forwarded to its destination. In this example, the Web switch uses regular server load balancing settings to select a real server on the internal network for each incoming request.
The same process is used for outbound server responses; a filter on the clean-side Web switch splits the traffic, and static routes forward each response stream back through the same firewall that forwarded the original request.