Load Balancing for esafe Gateway 3.x with Cisco Web NS and CSS Switches Design and implementation guide

esafe Gateway/Mail v. 3.x

esafe Gateway provides fast and transparent real-time inspection of Internet traffic. This document describes the firewall load balancing setup and configuration of the Cisco CSS Switches, designed to provide high availability solutions for secure gateway environments where performance requires the use of more than one Gateway, such as the Aladdin esafe Gateway. It is intended that the solution be tested after production of this document so that Aladdin can begin to recommend to its customers an approved High Availability solution for their esafe Gateways using the Cisco CSS as load balancer.

This setup and configuration is a standard configuration for the Cisco CSS Switches such as the Cisco for firewall load balancing. In the most general sense, the distinction between load balancing servers and load balancing firewalls (in this case the Aladdin esafe Gateway) is that servers sit behind a single load balancing switch, whereas firewalls are sandwiched between 2 load balancing switches. The reason for the different architecture is that with a CSS load balancing switch on either side of the esafe Gateway, traffic with the same source and destination address, and hence all flows to and from those addresses, can be made to go through the same esafe Gateway. This is essential for stateful inspection firewalls, and appears to be how the esafe Gateway needs to work.

(Last updated: April 7, :21 am)

All attempts have been made to make the information in this document complete and accurate. Aladdin is not responsible for any direct or indirect damages or loss of business resulting from inaccuracies or omissions. The specifications in this document are subject to change without notice.

COPYRIGHT

No part of this Technical Document may be reproduced or transmitted in any form or by any means, except for the use of the registered user(s) without permission from Aladdin Knowledge Systems, Ltd. Copyright , Aladdin Knowledge Systems, Ltd. All rights reserved. Partial Copyright for information on Check Point products Check Point Software Technologies Ltd. All rights reserved.

TRADEMARKS

esafe is a trademark of Aladdin Knowledge Systems, Ltd. CSS and Web NS are trademarks of Cisco Systems, Inc. All other product names mentioned herein are trademarks or registered trademarks of their respective owners.

Load Balancing for esafe Gateway 3.x with Cisco Web NS and CSS Switches version 3.x level 4/7/03

Table of Contents

Chapter 1: Overview
Chapter 2: Configuration
Chapter 3: Redundant Configuration
    Overview of Configuration
    The Load Balancing setup for CSS A and B looks as follows:
    The setup for CSS C and D looks as follows:
Chapter 4: CSS FWLB Box-2-Box vs FWLB VIP/V-INT redundancy
    Advantages
    Disadvantages
    When to use
    When not to use

Overview

Firewall load balancing enables you to configure a maximum of 15 firewalls per CSS. Configuring multiple firewalls can overcome performance limitations and remove the single point of failure when all traffic is forced through a single firewall.

The firewall load-balancing feature ensures that the CSS will forward all packets with the same source and destination IP addresses through the same firewall or other similar device. The CSS accomplishes this task by performing an XOR on the source and destination IP address. Because the CSS can exist on either side of a firewall, it can balance traffic over multiple firewalls simultaneously. Each firewall is active and available in the load balancing firewall algorithm. The CSS uses the source and destination IP addresses in the algorithm to calculate which firewall to use for each flow.

Firewall load balancing acts as a Layer 3 device. Each connection to the firewall is a separate IP subnet. All flows between a pair of IP addresses, in either direction, traverse the same firewall. Firewall load balancing performs routing functions; it does not apply content rules to firewall load-balancing decisions.

When using the Cisco CSS Content Switch with multiple Aladdin esafe Gateways, a High Availability and scalable design can be created that allows higher data throughput than is recommended with a single esafe Gateway solution, and that adds the security of redundant failover should a unit in the Gateway fail. In normal operation, traffic destined for the internal network is load balanced on a connection basis across 2 or more esafe Gateways; in the event of a failure of one of the Gateways, the CSS Content Switch redistributes the traffic over the remaining Gateways to ensure the continued operation of applications. Additionally, a design providing even more secure redundancy can be created by using redundant CSS Content Switches for Ultra High Availability environments.
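The direction-independence that the XOR step gives can be checked with a short sketch. This is an added example, not Cisco's implementation: the document only says that the CSS XORs the source and destination addresses, so folding the result to one byte and taking it modulo the number of live paths is an assumption, as are the function names and the constructed sample addresses. A source-only hash is included as a counter-example.

```python
import ipaddress
from collections import Counter


def fold(value: int) -> int:
    """Assumption: reduce a 32-bit value to one byte by XORing its four octets."""
    return (value ^ (value >> 8) ^ (value >> 16) ^ (value >> 24)) & 0xFF


def xor_key(src: str, dst: str) -> int:
    """XOR of the two IPv4 addresses; identical for (a, b) and (b, a)."""
    return int(ipaddress.IPv4Address(src)) ^ int(ipaddress.IPv4Address(dst))


def select_firewall(src: str, dst: str, live_indices) -> int:
    """Pick a firewall index for an address pair from the paths that are up."""
    if not live_indices:
        raise RuntimeError("no firewall path is up")
    paths = sorted(live_indices)  # both switches must order the paths identically
    return paths[fold(xor_key(src, dst)) % len(paths)]


def select_by_source_only(src: str, dst: str, live_indices) -> int:
    """Counter-example (not what the document describes): hash the source only."""
    paths = sorted(live_indices)
    return paths[fold(int(ipaddress.IPv4Address(src))) % len(paths)]


def asymmetric_flows(flows, selector, live_indices) -> int:
    """Count address pairs whose forward and return packets pick different firewalls."""
    return sum(
        1 for client, server in flows
        if selector(client, server, live_indices) != selector(server, client, live_indices)
    )


def distribution(flows, live_indices) -> Counter:
    """Number of address pairs assigned to each firewall index."""
    return Counter(select_firewall(c, s, live_indices) for c, s in flows)


# Constructed sample traffic: 40 outside clients talking to 3 inside servers.
CLIENTS = [f"198.51.100.{h}" for h in range(1, 41)]
SERVERS = [f"10.0.0.{h}" for h in (10, 11, 12)]
FLOWS = [(c, s) for c in CLIENTS for s in SERVERS]

if __name__ == "__main__":
    both_up = {1, 2}
    print("XOR, asymmetric pairs:        ", asymmetric_flows(FLOWS, select_firewall, both_up))
    print("source-only, asymmetric pairs:", asymmetric_flows(FLOWS, select_by_source_only, both_up))
    print("two gateways up:", dict(distribution(FLOWS, both_up)))
    print("gateway 2 down: ", dict(distribution(FLOWS, {1})))
```

With the source-only hash the outside switch keys on the client and the inside switch keys on the server, so a stateful gateway sees return packets for connections it never tracked; the XOR key avoids this because it is the same value on both sides of the sandwich.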

Configuration

The diagram below shows two esafe Gateways called Aladdin esafe 1 and 2 sandwiched between 2 CSS Content Switches called CSS-A and B. The internal network is shown as /24 with an unprotected outside network of /24 and private addressing within the CSS Sandwich.

Figure 1: Firewall Load Balancing Example

First, the interfaces and circuits of the CSS switch need to be configured, along with any management and access list information specific to the device. This information has not been included here but may be specified later if required.

For each path through the esafe Gateways from both the outside CSS-A and inside CSS-B Content Switches, the following 2 configuration parameters define the path taken by the data traffic:

- Firewall index (identifies the physical firewall), local firewall IP address, remote firewall IP address, and CSS VLAN IP address
- Static route that the CSS will use for each firewall, or configure the OSPF protocol to dynamically learn all firewall routes

Use the ip firewall command to define parameters. You must define these parameters for each path through the esafe Gateway on both CSS A and B. A CSS must exist on each side of the esafe Gateway to control which esafe unit, 1 or 2, is selected for each flow. Within the CSS configuration, you must configure both CSS A and B with the same firewall index number.

To avoid dropping packets, the CSS directs all packets between a pair of IP addresses across the same esafe Gateway. This applies to packets flowing in either direction. If a failure occurs on one path, all traffic will use the remaining path or balance traffic on the remaining paths.

Important Note: You must define the firewall index before you define the firewall route or the CSS will return an error message. To configure the route, refer to the ip route command.

a. The syntax for this global configuration mode command is:

    ip firewall index local_firewall_address remote_firewall_address remote_switch_address

The variables are listed below. Enter all IP addresses in dotted-decimal notation (for example, ).

index - The index number to identify the firewall. Enter a number from 1 to 254.
local_firewall_address - The IP address of the firewall on a subnet connected to the CSS.
remote_firewall_address - The IP address of the firewall on the remote subnet that connects to the remote CSS.
remote_switch_address - The IP address of the remote CSS.

b. Use the ip route firewall command to configure a static route for firewalls. You can optionally set the administrative distance for the IP route. The syntax for this command is:

    ip route ip_address subnet_mask firewall index distance

The variables are:

ip_address - The destination network address. Enter the IP address in dotted-decimal notation.
subnet_mask - The IP subnet mask. Enter the mask in either:
    - CIDR bitcount notation (for example, /24). Do not enter a space to separate the IP address from the prefix length.
    - Dotted-decimal notation (for example, ).
index - An existing index number for the firewall route. For information on configuring a firewall index, refer to the ip firewall command.
distance - The optional administrative distance. Enter an integer from 1 to 254. A smaller number is preferable. The default value is 1.

For example, the configuration for CSS-A in the example above is as follows:

    ip firewall
    ip firewall
    ip route firewall 1 1
    ip route firewall 2 1

This essentially means that the 2 esafe Gateway paths are defined at the CSS-A switch with equal cost routes, and hence will be equal cost load balanced per connection.

The configuration for CSS-B in the example above is as follows, which ensures the return path goes back through the same esafe Gateway. Note the use of the default route on the return path:

    ip firewall
    ip firewall
    ip route firewall 1 1
    ip route firewall 2 1

Redundant Configuration

This configuration allows the use of a resilient/redundant pair of CSS 115xx load balancers on either side of the Aladdin esafe Gateways, for a highly redundant solution. There are in fact 2 configurations for redundancy: a simpler Box-2-Box redundancy, where one CSS is used as primary and one as failover, and a more complex VIP/V-INT redundancy, where both devices load balance connections and, if one path fails, the other side can take over full responsibility for all connections. The pros and cons of both redundant configurations are discussed in this section.

As depicted in Figure 2, the redundant configuration is built as a CSS sandwich model with firewalls or esafe Gateways in between. The software on the CSS 11x00 switches needs to be WebNS 5.01 or higher in order to support FWLB with VIP/V-INT redundancy.

The firewall load balancing configuration as shown below is the same regardless of the type of redundancy used. The added complexity of configuration depends on whether Box-2-Box or VIP/V-INT redundancy is chosen. In the former case, one pair of CSS 115xx switches is chosen as the primary pair and path, and the other pair is the secondary or failover pair. In the diagram this could mean that CSS A and B are primary, and C and D are secondary.

If VIP/V-INT redundancy is used, connections can be load balanced across both pairs of CSS 115xx switches in either direction, with failover to the other pair of switches in the event of failure of any interface. The failover is determined by using VRRP with virtual pairs of interfaces. There is a primary path and a secondary path down each of the two pairs of CSS switches. This means that half of the traffic goes through CSS A and B as its primary path and CSS C and D as its secondary path, and the other half of the traffic goes through CSS C and D as its primary path and CSS A and B as its secondary path. All switches are therefore being used to increase overall throughput, but with the added complexity of this type of configuration.

Again, the configuration of the VIP/V-INT redundancy is not included here; for simplicity, just the firewall load balancing configuration has been given. A descriptive overview of the configuration of the virtual interfaces (V-INTs) and VIPs is nevertheless given below for the user's understanding.

Overview of Configuration

The sandwiched configuration model has the following important load balancing routing settings configured:

Step 1. The routing to the VIP subnet /28 on the back-end CSS switches (B and D) is via 2 routes pointing to:

    ip route
    ip route

Step 2. These next hop addresses are the Virtual Interface addresses on the front-end CSS switches (A and C), where under stable conditions: is active in CSS A and is active in CSS C.

Step 3. These two static routes are redistributed via dynamic routing towards the external world by the routers shown at the top of the diagram.

Step 4. The routing from the Internet routers (cloud) towards the internal LAN is dynamic over two routes, which are per-session load balanced.

Step 5. The front-end CSS A and C switches each have a static route configured to the VIP subnet /28 via the ip firewall configured routes (see details below).

Step 6. The firewalls or esafe Gateways have the VIP subnet directly connected and don't require any routing statement to the internal CSS units, B and D.

Step 7. The routing path backwards from the real servers on the internal LAN /24 to the external world (clients) is achieved by putting a default gateway in the real servers pointing to the V-INT address of the back-end CSS units. Half of the real servers (or groups of servers) point to the back-end V-INT which is active on CSS B, and the other half of the real servers point to the V-INT which is active on CSS D.

Step 8. In our case these are gateways: and corresponding to the V-INT that is active or primary on those CSS switches.

Step 9. The back-end CSS units (B and D) have a default route whose next hop is the firewall interface derived from the active ip firewall index statement (see below for details).

Step 10. In the firewalls there is a static route pointing to the V-INT address of the /24 VLAN on the front-end switches (A and C). Example:

    On esafe 1: ip route
    On esafe 2: ip route

The front-end CSS units (A and C) have a static route for the external network. This setup can of course be made dynamic with OSPF.

The Load Balancing setup for CSS A and B looks as follows:

CSS A#

    ip firewall
    ip firewall
    ip firewall
    ip firewall
    ip route firewall 1 1
    ip route firewall 2 1
    ip route firewall 3 10
    ip route firewall 4 10

CSS B#

    ip firewall
    ip firewall
    ip firewall
    ip firewall
    ip route firewall 3 10
    ip route firewall 4 10
    ip route firewall 1 1
    ip route firewall 2 1

The black ip firewall statements have indices 1 and 2 in both CSS A and B, and are linked to the black ip route statements having the same indices and a metric of 1 (primary routes). The purple ip firewall statements have indices 3 and 4 and are linked to the purple ip route statements having the same indices and metric 10 (backup routes).

The ip firewall statements use three IP addresses, which are the interface addresses of:

1. Nearest primary address of firewall
2. Remote address of firewall
3. Interface address of remote CSS

The IP address list in the ip firewall statements is limited to three, so no additional hops can be installed between the two CSS units. The reason for this is that the CSS sends out ICMP keepalives over this path with the remote CSS as destination address and with a TTL value of 2. The TTL value of 2 is set for security reasons, to prevent any of these special ICMP packets from leaving the CSS sandwiched network.

The payload of the ICMP keepalives contains the three IP addresses configured in each ip firewall statement. The remote CSS that receives these ICMP packets analyses and stores the payload and verifies whether it has an ip firewall statement with the same intermediate addresses. Both CSS units send out ICMP messages and synchronise on the IP addresses and the indices in the payload of these packets.

The setup for CSS C and D looks as follows:

CSS C#

    ip firewall
    ip firewall
    ip firewall
    ip firewall
    ip route firewall 1 1
    ip route firewall 2 1
    ip route firewall 3 10
    ip route firewall 4 10

CSS D#

    ip firewall
    ip firewall
    ip firewall
    ip firewall
    ip route firewall 1 1
    ip route firewall 2 1
    ip route firewall 3 10
    ip route firewall 4 10

The grey ip firewall statements have indices 1 and 2 in both CSS units, and are linked to the grey ip route statements having the same indices and a metric of 1 (primary routes). The orange ip firewall statements have indices 3 and 4 and are linked to the orange ip route statements with the same indices and metric 10 (backup routes).

The layout and addressing to be used, including the V-INTs and VIPs, is shown below in Figure 2 for the redundant CSS configuration.

Figure 2: esafe Load Balancing with Cisco CSS 115xx Switches in Redundant Configuration.
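The rules stated in the Configuration chapter (index and distance ranges, index defined before its route) and the keepalive matching described above (both switches must hold the same index with the same intermediate firewall addresses) can be checked offline before a change is applied. The following is an added example, not part of the original guide or of Cisco's software: the function names are hypothetical, and all addresses are constructed for the simple two-switch layout of Figure 1.

```python
import ipaddress


def parse(config):
    """Parse one CSS config; return ({index: (local_fw, remote_fw, remote_css)}, errors)."""
    firewalls, errors = {}, []
    for n, raw in enumerate(config.strip().splitlines(), 1):
        tok = raw.split()
        if not tok:
            continue
        try:
            if tok[:2] == ["ip", "firewall"] and len(tok) == 6:
                idx = int(tok[2])
                addrs = tuple(ipaddress.IPv4Address(a) for a in tok[3:])
                if not 1 <= idx <= 254:
                    errors.append(f"line {n}: firewall index {idx} outside 1-254")
                else:
                    firewalls[idx] = addrs
            elif tok[:2] == ["ip", "route"] and "firewall" in tok:
                k = tok.index("firewall")
                # Accepts 10.0.0.0/24 (no space) or 10.0.0.0 255.255.255.0.
                ipaddress.IPv4Network("/".join(tok[2:k]))
                idx = int(tok[k + 1])
                distance = int(tok[k + 2]) if len(tok) > k + 2 else 1  # default 1
                if idx not in firewalls:
                    errors.append(f"line {n}: route uses firewall index {idx} before it is defined")
                if not 1 <= distance <= 254:
                    errors.append(f"line {n}: distance {distance} outside 1-254")
            else:
                errors.append(f"line {n}: unrecognised statement")
        except (ValueError, IndexError):
            errors.append(f"line {n}: malformed address, mask or number")
    return firewalls, errors


def cross_check(name_a, fw_a, name_b, fw_b):
    """Each index must exist on both switches with local/remote firewall addresses mirrored."""
    problems = []
    for idx in sorted(set(fw_a) | set(fw_b)):
        a, b = fw_a.get(idx), fw_b.get(idx)
        if a is None or b is None:
            problems.append(f"index {idx}: not defined on {name_a if a is None else name_b}")
        elif (a[0], a[1]) != (b[1], b[0]):
            problems.append(
                f"index {idx}: {name_a} path {a[0]} -> {a[1]} does not mirror "
                f"{name_b} path {b[0]} -> {b[1]}"
            )
    return problems


def audit(name_a, cfg_a, name_b, cfg_b):
    """Run the per-switch checks and the cross-switch check; return all findings."""
    fw_a, err_a = parse(cfg_a)
    fw_b, err_b = parse(cfg_b)
    findings = [f"{name_a} {e}" for e in err_a] + [f"{name_b} {e}" for e in err_b]
    return findings + cross_check(name_a, fw_a, name_b, fw_b)


# Constructed sample configurations (addresses are illustrative only).
CSS_A = """
ip firewall 1 10.1.1.2 10.2.1.2 10.2.1.1
ip firewall 2 10.1.2.2 10.2.2.2 10.2.2.1
ip route 192.168.10.0/24 firewall 1 1
ip route 192.168.10.0/24 firewall 2 1
"""
CSS_B_OK = """
ip firewall 1 10.2.1.2 10.1.1.2 10.1.1.1
ip firewall 2 10.2.2.2 10.1.2.2 10.1.2.1
ip route 0.0.0.0/0 firewall 1 1
ip route 0.0.0.0/0 firewall 2 1
"""
# Route before its index, distance out of range, index 2 crossed to gateway 1.
CSS_B_BAD = """
ip firewall 1 10.2.1.2 10.1.1.2 10.1.1.1
ip route 0.0.0.0/0 firewall 2 1
ip firewall 2 10.2.2.2 10.1.1.2 10.1.2.1
ip route 0.0.0.0/0 firewall 1 300
"""

if __name__ == "__main__":
    for finding in audit("CSS-A", CSS_A, "CSS-B", CSS_B_BAD):
        print(finding)
```

A mismatch on the mirrored addresses is the case to catch early: the two switches would not agree on the path carried in the keepalive payload for that index, and return traffic for a flow could be steered to a gateway holding no state for it.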

CSS FWLB Box-2-Box vs FWLB VIP/V-INT redundancy

Advantages:

Box-2-Box
- Simple to configure

VIP/V-INT
- Failover time between 1 and 3 seconds because:
    - Floating-static path is already up
    - Firewall path information has been exchanged
    - Circuits are up
- Active Active configuration possible
- More performance: all switches forward traffic
- No single point of failure

Disadvantages:

Box-2-Box
- Only Active Standby configuration possible
- Standby CSS units are not used for data traffic switching

VIP/V-INT
- More complex configuration
- Currently only one physical link possible for VRRP communication

When to use:

Box-2-Box
- When Active/Standby is the expected behaviour
- When a dedicated 10/100 link can be configured between the CSS units
- When configuration synchronization is needed

VIP/V-INT
- When there is a common subnet between the two CSS units where the VIP/V-INT can reside on
- In both Active/Active and Active/Standby configurations
- When fast failover time (< 5sec) is a requirement

When not to use:

Box-2-Box
- When Active/Active is needed
- When a dedicated 10/100 link between CSS units cannot be used (lack of 10/100 ports, or switches are too far apart)

VIP/V-INT
- When configuration synchronization is needed
- Configuration complexity of this model is an issue

Again, it is recommended that the setup be tested for performance and failover times with the esafe Gateways. The configuration will work on all versions of CSS code from 5.01 onwards. The newer CSS 1150x platforms use code 5.10 onwards.

Document Notes - Changes

Document originally written by Mark Dennis


More information

100-101: Interconnecting Cisco Networking Devices Part 1 v2.0 (ICND1)

100-101: Interconnecting Cisco Networking Devices Part 1 v2.0 (ICND1) 100-101: Interconnecting Cisco Networking Devices Part 1 v2.0 (ICND1) Course Overview This course provides students with the knowledge and skills to implement and support a small switched and routed network.

More information

SURF Feed Connection Guide

SURF Feed Connection Guide SURF Feed Connection Guide Tullett Prebon Information Ltd A wholly owned subsidiary of Tullett Prebon Version 6.0 3 rd August 2005 Contents 1. Introduction...3 1.1 General...3 2. Connectivity via the Internet...4

More information

Routing Security Server failure detection and recovery Protocol support Redundancy

Routing Security Server failure detection and recovery Protocol support Redundancy Cisco IOS SLB and Exchange Director Server Load Balancing for Cisco Mobile SEF The Cisco IOS SLB and Exchange Director software features provide a rich set of server load balancing (SLB) functions supporting

More information

Internet Firewall CSIS 4222. Packet Filtering. Internet Firewall. Examples. Spring 2011 CSIS 4222. net15 1. Routers can implement packet filtering

Internet Firewall CSIS 4222. Packet Filtering. Internet Firewall. Examples. Spring 2011 CSIS 4222. net15 1. Routers can implement packet filtering Internet Firewall CSIS 4222 A combination of hardware and software that isolates an organization s internal network from the Internet at large Ch 27: Internet Routing Ch 30: Packet filtering & firewalls

More information

Interconnecting Cisco Network Devices 1 Course, Class Outline

Interconnecting Cisco Network Devices 1 Course, Class Outline www.etidaho.com (208) 327-0768 Interconnecting Cisco Network Devices 1 Course, Class Outline 5 Days Interconnecting Cisco Networking Devices, Part 1 (ICND1) v2.0 is a five-day, instructorled training course

More information

This How To Note describes one possible basic VRRP configuration.

This How To Note describes one possible basic VRRP configuration. AlliedWare TM OS How To Configure VRRP (Virtual Router Redundancy Protocol) Introduction VRRP is a popular protocol for providing device redundancy, for connecting redundant WAN gateway routers or server

More information

GLBP - Gateway Load Balancing Protocol

GLBP - Gateway Load Balancing Protocol GLBP - Gateway Load Balancing Protocol Gateway Load Balancing Protocol (GLBP) protects data traffic from a failed router or circuit, like Hot Standby Router Protocol (HSRP) and Virtual Router Redundancy

More information

Load Balancing Sophos Web Gateway. Deployment Guide

Load Balancing Sophos Web Gateway. Deployment Guide Load Balancing Sophos Web Gateway Deployment Guide rev. 1.0.9 Copyright 2002 2015 Loadbalancer.org, Inc. 1 Table of Contents About this Guide...3 Loadbalancer.org Appliances Supported...3 Loadbalancer.org

More information

User Guide Managed VPN Router. Wireless Maingate AB. Wireless Maingate AB

User Guide Managed VPN Router. Wireless Maingate AB. Wireless Maingate AB E-mail: info@maingate.se Web: www.maingate.se User Guide Managed VPN Router 1.0 MANAGED VPN ROUTER Revision: 1.0 Date: 24.08.2009 Information class: Open Information Address: Drottninggatan 16 37131 Karlskrona

More information

Load Balancing Barracuda Web Filter. Deployment Guide

Load Balancing Barracuda Web Filter. Deployment Guide Load Balancing Barracuda Web Filter Deployment Guide rev. 1.1.4 Copyright 2015 Loadbalancer.org, Inc. 1 Table of Contents About this Guide... 3 Loadbalancer.org Appliances Supported...3 Loadbalancer.org

More information

High Availability. Palo Alto Networks. PAN-OS Administrator s Guide Version 6.0. Copyright 2007-2015 Palo Alto Networks

High Availability. Palo Alto Networks. PAN-OS Administrator s Guide Version 6.0. Copyright 2007-2015 Palo Alto Networks High Availability Palo Alto Networks PAN-OS Administrator s Guide Version 6.0 Contact Information Corporate Headquarters: Palo Alto Networks 4401 Great America Parkway Santa Clara, CA 95054 www.paloaltonetworks.com/company/contact-us

More information

Cisco - Configure the 1721 Router for VLANs Using a Switch Module (WIC-4ESW)

Cisco - Configure the 1721 Router for VLANs Using a Switch Module (WIC-4ESW) Page 1 of 20 Configure the 1721 Router for VLANs Using a Switch Module (WIC-4ESW) Document ID: 50036 Contents Introduction Prerequisites Requirements Components Used Network Diagram The Role of Switched

More information

Load Balancing McAfee Web Gateway. Deployment Guide

Load Balancing McAfee Web Gateway. Deployment Guide Load Balancing McAfee Web Gateway Deployment Guide rev. 1.1.4 Copyright 2015 Loadbalancer.org, Inc. 1 Table of Contents About this Guide... 3 Loadbalancer.org Appliances Supported...3 Loadbalancer.org

More information

Brocade to Cisco Comparisons

Brocade to Cisco Comparisons 1 2 3 Console cables - The console cables are not interchangeable between Brocade and Cisco. Each vendor provides their console cable with each manageable unit it sells. Passwords - Neither Cisco or Brocade

More information

Load Balancing Bloxx Web Filter. Deployment Guide

Load Balancing Bloxx Web Filter. Deployment Guide Load Balancing Bloxx Web Filter Deployment Guide rev. 1.1.8 Copyright 2002 2016 Loadbalancer.org, Inc. 1 Table of Contents About this Guide...4 Loadbalancer.org Appliances Supported...4 Loadbalancer.org

More information

Border Gateway Protocol Best Practices

Border Gateway Protocol Best Practices Border Gateway Protocol Best Practices By Clifton Funakura The Internet has grown into a worldwide network supporting a wide range of business applications. Many companies depend on the Internet for day-to-day

More information

M2M Series Routers. Virtual Router Redundancy Protocol (VRRP) Configuration Whitepaper

M2M Series Routers. Virtual Router Redundancy Protocol (VRRP) Configuration Whitepaper Virtual Router Redundancy Protocol (VRRP) Configuration Whitepaper Table of Contents What is VRRP?... 3 VRRP Terminology... 3 Virtual Router... 3 VRRP Instance... 3 Virtual Router ID... 3 Virtual Router

More information

TIBCO Rendezvous Network Server Glossary

TIBCO Rendezvous Network Server Glossary TIBCO Rendezvous Network Server Glossary Software Release 1.1 March 2015 Two-Second Advantage 2 Important Information SOME TIBCO SOFTWARE EMBEDS OR BUNDLES OTHER TIBCO SOFTWARE. USE OF SUCH EMBEDDED OR

More information

CCNP Switch 642-813 Questions/Answers Implementing High Availability and Redundancy

CCNP Switch 642-813 Questions/Answers Implementing High Availability and Redundancy Which Catalyst 6500 switch component integrates on individual line modules as well as on the supervisor engine? A. CPU B. Flash C. ASIC D. NVRAM Answer: C Cisco Catalyst 6500 Series with Cisco IOS Software

More information

Digi Certified Transport Technician Training Course (DCTT)

Digi Certified Transport Technician Training Course (DCTT) 1 2 A roadblock to this might be if dynamic routing using proprietary protocols, like EIGRP, are required. 3 (VRRP Can also be used over FDDI/Token Ring) HSRP (Hot Standby Router Protocol) is the Cisco

More information

Load Balancing ContentKeeper With RadWare

Load Balancing ContentKeeper With RadWare Load Balancing ContentKeeper With RadWare The RadWare Fireproof may be used with ContentKeeper to provide load balanced and redundant Internet content filtering for your network. The RadWare FireProof

More information

Virtual PortChannels: Building Networks without Spanning Tree Protocol

Virtual PortChannels: Building Networks without Spanning Tree Protocol . White Paper Virtual PortChannels: Building Networks without Spanning Tree Protocol What You Will Learn This document provides an in-depth look at Cisco's virtual PortChannel (vpc) technology, as developed

More information

Lab 8.4.2 Configuring Access Policies and DMZ Settings

Lab 8.4.2 Configuring Access Policies and DMZ Settings Lab 8.4.2 Configuring Access Policies and DMZ Settings Objectives Log in to a multi-function device and view security settings. Set up Internet access policies based on IP address and application. Set

More information

Network layer: Overview. Network layer functions IP Routing and forwarding

Network layer: Overview. Network layer functions IP Routing and forwarding Network layer: Overview Network layer functions IP Routing and forwarding 1 Network layer functions Transport packet from sending to receiving hosts Network layer protocols in every host, router application

More information

Application Description

Application Description Application Description Firewall in front of LAN Different Servers located behind Firewall Firewall to be accessible from Internet Load Balancer to be installed in a TRANSPARENT MODE between Firewall and

More information

Configuring Network Address Translation

Configuring Network Address Translation CHAPTER5 Configuring Network Address Translation The information in this chapter applies to both the ACE module and the ACE appliance unless otherwise noted. This chapter contains the following major sections

More information

Deployment Guide AX Series for Palo Alto Networks Firewall Load Balancing

Deployment Guide AX Series for Palo Alto Networks Firewall Load Balancing Deployment Guide AX Series for Palo Alto Networks Firewall Load Balancing DG_PAFWLB_120718.1 TABLE OF CONTENTS 1 Overview... 4 2 Deployment Prerequisites... 4 3 Architecture Overview... 5 4 Access Credentials...

More information

Networking Topology For Your System

Networking Topology For Your System Networking Topology For Your System End user experience with Cisco WebEx Meetings Server is of a web site, that users access to schedule and join meetings. A special aspect of this web site is real-time

More information

Chapter 2 Lab 2-2, EIGRP Load Balancing

Chapter 2 Lab 2-2, EIGRP Load Balancing Chapter 2 Lab 2-2, EIGRP Load Balancing Topology Objectives Background Review a basic EIGRP configuration. Explore the EIGRP topology table. Identify successors, feasible successors, and feasible distances.

More information

ERserver. iseries. TCP/IP routing and workload balancing

ERserver. iseries. TCP/IP routing and workload balancing ERserver iseries TCP/IP routing and workload balancing ERserver iseries TCP/IP routing and workload balancing Copyright International Business Machines Corporation 1998, 2001. All rights reserved. US

More information

Administrative Distance

Administrative Distance RIP is a distance vector routing protocol. It shares routing information through the local broadcast in every 30 seconds. In this tutorial we will explain RIP routing fundamentals with examples such as

More information

Advanced SLB High Availability and Stateless SLB

Advanced SLB High Availability and Stateless SLB Advanced SLB High Availability and Stateless SLB Objectives Upon completion of this module, you will be able to: Describe Server Load Balancing (SLB) high availability Distinguish between different high

More information

SOLUTION GUIDE. Radware & CyberGuard Complete Security Solutions offering Load Balancing, High Availability and Bandwidth Management.

SOLUTION GUIDE. Radware & CyberGuard Complete Security Solutions offering Load Balancing, High Availability and Bandwidth Management. SOLUTION GUIDE Radware & CyberGuard Complete Security Solutions offering Load Balancing, High Availability and Bandwidth Management. North America Radware Inc. 575 Corporate Dr Suite 205 Mahwah, NJ 07430

More information

A. Hot-Standby mode and Active-Standby mode in High Availability

A. Hot-Standby mode and Active-Standby mode in High Availability High Availability (HA) is the feature that ensures the business continuity for your organization. IT staff can take HA as a simple solution for the disaster recovery. DrayTek utilizes the Common Address

More information

Stateful Network Address Translators (NAT) Xiaohu Xu (xuxh@huawei.com) Dean Cheng (chengd@huawei.com) IETF75, Stockholm

Stateful Network Address Translators (NAT) Xiaohu Xu (xuxh@huawei.com) Dean Cheng (chengd@huawei.com) IETF75, Stockholm Redundancy and Load-Balancing Mechanisms for Stateful Network Address Translators (NAT) draft-xu-behave-stateful-nat-standby-00 Xiaohu Xu (xuxh@huawei.com) Dean Cheng (chengd@huawei.com) www.huawei.com

More information

Clustering. Configuration Guide IPSO 6.2

Clustering. Configuration Guide IPSO 6.2 Clustering Configuration Guide IPSO 6.2 August 13, 2009 Contents Chapter 1 Chapter 2 Chapter 3 Overview of IP Clustering Example Cluster... 9 Cluster Management... 11 Cluster Terminology... 12 Clustering

More information

Load Balancing 101: Firewall Sandwiches

Load Balancing 101: Firewall Sandwiches F5 White Paper Load Balancing 101: Firewall Sandwiches There are many advantages to deploying firewalls, in particular, behind Application Delivery Controllers. This white paper will show how you can implement

More information

IP Routing Features. Contents

IP Routing Features. Contents 7 IP Routing Features Contents Overview of IP Routing.......................................... 7-3 IP Interfaces................................................ 7-3 IP Tables and Caches........................................

More information

Configuration Example

Configuration Example Configuration Example Use Public IP Addresses Behind an XTM Device Example configuration files created with WSM v11.7.2 Revised 3/22/2013 Use Case There are several reasons to use publicly routable IP

More information

High Availability Solutions & Technology for NetScreen s Security Systems

High Availability Solutions & Technology for NetScreen s Security Systems High Availability Solutions & Technology for NetScreen s Security Systems Features and Benefits A White Paper By NetScreen Technologies Inc. http://www.netscreen.com INTRODUCTION...3 RESILIENCE...3 SCALABLE

More information

Policy Based Forwarding

Policy Based Forwarding Policy Based Forwarding Tech Note PAN-OS 4.1 Revision A 2012, Palo Alto Networks, Inc. www.paloaltonetworks.com Contents Overview... 3 Security... 3 Performance... 3 Symmetric Routing... 3 Service Versus

More information

Configuring Static and Dynamic NAT Translation

Configuring Static and Dynamic NAT Translation This chapter contains the following sections: Network Address Translation Overview, page 1 Information About Static NAT, page 2 Dynamic NAT Overview, page 3 Timeout Mechanisms, page 4 NAT Inside and Outside

More information

Quick Note 53. Ethernet to W-WAN failover with logical Ethernet interface.

Quick Note 53. Ethernet to W-WAN failover with logical Ethernet interface. Quick Note 53 Ethernet to W-WAN failover with logical Ethernet interface. Digi Support August 2015 1 Contents 1 Introduction... 2 1.1 Introduction... 2 1.2 Assumptions... 3 1.3 Corrections... 3 2 Version...

More information

Load Balancing Clearswift Secure Web Gateway

Load Balancing Clearswift Secure Web Gateway Load Balancing Clearswift Secure Web Gateway Deployment Guide rev. 1.1.8 Copyright 2002 2016 Loadbalancer.org, Inc. 1 Table of Contents About this Guide...3 Loadbalancer.org Appliances Supported...3 Loadbalancer.org

More information

Networking TCP/IP routing and workload balancing

Networking TCP/IP routing and workload balancing System i Networking TCP/IP routing and workload balancing Version 5 Release 4 System i Networking TCP/IP routing and workload balancing Version 5 Release 4 Note Before using this information and the product

More information

Configuring Advanced Server Load Balancing

Configuring Advanced Server Load Balancing CHAPTER 5 This chapter describes how to configure advanced server load balancing (SLB) on the CSM and contains these sections: Configuring URL Hashing, page 5-1 Configuring Firewall Load Balancing, page

More information

Configuring Switch Ports and VLAN Interfaces for the Cisco ASA 5505 Adaptive Security Appliance

Configuring Switch Ports and VLAN Interfaces for the Cisco ASA 5505 Adaptive Security Appliance CHAPTER 5 Configuring Switch Ports and VLAN Interfaces for the Cisco ASA 5505 Adaptive Security Appliance This chapter describes how to configure the switch ports and VLAN interfaces of the ASA 5505 adaptive

More information

MikroTik RouterOS Workshop Load Balancing Best Practice. Warsaw MUM Europe 2012

MikroTik RouterOS Workshop Load Balancing Best Practice. Warsaw MUM Europe 2012 MikroTik RouterOS Workshop Load Balancing Best Practice Warsaw MUM Europe 2012 MikroTik 2012 About Me Jānis Meģis, MikroTik Jānis (Tehnical, Trainer, NOT Sales) Support & Training Engineer for almost 8

More information

Zarząd (7 osób) F inanse (13 osób) M arketing (7 osób) S przedaż (16 osób) K adry (15 osób)

Zarząd (7 osób) F inanse (13 osób) M arketing (7 osób) S przedaż (16 osób) K adry (15 osób) QUESTION NO: 8 David, your TestKing trainee, asks you about basic characteristics of switches and hubs for network connectivity. What should you tell him? A. Switches take less time to process frames than

More information

Introduction to ServerIron ADX Application Switching and Load Balancing. Module 5: Server Load Balancing (SLB) Revision 0310

Introduction to ServerIron ADX Application Switching and Load Balancing. Module 5: Server Load Balancing (SLB) Revision 0310 Introduction to ServerIron ADX Application Switching and Load Balancing Module 5: Server Load Balancing (SLB) Revision 0310 Objectives Upon completion of this module the student will be able to: Describe

More information

Cisco How To Configure InterVLAN Routing on Layer 3 Switc

Cisco How To Configure InterVLAN Routing on Layer 3 Switc Cisco How To Configure InterVLAN Routing on Layer 3 Switc Table of Contents How To Configure InterVLAN Routing on Layer 3 Switches...1 Introduction...1 Before You Begin...1 Conventions...1 Prerequisites...1

More information

axsguard Gatekeeper Internet Redundancy How To v1.2

axsguard Gatekeeper Internet Redundancy How To v1.2 axsguard Gatekeeper Internet Redundancy How To v1.2 axsguard Gatekeeper Internet Redundancy How To v1.2 Legal Notice VASCO Products VASCO data Security, Inc. and/or VASCO data Security International GmbH

More information