hi!
--On Friday, February 16, 2001 09:21:29 AM +0800 Wensong Zhang
<wensong@xxxxxxxxxxxx> wrote:
Example2: Firewall Load Balancing
                    |-- FW1 --|
Internet ----- SH --|         |-- DH -- Protected Network
                    |-- FW2 --|
Make sure that the firewall boxes are added in the load balancers in the
same order. Then, if request packets of a session are sent to a firewall,
e.g. FW1, the DH can forward the response packets from the protected network
to FW1 too. However, I don't have enough hardware to test this setup
myself. Please let me know if any of you make it work for you. :)
That really sounds interesting to me ... :))
But I guess that this setup will only work if the firewalls are really
transparent for the network traffic, i.e. both load balancers see the
same addresses in the packets, so the hash calculation based on the source IP
and destination IP will lead to the same result (= firewall box to use).
If the firewall devices aren't that transparent (consider tunneled traffic
as an option) you won't get the same src/dst addresses on the load
balancers. The SH load balancer would see the src/dst from the tunnel
traffic and the DH load balancer the encapsulated addresses
(the tunnel endpoint is on the firewall boxes). Hence the hash calculation
may lead to different results, which would be very bad indeed ...
If in addition we have to deal with encrypted tunnel traffic (which happens
to be the case with IPSEC, for example) we don't even have a chance to look
into the tunnel packets to look up the encapsulated src/dst addresses.
Any ideas on how to handle that?
best regards,
-- matt.
Cheers,
Wensong
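Wensong's SH/DH firewall setup and matt's tunnel objection, as an added Python simulation (not from either poster nor from the LVS code): it models source hashing on the outside and destination hashing on the inside with a simple multiplicative hash (assumed, modelled loosely on the LVS scheduler hash, not its code) over constructed RFC 5737 addresses, and shows the same firewall being chosen while both balancers see the client address, but a different one once the outer tunnel endpoints replace it on the SH side.

```python
from ipaddress import IPv4Address

# Both load balancers list the firewalls in the same order (the post's requirement).
FIREWALLS = ["FW1", "FW2"]
TAB_MASK = (1 << 8) - 1  # 256-slot hash table (assumed size)

def hash_key(addr: str) -> int:
    # Multiplicative hash of the 32-bit IPv4 address into a table slot.
    # Assumed for this simulation (modelled loosely on LVS, not its code).
    return (int(IPv4Address(addr)) * 2654435761) & TAB_MASK

def pick(addr: str) -> str:
    # The table is filled round-robin with the firewalls in the order they were
    # added, so slot k belongs to FIREWALLS[k % len(FIREWALLS)].
    return FIREWALLS[hash_key(addr) % len(FIREWALLS)]

def sh_choice(src: str, dst: str) -> str:
    # SH (source hashing) on the Internet side keys on the source address.
    return pick(src)

def dh_choice(src: str, dst: str) -> str:
    # DH (destination hashing) on the protected side keys on the destination.
    return pick(dst)

def path_consistent(request: tuple, response: tuple) -> bool:
    # Same firewall for the request (SH) and for the reply (DH)?
    return sh_choice(*request) == dh_choice(*response)

# Constructed RFC 5737 documentation addresses.
CLIENT, SERVER = "203.0.113.10", "192.0.2.80"
REMOTE_GW, LOCAL_GW = "198.51.100.7", "192.0.2.1"  # tunnel endpoints

def transparent_case() -> bool:
    # Firewalls pass packets unchanged: SH hashes the client as source, DH
    # hashes the same client as destination of the reply.
    return path_consistent((CLIENT, SERVER), (SERVER, CLIENT))

def tunnel_case() -> bool:
    # The tunnel terminates on the firewall: SH sees only the outer gateway
    # addresses (with IPsec ESP the inner header is encrypted anyway), while
    # DH sees the decapsulated reply addressed to the real client.
    return path_consistent((REMOTE_GW, LOCAL_GW), (SERVER, CLIENT))

if __name__ == "__main__":
    print("transparent:", transparent_case(), "tunnel:", tunnel_case())
```

With two firewalls this hash reduces to the parity of the last octet, so any pair of addresses with different parity (here the client and the remote gateway) reproduces the mismatch matt describes.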