
Load Balancing Servers, Firewalls and Caches - Kopparapu C.

Kopparapu C. Load Balancing Servers, Firewalls and Caches - Wiley Computer Publishing, 2002. - 123 p.
ISBN 0-471-41550-2

Now, let’s examine how the outside and inside load balancers process the request and reply traffic flows and exactly what action each one performs.
At a more detailed level, traffic flowing through each load balancer can be classified into four types, as shown in Figure 6.4. The load balancer takes a different action depending on the traffic type:
Figure 6.4: Request and reply flows in firewall load balancing.
Request packets originating from outside network. Load balancer 1 selects a firewall based on a load-distribution method. Once the packets are forwarded by the firewalls, load balancer 2 simply forwards these packets.
Reply packets from inside network to outside. Load balancer 2 must send these packets to the same firewall that processed the associated request packets. Because firewalls perform stateful inspection, only the firewall that processed the request packet can, and must, also process the corresponding reply packet. Once these packets are forwarded by firewalls, load balancer 1 simply forwards them.
Request packets originating from inside network. Load balancer 2 selects a firewall based on a load-distribution method. Once the firewalls forward these packets, load balancer 1 simply forwards them.
Reply packets from outside network to inside network. Load balancer 1 must send these packets to the same firewall that processed the associated request packets. Once the firewall forwards these packets, load balancer 2 forwards them onward again.
Load-Distribution Methods
The load-distribution method and the mechanism to ensure session persistence are highly related to one another. Let’s now discuss the different load-distribution methods. Just as in server load balancing, the load-distribution method can be stateful or stateless.
Stateless Load Balancing
In stateless load balancing, the load balancer simply performs a hash operation on selected fields in the packets. At a minimum, the fields must include the source or destination IP addresses in the packets and optionally the TCP or UDP port numbers. Whether you can choose the fields for inclusion in the hash method depends on the specific load-balancer product.
If we choose the source IP and destination IP for hashing, both load balancers use the IP address fields from each packet and determine the firewall based on the hash value, as shown in Figure 6.5. With this approach, all traffic between a given pair of IP addresses—IP1 and IP2, for example—goes through the same firewall. This method ensures both persistence and load balancing at the same time because both load balancers use the exact same IP addresses for hashing.
Figure 6.5: Stateless load balancing.
Figure labels: A group of firewalls is "sandwiched" between two load balancers. For all request and reply packets flowing from IP1 to IP2, load balancer 1 uses IP1 and IP2 for the hash and selects firewall 2. For all request and reply packets flowing from IP2 to IP1, load balancer 2 uses IP1 and IP2 for the hash and selects firewall 2.
It’s important that both load balancers 1 and 2 be configured with exactly the same hash method to ensure session persistence. That means that if we configure load balancer 1 to hash on source IP and source port, and configure load balancer 2 to hash on source IP and destination IP, session persistence will break completely.
In this particular example, shown in Figure 6.5, all traffic between a given pair of IP addresses will flow through the same firewall because the hashing method does not use TCP or UDP port numbers. We can get more granular load distribution if the load balancer can use the port numbers as part of the hash. But one must be careful to ensure that the load balancer has special functionality built in to provide session persistence for protocols like FTP, where the data and control connections use different port numbers, but they must be sent to the same firewall in order to allow stateful inspection.
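The effect of matched and mismatched hash configurations can be checked with a short simulation. This is an added example, not code from the book: the packet dictionaries, the SHA-256-based hash, the sorting of the address pair to make the hash direction-independent, and all addresses and ports are assumptions constructed for illustration.

```python
import hashlib
from ipaddress import ip_address

FIREWALLS = 4  # constructed: number of firewalls between the two load balancers

def _index(*fields):
    """Stable hash of the selected packet fields, reduced to a firewall index."""
    digest = hashlib.sha256("|".join(map(str, fields)).encode()).digest()
    return int.from_bytes(digest[:4], "big") % FIREWALLS

def hash_ip_pair(pkt):
    # Assumption: sort the two addresses so a request (A->B) and its
    # reply (B->A) feed identical input to the hash.
    a, b = sorted((pkt["src"], pkt["dst"]), key=ip_address)
    return _index(a, b)

def hash_src_ip_src_port(pkt):
    return _index(pkt["src"], pkt["sport"])

def hash_src_ip_dst_ip(pkt):
    # Direction-sensitive: field order follows the packet, not the session.
    return _index(pkt["src"], pkt["dst"])

def reply_of(pkt):
    """Swap addresses and ports, as the reply packet would carry them."""
    return {"src": pkt["dst"], "dst": pkt["src"],
            "sport": pkt["dport"], "dport": pkt["sport"]}

def broken_sessions(lb1_hash, lb2_hash, requests):
    """Sessions whose reply (placed by LB2) misses the firewall LB1 chose."""
    return sum(lb1_hash(r) != lb2_hash(reply_of(r)) for r in requests)

# Constructed sample: 200 outside clients opening HTTPS sessions to one server.
REQUESTS = [{"src": f"198.51.100.{i}", "dst": "192.0.2.10",
             "sport": 40000 + i, "dport": 443} for i in range(1, 201)]

# Constructed FTP session: control and data connections share the IP pair
# but use different ports, so only a port-free hash is guaranteed to keep
# them on one firewall.
FTP_CONTROL = {"src": "198.51.100.7", "dst": "192.0.2.10", "sport": 40007, "dport": 21}
FTP_DATA = {"src": "192.0.2.10", "dst": "198.51.100.7", "sport": 20, "dport": 40008}

if __name__ == "__main__":
    print("matched config, broken:", broken_sessions(hash_ip_pair, hash_ip_pair, REQUESTS))
    print("mismatched config, broken:",
          broken_sessions(hash_src_ip_src_port, hash_src_ip_dst_ip, REQUESTS))
    print("FTP control/data same firewall:",
          hash_ip_pair(FTP_CONTROL) == hash_ip_pair(FTP_DATA))
```

A nonzero count in the mismatched case means replies arrive at a firewall that holds no state for the session, which a stateful firewall will drop.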
Stateless load balancing provides simple load distribution and ensures session persistence by using the same hash method in both the load balancers. However, stateless load balancing cannot provide as granular a load distribution as stateful load balancing. Further, when a firewall fails, stateless load balancing may disrupt traffic through all firewalls. Let’s consider an example where we need to load balance four firewalls with stateless load balancing. If the load balancer performs simple hashing, as discussed in Chapter 2, the load balancer must recompute the hash for all packets to a value between 1 and 3 when a firewall fails. This results in all existing sessions being redistributed among the three available firewalls. This not only causes the traffic going to firewall 4 to be redistributed, but also affects all sessions going to the firewalls that are perfectly fine. Using the hash buckets method, as discussed in Chapter 2, will help solve this problem and leave the traffic on other firewalls untouched.
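The four-firewall failure scenario above can be reproduced in a few lines. This is an added example, not code from the book: Chapter 2 is not part of this page, so the bucket scheme shown (a fixed table of 256 buckets, with only the failed firewall's buckets reassigned) is an assumed, common form of the technique, and the firewall names and session addresses are constructed.

```python
import hashlib

def field_hash(src, dst):
    # Same input for both directions: hash the sorted address pair.
    a, b = sorted((src, dst))
    return int.from_bytes(hashlib.sha256(f"{a}|{b}".encode()).digest()[:4], "big")

def simple_pick(src, dst, live):
    """Simple hashing: reduce the hash modulo the number of live firewalls."""
    return live[field_hash(src, dst) % len(live)]

class BucketTable:
    """Assumed bucket scheme: a fixed table of buckets, each owned by a firewall."""
    def __init__(self, firewalls, buckets=256):
        self.table = [firewalls[i % len(firewalls)] for i in range(buckets)]

    def pick(self, src, dst):
        return self.table[field_hash(src, dst) % len(self.table)]

    def fail(self, dead):
        # Hand only the dead firewall's buckets to the survivors, round-robin.
        live = sorted(set(self.table) - {dead})
        orphaned = [i for i, fw in enumerate(self.table) if fw == dead]
        for n, i in enumerate(orphaned):
            self.table[i] = live[n % len(live)]

def moved_healthy(before, after, dead):
    """Sessions that sat on a healthy firewall yet changed firewall anyway."""
    return sum(1 for s, fw in before.items() if fw != dead and after[s] != fw)

def compare(sessions, firewalls=("fw1", "fw2", "fw3", "fw4"), dead="fw4"):
    live = [fw for fw in firewalls if fw != dead]
    simple_before = {s: simple_pick(*s, firewalls) for s in sessions}
    simple_after = {s: simple_pick(*s, live) for s in sessions}
    table = BucketTable(firewalls)
    bucket_before = {s: table.pick(*s) for s in sessions}
    table.fail(dead)
    bucket_after = {s: table.pick(*s) for s in sessions}
    return {"simple_moved": moved_healthy(simple_before, simple_after, dead),
            "bucket_moved": moved_healthy(bucket_before, bucket_after, dead),
            "left_on_dead": sum(fw == dead for fw in bucket_after.values())}

# Constructed sample: 400 sessions between 40 clients and 10 servers.
SESSIONS = [(f"198.51.100.{i}", f"192.0.2.{j}")
            for i in range(1, 41) for j in range(1, 11)]

if __name__ == "__main__":
    print(compare(SESSIONS))
```

Both load balancers must apply the same bucket reassignment after the failure, otherwise the persistence problem from the mismatched-hash case reappears.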