Technical data
ServerIron ADX Firewall Load Balancing Guide 171
53-1002436-01
The <num> parameter specifies the maximum number of retries and can be a number from 3
through 31. The default is 3.
Disabling Layer 4 path health checks on individual firewalls and application ports
To disable the Layer 4 health check for an individual application on an individual firewall, enter a
command such as the following at the firewall configuration level of the CLI.
ServerIronADX(config-rs-FW1)# port http no-health-check
The command in this example disables Layer 4 health checks for port HTTP on firewall FW1.
Syntax: [no] no-health-check
FWLB selection algorithms
The following section describes selection algorithms for FWLB.
Hashing based on destination TCP or UDP application port
The ServerIron ADX uses a hash value based on the source and destination IP addresses in a
packet to select a path, and thus a firewall, for the packet. After calculating this hash value for a
given source-and-destination pair, the ServerIron ADX always uses the same path and firewall for
packets containing that source-and-destination pair.
NOTE
If hash-port is configured, hashing includes both source-port and destination-port.
You can configure the ServerIron ADX to also hash based on TCP or UDP port numbers. This is
useful in environments where the same source-and-destination pairs generate a lot of traffic and
you want to load balance the traffic across more than one firewall.
For example, if you configure the ServerIron ADX to hash based on TCP ports 69 (TFTP) and 80
(HTTP), the ServerIron ADX hashes packets addressed to one of these ports by calculating a hash
value based on the source and destination IP addresses and the TCP port number (69 or 80). Since
the TCP port numbers are included in the hash calculations for these packets, the calculations can
result in packets for port 80 receiving a different hash value (and thus possibly a different path and
firewall) than packets for port 69, even though the source and destination IP addresses are the
same.
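The following Python model is an added example, not code from the guide or from the ServerIron ADX. It shows how adding port numbers to the hash key spreads one busy source-and-destination pair across several firewalls, while each individual flow still maps to a single firewall. The firewall names, addresses, and the use of SHA-256 as the hash are assumptions; the device's actual hash function is not given on this page.

```python
import hashlib
import ipaddress

FIREWALLS = ["FW1", "FW2", "FW3", "FW4"]  # constructed firewall names
HASH_PORTS = {69, 80}                     # application ports from the example above


def select_firewall(src, dst, sport, dport, hash_ports=frozenset()):
    """Pick a firewall for one packet.

    The key always holds the source and destination IP addresses. If the
    packet is addressed to a port in hash_ports, the source and destination
    port numbers are appended to the key as well.
    """
    key = ipaddress.ip_address(src).packed + ipaddress.ip_address(dst).packed
    if dport in hash_ports:
        key += sport.to_bytes(2, "big") + dport.to_bytes(2, "big")
    # Assumption: SHA-256 stands in for the device's undocumented hash.
    digest = hashlib.sha256(key).digest()
    return FIREWALLS[int.from_bytes(digest[:4], "big") % len(FIREWALLS)]


def spread(flows, hash_ports=frozenset()):
    """Return {firewall: flow count} for (src, dst, sport, dport) tuples."""
    counts = {}
    for flow in flows:
        fw = select_firewall(*flow, hash_ports=hash_ports)
        counts[fw] = counts.get(fw, 0) + 1
    return counts


# Constructed sample: one client/server pair opening 200 HTTP connections.
SAMPLE_FLOWS = [("10.1.1.10", "192.0.2.80", 40000 + i, 80) for i in range(200)]

if __name__ == "__main__":
    print("IP-only hashing:", spread(SAMPLE_FLOWS))
    print("with hash-port :", spread(SAMPLE_FLOWS, HASH_PORTS))
```

With IP-only hashing every connection in the sample lands on one firewall; with ports 69 and 80 in the hash, the same connections are distributed, but repeated packets of any single connection keep selecting the same firewall.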
NOTE
The current release supports stateful FWLB only for TCP/UDP applications that do not require
multiple simultaneous connections for the same client to the same firewall. For example, you cannot
use stateful FWLB for FTP, because this application requires separate simultaneous control and
data connections to the firewall. The CLI allows you to specify FTP or any other port, but you might
not receive the desired results if the application uses multiple simultaneous connections to the
same firewall.










