Load balancing of PIX firewalls with multiple DMZs

I need a suggestion about how to balance the traffic through two PIX firewalls with 4 interfaces (IN, OUT, DMZ1, DMZ2).
In all the documentation related to the subject, I always see the firewalls with only two interfaces:
http://www.cisco.com/warp/customer/117/fw_load_balancing.html
http://www.cisco.com/univercd/cc/td/doc/product/webscale/css/advcfggd/firewall.htm
What if I need to balance on more than 2 interfaces?
Do I have to add more content switches, one for each interface?
Or could I use VLANs inside the same content switches, and assign the ports to DMZs appropriately?
Thank you in advance for any help.

We just had some internal discussions about that at my work, and the suggestion from a local Cisco specialist was, if you want to leverage load balancing over multiple DMZs, then you get the CSS blades for the 65xx's. Right now we have multiple CSS and LD failover pairs (one pair for each DMZ) and it is starting to become expensive, while we aren't really utilizing the full capacity of them. If you get the blades, they have Gigabit traces to the backplane of the switch, and you can use them for as many ports as you have on the 6500.
Then again, it depends on whether physical security is essential to you, and whether you are concerned with L2 attacks (VLAN hopping, etc.). There are tradeoffs and benefits when using a consolidated infrastructure.

Similar Messages

  • Load balancing on an application with multi-ports

    One of our applications opens 5 ports and 4 other management ports. The ports cannot be ranged.
    To load balance this, I did the following:
    make separate content rules for every port, and all of them use ACA.
    Please advise me:
    1. How can I group all the ports into one content rule?
    2. Does one rule per port mean the balancing is only based on that specific port?
    3. Can I balance the load between ports?
    4. For the administrator ports, what is the better balancing method?
    Any comments will be appreciated.
    Thanks in advance

    Gilles,
    What will be the best keepalive on the services to use in this case?
    I have had a problem where I tried the same setup you have suggested above, but what happens is I get a black hole if the service port(s) goes down on one of the servers.
    At the beginning, I used the default ICMP keepalive and then tried the port xx keepalive, but because the servers have multiple ports, if the port that is not monitored by the keepalive goes down, the content rule still thinks that the service is up, and this is where I get a black hole. To get around the problem I have created multiple services (one for each port) and configured the corresponding keepalive.
    1. Is there a better way of doing it, i.e. a script?
    2. Is there any documentation on the Cisco website on how to use the scripting tools on the CSS?
    Thanks again,
    Ben

  • App.server load balancing for SAP System with 1 PS

    Hi,
    In SAP CPS 7.0 (Build M26.12) I have a SAP system with a Central Instance + 10 app servers, but all instances are managed by 1 ProcessServer.
    After activating the "App.server load balancing" setting in the SAP system definition, the application servers become visible in CPS with their load factors (number of BGD wp's on the app servers) and load numbers (number of active jobs on the app servers).
    This is so far fine, but the additional functionality is not working as I would expect; I have issues with 2 functionalities:
    1. Based on the documentation, after also activating the XAL connection, CPS should submit the job on the app server with the best performance based on XAL monitoring data, filling the TARGET_SERVER parameter.
    This functionality is not working for me at all.
    2. A useful functionality after activating the "App.server load balancing" setting is that the ProcessServer goes to "Overloaded" status when all BGD wp's of the SAP system are occupied, thus restricting submission of new jobs during an overload situation. But I had an issue with this functionality as well: after the SAP system recovered from the overload situation, CPS still remained in Overloaded status (so no new jobs were submitted).
    As a workaround I increased the threshold values for loads on all app servers for this SAP system, which was fine for several days, but after a while I believe this was the reason for unexpected performance issues in CPS, therefore I have deactivated the "App.server load balancing" setting altogether for this ProcessServer.
    I would appreciate your feedback on this functionality.
    Thanks and Regards,
    Ernest Liczki

    Hi Preetish,
    This connect string option is to loadbalance RFC connections. These are balanced upon login, once you are connected to a particular application server (AS) you stay on that server until you reconnect.
    Since CPS uses multiple RFC connections, this will result in the connections being distributed over the available AS resources, which is fine as long as they are generally evenly loaded. If you have certain AS hosts that are continuously more loaded than the rest, then you probably don't want the CPS RFC connections to end up on these servers.
    The original question is about load balancing of batch jobs over the available AS resources, and this is done independently of the RFC connection load balancing. Even if all CPS RFC connections are pinned to the DB/CI host, you can still load balance jobs over the available SAP AS hosts, either by using SAP's built-in balancing, or the CPS algorithm by activating the checkbox as indicated in the first entry in this thread.
    Finally, to reply to Ernest's question: I believe there are some fixes on the app load balancing in the latest release, M26.17 should be available on the SWDC now.
    Regards,
    Anton.
    Edited by: Anton Goselink on May 29, 2009 9:06 PM

  • Load Balancing proxy based firewalls

    I need to load balance HTTP and SSL traffic through proxy-based firewalls (Gauntlet) to a server farm. I've been told I can't use the usual paths through the firewalls but need to load balance the firewalls as if they were servers, which would then proxy the session to the internal content switch, which will load balance to the servers.
    Any ideas if this will work or how to do it? I need to keep the SSL sessions sticky as well.

    Could you clarify what you mean by proxy firewall?
    Is it just a proxy server with some filtering feature?
    If so, what was suggested to you is correct.
    You define your proxy servers as services and then you simply configure a content rule for 8080 or 80 (whatever your proxy listens on) and another content rule for port 443 SSL (or whatever port your proxy is set up for).
    If the proxy is set up to use its own IP address to request HTML data, the responses will always come back to the right proxy. No need for the firewall load balancing feature.
    An example is this:
    service proxyfw1
      ip address x.x.x.x1
      active
    service proxyfw2
      ip address x.x.x.x2
      active
    owner mycompany
      content HTTPproxy
        vip address x.x.x.x
        add service proxyfw1
        add service proxyfw2
        protocol tcp
        port 8080
        active
      content SSLproxy
        vip address x.x.x.x
        add service proxyfw1
        add service proxyfw2
        protocol tcp
        port 443
        application ssl
        advanced-balance ssl
        active
    Then you set up your browser to point to proxy address x.x.x.x port 8080 for HTTP and 443 for SSL.
    Gilles.

  • How to use the Load Balancer Plug-in to serve multiple domains

    In SJSAS 8.1 SE/EE the asadmin commands that create and maintain a load balancer configuration operate within a domain. When the load balancer configuration is exported, an XML file is created that contains all the information for that domain. To make the load balancer plug-in balance the load for multiple domains, the loadbalancer.xml files can be manually merged to contain the data that is exported from each domain's load balancer configuration.
    For example, 2 domains are created, both having a load balancing configuration. After exporting both configurations using the asadmin export-http-lb-config command, the user would then cut and paste the cluster information into the single loadbalancer.xml file that resides under the web server's config directory.
    An example of the manually merged loadbalancer.xml file follows:
    <?xml version="1.0" encoding="UTF-8"?>
    <loadbalancer>
      <cluster name="domain1">
        <instance disable-timeout-in-minutes="30" enabled="true" listeners="http://localhost:1026 https://localhost:38181" name="i1"/>
        <instance disable-timeout-in-minutes="30" enabled="true" listeners="http://localhost:1027 https://localhost:38182" name="i2"/>
        <web-module context-root="ab" disable-timeout-in-minutes="30" enabled="true"/>
        <health-checker interval-in-seconds="5" timeout-in-seconds="60" url="/"/>
      </cluster>
      <cluster name="domain2">
        <instance disable-timeout-in-minutes="30" enabled="true" listeners="http://localhost:1029 https://localhost:38189" name="i3"/>
        <instance disable-timeout-in-minutes="30" enabled="true" listeners="http://localhost:1030 https://localhost:38188" name="i4"/>
        <web-module context-root="webservice" disable-timeout-in-minutes="30" enabled="true"/>
        <health-checker interval-in-seconds="5" timeout-in-seconds="60" url="/"/>
      </cluster>
      <property name="response-timeout-in-seconds" value="60"/>
      <property name="reload-poll-interval-in-seconds" value="5"/>
      <property name="https-routing" value="false"/>
      <property name="require-monitor-data" value="false"/>
      <property name="route-cookie-enabled" value="true"/>
    </loadbalancer>
    Hope this helps - Mark

    Mark, be my savior. I work for Sun as a subcontractor at a client site, the only one at the site, so I depend on this forum for solutions.
    I am still having trouble failing over to the second instance. I have two Access Managers behind this load balancer.
    Here is what I saw:
    **************LOGS**********************
    [20/Jun/2005:14:22:47] failure (15102): for host 128.114.65.13 trying to GET /amconsole/base/AMAdminFrame, service-passthrough reports: timed out waiting for request body
    [20/Jun/2005:14:22:47] warning (15102): reports: lb.runtime: ROUT1014: Non-idempotent request /amconsole/base/AMAdminFrame cannot be retried.
    So I went and updated the loadbalancer.xml (see at the end of the message). Now I get a different kind of problem:
    **************LOGS******************************
    [20/Jun/2005:15:25:18] failure (15295): for host 128.114.65.13 trying to GET /amconsole/base/AMAdminFrame, service-passthrough reports: timed out waiting for request body
    [20/Jun/2005:15:25:18] info (15295): reports: lb.runtime: RNTM3003 : Error servicing the request : NoVal
    Here is my loadbalancer.xml file:
    <loadbalancer>
      <cluster name="cluster1">
        <instance name="instance1" enabled="true" disable-timeout-in-minutes="1" listeners="http://idm-test-1.ucsc.edu:80"/>
        <instance name="instance2" enabled="true" disable-timeout-in-minutes="1" listeners="http://idm-test-2.ucsc.edu:80"/>
        <web-module context-root="amconsole" disable-timeout-in-minutes="1" enabled="true" error-url="sun-http-lberror.html">
          <idempotent-url-pattern url-pattern="/*" no-of-retries="3"/>
        </web-module>
        <web-module context-root="amserver" disable-timeout-in-minutes="1" enabled="true" error-url="sun-http-lberror.html">
          <idempotent-url-pattern url-pattern="/*" no-of-retries="3"/>
        </web-module>
        <web-module context-root="ampassword" disable-timeout-in-minutes="1" enabled="true" error-url="sun-http-lberror.html"/>
        <web-module context-root="amcommon" disable-timeout-in-minutes="1" enabled="true" error-url="sun-http-lberror.html">
          <idempotent-url-pattern url-pattern="/*" no-of-retries="3"/>
        </web-module>
        <health-checker url="/" interval-in-seconds="15" timeout-in-seconds="2"/>
      </cluster>
      <property name="reload-poll-interval-in-seconds" value="60"/>
      <property name="response-timeout-in-seconds" value="30"/>
      <property name="https-routing" value="false"/>
      <property name="require-monitor-data" value="true"/>
      <property name="active-healthcheck-enabled" value="true"/>
      <property name="number-healthcheck-retries" value="3"/>
      <property name="route-cookie-enabled" value="true"/>
    </loadbalancer>
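Mark's merge procedure above and the follow-up poster's `idempotent-url-pattern` entries can both be handled programmatically. The script below is an added example, not code from either post or from Sun: it merges the `<cluster>` elements of several exported loadbalancer.xml files into one document (rejecting duplicate cluster names or context roots, and reporting global `<property>` values that the exports disagree on), then lists web-modules whose retry pattern is the catch-all `/*`. The two sample exports are constructed for the demo and trimmed to the elements the merge touches; the reading that the plug-in retries any request matching an idempotent-url-pattern, POSTs included, is an assumption from the attribute's name and the ROUT1014 message above.

```python
"""Merge exported SJSAS loadbalancer.xml files and audit the result."""
import xml.etree.ElementTree as ET

# Constructed sample exports, trimmed to the elements the merge touches.
DOMAIN1_XML = """<?xml version="1.0" encoding="UTF-8"?>
<loadbalancer>
  <cluster name="domain1">
    <instance name="i1" enabled="true" disable-timeout-in-minutes="30"
              listeners="http://localhost:1026 https://localhost:38181"/>
    <web-module context-root="ab" enabled="true" disable-timeout-in-minutes="30"/>
    <health-checker url="/" interval-in-seconds="5" timeout-in-seconds="60"/>
  </cluster>
  <property name="response-timeout-in-seconds" value="60"/>
  <property name="https-routing" value="false"/>
</loadbalancer>"""

DOMAIN2_XML = """<?xml version="1.0" encoding="UTF-8"?>
<loadbalancer>
  <cluster name="domain2">
    <instance name="i3" enabled="true" disable-timeout-in-minutes="30"
              listeners="http://localhost:1029 https://localhost:38189"/>
    <web-module context-root="webservice" enabled="true" disable-timeout-in-minutes="30">
      <idempotent-url-pattern url-pattern="/*" no-of-retries="3"/>
    </web-module>
    <health-checker url="/" interval-in-seconds="5" timeout-in-seconds="60"/>
  </cluster>
  <property name="response-timeout-in-seconds" value="30"/>
  <property name="https-routing" value="false"/>
</loadbalancer>"""


def merge_lb_configs(xml_docs):
    """Combine the <cluster> elements of several exports into one tree.

    Global <property> values come from the first export; a later export
    that sets the same property differently is returned as a conflict,
    since the merged file carries one property set for all clusters.
    """
    merged = ET.Element("loadbalancer")
    seen_clusters, seen_roots, props, conflicts = set(), set(), {}, []
    for doc in xml_docs:
        root = ET.fromstring(doc)
        for cluster in root.findall("cluster"):
            name = cluster.get("name")
            if name in seen_clusters:
                raise ValueError(f"duplicate cluster name {name!r}")
            seen_clusters.add(name)
            for wm in cluster.findall("web-module"):
                cr = wm.get("context-root")
                if cr in seen_roots:  # one context root, one cluster
                    raise ValueError(f"context-root {cr!r} defined twice")
                seen_roots.add(cr)
            merged.append(cluster)
        for prop in root.findall("property"):
            name, value = prop.get("name"), prop.get("value")
            if name not in props:
                props[name] = value
                merged.append(prop)
            elif props[name] != value:
                conflicts.append((name, props[name], value))
    return merged, conflicts


def audit_retries(merged):
    """Return (cluster, context-root) pairs whose idempotent-url-pattern
    is the catch-all "/*" with retries enabled: every request under that
    module, POSTs included, becomes retryable on another instance
    (assumption about plug-in behaviour, see lead-in)."""
    findings = []
    for cluster in merged.findall("cluster"):
        for wm in cluster.findall("web-module"):
            for pat in wm.findall("idempotent-url-pattern"):
                if pat.get("url-pattern") == "/*" and int(pat.get("no-of-retries", "0")) > 0:
                    findings.append((cluster.get("name"), wm.get("context-root")))
    return findings


if __name__ == "__main__":
    tree, conflicts = merge_lb_configs([DOMAIN1_XML, DOMAIN2_XML])
    print(ET.tostring(tree, encoding="unicode"))
    print("property conflicts:", conflicts, "catch-all retries:", audit_retries(tree))
```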

  • Oracle Applications 11i Load Balancing does not work with RAC one Node

    Hi all,
    Could you help me to resolve this issue?
    The architecture environment is:
    - One APPS tier node
    - Two-node Oracle Database Appliance (primary node 1 holds INSTANCE_1 and the secondary node is configured to hold INSTANCE_2), i.e. RAC One Node.
    - The primary node has instance_name SIGM_1 and the secondary node has instance_name SIGM_2, but in RAC One Node the secondary instance is not alive.
    We converted our EBS 11i environment to RAC following the note Using Oracle 11g Release 2 Real Application Clusters with Oracle E-Business Suite Release 11i [ID 823586.1].
    When testing database failover, Oracle Applications 11i load balancing does not work anymore.
    The root cause is that, when the primary node of the RAC One Node is down, INSTANCE_NAME_1 is automatically relocated to the surviving node.
    During the failover test, we imagined that when the primary node goes down, the secondary node starts or relocates the database with instance_name SIGM_2, and in that case the Oracle Applications load balancing works.
    Currently, when the primary node goes down, the instance_name SIGM_1 is relocated on the secondary node, which causes failure of Oracle Applications load balancing.
    Thank you for your advice.
    Moussa

    This is something I observed a long time ago for Safari (i.e. around version 1). I'm not sure this is Safari, per se, but OpenSSL that is responsible for the behavior. I'm pretty sure Chrome does this and I've seen some Linux browsers do it.
    What I have done at the last two companies I've worked for is recommend that our clients do not use the SSL Session ID as the way of tracking sticky sessions on web servers, but instead use the IP address. This works in nearly all cases and has few downsides. The other solution is to use some sort of session sharing on your web servers to mitigate the issue (which also means that your web servers aren't a point of failure for your users' sessions). (One of the products I supported had no session information stored on the web servers, so we could safely round-robin requests; the other product could be implemented with a Session State Server... but in most cases we just used the IP address to load balance with.) The other solution is to configure your load balancer to terminate the SSL tunnel. You get some other benefits from this, such as allowing your load balancer to reduce the number of actual connections to the web servers. I've seen many devices set up this way.
    One thing to consider through this is that, due to the way internet standards work, this really can't be termed a bug on anyone's part. There is no guarantee in the SSL/TLS standards that a client will return the same SSL Session ID for each request, and there is no requirement that subsequent requests will even use the same tunnel. Remember, HTTP is a stateless protocol. Each request is considered a new request by the web server and everything else is just trickery to try and get it to work the way you want. You can be annoyed at Safari's behavior, but it's been this way for over 5 years by my count, so I don't expect it to change.

  • Load balancing Reports Services 10g with WebCache?

    Hi Guys
    Does anybody have any good ideas on how to load balance Oracle Reports Services?
    Can I do it with WebCache as with Forms Services?
    /Jacob :)

    My Java application resides on a different server (WebLogic) from the Oracle Application Server (which has the report server). I do a browser redirect from my Java application to a URL of OAS. I have hard-coded the Oracle Application Server and report server name in one of my config files on my Java WebLogic server.
    In the above URL, servername:7770 is the Oracle Application Server. I would not have a problem with this since this will be the name of the cluster.
    But the problem is server=<report server>. The report server which will pick up my request will be identified only after the browser has redirected to the URL. So I cannot hard-code it in my Java application.
    Can I just remove server=<report server name> when generating the URL from my Java application when I need to run the report server in a clustered load balancing environment?
    Sorry if my earlier post was confusing.

  • Load Balancing Forms and Reports with Web Cache

    We are planning to add a second OracleAS 10g middle-tier application server to an existing 10g middle-tier.
    Both middle tiers will provide Forms and Reports.
    Users must pass through two static HTML pages before starting Forms.
    We plan to use Web Cache to load-balance (probably using round-robin) between the two middle-tiers.
    Does anyone see any problems with this solution?
    All comments/suggestions welcome.
    Thanks,
    Jim

    You could also load balance the two OC4Js using standard servlet mechanisms. I know that there exist a couple of good notes on Metalink. Go and do a search.
    Regards,
    Martin Malmstrom

  • Sticky load balancing across 2 ports with cookies

    Hi,
    I have a server configuration where I have 1 top-level Apache server that deals with SSL termination (and handles static content) and proxy-passes dynamic content onto 2 Tomcat servers on 2 ports, one for HTTP requests (9001) and one for the requests that were secure but have now been decrypted by Apache (9002). My 2 Tomcat servers are load balanced using a CSS and I need this load balancing to stick to the Tomcat servers regardless of port, so that the user is stuck to the same Tomcat server for their entire session.
    I would like to use ArrowPoint cookies to perform this stickiness, but the documentation suggests that ArrowPoint cookie load balancing (in fact any cookie-based load balancing) requires the port to be specified in the content rule. Is this correct? Is my only option to use the source IP for stickiness? I don't understand why the port should be required if the stickiness is via a cookie. Can I not simply configure my 2 Tomcat servers as services with no port and add a single content rule that load balances these services using arrowpoint-cookie advanced balancing?
    service tomcat1
      ip address x.x.x.x
      active
    service tomcat2
      ip address x.x.x.x
      active
    owner me
      content sticky
        vip address x.x.x.x
        protocol tcp
        url "/*"
        add service tomcat1
        add service tomcat2
        advanced-balance arrowpoint-cookie
        active

    Angela-
    The issue with the port is that cookies are very specifically HTTP only, and the CSS has no way of knowing what protocol will hit a VIP prior to trying to address it as HTTP. Your issue is actually a bit clearer than it is initially made out to be: you can still use 2 different rules by using the configuration below.
    However, you might be headed for a headache if you don't implicitly control the client's actions. By default, browsers don't generally send cookies cross-protocol and definitely not cross-domain. Use something like HttpWatch or IEWatch to check out the headers your client sends to your site. Make sure that when the 200 OK arrives with the Set-Cookie, the client sends that cookie in all preceding packets, both HTTP and HTTPS.
    service tomcat1
      string "tomcat1"
      ip address x.x.x.x
      active
    service tomcat2
      string "tomcat2"
      ip address x.x.x.x
      active
    owner me
      content sticky9001
        vip address x.x.x.x
        protocol tcp
        url "/*"
        port 9001
        add service tomcat1
        add service tomcat2
        advanced-balance arrowpoint-cookie
        active
      content sticky9002
        vip address x.x.x.x
        protocol tcp
        url "/*"
        port 9002
        add service tomcat1
        add service tomcat2
        advanced-balance arrowpoint-cookie
        active
    With this configuration, the CSS will use the "string" as the cookie value. So if the client were to receive Set-Cookie: ArrowpointCookie=tomcat1, it should use it for either rule, and end up on tomcat1 when accessing either VIP.
    Regards,
    Chris

  • Load-balancing inbound sftp connections with ACE

    Hi,
    Can anyone share experiences or any info relating to issues that might be encountered when load balancing the SFTP protocol?
    The goal is to distribute inbound file deposits evenly across SFTP servers.
    High-level Overview
    Clients -> Internet -> Tier-1 Firewall -> ACE Load-balancer -> SFTP Servers
    Many Thanks

    SFTP is nothing but SSH. It uses a single connection. There are no issues load balancing it using traditional Layer 4 load balancing.
    So you are good.
    On the other hand, FTP over SSL (FTPS) can neither be offloaded nor load balanced using ACE.
    FTPS uses multiple channels, and since the control channel is encrypted, ACE is not able to get the port numbers for the data connections.
    HTH
    Syed Iftekhar Ahmed

  • Server load balancing for application access using multiple servers

    1. What are the methods supported by Cisco switches for load balancing?
    2. I want users to access 1 particular IP from different locations, but physically have a few servers which handle the application and data.

    Well, some servers allow you to install routing protocols on them. You could OSPF some links together.
    Or you could use NLB if it is a Microsoft server. This uses a heartbeat network, a virtual MAC and an IP address bound to the vMAC.
    You could use NIC teaming. Broadcom NICs on Dell servers allow you to configure them for load balancing, failover and a few other options.
    Or if the servers are mirrored using MSCS or something similar (i.e. configured the same but independent) you could just load balance using DNS.
    Hope this helps. Just some ideas quickly off the top of my head.

  • Load Balancing on a URL with parameters in it.

    Hi,
    We have two main Server Farms. I have been asked to load balance to each farm based on the url. The problem:
    The url looks like this
    https://www.domain.com/test/ci/?par1=Default&par2=main&userRole=userrole&mcId=companyname&par4=somethingelse
    The bit of the URL for the decision making is "mcId", but as I understand it, I cannot use a "?" in the URL text string on the CSS. So, how do I do it?
    Many thanks
    Wayne

    Wayne,
    The documentation is actually incorrect.
    The '?' does not prevent the advanced-balance url feature from working.
    It just changes where the CSS starts looking for the string.
    Check this url for a sample config.
    http://www.cisco.com/en/US/products/hw/contnetw/ps792/products_configuration_guide_chapter09186a0080409807.html#wp1115519
    Regards,
    Gilles.

  • Load balancing on rac database with single node appsTier

    Hi,
    Please advise me. I am working on configuring load balancing on the apps tier; following is my setup and the steps I did so far.
    Host name        Services
    Clelx062ptlge    RAC 1 - only database
    Clelx063ptlge    RAC 2 - only database
    Clelx042ptlge    All apps services including concurrent managers
    I have two R12 databases (UDEV -- development & HRQA -- UAT). I only made changes in the apps tier XML file of udev for some load balancing parameters; following are the changes I did.
    <TWO_TASK oa_var="s_tools_twotask" osd="unix">udev_806_BALANCE</TWO_TASK>
    <CP_TWOTASK oa_var="s_cp_twotask" customized="yes">udev_806_BALANCE</CP_TWOTASK>
    <TWO_TASK oa_var="s_weboh_twotask" osd="unix">udev_BALANCE</TWO_TASK>
    I changed the values from "UDEV" to the values given above. After the above change I ran AutoConfig. But the concurrent managers and forms services are not automatically failing over to the second database node; I need to bounce the services to fail them back to the other available RAC node. Please note that we have only one apps tier.
    Thanks,
    Tanveer Mohammed.

    Hi,
    Yes, I have checked the doc referenced, and already did the steps given in the doc. I also did all the steps given in ID 388577.1, but still the concurrent managers and forms services are not automatically failing over to the second database node; I need to bounce the services to fail them back to the other available RAC node.
    Please advise...
    Thanks,
    Tanveer Mohammed.

  • Load balancing vs. clustering with BOXI Enterprise Premium

    We are planning to install BusinessObjects Enterprise Premium on Windows 2008 Server (64-bit) and we are going to use an Oracle database. My question is:
    "Can we set up Crystal Reports and BusinessObjects (Web Intelligence) both either in a clustered environment or behind a load balancer?"
    If not, can you please let me know what the best option is?

    Oh. All BOE servers (this includes Crystal) support clustering (and software load balancing via CORBA). Only the input and output FRS do not support load balancing, i.e. while you can have multiple input/output FRS, only one of each is active at a time. The others are passive and will only be used if the active FRS is unavailable.
    As an aside, if I remember correctly, a BOE Premium license is required for clustering.
    So, in essence, you do not need a hardware load balancer to support load balancing for both Crystal and Webi.

  • Load data from a file with multiple record types to a single table-sqlldr

    We are using two datastores which refer to the same file. The file has 2 types of records header and detail.
    h011234tyre
    d01rey5679jkj5679
    h011235tyrr
    d01rel5678jul5688
    d01reh5698jll5638
    Can someone help in loading these lines from one file with only two data stores(not 2 separate files) using File to Oracle(SQLLDR) Knowledge Module.

    Hi,
    Unfortunately the IKM SQLLDR doesn't let you write the "when" condition in the ctl file.
    If you wish a simple solution, just add an option (drop me an email if you want an LKM with this).
    The point is:
    With a single option, you will control the when ctl clause and, for instance, can define:
    1) create 2 datastores (1 for each file)
    2) the first position will be a column at each datastore
    3) write the when condition for this first column at the LKM in the interface.
    Does it help you?
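The split the reply describes, a "when" condition on the record-type column in position 1 routing each line to one of two datastores, can be checked outside SQL*Loader before the load. The script below is an added example, not code from the ODI thread or from Oracle: it splits the question's sample lines (embedded here as constructed input) into header and detail record sets, ties each detail to the header that precedes it, and keeps lines that match neither condition in a discard list, mirroring SQL*Loader's discard file. The field layout (byte 1 record type, bytes 2-3 sequence, remainder payload) is an assumption, since the question does not give one.

```python
"""Split a mixed header/detail file into two record sets, the way a
SQL*Loader control file with two INTO TABLE ... WHEN clauses would."""

# Constructed input: the five sample lines from the question.
SAMPLE_FILE = """h011234tyre
d01rey5679jkj5679
h011235tyrr
d01rel5678jul5688
d01reh5698jll5638
"""


def split_records(text):
    """Return (headers, details, discards) from the raw file contents.

    headers:  dicts for 'h' records (WHEN (1:1) = 'h')
    details:  dicts for 'd' records (WHEN (1:1) = 'd'), each tagged
              with the line number of the header it follows
    discards: (line, reason) for lines matching neither condition,
              kept for review like SQL*Loader's discard file
    Field layout is an assumption: type, 2-char sequence, payload.
    """
    headers, details, discards = [], [], []
    current_header = None
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        rec_type = line[:1]
        body = {"line": lineno, "seq": line[1:3], "payload": line[3:]}
        if rec_type == "h":
            headers.append(body)
            current_header = lineno
        elif rec_type == "d":
            if current_header is None:
                # An orphan detail would load fine under a plain WHEN
                # clause; flag it instead so the file can be checked.
                discards.append((lineno, "detail before any header"))
                continue
            body["header_line"] = current_header
            details.append(body)
        else:
            discards.append((lineno, f"unknown record type {rec_type!r}"))
    return headers, details, discards


if __name__ == "__main__":
    h, d, x = split_records(SAMPLE_FILE)
    print(f"{len(h)} headers, {len(d)} details, {len(x)} discarded")
    for rec in d:
        print(f"detail line {rec['line']} belongs to header line {rec['header_line']}")
```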
