Technical data
Firewall Load Balancing Guide
A - 6 © 2012 Brocade Communications Systems, Inc. May 31, 2012
FWLB Selection Algorithms
This appendix describes selection algorithms for FWLB. This appendix contains the following sections:
• Least Connections
• Least Connections per Application
• Hashing
NOTE: If hash-port is configured, hashing includes both source-port and destination-port.
Hashing Based on Destination TCP or UDP Application Port
The ServerIron uses a hash value based on the source and destination IP addresses in a packet to select a path,
and thus a firewall, for the packet. After calculating this hash value for a given source-and-destination pair, the
ServerIron always uses the same path and firewall for packets containing that source-and-destination pair.
You can configure the ServerIron to also hash based on TCP or UDP port numbers. This is useful in environments
where the same source-and-destination pairs generate a lot of traffic and you want to load balance the traffic
across more than one firewall.
For example, if you configure the ServerIron to hash based on TCP ports 69 (TFTP) and 80 (HTTP), the
ServerIron hashes packets addressed to one of these ports by calculating a hash value based on the source and
destination IP addresses and the TCP port number (69 or 80). Since the TCP port numbers are included in the
hash calculations for these packets, the calculations can result in packets for port 80 receiving a different hash
value (and thus possibly a different path and firewall) than packets for port 69, even though the source and
destination IP addresses are the same.
NOTE: The current release supports stateful FWLB only for TCP/UDP applications that do not require multiple
simultaneous connections for the same client to the same firewall. For example, you cannot use stateful FWLB for
FTP, because this application requires separate simultaneous control and data connections to the firewall. The CLI
allows you to specify FTP or any other port, but you might not receive the desired results if the application uses
multiple simultaneous connections to the same firewall.
You can specify a list of ports, a range of ports, or both. The software hashes based on the combined set of ports
from the list and the range.
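The following Python model is an added illustration of the selection rule described above; it is not Brocade code, and the ServerIron's real hash function is not documented on this page, so SHA-256 reduced modulo the firewall count stands in for it (an assumption). The `FwGroup` class, its field names and the `select` method are hypothetical; they mirror the `hash-ports`, `hash-port-range` and `hash-port` options named on the page. It shows the three points the text makes: the key is normally source and destination IP only, a configured application port (from the list, the range, or both) joins the key and can move that traffic to a different firewall, and a given key always lands on the same firewall.

```python
import hashlib
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple


@dataclass
class FwGroup:
    # Hypothetical model of one "server fw-group": the firewalls (paths) the
    # group can choose from, plus the hashing options named on the page.
    firewalls: List[str]
    hash_ports: Set[int] = field(default_factory=set)     # hash-ports <num> [<num...>]
    hash_port_range: Optional[Tuple[int, int]] = None     # hash-port-range <start> <end>
    hash_port: bool = False                               # hash-port: also hash the source port

    def port_is_hashed(self, port: int) -> bool:
        # The software hashes on the combined set: the list plus the range.
        if port in self.hash_ports:
            return True
        if self.hash_port_range is not None:
            lo, hi = self.hash_port_range
            return lo <= port <= hi
        return False

    def hash_key(self, src_ip: str, dst_ip: str, src_port: int, dst_port: int) -> str:
        # Base key: source and destination IP addresses only.
        parts = [src_ip, dst_ip]
        if self.port_is_hashed(dst_port):
            # A configured application port joins the key; with hash-port the
            # source port joins as well (per the NOTE on the page).
            parts.append(str(dst_port))
            if self.hash_port:
                parts.append(str(src_port))
        return "|".join(parts)

    def select(self, src_ip: str, dst_ip: str, src_port: int, dst_port: int) -> str:
        # Constructed stand-in hash: SHA-256 of the key, reduced modulo the
        # number of firewalls. Same key -> same index -> same firewall.
        key = self.hash_key(src_ip, dst_ip, src_port, dst_port).encode()
        digest = hashlib.sha256(key).digest()
        index = int.from_bytes(digest[:4], "big") % len(self.firewalls)
        return self.firewalls[index]


def demo() -> dict:
    # Constructed sample configuration and traffic, not taken from any device.
    group = FwGroup(firewalls=["fw1", "fw2", "fw3"],
                    hash_ports={69, 80},            # hash-ports 69 80
                    hash_port_range=(8000, 8010))   # hash-port-range 8000 8010
    src, dst = "10.1.1.5", "192.168.1.10"
    return {
        # Non-hashed ports (443, 22): key is IP-only, so both flows share a path.
        "https": group.select(src, dst, 40000, 443),
        "ssh": group.select(src, dst, 40001, 22),
        # Hashed ports: the destination port is part of the key, so 80 and 69
        # traffic for the same IP pair may land on different firewalls.
        "http": group.select(src, dst, 40002, 80),
        "tftp": group.select(src, dst, 40003, 69),
        "range": group.select(src, dst, 40004, 8005),
    }


if __name__ == "__main__":
    for name, fw in demo().items():
        print(f"{name:6s} -> {fw}")
```

Whether port 80 and port 69 flows actually separate depends on the hash values falling into different buckets, which is why the page says "possibly a different path and firewall"; what the model guarantees is only that the keys differ once the port is included, and that each key is sticky to one firewall.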
Specifying a List of Application Ports for Use When Hashing
To specify a list of TCP/UDP ports to include in the hash calculations, use either of the following methods.
USING THE CLI
To specify a list of TCP/UDP ports for hashing, enter commands such as the following:
ServerIron(config)# server fw-group 2
ServerIron(config-tc-2)# hash-ports 69 80
Syntax: [no] hash-ports <num> [<num...>]
The <num> parameters specify TCP or UDP port numbers. You can specify up to eight port numbers on the same
command line.
Specifying a Range of Application Ports for Use When Hashing
To specify a range of application ports, enter a command such as the following at the firewall group configuration
level of the CLI:
ServerIron(config-tc-2)# hash-port-range 69 80
Syntax: [no] hash-port-range <start-num> <end-num>