Cisco Content Services Switch Security Configuration Guide
OL-5650-02
Chapter 5 Configuring Firewall Load Balancing
Configuring FWLB with VIP and Virtual Interface Redundancy
In Figure 5-2, odd-numbered firewalls are connected to the Layer 2 switches
servicing the CSS-OUT-L and CSS-IN-L CSSs. Even-numbered firewalls are
connected to the Layer 2 switches servicing the CSS-OUT-R and CSS-IN-R
CSSs.
Figure 5-2 FWLB with VIP/Interface Redundancy Configuration
Each firewall must have two addresses on either side of it. The first address is
used for the next hop on the lower-cost static (primary) path. The second address
is used for the next hop on the higher-cost floating-static (secondary) path.
Set the floating-static paths with a higher cost (typically a cost of 10) than those
associated with the static paths (typically a cost of 1). If a CSS fails (for example,
CSS-OUT-L), CSS-OUT-R will use the higher-cost path to send traffic to
CSS-IN-L.
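
As an added illustration (not from the Cisco guide and not CSS configuration syntax), the following Python code models one side of the firewalls as seen from a single CSS. It checks that every firewall has two distinct next hops with different costs, and shows which next hop carries traffic when the primary one is unreachable. The firewall names, the tuple layout, and the 192.0.2.x addresses are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample: (firewall, next_hop, cost). Addresses are documentation
# placeholders from 192.0.2.0/24, not the addresses shown in Figure 5-2.
ROUTES = [
    ("fw1", "192.0.2.1", 1),    # static (primary) path, lower cost
    ("fw1", "192.0.2.11", 10),  # floating-static (secondary) path, higher cost
    ("fw2", "192.0.2.2", 1),
    ("fw2", "192.0.2.12", 10),
]


def lint(routes):
    """Return findings for firewalls that break the two-address, two-cost rule."""
    by_fw = defaultdict(list)
    for fw, hop, cost in routes:
        by_fw[fw].append((cost, hop))
    findings = []
    for fw, paths in sorted(by_fw.items()):
        hops = {hop for _, hop in paths}
        costs = sorted(cost for cost, _ in paths)
        if len(paths) != 2 or len(hops) != 2:
            findings.append(f"{fw}: expected 2 distinct next hops, found {len(hops)}")
        elif costs[0] == costs[1]:
            # Equal costs mean neither path floats behind the other.
            findings.append(
                f"{fw}: both paths have cost {costs[0]}; no floating-static path"
            )
    return findings


def active_path(routes, fw, reachable):
    """Pick the lowest-cost next hop for fw that is reachable, or None."""
    usable = [(cost, hop) for f, hop, cost in routes if f == fw and hop in reachable]
    return min(usable)[1] if usable else None


if __name__ == "__main__":
    print(lint(ROUTES))
    # Primary next hop lost: traffic moves to the floating-static path.
    print(active_path(ROUTES, "fw1", {"192.0.2.11"}))
```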
[Figure 5-2 (image not reproduced). Labels: CSS-OUT-L and CSS-OUT-R (10.2.1.254, 10.2.1.253); CSS-IN-L and CSS-IN-R (10.3.1.224, 10.3.1.223); Firewall 1, Firewall 2, Firewall 3, Firewall 4; four Layer 2 switches; firewall addresses 10.2.200.1 through 10.2.200.4 and 10.2.200.11 through 10.2.200.14, and 10.3.200.1 through 10.3.200.4 and 10.3.200.11 through 10.3.200.14; redundant interfaces; redundant VIP.]