Chapter 5 Configuring Firewall Load Balancing
Configuring FWLB with VIP and Virtual Interface Redundancy
5-12
Cisco Content Services Switch Security Configuration Guide
OL-5650-02
If the firewall supports it, you can use multinetting by configuring multiple
addresses on the firewall. If the firewall does not support multiple addresses per
physical interface, use the ap-kal-fwlb-multinet script to simulate multiple
addresses for the firewall. The script takes the arguments “realAddress
secondaryAddress” and creates a static ARP entry for each firewall interface.
Note You can also enter the static ARP entries manually. However, the benefit of the
script is that it will change the ARP entries if you replace the firewall and the
MAC address changes.
Failover time is very fast at 1 to 3 seconds, because:
• The floating-static path is already up
• Firewall path information has been exchanged
• Circuits are up
If a Layer 2 switch fails, traffic will rehash over every other firewall. If there is
an even number of firewalls, 50 percent of the traffic will rehash to the same
firewalls.
Note If you configure redundant interfaces on both sides of a CSS, use critical services
to ensure that if one interface fails over to backup, the other interface does the
same. If you are implementing multiple interfaces, use firewall interfaces as
critical services on external CSSs, and firewall interfaces (configured as service
type redundancy-up) and backend servers on internal CSSs. For details on
configuring critical services and configuring redundant uplink services, refer to
the Cisco Content Services Switch Redundancy Configuration Guide.