RE: [load balancing] How to load balance firewalls

From: Ritesh Rekhi (
Date: Thu Mar 18 2004 - 15:42:28 EST

Yeah, you are right, VRRP and HSRP don't make the destination traffic
be sent to a multicast layer 2 address. We were discussing whether there is a
technology out there which doesn't adhere to standards, and whether there is another
technology, which lots of hardware vendors support for doing FWLB (firewall
load balancing), which is the best option.

I think people can decide for themselves when you show them all the facts.

Thanks all
  -----Original Message-----
  From: [] On Behalf Of Julio
  Sent: Thursday, March 18, 2004 8:04 AM
  Subject: RE: [load balancing] How to load balance firewalls

  Uninformed guess here...

  VRRP and HSRP don't make the "destination" traffic be sent to a multicast
layer 2 address (while being unicast at layer 3).
  They use multicast for hello protocols etc., that is it.
  What I remember is, the multicast layer 2 with unicast layer 3 (the trick
used here, and also in MS NLB or whatever they call it now) was against one
RFC, which said the ARP response should not have a multicast or broadcast
address in the hardware address field of the ARP packet... I just can't
remember which one.
  It doesn't matter if it is against the RFC; it is a checklist item with the
customers I've dealt with, you need to support it even if it hurts :-)
  (BTW, your idea about "isolate the flooding to a VLAN only with the HA
cluster" is even suggested in some MS documentation, so it seems to be a common
practice; I've used it at least once at a customer with CP FW-1 LB)
    -----Original Message-----
    From: []
    Sent: Thursday, March 18, 2004 9:51 AM
    Subject: RE: [load balancing] How to load balance firewalls

    Yes, I believe you are correct. Multicast forwarding is usually enabled
by default on most Layer 2 switches but can easily be disabled on a port by
port basis if required. In my experience, most redundant L3 devices such as
routers and firewalls are using multicast anyway in configs such as HSRP or
VRRP, so in all likelihood this flooding already exists. This can also
easily be avoided by having dedicated networks connecting your firewalls to
your LAN using multilayer switches in the network core, and using VLANs on
your load balancer within the DMZ to connect to the firewall. A separate
VLAN can be implemented, logically placing your real servers behind the
load balancer to protect them, and also allowing preservation of client IPs.

    Watching the evolution of Content Delivery Networking generally over the
last 5 years or so, there doesn't really appear to be anything that is
entirely new. Most methods just take the existing TCP/IP, Ethernet and DNS
standards that already exist (to name a few) and manipulate them in some
way, or perhaps bend the rules slightly to achieve the aims. Some of the
newer products available today present the user with a nice point and click
GUI. This allows him lots of ways of achieving intelligent load balancing
without being aware, or even having to understand, that it is all down to
fundamental networking. This may be seen as a good thing to some people, as
it opens up the world of content delivery to a wider audience. I would be
inclined to point out, though, that it may be lowering the technical standard
at which some networking specialists are employed. I have even found myself
in a situation with a vendor, having to explain to them how their own
product works (monkey see, monkey do is fine until things do not work :) ).
This is obviously not a good selling point, especially when I only consider
myself a beginner/intermediate in networking skills (CCNA).

    From: Ritesh Rekhi []
    Sent: 18 March 04 03:05
    Subject: RE: [load balancing] How to load balance firewalls

    One problem which I generally find in all the HA/LB software solutions
is that they use a multicast MAC address for a unicast IP address. Isn't it
against the TCP/IP standards?

    Let me explain in detail:

    Say a server is connected to a switch which has an HA/LB software
solution. Now this server is going to ARP for its default gateway. So far so
good. Generally in all cases you expect a response with a unicast MAC
address so that the server can send packets to its default gateway MAC. But in a
clustering environment the MAC address will be a multicast MAC address, so
when the packets go from the server to the client they will be flooded on all
the ports of the switch where the server is connected (if it is not multicast

    I just want to get a feel for whether my understanding is correct and whether this is
part of the TCP/IP standards.

      -----Original Message-----
      From: [] On Behalf Of
      Sent: Friday, March 12, 2004 8:09 AM
      Subject: RE: [load balancing] How to load balance firewalls

      Are you running the Checkpoint on Nokia appliances?

      Nokia IPSO has built-in load balancing (from IPSO 3.6 onwards, I think)
that runs almost outside the CP software. We have some 6 Cisco LB devices on
site and some Radware appliances, and I was reluctant to take the "IPSO
Clustering" seriously at first but have just returned from the new Nokia
Security Administrators 2 course. I played with it a bit in the lab and was
impressed. I was surprised to find that it is not well known about, or
implemented often, even though Active/Active clustering was patented by
Nokia (a slide of this is displayed in the course) and is being incorporated
as the Active/Active method in some of the newer content delivery
appliances. Although limited in functionality, an even 50/50 spread was
achieved on both firewalls and up to 5 can be included, all active in a
cluster. A source IP "bucket" scheme is used to distribute responsibility
across each appliance and a shared virtual MAC exists for each interface on
each firewall for each subnet/DMZ. There is no requirement for inside and
outside appliances and asynchronous routing is avoided in every scenario
including VPN traffic.

      Keepalives are handled using multicast traffic, and in IPSO ver 3.7
with NG AI for the firewall, this traffic can be removed from the network
and distributed across your existing dedicated State Table Sync link. A
little bit of tweaking would be required for spanning tree, I guess, but the
firewall config is a 2 minute point and click exercise. Another benefit is
that once clustered, all management and upgrade work is carried out once in
cVoyager and is distributed to all appliances, and if necessary they are
rebooted one at a time with no effort at all or down time.

      Best of all, IT'S FREE!!!

      From: Kleberg, Jason []
      Sent: 13 February 04 15:20
      Subject: [load balancing] How to load balance firewalls

      Hello, I have a few questions concerning load balancing FWs and I
hope you guys can help :). We have a pair of Checkpoint FW-1s at a site
utilizing their built-in HA module called StoneBeat FullCluster. To keep
this short, it is very sloppy. From my understanding F5/Alteon and Cisco can
all LB FWs. Has anyone done it with Ultra Monkey? Are there any guides on
load balancing firewalls? Are there any serious drawbacks? I would like to
have a solution where both firewalls are active. Here is a sample topology:


      (ASCII topology diagram not preserved by the archive; only its final
      label survived)

      LAN and servers



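The behaviour the last few messages argue about, as an added example (this is not code from any poster, nor from Nokia, Check Point or Microsoft): an ARP reply that maps the gateway's unicast IP to a multicast MAC, the check a standards-following router applies to such a reply, and what a learning switch does with frames sent to that MAC on a flat VLAN versus a VLAN that holds only the uplink and the cluster ports. All addresses, frames and the port layout are constructed for the example; `03:bf:c0:a8:00:01` is just a MAC with the group bit set, not any vendor's address scheme. The rule Julio could not place is the router requirement in RFC 1812, section 3.3.2: a router must not believe an ARP reply claiming that another host's or router's link-layer address is a broadcast or multicast address.

```python
import struct


def mac(s: str) -> bytes:
    return bytes.fromhex(s.replace(":", ""))


def ip4(s: str) -> bytes:
    return bytes(int(o) for o in s.split("."))


def is_group_mac(m: bytes) -> bool:
    # The I/G bit (least significant bit of the first octet) marks a group
    # address: multicast, or broadcast when every bit is set.
    return bool(m[0] & 0x01)


def build_arp(dst, src, op, sha, spa, tha, tpa) -> bytes:
    """Ethernet II frame carrying an IPv4-over-Ethernet ARP packet (42 bytes)."""
    return (dst + src + struct.pack("!H", 0x0806)
            + struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
            + sha + spa + tha + tpa)


def parse_arp(frame: bytes) -> dict:
    if struct.unpack("!H", frame[12:14])[0] != 0x0806:
        raise ValueError("not an ARP frame")
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not IPv4-over-Ethernet ARP")
    b = frame[22:42]
    return {"op": op, "sha": b[0:6], "spa": b[6:10], "tha": b[10:16], "tpa": b[16:20]}


def reply_claims_group_mac(frame: bytes) -> bool:
    """ARP reply (op 2) whose sender hardware address is multicast/broadcast:
    the reply RFC 1812 section 3.3.2 says a router must not believe."""
    arp = parse_arp(frame)
    return arp["op"] == 2 and is_group_mac(arp["sha"])


class Switch:
    """Minimal learning bridge with one forwarding table per VLAN."""

    def __init__(self, ports_by_vlan: dict):
        self.ports_by_vlan = ports_by_vlan
        self.fdb = {}  # (vlan, mac) -> port

    def forward(self, vlan: int, in_port: str, frame: bytes) -> list:
        dst, src = frame[:6], frame[6:12]
        if not is_group_mac(src):            # group addresses are never learned
            self.fdb[(vlan, src)] = in_port
        out = self.fdb.get((vlan, dst))
        if out is not None:
            return [out]
        # Unknown unicast or any group address: flood every other port in the
        # VLAN.  A group destination can never appear in the table, so frames
        # to a cluster's multicast MAC take this path on every single packet.
        return [p for p in self.ports_by_vlan[vlan] if p != in_port]


def demo() -> dict:
    server = mac("00:0c:29:11:22:33")
    host = mac("00:0c:29:44:55:66")
    vip_mac = mac("03:bf:c0:a8:00:01")     # constructed group MAC for the cluster VIP
    gw_ip, srv_ip = ip4("192.168.0.1"), ip4("192.168.0.10")

    # Two constructed replies to the server's ARP request for its gateway.
    cluster_reply = build_arp(server, vip_mac, 2, vip_mac, gw_ip, server, srv_ip)
    normal_reply = build_arp(server, host, 2, host, gw_ip, server, srv_ip)

    payload = struct.pack("!H", 0x0800) + b"\x00" * 46
    to_vip = vip_mac + server + payload
    from_host = server + host + payload
    to_host = host + server + payload

    # Flat design: servers and the cluster share VLAN 10.  Split design: VLAN 20
    # holds only the uplink p1 and the two cluster member ports p5, p6.
    flat = Switch({10: ["p1", "p2", "p3", "p4"]})
    split = Switch({10: ["p1", "p2", "p3", "p4"], 20: ["p1", "p5", "p6"]})

    return {
        "cluster_reply_violates": reply_claims_group_mac(cluster_reply),
        "normal_reply_violates": reply_claims_group_mac(normal_reply),
        "flat_vlan_flood": flat.forward(10, "p1", to_vip),
        "learned_unicast": (flat.forward(10, "p3", from_host), flat.forward(10, "p1", to_host)),
        "isolated_vlan_flood": split.forward(20, "p1", to_vip),
    }
```

On the flat VLAN every frame to the cluster MAC is copied to all three server ports, which is exactly the flooding Ritesh describes; the same frame on VLAN 20 reaches only the two cluster ports, which is the isolation Julio and the earlier reply recommend. Ordinary unicast traffic is unaffected either way, because the switch learns those addresses from the source field and forwards them to a single port.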
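A source IP "bucket" scheme of the kind described for IPSO clustering above, as an added illustration; this is not Nokia's code, and the hash function, bucket count, round-robin ownership and failover rule below are assumptions chosen for the example, not a description of the product. It shows why such a scheme gives an even spread across up to N members, why a given source always lands on the same member, and how a member failure moves only the failed member's buckets. The client addresses are constructed.

```python
import hashlib
import ipaddress
from collections import Counter

BUCKETS = 256  # assumed bucket count; the thread does not state the product's value


def bucket_of(src_ip: str) -> int:
    """Stable hash of the source address into a bucket number.  Every member
    must compute this identically from the packet alone, with no shared state."""
    digest = hashlib.sha256(ipaddress.ip_address(src_ip).packed).digest()
    return int.from_bytes(digest[:2], "big") % BUCKETS


class Cluster:
    def __init__(self, members):
        self.active = list(members)
        # Deal the buckets round-robin so every member owns an equal share.
        self.owner = {b: self.active[b % len(self.active)] for b in range(BUCKETS)}

    def owner_of(self, src_ip: str) -> str:
        return self.owner[bucket_of(src_ip)]

    def buckets_per_member(self) -> Counter:
        return Counter(self.owner.values())

    def fail(self, member: str) -> None:
        """Hand only the failed member's buckets to the survivors, so sources
        that already hash to a survivor keep their owner (and its state)."""
        self.active.remove(member)
        orphans = [b for b, m in self.owner.items() if m == member]
        for i, b in enumerate(orphans):
            self.owner[b] = self.active[i % len(self.active)]

    def spread(self, src_ips) -> Counter:
        return Counter(self.owner_of(s) for s in src_ips)


def sample_sources(n: int = 1000) -> list:
    # Constructed client addresses scattered across 10.0.0.0/8.
    return [str(ipaddress.IPv4Address(0x0A000000 + i * 7919)) for i in range(n)]


def demo() -> dict:
    sources = sample_sources()
    three = Cluster(["fw1", "fw2", "fw3"])
    before = {s: three.owner_of(s) for s in sources}
    three_way = three.spread(sources)
    three.fail("fw3")
    # Sources that hashed to a survivor must not move; only fw3's do.
    sticky = all(three.owner_of(s) == before[s] for s in sources if before[s] != "fw3")
    moved = sum(1 for s in sources if before[s] == "fw3")
    return {
        "three_way_buckets": Cluster(["fw1", "fw2", "fw3"]).buckets_per_member(),
        "three_way": three_way,
        "after_fail": three.spread(sources),
        "sticky": sticky,
        "moved": moved,
        "two_way": Cluster(["fw1", "fw2"]).spread(sources),
    }
```

One design point this makes visible: the member a packet lands on is a pure function of the packet and the shared ownership table, so no member needs to ask another where a flow belongs. For the return direction to reach the same member in this scheme, both directions have to hash the same value, which means keying on the inside host's address (or another key that is identical in both directions) rather than on whichever address happens to be the source of each packet.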


The Load Balancing Mailing List

This archive was generated by hypermail 2.1.4 : Wed Jun 16 2004 - 17:35:44 EDT