Presentation is loading. Please wait.

Presentation is loading. Please wait.

HEPiX Fall 2017 Firewall Load Balancing Solution

Published byRoland Gordon Modified over 6 years ago

Similar presentations

Presentation on theme: "HEPiX Fall 2017 Firewall Load Balancing Solution"— Presentation transcript:

1

2 HEPiX Fall 2017 Firewall Load Balancing Solution
Vincent DUCRET

3 Introduction Traffic between the CERN internal networks (LCG/GPN) and the external network (Internet) is filtered by firewalls Current setup has some limitations The Firewall Load-Balancing (FWLB) solution aims to bring scalability to the setup

4 Current firewall Setup
Limitations: Limited capacity Not possible to add a 3rd firewall Each FW is dedicated to a type of traffic Overall traffic is not equally distributed Routing constraints/complexity HTAR traffic (not firewalled) Firewalled traffic

5 Four different evolution options
Build an “intermediate” FW Load Balancer solution Pros: Reuse existing and spare Firewalls No need for switch/router upgrade Allow us to get familiar with FW load-balancing Total cost < 60% of current spare FW Cons: May not match all requirements May only be valid for 2/3 years prior to a global architecture review Full review of the design with specific Load Balancers Pros: “Long term" solution Match all requirements Cons: Unknown technology Price and time (market study and tender required) May need router/switch upgrade Keep current setup and use “bigger” Firewalls Pros: no major change on the design “easy” increase of the overall capacity Cons: Price and time (tender required) No use of our spare Firewall Need router/switch upgrade (Price) Keep a separation by type of traffic (same routing constraints, unfair distribution of the traffic, etc.) Keep current setup but build a cluster of Firewalls Pros: No major change on the design Can use our spare firewall Cons: Need exact same hardware (vendor lock) Capacity increase is not linear (2x 10Gbps  14 Gbps) Keep a separation by type of traffic (same routing constraints, unequal distribution of the traffic, etc.)

6 Firewall Load Balancing Setup
More details about IDS in the presentation given by Adam Krajewski: “Network Automation for Intrusion Detection System” HTAR traffic (not firewalled) Firewalled traffic

7 Firewall Load Balancing Setup
OUTSIDE VRF/VLAN INSIDE VRF/VLAN Physical Setup Each Firewall have a 10Gbps link to each Load Balancer LAG make it a single logical connection Logical Setup Each Load Balancer is divided in two VRFs Full redundancy for single device failure

8 Firewall Load Balancing Setup
Load balanced FW2 Based on two Cisco Nexus 5672UP (each with 32x 10Gbps + 4x 40Gbps) Firewall Load Balancing is done using the ITD feature (Intelligent Traffic Director) = PBR with some automated features Load balanced FW1 Production FW Cisco Nexus 5K for FWLB Router in charge of PBR for HTAR/Firewalled traffic

9 FW LB setup details Load balancing is based on source IP (relies on PBR) Traffic to/from a single server will always cross the same FW Fully redundant setup If one FW fails, traffic is redirected to the remaining ones (30-60 seconds detection; not transparent for active sessions) If one load balancer fails, all firewalls and routers still have a connection to the second load balancer If one router fails, traffic is rerouted to the other one

10 Configuration details
Manual configuration itd device-group FIREWALLS-IN node ip X.Y.Z.1 weight 12 node ip X.Y.Z.2 weight 4 probe icmp frequency 3 timeout 2 retry-down-count 3 retry-up-count 5 itd ITD-FW-IN device-group FIREWALLS-IN ingress interface Vlan100 failaction node reassign load-balance method src ip buckets 16 no shutdown

11 Configuration details
Auto-generated ACLs ip access-list ITD-FW-IN_itd_bucket_1 10 permit ip any ip access-list ITD-FW-IN_itd_bucket_2 10 permit ip any (…) ip access-list ITD-FW-IN_itd_bucket_15 10 permit ip any ip access-list ITD-FW-IN_itd_bucket_16 10 permit ip any

12 Configuration details
Auto-generated PBR rules route-map ITD-FW-IN_itd_pool permit 0 description auto generated route-map for ITD service ITD-FW-IN match ip address ITD-FW-IN_itd_bucket_1 set ip next-hop X.Y.Z.1 route-map ITD-FW-IN_itd_pool permit 1 match ip address ITD-FW-IN_itd_bucket_2 set ip next-hop X.Y.Z.2 (…) route-map ITD-FW-IN_itd_pool permit 15 match ip address ITD-FW-IN_itd_bucket_16

13 Configuration details
Auto-generated PBR rules interface Vlan100 description GAR1 IN 0513-A-FI11 no shutdown mtu 9000 no ip redirects ip address A.B.C.D/X ip policy route-map ITD-FW-IN_itd_pool ITD will adapt the PBR rules in case of FW failure

14 Configuration details
Python scripts to ease operation cli alias name addfw21 source itd-fw.py -fwin X.Y.Z.1 -fwout A.B.C.1 -weight 12 -add cli alias name removefw21 source itd-fw.py -fwin X.Y.Z.1 -fwout A.B.C.1 -rem cli alias name addfw22 source itd-fw.py -fwin X.Y.Z.2 -fwout A.B.C.2 -weight 4 -add cli alias name removefw22 source itd-fw.py -fwin X.Y.Z.2 -fwout A.B.C.2 -rem cli alias name itdreset source itd-clear.py

15 FWLB setup limitations
Current platform supports IPv4 load-balancing only IPv6 traffic is not concerned by this FWLB solution IPv6 flow unchanged (dedicated firewalls, no HTAR) Current platform supports 32x10Gbps ports and 6x 40Gbps Not possible to transparently remove a Firewall (let current sessions “die”) But this is considered sufficient for the next 2/3 years. It lets us get familiar with FW LB solution prior to a global FW design review in the future (new/bigger firewalls, larger LB devices with IPv6 support, etc.)

16 FW LB PILOT Setup (active since mid-July 2017)
Pilot FWLB traffic Wired connection Bldgs.28/31/600 HTAR traffic (not firewalled) Firewalled traffic

17 FW LB PILOT Setup (active since mid-July 2017)
5000 1600 1st Firewall (newer model) manages ~5000 connections 2nd Firewall (older model) manages ~1600 connections Pilot load balancing configuration is ¾ to 1st FW and ¼ to 2nd FW NOTE: as a comparison, at the same time, production firewalls manage between 350K and 750K connections

18 Planning overview Summer 2017: Pilot (traffic from IT buildings)
Q4-2017: move half of the devices to 2nd network hub Q4-2017/Q1-2018: migrate all GPN/LCG traffic to FWLB solution (several steps) 2018/2019 global review of the firewall setup

19 Are you doing Firewall Load Balancing?
Which solution are you using? How scalable is it? Does it support dual stack IPv4/IPv6? If you don’t know, please forward this presentation (or at least this slide) to your “network” colleagues. They can contact me via

20 Any questions?

21

Download ppt "HEPiX Fall 2017 Firewall Load Balancing Solution"

Similar presentations

Cisco Device Hardening Disabling Unused Cisco Router Network Services and Interfaces.

Cisco Device Hardening Disabling Unused Cisco Router Network Services and Interfaces.
Design Guidelines for IPv6 Networks draft-matthews-v6ops-design-guidelines-01 Philip Matthews Alcatel-Lucent.

Design Guidelines for IPv6 Networks draft-matthews-v6ops-design-guidelines-01 Philip Matthews Alcatel-Lucent.
Chapter 9: Access Control Lists

Chapter 9: Access Control Lists
OpenFlow overview Joint Techs Baton Rouge. Classic Ethernet Originally a true broadcast medium Each end-system network interface card (NIC) received every.

OpenFlow overview Joint Techs Baton Rouge. Classic Ethernet Originally a true broadcast medium Each end-system network interface card (NIC) received every.
Implementing Inter-VLAN Routing

Implementing Inter-VLAN Routing
Page 1 / 14 The Mesh Comparison PLANET’s Layer 3 MAP products v.s. 3 rd ’s Layer 2 Mesh.

Page 1 / 14 The Mesh Comparison PLANET’s Layer 3 MAP products v.s. 3 rd ’s Layer 2 Mesh.
Highly Available Central Services An Intelligent Router Approach Thomas Finnern Thorsten Witt DESY/IT.

Highly Available Central Services An Intelligent Router Approach Thomas Finnern Thorsten Witt DESY/IT.
1 Internet Networking Spring 2004 Tutorial 13 LSNAT - Load Sharing NAT (RFC 2391)

1 Internet Networking Spring 2004 Tutorial 13 LSNAT - Load Sharing NAT (RFC 2391)
1 Spring Semester 2007, Dept. of Computer Science, Technion Internet Networking recitation #12 LSNAT - Load Sharing NAT (RFC 2391)

1 Spring Semester 2007, Dept. of Computer Science, Technion Internet Networking recitation #12 LSNAT - Load Sharing NAT (RFC 2391)
1 IPv6 Address Management Rajiv Kumar. 2 Lecture Overview Introduction to IP Address Management Rationale for IPv6 IPv6 Addressing IPv6 Policies & Procedures.

1 IPv6 Address Management Rajiv Kumar. 2 Lecture Overview Introduction to IP Address Management Rationale for IPv6 IPv6 Addressing IPv6 Policies & Procedures.
(ITI310) By Eng. BASSEM ALSAID SESSIONS 8: Network Load Balancing (NLB)

(ITI310) By Eng. BASSEM ALSAID SESSIONS 8: Network Load Balancing (NLB)
Appliance Firewalls A Technology Review By: Brent Huston T h e B l a c k H a t B r i e f i n g s July 7-8, 1999 Las Vegas.

Appliance Firewalls A Technology Review By: Brent Huston T h e B l a c k H a t B r i e f i n g s July 7-8, 1999 Las Vegas.
Virtual LANs. VLAN introduction VLANs logically segment switched networks based on the functions, project teams, or applications of the organization regardless.

Virtual LANs. VLAN introduction VLANs logically segment switched networks based on the functions, project teams, or applications of the organization regardless.
Network Topologies.

Network Topologies.
© 2009 Cisco Systems, Inc. All rights reserved. SWITCH v1.0—2-1 Implementing VLANs in Campus Networks Applying Best Practices for VLAN Topologies.

© 2009 Cisco Systems, Inc. All rights reserved. SWITCH v1.0—2-1 Implementing VLANs in Campus Networks Applying Best Practices for VLAN Topologies.
Networking Components

Networking Components
Barracuda Load Balancer Server Availability and Scalability.

Barracuda Load Balancer Server Availability and Scalability.
1 October 20-24, 2014 Georgian Technical University PhD Zaza Tsiramua Head of computer network management center of GTU South-Caucasus Grid.

1 October 20-24, 2014 Georgian Technical University PhD Zaza Tsiramua Head of computer network management center of GTU South-Caucasus Grid.
OpenFlow: Enabling Technology Transfer to Networking Industry Nikhil Handigol Nikhil Handigol Cisco Nerd.

OpenFlow: Enabling Technology Transfer to Networking Industry Nikhil Handigol Nikhil Handigol Cisco Nerd.
Chapter 8: Virtual LAN (VLAN)

Chapter 8: Virtual LAN (VLAN)

Similar presentations

Ads by Google