Understanding How Firewalls Work
Firewalls Types
The two basic types of firewalls are as follows:
• Regular firewalls have a presence on the network; they are assigned an IP address that allows them to be addressed as a device and seen by other devices on the network.
• Stealth firewalls have no presence on the network; they are not assigned an IP address and cannot be addressed or seen by other devices on the network. To the network, a stealth firewall is part of the wire.
Both firewall types examine traffic moving in both directions (between the protected and the unprotected
side of the network) and accept or reject packets based on user-defined sets of policies.
How the CSM Distributes Traffic to Firewalls
The CSM load-balances traffic to devices configured in server farms. These devices can be servers,
firewalls, or any IP-addressable object including an alias IP address. The CSM uses load-balancing
algorithms to determine how the traffic is balanced among the devices configured in server farms,
independent of device type.
Note: We recommend that you configure Layer 3 load balancing on server farms that contain firewalls because of the interactions between higher-layer load-balancing algorithms and server applications.
Supported Firewalls
The CSM can load-balance traffic to regular or stealth firewalls.
For regular firewalls, a single CSM or a pair of CSMs balances traffic among firewalls that contain
unique IP addresses, similar to how it balances traffic to servers.
For stealth firewalls, a CSM balances traffic among unique VLAN alias IP address interfaces on another
CSM that provide paths through stealth firewalls. A stealth firewall is configured so that all traffic
moving in both directions across that VLAN moves through the firewall.
Layer 3 Load Balancing to Firewalls
When the CSM load-balances traffic to firewalls, the CSM performs the same function that it performs
when it load-balances traffic to servers. To configure Layer 3 load balancing to firewalls, follow these
steps:
Step 1 Create a server farm for each side of the firewall.
Step 2 In serverfarm submode, enter the predictor hash address command.
Step 3 Assign that server farm to the virtual server that accepts traffic destined for the firewalls.
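The three steps above, written out as CSM CLI lines; this is an added example, not configuration from the original note. The module slot, VLAN numbers, IP addresses and the farm and vserver names are assumptions, and the two real entries stand for the outside interfaces of two regular firewalls.

```cisco
! Added example: Layer 3 firewall load balancing on the CSM.
! Slot, VLANs, addresses and names are assumed values, not from the page.
module csm 5
 ! Client-facing VLAN (unprotected side) and firewall-facing VLAN.
 vlan 10 client
  ip address 10.10.10.2 255.255.255.0
 vlan 20 server
  ip address 10.20.20.2 255.255.255.0
 !
 ! Step 1: one server farm per side of the firewall. This farm lists the
 ! outside interfaces of two regular firewalls, each with its own IP address;
 ! the farm for the protected side is built the same way on the other CSM.
 serverfarm FW_OUTSIDE
  ! Keep the packet's original destination: the firewall is a hop, not a server.
  no nat server
  ! Step 2: hash on source and destination address so both directions of a
  ! flow are sent through the same firewall.
  predictor hash address
  real 10.20.20.11
   inservice
  real 10.20.20.12
   inservice
 !
 ! Step 3: a catch-all virtual server on the client VLAN sends all traffic
 ! destined for the protected side through the firewall farm.
 vserver TO_FIREWALLS
  virtual 0.0.0.0 0.0.0.0 any
  vlan 10
  serverfarm FW_OUTSIDE
  inservice
```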
Catalyst 6500 Series Content Switching Module Configuration Note, OL-4612-01
Chapter 11: Configuring Firewall Load Balancing