Web OS 10.0 Application Guide
Chapter 13: Firewall Load Balancing (page 327)
212777-A, February 2002

As shown in Figure 13-5, the network is divided into four sections:

- Subnet 1 includes all equipment between the exterior routers and dirty-side Web switches.
- Subnet 2 includes the dirty-side Web switches with their interswitch link, and dirty-side firewall interfaces.
- Subnet 3 includes the clean-side firewall interfaces, and clean-side Web switches with their interswitch link.
- Subnet 4 includes all equipment between the clean-side Web switches and their servers.

In this network, external traffic arrives through both routers. Since VRRP is enabled, one of the dirty-side Web switches acts as primary and receives all traffic. The dirty-side primary Web switch performs FWLB in a fashion similar to basic FWLB: a redirection filter splits traffic into multiple streams which are routed through the available firewalls to the primary clean-side Web switch.

Just as with the basic method, four-subnet FWLB uses the hash metric to distribute firewall traffic and maintain persistence, though other load-balancing metrics can be used by configuring an additional Return to Sender (RTS) option (see “Free-Metric FWLB” on page 346).

Four-Subnet FWLB Implementation

In this example, traffic between the redundant Web switches is load balanced among the available firewalls.

Figure 13-6 Four-Subnet FWLB Process
[Figure labels: Subnet 1, Subnet 2, Subnet 3, Subnet 4; Dirty Side, Clean Side; Internet, Routers, Simple Switches, Firewalls, Primary and Secondary Web Switch, Servers; callouts 1, 2, 3]

1. VRRP forces incoming traffic to converge on primary dirty-side Web switch
2. Firewall load balancing occurs between primary Web switches
3. Primary clean-side Web switch performs standard SLB
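The hash-metric paragraph above, as an added illustration (not code from this guide, and not the Web OS hash function): with an order-independent hash of the two endpoint addresses, the dirty-side and clean-side switches choose the same firewall for both directions of a flow without sharing state, while independent rotation on each side does not. Assumptions: the XOR-fold hash, the modelling of RTS as "reply through the firewall the request arrived on", and all firewall names, addresses and function names are constructed for the example.

```python
import ipaddress

FIREWALLS = ["fw1", "fw2", "fw3"]  # constructed firewall names
# Constructed (client, server) flows using documentation address ranges
FLOWS = [("198.51.100.7", "192.0.2.10"), ("198.51.100.8", "192.0.2.10"),
         ("203.0.113.25", "192.0.2.11"), ("203.0.113.90", "192.0.2.11")]

def flow_hash(ip_a, ip_b):
    """Order-independent hash: XOR is commutative, so (a, b) and (b, a) agree."""
    x = int(ipaddress.ip_address(ip_a)) ^ int(ipaddress.ip_address(ip_b))
    x ^= x >> 16          # fold the upper octets into the lower ones
    x ^= x >> 8
    return x & 0xFF

def pick_by_hash(src, dst, available):
    """Choice each switch makes on its own, from packet headers only."""
    return available[flow_hash(src, dst) % len(available)]

def hash_paths(flows, available):
    """(request firewall, reply firewall) per flow when both sides hash."""
    return {(c, s): (pick_by_hash(c, s, available),   # dirty side sees c -> s
                     pick_by_hash(s, c, available))   # clean side sees s -> c
            for c, s in flows}

def round_robin_paths(flows, available):
    """Each side rotates independently; replies arrive in reverse order."""
    req = {f: available[i % len(available)] for i, f in enumerate(flows)}
    rep = {f: available[i % len(available)] for i, f in enumerate(reversed(flows))}
    return {f: (req[f], rep[f]) for f in flows}

def rts_paths(flows, available):
    """Rotation on the dirty side; the clean side sends each reply back through
    the firewall the request arrived on (assumed model of the RTS option)."""
    seen = {f: available[i % len(available)] for i, f in enumerate(flows)}
    return {f: (seen[f], seen[f]) for f in flows}

def asymmetric(paths):
    """Flows whose reply would reach a firewall that never saw the request."""
    return sorted(f for f, (out, back) in paths.items() if out != back)

if __name__ == "__main__":
    print("hash:           ", asymmetric(hash_paths(FLOWS, FIREWALLS)))
    print("round robin:    ", asymmetric(round_robin_paths(FLOWS, FIREWALLS)))
    print("round robin+RTS:", asymmetric(rts_paths(FLOWS, FIREWALLS)))
```

A stateful firewall drops a reply for a session it never saw, so the flows reported as asymmetric are the ones that would break.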