Brian, Yes, most of them do nat. From the client WS perspective, there is only a single server IP, so it sends packets to that IP address. Once the switch gets the packet (since it is answering for that IP), it needs to forward the packet to a server. Normally, for the server to accept that packet the switch must change the dst IP to the servers real IP address and likewise alter the replies from the server so they appear to come from the virtual IP. (i.e. NAT) Note that some switches support an option called "direct sesrver return" in which the switch sets up the inital conversation, and then the server talks directly back to the client without having to go through the switch. In this case NAT is not performed between the server and the client. (I don't think this architecture is widely used though)
The layer 4-7 portion is really only relevant when the switch is deciding 1) Is a service "up" on a particular server and 2) How does the switch determine to which server an individual packet needs to be forwarded (i.e. how much of the data portion of a packet has to be examined to determine what traffic stream it belongs to) HTH, Kent -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Brian Zeitz Sent: Tuesday, May 07, 2002 9:25 AM To: [EMAIL PROTECTED] Subject: RE: Pix load balance? [7:42974] Dumb question, does any of these devices use nat? I just read that pix to DMZ interface uses dNat, not sure if that is faster. I was reading my Alteon Web Switch book last night, it says you CAN do nat, but I don't know if layer 4-7 switches actually DO nat normall. If it's a switch, it should be switching right, the translation gets done in layer 4. kinda confused..... -----Original Message----- From: Gragido, William [mailto:[EMAIL PROTECTED]] Sent: Tuesday, May 07, 2002 12:09 PM To: Brian Zeitz; [EMAIL PROTECTED] Subject: RE: Pix load balance? [7:42974] The best way to load balance is to use an application layer (layer 4-7) switch. I am not too familiar with Cisco's offering of this technology (sadly), but have worked extensively with Foundry's ServerIrons and they are excellent devices! -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Brian Zeitz Sent: Tuesday, May 07, 2002 8:50 AM To: [EMAIL PROTECTED] Subject: RE: Pix load balance? [7:42974] Load balancing is supposed to be done on content switches according to what I am reading. I cannot be done on the firewall withing the site, nor can it be done with different ISPs. Brian Zeitz MCSE, CCNP -----Original Message----- From: Gaz [mailto:[EMAIL PROTECTED]] Sent: Tuesday, May 07, 2002 6:58 AM To: [EMAIL PROTECTED] Subject: Re: Pix load balance? [7:42974] What's the reason? I'm not disputing the fact, just wondering what the limitation is. I take it that the limitation is only that it cannot do stateful failover with two active PIXes? Cheers, Gaz wrote in message [EMAIL PROTECTED]">news:[EMAIL PROTECTED]... > Yeah, I asked the same questions last month. They can not. If you really > need firewall and Load balancing, FW-1 is the way to go. > > Theo > CSS1, CCNP, CCSE > > > > > > > "Patrick" > Sent by: [EMAIL PROTECTED] > 05/06/2002 06:28 AM > Please respond to "Patrick" > > > To: [EMAIL PROTECTED] > cc: > Subject: Re: Pix load balance? [7:42974] > > > No. > > ""GEORGE"" wrote in message > [EMAIL PROTECTED]">news:[EMAIL PROTECTED]... > > Can you load balance to pix firewalls? > > Has anyone done this? Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=43535&t=42974 -------------------------------------------------- FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
