Cisco Systems CL-28826-01 Security Camera User Manual


45-13
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 45 Managing Firewall Devices
Configuring Firewall Device Interfaces
The algorithm can use one or a combination of the following packet-header fields to determine link
assignment: source IP address, destination IP address, source MAC address, destination MAC address,
TCP/UDP port numbers, or VLAN IDs. The field combination used by the algorithm is chosen from the
Load Balancing list (on the Advanced tab of the ASA’s Add Interface and Edit Interface dialog boxes);
these options are described in the following section. For additional information, see Configuring
EtherChannels, page 45-8.
For example, suppose source MAC address (src-mac) is the chosen field: when packets are forwarded to
an EtherChannel, they are distributed across the ports in the channel based on the source MAC address
of each incoming packet. Therefore, to provide load balancing, packets from different hosts use different
ports in the channel, but packets from the same host use the same port in the channel (and the MAC
addresses learned by the device do not change).
Similarly, with destination MAC address forwarding, when packets are forwarded to an EtherChannel,
each packet is distributed across the ports in the channel based on the packet’s destination host MAC
address. Thus, packets to the same destination are forwarded over the same port, and packets to a
different destination are sent on a different port in the channel.
Therefore, when choosing a load-balancing option, use the option that provides the greatest variety in
your configuration. For example, if most of the traffic on a channel is going only to a single MAC
address, choosing the destination MAC address results in most of the traffic always using the same link
in the channel. Alternatively, using source addresses or IP addresses might result in better load
balancing, while a method that uses the source and destination addresses along with UDP or TCP port
numbers can distribute traffic much differently.
Note: This option is available only on ASA 8.4.1+ devices.
Load Balancing Options
When defining a single logical EtherChannel interface in the ASA Add/Edit Interface dialog box, choose
one of the following Load Balancing options (on the Add/Edit Interface Dialog Box: Advanced Tab
(ASA/PIX 7.0+), page 45-27) to specify the basis of load distribution:
• dst-ip – Load distribution is based on the destination-host IP address only; the source of the packets
  is not considered. Each packet with the same destination IP address is forwarded over the same link.
• dst-ip-port – Load distribution is based on the destination-host IP address and TCP/UDP port. This
  option offers more granularity and a little more complexity than destination IP address alone.
• dst-mac – Load distribution is based on the destination host MAC address of incoming packets.
• dst-port – Distribution is based on the destination port; that is, a TCP or UDP port and not a physical
  interface.
• src-dst-ip – Distribution is based on source and destination IP addresses; source and destination IP
  addresses are paired for hash calculations. This method provides more granularity than destination
  IP address, for example: packets to the same destination can be forwarded over different links in a
  port-channel if they are coming from a different IP source.
• src-dst-ip-port – Distribution calculation considers source and destination IP addresses, and TCP/UDP
  ports. Provides even greater granularity and distribution.
• src-dst-mac – Calculation is based on source and destination MAC address pairing.
• src-dst-port – Load distribution is based on source and destination TCP/UDP port.
• src-ip – Based on source host IP address only.
• src-ip-port – Source IP address and TCP/UDP port.
• src-mac – Source MAC address only.
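The effect of the option choice on link usage can be seen in a small simulation. This is an added example, not part of the Cisco guide: the SHA-256-modulo hash is a stand-in (the ASA's actual hash function is not given on this page), and the packets, addresses and function names are constructed for illustration.

```python
import hashlib
from collections import Counter

# Header fields each option feeds into the hash (option names are from the list above).
OPTION_FIELDS = {
    "dst-ip": ("dst_ip",),
    "dst-ip-port": ("dst_ip", "dst_port"),
    "dst-mac": ("dst_mac",),
    "dst-port": ("dst_port",),
    "src-dst-ip": ("src_ip", "dst_ip"),
    "src-dst-ip-port": ("src_ip", "dst_ip", "src_port", "dst_port"),
    "src-dst-mac": ("src_mac", "dst_mac"),
    "src-dst-port": ("src_port", "dst_port"),
    "src-ip": ("src_ip",),
    "src-ip-port": ("src_ip", "src_port"),
    "src-mac": ("src_mac",),
}

def pick_link(packet, option, n_links):
    """Map a packet to a member link index using only the fields the option names."""
    key = "|".join(str(packet[f]) for f in OPTION_FIELDS[option])
    # Stand-in hash (assumption): the ASA's real hash function is not documented here.
    digest = hashlib.sha256(key.encode()).digest()
    return int.from_bytes(digest[:4], "big") % n_links

def link_usage(packets, option, n_links):
    """Count packets per member link for one load-balancing option."""
    counts = Counter(pick_link(p, option, n_links) for p in packets)
    return [counts.get(i, 0) for i in range(n_links)]

def constructed_traffic(n_clients=200):
    """Constructed sample: many clients behind distinct MACs talking to one server."""
    return [{
        "src_mac": f"02:00:00:00:{i // 256:02x}:{i % 256:02x}",
        "dst_mac": "02:00:00:ff:ff:01",
        "src_ip": f"10.0.{i // 250}.{i % 250 + 1}",
        "dst_ip": "192.0.2.10",
        "src_port": 49152 + i,
        "dst_port": 443,
    } for i in range(n_clients)]

if __name__ == "__main__":
    traffic = constructed_traffic()
    for option in ("dst-mac", "dst-ip", "src-mac", "src-dst-ip-port"):
        print(f"{option:16} {link_usage(traffic, option, 4)}")
```

With this single-destination traffic, every destination-only option places all packets on one member link, while the source-based and combined options spread them across the channel.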