Basic and Advanced Network Topologies : Load balancing
 
Load balancing
Many data center and server farm architectures require network infrastructure to protect them. However, traffic volumes on some networks can exceed the capabilities of a single link pair on a FortiDDoS appliance or even the maximum throughput of a single appliance.
Table 83: Maximum throughput by model

Model    Maximum throughput (full duplex)
         Per port pair    Per appliance
200B     1 Gbps           2 Gbps
400B     1 Gbps           4 Gbps
800B     1 Gbps           8 Gbps
1000B    10 Gbps          12 Gbps
2000B    10 Gbps          24 Gbps
To increase the overall throughput, some topologies require some type of load-balancing solution using multiple link pairs or multiple FortiDDoS appliances.
The capacity of the load-balancing device must exceed the combined throughput of the multiple FortiDDoS appliances.
The load-balancing device intercepts all traffic between the server side and the Internet side and dynamically distributes the load among the available FortiDDoS appliances, based on the device’s configuration. Load balancing utilizes all the appliances concurrently, providing overall improved performance, scalability and availability.
The FortiDDoS appliance is a Layer 2 bridge and therefore does not have either a MAC address or an IP address in the data path. For transparent bridges, the load-balancing device receives a packet, makes a load-balancing decision, and forwards the packet to a FortiDDoS appliance. The FortiDDoS appliance does not perform NAT on the packets; the source and destination IP addresses are not changed.
The load-balancing device performs the following tasks:
Balances traffic across two or more FortiDDoS appliances in your network, allowing them to work in parallel.
Maintains state information about the traffic that flows through it and ensures that all traffic between specific IP address source and destination pairs flows through the same FortiDDoS appliance.
Performs health checks on all paths through the FortiDDoS appliances. If any path is not operational, the load balancer maintains connectivity by diverting traffic away from that path.
You can use an external load balancer such as Linux Virtual Server (LVS), Cisco Content Switching Module (CSM), or Avaya Load Balancing Manager.
Load Balancing allows you to:
Maximize FortiDDoS productivity
Scale FortiDDoS performance
Eliminate the FortiDDoS appliance as a single point of failure
Load balancing for FortiDDoS appliances requires a sandwich topology.
Sandwich topology for load balancing
Figure 141 shows a sandwich topology. In this example, load-balancing devices are deployed before and after a pair of FortiDDoS appliances: two 400B appliances support a total throughput of 8 Gbps. The same topology and throughput are possible using a single 800B appliance.
This type of design ensures the highest level of security because it physically separates the FortiDDoS interfaces using multiple switches.
Each load-balancing device balances traffic across the IP interfaces of the peer load-balancing device on the far side of the FortiDDoS appliances. Each FortiDDoS appliance resides in a different VLAN and subnet, and the physical ports connected to the FortiDDoS appliance are also on different VLANs. In addition, for each VLAN, both load-balancing devices are in the same subnet. Each load balancer interface and the FortiDDoS appliance connected to it reside in a separate VLAN. This configuration ensures persistency because all the traffic through a particular FortiDDoS appliance is contained in the appliance’s VLAN.
In a typical load-balancing device, there are two hash predictors:
Bidirectional hash requires both load-balancing devices to share a common hash value that ultimately produces the same route. You create bidirectional hashing by hashing the source and destination IP address along with the destination port of the given flow. The load-balancing devices ensure that all packets belonging to a session pass through the same FortiDDoS appliance in both directions: each device selects a FortiDDoS appliance based on a symmetric hash function of the source and destination IP addresses, so packets traveling between the same pair of IP addresses always traverse the same FortiDDoS appliance.
Unidirectional hash produces the route in the same fashion as a bidirectional hash, and additionally creates a TCP connection table in which the reverse flow path is defined. Return-path traffic is then matched against this connection table rather than hashed.
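The following Python sketch is an added illustration of the two predictors described above, not Fortinet's code or the implementation of any particular load balancer: a symmetric hash keyed on the unordered IP pair (the property that lets the two load balancers in the sandwich agree without sharing state), and a connection table that records the reverse path so return traffic is matched rather than re-hashed, together with the health-check diversion mentioned earlier. Appliance names and addresses are constructed sample values.

```python
import hashlib
from ipaddress import ip_address

# Constructed pool of FortiDDoS appliances behind the load balancer.
APPLIANCES = ["fortiddos-1", "fortiddos-2"]


def _bucket(data, pool):
    """Map a byte string onto one member of the pool with a stable hash."""
    digest = hashlib.sha256(data).digest()
    return pool[int.from_bytes(digest[:4], "big") % len(pool)]


def bidirectional_select(src_ip, dst_ip, pool=APPLIANCES):
    """Bidirectional hash predictor keyed on the unordered IP pair: sorting
    the addresses before hashing makes A->B and B->A hash identically, so
    both load balancers in the sandwich pick the same appliance."""
    pair = sorted((ip_address(src_ip).packed, ip_address(dst_ip).packed))
    return _bucket(b"".join(pair), pool)


class UnidirectionalPredictor:
    """Unidirectional hash predictor: hash the first packet of a flow on
    (src IP, dst IP, dst port), then record the reverse 5-tuple in a
    connection table so return traffic is matched rather than re-hashed."""

    def __init__(self, pool=APPLIANCES):
        self.pool = list(pool)
        self.table = {}  # 5-tuple -> appliance

    def select(self, src_ip, src_port, dst_ip, dst_port, proto="tcp"):
        fwd = (proto, src_ip, src_port, dst_ip, dst_port)
        rev = (proto, dst_ip, dst_port, src_ip, src_port)
        if fwd in self.table:
            return self.table[fwd]
        key = ip_address(src_ip).packed + ip_address(dst_ip).packed
        key += dst_port.to_bytes(2, "big")
        chosen = _bucket(key, self.pool)
        self.table[fwd] = chosen
        self.table[rev] = chosen  # reverse flow path defined up front
        return chosen

    def mark_down(self, appliance):
        """Health check failed: drop the path and forget flows pinned to it,
        so their next packet is re-hashed onto a healthy appliance."""
        self.pool.remove(appliance)
        for key in [k for k, v in self.table.items() if v == appliance]:
            del self.table[key]
```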
Figure 141: Sandwich topology for load balancing
 
Switch configuration for load balancing using FortiSwitch
For an example configuration for the FortiSwitch 248-B DPS Ethernet switch, see “Appendix C: Switch and Router Configuration”.