VPN Load Balancing on the CSM

You can use the CSM to load balance VPN connections across your VPN termination devices, which increases their aggregate performance and provides redundancy. Example 11-15 gives a dispatch-mode CSM VPN load balancing configuration.

Example 11-15. Configuring VPN Load Balancing on the CSM
Note The CSS does not support VPN load balancing because it does not understand the IPsec protocols.
To configure your CSM for VPN load balancing, you must create virtual servers for the Authentication Header (AH), Encapsulating Security Payload (ESP), and Internet Key Exchange (IKE) protocols. IKE runs over UDP port 500 (UDP port 4500 when NAT traversal is in use), whereas AH and ESP are IP protocols in their own right (protocol numbers 51 and 50) and carry no TCP or UDP port at all, so no single TCP virtual server can match them. Similar to SSL, which spreads one session over several TCP connections, an IPsec VPN session is made up of several distinct flows. Therefore, to ensure that
Note If you want to configure directed-mode VPN load balancing, simply enter the command nat server in server farm configuration mode. Be cautious when rewriting fields within VPN traffic on your content switch because many VPN protocols have security features that protect the integrity of VPN messages. In particular, the AH integrity check value covers the immutable fields of the outer IP header, including the destination address, so rewriting the destination address with nat server causes the VPN device to reject AH packets. ESP does not authenticate the outer IP header, but IKE's NAT detection will notice that the address the peer used differs from the one that arrived, and the peers then depend on NAT traversal (UDP encapsulation on port 4500) being supported on both sides.
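As an added example, not from the book and not the CSM's own code, the following Python model reproduces the virtual-server layout just described and shows why all of one client's IPsec flows must be stuck to the same VPN device: IKE is matched on UDP port 500, ESP and AH on their IP protocol numbers, and a source-IP sticky entry is either shared by all of the virtual servers or kept per virtual server. Treating the shared sticky group as the requirement is my assumption about the sentence cut off above; the model also adds a UDP port 4500 NAT-traversal virtual server that the text does not mention, and the real-server and client addresses are constructed.

```python
from collections import namedtuple

# Constructed model of dispatch-mode IPsec VPN load balancing (not CSM code).
UDP, ESP, AH = 17, 50, 51          # IP protocol numbers
NAT_T_PORT = 4500                  # RFC 3948 UDP encapsulation; not in the book's text

# src/dst are the client address and the virtual IP; dport is None for
# protocols that carry no transport-layer port (ESP, AH).
Flow = namedtuple("Flow", "src dst proto dport")

# One virtual server per IPsec component. ESP and AH have no ports, so they
# are matched on IP protocol number alone.
VSERVERS = (
    ("VPN-IKE",  UDP, 500),
    ("VPN-NATT", UDP, NAT_T_PORT),
    ("VPN-ESP",  ESP, None),
    ("VPN-AH",   AH,  None),
)


def match_vserver(flow):
    """Return the virtual server name a flow hits, or None if nothing matches."""
    for name, proto, port in VSERVERS:
        if flow.proto == proto and (port is None or flow.dport == port):
            return name
    return None


class VpnContentSwitch:
    """Dispatch-mode switch: picks a real server, never rewrites the packet."""

    def __init__(self, reals, shared_sticky_group):
        self.reals = list(reals)
        # True: one sticky table keyed by client address, shared by every
        # virtual server. False: each virtual server keeps its own table,
        # which is the misconfiguration the example demonstrates.
        self.shared = shared_sticky_group
        self.sticky = {}
        self._next = 0                      # round-robin pointer for new clients

    def dispatch(self, flow):
        vserver = match_vserver(flow)
        if vserver is None:
            return None                     # not VPN traffic; other policy applies
        key = flow.src if self.shared else (vserver, flow.src)
        real = self.sticky.get(key)
        if real is None:
            real = self.reals[self._next % len(self.reals)]
            self._next += 1
            self.sticky[key] = real
        return real


def session_reals(switch, client, vip):
    """Which real each component flow of one client's VPN session lands on."""
    flows = (
        Flow(client, vip, UDP, 500),        # IKE negotiation
        Flow(client, vip, ESP, None),       # encrypted data
        Flow(client, vip, AH, None),        # authenticated data
    )
    return {match_vserver(f): switch.dispatch(f) for f in flows}


def session_is_consistent(switch, client, vip):
    """A usable session needs every flow on the same VPN termination device."""
    return len(set(session_reals(switch, client, vip).values())) == 1


if __name__ == "__main__":
    reals = ("10.1.1.10", "10.1.1.11")      # constructed VPN concentrators
    for shared in (True, False):
        sw = VpnContentSwitch(reals, shared_sticky_group=shared)
        print("shared sticky group" if shared else "per-vserver sticky",
              session_reals(sw, "198.51.100.7", "192.0.2.100"))
```

With two reals and round-robin selection, the per-virtual-server variant sends the client's IKE and ESP flows to different devices, so the tunnel negotiated on one concentrator never sees its data packets; the shared sticky group keeps the whole session on one device.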
Preventing Connection Table Flooding using SYN-Cookies
To avoid filling up its connection table during SYN-flood-based Denial of Service (DoS) attacks, the CSM uses SYN-cookies, which were covered
However, with SYN-cookies, instead of allocating a record for every SYN segment from its
Figure 11-7. Using SYN-Cookies to Prevent SYN-Flood Traffic from Flooding the CSM Connection Table
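An added example, not from the book and not the CSM's implementation: a Python model of a SYN-cookie terminator along the lines of Bernstein's scheme. The SYN-ACK initial sequence number carries a coarse timestamp, an MSS index and a 24-bit truncated HMAC over the connection 4-tuple, so answering a SYN allocates nothing; only an ACK that returns a valid and fresh cookie creates a connection-table entry, which is why a flood of spoofed SYNs leaves the table empty. The bit layout, tick size, acceptance window and MSS table are my choices, and all addresses are constructed.

```python
import hashlib
import hmac
import os
import time

# Constructed model (not CSM code) of SYN-cookie protection for a load balancer
# that terminates TCP: half-open state lives in the SYN-ACK sequence number.

TICK_SECONDS = 64                       # cookie timestamp granularity
COOKIE_WINDOW_TICKS = 2                 # accept cookies up to 2 ticks old
MSS_TABLE = (536, 1220, 1440, 1460)     # MSS values encodable in the 3-bit field


class SynCookieTerminator:
    def __init__(self, secret=None, clock=time.time):
        self.secret = secret if secret is not None else os.urandom(16)
        self.clock = clock                  # injectable so tests can age cookies
        self.connections = {}               # (src, sport, dst, dport) -> MSS

    def _tick(self):
        return int(self.clock() // TICK_SECONDS)

    def _mac(self, src, sport, dst, dport, tick, mss_idx):
        # 24-bit truncated HMAC over the 4-tuple, the tick and the MSS index, so
        # nobody can mint or alter a cookie without the secret.
        msg = f"{src}|{sport}|{dst}|{dport}|{tick}|{mss_idx}".encode()
        return hmac.new(self.secret, msg, hashlib.sha256).digest()[:3]

    def handle_syn(self, src, sport, dst, dport, mss):
        """Answer a SYN with a cookie as the ISN; deliberately stores nothing."""
        mss_idx = 0
        for i, value in enumerate(MSS_TABLE):
            if value <= mss:
                mss_idx = i                 # largest table entry not above the offer
        tick = self._tick()
        mac = int.from_bytes(self._mac(src, sport, dst, dport, tick, mss_idx), "big")
        # 32-bit ISN layout: 5 bits tick | 3 bits MSS index | 24 bits MAC
        return ((tick & 0x1F) << 27) | (mss_idx << 24) | mac

    def handle_ack(self, src, sport, dst, dport, ack_num):
        """Recover the cookie from the ACK; create a table entry only if it checks out."""
        cookie = (ack_num - 1) & 0xFFFFFFFF
        tick_bits = cookie >> 27
        mss_idx = (cookie >> 24) & 0x7
        mac = (cookie & 0xFFFFFF).to_bytes(3, "big")
        if mss_idx >= len(MSS_TABLE):
            return False
        now = self._tick()
        for age in range(COOKIE_WINDOW_TICKS + 1):
            tick = now - age
            if (tick & 0x1F) != tick_bits:
                continue
            if hmac.compare_digest(mac, self._mac(src, sport, dst, dport, tick, mss_idx)):
                self.connections[(src, sport, dst, dport)] = MSS_TABLE[mss_idx]
                return True
        return False                        # forged, stale, or not ours


def syn_flood(term, count, dst="192.0.2.10", dport=443):
    """Spoofed SYNs that never complete; returns the table size afterwards."""
    for i in range(count):
        term.handle_syn(f"203.0.113.{i % 254 + 1}", 1024 + i, dst, dport, 1460)
    return len(term.connections)


if __name__ == "__main__":
    term = SynCookieTerminator()
    print("table after 10000 spoofed SYNs:", syn_flood(term, 10000))
    isn = term.handle_syn("198.51.100.7", 40000, "192.0.2.10", 443, 1400)
    print("legitimate handshake accepted:",
          term.handle_ack("198.51.100.7", 40000, "192.0.2.10", 443, isn + 1))
    print("table now:", term.connections)
```

The MSS index is included in the MAC input so the client cannot flip those bits; the timestamp window bounds how long a captured cookie can be replayed, and the secret is what stops an attacker who knows the layout from completing handshakes for addresses it does not control.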
Summary

In this chapter, you learned how to configure the following technologies on your content switches:
Content switching enables you to increase the performance of your SSL, firewall, and VPN devices, in terms of packets per second, connections per second, and bandwidth. You can also increase the scalability of these devices with content switching technologies.