Firewall and Server Load Balancer Design

Peter Welcher
Architect, Operations Technical Advisor

I’ve been stuck with a picture in my head relating to Firewall and Server Load Balancer designs. This blog represents my best effort to transmit this picture to your head, to get it out of my brain. I’ve also now seen something like this in print. While that dilutes the novelty some, it also ratifies the concept to a degree. 

Here’s a diagram showing the traditional firewall pair or server load balancer (SLB) pair design, for oh, say, the last 10-15 years: 20130604-fwdiagram-01


I call this the square topology. Usually one firewall or SLB is active, the other passive. Or both are pseudo-active-active, i.e. active for some traffic and not the rest. The main drawback is that the stateful firewall or SLB polarizes traffic, i.e. uses only one of the two switches, the one adjacent to the active firewall or SLB. Worse, it tends to do that for the switch pair on either side of it. Then you’re stuck with the cost of redundant switches that you don’t even use. 

This looks like:


Well, Cisco VSS, vPC, or StackWise (3750/3850) technology provides us with an alternative. If you don’t have Cisco gear, any vendor’s MLAG (multi-chassis link aggregation) will do.

Here’s that alternative: 20130604-fwdiagram-02


That is, each firewall or SLB is set up with two links in a port-channel to the VSS, vPC, or StackWise switch pair. This is the “bow-tie topology”. The firewall or SLB thinks it is in a port-channel to a single device. The vendor may or may not officially support this, however it seems unlikely anything could go wrong, unless the vendor got creative with protocols somehow. 

The advantages:

  1. Port-channel load balancing should cause both switches to be used in both directions.
  2. Single switch failure (probably) does not trigger firewall or SLB failover. This may or may not be configurable, depending on device vendor.

Traffic flow now looks like:


Dual-active clustering would of course use both switches and both firewalls or SLBs. One virtue of active-passive is you’ll never unknowingly have joint throughput exceeding what a single device can handle.

Life Log

I’m back from a week of driving and walking (Las Vegas, Grand Canyon, Bryce Canyon). If you’re wondering why the blogging paused, well, I was clearing my desk then aggressively vacationing, and now catching up. 

I’ve got lots more blog ideas and hope to put some of them in front of you soon, along with more from the CCIE R&S prep series. In particular, I’ve got some Pete’s pent up pithy comments on OpenFlow, SDN, and odd notions of QoS I’ve been mulling over, and they’re about ripe for transmission.


The vendors for Network Field Day 5 (#NFD5) paid for my travel expenses and perhaps small items, so I wish to disclose that in my blogs now. The vendors in question are: Cisco, Brocade, Juniper, Plexxi, Ruckus, and SolarWinds. I’d like to think that my blogs aren’t influenced by that. Yes, the time spent in presentations and discussion gets me and the other attendees looking at and thinking about the various vendors’ products, marketing spin, and their points of view. I intend to try to remain as objective as possible in my blogs. I’ll concede that cool technology gets my attention!

Stay tuned!

Twitter: @pjwelcher


2 responses to “Firewall and Server Load Balancer Design

  1. so if you have a VSS pair at North of the FW cluster and VPC at South, would you mirror the bow-tie topology? in this case for each firewall in the cluster, 2 physical connections for fw cluster, 2 for vss (north) and 2 for vpc(south)
    is that accurate to say?

  2. It mostly doesn’t matter whether you have vPC on one side and VSS on the other. The idea works either way. So yes in that regard.

    The one thing to watch out for is dynamic routing. If you want your firewall dynamic routing to the switches (as I do, more and more, laterly — simpler). You don’t want to be doing routing over a vPC member link. So for now vPC implies your firewall is doing static routing over the vPC member links port-channel.

Leave a Reply


Nick Kelly

Cybersecurity Engineer, Cisco

Nick has over 20 years of experience in Security Operations and Security Sales. He is an avid student of cybersecurity and regularly engages with the Infosec community at events like BSides, RVASec, Derbycon and more. The son of an FBI forensics director, Nick holds a B.S. in Criminal Justice and is one of Cisco’s Fire Jumper Elite members. When he’s not working, he writes cyberpunk and punches aliens on his Playstation.


Virgilio “BONG” dela Cruz Jr.

CCDP, CCNA V, CCNP, Cisco IPS Express Security for AM/EE
Field Solutions Architect, Tech Data

Virgilio “Bong” has sixteen years of professional experience in IT industry from academe, technical and customer support, pre-sales, post sales, project management, training and enablement. He has worked in Cisco Technical Assistance Center (TAC) as a member of the WAN and LAN Switching team. Bong now works for Tech Data as the Field Solutions Architect with a focus on Cisco Security and holds a few Cisco certifications including Fire Jumper Elite.


John Cavanaugh

CCIE #1066, CCDE #20070002, CCAr
Chief Technology Officer, Practice Lead Security Services, NetCraftsmen

John is our CTO and the practice lead for a talented team of consultants focused on designing and delivering scalable and secure infrastructure solutions to customers across multiple industry verticals and technologies. Previously he has held several positions including Executive Director/Chief Architect for Global Network Services at JPMorgan Chase. In that capacity, he led a team managing network architecture and services.  Prior to his role at JPMorgan Chase, John was a Distinguished Engineer at Cisco working across a number of verticals including Higher Education, Finance, Retail, Government, and Health Care.

He is an expert in working with groups to identify business needs, and align technology strategies to enable business strategies, building in agility and scalability to allow for future changes. John is experienced in the architecture and design of highly available, secure, network infrastructure and data centers, and has worked on projects worldwide. He has worked in both the business and regulatory environments for the design and deployment of complex IT infrastructures.