RE: load balance outof PIX

From: Scott Morris (smorris@xxxxxxxx)
Date: Mon Jun 05 2000 - 08:30:12 GMT-3


That will solve the problem of availability, however it won't do load
balancing. Even listening to RIP updates, you won't get duplicate entries
(even equal cost) within the PIX's table...

So from a failover perspective, you are correct, and that will work
wonderfully. From a load balancing perspective, however, I think that puts
us in the same boat still... I agree with you that if the customer is set
on adding routers, then his solution is the way to go; I just don't like
adding hardware only to achieve the same single point of failure. I guess
that's just a personal thing (grin).

Scott

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com]On Behalf Of
pkm@calweb.com
Sent: Monday, June 05, 2000 12:06 AM
To: John Conzone
Cc: smorris@ccci.com; ccielab@groupstudy.com
Subject: Re: load balance outof PIX

It is correct that the PIX is a firewall, not a router. However, it will be
able to broadcast a default route to the inside network and/or outside
by using the commands:
rip inside (outside) default
rip inside (outside) passive
The PIX will listen for RIP routing broadcasts and use that information to
populate its routing table. "show rip" will display your RIP
configuration.
My solution to your problem (I have EIGRP running inside my internal network)
was to have some default routes pointing to the PIX firewall. It works.
Redistribution crossed my mind, but I do not think you can do it due to
the very limited routing functionality of the PIX.

I think having another router in the mix might be the only way to go.
However, you still have a single point of failure with the extra router:
your router. It looks like your design will meet your customer's
requirements. Also, it is a lot of trouble for what the customer wants.
I do not think you get true fault tolerance if you go through the same
ISP. I would advise having another ISP and activating the line in case
the other one is totally out of service. Let me know what you think.
Good luck if you get this scenario to work. My 2 cents.

Phillip K. Moulay

John Conzone wrote:

> Hi, Scott. The purpose of the second link is that the customer
> wants fault tolerance to the same ISP. The second link goes through a
> different backhaul so it is supposedly truly redundant, although they
> both pull off the same smart ring. They have also agreed to terminate
> on different DACS as well. Anyway, the customer wants to use the
> second link since they are paying for it anyway. They would like to
> load balance outbound over the different links, and of course have
> redundancy should one link fail. So I'm thinking of placing a
> router between the PIX and the ISP routers, running EIGRP between the
> three, and having the ISP routers source defaults to the PIX gateway
> router. That way the gateway router will load balance between the two
> ISP routers as long as both source a default, and if one ISP router
> fails the default from it will drop out. But now I'm thinking if
> there is a way to have the default drop out if the serial link on an
> ISP router goes away. Don't think so. Hmmmm. If I run HSRP on the ISP
> routers I can track the serials, but only have one route out. The
> plot thickens.
>
> ----- Original Message -----
> From: Scott Morris
> To: 'John Conzone'
> Cc: ccielab@groupstudy.com
> Sent: Sunday, June 04, 2000 4:34 PM
> Subject: RE: load balance outof PIX
> The first question would be, why do you need a second
> router connecting to the same ISP? Are you looking for
> failover of the routers, or load balancing on the
> circuits? Secondly, the PIX will only allow ONE route
> statement per network. So if you have one "route outside 0
> 0 (ip)" statement, and try to add another with the same
> network, the PIX will generate an error as if you typed it
> wrong. The same holds true for any network. If there's a
> numerical overlap, that happens. Keep in mind that the PIX is
> not a router, and not designed to be one. It's a
> firewall. If possible for what you're trying to accomplish,
> I'd suggest the load balancing on the router (two static
> routes will get addressed in a round robin fashion for load
> balancing). Otherwise, if you want router redundancy, look
> at doing HSRP on the routers. Just a thought....
>
> Scott Morris, MCSE, CNE(3.x), CCDP (R&S), CCIE (R&S) #4713,
> Security Specialization, CCNA - WAN Switching
> CCSI #21903
> smorris@ccci.com
>
> --------------------------------------------------------------------------------------------------------
>
> Chesapeake Network Solutions http://www.ccci.com
> Cell Phone: 941-350-8590
> e-mail:smorris@ccci.com
> Pager: 800-490-1326 Fax: 606-225-8403
>
> -----Original Message-----
> From: nobody@groupstudy.com
> [mailto:nobody@groupstudy.com]On Behalf Of John
> Conzone
> Sent: Sunday, June 04, 2000 3:17 PM
> To: ccielab
> Subject: load balance outof PIX
>
> Hi, all. I have a scenario where I have a LAN
> whose default gateway is a PIX to get to the net.
> (Actually 2 running failover). The PIX outside
> then defaults to one internet router. I'm
> adding a second router to the same ISP and want to
> load balance out to the net from the PIX. I can't
> think of a way to do this directly from the PIX
> (my reading says PIX doesn't support dynamic
> routing or dual defaults, but hopefully I read
> wrong!) without putting a third router in between
> the PIX and the 2 ISP routers and putting 2 defaults
> in that router or running a routing protocol between
> the 2 ISP routers and the third router and
> advertising defaults from the 2 ISP routers.
> First, does anyone from their experience know of a
> way to do this without the third router? If
> not, and I use dual static defaults, then if one of the
> routers goes down the route will still be in
> there, so I'm thinking that if I have to go with the
> third router, having it receive dynamic defaults
> from the ISP routers is best. Thanks!
>

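Added example, not taken from any of the messages above: a sketch in Cisco IOS and PIX syntax of the three-router design John describes (PIX, one gateway router, two ISP-facing routers running EIGRP). Hostnames, addresses, interface names and the EIGRP AS number are assumed for illustration. It shows the one piece the thread leaves open, how an ISP router's default can drop out when its serial link fails: bind the static default to the serial interface and redistribute it into EIGRP, so the route leaves that router's table (and stops being advertised) when the serial line protocol goes down. While both links are up the gateway router holds two equal-cost external defaults and load-shares across them; the PIX keeps its single static default toward the gateway router, since it will not accept a second one.

```cisco
! ---- isp-rtr-a (isp-rtr-b is identical apart from addresses) ----
! Assumed addressing: serial 203.0.113.2/30 to the ISP, 10.0.1.2/24 on the
! shared segment to the gateway router (isp-rtr-b uses 10.0.1.3).
hostname isp-rtr-a
!
interface Serial0/0
 description Circuit 1 to ISP
 ip address 203.0.113.2 255.255.255.252
!
interface FastEthernet0/0
 description Shared segment to gw-rtr
 ip address 10.0.1.2 255.255.255.0
!
! Default bound to the exit interface, not to a next-hop address. IOS removes
! an interface-bound static route when that interface's line protocol goes
! down, so the redistributed EIGRP default below is withdrawn with it.
ip route 0.0.0.0 0.0.0.0 Serial0/0
!
router eigrp 100
 network 10.0.0.0
 redistribute static
 ! Same default-metric on both ISP routers so the two defaults come out
 ! equal-cost at gw-rtr (bandwidth delay reliability load MTU).
 default-metric 1544 2000 255 1 1500
 no auto-summary
!
! ---- gw-rtr: between the PIX outside interface and the two ISP routers ----
! Assumed addressing: 10.0.0.1/24 toward the PIX, 10.0.1.1/24 toward the
! ISP routers. It is the single point of failure the thread points out.
hostname gw-rtr
!
interface FastEthernet0/0
 description Toward PIX outside (PIX is 10.0.0.2)
 ip address 10.0.0.1 255.255.255.0
!
interface FastEthernet0/1
 description Shared segment to isp-rtr-a / isp-rtr-b
 ip address 10.0.1.1 255.255.255.0
!
router eigrp 100
 network 10.0.0.0
 no auto-summary
! EIGRP installs both external defaults (D*EX 0.0.0.0/0 via 10.0.1.2 and
! via 10.0.1.3) only while their metrics are equal; with unequal metrics
! only the better one is used unless "variance" is configured.
!
! ---- PIX: single static default toward gw-rtr ----
! A second "route outside 0 0 ..." is rejected, as Scott describes.
ip address outside 10.0.0.2 255.255.255.0
route outside 0.0.0.0 0.0.0.0 10.0.0.1 1
```

To check it, "show ip route 0.0.0.0" on gw-rtr should list two next hops with both circuits up and one after a serial goes down; "show route" on the PIX always shows the single default to 10.0.0.1. Two caveats a practitioner should keep in mind: an interface-bound default only tracks the local line protocol, so a failure beyond the local loop that leaves the serial up (the far-end router losing its own upstream) is not detected and traffic sent that way is black-holed; and, as Scott and Phillip both note, gw-rtr itself remains a single point of failure, so this buys load sharing across the two circuits, not protection against the gateway router failing.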


This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 08:23:40 GMT-3