RE: load balance outof PIX

From: Scott Morris (smorris@xxxxxxxxxxxxxx)
Date: Wed Jun 14 2000 - 22:48:57 GMT-3


I have more of a problem with the technical design of the situation and
placement of technology... I'm not arguing whether multiple HSRP is or is
not possible. Just plausible! :)

I wouldn't do it, but that's a personal note.

Scott

-----Original Message-----
From: abdul_rahim@ccsi.canon.com [mailto:abdul_rahim@ccsi.canon.com]
Sent: Wednesday, June 14, 2000 11:29 AM
To: George Spahl
Cc: Scott Morris; pkm@calweb.com; 'John Conzone'; ccielab@groupstudy.com
Subject: RE: load balance outof PIX

Yeah, that's what I am doing up here. If there is any better solution,
inform me as well.

The other possibility could be that your clients are configured with their
own address as the default gateway. In that case there will be no need for
configuring even the HSRP, and the clients will be accessing outside the
LAN (local subnet) because of the Proxy ARP on the routers, but it's not a
very controlled solution.
Anyway, I don't think there is any possibility on HSRP because the basic
topology of HSRP is active and standby and not two actives.

Thanks
Abdul

George Spahl <georges@iglou.com> on 06/10/2000 10:30:21 AM

Please respond to George Spahl <georges@iglou.com>

To: "Scott Morris" <smorris@ccci.com>
      pkm@calweb.com
      "'John Conzone'" <jkconzone@home.com>
cc: ccielab@groupstudy.com (bcc: Abdul Rahim/IS
      Operations/Operations/CCSI)
Subject: RE: load balance outof PIX

I'm not sure if this works or not, but couldn't you use two instances of
HSRP on the two routers with two virtual IP addresses? That is, each router
would be the primary for one and the secondary for the other virtual IP
address. If half the clients pointed at one and the other half to the
other, the other router should take over in case one of the interfaces was
down, and you would also be doing load balancing of a sort. Somebody
correct me if I'm on the wrong track here.
George

At 07:30 AM 6/5/00 -0400, Scott Morris wrote:
>That will solve the problem of availability, however it won't do load
>balancing. Even listening to RIP updates, you won't get duplicate entries
>(even equal cost) within the PIX's table...
>
>So from a failover perspective, you are correct, and that will work
>wonderfully. From a load balancing perspective, however, I think that puts
>us in the same boat still... I agree with you that if the customer is set
>on adding routers then his solution is the way to go, I just don't like
>adding hardware only to achieve the same single point of failure. I guess
>that's just a personal thing (grin).
>
>Scott
>
>-----Original Message-----
>From: nobody@groupstudy.com [mailto:nobody@groupstudy.com]On Behalf Of
>pkm@calweb.com
>Sent: Monday, June 05, 2000 12:06 AM
>To: John Conzone
>Cc: smorris@ccci.com; ccielab@groupstudy.com
>Subject: Re: load balance outof PIX
>
>
>It is correct the PIX is firewall not a router. However, it will be
>able to broadcast a default route to the inside network and/or outside
>by using the commands:
>rip inside(outside) default
>rip inside (outside) passive
>PIX will listen for RIP routing broadcasts and use that information to
>populate its routing table. SHOW RIP will indicate your RIP
>configuration on RIP.
>To your problem, and I have EIGRP running inside my internal network,
>was to have some default routes pointing to the PIX firewall. It works.
>Redistribution crossed my mind but I do not think you can do it due to
>very limited routing functionality of PIX.
>
>I think having another router in the mix might be the only way to go.
>However, you still have a single point of failure with the extra router:
>your router. It looks like your design will meet your customer's
>requirements. Also, it is a lot of trouble for what the customer wants.
>I do not think you get true fault tolerance if you go through the same
>ISP. I will advise having another ISP and activate the line in the case
>the other one is totally out of service. Let me know what you think.
>Good luck if you get this scenario to work. My 2 cents.
>
>Phillip K. Moulay
>
>
>John Conzone wrote:
>
>> Hi, Scott. The purpose of the second link is that the customer
>> wants fault tolerance to the same ISP. The second link goes through a
>> different backhaul so it is supposedly truly redundant, although they
>> both pull off the same smart ring. They have also agreed to terminate
>> on different dacs as well. Anyway, the customer wants to use the
>> second link since they are paying for it anyway. They would like to
>> load balance outbound over the different links, and of course have
>> redundancy should one link fail. So I'm thinking of placing a
>> router between the PIX and the ISP routers, running EIGRP between the
>> three, and having the ISP routers source defaults to the PIX gateway
>> router. That way the gateway router will load balance between the two
>> ISP routers as long as both source a default, and if one ISP router
>> fails the default from it will drop out. But now I'm thinking if
>> there is a way to have the default drop out if the serial link on an
>> ISP router goes away. Don't think so. Hmmmm. If I run HSRP on the ISP
>> routers I can track the serials, but only have one route out. The
>> plot thickens.
>>
>> ----- Original Message -----
>> From: Scott Morris
>> To: 'John Conzone'
>> Cc: ccielab@groupstudy.com
>> Sent: Sunday, June 04, 2000 4:34 PM
>> Subject: RE: load balance outof PIX
>> The first question would be, why do you need a second
>> router connecting to the same ISP? Are you looking for
>> failover of the routers, or load balancing on the
>> circuits? Secondly, the PIX will only allow ONE route
>> statement per network. So if you have one "route outside 0
>> 0 (ip)" statement, and try to add another with the same
>> network, the PIX will generate an error as if you typed it
>> wrong. The same holds true for any network. If there's a
>> numerical overlap, that happens. Keep in mind that the PIX is
>> not a router, and not designed to be one. It's a
>> firewall. If possible for what you're trying to accomplish,
>> I'd suggest the load balancing on the router (two static
>> routes will get addressed in a round robin fashion for load
>> balancing). Otherwise, if you want router redundancy, look
>> at doing HSRP on the routers. Just a thought....
>>
>> Scott Morris, MCSE, CNE(3.x), CCDP (R&S), CCIE (R&S) #4713,
>> Security Specialization, CCNA - WAN Switching
>> CCSI #21903
>> smorris@ccci.com
>>
>>
>> ---------------------------------------------------------------------
>>
>> Chesapeake Network Solutions http://www.ccci.com
>> Cell Phone: 941-350-8590
>> e-mail:smorris@ccci.com
>> Pager: 800-490-1326 Fax:
>> 606-225-8403
>>
>> -----Original Message-----
>> From: nobody@groupstudy.com
>> [mailto:nobody@groupstudy.com]On Behalf Of John
>> Conzone
>> Sent: Sunday, June 04, 2000 3:17 PM
>> To: ccielab
>> Subject: load balance outof PIX
>>
>> Hi, all. I have a scenario where I have a LAN
>> whose default gateway is a PIX to get to the net.
>> (Actually 2 running failover). The PIX outside
>> then defaults to one internet router. I'm
>> adding a second router to the same ISP and want to
>> load balance out to the net from the PIX. I can't
>> think of a way to do this directly from the PIX
>> (my reading says PIX doesn't support dynamic
>> routing or dual defaults, but hopefully I read
>> wrong!) without putting a third router in between
>> the PIX and the 2 ISP routers and putting 2 defaults
>> in that router, or running a routing protocol between
>> the 2 ISP routers and the third router and
>> advertising defaults from the 2 ISP routers.
>> First, does anyone from their experience know of a
>> way to do this without the third router? If
>> not, if I use dual static defaults and one of the
>> routers goes down, the route will still be in
>> there, so I'm thinking if I have to go with the
>> third router, having it receive dynamic defaults
>> from the ISP routers is best. Thanks!
>>
>
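As an added illustration for archive readers (not configuration from any of the posters), this is the two-group HSRP arrangement George describes, combined with the serial-interface tracking John mentions. Router names, the 10.1.1.0/24 addressing, and the Ethernet0/Serial0 interface numbers are assumptions.

```cisco
! Router A: active for group 1 (.254), standby for group 2 (.253).
! Addresses and interface numbers are assumed for this example.
interface Ethernet0
 ip address 10.1.1.2 255.255.255.0
 standby 1 ip 10.1.1.254
 standby 1 priority 110
 standby 1 preempt
 standby 1 track Serial0 20
 standby 2 ip 10.1.1.253
 standby 2 priority 100
 standby 2 preempt
 standby 2 track Serial0 20
!
! Router B: mirror image, active for group 2, standby for group 1.
interface Ethernet0
 ip address 10.1.1.3 255.255.255.0
 standby 1 ip 10.1.1.254
 standby 1 priority 100
 standby 1 preempt
 standby 1 track Serial0 20
 standby 2 ip 10.1.1.253
 standby 2 priority 110
 standby 2 preempt
 standby 2 track Serial0 20
!
! If Router A's Serial0 goes down, its group 1 priority drops from 110
! to 90, below Router B's 100, so Router B preempts and takes over .254.
! Hosts split between .254 and .253 share load only while both serials
! are up; after a failure all traffic rides the surviving router.
```

This only load-shares when the hosts themselves are divided between the two virtual addresses; a PIX holding its single "route outside 0 0" statement can point at just one of them, which is the limitation Scott raises earlier in the thread.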



This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 08:23:42 GMT-3