From: Frank Jimenez (franjime@xxxxxxxxx)
Date: Tue Feb 20 2001 - 02:19:21 GMT-3
Mike,
One thing that you might consider (Frank puts on his Cisco Sales Hat(tm) for a moment...) is placing a CSS-11000 Content Switching box either in front or behind (or both) of the PIXs or CheckPoints. The CSS-11000 has some unique load-balancing features that lend themselves well for designing highly available networks such as the one you are working up. This gives you the advantage of being able to actually load-balance with the PIXs, instead of using failover.
I have several documents that show how this is done, but I can't find any on the external Cisco sites right now. Since this is a little off-topic of CCIE lab studies, email me off line and I'll send them to you...
Frank Jimenez, CCIE #5738
franjime@cisco.com
At 10:17 PM 02/19/2001 -0600, Andrew Short wrote:
>On Mon, 19 Feb 2001, Fabricio Aponte wrote:
>
>> Mike!
>>
>> This is what I would do:
>>
>> First of all, PIX firewalls do not route, but, as you already know,
>> checkpoints do, so if you want, use a checkpoint box instead.
>
>Actually, as layer-3 devices, PIX's MUST route if traffic is to be passed
>between their interfaces. They also will (if my memory recalls correctly)
>run RIP. But why you'd run RIP on a PIX is beyond me.
>
>Now...the Lucent firewall (John Chambers forgive me) doesn't route, but
>then it is a data-link device filtering on network layer information. An
>interesting idea. I am going to give it a whirl on a FreeBSD box soon.
>
>> This is what I would do:
>>
>>
>>   [BGP]---[BGP]
>>     |       |
>> ------[PIX]-----failovercable---[PIX]
>> |       |       |
>> |     [ A ]---[ A ]
>> |       |       |
>> --[CPT]---[CPT]--
>>     |       |
>>   [ B ]---[ B ]
>>
>> Use only one PIX firewall, and use a failover cable to connect a redundant
>> PIX. One thing that I like better about this set up than the one you have,
>> is that if you have two different PIX firewalls in between this network,
>> management is going to turn ugly. If you want BGP to route to A or to B, or
>> if you want network A to route to B, it is going to go through two PIX
>> firewalls and if the network admin that you are designing this for is not
>> good, he is going to have a hard time every time he needs to add a conduit.
>>
>> With the failover command, all you do is configure one PIX, and the other
>> one will copy the configuration from the primary. Obviously, the network
>> connections of the primary PIX are exactly as the ones from the secondary,
>> so if one fails it should be invisible.
>>
>> If any questions, call the Houston TAC. Those guys are good ;)
>>
>>
>> Fab
>>
>> -----Original Message-----
>> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com]On Behalf Of
>> Michael Le
>> Sent: Monday, February 19, 2001 9:55 PM
>> To: ccielab@groupstudy.com
>> Subject: Firewall Design Question
>>
>>
>> Since firewalls shouldn't run routing protocols,
>> could someone give me advice on how to set up my
>> proposed redundant firewalls.
>> Please refer to my ugly ASCII network.
>>
>>   [BGP]---[BGP]
>>     |       |
>> --[PIX]---[PIX]--
>> |   |       |   |
>> | [ A ]---[ A ] |
>> |   |       |   |
>> --[CPT]---[CPT]--
>>     |       |
>>   [ B ]---[ B ]
>>
>> I plan to have two failover PIXs right behind two
>> BGP routers to the Internet. On the inside of the PIXs
>> I have one connection going to Network A and another
>> going to Network B. But right in front of Network B
>> (critical production network), I have a load balancing
>> set of Checkpoint firewalls. The Checkpoints are
>> connected to both Network A & B, which are actually
>> 6509 w/MSFCs.
>> I want it done so that the Checkpoint will forward
>> data to A when destined there and send all other
>> packets to the PIX. However, if the Checkpoint's link
>> to the PIX goes down, I want it to be able to send
>> traffic through network A and to the PIX from
>> there. I want it to work the other way around for the
>> PIX going to network B.
>> My question is, how would I do that if the
>> firewalls don't run a routing protocol? Do the PIXs
>> allow for floating statics?
>> Thanks for your help.
>>
>> Michael
>>
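The failover-pair approach Fab describes above (configure one PIX, let the standby copy it) looks like the following on a PIX running 5.x/6.x software. This is an added illustration, not a configuration posted by anyone in the thread; the interface names, the 192.0.2.0/24 and 10.1.1.0/24 addresses and the inside network 10.20.0.0/16 are constructed placeholders, and the inside gateway 10.1.1.254 stands in for whichever MSFC the PIX hands traffic to.

```cisco
! --- Primary PIX only; the standby receives this via the failover cable ---
nameif ethernet0 outside security0
nameif ethernet1 inside security100

! Active addresses (owned by whichever unit is currently active)
ip address outside 192.0.2.2 255.255.255.0
ip address inside 10.1.1.1 255.255.255.0

! Enable failover and give the standby unit its own address on each interface
! (the standby swaps to the active addresses when it takes over)
failover
failover poll 15
failover ip address outside 192.0.2.3
failover ip address inside 10.1.1.2

! Static routes entered once here; they replicate to the standby with the
! rest of the configuration. Default to the BGP edge, inside prefix to the MSFC.
route outside 0.0.0.0 0.0.0.0 192.0.2.1 1
route inside 10.20.0.0 255.255.0.0 10.1.1.254 1

! Push the running configuration to the standby explicitly after changes
write memory
write standby
```

Two checks worth doing once the pair is cabled: `show failover` on both units should report one as Active and the other as Standby with every monitored interface in Normal state, and `show route` on the standby should list the same statics as the primary, which confirms that a conduit or route added on the primary really did replicate. Routing around a failed link as Michael asks for (sending traffic via network A when the direct PIX link is down) is a routing-table decision on the MSFCs and Checkpoints rather than something this failover configuration provides; the failover pair only protects against loss of a PIX unit or one of its interfaces.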
This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 10:28:53 GMT-3