Re: Firewall Design Question

From: Peter (peter@xxxxxxxxx)
Date: Tue Feb 20 2001 - 03:25:09 GMT-3


Correct but to successfully load balance firewalls, you must have the
CSS11000's in front AND behind the FW's. You must sandwich them to make
sure all "flows" go through the correct FW. You have the same issue with
SSL, which must stick a session to one server, or firewall in this case. It
is the only way to maintain state. This makes for a complex design, so why not
just get a pair of PIX535's running failover? Throw all the bandwidth you
want at it, plus fault tolerance :)

Peter

----- Original Message -----
From: "Frank Jimenez" <franjime@cisco.com>
To: "CCIE Study Group" <ccielab@groupstudy.com>
Sent: Monday, February 19, 2001 11:19 PM
Subject: RE: Firewall Design Question

> Mike,
>
> One thing that you might consider (Frank puts on his Cisco Sales
> Hat(tm) for a moment...) is placing a CSS-11000 Content Switching box either
> in front or behind (or both) of the PIXs or CheckPoints. The CSS-11000 has
> some unique load-balancing features that lend themselves well to designing
> highly available networks such as the one you are working up. This gives
> you the advantage of being able to actually load-balance with the PIXs,
> instead of using failover.
>
> I have several documents that show how this is done, but I can't find
> any on the external Cisco sites right now. Since this is a little off-topic
> of CCIE lab studies, email me offline and I'll send them to you...
>
> Frank Jimenez, CCIE #5738
> franjime@cisco.com
>
>
> At 10:17 PM 02/19/2001 -0600, Andrew Short wrote:
> >On Mon, 19 Feb 2001, Fabricio Aponte wrote:
> >
> >> Mike!
> >>
> >> This is what I would do:
> >>
> >> First of all, PIX firewalls do not route, but, as you already know,
> >> checkpoints do, so if you want, use a checkpoint box instead.
> >
> >Actually, as layer-3 devices, PIX's MUST route if traffic is to be passed
> >between their interfaces. They also will (if my memory recalls
> >correctly) run RIP. But why you'd run RIP on a PIX is beyond me.
> >
> >Now...the Lucent firewall (John Chambers forgive me) doesn't route, but
> >then it is a data-link device filtering on network layer information. An
> >interesting idea. I am going to give it a whirl on a FreeBSD box soon.
> >
> >> This is what I would do:
> >>
> >>
> >> [BGP]---[BGP]
> >>   |       |
> >> ------[PIX]-----failovercable---[PIX]
> >>     |   |       |
> >>     | [ A ]---[ A ]
> >>     |   |       |
> >>     --[CPT]---[CPT]--
> >>         |       |
> >>       [ B ]---[ B ]
> >>
> >> Use only one PIX firewall, and use a failover cable to connect a
> >> redundant PIX. One thing that I like better about this set up than the
> >> one you have, is that if you have two different PIX firewalls in between
> >> this network, management is going to turn ugly. If you want BGP to route
> >> to A or to B, or if you want network A to route to B, it is going to go
> >> through two PIX firewalls and if the network admin that you are designing
> >> this for is not good, he is going to have a hard time every time he needs
> >> to add a conduit.
> >>
> >> With the failover command, all you do is configure one PIX, and the
> >> other one will copy the configuration from the primary. Obviously, the
> >> network connections of the primary PIX are exactly the same as the ones
> >> from the secondary, so if one fails it should be invisible.
> >>
> >> If any questions, call the Houston TAC. Those guys are good ;)
> >>
> >>
> >> Fab
> >>
> >> -----Original Message-----
> >> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com]On Behalf Of
> >> Michael Le
> >> Sent: Monday, February 19, 2001 9:55 PM
> >> To: ccielab@groupstudy.com
> >> Subject: Firewall Design Question
> >>
> >>
> >> Since firewalls shouldn't run routing protocols,
> >> could someone give me advice on how to set up my
> >> proposed redundant firewalls.
> >> Please refer to my ugly ASCII network.
> >>
> >>   [BGP]---[BGP]
> >>     |       |
> >> --[PIX]---[PIX]--
> >> |   |       |   |
> >> | [ A ]---[ A ] |
> >> |   |       |   |
> >> --[CPT]---[CPT]--
> >>     |       |
> >>   [ B ]---[ B ]
> >>
> >> I plan to have two failover PIXs right behind two
> >> BGP routers to the Internet. On the inside of the PIXs
> >> I have one connection going to Network A and another
> >> going to Network B. But right in front of Network B
> >> (critical production network), I have a load balancing
> >> set of Checkpoint firewalls. The Checkpoints are
> >> connected to both Network A & B, which are actually
> >> 6509 w/MSFCs.
> >> I want it done so that the Checkpoint will forward
> >> data to A when destined there and send all other
> >> packets to the PIX. However, if the Checkpoint's link
> >> to the PIX goes down, I want it to be able to send
> >> traffic through network A and to the PIX from
> >> there. I want it to work the other way around for the
> >> PIX going to network B.
> >> My question is, how would I do that if the
> >> firewalls don't run a routing protocol? Do the PIXs
> >> allow for floating statics?
> >> Thanks for your help.
> >>
> >> Michael
> >>



This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 10:28:53 GMT-3