Re: Firewall Design Question

From: Frank Jimenez (franjime@xxxxxxxxx)
Date: Tue Feb 20 2001 - 13:16:43 GMT-3


Correct. The original reason that I found this configuration to begin with was
to placate a customer who had purchased two PIXs, and was upset that one was
sitting idle for failover and not 'load balancing'....

Frank Jimenez
franjime@cisco.com

At 12:25 AM 02/20/2001 -0600, Peter wrote:
>Correct but to successfully load balance firewalls, you must have the
>CSS11000's in front AND behind the FW's. You must sandwich them to make
>sure all "flows" go through the correct FW. You have the same issue with
>SSL, which must stick a session to one server, or firewall in this case. It
>is the only way to maintain state. This makes for a complex design, why not
>just get a pair of PIX535's running failover? Throw all the bandwidth you
>want at it, plus fault tolerance :)
>
>Peter
>
>----- Original Message -----
>From: "Frank Jimenez" <franjime@cisco.com>
>To: "CCIE Study Group" <ccielab@groupstudy.com>
>Sent: Monday, February 19, 2001 11:19 PM
>Subject: RE: Firewall Design Question
>
>
>> Mike,
>>
>> One thing that you might consider (Frank puts on his Cisco Sales
>> Hat(tm) for a moment...) is placing a CSS-11000 Content Switching box either
>> in front or behind (or both) of the PIXs or CheckPoints. The CSS-11000 has
>> some unique load-balancing features that lend themselves well for designing
>> highly available networks such as the one you are working up. This gives
>> you the advantage of being able to actually load-balance with the PIXs,
>> instead of using failover.
>>
>> I have several documents that show how this is done, but I can't find
>> any on the external Cisco sites right now. Since this is a little off-topic
>> of CCIE lab studies, email me off line and I'll send them to you...
>>
>> Frank Jimenez, CCIE #5738
>> franjime@cisco.com
>>
>>
>> At 10:17 PM 02/19/2001 -0600, Andrew Short wrote:
>> >On Mon, 19 Feb 2001, Fabricio Aponte wrote:
>> >
>> >> Mike!
>> >>
>> >> This is what I would do:
>> >>
>> >> First of all, PIX firewalls do not route, but, as you already know,
>> >> checkpoints do, so if you want, use a checkpoint box instead.
>> >
>> >Actually, as layer-3 devices, PIX's MUST route if traffic is to be passed
>> >between their interfaces. They also will (if my memory recalls correctly)
>> >run RIP. But why you'd run RIP on a PIX is beyond me.
>> >
>> >Now...the Lucent firewall (John Chambers forgive me) doesn't route, but
>> >then it is a data-link device filtering on network layer information. An
>> >interesting idea. I am going to give it a whirl on a FreeBSD box soon.
>> >
>> >
>> >
>> >
>> >
>> >> This is what I would do:
>> >>
>> >>
>> >> [BGP]---[BGP]
>> >> | |
>> >> ------[PIX]-----failovercable---[PIX]
>> >> | | |
>> >> | [ A ]---[ A ]
>> >> | | |
>> >> --[CPT]---[CPT]--
>> >> | |
>> >> [ B ]---[ B ]
>> >>
>> >> Use only one PIX firewall, and use a failover cable to connect a redundant
>> >> PIX. One thing that I like better about this set up than the one you have,
>> >> is that if you have two different PIX firewalls in between this network,
>> >> management is going to turn ugly. If you want BGP to route to A or to B, or
>> >> if you want network A to route to B, it is going to go through two PIX
>> >> firewalls and if the network admin that you are designing this for is not
>> >> good, he is going to have a hard time every time he needs to add a conduit.
>> >>
>> >> With the failover command, all you do is configure one PIX, and the other
>> >> one will copy the configuration from the primary. Obviously, the network
>> >> connections of the primary PIX are exactly as the ones from the secondary,
>> >> so if one fails it should be invisible.
>> >>
>> >> If any questions, call the Houston TAC. Those guys are good ;)
>> >>
>> >>
>> >> Fab
>> >>
>> >>
>> >>
>> >>
>> >>
>> >>
>> >> -----Original Message-----
>> >> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com]On Behalf Of
>> >> Michael Le
>> >> Sent: Monday, February 19, 2001 9:55 PM
>> >> To: ccielab@groupstudy.com
>> >> Subject: Firewall Design Question
>> >>
>> >>
>> >> Since firewalls shouldn't run routing protocols,
>> >> could someone give me advice on how to set up my
>> >> proposed redundant firewalls.
>> >> Please refer to my ugly ASCII network.
>> >>
>> >> [BGP]---[BGP]
>> >> | |
>> >> --[PIX]---[PIX]--
>> >> | | | |
>> >> | [ A ]---[ A ] |
>> >> | | | |
>> >> --[CPT]---[CPT]--
>> >> | |
>> >> [ B ]---[ B ]
>> >>
>> >> I plan to have two failover PIXs right behind two
>> >> BGP routers to the Internet. On the inside of the PIXs
>> >> I have one connection going to Network A and another
>> >> going to Network B. But right in front of Network B
>> >> (critical production network), I have a load balancing
>> >> set of Checkpoint firewalls. The Checkpoints are
>> >> connected to both Network A & B, which are actually
>> >> 6509 w/MSFCs.
>> >> I want it done so that the Checkpoint will forward
>> >> data to A when destined there and send all other
>> >> packets to the PIX. However, if the Checkpoint's link
>> >> to the PIX goes down, I want it to be able to send
>> >> traffic through network A and to the PIX from
>> >> there. I want it to work the other way around for the
>> >> PIX going to network B.
>> >> My question is, how would I do that if the
>> >> firewalls don't run a routing protocol? Do the PIXs
>> >> allow for floating statics?
>> >> Thanks for your help.
>> >>
>> >> Michael
>> >>

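Peter's point in the thread above (flows must stick to one firewall or state is lost, which is why the content switches have to sandwich the firewalls) can be shown with a small simulation. This is an added example, not code from anyone on the list and not PIX or CSS-11000 behaviour: two toy stateful firewalls sit behind a distributor that is either per-packet round robin or hashes a direction-independent flow key. The firewall names, the 10.1.1.0/24 and 203.0.113.10 addresses, and the CRC-based steering hash are all made up for the illustration.

```python
"""
Toy model of two stateful firewalls fed by a load balancer.

A stateful filter permits an inbound packet only when it matches a flow it
saw leave. If the distributor in front of the pair is not flow-aware, the
reply can arrive at the firewall that never saw the request and is dropped.
Everything here (names, addresses, the CRC-based steering hash) is made up
for the illustration; it is not PIX or CSS-11000 behaviour.
"""
from dataclasses import dataclass
import zlib


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


def flow_key(pkt):
    """Direction-independent key so request and reply map to one flow."""
    return tuple(sorted([(pkt.src, pkt.sport), (pkt.dst, pkt.dport)]))


class StatefulFirewall:
    """Allows outbound flows and only inbound packets matching a known flow."""

    def __init__(self, name):
        self.name = name
        self.flows = set()
        self.dropped = []

    def process(self, pkt, direction):
        key = flow_key(pkt)
        if direction == "out":
            self.flows.add(key)        # learn the flow on the way out
            return True
        if key in self.flows:          # reply to something we saw leave
            return True
        self.dropped.append(pkt)       # unsolicited inbound: deny
        return False


class RoundRobinSteer:
    """Per-packet round robin: no notion of a flow."""

    def __init__(self, fws):
        self.fws = fws
        self.n = 0

    def pick(self, pkt):
        fw = self.fws[self.n % len(self.fws)]
        self.n += 1
        return fw


class FlowHashSteer:
    """Sandwich behaviour: hash the normalized flow key so both directions
    of a conversation are steered to the same firewall."""

    def __init__(self, fws):
        self.fws = fws

    def pick(self, pkt):
        h = zlib.crc32(repr(flow_key(pkt)).encode())
        return self.fws[h % len(self.fws)]


def run_conversations(steer, n_flows=8):
    """Inside hosts open n_flows connections outbound; the server answers.
    Returns the number of replies the firewall pair wrongly dropped."""
    dropped = 0
    for i in range(n_flows):
        host = "10.1.1.%d" % (i + 1)                 # constructed inside host
        req = Packet(host, 40000 + i, "203.0.113.10", 443)
        reply = Packet("203.0.113.10", 443, host, 40000 + i)
        steer.pick(req).process(req, "out")
        if not steer.pick(reply).process(reply, "in"):
            dropped += 1
    return dropped


def compare(n_flows=8):
    """Returns (replies dropped with round robin, replies dropped with flow hashing)."""
    rr = RoundRobinSteer([StatefulFirewall("fw-a"), StatefulFirewall("fw-b")])
    fh = FlowHashSteer([StatefulFirewall("fw-a"), StatefulFirewall("fw-b")])
    return run_conversations(rr, n_flows), run_conversations(fh, n_flows)


if __name__ == "__main__":
    rr_drops, fh_drops = compare()
    print("round robin dropped %d of 8 replies" % rr_drops)
    print("flow hash   dropped %d of 8 replies" % fh_drops)
```

With per-packet round robin every reply lands on the box that never saw the request, so every conversation stalls; with flow hashing on both sides of the pair nothing is dropped. The tempting shortcut of opening the inbound side of each firewall so "established" traffic passes without a state entry removes the very protection a stateful firewall provides, which is why the thread's two honest options are the sandwich design or a plain failover pair where only one box ever carries the state.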


This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 10:28:54 GMT-3