From: Michael Le (mmle@xxxxxxxxxxxxxxxxx)
Date: Tue Feb 20 2001 - 15:28:52 GMT-3
Hi All,
Thanks for responding. The two PIXs I have are already doing failover, but
that's not what I was asking.
I was just trying to find a way for the PIX to send traffic to Network B
through its link to the Checkpoint. If, however, that link were to fail,
then I want it to use the link to Network A as a transit to Network B. This
would imply that I need to use some sort of floating static, if there were
such a thing on the PIX, but I don't think there is.
I think someone else recommended me doing routing through to the PIX instead
of with it, but how would the router detect which link to the PIX is up
or down? I don't see how that would work.
Any suggestions would be helpful. Or is this too off-topic?
Michael
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com]On Behalf Of
Frank Jimenez
Sent: Tuesday, February 20, 2001 10:17 AM
To: Peter; Frank Jimenez; CCIE Study Group
Subject: Re: Firewall Design Question
Correct. The original reason that I found this configuration to begin with
was to placate a customer who had purchased two PIXs, and was upset that one
was sitting idle for failover and not 'load balancing'....
Frank Jimenez
franjime@cisco.com
At 12:25 AM 02/20/2001 -0600, Peter wrote:
>Correct but to successfully load balance firewalls, you must have the
>CSS11000's in front AND behind the FW's. You must sandwich them to make
>sure all "flows" go through the correct FW. You have the same issue with
>SSL, which must stick a session to one server, or firewall in this case. It
>is the only way to maintain state. This makes for a complex design, why not
>just get a pair of PIX535's running failover? Throw all the bandwidth you
>want at it, plus fault tolerance :)
>
>Peter
>
>----- Original Message -----
>From: "Frank Jimenez" <franjime@cisco.com>
>To: "CCIE Study Group" <ccielab@groupstudy.com>
>Sent: Monday, February 19, 2001 11:19 PM
>Subject: RE: Firewall Design Question
>
>
>> Mike,
>>
>> One thing that you might consider (Frank puts on his Cisco Sales
>Hat(tm) for a moment...) is placing a CSS-11000 Content Switching box either
>in front or behind (or both) of the PIXs or CheckPoints. The CSS-11000 has
>some unique load-balancing features that lend themselves well for designing
>highly available networks such as the one you are working up. This gives
>you the advantage of being able to actually load-balance with the PIXs,
>instead of using failover.
>>
>> I have several documents that show how this is done, but I can't find
>any on the external Cisco sites right now. Since this is a little off-topic
>of CCIE lab studies, email me off line and I'll send them to you...
>>
>> Frank Jimenez, CCIE #5738
>> franjime@cisco.com
>>
>>
>> At 10:17 PM 02/19/2001 -0600, Andrew Short wrote:
>> >On Mon, 19 Feb 2001, Fabricio Aponte wrote:
>> >
>> >> Mike!
>> >>
>> >> This is what I would do:
>> >>
>> >> First of all, PIX firewalls do not route, but, as you already know,
>> >> checkpoints do, so if you want, use a checkpoint box instead.
>> >
>> >Actually, as layer-3 devices, PIX's MUST route if traffic is to be passed
>> >between their interfaces. They also will (if my memory recalls correctly)
>> >run RIP. But why you'd run RIP on a PIX is beyond me.
>> >
>> >Now...the Lucent firewall (John Chambers forgive me) doesn't route, but
>> >then it is a data-link device filtering on network layer information. An
>> >interesting idea. I am going to give it a whirl on a FreeBSD box soon.
>> >
>> >
>> >
>> >
>> >
>> >> This is what I would do:
>> >>
>> >>
>> >>         [BGP]---[BGP]
>> >>           |       |
>> >>   ------[PIX]-----failovercable---[PIX]
>> >>   |       |                         |
>> >>   |     [ A ]---[ A ]               |
>> >>   |       |       |                 |
>> >>   ------[CPT]---[CPT]----------------
>> >>           |       |
>> >>         [ B ]---[ B ]
>> >>
>> >> Use only one PIX firewall, and use a failover cable to connect a redundant
>> >> PIX. One thing that I like better about this set up than the one you have,
>> >> is that if you have two different PIX firewalls in between this network,
>> >> management is going to turn ugly. If you want BGP to route to A or to B, or
>> >> if you want network A to route to B, it is going to go through two PIX
>> >> firewalls and if the network admin that you are designing this for is not
>> >> good, he is going to have a hard time every time he needs to add a conduit.
>> >>
>> >> With the failover command, all you do is configure one PIX, and the other
>> >> one will copy the configuration from the primary. Obviously, the network
>> >> connections of the primary PIX are exactly as the ones from the secondary,
>> >> so if one fails it should be invisible.
>> >>
>> >> If any questions, call the Houston TAC. Those guys are good ;)
>> >>
>> >>
>> >> Fab
>> >>
>> >>
>> >>
>> >>
>> >>
>> >>
>> >> -----Original Message-----
>> >> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com]On Behalf Of
>> >> Michael Le
>> >> Sent: Monday, February 19, 2001 9:55 PM
>> >> To: ccielab@groupstudy.com
>> >> Subject: Firewall Design Question
>> >>
>> >>
>> >> Since firewalls shouldn't run routing protocols,
>> >> could someone give me advice on how to set up my
>> >> proposed redundant firewalls.
>> >> Please refer to my ugly ASCII network.
>> >>
>> >>   [BGP]---[BGP]
>> >>     |       |
>> >> --[PIX]---[PIX]--
>> >> |   |       |   |
>> >> | [ A ]---[ A ] |
>> >> |   |       |   |
>> >> --[CPT]---[CPT]--
>> >>     |       |
>> >>   [ B ]---[ B ]
>> >>
>> >> I plan to have two failover PIXs right behind two
>> >> BGP routers to the Internet. On the inside of the PIXs
>> >> I have one connection going to Network A and another
>> >> going to Network B. But right in front of Network B
>> >> (critical production network), I have a load balancing
>> >> set of Checkpoint firewalls. The Checkpoints are
>> >> connected to both Network A & B, which are actually
>> >> 6509 w/MSFCs.
>> >> I want it done so that the Checkpoint will forward
>> >> data to A when destined there and send all other
>> >> packets to the PIX. However, if the Checkpoint's link
>> >> to the PIX goes down, I want it to be able to send
>> >> traffic through network A and to the PIX from
>> >> there. I want it to work the other way around for the
>> >> PIX going to network B.
>> >> My question is, how would I do that if the
>> >> firewalls don't run a routing protocol? Do the PIXs
>> >> allow for floating statics?
>> >> Thanks for your help.
>> >>
>> >> Michael
>> >>
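The floating static that Michael asks about, modelled in Python as an added example (it is not code from the thread, nor from any Cisco or Check Point product). It keeps two static routes to Network B on the PIX: the primary via the direct link to the Checkpoint, and a backup with a deliberately high administrative distance via the link into Network A, which is only installed once the primary's interface is down. Interface names ("to_cpt", "to_a") and the 10.1.0.0/16, 10.2.0.0/16 and 192.0.2.x addresses are constructed to match the ASCII diagram and are not from the thread.

```python
"""Floating static route model: per prefix, install the lowest-distance
static route whose outgoing interface is up; fall back to the higher-
distance backup only when the primary's interface goes down.
Added example; addresses and interface names are constructed."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class StaticRoute:
    prefix: ipaddress.IPv4Network
    next_hop: ipaddress.IPv4Address
    interface: str
    distance: int = 1  # administrative distance; lower wins, a floating static uses a high value


class Router:
    """Minimal RIB for a firewall that only carries static routes."""

    def __init__(self):
        self.configured = []  # every static route present in the config
        self.link_up = {}     # interface name -> line protocol state

    def add_interface(self, name, up=True):
        self.link_up[name] = up

    def set_link(self, name, up):
        self.link_up[name] = up

    def add_route(self, prefix, next_hop, interface, distance=1):
        self.configured.append(StaticRoute(ipaddress.ip_network(prefix),
                                           ipaddress.ip_address(next_hop),
                                           interface, distance))

    def rib(self):
        """Routes actually installed: one per prefix, lowest distance among
        those whose interface is up. A route whose interface is down is
        withdrawn, which is what lets the floating static take over."""
        installed = {}
        for r in self.configured:
            if not self.link_up.get(r.interface, False):
                continue
            current = installed.get(r.prefix)
            if current is None or r.distance < current.distance:
                installed[r.prefix] = r
        return installed

    def lookup(self, dst):
        """Longest-prefix match over the installed routes; None if no route."""
        dst = ipaddress.ip_address(dst)
        candidates = [r for r in self.rib().values() if dst in r.prefix]
        if not candidates:
            return None
        return max(candidates, key=lambda r: r.prefix.prefixlen)


def build_pix():
    """PIX from the diagram: one link to the Checkpoint pair, one into Network A.
    Network B (10.2.0.0/16) is reached primarily via the Checkpoint link and,
    as a floating static (distance 250), via Network A as transit."""
    pix = Router()
    pix.add_interface("to_cpt")  # direct link to the Checkpoint (constructed name)
    pix.add_interface("to_a")    # link into Network A, the 6509/MSFC (constructed name)
    pix.add_route("10.1.0.0/16", "192.0.2.9", "to_a")                 # Network A
    pix.add_route("10.2.0.0/16", "192.0.2.1", "to_cpt", distance=1)   # Network B, primary
    pix.add_route("10.2.0.0/16", "192.0.2.9", "to_a", distance=250)   # Network B, floating static
    return pix


def path_to_b(pix, cpt_link_up):
    """Which interface the PIX uses for a host in Network B given the state
    of its Checkpoint link; None if Network B is unreachable."""
    pix.set_link("to_cpt", cpt_link_up)
    route = pix.lookup("10.2.5.5")
    return route.interface if route else None


if __name__ == "__main__":
    pix = build_pix()
    print("Checkpoint link up:  ", path_to_b(pix, True))   # to_cpt
    print("Checkpoint link down:", path_to_b(pix, False))  # to_a
```

Note the limit of what this buys you, which is the same gap the thread keeps circling: the backup is installed only when the PIX's own interface loses link. A failure beyond the next hop (the Checkpoint's far side, or the Network A path to B) leaves the primary route in place and the traffic blackholed, because a static route has no reachability tracking of its own. Whether a given PIX release will accept two static routes for the same prefix and behave this way is exactly Michael's open question; the model shows what the feature would have to do, not that the box does it.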
This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 10:28:54 GMT-3