From: Tim Adams (tadams@xxxxxxxxxxxxxx)
Date: Thu Sep 13 2001 - 16:39:34 GMT-3
Just some input. I have run into the same request several times from customers.
We have come up with a couple of options.
1st, I haven't come across any firewall that will support Multiple Gateways. Even
the OS based Firewalls. They will accept multiples, but will only use one.
Generally the way we have solved this issue is by using a third router or a low
end layer 3 switch in the DMZ. If you give the Third router/Layer 3 switch both
the address for each HSRP group as a default path, the device will attempt to do
equal cost pathing. The problem with this is usually getting your provider to
also balance your Inbound traffic. You can also make a 3RD HSRP group (depending
on hardware) and use that one with the third router, just in case your routing
engine (3RD router) dies, everything fails over to one of the others instead of
stopping completely.
The other option is to balance your traffic manually. We generally have 1 pipe
for all WWW, SMTP, FTP, etc. and another for Internet Browsing (sort of inbound
and outbound). One problem with this is when you want to use a third NIC on your
PIX as a Secure DMZ, you run into a problem with only having a single gateway
address (this isn't just a PIX problem, I have run into this on Checkpoints,
Raptors, Sidewinders, Proxy server, BorderManager, Nokia Boxes, Linux using
IPChains, Solaris firewalls, and others). Then you have to use route maps to make
your routing decisions, usually based on source IP. The route maps can be set up
on your Perimeter routers or on a third router.
>>> "Tony Olzak" <tolzak@comwavz.com> 09/13/01 14:7 PM >>>
Since a PIX will only accept one default route, your options are
limited:
1) Manually balance by placing one route to half the internet pointing
to one active VIP, and the other half pointed to the other active VIP using
MHSRP.
2) Use HSRP, and a crossover between the two routers. Route all traffic
to the active VIP and have it load balance between its own serial and
the crossover connection to the standby router by adjusting the metrics
to make them even.
3) Get a firewall that can support multiple default routes.
I've also tried to use ICMP redirects but they don't work with HSRP.
Tony Olzak, CCIE #6689
ComWavz
419-859-2194 x1565
tolzak@comwavz.com
-----Original Message-----
From: Justin Braunagel [mailto:Justin.Braunagel@vlsystems.com]
Sent: Thursday, September 13, 2001 1:39 PM
To: Philippon; McHie, Anthony; ccielab@groupstudy.com
Subject: RE: HSRP load sharing with redundant circuits
That is the exact example I have seen in Cisco books. I want to do the
same thing on an Internet connection, but since it goes thru a firewall,
all clients use the firewall as the default gateway. Any suggestions on
how to do this with an ISP circuit thru the firewall?
-----Original Message-----
From: Philippon
Sent: Thu 9/13/2001 10:14 AM
To: McHie, Anthony; ccielab@groupstudy.com
Cc:
Subject: Re: HSRP load sharing with redundant circuits
I am not sure if this will fully complete your
objective but, make two standby groups on the routers
and make one the master on each. You would have to
make the PCs' gateway on the LANs match the
router you want to use. This should work and I believe
there is an example in the LAN Switching Book.
Hope it helped.
--- "McHie, Anthony"
<anthony.mchie@corp.bellsouth.net> wrote:
> Hey gang,
>
> Here is my question:
> How do you get an HSRP master to make use of the
> circuit on the HSRP standby
> router? The circuits are low bandwidth full-duplex.
> The desired state is
> to have both circuits utilized for both TX and RX.
> I'm open to route-maps,
> routing protocols, or any other means. Thanks
>
> Current State
> ------------------
> HSRP 10.3.0.3
This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 10:32:17 GMT-3