From: DAN DORTON (DHSTS68@dhs.state.il.us)
Date: Mon Sep 16 2002 - 10:37:41 GMT-3
You could also run BGP & only take local provider routes from each ISP.
Use 0/0 routes to catch the rest in each with a better administrative
metric at the primary.
Run HSRP between the two routers & have the PIX send all outside
traffic to the Virtual IP.
Have an ethernet connection between the two routers with a crossover &
peer between them.
Make sure you filter well to avoid becoming a transit AS.
The traffic will follow more specific routes from each provider from
the primary router & any other traffic will follow the default. If the
primary dies then the secondary will take over & all traffic will be
routed that way.
I have set up a few this way & it seems to work well as long as you use
large providers. IE: ATT, SBC...
>>> Chuck Church <cchurch@MAGNACOM.com> 09/16/02 07:57AM >>>
Are you running BGP to the two ISPs? If not, I assume you've got 2 separate
address ranges given to you by the ISPs. If so, I assume you're NATing on
the routers rather than the PIX. What you could do is create 2 static
routes on the Pix, one for 0.0.0.0/1 pointing to router 1, and 128.0.0.0/1,
pointing to router 2. A floating static 0/0 route on each router pointing
to the other should then take care of a loss of a circuit. It won't be
perfect load balancing, but it's close. You can always fine tune the static
routes on the PIX to balance a little more.
Chuck Church
CCIE #8776, MCNE, MCSE
Sr. Network Engineer
Magnacom Technologies
140 N. Rt. 303
Valley Cottage, NY 10989
845-267-4000
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of nitin
Sent: Monday, September 16, 2002 3:39 AM
To: Reinhold.Fischer@gmx.net
Cc: ccielab@groupstudy.com; security@groupstudy.com
Subject: Re: Pix with Two ISP
Hi,
What if I don't require load balancing, and half the network traffic should go
through router A and half through router B? Default gateway will be Pix.
But if any one of the routers goes down, the other router should take the
traffic.
Regards
Nitin
----- Original Message -----
From: "Reinhold Fischer" <rfischer@flexnetworks.de>
To: "nitin" <ni36ne@hotmail.com>
Cc: <ccielab@groupstudy.com>; <security@groupstudy.com>
Sent: Monday, September 16, 2002 12:31 PM
Subject: Re: Pix with Two ISP
> Hello Nitin,
>
> there is probably more than one way to solve this problem.
>
> For the load balancing part you usually need to have BGP with full
> internet routing tables on your routers with your own AS and own
> ip address space.
>
> To achieve the redundancy I would use HSRP between the two routers to
> provide a redundant default gateway for the PIX. There may be a bit
> suboptimal routing in some cases when traffic gets sent to the
> active HSRP router which decides then due to its better topology
> knowledge through BGP that the traffic should better go over the
> other router. As long as you have the requirement to do loadbalancing
> between the ISP's there is no way to get around this because you
> don't want to try to give the pix a full routing table with RIP ;-)
>
> The PIX itself and the switch between the PIX and the routers would
> still be a single point of failure except you go for a cluster of
> two there.
>
>      ISP-A                   ISP-B
>        |                       |
>        | WAN                   | WAN
>        | eBGP                  | eBGP
>        |         iBGP          |
>     Router1-----------------Router2
>        |     back2back FE      |
>        |                       |
>        |                       |
>        |  <------HSRP------>   |
>        +---------+   +---------+
>                  |   |
>                 Switch
>                    |
>                   Pix
>
> The direct back2back ethernet between the routers may not be necessary
> in all cases but it helps to provide the redundancy and avoids sending
> the traffic two times over the same wire as it would happen in the
> case of suboptimal routing as described above.
>
>
> cheers !
>
> Reinhold
>
> On Mon, 16 Sep 2002, nitin wrote:
>
> > Hi,
> > I want to set up a Pix firewall on the network where I have two different
> > ISP connections with two routers. I want users on the network to access
> > the internet through the two ISPs in a load balancing and redundant
> > fashion. Can anyone suggest how I should configure the firewall for this
> > setup?
> > Has anyone done this kind of setup? A sample configuration would be
> > appreciated.
> >
> > Thanks in advance
> >
> > Nitin Sahane
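
An added example, not written by any poster in this thread: a small Python model of the static-route split from Chuck Church's reply quoted above (0.0.0.0/1 and 128.0.0.0/1 on the PIX, a floating 0/0 on each router towards the other). Node names, administrative distances and the sample destinations are constructed, and the model assumes the PIX keeps a static route installed even when its next-hop router is dead.

```python
import ipaddress

# Constructed model; node names and administrative distances are assumptions.
def route(net, via, ad=1):
    return (ipaddress.ip_network(net), via, ad)

TABLES = {
    "PIX": [route("0.0.0.0/1", "R1"), route("128.0.0.0/1", "R2")],
    "R1": [route("0.0.0.0/0", "ISP-A"), route("0.0.0.0/0", "R2", ad=250)],
    "R2": [route("0.0.0.0/0", "ISP-B"), route("0.0.0.0/0", "R1", ad=250)],
}
CIRCUITS = {"ISP-A", "ISP-B"}


def next_hop(node, dst, failed):
    """Longest-prefix match, then lowest administrative distance.

    A route over a failed circuit is withdrawn (interface down). A static
    route towards a dead router on the shared Ethernet stays installed,
    which is the assumption made here for the PIX.
    """
    live = [r for r in TABLES[node]
            if dst in r[0] and not (r[1] in CIRCUITS and r[1] in failed)]
    if not live:
        return None
    return min(live, key=lambda r: (-r[0].prefixlen, r[2]))[1]


def trace(dst, failed=frozenset()):
    """Return the hop list from the PIX, ending in an ISP or 'DROP'."""
    dst = ipaddress.ip_address(dst)
    path, node = ["PIX"], "PIX"
    while node not in CIRCUITS:
        node = next_hop(node, dst, failed)
        # Dead next hop, no route, or a loop between the routers: drop.
        if node is None or node in failed or node in path:
            path.append("DROP")
            return path
        path.append(node)
    return path


if __name__ == "__main__":
    # Constructed failure scenarios and sample destinations.
    for failed in (set(), {"ISP-A"}, {"R1"}, {"ISP-A", "ISP-B"}):
        for dst in ("64.0.0.1", "192.0.2.1"):
            print(sorted(failed), dst, " -> ".join(trace(dst, failed)))
```

In this model a failed circuit is absorbed by the floating static, while a dead R1 drops every destination in 0.0.0.0/1, which is the case the HSRP virtual IP in the other replies covers.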
This archive was generated by hypermail 2.1.4 : Mon Oct 07 2002 - 07:43:53 GMT-3