Re: pix failover

From: Netwrkx (netwrkx@myeastern.com)
Date: Tue Dec 30 2003 - 01:04:47 GMT-3


We have something along the same lines in production, which works great as
far as failover and redundancy.
Pretty much the same as Larry below, except each of our outside routers is
connected to both providers, and they run iBGP between them, with multiple
HSRP groups.

The only thing that still irks me is not being able to run the PIXes in
active-active. One 515 theoretically maxes at 45M or so, with 2 giving you
90M - quite a big difference.

Maybe someday.

-TV

----- Original Message -----
From: "Roberts, Larry" <Larry.Roberts@expanets.com>
To: "Jens Petter Eikeland" <jens-p.eikeland@telio.no>;
<security@groupstudy.com>; <ccielab@groupstudy.com>
Sent: Monday, December 29, 2003 4:13 PM
Subject: RE: pix failover

> What about HSRP with 2 different groups each corresponding to a different
> IP range.
>
> This will get you back to the router, but I don't know how you would get
> the redundancy inbound for your address range.
>
> I'm working something similar.
>
> I have 2 3725's each connected to a different provider. In each 3725 I
> have the 16 port 10/100/1G card. I cross connect the routers, and also
> connect the PIX's between them. I'm going to be doing BGP to each provider,
> and use as-path prepending to have ISP A be primary for its address range
> and ISP B primary for theirs. In the case of T-1 failure on ISP A, the
> router for ISP B will take over (preempt and tracking). This gets me
> outbound. BGP takes care of the inbound since ISP-A *should* lose the route
> and stop advertising.
>
> I also have 2 sets of PIX's in failover each tied to their respective ISP.
> ISP-A is the primary outbound, but ISP-B can/will be used if ISP-A
> disappears.
> I'm doing this via a route-map to make ISP-A preferred if available.
>
> Sure looks good on paper. Can wait to actually turn it up live *with
> fingers and toes crossed*
>
> Thanks
>
> Larry
>
>
> -----Original Message-----
> From: Jens Petter Eikeland [mailto:jens-p.eikeland@telio.no]
> Sent: Monday, December 29, 2003 10:14 AM
> To: security@groupstudy.com; ccielab@groupstudy.com
> Subject: pix failover
>
> Hi group ,
>
> I am trying to set up two PIXes in failover mode. On the outside of the
> PIXes there are two routers. I am trying to have this 100% redundant, but
> I have a problem setting up the routing here. Since the outside interfaces
> on the PIX need to be in the same subnet, and because I have two
> different IP ranges on the outside of the routers again, I stumble on to
> some routing problems. Has anybody out there set up a fully redundant
> solution with two PIX firewalls who can help me on the way here? My ISPs
> are running OSPF on the outside of the PIX, and I am thinking of
> integrating this on my edge routers. Is this smart, or should I stick to
> using static routes?
>
> Please help me.
>
>
>
> <http://www.telio.no>
> Jens Petter Eikeland
> Network Security Engineer
> <mailto:Jens-P.Eikeland@Telio.no> Jens-P.Eikeland@Telio.no
> Stortings gate 8
> 0161 OSLO
> NORWAY
> mobile: +47 906 577 56
> IM: MSN: tbljpe@frisurf.no
> www.Telio.no



This archive was generated by hypermail 2.1.4 : Sat Jan 03 2004 - 08:25:46 GMT-3