From: Kenneth Wygand (KWygand@customonline.com)
Date: Wed Jan 21 2004 - 00:18:09 GMT-3
Hello all,
Does anyone know if IP Policy can be implemented on a Pix to set a next-hop IP address based on SOURCE IP address (as opposed to the way "regular" routing works based on DESTINATION IP address)?
Here's my situation - I have a Pix 515 connected to two ISP routers, each connected to a full T1 Internet circuit (through a dumb switch on the Pix outside interface). I would like to load balance (or load share) across the T1s, but I don't think this can be done without a Content Smart Switch or 3rd party device (Radware link-proof, etc.). I've looked into GLBP but it won't work due to the fact that there's only a single client (Pix 515) on the segment, so the way GLBP distributes ghost MAC addresses in a round-robin fashion will not work. My only thought at the moment is to implement two HSRP groups, with Virtual IP address 1 using R1 as the primary and R2 as the backup, and Virtual IP address 2 using R2 as the primary and R1 as the backup. I'm guessing I can install two static default routes in the Pix to implement flow-based load "sharing" across the HSRP groups.
Ideally, however, I might want to set a specific internal LAN segment to use one of the HSRP groups and have another internal LAN segment use the other group. I would have to use some kind of source-based distinction then on the Pix, but I've been told that since the Pix is essentially a "translation device" and not a "router", it cannot implement "IP Policy".
Any suggestions on how this can be done?
Thanks in advance!
Ken