RE: Policy Route w/ Pix 515 ?

From: Richard Danu (rdanu@apex3.com)
Date: Wed Jan 21 2004 - 01:39:50 GMT-3


I would try running an Ethernet segment in between the ISP routers, and another to the PIX; this way you can run HSRP on the segment communicating with the PIX. Once the packet reaches the active HSRP router, you can use some policy-based routing to forward packets out the serial to the 1st ISP and packets out the Ethernet to the other router, which can also use some policy routing to send packets out its serial to the other ISP (not back to router A!).
This can load balance outbound.

I would guess you could even use NAT on the routers to map each ISP's private class on each router, as you see fit. You may use DNS to load balance inbound traffic to your services (smtp, dns, www, ftp, etc.) in round-robin fashion. Use the PIX as a filtering device only. There are ways to get creative with this model.

 isp1          isp2
   |             |
   |             |
  (A)-----------(B)
   |             |
   ---------------
          |
        (PIX)
          |

Richard Danu
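The two-router design above (HSRP on the PIX-facing segment, policy-based routing on the active router, a second Ethernet between the routers so the passive ISP link still carries traffic) as an added configuration example; it is not from this thread or from either poster. Hostnames, interface names and every address are constructed: ISP1 hangs off Router A's Serial0/0, ISP2 off Router B's Serial0/0, the PIX outside segment is 192.0.2.0/24 with HSRP virtual IP 192.0.2.1, the inter-router Ethernet is 198.51.100.0/30, and the two internal LANs are 10.1.1.0/24 and 10.1.2.0/24. The PIX is assumed to pass internal addresses untranslated, so the routers can match on the real source subnet and do the NAT themselves, as Richard suggests.

```cisco
! ===== Router A (constructed example; hostnames, addresses and interfaces are assumptions) =====
hostname RTR-A
!
! Internal LAN 1 (10.1.1.0/24) leaves through ISP1 on this router;
! internal LAN 2 (10.1.2.0/24) is handed to Router B over the inter-router Ethernet.
! The PIX does no translation, so the routers still see the internal source addresses.
access-list 101 permit ip 10.1.1.0 0.0.0.255 any
access-list 102 permit ip 10.1.2.0 0.0.0.255 any
!
route-map PBR-FROM-PIX permit 10
 match ip address 101
 ! ISP1 peer address on Serial0/0
 set ip next-hop 203.0.113.1
route-map PBR-FROM-PIX permit 20
 match ip address 102
 ! Router B on the inter-router segment
 set ip next-hop 198.51.100.2
!
! NAT for ISP1's address space lives on the router, so the PIX stays a pure filter.
ip nat inside source list 101 interface Serial0/0 overload
!
interface Serial0/0
 description Link to ISP1
 ip address 203.0.113.2 255.255.255.252
 ip nat outside
!
interface FastEthernet0/0
 description Segment shared with the PIX outside interface; HSRP group 1 (active)
 ip address 192.0.2.2 255.255.255.0
 ip nat inside
 ip policy route-map PBR-FROM-PIX
 standby 1 ip 192.0.2.1
 standby 1 priority 110
 standby 1 preempt
!
interface FastEthernet0/1
 description Inter-router Ethernet to Router B
 ! Deliberately no route-map here: traffic arriving from B must never be policy-routed back to B.
 ip address 198.51.100.1 255.255.255.252
 ip nat inside
!
ip route 0.0.0.0 0.0.0.0 203.0.113.1
!
! ===== Router B (mirror image: LAN 2 leaves via ISP2 here, LAN 1 is handed to Router A) =====
hostname RTR-B
!
access-list 101 permit ip 10.1.1.0 0.0.0.255 any
access-list 102 permit ip 10.1.2.0 0.0.0.255 any
!
route-map PBR-FROM-PIX permit 10
 match ip address 102
 ! ISP2 peer address on Serial0/0
 set ip next-hop 203.0.113.5
route-map PBR-FROM-PIX permit 20
 match ip address 101
 ! Router A on the inter-router segment
 set ip next-hop 198.51.100.1
!
ip nat inside source list 102 interface Serial0/0 overload
!
interface Serial0/0
 description Link to ISP2
 ip address 203.0.113.6 255.255.255.252
 ip nat outside
!
interface FastEthernet0/0
 description Segment shared with the PIX outside interface; HSRP group 1 (standby)
 ip address 192.0.2.3 255.255.255.0
 ip nat inside
 ip policy route-map PBR-FROM-PIX
 standby 1 ip 192.0.2.1
 standby 1 priority 100
 standby 1 preempt
!
interface FastEthernet0/1
 description Inter-router Ethernet to Router A (again: no route-map on this interface)
 ip address 198.51.100.2 255.255.255.252
 ip nat inside
!
ip route 0.0.0.0 0.0.0.0 203.0.113.5
```

The PIX side then needs nothing beyond a single default route to the HSRP virtual address (`route outside 0.0.0.0 0.0.0.0 192.0.2.1 1`) and identity NAT for the inside networks, which is what lets the routers see 10.1.1.0/24 and 10.1.2.0/24 as source addresses. The "not back to router A" point is enforced structurally: the route-map is bound only to the PIX-facing interface on each router, so a packet that one router has already handed across the inter-router Ethernet follows the receiving router's plain default route out its own serial and cannot bounce. Each router translates only the LAN that exits through its own ISP, so return traffic for a session comes back to the router that created the translation. Link-failure handling (HSRP interface tracking on the serial links, or `set ip next-hop verify-availability`) is left out of this snippet and would be the next thing to add before relying on the design.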

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Kenneth Wygand
Sent: Tuesday, January 20, 2004 9:18 PM
To: ccielab@groupstudy.com
Subject: Policy Route w/ Pix 515 ?

Hello all,
 
Does anyone know if IP Policy can be implemented on a PIX to set a next-hop IP address based on SOURCE IP address (as opposed to the way "regular" routing works, based on DESTINATION IP address)?
 
Here's my situation - I have a PIX 515 connected to two ISP routers, each connected to a full T1 Internet circuit (through a dumb switch on the PIX outside interface). I would like to load balance (or load share) across the T1s, but I don't think this can be done without a Content Smart Switch or 3rd party device (Radware link-proof, etc). I've looked into GLBP but it won't work due to the fact that there's only a single client (PIX 515) on the segment, so the way GLBP distributes ghost MAC addresses in a round-robin fashion will not work. My only thought at the moment is to implement two HSRP groups, with Virtual IP address 1 using R1 as the primary and R2 as the backup, and Virtual IP address 2 using R2 as the primary and R1 as the backup. I'm guessing I can install two static default routes in the PIX to implement flow-based load "sharing" across the HSRP groups.
 
Ideally, however, I might want to set a specific internal LAN segment to use one of the HSRP groups and have another internal LAN segment use the other group. I would have to use some kind of source-based distinction on the PIX then, but I've been told that since the PIX is essentially a "translation device" and not a "router", it cannot implement "IP Policy".
 
Any suggestions on how this can be done?
 
Thanks in advance!
Ken



This archive was generated by hypermail 2.1.4 : Mon Feb 02 2004 - 09:07:48 GMT-3