From: Reinhold Fischer (rfischer@flexnetworks.de)
Date: Mon Sep 16 2002 - 04:01:06 GMT-3

Hello Nitin,

there is probably more than one way to solve this problem.

For the load balancing part you usually need to have BGP with full
internet routing tables on your routers with your own AS and own
IP address space.

To achieve the redundancy I would use HSRP between the two routers to
provide a redundant default gateway for the PIX. There may be a bit of
suboptimal routing in some cases when traffic gets sent to the
active HSRP router, which then decides, due to its better topology
knowledge through BGP, that the traffic should better go over the
other router. As long as you have the requirement to do load balancing
between the ISPs there is no way to get around this, because you
don't want to try to give the PIX a full routing table with RIP ;-)

The PIX itself and the switch between the PIX and the routers would
still be a single point of failure unless you go for a cluster of
two there.

    ISP-A                   ISP-B
      |                       |
      | WAN                   | WAN
      | eBGP                  | eBGP
      |         iBGP          |
   Router1-----------------Router2
      |     back2back FE      |
      |                       |
      |                       |
      |  <------HSRP------>   |
      +---------+   +---------+
                |   |
               Switch
                  |
                 Pix

The direct back2back ethernet between the routers may not be necessary
in all cases, but it helps to provide the redundancy and avoids sending
the traffic two times over the same wire, as would happen in the
case of suboptimal routing as described above.

cheers !
Reinhold

On Mon, 16 Sep 2002, nitin wrote:
> Hi,
> I want to set up a PIX firewall on the network where I have two different ISP
> connections with two routers. I want users on the network to access the
> internet from the two ISPs in a load-balancing and redundant fashion. Can
> anyone suggest how I should configure the firewall for this setup?
> Has anyone done this kind of setup? A sample configuration would be
> appreciated.
>
> Thanks in advance
>
> Nitin Sahane
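
A configuration sketch of the design described in the reply above, added here as an example; it is not from the original thread or from either poster. All addresses, AS numbers and interface names are constructed placeholders (documentation ranges), and the syntax assumed is Cisco IOS for the routers and PIX 6.x for the firewall.

```cisco
! ---- Router1 (preferred HSRP gateway, eBGP to ISP-A) ----
interface FastEthernet0/0
 description LAN to switch / PIX outside
 ip address 192.0.2.2 255.255.255.248
 standby 1 ip 192.0.2.1
 standby 1 priority 110
 standby 1 preempt
 ! lose 20 points if the WAN link fails, so Router2 (default 100) takes over
 standby 1 track Serial0/0 20
interface FastEthernet0/1
 description back2back FE to Router2
 ip address 192.0.2.9 255.255.255.252
interface Serial0/0
 description WAN to ISP-A
 ip address 198.51.100.2 255.255.255.252
router bgp 64500
 ! announce the site's own prefix; the Null0 route below anchors it
 network 192.0.2.0 mask 255.255.255.0
 neighbor 198.51.100.1 remote-as 64496
 ! iBGP to Router2 over the back2back link
 neighbor 192.0.2.10 remote-as 64500
 neighbor 192.0.2.10 next-hop-self
ip route 192.0.2.0 255.255.255.0 Null0
!
! ---- Router2 (HSRP standby, eBGP to ISP-B) ----
interface FastEthernet0/0
 description LAN to switch / PIX outside
 ip address 192.0.2.3 255.255.255.248
 standby 1 ip 192.0.2.1
 standby 1 preempt
interface FastEthernet0/1
 description back2back FE to Router1
 ip address 192.0.2.10 255.255.255.252
interface Serial0/0
 description WAN to ISP-B
 ip address 203.0.113.2 255.255.255.252
router bgp 64500
 network 192.0.2.0 mask 255.255.255.0
 neighbor 203.0.113.1 remote-as 64497
 neighbor 192.0.2.9 remote-as 64500
 neighbor 192.0.2.9 next-hop-self
ip route 192.0.2.0 255.255.255.0 Null0
!
! ---- PIX: single static default route to the HSRP virtual address ----
route outside 0.0.0.0 0.0.0.0 192.0.2.1 1
```

The PIX only ever sees the virtual gateway 192.0.2.1; which ISP a given flow leaves through is decided by the routers' BGP tables, with the back2back link carrying traffic that the active HSRP router hands to its peer.
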
This archive was generated by hypermail 2.1.4 : Mon Oct 07 2002 - 07:43:53 GMT-3