Pix 515E, OSPF Equal cost paths

Unanswered Question
Mar 8th, 2007

Is it possible to configure a Pix 515E with two ports on the 'outside' and two ports on the 'inside' of a network and run OSPF at either side. Because the Pix would see the same network on both it's 'inside' ports with equal cost would it get confused and therefore drop the traffic.

Failing that. Is there a way to get OSPF to report a lower bandwidth on one of the inside interfaces so that the other would be preferred without resorting to route-maps?

Basically I'm trying to get a single pix with lots of interfaces to maximise the bandwidth from the inside network to the outside world without the need to spend any money, or at least get some resilience out of the ports if not bandwidth - It's not my firewall or budget just my problem.

Any ideas?

Thanks

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
cpembleton Sun, 03/11/2007 - 16:52

You can have a separate OSPF process running for the inside and outside interfaces. It is best security practices to keep this separate.

The pix does not support load balancing of interface. It would be difficult for the adaptive security algorithm to keep track of the traffic that it should and should not allow.

Best bet is to use routing and/or route-maps before the pix to control the flow of traffic.

What kind of device do you attached to your pix on the inside?

Where version are you running on the pix?

Thanks,

Chad

Mel Popple Wed, 03/14/2007 - 01:37

Thanks for the response.

Single 6500 on the outside with GRE tunnels terminating from several remote sources. Then there will be several Pix 515E's connected to a pair of 6500s on the inside. That's why I was looking at two NICs facing outwards and the other 4 NICs split between the two internal 6509's.

Multicast will be the primary incoming traffic.

Pix are currently running 6.3 but will be upgraded to 7.0 if needs be.

Mel Popple Wed, 03/14/2007 - 01:40

Forgot to add that all of the traffic will be getting sent to the same networks on the inside. This is why it's a bit of a pain because it's the same OSPF cost to all networks in both directions.

Actions

This Discussion