Core-->Firewall Active/Active load-balancing

Unanswered Question
Oct 3rd, 2007

We are upgrading from an active/standby configuration to active/active. What would be the best way to load-balance from the Core 65xx perspective? The firewalls are not running any routing protocol or VRRP. The Core is running OSPF & CEF. Thanks!

................-->L2Switch-->FW1

CORE65xx

................-->L2Switch-->FW2

Danilo Dy Wed, 10/03/2007 - 07:04

Hi,

What is the firewall vendor/model and what HA technology does it use for active/active state?

I have set up CheckPoint (cluster) and Juniper (cluster) with a redundant core. However, PIX/ASA active/active state differs from these two.

Regards,

Dandy

Danilo Dy Wed, 10/03/2007 - 07:33

Hi,

For both CheckPoint and Juniper active/active state, run OSPF in the firewall. In the core, run OSPF load-balancing.

The firewall should see equal paths to 2xcore to achieve load balancing in the core (outgoing traffic from the firewall). Do note that the incoming traffic to the firewall is already load-balanced no matter what the routing configuration is.

Don't forget to put a rule on top of the policy for the OSPF connection between firewall and core. That is:

IP:
    FW-VIP
    FW1-IP
    FW2-IP
    FW-OSPF_ID (if available, I can't remember if Juniper needs this but CheckPoint needs this)
    Core1-IP
    Core2-IP
    Core1-OSPF_ID
    Core2-OSPF_ID
    224.0.0.5
    224.0.0.6

Service:
    IP Protocol 89 (OSPF)
    ICMP Type 8 (echo-request)

Good luck!

Regards,

Dandy
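An added example, not part of the original post and not vendor code: a small first-match policy simulation showing why the OSPF rule above has to sit on top of the policy. It assumes the firewall evaluates rules top-down and stops at the first match; the addresses are constructed, the router-ID objects are left out, and the `STEALTH` rule is a hypothetical broad drop rule.

```python
import ipaddress

# Constructed addresses (documentation range); the post names the objects only.
PEERS = {"FW-VIP": "192.0.2.1", "FW1-IP": "192.0.2.2", "FW2-IP": "192.0.2.3",
         "Core1-IP": "192.0.2.11", "Core2-IP": "192.0.2.12"}
OSPF_MCAST = ["224.0.0.5", "224.0.0.6"]
SERVICES = [("ip", 89), ("icmp", 8)]      # OSPF, ICMP echo-request

ADDRS = list(PEERS.values()) + OSPF_MCAST
OSPF_RULE = {"src": ADDRS, "dst": ADDRS, "svc": SERVICES, "action": "accept"}
# Hypothetical broad rule dropping anything addressed to the firewall itself.
STEALTH = {"src": ["0.0.0.0/0"], "dst": ["192.0.2.0/29"], "svc": "any", "action": "drop"}


def required_flows():
    """Every (src, dst, service) flow the OSPF adjacency needs to pass."""
    fw = [ip for name, ip in PEERS.items() if name.startswith("FW")]
    core = [ip for name, ip in PEERS.items() if name.startswith("Core")]
    flows = []
    for senders, receivers in ((fw, core), (core, fw)):
        for src in senders:
            for dst in receivers:
                flows += [(src, dst, svc) for svc in SERVICES]
            flows += [(src, group, ("ip", 89)) for group in OSPF_MCAST]
    return flows


def first_match(policy, src, dst, svc):
    """Return (rule index, action) of the first rule that matches the flow."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for i, rule in enumerate(policy):
        if (any(s in ipaddress.ip_network(n) for n in rule["src"])
                and any(d in ipaddress.ip_network(n) for n in rule["dst"])
                and (rule["svc"] == "any" or svc in rule["svc"])):
            return i, rule["action"]
    return None, "drop"                   # nothing matched: implicit drop


def blocked_flows(policy):
    """Required flows that the policy would not accept."""
    return [f for f in required_flows() if first_match(policy, *f)[1] != "accept"]


if __name__ == "__main__":
    for label, policy in (("OSPF rule on top", [OSPF_RULE, STEALTH]),
                          ("OSPF rule below drop", [STEALTH, OSPF_RULE])):
        print(label, "->", len(blocked_flows(policy)), "required flows blocked")
```

With the drop rule first, every core-to-firewall unicast flow is lost while the multicast hellos still pass, which is the kind of half-working adjacency that is hard to spot from the core side alone.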

joshcarlson Wed, 10/03/2007 - 07:52

When you say run OSPF load-balancing are you speaking of the automatic equal-cost load-balancing?
