Network Traffic Division

Unanswered Question
Mar 4th, 2008
User Badges:

We our going to install a secondary DSL line to supplement our current connection and i have been given the task of checking to see if there is a way to divide our internet bound network traffic btween the two DSL routers.

currently we have all of our traffic coming through a 2950 catalyst switch through the PIX 501 firewall which is connected to one port on the switch and finally ending up at a port on the DSL router.


I would like to know is there perhaps an access rule on the firewall or configuration on the switch etc that i use to acheive this. i cannot see anything obvious.

Any ideas would be very welcome.

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.

cisco ASAs haev the ability to minotor routes and support a secondary route, but only in version 7.x code and higher (which won't load to a 501). You can, however, get that with an ASA 5505 for not much $.


One of the issues you face is that, with most routing systems, whether the route is up or not is determined by whether the interface is up or not. So, if the DSL link dies but the Ethernet connection between the PIX and the 501 is still up, the PIX doesn't know the link is failed because the Ethernet port is still up. In the ASA series, you set a 'heartbeat' that is monitored on the link to validate connectivity beyond the immediate Ethernet switch port (kind of a poor man's BGP4, if you would).


And using a 501 makes it even tought, because it only has one uplink port and you'd have to connect the 501 to the switch and then to the two DSL links. In that arrangement, the DSL modem could be removed entirely and the 501 wouldn't know it because the switch would still support the Outside interface as UP.

Joseph W. Doherty Tue, 03/04/2008 - 05:41
User Badges:
  • Super Bronze, 10000 points or more

Assuming the PIX has default route out the existing DSL port, it might be as simple, if supported, to just add another default route out the second DSL port.


[edit]

Just saw the other recent post. If the PIX doesn't have a second port, the other solution might be to place a router between the PIX and the DSL links to split the outbound traffic.

james_281 Tue, 03/04/2008 - 08:41
User Badges:

Thanks guys for all the replies and info.


if i was to use a router to split the traffic would you have any reccomendations for a simple router to do the job. also if i were to use policy based routing can this be done via the gui on the firewall.

Joseph W. Doherty Tue, 03/04/2008 - 10:13
User Badges:
  • Super Bronze, 10000 points or more

Regarding a simple router, what kind of links are you using and their bandwidths? Any expected growth?

james_281 Tue, 03/04/2008 - 11:36
User Badges:

Link Speed form behind the router will be 100mb and on the other side DSL 1mbit.


Growth is very likely.

Joseph W. Doherty Tue, 03/04/2008 - 13:38
User Badges:
  • Super Bronze, 10000 points or more

Assuming we need one Ethernet connection to the PIX and two more Ethernet, one to each DSL router, the 1841 with an Ethernet 4 port HWIC or 1 port FastEthernet high speed WIC, will likely do what you need now and will support growth.


See figure #3 in:

http://www.cisco.com/en/US/prod/collateral/routers/ps5854/product_data_sheet0900aecd80581fe6_ps5853_Products_Data_Sheet.html

james_281 Wed, 03/05/2008 - 02:34
User Badges:

Am i right in thinking that the 1841 can also act as a hardware firewall and if so would it offer the same level of protection as our current 501 so that we could remove the 501 altogether and just use the Router for PBR and as a firewall.

Joseph W. Doherty Wed, 03/05/2008 - 04:15
User Badges:
  • Super Bronze, 10000 points or more

If the 1841 has the firewall feature set within its IOS, it can act as a firewall. I'm not familar enough with either to say whether they have exact feature parity or how fast a 1841 is compared to a PIX as a firewall. That noted, I suspect you probably could use just the 1841.

Actions

This Discussion