PIX and GLBP

Answered Question
Jun 20th, 2008

Can you run GLBP on a PIX firewall?

Can you run GLBP on a 3750? (I don't think so)

Thanks

Victor

Correct Answer
andrew.butterworth Fri, 06/20/2008 - 15:04

No to both....

The PIX/ASA uses failover to achieve redundancy so no HSRP or GLBP functionality.

The 3750 only supports HSRP, so no VRRP or GLBP unfortunately.

Andy

lamav Fri, 06/20/2008 - 16:45

Andrew, I forgot to ask. Doesn't the PIX support VRRP?

Victor

andrew.butterworth Sat, 06/21/2008 - 02:32

Unfortunately not, Victor. As I said, the PIX (or ASA) can be deployed in pairs to achieve redundancy. I didn't think there would be, but I have just checked the latest PIX 8.0 documentation and there is nothing about VRRP/HSRP or GLBP.

What is it you are trying to achieve?

Andy

lamav Sat, 06/21/2008 - 06:29

Hey, Andrew.

Thank you.

I'm not really trying to achieve anything, per se. My questions are a result of a discussion I had with my client yesterday.

I mentioned that GLBP should not be used in conjunction with a firewall pair because it inherently introduces asymmetric routing -- you know, more than one router in the GLBP group can do the forwarding to the firewall pair at any given time, thereby potentially breaking stateful connections.

His answer was that it didn't matter in this case, because even if he did use GLBP on the switches that sit behind the firewall pair, the firewalls are part of an HSRP group. And that means that one FW is a primary and the other a secondary -- so the primary will always get the traffic even though both switches behind it are forwarding traffic. They will forward to the FW HSRP VIP and then the primary FW will receive and forward the traffic.

I stood there puzzled, thinking you can't place PIX firewalls in an HSRP group. But then their diagram says it's a VRRP group, hence my second question.

So, my remark regarding GLBP has spawned a new concern....

Any remarks?

Thanks, Andrew

Jon Marshall Sat, 06/21/2008 - 08:51

Hi Victor

To my understanding even if you ran your pix firewalls in active/active for each context only one firewall is active and the other standby, just means you can have multiple contexts spreading load across the 2 firewalls.

With pix firewalls per context GLBP would give you nothing because there is nothing to load-balance, ie. the firewall always appears as the same host to the routers/switches so it will always use the same active gateway, so I don't believe you could end up with asymmetric routing.

As to why they labelled it as HSRP/VRRP/GLBP on the pix firewalls who knows :-)

Jon

andrew.butterworth Sat, 06/21/2008 - 10:12

I agree with Jon; I think the terminology is mixed up here. When your client mentioned HSRP I assume he was referring to PIX Failover, which is similar but has fundamental differences. In this scenario both PIX firewalls are identical and each has duplicate interfaces; the IP addresses on each PIX will be different (same subnet but different host number). However, the difference is that only the Active one will be forwarding traffic and participating in routing protocols (if configured).

You can see the similarity to HSRP - i.e. one PIX will be Active, whereas the other will be Standby. However it is the whole box that is in a standby state. If the Primary PIX should fail the Secondary would assume the configuration (and existing connection states if a state interface is also configured) of the Primary PIX and continue forwarding traffic.

I think it is just the terminology that is confused here. That being said CheckPoint firewalls run VRRP between the Active & Standby boxes.

Hi Jon, how's things going at NR?

Andy

lamav Sat, 06/21/2008 - 13:33

Jon/Andrew:

Quoting Jon...

"With pix firewalls per context GLBP would give you nothing because there is nothing to load-balance, ie. the firewall always appears as the same host to the routers/switches so it will always use the same active gateway, so I don't believe you could end up with asymmetric routing."

That is exactly the point the client made, BUT his argument was that the L3 switches would forward the traffic to the FW's HSRP VIP -- and that is why, as he explained, there would not be asymmetric routing. And that is what confused me since I know PIX don't run HSRP.

Now, maybe, as Andrew says, there is a mix up in language. Fine. I do completely understand that whether there is one FW acting as the active, or you have two devices running HSRP where one of those switches is the HSRP active for every VLAN, it would be the same: ONE device is doing all the receiving and forwarding of traffic.

So, the question is, how is it that you are able to direct traffic to the active PIX when you have 2 PIXs in active/standby mode and no mechanism such as HSRP or VRRP or GLBP to run between the firewalls?

Please examine this attached drawing.

V1 and V2 sit at the enterprise edge, facing vendors.

E1 and E2 sit in the DMZ.

V1 learns interior routes through multihop eBGP with E1 -- and V2 learns interior routes through multihop eBGP with E2.

Both V1 and V2 have the same static route for their eBGP peers pointing to 10.182.18.49 -- which, according to the drawing, is the FW VRRP VIP.

So, what the heck is this address that both switches would point to when having to go through the FW if not a shared IP that both FWs use? It can't be the case that that address is the physical interface of 1 FW and failover requires manual intervention. LOL... That would be totally insane.

Ideas?

Thank you so much

Victor

Jon Marshall Sun, 06/22/2008 - 00:39

Hi Andy

Left NR about a month ago and am planning to take the summer off before I look for another job. Maybe do a bit of study, a lot of mountain biking if our summer ever gets going! And generally just doss around :-).

After 5 years at NR I fancied a change and I couldn't face the idea of having to install another Nortel solution!! :-).

How are things with you, Damovo still keeping you busy ?

Jon

lamav Sun, 06/22/2008 - 03:12

Jon, boy was that anti-climactic! LOL...Waiting for the big answer and I get "do you have a jpeg"? LOLOL

It's all good...

Attaching a jpeg.

And by the way, what's "NR"?

Victor

cisco24x7 Sun, 06/22/2008 - 05:05

Andrew said:

"That being said CheckPoint firewalls run VRRP between the Active & Standby boxes"

Checkpoint does not have VRRP. Nokia uses VRRP for Active/Standby and IPSO clustering for Active/Active. Checkpoint uses ClusterXL for Active/Active and Active/Standby.

The difference between Cisco and Checkpoint is that Checkpoint does offer a truly Active/Active solution whereas Cisco Pix does not. In Cisco's Active/Active, it is similar to Cisco HSRP with multiple HSRP groups.

andrew.butterworth Sun, 06/22/2008 - 06:12

Hi Jon

Yep, Damovo is keeping me busy, not touched Nortel Telephony since the work in Manchester.

Enjoy the summer if it ever kicks off, it's looking pretty bleak in Manchester at the moment....

Andy

JORGE RODRIGUEZ Sun, 06/22/2008 - 06:44

Hi Jon, since you left NR do you have a personal email? Well, at least we know where to find you in netpro.. I am sure you will find another job in a heartbeat, good idea to enjoy the summer.

Bst Rgds

Jorge

lamav Sun, 06/22/2008 - 08:38

C'mon guys... I'm glad you're all catching up on the year's social events, but can someone answer my question above?

LOL

[FROM THE ABOVE POST]

"With pix firewalls per context GLBP would give you nothing because there is nothing to load-balance, ie. the firewall always appears as the same host to the routers/switches so it will always use the same active gateway, so I don't believe you could end up with asymmetric routing."

That is exactly the point the client made, BUT his argument was that the L3 switches would forward the traffic to the FW's HSRP VIP -- and that is why, as he explained, there would not be asymmetric routing. And that is what confused me since I know PIX don't run HSRP.

Now, maybe, as Andrew says, there is a mix up in language. Fine. I do completely understand that whether there is one FW acting as the active, or you have two devices running HSRP where one of those switches is the HSRP active for every VLAN, it would be the same: ONE device is doing all the receiving and forwarding of traffic.

So, the question is, how is it that you are able to direct traffic to the active PIX when you have 2 PIXs in active/standby mode and no mechanism such as HSRP or VRRP or GLBP to run between the firewalls?

Please examine this attached drawing.

V1 and V2 sit at the enterprise edge, facing vendors.

E1 and E2 sit in the DMZ.

V1 learns interior routes through multihop eBGP with E1 -- and V2 learns interior routes through multihop eBGP with E2.

Both V1 and V2 have the same static route for their eBGP peers pointing to 10.182.18.49 -- which, according to the drawing, is the FW VRRP VIP.

So, what the heck is this address that both switches would point to when having to go through the FW if not a shared IP that both FWs use? It can't be the case that that address is the physical interface of 1 FW and failover requires manual intervention. LOL... That would be totally insane.

Ideas?

Thank you so much

Victor

[END ABOVE POST]

Victor

Correct Answer
Jon Marshall Sun, 06/22/2008 - 09:06

Alright, give us a chance, we brits work at a different pace you know :-)

Pix failover uses 2 IP addresses only. So in your diagram

F1 = 10.182.18.49

F2 = 10.182.18.50

These IP addresses are attached to the physical interfaces of your firewalls and you can telnet to either of them. The primary firewall, let's say F1 in this case, will respond to 10.182.18.49.

When V1 learns routes from E1 and V2 learns routes from E2 they both route via F1 which is using 10.182.18.49. And this is the address you would use as the next hop for both V1/V2 & E1/E2.

If the primary fails then the secondary firewall, whose physical interface is still 10.182.18.50, will now become responsible for 10.182.18.49 and will accept packets destined for this address. So no, you don't have to manually fail it over, the secondary just starts to answer to 10.182.18.49.

Is this what you need or are you wanting to understand exactly how Cisco do Pix failover?

NR = Network Rail, UK company responsible for rail infrastructure (tracks, stations etc), in fact most things except the actual trains.

Jon

Jon Marshall Sun, 06/22/2008 - 13:08

Victor

Apologies, just a quick modification. I said

"And this is the address (ie. 10.182.18.49) you would use as the next hop for both V1/V2 & E1/E2".

Actually you wouldn't. For V1/V2 you would. But E1/E2 would use a different address as the next hop on the firewalls ie. whatever the IP address is on the primary firewall on the interfaces facing E1/E2.

Sorry about that.

Jon
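The active/standby addressing Jon describes above (one primary address per interface that the active unit answers for, a standby address held by the other unit, and a separate next hop on the E1/E2-facing interface), written out as a PIX/ASA 7.x-style failover configuration. This is an added example, not a config from the thread or from Cisco; the interface names, the /28 mask, the failover-link subnet and the dmz-side addresses are assumptions.

```text
! Primary unit (F1). The secondary unit (F2) only needs the failover link
! commands below plus "failover lan unit secondary"; it then copies the
! rest of the running configuration from the active unit.
failover
failover lan unit primary
! Assumed: Ethernet2 is a dedicated failover link on an assumed
! 192.168.254.0/24 subnet that carries nothing else.
failover lan interface folink Ethernet2
failover interface ip folink 192.168.254.1 255.255.255.0 standby 192.168.254.2
! Stateful failover over the same link, so existing connections survive a
! switchover (what Andrew called the "state interface").
failover link folink Ethernet2
!
! Interface facing V1/V2. Both switches point their static route at .49.
! Whichever unit is currently active answers for .49 (and takes over its
! MAC address); the unit in standby holds .50. The /28 mask is assumed.
interface Ethernet0
 nameif outside
 security-level 0
 ip address 10.182.18.49 255.255.255.240 standby 10.182.18.50
!
! Interface facing E1/E2. Per Jon's correction, E1/E2 use the active
! address on THIS interface as their next hop, not .49. Placeholders only.
interface Ethernet1
 nameif dmz
 security-level 50
 ip address <DMZ-ACTIVE-IP> <DMZ-MASK> standby <DMZ-STANDBY-IP>
```

On either unit, `show failover` reports which unit is currently Active; that is the one answering for 10.182.18.49 at that moment, and is the first thing to check when V1/V2 traffic stops being forwarded.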

lamav Sun, 06/22/2008 - 09:24

"If the primary fails then the secondary firewall whose physical interface is still 10.182.18.50 will now becomes responsible for 10.182.18.49 and will accept packets destined for this address. So no you don't have to manually fail it over, the secondary just starts to answer to 10.182.18.49."

Bingo!

That is exactly what I was asking.

Isn't the failover you just described indeed "PIX failover"?

By the way, does that mean that that diagram is nonsense? Because it describes the failover mechanism between the firewalls as "VRRP" and the 10.182.18.49 address as being the VRRP VIP.

Thanks

Victor

Jon Marshall Sun, 06/22/2008 - 09:27

Well you took your time reading the post after all that complaining :-)

"Isn't the failover you just described indeed "PIX failover"?"

Yes it is, I was just wondering how much detail you actually wanted.

The diagram is misleading; it would be more accurate to just label the firewalls as active/standby with the primary address 10.182.18.49.

Jon

lamav Sun, 06/22/2008 - 09:40

Now all my confusion could have been avoided had I just not been such a PIX retard. LOL

Thanks, dude.

Victor
