Equal cost load balancing via EIGRP on PIX 8 inside

Sep 11th, 2008

I have a 515E running 8.0(3). The PIX is sitting in a colo and I have a bridged DSL circuit running from my office (which is in another building a few kilometers away) to the inside interface of the PIX. This all works fine and dandy, but now I want to turn up a second bridged DSL circuit to double up the bandwidth between the office and the colo.

2 questions -

1) If the PIX does equal cost load balancing, is it per-packet or per-destination (hopefully the former!)?

2) Assuming it will, are there any caveats to doing things this way with regards to NATing from 2 inside interfaces to one global, even if I turn off ip verify reverse-path on the two inside interfaces (vlans)?

Here are the config snippets for what I'm trying to do (except the second office circuit doesn't quite exist yet):


interface Ethernet0
 nameif outside
 security-level 0
 ip address x.x.x.x

interface Ethernet2.636
 vlan 636
 nameif office636
 security-level 100
 ip address

interface Ethernet2.637
 vlan 637
 nameif office637
 security-level 100
 ip address

ip verify reverse-path interface outside

global (outside) 1 interface
nat (outside) 1
nat (office636) 0 access-list office636_nat0_outbound
nat (office636) 1
nat (office637) 0 access-list office637_nat0_outbound
nat (office637) 1

router eigrp 100
 passive-interface outside
 redistribute static

[90/33280] via, 8:16:07, office637

Thanks in advance.

suschoud Thu, 09/11/2008 - 06:41

1. PIX does load balancing on a per-FLOW basis, so none of the options you mentioned is correct. :)

2. Do not see any issues with config. is load balancing is done and PAT is done with ip verify reverse-path.



jlixfeld Thu, 09/11/2008 - 13:12

Thanks for the clarification, Sushil;

What is a Flow?

suschoud Thu, 09/11/2008 - 13:26

We can configure 3 equal cost routes on an interface and it will load-balance amongst them. However, the traffic is not necessarily divided evenly between the routes; traffic is distributed among the specified gateways based on an algorithm that hashes the source and destination IP addresses. The ASA just distributes the traffic among the different gateways, not necessarily evenly.

The same information can be found here:



The ECMP algorithm uses a hash of the source/destination IP address to determine which route to use. As opposed to round robin load balancing, the same source/destination pair will always use the same next hop. All packets within the same flow and all new connections created between that source/destination pair will utilize the same path.

Please rate if helps. :)
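
The flow-based selection described in the post above, as an added example that is not part of the original thread: a small simulation comparing a source/destination hash with per-packet round robin. SHA-256 stands in for the PIX hash, which the thread does not give, and the addresses and byte counts are constructed sample data.

```python
import hashlib
import ipaddress

# Interface names taken from the thread's nameif lines; used here as next-hop labels.
NEXT_HOPS = ("office636", "office637")

def pick_next_hop(src, dst, next_hops=NEXT_HOPS):
    """Flow-based ECMP: hash the source/destination pair, index into the routes.

    SHA-256 is a stand-in (assumption); the thread does not give the PIX hash.
    """
    key = ipaddress.ip_address(src).packed + ipaddress.ip_address(dst).packed
    bucket = int.from_bytes(hashlib.sha256(key).digest()[:4], "big")
    return next_hops[bucket % len(next_hops)]

def flow_hash_load(flows, next_hops=NEXT_HOPS):
    """flows: iterable of (src, dst, byte_count). Returns bytes sent per next hop."""
    load = {hop: 0 for hop in next_hops}
    for src, dst, size in flows:
        load[pick_next_hop(src, dst, next_hops)] += size
    return load

def per_packet_load(packet_sizes, next_hops=NEXT_HOPS):
    """Per-packet round robin, shown only for comparison with the flow hash."""
    load = {hop: 0 for hop in next_hops}
    for i, size in enumerate(packet_sizes):
        load[next_hops[i % len(next_hops)]] += size
    return load

# Constructed sample traffic (addresses are made up for illustration).
# One large file transfer: 1000 packets of 1500 bytes between a single pair.
big_transfer = [("10.0.0.5", "192.0.2.10", 1500)] * 1000
# Many hosts talking to many destinations, 100 kB each.
mixed = [(f"10.0.0.{h}", f"192.0.2.{d}", 100_000)
         for h in range(1, 21) for d in range(1, 11)]

if __name__ == "__main__":
    print("single transfer, flow hash :", flow_hash_load(big_transfer))
    print("single transfer, per packet:", per_packet_load([1500] * 1000))
    print("200 pairs, flow hash       :", flow_hash_load(mixed))
```

With the flow hash, the single transfer lands entirely on one circuit, while the 200 distinct pairs spread across both, though not necessarily evenly.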



jlixfeld Thu, 09/11/2008 - 21:04

It certainly helps, but it's not the answer I was looking for ;) I was hoping for per-packet. Per-packet would allow me to use the aggregate bandwidth of my two connections if I were trying to do something that could make use of such a large amount of bandwidth, say transferring a large file, whereas the flow based "load balancing" will not use the aggregate bandwidth for that same task :(

suschoud Fri, 09/12/2008 - 05:52

That is correct. Unfortunately, on f/w, load balancing would not necessarily mean 50:50 division. Load balancing done by router is much better and nearest to 50:50 ratio.



