09-11-2008 06:14 AM - edited 03-11-2019 06:43 AM
I have a 515E running 8.0(3). The PIX is sitting in a colo and I have a bridged DSL circuit running from my office (which is in another building a few kilometers away) to the inside interface of the PIX. This all works fine and dandy, but now I want to turn up a second bridged DSL circuit to double up the bandwidth between the office and the colo.
2 questions -
1) If the PIX does equal cost load balancing, is it per-packet or per-destination (hopefully the former!)
2) Assuming it will, are there any caveats to doing things this way with regards to NATing from 2 inside interfaces to one global, even if I turn off ip verify reverse-path on the two inside interfaces (vlans)?
Here are the config snippets for what I'm trying to do (except the second office circuit doesn't quite exist yet):
!
interface Ethernet0
nameif outside
security-level 0
ip address x.x.x.x 255.255.255.248
!
interface Ethernet2.636
vlan 636
nameif office636
security-level 100
ip address 172.20.15.1 255.255.255.0
shutdown
!
interface Ethernet2.637
vlan 637
nameif office637
security-level 100
ip address 172.20.16.1 255.255.255.0
!
ip verify reverse-path interface outside
!
global (outside) 1 interface
nat (outside) 1 192.0.2.0 255.255.255.0
nat (office636) 0 access-list office636_nat0_outbound
nat (office636) 1 192.168.100.0 255.255.255.0
nat (office637) 0 access-list office637_nat0_outbound
nat (office637) 1 192.168.100.0 255.255.255.0
!
router eigrp 100
network 172.16.0.0 255.240.0.0
passive-interface outside
redistribute static
!
D 192.168.100.0 255.255.255.0
[90/33280] via 172.20.16.2, 8:16:07, office637
Thanks in advance.
09-11-2008 06:41 AM
1. The PIX does load balancing on a per-FLOW basis, so none of the options you mentioned is correct.. :)
2. Do not see any issues with the config. Load balancing is done and PAT is done with ip verify reverse-path.
HTH
Sushil
09-11-2008 01:12 PM
Thanks for the clarification, Sushil;
What is a Flow?
09-11-2008 01:26 PM
we can configure 3 equal cost routes on an interface and it
will load-balance amongst them. However, the traffic is not necessarily divided evenly
between the routes; traffic is distributed among the specified gateways based on an
algorithm that hashes the source and destination IP addresses. The ASA just distributes
the traffic among the different gateways, not necessarily evenly.
The same information can be found here:
http://www.cisco.com/univercd/cc/td/doc/product/multisec/asa_sw/v_70/config/ip.htm#wp1047894
The ECMP algorithm uses a hash of the source/destination IP address to
determine which route to use. As opposed to round robin load balancing, the
same source/destination pair will always use the same next hop. All packets
within the same flow and all new connections created between that
source/destination pair will utilize the same path.
Please rate if helps. :)
Regards,
Sushil
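To make the flow-hashing behaviour described above concrete, here is an added simulation that is not part of the original thread and not Cisco's code. It models two equal-cost next hops (assumed to be the two office DSL circuits, with constructed gateway addresses 172.20.15.2 and 172.20.16.2), selects a next hop by hashing the source/destination pair, and contrasts that with per-packet round-robin. The SHA-256 hash used here is an illustrative assumption; it stands in for whatever hash the ASA actually uses, which the thread does not specify.

```python
import hashlib
import ipaddress
from collections import Counter

# Constructed example: two equal-cost next hops standing in for the two
# office circuits in the thread. Addresses are assumed, not from a real route table.
GATEWAYS = ["172.20.15.2", "172.20.16.2"]


def ecmp_select(src, dst, gateways=GATEWAYS):
    """Pick a next hop by hashing the (src, dst) address pair.

    This mimics flow-based ECMP: the same source/destination pair always
    maps to the same gateway, regardless of how many packets it sends.
    SHA-256 is an illustrative stand-in for the platform's real hash.
    """
    key = f"{ipaddress.ip_address(src)}|{ipaddress.ip_address(dst)}".encode()
    digest = hashlib.sha256(key).digest()
    index = int.from_bytes(digest[:4], "big") % len(gateways)
    return gateways[index]


def per_packet_select(packet_number, gateways=GATEWAYS):
    """Round-robin per-packet alternative, for comparison only."""
    return gateways[packet_number % len(gateways)]


def simulate_transfer(src, dst, packets):
    """Per-gateway packet counts for ONE flow (e.g. a large file transfer).

    Returns (flow_based_counts, per_packet_counts). Under flow hashing every
    packet lands on a single circuit, so the transfer is capped at one
    circuit's bandwidth; per-packet round-robin splits it across both.
    """
    flow_counts = Counter(ecmp_select(src, dst) for _ in range(packets))
    pp_counts = Counter(per_packet_select(i) for i in range(packets))
    return flow_counts, pp_counts


def simulate_many_flows(src_net, dst, count):
    """Distribute `count` distinct sources in src_net talking to dst.

    Many independent flows do spread across both gateways, which is where
    flow-based ECMP actually adds capacity (aggregate, not per-flow).
    """
    hosts = list(ipaddress.ip_network(src_net).hosts())[:count]
    return Counter(ecmp_select(str(h), dst) for h in hosts)


if __name__ == "__main__":
    # One host at the office pushing a 1000-packet transfer to one colo server.
    flow, pp = simulate_transfer("192.168.100.10", "192.0.2.50", 1000)
    print("single flow, hash-based :", dict(flow))
    print("single flow, per-packet :", dict(pp))
    # Two hundred different office hosts each talking to the same server.
    print("200 flows, hash-based   :", dict(simulate_many_flows(
        "192.168.100.0/24", "192.0.2.50", 200)))
```

Running it shows the point the thread makes: a single flow never exceeds one circuit's bandwidth under hash-based ECMP, while a population of flows does get spread across both next hops.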
09-11-2008 09:04 PM
It certainly helps, but it's not the answer I was looking for ;) I was hoping for per-packet. Per-packet would allow me to use the aggregate bandwidth of my two connections if I were trying to do something that could make use of such a large amount of bandwidth, say transferring a large file, whereas the flow-based "load balancing" will not use the aggregate bandwidth for that same task :(
09-12-2008 05:52 AM
That is correct. Unfortunately, on a f/w, load balancing would not necessarily mean a 50:50 division.... Load balancing done by a router is much better and nearest to a 50:50 ratio.
Regards,
Sushil