Pix and Loadbalancing

Unanswered Question
Nov 9th, 2008

Hello all

My ISP provides me with 2 links for redundancy and load balancing purposes.

The subnet is broken in two parts, let's say 10.0.0.0/25 and 10.0.0.128/25.

From the Internet side each subnet is announced using BGP to ISP routers GW1 and GW2.

Each router is one subnet's "preferred path" for load balancing, both being announced at each.

Between the ISP and my PIX I have a pair of routers with HSRP on LAN side.

It suits my purpose as long as I can directly split my subnet.

But I have a situation where in front of my subnets I have a PIX.

The public IP 10.0.0.0/25 and 10.0.0.128/25 will be NATed to, say, 192.168.0.0/25 and 192.168.0.128/25 (internal).

As far as I know, a PIX has only one gateway address.

And being a Layer 3 device it will spoil my HSRP balancing trick anyway.

I guess that with that setup I will only have incoming load balancing.

But the traffic I really need to balance is the egress traffic to the Internet web users!

For instance I want to make sure that the 192.168.0.0/25 hosts will use the GW1 link and 192.168.0.128/25 the other one.

Whilst keeping the redundancy...

It is critical for me that a host in 192.168.0.0/25 will not compete for the bandwidth with one in 192.168.0.128/25.

The only thing I can think of is using OSPF. But I feel uneasy about putting it on a FW.

How safe is it?

Is there any good tutorial about using OSPF for load balancing, especially on a PIX device?

Are there any other options?

Any help greatly appreciated as I haven't found anything useful so far...

Rich.

smahbub Sat, 11/15/2008 - 10:01

If you have a remote-access configuration in which you are using two or more security appliances or VPN Concentrators connected on the same network to handle remote sessions, you can configure these devices to share their session load. This feature is called load balancing.

Richard--92 Sat, 11/15/2008 - 13:39

That's not what I mean.

In my current setup the ISP provides me with a single subnet, which means a unique gateway.

But the ISP is taking care to load balance the upstream as well as the downstream to my webservers.

The new ISP is splitting the subnet into 2 subnets, one arriving at each router. The downstream is obviously split.

Now I have my webservers behind a PIX.

The PIX has only one gateway, which implies that the upstream will go to only one router.

That wastes half of the bandwidth, precisely in the direction where it is most needed.

Thus my question: how to balance the upstream from the PIX to the ISP's routers?

I am looking for a configuration example.

Thanks for your help!

cisco24x7 Sat, 11/15/2008 - 15:04

I don't think it can be done with a Pix firewall.

However, if you run Checkpoint firewall on Nokia IP appliances, Nokia IPSO can take care of the egress load-sharing by splitting the traffic. Nokia IPSO allows you to enter multiple default gateways and use either a source, destination, or source/destination hashing algorithm to calculate the load. This can be done very easily within IPSO by a couple of clicks via Voyager.

You can verify that the egress traffic is load balanced by running tcpdump with the "-e" option. You will see different gateway MAC addresses for outbound traffic.
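As an added illustration (not configuration from this thread, from PIX, or from IPSO), the following Python models the two ideas in play: the per-source-subnet split Richard asks for in the opening post (10.0.0.0/25 out via GW1, 10.0.0.128/25 out via GW2, with fallback to the surviving gateway when one link is down) and the source / destination / source+destination hashing plus the `tcpdump -e` check described in this reply. The gateway and firewall MAC addresses, the capture lines and the modulo hash are all constructed assumptions; IPSO's real hashing algorithm is not reproduced here.

```python
"""Model of egress gateway selection across two ISP routers, plus a check
over `tcpdump -e` text. Constructed example; addresses follow the thread."""
import ipaddress
import re
from collections import Counter

# Constructed: the thread's two ISP routers with assumed MAC addresses.
GATEWAYS = {
    "GW1": {"ip": "10.0.0.1",   "mac": "00:00:0c:07:ac:01"},
    "GW2": {"ip": "10.0.0.129", "mac": "00:00:0c:07:ac:02"},
}
MAC_TO_GW = {g["mac"]: name for name, g in GATEWAYS.items()}

# The split the original poster wants: each public /25 has a preferred link.
PREFERRED = {"10.0.0.0/25": "GW1", "10.0.0.128/25": "GW2"}


def subnet_of(ip):
    """Return the PREFERRED key containing `ip`, or None for other sources."""
    addr = ipaddress.ip_address(ip)
    return next((n for n in PREFERRED if addr in ipaddress.ip_network(n)), None)


def _ip_int(ip):
    return int(ipaddress.ip_address(ip))


def pick_gateway(src, dst, mode="prefix", alive=("GW1", "GW2")):
    """Choose the next hop for one outbound packet.
    mode="prefix": deterministic per-source-subnet split (the poster's goal).
    mode="source"/"destination"/"both": flow hashing in the spirit of the
    IPSO option in the reply (a simplified modulo hash, not IPSO's algorithm).
    Gateways absent from `alive` are skipped, which is the redundancy part."""
    live = [g for g in GATEWAYS if g in alive]
    if not live:
        raise RuntimeError("no live gateway")
    if mode == "prefix":
        want = PREFERRED.get(subnet_of(src))
        return want if want in live else live[0]   # preferred link down: fall back
    key = {"source": _ip_int(src),
           "destination": _ip_int(dst),
           "both": _ip_int(src) ^ _ip_int(dst)}[mode]
    return live[key % len(live)]


# One `tcpdump -e` line on the outside interface (Linux-style Ethernet header).
LINE_RE = re.compile(
    r"^\S+ (?P<smac>[0-9a-f:]{17}) > (?P<dmac>[0-9a-f:]{17}), ethertype IPv4 "
    r"\(0x0800\), length \d+: (?P<sip>\d+(?:\.\d+){3})\.\d+ > (?P<dip>\d+(?:\.\d+){3})\.\d+"
)


def tally_egress(capture_lines):
    """Count outbound frames per (source subnet, gateway) from `tcpdump -e`
    output. Inbound frames, ARP and unparsed lines are ignored."""
    counts = Counter()
    for line in capture_lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        gw = MAC_TO_GW.get(m["dmac"])
        if gw is None:
            continue                      # not addressed to either ISP router
        counts[(subnet_of(m["sip"]) or "other", gw)] += 1
    return counts


def split_is_clean(counts):
    """True when every tallied subnet used only its preferred gateway."""
    return all(PREFERRED.get(subnet) == gw for (subnet, gw) in counts)


# Constructed capture: 00:a0:8e:00:00:01 is the assumed firewall outside MAC.
# Frame 4 sends a 10.0.0.128/25 host via GW1, which the check should flag.
SAMPLE_CAPTURE = """\
12:00:01.000001 00:a0:8e:00:00:01 > 00:00:0c:07:ac:01, ethertype IPv4 (0x0800), length 74: 10.0.0.5.43210 > 203.0.113.10.80: Flags [S], seq 1, win 65535, length 0
12:00:01.000002 00:a0:8e:00:00:01 > 00:00:0c:07:ac:02, ethertype IPv4 (0x0800), length 74: 10.0.0.130.43211 > 203.0.113.10.80: Flags [S], seq 1, win 65535, length 0
12:00:01.000003 00:00:0c:07:ac:01 > 00:a0:8e:00:00:01, ethertype IPv4 (0x0800), length 74: 203.0.113.10.80 > 10.0.0.5.43210: Flags [S.], seq 1, ack 2, win 65535, length 0
12:00:01.000004 00:a0:8e:00:00:01 > 00:00:0c:07:ac:01, ethertype IPv4 (0x0800), length 60: 10.0.0.131.43212 > 198.51.100.7.443: Flags [S], seq 1, win 65535, length 0
12:00:01.000005 00:a0:8e:00:00:01 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 10.0.0.1 tell 10.0.0.2, length 28
""".splitlines()

if __name__ == "__main__":
    for src in ("10.0.0.5", "10.0.0.130"):
        print(src, "->", pick_gateway(src, "203.0.113.10"),
              "| GW2 down ->", pick_gateway(src, "203.0.113.10", alive=("GW1",)))
    counts = tally_egress(SAMPLE_CAPTURE)
    print(dict(counts), "clean split:", split_is_clean(counts))
```

The prefix mode is what gives the "no competition between the two halves" property; the hash modes spread flows but do not keep one /25 on one link, which is the trade-off the reply's IPSO option implies. The capture check is the same test the reply suggests: on the outside interface, outbound frames from each public subnet should carry only the expected router's MAC as destination.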

Richard--92 Sun, 11/16/2008 - 12:43

Hi!

I know: I have some Nokia/CP appliances myself.

Sometimes I dream of having the best of both worlds: Checkpoint + Pix...

But I really feel that something can be done with OSPF on PIXes. That's why I ask for help in the Cisco forum...

regards,
