Load Balancing PIX

Unanswered Question
Oct 7th, 2009
User Badges:

Hi All,


we have the following scenario. 2 Firewall Active/Standby are facing 2 routers configured with HSRP.


is it possible in order to achieve LOAD Balancing for certain destination traffic to have 2 static routes having same AD but different next hop ? ( each route pointing to different physical IP address of the router and not to the virtual IP address ).


thanks in advance.

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 4 (2 ratings)
Loading.
dhananjoy chowdhury Wed, 10/07/2009 - 23:57
User Badges:
  • Silver, 250 points or more

In your case Firewall is in active/standby so at any point of time only one box is forwarding traffic.

jeansamarani Thu, 10/08/2009 - 00:07
User Badges:

yes this is true but my goal is to achieve the Load Balacing via 2 ISP connected each one to the external border router ? can I achieve this by using the above approach ? what's the recommendation ?

dhananjoy chowdhury Thu, 10/08/2009 - 01:18
User Badges:
  • Silver, 250 points or more

You can achieve link level redundancy not load balance in your current setup.

Run BGP between your routers and the PE routers. And also an IGP protocol running between your gateway routers.


For acheiving load balancing between your links, you may run GLBP instead of HSRP on your gateway routers. EBGP between your routers and the PE routers. And also an IGP protocol running between your gateway routers.


May be other Gurus here, will give you better suggesstions :)

jeansamarani Thu, 10/08/2009 - 02:10
User Badges:

just to make sure that i got ur point. i need to use GLBP with the combination of eBGP and the IGP on the border routers?

dhananjoy chowdhury Thu, 10/08/2009 - 12:16
User Badges:
  • Silver, 250 points or more

yes, you got it.


Few more additions to this I can think of -

- tell your ISP to advertise a default route on both your links via EBGP.

- you will need to configure BGP MED on your gateway routers while advertising your IP subnets to the PE.


Good Luck.


Also you can refer to this link.


http://www.cisco.com/en/US/tech/tk365/technologies_configuration_example09186a00800945bf.shtml#diag3

Saurabh Kishore Thu, 10/08/2009 - 15:46
User Badges:

Hi,


Though ASA?PIX do not support load balancing or packet shaping but lets say you have 2 ISP's, the traffic can be divided based on the routes you apply on the firewall


a simple example would be


route outside 0.0.0.0 128.0.0.0 x.x.x.x


route outside 128.0.0.0 128.0.0.0 y.y.y.y


here x.x.x.x will be your ISP1 and y.y.y.y will be the ISP2


this way the traffic can be divided between the 2 ISP's however this is just a workaround and is not a complete load balancing solution.


Though Load balancing can be configured on Cisco routers but it is not a supported feature on ASA/PIX firewall.


Let me know if you have any other questions

Actions

This Discussion