FW Design with Asymmetric Internet Links

Unanswered Question
Apr 19th, 2006

Hi There,


I have the following scenario and I really need your help with it: I’m trying to build the network design for a company that has 2 internet links (asymmetric links). The 2 standalone border routers will be followed by a tier of IPS and then by another tier of PIX firewalls.


I need your help in putting the network design together; I have put together a draft diagram based on my thoughts and I’m attaching the draft network layout to this post. However, I have the following concerns with the setup:


1-Since both internet links will be active, both the IPS and FW should be in Active-Active mode so they can process the traffic coming from both router links. My concern on this point is the Active-Active setup of the PIX FW because I’m aware that the Active-Active configuration is not mature and it’s originally designed to support different internal subnets and not the same internal network. What do you think?

2-Is there a possibility that the traffic that arrived from one internet link leaves the network from the other link?

3-How can I guarantee that the traffic that arrived through Router 1 in the diagram attached will be routed through interface 1 or interface 2?


Thanks for your cooperation; I appreciate your feedback.


Regards,

Haitham

haithamnofal Thu, 04/20/2006 - 03:02

Hi,


Thanks for the reply. Your link is very interesting; however, it's not exactly what I'm looking for, since it's talking about load-balancing traffic between 2 links provided that both links are from the same ISP. In my case, each link is from a different ISP (sorry, maybe I wasn't clear on this in my previous post).


Again, the concern here is when the traffic arrives from 2 different ISPs and flows down... and how the FW should be designed to behave well and not cause me problems.


I'm also still looking for an answer on whether the traffic that arrives from one ISP can go out from the other ISP?


Do you think that if I installed one router in the perimeter with 2 outside interfaces, I could get rid of all my concerns? This idea has just jumped into my mind, so what do you think? If you agree with me on this, what model of router do you recommend for this?


Thanks,

Haitham

victorrodrigues Sat, 04/22/2006 - 04:56

Look at BGP or EIGRP protocols, where you can add routes with metrics that would balance as best as possible.. as of now.. there is no such option on Cisco for this.. you need PBR, which can be done only with a customized box.. like I said.. Google for Internet link balancers.. there's some good stuff out there.. then depending on your requirement.. choose..


points are always appreciated..


vic
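The "PBR" Vic refers to, written out as an added Cisco IOS example (this is not configuration from the thread or from Cisco's documentation). It pins return traffic to the firewall whose ISP the session arrived on by giving each ISP its own inside subnet, which is the "different internal subnets" constraint Haitham mentions for Active-Active; all addresses, interface names and the subnet split are assumptions for illustration.

```cisco
! Constructed addressing for this example (not from the thread):
!   PIX-1 inside 10.0.0.1 - NATs to ISP-A public block (arrives via Router 1)
!   PIX-2 inside 10.0.0.2 - NATs to ISP-B public block (arrives via Router 2)
!   Servers published through ISP-A live in 10.0.1.0/24,
!   servers published through ISP-B live in 10.0.2.0/24.
! The inside router is stateless, so it can only pin the return path by
! something visible in the packet: here, the source subnet.
ip access-list extended VIA-ISP-A
 permit ip 10.0.1.0 0.0.0.255 any
ip access-list extended VIA-ISP-B
 permit ip 10.0.2.0 0.0.0.255 any
!
route-map RETURN-PATH permit 10
 match ip address VIA-ISP-A
 set ip next-hop 10.0.0.1
route-map RETURN-PATH permit 20
 match ip address VIA-ISP-B
 set ip next-hop 10.0.0.2
!
! Link toward both firewalls' inside interfaces
interface GigabitEthernet0/1
 description Firewall inside segment
 ip address 10.0.0.254 255.255.255.0
!
! Server VLAN: apply the policy where the replies enter the router
interface GigabitEthernet0/2
 description Server VLAN (default gateway for both published subnets)
 ip address 10.0.1.1 255.255.255.0
 ip address 10.0.2.1 255.255.255.0 secondary
 ip policy route-map RETURN-PATH
!
! Anything not matched by the route-map falls through to the routing
! table, so a normal default route is still required.
ip route 0.0.0.0 0.0.0.0 10.0.0.1
```

A server whose public address belongs to ISP-B must therefore sit in 10.0.2.0/24; if it were placed in 10.0.1.0/24 its replies would leave via PIX-1 and ISP-A, which is exactly the asymmetric exit the second question asks about.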
