Load balancing of PIX firewalls with multiple DMZs

I need a suggestion about how to balance the traffic through two PIX firewalls with 4 interfaces (IN, OUT, DMZ1, DMZ2).

In all the documentation related to the subject, I always see the firewalls with only two interfaces:

http://www.cisco.com/warp/customer/117/fw_load_balancing.html

http://www.cisco.com/univercd/cc/td/doc/product/webscale/css/advcfggd/firewall.htm

What if I need to balance on more than 2 interfaces?

Do I have to add more content switches, one for each interface?

Or could I use VLANs inside the same content switches, and assign the ports to DMZs appropriately?

Thank you in advance for any help.

6 REPLIES
New Member

Re: Load balancing of PIX firewalls with multiple DMZs

You will need a minimum of four CSSs, one for every firewall interface.

New Member

Re: Load balancing of PIX firewalls with multiple DMZs

We just had some internal discussions about that at my work, and the suggestion from a local Cisco specialist was, if you want to leverage load balancing over multiple DMZs, then you get the CSS blades for the 65xx's. Right now we have multiple CSS and LD failover pairs (one pair for each DMZ) and it is starting to become expensive, while we aren't really utilizing the full capacity of them. If you get the blades, they have Gigabit traces to the backplane of the switch, and you can use them for as many ports as you have on the 6500.

Then again, it depends on if physical security is essential to you, and you are concerned with L2 attacks (VLAN hopping, etc.). There are tradeoffs and benefits when using a consolidated infrastructure.

New Member

Re: Load balancing of PIX firewalls with multiple DMZs

I would suggest a separate load balancer for each interface. If you collapse all the PIX interfaces into one 6500 and use the CSM blade, you will be very surprised.

Because the CSM would have a client interface on each of the PIX VLANs, it may route the traffic instead of sending it to the PIX.

Bottom line; not a good idea.

New Member

Re: Load balancing of PIX firewalls with multiple DMZs

Did you ever get a definitive answer on the CSM module and this design? We are looking at the same design and I cannot seem to get a straight answer on whether this is secure or not.

Thanks!

Cisco Employee

Re: Load balancing of PIX firewalls with multiple DMZs

If configured correctly, this should be secure.

The CSM can do some policy routing and prevent traffic from one VLAN from being *routed* directly to another VLAN, and instead route the traffic to a desired firewall interface.

The configuration is a little bit more tricky, and errors could lead to insecure access.

But it's like everything else I would say.

So, in my opinion, this is secure enough once configured correctly.

Gilles.
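To make the point above concrete, here is an added CSM configuration sketch (written for this thread, not Gilles's or Cisco's own config) that binds a catch-all vserver to each firewall-facing VLAN so that traffic entering that VLAN is handed to the PIX interface on that segment rather than routed by the CSM between its VLAN interfaces. Slot number, VLAN numbers, addresses and names are assumed placeholders; the CSS/CSM documentation linked in the question covers the real-address and predictor details.

```cisco
! Added example, not from the original thread. Slot, VLANs and addresses are assumptions.
module ContentSwitchingModule 5
 ! One CSM VLAN interface per PIX leg. Hosts on each segment use the CSM as gateway.
 vlan 10 client
  ip address 10.1.10.2 255.255.255.0
 vlan 20 client
  ip address 10.1.20.2 255.255.255.0
 !
 ! Serverfarm whose "reals" are the two PIX inside interfaces on VLAN 10.
 ! No NAT: the CSM forwards packets unchanged to the chosen firewall.
 ! Hashing on source AND destination keeps both directions of a flow on the
 ! same PIX, which stateful inspection requires.
 serverfarm FW-INSIDE
  no nat server
  no nat client
  predictor hash address source destination
  real 10.1.10.11
   inservice
  real 10.1.10.12
   inservice
 !
 ! Same idea for the DMZ1 leg on VLAN 20 (the two PIX DMZ1 interfaces).
 serverfarm FW-DMZ1
  no nat server
  no nat client
  predictor hash address source destination
  real 10.1.20.11
   inservice
  real 10.1.20.12
   inservice
 !
 ! Catch-all vservers: "virtual 0.0.0.0 0.0.0.0 any" matches every packet that
 ! arrives on the listed VLAN, so nothing entering VLAN 10 can reach VLAN 20
 ! without first traversing a PIX. Omitting the "vlan" line, or leaving a VLAN
 ! without a catch-all vserver, is the kind of error that lets the CSM route
 ! between segments directly, which is the risk discussed in this thread.
 vserver FROM-INSIDE
  virtual 0.0.0.0 0.0.0.0 any
  vlan 10
  serverfarm FW-INSIDE
  inservice
 vserver FROM-DMZ1
  virtual 0.0.0.0 0.0.0.0 any
  vlan 20
  serverfarm FW-DMZ1
  inservice
```

The same pattern repeats for the OUT and DMZ2 VLANs; after applying it, verify from a host on each segment that a trace to another segment shows the PIX hop rather than only the CSM address.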
