1122 Views, 0 Helpful, 2 Replies

load-sharing versus firewall

ggilley
Level 1

I have a 2811 with two T1 lines incoming which are set to load-sharing per-packet.

I want to be able to send traffic out (web browsing, IM, etc.) and allow traffic in to specific servers (http, https, etc.).

I've been tearing my hair out trying to get the firewalling to work correctly. It appears that the firewall (in particular inspecting outgoing traffic) is not compatible with load-sharing per-packet. I end up with packets dropping (which suspiciously turns out to be about 50% of them).

Anyone have experience getting this to work or have ideas for things to try?

I'm at the point where I'm just going to put another firewall appliance behind the 2811 and call it a day.

Thanks,

Greg

2 Replies

zubairjalal
Level 1

Hi Greg.

Can you please give some details as to where the firewall is placed in your network?

regards

Zubair

Basically, the two T1s are my WAN connections. I have load-sharing per-packet on them to boost performance.

Behind the 2811 is my LAN connection. On it I have various servers. I also have a connection to another router which has clients behind it. So I need to allow traffic to my servers on my LAN and traffic out from the LAN from the other router to the internet.

Here's the basic config. I've left the rules out.

interface FastEthernet0/0
 ip address 12.xx.xx.xx 255.255.255.240
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
 duplex auto
 speed auto
 no mop enabled

interface Serial0/0/0
 bandwidth 1536
 ip address xx.xxx.xxx.xxx 255.255.255.252
 ip verify unicast reverse-path
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip load-sharing per-packet
 ip virtual-reassembly
 encapsulation ppp
 ip route-cache flow
 service-module t1 remote-alarm-enable

interface Serial0/1/0
 bandwidth 1536
 ip address xx.xxx.xxx.xxx 255.255.255.252
 ip verify unicast reverse-path
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip load-sharing per-packet
 ip virtual-reassembly
 encapsulation ppp
 ip route-cache flow
 service-module t1 remote-alarm-enable
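An added simulation (not code from this thread or from IOS) of how per-interface session state combined with per-packet load sharing over the two serial links can lose about half of the reply traffic, and why a single inspection point on the LAN side of the router does not. The inspector classes, the alternating reply path and the addresses are constructed assumptions for the model.

```python
from collections import deque

# Constructed model of this thread's symptom: per-packet load sharing over two
# T1s while session state is only valid on the WAN interface that first saw the
# session (an assumption, not a statement about IOS), so replies arriving on
# the other link find no matching state and are dropped.
WAN_LINKS = ("Serial0/0/0", "Serial0/1/0")

def per_packet_balancer(links):
    """Round-robin link selection, like `ip load-sharing per-packet`."""
    ring = deque(links)
    while True:
        yield ring[0]
        ring.rotate(-1)

class PerInterfaceInspector:
    """State keyed by (interface, flow): inspection on each WAN link."""
    def __init__(self):
        self.sessions = set()
    def outbound(self, link, flow):
        self.sessions.add((link, flow))
    def inbound_allowed(self, link, flow):
        return (link, flow) in self.sessions

class SinglePointInspector(PerInterfaceInspector):
    """State keyed by flow only: one firewall on the LAN side of both links."""
    def outbound(self, link, flow):
        self.sessions.add(flow)
    def inbound_allowed(self, link, flow):
        return flow in self.sessions

def simulate(inspector, n_flows=4, replies_per_flow=10):
    """Return (allowed, dropped) reply-packet counts. Each flow's first
    outbound packet takes the next link; the far end is assumed to
    alternate replies across both links."""
    choose_link = per_packet_balancer(WAN_LINKS)
    allowed = dropped = 0
    for f in range(n_flows):
        flow = ("10.0.0.5", 40000 + f, "203.0.113.10", 80)  # constructed
        inspector.outbound(next(choose_link), flow)
        for i in range(replies_per_flow):
            if inspector.inbound_allowed(WAN_LINKS[i % 2], flow):
                allowed += 1
            else:
                dropped += 1
    return allowed, dropped

def drop_ratio(inspector_cls):
    allowed, dropped = simulate(inspector_cls())
    return dropped / (allowed + dropped)
```

drop_ratio(PerInterfaceInspector) gives 0.5, matching the roughly 50% loss described in the question, while drop_ratio(SinglePointInspector) gives 0.0.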
