Cisco Support Community
New Member

load-sharing versus firewall

I have a 2811 with two T1 lines incoming which are set to load-sharing per-packet.

I want to be able to send traffic out (web browsing, IM, etc.) and allow traffic in to specific servers (http, https, etc.).

I've been tearing my hair out trying to get the firewalling to work correctly. It appears that the firewall (in particular inspecting outgoing traffic) is not compatible with load-sharing per-packet. I end up with packets dropping (which suspiciously turns out to be about 50% of them).

Anyone have experience getting this to work or have ideas for things to try?

I'm at the point where I'm just going to put another firewall appliance behind the 2811 and call it a day.

Thanks,

Greg

2 REPLIES
Bronze

Re: load-sharing versus firewall

Hi Greg.

Can you please give some details as to where the firewall is placed in your network?

regards

Zubair

New Member

Re: load-sharing versus firewall

Basically, the two T1s are my WAN connections. I have load-sharing per-packet on them to boost performance.

Behind the 2811 is my LAN connection. On it I have various servers. I also have a connection to another router which has clients behind it. So I need to allow traffic to my servers on my LAN and traffic out from the LAN from the other router to the internet.

Here's the basic config. I've left the rules out.

interface FastEthernet0/0
 ip address 12.xx.xx.xx 255.255.255.240
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
 duplex auto
 speed auto
 no mop enabled

interface Serial0/0/0
 bandwidth 1536
 ip address xx.xxx.xxx.xxx 255.255.255.252
 ip verify unicast reverse-path
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip load-sharing per-packet
 ip virtual-reassembly
 encapsulation ppp
 ip route-cache flow
 service-module t1 remote-alarm-enable

interface Serial0/1/0
 bandwidth 1536
 ip address xx.xxx.xxx.xxx 255.255.255.252
 ip verify unicast reverse-path
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip load-sharing per-packet
 ip virtual-reassembly
 encapsulation ppp
 ip route-cache flow
 service-module t1 remote-alarm-enable
