We our going to install a secondary DSL line to supplement our current connection and i have been given the task of checking to see if there is a way to divide our internet bound network traffic btween the two DSL routers.
currently we have all of our traffic coming through a 2950 catalyst switch through the PIX 501 firewall which is connected to one port on the switch and finally ending up at a port on the DSL router.
I would like to know is there perhaps an access rule on the firewall or configuration on the switch etc that i use to acheive this. i cannot see anything obvious.
Any ideas would be very welcome.
You can use the policy based routing using the route maps. Here you change the next hop either to dsl1 or dsl2 based upon the access list.
Please read the following link...
Rate if it helps..
cisco ASAs haev the ability to minotor routes and support a secondary route, but only in version 7.x code and higher (which won't load to a 501). You can, however, get that with an ASA 5505 for not much $.
One of the issues you face is that, with most routing systems, whether the route is up or not is determined by whether the interface is up or not. So, if the DSL link dies but the Ethernet connection between the PIX and the 501 is still up, the PIX doesn't know the link is failed because the Ethernet port is still up. In the ASA series, you set a 'heartbeat' that is monitored on the link to validate connectivity beyond the immediate Ethernet switch port (kind of a poor man's BGP4, if you would).
And using a 501 makes it even tought, because it only has one uplink port and you'd have to connect the 501 to the switch and then to the two DSL links. In that arrangement, the DSL modem could be removed entirely and the 501 wouldn't know it because the switch would still support the Outside interface as UP.
Assuming the PIX has default route out the existing DSL port, it might be as simple, if supported, to just add another default route out the second DSL port.
Just saw the other recent post. If the PIX doesn't have a second port, the other solution might be to place a router between the PIX and the DSL links to split the outbound traffic.
Thanks guys for all the replies and info.
if i was to use a router to split the traffic would you have any reccomendations for a simple router to do the job. also if i were to use policy based routing can this be done via the gui on the firewall.
Assuming we need one Ethernet connection to the PIX and two more Ethernet, one to each DSL router, the 1841 with an Ethernet 4 port HWIC or 1 port FastEthernet high speed WIC, will likely do what you need now and will support growth.
See figure #3 in:
Am i right in thinking that the 1841 can also act as a hardware firewall and if so would it offer the same level of protection as our current 501 so that we could remove the 501 altogether and just use the Router for PBR and as a firewall.
If the 1841 has the firewall feature set within its IOS, it can act as a firewall. I'm not familar enough with either to say whether they have exact feature parity or how fast a 1841 is compared to a PIX as a firewall. That noted, I suspect you probably could use just the 1841.
I have located this card based on your reccomendation of a 4 port fast ethernet HWIC is this the correct card.