PIX and GLBP

lamav
Level 8

Can you run GLBP on a PIX firewall?

Can you run GLBP on a 3750? (I don't think so)

Thanks

Victor

2 Accepted Solutions

No to both....

The PIX/ASA uses failover to achieve redundancy so no HSRP or GLBP functionality.

The 3750 only supports HSRP, so no VRRP or GLBP unfortunately.

Andy


Alright, give us a chance, we brits work at a different pace you know :-)

Pix failover uses 2 IP addresses only. So in your diagram

F1 = 10.182.18.49

F2 = 10.182.18.50

These IP addresses are attached to the physical interfaces of your firewalls and you can telnet to either of them. The primary firewall, let's say F1 in this case, will respond to 10.182.18.49.

When V1 learns routes from E1 and V2 learns routes from E2 they both route via F1 which is using 10.182.18.49. And this is the address you would use as the next hop for both V1/V2 & E1/E2.

If the primary fails then the secondary firewall whose physical interface is still 10.182.18.50 will now become responsible for 10.182.18.49 and will accept packets destined for this address. So no, you don't have to manually fail it over, the secondary just starts to answer to 10.182.18.49.

Is this what you need or are you wanting to understand exactly how Cisco do PIX failover?

NR = Network Rail, UK company responsible for rail infrastructure (tracks, stations etc), in fact most things except the actual trains.

Jon

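The addressing Jon describes above (one active address that the standby unit takes over, plus a per-unit standby address) is what a PIX 7.x Active/Standby failover configuration looks like. The fragment below is an added illustration, not configuration posted in this thread or taken from the client's firewalls: the subnet mask, interface names, the failover LAN link and its 192.168.254.x addressing, and the failover key are assumptions chosen for the example, and only the 10.182.18.49/.50 addresses come from the discussion.

```cisco
! Primary unit (F1). With LAN-based failover the secondary learns this
! configuration over the failover link, so it is entered once.
hostname F1
!
interface Ethernet0
 nameif inside
 security-level 100
 ! Active address first, standby address second. Whichever unit is
 ! currently active answers 10.182.18.49; the other answers .50.
 ! Mask is an assumption for the example.
 ip address 10.182.18.49 255.255.255.240 standby 10.182.18.50
!
interface Ethernet2
 ! Dedicated failover/state link (interface choice is an assumption).
 description FAILOVER LINK
!
failover
failover lan unit primary
failover lan interface FOLINK Ethernet2
failover interface ip FOLINK 192.168.254.1 255.255.255.252 standby 192.168.254.2
! Carry connection state over the same link so an existing session
! survives a switchover (the "state interface" Andy mentions).
failover link FOLINK Ethernet2
! Authenticate and encrypt failover traffic between the two units so a
! third host on that segment cannot inject failover messages.
failover key EXAMPLE-FAILOVER-KEY
!
! Secondary unit (F2) only needs the failover link definition to join:
!   failover lan unit secondary
!   failover lan interface FOLINK Ethernet2
!   failover interface ip FOLINK 192.168.254.1 255.255.255.252 standby 192.168.254.2
!   failover key EXAMPLE-FAILOVER-KEY
!   failover
```

After both units are up, `show failover` on either box reports which unit is Active and which is Standby Ready, and `show failover state` shows why the last switchover happened. The point for the routing discussion in this thread: V1/V2 and E1/E2 keep 10.182.18.49 as their next hop throughout, because the standby unit takes over both the IP and the MAC address of that interface on switchover, so the upstream switches need no HSRP/VRRP/GLBP awareness of the firewall pair at all.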

22 Replies


Thanks, Andrew.

Andrew, I forgot to ask. Doesn't the PIX support VRRP?

Victor

Unfortunately not Victor. As I said the PIX (or ASA) can be deployed in Pairs to achieve Redundancy. I didn't think there would be but I have just checked the latest PIX 8.0 documentation and there is nothing about VRRP/HSRP or GLBP.

What is it you are trying to achieve?

Andy

Hey, Andrew.

Thank you.

I'm not really trying to achieve anything, per se. My questions are a result of a discussion I had with my client yesterday.

I mentioned that GLBP should not be used in conjunction with a firewall pair because it inherently introduces asymmetric routing -- you know, more than one router in the GLBP group can do the forwarding to the firewall pair at any given time, thereby potentially breaking stateful connections.

His answer was that it didn't matter in this case, because even if he did use GLBP on the switches that sit behind the firewall pair, the firewalls are part of an HSRP group. And that means that one FW is a primary and the other a secondary -- so the primary will always get the traffic even though both switches behind it are forwarding traffic. They will forward to the FW HSRP VIP and then the primary FW will receive and forward the traffic.

I stood there puzzled, thinking you can't place PIX firewalls in an HSRP group. But then their diagram says it's a VRRP group, hence my second question.

So, my remark regarding GLBP has spawned a new concern....

Any remarks?

Thanks, Andrew

Hi Victor

To my understanding even if you ran your pix firewalls in active/active for each context only one firewall is active and the other standby, just means you can have multiple contexts spreading load across the 2 firewalls.

With pix firewalls per context GLBP would give you nothing because there is nothing to load-balance, i.e. the firewall always appears as the same host to the routers/switches so it will always use the same active gateway, so I don't believe you could end up with asymmetric routing.

As to why they labelled it as HSRP/VRRP/GLBP on the pix firewalls who knows :-)

Jon

I agree with Jon; I think the terminology is mixed up here. When your client mentioned HSRP I assume he was referring to PIX Failover, which is similar but has fundamental differences. In this scenario both PIX firewalls are identical and each have duplicate interfaces, the IP addresses on each PIX will be different (same subnet but different host number). However the difference is only the Active one will be forwarding traffic and participating in routing protocols (if configured).

You can see the similarity to HSRP - i.e. one PIX will be Active, whereas the other will be Standby. However it is the whole box that is in a standby state. If the Primary PIX should fail the Secondary would assume the configuration (and existing connection states if a state interface is also configured) of the Primary PIX and continue forwarding traffic.

I think it is just the terminology that is confused here. That being said CheckPoint firewalls run VRRP between the Active & Standby boxes.

Hi Jon, how's things going at NR?

Andy

Jon/Andrew:

Quoting Jon...

"With pix firewalls per context GLBP would give you nothing because there is nothing to load-balance ie. the firewall always appears as the same host to the routers/switches so it will always use the same active gateway so i don't believe you could end up with asymmetric routing."

That is exactly the point the client made, BUT his argument was that the L3 switches would forward the traffic to the FW's HSRP VIP -- and that is why, as he explained, there would not be asymmetric routing. And that is what confused me since I know PIX don't run HSRP.

Now, maybe, as Andrew says, there is a mix up in language. Fine. I do completely understand that whether there is one FW acting as the active, or you have two devices running HSRP where one of those switches is the HSRP active for every VLAN, it would be the same: ONE device is doing all the receiving and forwarding of traffic.

So, the question is, how is it that you are able to direct traffic to the active PIX when you have 2 PIXs in active/standby mode and no mechanism such as HSRP or VRRP or GLBP to run between the firewalls?

Please examine this attached drawing.

V1 and V2 sit at the enterprise edge, facing vendors.

E1 and E2 sit in the DMZ.

V1 learns interior routes through multihop eBGP with E1 -- and V2 learns interior routes through multihop eBGP with E2.

Both V1 and V2 have the same static route for their eBGP peers pointing to 10.182.18.49 -- which, according to the drawing, is the FW VRRP VIP.

So, what the heck is this address that both switches would point to it when having to go through the FW if not a shared IP that both FWs use? It can't be the case that that address is the physical interface of 1 FW and failover requires manual intervention. LOL... That would be totally insane.

Ideas?

Thank you so much

Victor

Forgot to attach diagram...sorry.

Victor

Any chance of a JPEG rather than a Visio?

Hi Andy

Left NR about a month ago and am planning to take the summer off before I look for another job. Maybe do a bit of study, a lot of mountain biking if our summer ever gets going! and generally just doss around :-).

After 5 years at NR fancied a change and I couldn't face the idea of having to install another Nortel solution!! :-).

How are things with you, Damovo still keeping you busy ?

Jon

Jon, boy was that anti-climactic! LOL... Waiting for the big answer and I get "do you have a jpeg"? LOLOL

It's all good...

Attaching a JPEG.

And by the way, what's "NR"?

Victor

Andrew said:

"That being said CheckPoint firewalls run VRRP between the Active & Standby boxes"

Checkpoint does not have VRRP. Nokia uses VRRP for Active/Standby and IPSO clustering for Active/Active. Checkpoint uses ClusterXL for Active/Active and Active/Standby.

The difference between Cisco and Checkpoint is that Checkpoint does offer a truly Active/Active solution whereas Cisco Pix does not. In Cisco's Active/Active, it is similar to Cisco HSRP with multiple HSRP groups.

Hi Jon

Yep, Damovo is keeping me busy, not touched Nortel Telephony since the work in Manchester.

Enjoy the summer if it ever kicks off, it's looking pretty bleak in Manchester at the moment....

Andy
