Load Balance W/3550 and PIX

james.brockman
Level 1

I have 2 3550's (EMI) with default routes of my 2 PIX firewalls (Failover) connected to 2 T-1's. I need to make the two paths outbound load balance and redundant. These switches connect a switch that connects to 2 2620's that have HSRP on 1 physical and 1 virtual port each and are managed by AT&T. We currently use only one HSRP for our outbound connections. I know the PIX won't route so it should be up to the switches. Should I create vlans on the switches W/routable ports for the routers and connect both of the PIX outside into the VLAN? Currently the default route of the switches is the failover of the PIX. The switches are also used for DMZ's of the PIX in Vlans. I thought I could use 2 default routes on the switches, one to each of the HSRP's of the routers, but with a current default of the PIX, won't that bypass the PIX???

14 Replies

thisisshanky
Level 11

If you can get a 6.3 image, PIX firewall can support routing and routing protocols. It can run OSPF and RIP.

Sankar Nair
UC Solutions Architect
Pacific Northwest | CDW
CCIE Collaboration #17135 Emeritus

ruwhite
Level 7

Are the T1's connected to the 3550's or the 2620's? I assume:

-- the 2620's connect to the T1's towards the Internet

-- the 2620's have ethernet ports running hsrp which connect to a switch on the inside

-- this switch connects to the outside interfaces of two pix'n, which are using the HSRP address as their outside default gateway

-- the inside interfaces of the pix connect to two 3550's, which the pix'n use as the inside default gateway

Is this a correct description of the configuration? If so, then it sounds like you are already directing traffic at both pix'n, you're just directing all the traffic from both of the pix towards one hsrp address, which is active on one router, so all the traffic goes out through one 2620/T1.

You should be able to configure one of the two pix to use one HSRP group address as its outside default, and the other pix to use the other HSRP group as its outside default. That should split the output of the two pix across the two links.

Now, what you'd need to do is to make certain the two 3550's split the traffic going into the pix'n. I'm not certain what your network looks like behind those 3550's, but I assume they are connected to a common ethernet, or a pair of networks, or something of that nature? How is traffic coming into those two routers--is it fairly balanced between them right now? If not, we might have to look at how you're getting traffic to the 3550's, so that you can get the traffic to the pix'n split as equally as possible.

Another option is just to run routing on the pix'n, rather than pointing them at an HSRP address on the 2620's. If both 2620's could advertise default routes, through rip or ospf, to the pix'n, then each pix could pick this default up, and readvertise it back to the 3550's. Each pix would have two defaults, one learned from each 2620, and would load share between them, or at least I would assume it would. Again, it would then be a matter of getting the traffic into the 3550's from the network behind them in some way that splits the traffic fairly evenly.

Of course, if I have things backwards, and the 3550's are connected directly to the T1's, and the 2620's are on the inside of the network (?), then.... :-)

Russ.W

Russ,

Please see below.

Are the T1's connected to the 3550's or the 2620's? I assume:

-- the 2620's connect to the T1's towards the Internet

Correct. These are managed by AT&T so I have no access to them. They did however add a second port to them for another HSRP group.

-- the 2620's have ethernet ports running hsrp which connect to a switch on the inside

Currently these connect to what we call an "outside" switch, to be removed and replaced by the 2 3550's. Everything that connects to this switch uses 1 HSRP of the routers at this point, so we are using only one T-1 for outbound.

-- this switch connects to the outside interfaces of two pix'n, which are using the HSRP address as their outside default gateway

The PIX'n are connected to the "outside" switch, using the command "route outside 0.0.0.0 0.0.0.0 XX.XXX.XX.35 1" for routing outside.

-- the inside interfaces of the pix connect to two 3550's, which the pix'n use as the inside default gateway

Correct. All of the DMZ's, failover, state and inside connections are connected to separate vlans on the 3550's. One PIX to one switch, one PIX to the other. This is hopefully for redundancy.

Keep in mind these PIX are a failover pair so only one is live at a time. At some point we intend to separate the PIX and connected equipment by fiber to a location across town, again for redundancy.

I guess the switches are both inside and outside the PIX. If that makes sense? Different VLANS are used for the DMZ's and failover and state.

Is this a correct description of the configuration? If so, then it sounds like you are already directing traffic at both pix'n,

They're failover so only one is live at a time.

you're just directing all the traffic from both of the pix towards one hsrp address, which is active on one router, so all the traffic goes out through one 2620/T1.

You should be able to configure one of the two pix to use one HSRP group address as its outside default, and the other pix to use the other HSRP group as its outside default. That should split the output of the two pix across the two links.

Splitting them this way wouldn't work with only one active at a time?

Now, what you'd need to do is to make certain the two 3550's split the traffic going into the pix'n. I'm not certain what your network looks like behind those 3550's,

This is where I'm confused.

Behind the 3550's is another 3550 (SMI) connected to another switch (No VLANS) with most of our network attached.

but I assume they are connected to a common ethernet, or a pair of networks, or something of that nature? How is traffic coming into those two routers--is it fairly balanced between them right now?

We have a Check Point Firewall that everything on the inside goes through now.

If not, we might have to look at how you're getting traffic to the 3550's, so that you can get the traffic to the pix'n split as equally as possible.

Another option is just to run routing on the pix'n, rather than pointing them at an HSRP address on the 2620's. If both 2620's could advertise default routes, through rip or ospf, to the pix'n, then each pix could pick this default up, and readvertise it back to the 3550's. Each pix would have two defaults, one learned from each 2620, and would load share between them, or at least I would assume it would. Again, it would then be a matter of getting the traffic into the 3550's from the network behind them in some way that splits the traffic fairly evenly.

Of course, if I have things backwards, and the 3550's are connected directly to the T1's, and the 2620's are on the inside of the network (?), then.... :-)

Russ.W

I think the inside users should point to the HSRP of the switches (Redundancy here). The switches should connect to the routers with 2 defaults, one to each of the HSRP's of the routers (Redundancy here). Where I'm stuck is where should the PIX connect to the switch?? Should it have its own Vlan with the outside?

Thanks for your help.

James

Ah, okay, I understand the topology much better now.... :-)

What you want to do is to come from a 3550, which is connected through two different vlans to a single vlan to two different 3550's which then connect to the Pix, which then connect to another vlan on the same pair of 3550's, and then to the 2600's, out to the T1's. You can't direct traffic at both of the pix'n at the same time, because they are in a failover group.

The only option at this point is to run two outside defaults on the pix, so that it splits traffic out to each of the routers on the outside equally. You can configure the static routes so that one points to one of the two HSRP addresses, and the other points to the other HSRP address.

Russ.W

Does this keep my 3550's inside? Do I need routable interfaces on the outside vlan's on the switches? I think I'm confused?

James

The 3550's would still be on the inside and the outside--one vlan on the inside, and one on the outside.

T1--2600--(3550 vlan x)--pix--(3550 vlan y)--3550--inside network

Are the 3550's routing, or just switching? If they are routing, then there's going to be a problem with default routes, so you can't do layer 3 on these, and use them inside and outside, just switching.

Russ.W

Just switching, now with an IP address on vlan1 for access. So create a vlan for outside and connect the 2 PIX and the 2 Routers to it. Then add the 2 default routes on each PIX, one for each HSRP???

James

As the other poster noted, you can't load share between two pix'n which are connected as failovers. But, if your primary concern is load sharing between the two links, rather than the two pix'n, then you should be able to do this. First, it sounds like the two HSRP groups are on two different subnets, in two different vlans on the 3550, correct?

You need to start by configuring the pix to recognize the two vlans the 3550 is feeding it:

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/cmdref/gl.htm#1091846

Once you've done this, set up two outside static default routes, one pointing to the HSRP address on one vlan, and the other pointing to the HSRP address on the other VLAN. This _should_ cause the pix to load share between these two exit points, thus using both outbound links, though the documentation is a bit fuzzy here.

If this doesn't work, you can get the provider to advertise a default through OSPF just to your pix, and let the pix learn the default through OSPF. The docs say it will load share between two equal cost routes learned through ospf, so this should work, as well. The provider would drop the HSRP groups in this case, and the pix would just route to both routers over one vlan, rather than two.

Hope this helps...

Russ.W

I realize we cannot load share between the PIX in failover, but if a PIX fails I need the other one to take over for the failed one. So yes, the load share is the primary concern. Both of the HSRP groups on the routers are from the same block of IP's we got from AT&T. Our contract with them prevents us from any administration on the routers and it takes them weeks to respond to any request. The PIX outside interface is connected to the outside switch so I can get to the internet; I just need to remove the outside switch and replace it with the 2 3550's. I need to have all traffic going outside to go through the PIX and have that traffic load share through the 2 2620 routers. The routers currently load share inbound from the internet. The same vlans are configured on both switches. I also need in the future to be able to separate 1 PIX, 1 3550, 1 T-1 and the redundant servers to another location. I know the PIX may be a problem after the separation but for now I just need to get it to work together. I thought 1 vlan would belong to the outside, 2 vlans for the DMZ's, 1 vlan each for the state and failover, and the inside is connected to the native vlan. I know it sounds like a bad plan but we don't really have that many users. Using the native vlan for the inside lets me connect to the other vlans/DMZ's.

Everything is set except the outside part. Am I correct that I should create a vlan for the outside interfaces of the PIX and connect them to the routers? Does this go in the native vlan or a separate one? Then configure the PIX with 2 default routes to the 2 HSRP groups of the routers? Do I need any routable interfaces in the Vlan? Thanks for your help with this I seem to be confused by switches that route but don't need to.

Are both hsrp groups on the same vlan, or separate vlans? If they are the same vlan (which it sounds like they are), then just two outside static routes on the pix'n should work to make it load share out between the two 2560's out to the T1's.

If the two HSRP groups are on two different vlans, then you would need to go the more complicated route of setting up the vlans on the outside interface of the pix.

I'm fairly certain from what you're describing, however, that you can just put in the two outside defaults, one to each hsrp virtual address, and it should load share between them.

Russ.W

After trying this myself I asked Cisco:

Can I add 2 static routes to load balance? Like this:

static (inside,outside) XX.XXX.XX.35 netmask 255.255.255.255 1.0.0.0 netmask 255.0.0.0 0 0

static (inside,outside) XX.XXX.XX.34 netmask 255.255.255.255 1.0.0.0 netmask 255.0.0.0 0 0

I can't seem to get it to work.

Cisco says:

the pix does not load balance.

I guess I'm back to the switches doing the load balancing. I'm still confused

James B

The problem is that the switch isn't going to be able to load share between the two connections. You're going to need the pix to do it, unless you're going to run routing on the switch, and load share from there. Since it's a 3550, I suppose you could do that, but you'll need to have an intermediary subnet between the two.

So, you could do this:

pix--(new ip segment)---3550--hsrp segment

You could address this new segment with some private address space, and route through it using static routes. The 3550 could then have two static defaults pointing to the two different HSRP group addresses.

Russ
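An added illustration of the design Russ sketches above (pix--(new ip segment)---3550--hsrp segment), written for this thread rather than taken from it or from any poster's configuration. Every address is constructed for the example (RFC 1918 for the transit segment, TEST-NET-3 for the provider side), and the HSRP virtual addresses .34 and .35 are placeholders, not the thread's real block.

```cisco
! --- 3550 (the routed hop Russ describes) ---
ip routing
!
vlan 10
 name PIX-TRANSIT
vlan 20
 name ATT-HSRP
!
! Constructed transit segment between the PIX outside interface and this switch.
interface Vlan10
 ip address 10.255.255.1 255.255.255.252
!
! Constructed segment shared with the two 2620s; their HSRP virtual
! addresses (placeholders .34 and .35) live here.
interface Vlan20
 ip address 203.0.113.2 255.255.255.0
!
! Two equal-cost static defaults, one per HSRP group. CEF, on by default
! on the 3550, shares flows per destination across both routers.
ip route 0.0.0.0 0.0.0.0 203.0.113.34
ip route 0.0.0.0 0.0.0.0 203.0.113.35
!
! Deliberately no SVI on the inside, DMZ, failover or state VLANs: they
! stay pure layer 2 on this switch, so the only layer-3 path from the
! inside to the outside segment runs through the PIX (Russ's point about
! default routes on a routing switch, and James's worry about bypassing
! the PIX).
!
! Caveat: the 2620s need a route for the PIX's public (NAT global)
! addresses pointing at 203.0.113.2; on AT&T-managed routers that is a
! change request, not something the 3550 can fix on its own.
!
! --- PIX 6.3 ---
! The PIX itself does not load balance (Cisco's answer above), so it
! keeps a single outside default toward the 3550's transit address.
ip address outside 10.255.255.2 255.255.255.252
route outside 0.0.0.0 0.0.0.0 10.255.255.1 1
```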

david_prakken
Level 1

Hey James,

Isn't there a larger problem here? Pix failover is not made for load balancing. They are strictly an active/passive failover solution. You would need two regular pix's and someone's content balancing product (maybe cisco's ;)

David,

The idea here is to create redundancy; with 2 regular PIX, if one fails there would be no firewall for the equipment behind it. Content balancing and IDS are in the near future.

James
