I have three leased lines to the Internet and just bought a PIX 515UR. The vendor told me that one PIX unit would be enough to handle all three lines (each with different IP addresses) and supplied me a PIX with three Ethernet interfaces.
Now he tells me that for ONE PIX to handle three different IPs, I'll have to get an AS number and run BGP on my Cisco 2501s, and that the 2500 is not good enough to run BGP, so I should get more powerful routers.
Or buy two more PIXs.
I'm a newbie - please help me with how I should solve this one.
Thanks a million
I take it the three leased lines are new also?
According to a friend of mine (@Cisco), if you have more than one route to the internet, you do need to run BGP, with at least one full internet routing table.
Have you spoken with your ISP?
Talking to my ISP will take 2 years - if I can find somebody who knows anything (there are people, they are just impossible to find).
Is the other option - three PIX units, one per leased line - the only way?
It's simpler, unless you can get with a Cisco engineer to discuss. How are you going to generate a default route to the internet?
You can have your own private AS number also. Do you have these three leased lines from the same ISP? If yes, then you can manage with the same PIX firewall.
If your feeds are from the same ISP, and depending on your traffic path policy, you may not need BGP.
However, if you need to direct certain traffic over certain links, then BGP is necessary.
A 2501 may suffice for BGP; it all depends on the routing policies you institute.
For example, you can have certain traffic come in over a particular link but have traffic originating within your nets leave over another feed.
This could be done with BGP without having the full routing table (~100K routes) in your router.
With so many leased lines it is recommended that you do get an AS number from ARIN; the subscription cost is minimal and you'll find it to be a useful thing to have around. Next, it may be best if you can get your vendor to provide you with an upgrade package from the 2500 to a 3600 router with the right amount of memory to support BGP. Then set up 2 of the leased lines on the 1st 3600 and the third leased line on the second 3600. Run BGP, HSRP, etc. between the 2 routers and then connect them to the PIX primary and fail-over (if you've purchased the fail-over bundle). This setup should provide you with stability and growth.
Router: 3604 or 7204 VXR (Ethernet or Gigabit)
PIX: 515 or 525 w/ fail-over (Ethernet or Gigabit)
Set IP range
You should also get a separate class "C" range from your provider(s) for each leased line, this will give you some control with BGP and the AS setup.
Depending on your ISP, you may be able to do Cisco Express Forwarding (CEF). Also, is the majority of your traffic outbound, or inbound to a domain name? If the purpose of the three circuits is to support massive outbound bandwidth and not inbound to a domain, you may be able to make it work without an ASN and BGP... I know both Sprint and AT&T can provide multiple circuits without requiring you to run BGP...
Before talking about any solutions...
The first question: Why do you need 3 leased lines?
The second one: How many ISPs are involved?
Your answers will give us just enough information to begin helping you design a good solution.
You can use the Cisco 2500 to get connected to the ISP through the three leased lines, and if you want load balancing then you may want to turn on BGP on a better router than the 2500. BGP gives you better control over your routes. If you want to use the leased lines as backup lines then you may not want to turn on BGP. You can use floating static routes to make the three links redundant to each other.
The PIX firewall can go behind the Cisco 2500 router. If you want redundancy in your network then you can go for two PIX firewalls configured in Failover mode.
If you need any more help shoot me an E-mail at Manuahmed@hotmail.com.
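The floating-static-route approach from the post above, written out as an added Cisco IOS configuration example. It is not from the thread or from any poster: the interface names, the PIX outside address and the prefixes are assumptions, using RFC 5737 documentation ranges, and all three lines are shown on a single router for brevity (a 2501 has only two serial ports, so in practice the same commands would be split across two routers).

```cisco
! Added example (not from the thread): three leased lines, no BGP,
! using floating static default routes. Addresses are RFC 5737
! documentation ranges; interface names and the PIX address are
! assumptions.
!
! Ethernet0 faces the PIX outside interface (assumed 198.51.100.2).
interface Ethernet0
 description Outside segment towards the PIX
 ip address 198.51.100.1 255.255.255.0
!
interface Serial0
 description Leased line 1 (primary)
 ip address 203.0.113.2 255.255.255.252
!
interface Serial1
 description Leased line 2 (first backup)
 ip address 203.0.113.6 255.255.255.252
!
interface Serial2
 description Leased line 3 (second backup)
 ip address 203.0.113.10 255.255.255.252
!
! Three default routes. The trailing number is the administrative
! distance (static routes default to 1); IOS installs only the
! lowest-distance default whose interface is up, so line 2 carries
! traffic only while Serial0 is down and line 3 only while both
! Serial0 and Serial1 are down. Naming the interface as well as the
! next hop ties each route to its line protocol, so the route is
! withdrawn the moment that line drops instead of being resolved
! recursively through one of the other defaults.
ip route 0.0.0.0 0.0.0.0 Serial0 203.0.113.1
ip route 0.0.0.0 0.0.0.0 Serial1 203.0.113.5 200
ip route 0.0.0.0 0.0.0.0 Serial2 203.0.113.9 210
!
! Our public network (assumed 192.0.2.0/24) lives behind the PIX, so
! point it at the PIX outside address for return traffic.
ip route 192.0.2.0 255.255.255.0 198.51.100.2
```

`show ip route` will list only the default that is currently installed; pull the cable on Serial0 and the distance-200 route appears in its place. Two limits worth knowing before relying on this: failover is triggered only by the interface going down, so a line that stays up while the ISP has lost its own upstream will not fail over, and these routes steer only outbound traffic; the return path is whatever the ISP(s) route, which is the point the later posts make about the return path and BGP.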
Sorry, but I have to ask some questions.
Are all the feeds (leased lines) from the same provider?
If they are, speak to your provider; they may have policies on BGP usage if you only multihome to them, plus they may respond a bit quicker than if you have multihomed with other providers.
I will presume that the links are not, as this is slightly more complex.
I don't see why you need three PIXs. If you have three sets of IP addresses you could use NAT to convert this to one set of IP addresses. Do this on the 2500s, and then the IP addresses that hit your PIX are all the same.
I think the main issue is the routing, i.e. BGP. Normally if you connect to more than one ISP you need BGP (it does not depend on the number of links etc., just on the fact that you want to send traffic via two different routes, hence you need a routing policy).
As for running it on 2500s: fine in a lab; in a production environment I would try a slightly larger router. The router selection will depend on the method of BGP routing chosen.
1. All three routers run BGP but only receive a default route from the ISPs; you have no "best path" routing, but it will be resilient. Possible on 2500s.
2. All routers receive "ISP customer routes" or some other reduced BGP view. Not quite 2500s (maybe, if loads of memory; also depends on how big your ISP is); suggest 2600/3600.
3. Run full views (a view is a BGP routing table). Good routing, but lots of memory needed.
4. Mix. Mix any of the above to get something customised to you.
IP addressing: some providers won't multihome with other providers' IP addresses; DNS when using 3 IP addresses for 1 WWW site (if applicable); you may need to apply for provider-independent addressing, and most ISPs should multihome with these.
Don't forget the return path for traffic must be taken into account. If you run BGP (more than one ISP) you will need a registered AS number; one of your ISPs may offer advice for this, but you will have to apply for it. If you run BGP to one ISP they may let you use a private AS number (>65000).
I have included a link to a good white paper on NAT and multihoming.
And have fun....
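Option 1 from the post above (BGP to each ISP, but accepting only a default route from them, which is what keeps the table small enough for a 2500) as an added Cisco IOS example. This is not from the thread or from any poster; the AS numbers are RFC 5398 documentation numbers (64496 for our side, 64500 to 64502 for the three ISPs; a multihomed site would use its registered AS here), the addresses are RFC 5737 ranges, and the prefix, neighbor addresses, password and names are assumptions. It is shown on one router for brevity; with the lines split across routers, each router gets its own session(s) and the same filters.

```cisco
! Added example (not from the thread): BGP sessions to three ISPs that
! accept only 0.0.0.0/0 from each and announce only our own prefix.
! AS numbers are RFC 5398 documentation values, addresses are RFC 5737
! ranges; neighbor addresses, prefix, names and password are assumptions.
!
router bgp 64496
 no synchronization
 bgp log-neighbor-changes
 ! Originates 192.0.2.0/24; BGP only announces it if a matching route
 ! is in the table, hence the static route at the bottom.
 network 192.0.2.0 mask 255.255.255.0
 !
 neighbor 203.0.113.1 remote-as 64500
 neighbor 203.0.113.1 description ISP A, leased line 1
 neighbor 203.0.113.1 password Line1-Secret
 neighbor 203.0.113.1 prefix-list DEFAULT-ONLY in
 neighbor 203.0.113.1 prefix-list OUR-PREFIX out
 neighbor 203.0.113.1 route-map PREFER-A in
 neighbor 203.0.113.1 maximum-prefix 10
 !
 neighbor 203.0.113.5 remote-as 64501
 neighbor 203.0.113.5 description ISP B, leased line 2
 neighbor 203.0.113.5 password Line2-Secret
 neighbor 203.0.113.5 prefix-list DEFAULT-ONLY in
 neighbor 203.0.113.5 prefix-list OUR-PREFIX out
 neighbor 203.0.113.5 maximum-prefix 10
 !
 neighbor 203.0.113.9 remote-as 64502
 neighbor 203.0.113.9 description ISP C, leased line 3
 neighbor 203.0.113.9 password Line3-Secret
 neighbor 203.0.113.9 prefix-list DEFAULT-ONLY in
 neighbor 203.0.113.9 prefix-list OUR-PREFIX out
 neighbor 203.0.113.9 maximum-prefix 10
 no auto-summary
!
! Inbound: nothing but the default route, so a full table (or an ISP
! mistake) cannot fill a 2500's memory; maximum-prefix above is the
! belt to this braces and tears the session down if it is exceeded.
ip prefix-list DEFAULT-ONLY seq 5 permit 0.0.0.0/0
!
! Outbound: nothing but our own prefix, so a misconfiguration can never
! re-advertise ISP A's default to ISP B and turn us into transit.
ip prefix-list OUR-PREFIX seq 5 permit 192.0.2.0/24
!
! Three defaults arrive but BGP installs one. A higher local preference
! on ISP A's default makes line 1 the outbound path while its session
! is up; lines 2 and 3 take over when it drops.
route-map PREFER-A permit 10
 set local-preference 200
!
! Our network sits behind the PIX (outside address assumed 198.51.100.2).
ip route 192.0.2.0 255.255.255.0 198.51.100.2
```

`show ip bgp summary` should show a prefix count of 1 per neighbor and `show ip bgp` a single best default (the `>` entry) from ISP A; `show ip bgp neighbors 203.0.113.1 advertised-routes` should list only 192.0.2.0/24. The MD5 password is the one cheap protection against a spoofed TCP reset or a rogue peer on the link, but it only works if the ISP configures the same key on its side, which is one more reason to talk to the ISP first as the earlier posts say.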
As has been mentioned before, BGP would only be needed if you've gotten your three lines from different providers, and want the Internet to know that it can reach your entire address space from any one of the three providers. The PIX can easily deal with three different networks on its three different interfaces. Not a problem.
The questions I'd have for you are:
0. One ISP, or three?
1. Why three lines - just bandwidth? Or redundancy?
2. If you're doing this for redundancy purposes, your PIX (by itself anyway) is a single point
3. The PIX doesn't speak anything other than RIP or RIP2. It cannot speak BGP4 at all.
If you do have to do BGP, I'd advise careful planning of your Interior Gateway Protocol (IGP) strategy... unfortunately, the PIX, being a predominantly static routing platform, will inject a good deal of 'non dynamic' routing into your routing strategy.
Hope this helps,
Hi, just one additional point: if you use BGP4, you will need to apply for an AS number first. Also make sure your ISP supports BGP and they also have BGP running on their router.
Make sure your IGP is running well so you can set up the iBGP session within your PIX and routers.
Good luck to you.