12-17-2002 08:19 AM - edited 03-09-2019 01:25 AM
We are installing a core consisting of two 6513s and two 6509s at the distribution layer, all running EIGRP. The dist layer is redundantly connected to each core box, which are also linked. HSRP provides failover. The design incorporates asymmetric routing: packets are routed by destination, but may not return via the same path.
My question is: in each 6513, we plan to install a firewall blade. Will these firewall blades work if the network is designed to load share across the two 6513's?
12-17-2002 02:22 PM
No, if the connection is built in one firewall blade (PIX), and the return traffic tries to come in a different blade (PIX) with no connection built, then it will be blocked.
12-17-2002 02:56 PM
Thanks for the quick response... that was my guess too. Can you suggest how I might resolve this issue?
12-18-2002 03:55 PM
Are you load-sharing or using HSRP in a active-standby role? If you're load-sharing, then there's really no practicable way to get this to work. If you're doing HSRP with your routers and only one router will be active at any time, then you could just have each HSRP router talk to one particular firewall blade only. You'll run into issues when the routers switch over, but people should be able to just reconnect and start working again (sort of like non-stateful failover). Pretty messy, but I can't see any other way around it, of course I don't have a clear picture of your design so there may be better ways, but not with load-sharing.
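To make the two answers above concrete, here is a small model of the behaviour they describe: a PIX-style blade forwards only packets that match its own connection table, so with load-sharing the return traffic lands on the blade that never saw the SYN and is dropped, while pinning each HSRP router to one blade keeps both directions on the same table at the cost of a non-stateful failover. This is an added illustration written for this page, not code from the thread or from Cisco; the blade names, the addresses, and the "route by destination" selector (parity of the last octet) are constructed stand-ins, not the real EIGRP/CEF hash.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False  # True on the first packet of a TCP connection


class StatefulBlade:
    """A firewall blade that forwards only packets matching its own
    connection table, the PIX behaviour described in the thread."""

    def __init__(self, name):
        self.name = name
        self.conns = set()  # (inside_ip, inside_port, outside_ip, outside_port)

    def forward(self, pkt, outbound):
        if outbound:
            key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
            if pkt.syn:
                self.conns.add(key)  # inside-initiated SYN builds the entry
        else:
            key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)  # reversed 4-tuple
        return key in self.conns  # no entry on this blade -> packet dropped


def blade_by_destination(dst):
    """Constructed stand-in for 'route by destination' load-sharing:
    the parity of the last octet picks the blade (hypothetical, not
    the real forwarding hash)."""
    return int(dst.rsplit(".", 1)[1]) % 2


def run_load_sharing():
    """Both blades active, each direction routed by its own destination.
    Returns (blade name, outbound?, passed?) for each packet."""
    blades = [StatefulBlade("6513-A"), StatefulBlade("6513-B")]
    inside, outside = "10.1.1.10", "203.0.113.5"  # constructed addresses
    syn = Packet(inside, 40000, outside, 443, syn=True)
    syn_ack = Packet(outside, 443, inside, 40000)
    results = []
    for pkt, outbound in ((syn, True), (syn_ack, False)):
        blade = blades[blade_by_destination(pkt.dst)]
        results.append((blade.name, outbound, blade.forward(pkt, outbound)))
    return results


def run_active_standby():
    """The HSRP active router talks to one blade only, so both directions
    share a connection table. On failover the other blade has no state
    (non-stateful failover): the in-flight connection drops until the
    client reconnects. Returns the sequence of pass/drop verdicts."""
    blades = [StatefulBlade("6513-A"), StatefulBlade("6513-B")]
    active = 0
    inside, outside = "10.1.1.10", "203.0.113.5"  # constructed addresses
    syn = Packet(inside, 40000, outside, 443, syn=True)
    syn_ack = Packet(outside, 443, inside, 40000)
    data = Packet(inside, 40000, outside, 443)
    verdicts = [
        blades[active].forward(syn, True),       # SYN builds the entry
        blades[active].forward(syn_ack, False),  # return hits the same table
    ]
    active = 1  # HSRP fails over; the new active router is pinned to the other blade
    verdicts.append(blades[active].forward(data, True))  # dropped: no entry here
    reconnect = Packet(inside, 40001, outside, 443, syn=True)
    verdicts.append(blades[active].forward(reconnect, True))  # new SYN rebuilds
    return verdicts


if __name__ == "__main__":
    for name, outbound, passed in run_load_sharing():
        print(f"load-sharing: {name} {'out' if outbound else 'in ':3} "
              f"{'PASS' if passed else 'DROP'}")
    print("active-standby:", ["PASS" if v else "DROP" for v in run_active_standby()])
```

Running it shows the SYN passing through 6513-B and the SYN/ACK being dropped by 6513-A under load-sharing, and PASS, PASS, DROP, PASS under the pinned active-standby design, the DROP being the one the answer above says users will experience when the routers switch over.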
12-19-2002 07:10 AM
Thanks again for your comments. I think we're going to run one firewall blade in failover mode and filter all outbound (Internet) traffic through the other one; we'll leave HSRP enabled and route internal traffic to the server farm, but not through the firewall blade... just use ACLs.