firewall blade for cat 6500

wbrowning
Level 1

We are installing a core consisting of two 6513s and two 6509s at the distribution layer, all running EIGRP. The distribution layer is redundantly connected to each core box, which are also linked. HSRP provides failover. The design incorporates asymmetric routing: packets are routed by destination, but may not return via the same path.

My question is: in each 6513, we plan to install a firewall blade. Will these firewall blades work if the network is designed to load share across the two 6513's?

4 Replies

gfullage
Cisco Employee

No, if the connection is built in one firewall blade (PIX), and the return traffic tries to come in a different blade (PIX) with no connection built, then it will be blocked.

Thanks for the quick response...that was my guess too. Can you suggest how I might resolve this issue?

Are you load-sharing or using HSRP in a active-standby role? If you're load-sharing, then there's really no practicable way to get this to work. If you're doing HSRP with your routers and only one router will be active at any time, then you could just have each HSRP router talk to one particular firewall blade only. You'll run into issues when the routers switch over, but people should be able to just reconnect and start working again (sort of like non-stateful failover). Pretty messy, but I can't see any other way around it, of course I don't have a clear picture of your design so there may be better ways, but not with load-sharing.

Thanks again for your comments. I think we're going to run one firewall blade in failover mode and filter all outbound (Internet) traffic through the other one; we'll leave HSRP enabled and route internal traffic to the server farm, but not through the firewall blade...just use ACLs.
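The failure mode gfullage describes, and the active-standby workaround, as an added simulation that is not part of the original thread or of any Cisco code. Each blade keeps its own connection table with no state sharing; in "load-share" mode each direction of a flow is routed by its destination address (the asymmetry the original poster described), so the SYN and the returning SYN-ACK can traverse different blades; in "pinned" mode the active HSRP router always forwards through the same blade. The blade names, addresses and ports are constructed for illustration.

```python
"""Why asymmetric routing breaks independent stateful firewall blades.

Added example, not code from the thread. Two blades, each with a private
connection table, sit on two core switches. A flow whose outbound leg goes
through one blade and whose return leg arrives at the other is dropped,
because the second blade never saw the connection being built.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    direction: str  # "out" = inside toward outside, "in" = return traffic


class StatefulBlade:
    """Minimal stateful firewall: permits outbound flows and records them,
    permits inbound packets only for flows it recorded itself."""

    def __init__(self, name):
        self.name = name
        self.conns = set()   # 5-tuples of flows this blade has seen
        self.log = []        # (blade, verdict, flow) for inspection

    def forward(self, pkt):
        flow = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if pkt.direction == "out":
            self.conns.add(flow)
            self.log.append((self.name, "permit", flow))
            return True
        if reverse in self.conns:          # reply to a flow we built
            self.log.append((self.name, "permit", flow))
            return True
        self.log.append((self.name, "deny", flow))  # no state, dropped
        return False


def blade_for(pkt, mode, blades):
    """Pick the blade a packet traverses.

    'load-share': each direction is routed by its own destination, so the
    two legs of one flow may hit different blades (asymmetric routing).
    'pinned': the active HSRP router always uses blades[0].
    The last-octet hash is a constructed stand-in for the real route choice.
    """
    if mode == "pinned":
        return blades[0]
    last_octet = int(pkt.dst.rsplit(".", 1)[1])
    return blades[last_octet % len(blades)]


def tcp_handshake(mode, client="10.1.1.10", server="203.0.113.5"):
    """Push SYN, SYN-ACK, ACK through the topology.

    Returns (handshake_completed, path) where path lists
    (blade name, direction, permitted) for each packet processed.
    """
    blades = [StatefulBlade("blade-A"), StatefulBlade("blade-B")]
    syn = Packet(client, 40000, server, 80, "out")
    synack = Packet(server, 80, client, 40000, "in")
    ack = Packet(client, 40000, server, 80, "out")
    path = []
    for pkt in (syn, synack, ack):
        blade = blade_for(pkt, mode, blades)
        ok = blade.forward(pkt)
        path.append((blade.name, pkt.direction, ok))
        if not ok:
            return False, path   # client never sees the SYN-ACK
    return True, path


if __name__ == "__main__":
    for mode in ("load-share", "pinned"):
        done, path = tcp_handshake(mode)
        print(f"{mode:10s} handshake completed: {done}")
        for hop in path:
            print("   ", hop)
```

In load-share mode the SYN leaves through blade-B (server address is odd) while the SYN-ACK, routed by the client address, lands on blade-A, which has no matching entry and drops it; in pinned mode every packet crosses blade-A and the handshake completes. The simulation does not model blade failover or the HSRP switchover itself, which is where the "reconnect after a switchover" caveat in the reply above comes from.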