I have the following scenario that I really need your help on. I'm trying to build the network design for a company that has 2 internet links (asymmetric links). The 2 standalone border routers will be followed by a tier of IPS and then by another tier of PIX firewalls.
I need your help in putting the network design together. I put together a draft diagram based on my thoughts and I'm attaching the draft network layout to this post; however, I have the following concerns with the setup:
1. Since both internet links will be active, both the IPS and FW should be in Active-Active mode so they can process the traffic coming from both router links. My concern on this point is the Active-Active setup of the PIX FW, because I'm aware that the Active-Active configuration is not mature and it's originally designed to support different internal subnets and not the same internal network. What do you think?
2. Is there a possibility that the traffic that arrived from one internet link will leave the network through the other link?
3. How can I guarantee that the traffic that arrived through Router 1 in the attached diagram will be routed back through interface 1 or interface 2?
Thanks for your cooperation; I appreciate your feedback.
Thanks for the reply, your link is very interesting; however, it's not exactly what I'm looking for, since it's talking about load-balancing traffic between 2 links provided that both links are from the same ISP. In my case, each link is from a different ISP (sorry, maybe I wasn't clear on this in my previous post).
Again, the concern here is when the traffic arrives from 2 different ISPs and flows down... and how the FW should be designed to behave well and not cause me problems.
I'm also still looking for an answer on whether the traffic that arrives from one ISP can go out through the other ISP.
Do you think that if I installed one router in the perimeter with 2 outside interfaces, I could get rid of all my concerns? This idea has just jumped into my mind, so what do you think? If you agree with me on this, what router model do you recommend for this?
Look at the BGP or EIGRP protocols, where you can add routes with metrics that would balance as best as possible. As of now there is no such option on Cisco for... you need PBR, which can be done only with a customized box. Like I said, Google for Internet link balancers; there's some good stuff out there. Then, depending on your requirement, choose.
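The question of whether a session that came in through one ISP can leave through the other, and why that matters for an Active-Active PIX pair, can be shown with a small routing model. This is an added illustration, not code from the thread or from Cisco: the two public prefixes, the per-link firewall units and the single default route are constructed assumptions, and "PBR" here means choosing the outbound link from the reply's public source address, as the reply above suggests.

```python
import ipaddress

# Constructed addressing for the two-ISP perimeter (hypothetical prefixes).
ISP_PREFIXES = {
    "isp1": ipaddress.ip_network("198.51.100.0/24"),  # block routed by ISP 1, behind Router 1
    "isp2": ipaddress.ip_network("203.0.113.0/24"),   # block routed by ISP 2, behind Router 2
}
DEFAULT_LINK = "isp1"  # a single default route, as the draft design would have without PBR


def egress_link(src_ip, use_pbr):
    """Pick the outbound link for a packet leaving the perimeter.
    With PBR the public source address decides: a reply sourced from ISP 1's block goes
    to Router 1, so it returns the way the request came in. Without PBR every outbound
    packet follows the default route, whichever link the request used."""
    if use_pbr:
        src = ipaddress.ip_address(src_ip)
        for link, prefix in ISP_PREFIXES.items():
            if src in prefix:
                return link
    return DEFAULT_LINK


class StatefulUnit:
    """One firewall unit per link with its own connection table (no shared state).
    A reply is forwarded only if this unit saw the request it answers."""

    def __init__(self):
        self.flows = set()

    def inbound(self, src, dst):
        self.flows.add((src, dst))

    def outbound_reply(self, src, dst):
        return (dst, src) in self.flows  # the reply must mirror a tracked flow


def simulate_inbound_session(client_ip, public_ip, use_pbr):
    """A client on the internet reaches public_ip. Return the link the reply takes
    and whether the firewall unit on that link has state for it (False = dropped)."""
    in_link = next(l for l, p in ISP_PREFIXES.items()
                   if ipaddress.ip_address(public_ip) in p)
    units = {"isp1": StatefulUnit(), "isp2": StatefulUnit()}
    units[in_link].inbound(client_ip, public_ip)        # request enters via its ISP
    out_link = egress_link(public_ip, use_pbr)          # where does the reply go?
    return out_link, units[out_link].outbound_reply(public_ip, client_ip)
```

A request to an ISP 2 address is answered through Router 1 when only the default route exists, and the ISP 1 unit, which never saw the request, drops it; with source-based PBR the reply stays on ISP 2.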
We have configured the outside and inside interfaces with official IPv6 addresses, set a default route on the outside interface to our router, and we have also defined a rule, which also gets hits, to permit tcp from the inside interface to any6.
In Syslog I also se...