Please ignore my previous post; I did not realiaze that both ISP's are the same.

OSPF on pix v6.3 code ought to work, since your diagram depicts the pix using the same interface to connect to both routers.

I don't believe that it would work if you use two different interfaces (logical or physical) due to the way the pix does its packet filtering.

Hi every one, Hi Ehirsel,

I set a meeting today with my customer regard this issue, the surprising this is that the customer brought 4 ports Fast Ethernet card to fix it in his 525 thinking that he can connect the other router merely with setting another route outside command.

I have clearly told him that you will not be able to achieve such a thing cause the pix will not allow more than one "router outside"

Later I told him that fine, if you have two routers with two circuits then lets try to do load balancing.

I went through bulk of documents, I liked HSRP, I tried it on my lab and it worked fine, HSRP is great when you have one virtual IP address, you will tell the pix firewall to route outside that virtual IP address, but guess what, at this stage I am not achieving load balance, I am only achieving redundancy hence one of the circuits will be standby.

Okay Great, I though to configure Multiple HSRP, hence both of the routers will be active, at the end we can give some hosts the first virtual IP address, and some other hosts the second Virtual IP address, but with this PIX I will not be able to route outside to two virtual IP addresses,

Later I went through BGP things, its out of my control cause am not working in an ISP to configure the routers located on the ISP,

Still I have to go through OSPF , but its like I never tried configuring the PIX with OSPF before, I am really curious how OSPF will achieve load balancing, my Idea about OSPF that I can set one default route in each router to the ISP and advertise this default route on the same Router making it ASBR with default-information originate metric command, anyways one default route will be dominant with being the shortest path from PIX perspective, and if one router goes down the other default router can take its place, but at the end I did not achieve load balancing , I achieved redundancy that’s it.

There is less documents regard PIX OSPF configuration scenarios on the net, Thomas OSPF book will reach to me after tomorrow while I am sure that he does not mention anything regard PIX operation interoperated with OSPF.

Its gonna be great If some one exposed me what I can read to achieve my goal incase it can be achieved.

Just to remind you that both ISPs are the same, a question may arise like why my customer should go for two links while his main objective to do load balancing! He can in simple way cancel the second circuit and keep the first circuit with upgrading it.

This is brilliant Idea, but anyhow, he want to achieve simple redundancy based on the hardware/circuit failure beside doing load balancing, maybe the circuit failure will not be feasible as if the ISP goes down then damn sure the two circuits will be down.

I am really confused, like I need an action plan to go a head with.

Many thanks.

what's wrong with two static default routes on the pix?

Since they are both the same ISP running BGP would be pointless.

that's about as good as you can get but just remember you'll never achive true load balancing. Its more of load distribution.

As for the redundancy you can create two HSRP groups (tracking the 64k circuit) giving you two virtual ips. Then both static defaults on the pix point to the virtual ips.

Hope this helps.

I believe that OSPF is your best bet on the pix as well as on both routers. I can see the customer's view that even though the isp is the same, if there is a link failure or a router failure, you have separate router and path to get out. You will not achieve a true 50-50 load balance scenario for either in- or out-bound traffic.

Have OSPF configured on both routers, and have it not only exchange info to the pix but also to the routers at the other end of the isp links. I assume that both links are to seperate subnets and routers on the isp side. This will advertise two paths to your network to the ISP.

OSPF can use a max of 6 equal-cost paths, if you are running 12.0 ios code and later, this is set by default. However it is good to make sure that your isp validates that all routers participating in the ospf protocol do not have max-paths set lower than two.

You should be able to to have the pix see both routers as the default gateway and do some equal-cost pathing since the same interface is used on the pix. However even if the pix will only see one router, then HSRP is okay but should not be needed since you want to run ospf on the pix anyway. Since your traffic coming in from your isp is usually much greater than the outbound traffic, you ought to see some load-balance via the ospf mult-pathing on the isp side.

There are some cavets of running ospf on the pix when using NAT, but this may not come into play as you did not mention running ospf on the inside network.

I would recommend that you configure verify rpf on the pix to make sure that no ip spoofing due to ospf advertisements are being done, as well as filtering what gets adverstised between your pix and the nearest routers.

As a side note, bgp by default will only place one best route in the routing table, the later cisco code can have bgp multi-pathing turned on. But ospf is better in your case - less complicated and will converge more quickly.

As far as the routers are concerned. place the isp links in area 0, and the pix links in area 1. On the pix, just configure one ospf process with the links to the routers to be in area 1 - no need for area 0 or other areas on the pix.

Let me know if you have any questions or concerns.

The main issue with two static routes is that you will never be aware if one goes away, and take action dynamically; manual intevention would be needed. And I do not know if you can load balance among two static default routes in cisco ios and/or pix software. I know it can be done using ospf, because my org, has two connections to the same ISP and I have my routers configured for equal-cost multip pathing using ospf.

By using two HSRP groups on each router and tracking the connection to the ISP that covers any failover. (one router is primary for one group, secondary for the other)

Then the two default routes on the pix load distribute to the two HSRP virtual IPs.

OSPF on the otherhand doesn't make much sense to me. This is the same ISP so any routing table the 2620's get would be the same - even running eBGP with the provider and iBGP between the two doesn't make much sense...the 2620s only need a default route to the internet.

By running OSPF all we're accomplishing is adding processor overhead and complexity. Running a routing protocol just to share a default route might not be the best course of action.

With HSRP we can accomlish the balancing and also add sub second failover.

But that's why networking is fun. There are about 2 dozen ways to accomplish the same goal.

I am not seeing how HSRP will help in loadbalancing.

"Then the two default routes on the pix load distribute to the two HSRP virtual IPs"

Pix cant do this....

route outside 0.0.0.0 0.0.0.0 172.16.1.2

cannot add route entry. possible conflict with existing routes

Usage: [no] route []

OSPF is the way to do this.

Exactly, Its like how the Pix will forward to two Virtual IP addresses?

I did not reply soon cause to be honest I do not have a PIX firewall to try Multiple HSRPs, anyways while I was driving to the customer I was wondering like how the pix will route outside to two IP addresses! The pix will allow one default router, anyways maybe this is can be implemented if we integrate HSRP with OSPF, I did not try such a scenario and I am not able to visualize how its going to work.

I am so optimistic that it could be done in a way or another but the question is HOW?

I will answer myself here by yes it could be implemented in case we deployed two PIX firewalls instead of one

Hence we can specify the default route in the first PIX with the first virtual IP address, and give a group of hosts the default gateway to be the inside pix interface, the same thing could be accomplished with the other PIX firewall by specifying the default route to be the second virtual IP address, again we will assign the default gateways on the remaining hosts to be the second Inside PIX interface.

Here we can achieve load balancing without any doubt, but what if we reconsider the availability of one PIX Firewall only!

Let me imagine if OSPF and HSRP can achieve this, correct me if I am wrong.

If we said that this single PIX will participate with the two routers in OPS adjacency, I am not sure if there will be DR/BDR election but I think it should occurs cause the media which is connecting PIX with these two routers will be Broadcast Multi Access network, lets set the priority of the pix to be 0 to make sure it will not be the DR or BDR, hence one of the routers will be the DR and the other router will be the BDR, the Pix here will be DRother, three Ids has to appear in the “show ip ospf neighbor” the PIX will form adjacency with both routers hence both of them are DR and BDR, I am imagining that the external Interface IP address will participate in the OSPF route , the other two IP addresses of the Routers will participate being reachable via OSPF.

Now the cost of the routes to the two routers from the PIX has to be equal.

All the hosts should be given one default gateway; this default gateway is the PIX inside IP address

As soon as the pix start receive requests, it will share the load with the two equal cost routes available in the PIX routing table by forwarding the first flow to the first route and the next flow to the second route.

Thanks,

Ismail Al-Shelh

looks like we can't do two static defaults (verified by the poster above)

So you're runnin' ospf. a static default on each router, redistruted into ospf, running between both routers and the pix. that should get both routes into the pix.

I have read through a bulk of the post and was wondering this. Is there a router behind the pix. If so create 2 GRE tunnels on the router and do the ipsec on the firewall. The 2 tunnels will have an end point of the serial interface of each router. You can split the traffic between both routers and have 2 static routes for each network in case something goes wrong in one of the routers. I would also run ospf on the firewall.