I've got 2 sets of PIX 525s (4 total) and am looking for effective options to load balance traffic between the two sets. I have redundant Internet connections with two 7200 border routers. Does anyone have any experience with this and/or ideas for an effective solution?
1) Have static routes pointing to the active PIX IP of each set (i.e. core has 2 default routes pointing to the PIXs). As this is the internet, use the default of load balancing per destination. If one PIX fails, the failover PIX takes over. If both PIXs fail, the static drops from the router and only uses the active set. Works well for LAN side failures. 7200s can have statics pointing to each PIX pair. Run MHSRP on the 7200s and have one PIX point to one HSRP active router and one PIX pointing to the other.
2) Have the PIXs advertise a default RIP route ("rip inside default"), that way your core will receive 2 default routes and can load balance that way (based on hop count, so make sure hops are equal - use "offset-list" command if necessary). You can run RIP on your network between your core and the PIXs (or if you are already using another protocol you can redistribute between it and RIP if necessary). If one PIX fails, the failover takes over advertising the default RIP route. If that set fails, the other PIX is still advertising the default route. Have the PIXs and 7200s run RIP between them (use authentication in this case as well).
3) Use policy-routing on your core pointing half your network at one PIX pair and half pointing at the other PIX pair. On the PIX/7200 side, run RIP or static routes/MHSRP as per above.
4) Create a tunnel between your core routers and the 7200s and run a protocol (eg EIGRP) over it and load balance that way. If one pair fails or if a 7200 fails, EIGRP will detect it and route over the other.
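A sketch of option 3 as IOS configuration on the core router, added here as an example and not taken from the thread. The addresses, ACL numbers, route-map name and interface name are all assumptions; each next hop is the active inside IP of one PIX pair, so the design relies on each pair's own failover to keep that IP answering.

```cisco
! Added example, not from the original thread. All values below are assumed:
!   10.0.0.1  = active inside IP of PIX pair A
!   10.0.1.1  = active inside IP of PIX pair B
!   10.1.0.0/17 and 10.1.128.0/17 = the two halves of the internal network
!
! Classify each half of the network by source address.
access-list 101 permit ip 10.1.0.0 0.0.127.255 any
access-list 102 permit ip 10.1.128.0 0.0.127.255 any
!
! First half exits through PIX pair A.
route-map SPLIT-PIX permit 10
 match ip address 101
 set ip next-hop 10.0.0.1
!
! Second half exits through PIX pair B.
route-map SPLIT-PIX permit 20
 match ip address 102
 set ip next-hop 10.0.1.1
!
! Apply the policy where internal traffic enters the core router.
interface GigabitEthernet0/1
 description LAN-facing interface (assumed name)
 ip policy route-map SPLIT-PIX
!
! Traffic that matches neither ACL follows the normal routing table,
! here the two static defaults from option 1.
ip route 0.0.0.0 0.0.0.0 10.0.0.1
ip route 0.0.0.0 0.0.0.0 10.0.1.1
```

Because the split is by source network, a given host always leaves through the same PIX pair, which keeps each flow on one stateful firewall in the outbound direction.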