PIX with 2 ISP load sharing/balance

j.hato
Level 1

Hi gurus,

I found so many references when I searched this forum using the "load balance" keyword. Starting out, I found an answer that the "ip load-sharing" command can be used - just in my mind?? Is it possible, because the ISP has to configure "ip load-sharing" as well, right? Fine! The deeper I go, the more confusing it gets -- it is stated that this is not pure load balancing. Right, then on to the next search, where I find out I can use BGP, OSPF and bla-bla-bla. These make me dizzy... because will we have an AS# from the ISP? We are not a big enterprise company/ISP.

I have a scenario where I connect ISP-A to RTR-A and ISP-B to RTR-B. So these are different ISPs. I will get 2 subnets of public IP addresses. Behind the routers I will have a PIX firewall, where the PIX interface will do PAT.

My questions are:

1. Where should I point the default route for the PIX (since the PIX can only be set up with one default route)?

2. What IP address should I use for the PIX outside interface? The one from ISP-A or ISP-B? If I do so, this is no longer balancing/sharing, right? ---Does VRRP (Virtual Router Routing Protocol) work fine for this scenario?

3. What if I only use 1 router for the two ISPs, both A and B?

Any suggestions? Thanks in advance.

HATO

9 Replies

ehirsel
Level 6

You do not want one router to be used for both ISPs, because if it fails, your redundancy design is defeated.

You mentioned the two public IP addresses that you have. I assume that they are for outside connectivity to your servers via the ISPs as well as for the links themselves between you and the ISPs.

I.e., you don't have one public address set that you own that both ISPs will advertise. Am I correct in stating this?

If both ISPs will advertise only the public addresses that they themselves gave you, then you need to do this:

1. Ensure that the PIX and the two routers that connect to the ISPs are on the same subnet, so that the PIX uses only one interface for in and out traffic to your site. If not, the PIX may wind up dropping traffic because of asymmetric routing. The PIX needs to be immune from both sets of public addresses, so the routers that connect to both ISPs will need to perform some type of NAT, in addition to, or instead of, the PIX.

2. You need to make both ISPs aware of the other's public set of addresses and have them configure their routing to accept either address across the links.

Some ISPs now do ingress/egress filtering, and what may happen is that if the link to ISP B fails, you want the return traffic to cross the link to ISP A; otherwise users who connect to you through ISP B would not see your site as being visible. Why? Because when the traffic was set to go to ISP A through your link, they recognized the source as not being from a valid network on that link and they may drop it.

I would meet with both ISPs and make them aware of this scenario.

You will need to run OSPF or RIP v2 between the ISP routers and the PIX, so that dynamic failover from one link to another occurs.

After you meet with your providers, or if you or they have any more questions, just post them here.

Hi Ehirsel,

Thanks for your quick response.

1. How do I make them one subnet? Let's say ISP-A gave us 192.168.10.0/29 and ISP-B gave us 192.168.11.0/29. So, I'll use 192.168.10.1 for eth0/0 of router A, 192.168.10.2 for the outside of the PIX, and 192.168.10.3 for eth0/0 of router B. But how will ISP-B know the IP that was given by ISP-A? Should I contact them?

2. I will have a mail server on the DMZ side. So where does the traffic come from? From ISP-A or ISP-B, or load sharing between ISP-A and ISP-B?

NB: The ISPs are not the same.

HATO

I would recommend that you contact both ISPs and have them understand that either one will need to route traffic to you, even though the IP address is given by the other one. This will be true when a failover occurs, but even load-balancing can cause this to happen.

From my point of view there are two clean solutions to this issue:

1. Only use one set of public addresses, say those given by ISP A. Just have ISP B come to an agreement with you and ISP A to have the ability to carry and route that address as if they (ISP B) owned it. This will simplify your NAT and the public DNS entries, and this is similar to the case where you own the public address.

2. Have two routers where both connect to both providers. In this case you are still working with two public IP addresses. The routers will perform the NAT instead of the PIX, because ISP B will only accept and route to you using the addresses that it handed out, not ones handed out by ISP A. In this case, the DNS records would contain two entries for your mail server's public IP - one for the ISP A address and the other for the ISP B address. Similar for other servers such as web and FTP.

I would try option number 1 first, since you do not own your own public address, nor a public/IANA-assigned BGP autonomous system.

In either case you would need to run some dynamic protocol between the routers on your side that connect to the ISPs and your PIX, as well as between those routers and the ISP routers. This is to allow traffic to route around failed links.

Let me know what your ISPs have to say.

Hi,

For solutions #1 and #2, ISP A and ISP B won't do that, because they do not want to change any config at their site.

Do you think I need a load balancer? Only BGP will do real load balancing, but the ISP won't give an AS# to us - and the client also does not want to pay extra money to buy an AS#. Which load balancer would be good to perform this?

Thank you

I do not believe that a load balancer will help. Your issues run deeper than just load balancing.

For one thing, DNS records are one issue that needs to be addressed. Does the org. own its own domain name? Note that this is not the same as owning a public/IANA-assigned IP address.

Each ISP will have to advertise your services - ISP A will have a DNS record with an address that is in the public subnet that it assigned to you; ISP B will do the same for its subnet. Maybe each ISP can advertise both sets of addresses in its DNS; ask them if it is possible.

Now we have a NAT issue, and the question of whether each ISP will allow you to have a public source IP address assigned by the other ISP for packets crossing the link to it. This has to do with ingress/egress filtering - ask if your ISPs employ that type of filtering.

I would perform NAT on the routers that connect to the ISPs so that both routers will NAT to a common address that the PIX will recognize and process on the outside interface. You want to employ a common LAN subnet where the PIX's outside interface and both routers' inside interfaces meet. This way the PIX sends and receives traffic on the same interface, which makes the stateful filtering and packet processing, as well as the config, cleaner.

The router connected to ISP A will NAT to a public address given by ISP A for your web/email/FTP and other related servers. The router connected to ISP B will NAT to an address given by ISP B.

Note that if the link between you and ISP B were to fail, or if ISP B is having an internal network issue, then some of your customers will not be able to connect, because ISP A will not carry that traffic. Not much you can do about that, except for this:

Have each router connect to both ISPs - it will take care of the single link between you and an ISP, but it still won't take care of the ISP internal issue.
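As an added illustration of the layout described in this reply (not configuration from the thread or from Cisco), here is what the three boxes could look like in PIX 6.x and IOS syntax. The shared LAN 172.16.0.0/24, the interface names, the DMZ addressing and the public host addresses (.2 for each router, .3 for the mail server in each ISP block) are assumptions; the two /29 blocks are the placeholders used earlier in the thread, and `!` lines are comments.

```cisco
! --- PIX (6.x syntax): one outside interface on the shared LAN ---
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
ip address outside 172.16.0.3 255.255.255.0
ip address inside 10.0.1.1 255.255.255.0
ip address dmz 10.0.2.1 255.255.255.0
! the PIX gets exactly one default route; point it at RTR-A (assumed 172.16.0.1)
route outside 0.0.0.0 0.0.0.0 172.16.0.1 1
! alternative to the static default: learn 0.0.0.0 from whichever router still advertises it
! rip outside passive version 2
! outbound PAT behind the PIX's own (private) outside address; the routers translate it again
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (dmz) 1 0.0.0.0 0.0.0.0 0 0
! the mail server (assumed 10.0.2.25 in the DMZ) gets a fixed address on the shared LAN;
! each router maps that address into its own ISP block
static (dmz,outside) 172.16.0.10 10.0.2.25 netmask 255.255.255.255 0 0
access-list OUTSIDE-IN permit tcp any host 172.16.0.10 eq smtp
access-group OUTSIDE-IN in interface outside

! --- RTR-A (IOS): ISP-A link is NAT outside, shared LAN is NAT inside ---
interface FastEthernet0/0
 description link to ISP-A (ISP router assumed at 192.168.10.1)
 ip address 192.168.10.2 255.255.255.248
 ip nat outside
!
interface FastEthernet0/1
 description shared LAN with PIX outside and RTR-B
 ip address 172.16.0.1 255.255.255.0
 ip nat inside
!
ip route 0.0.0.0 0.0.0.0 192.168.10.1
!
! everything the PIX sends out is re-PATed behind the ISP-A-facing address
ip access-list standard FROM-PIX
 permit 172.16.0.0 0.0.0.255
ip nat inside source list FROM-PIX interface FastEthernet0/0 overload
!
! inbound mail via ISP-A: public 192.168.10.3 -> the mail server's PIX-side address
ip nat inside source static 172.16.0.10 192.168.10.3

! --- RTR-B (IOS): mirror of RTR-A on the ISP-B block ---
interface FastEthernet0/0
 description link to ISP-B (ISP router assumed at 192.168.11.1)
 ip address 192.168.11.2 255.255.255.248
 ip nat outside
!
interface FastEthernet0/1
 description shared LAN with PIX outside and RTR-A
 ip address 172.16.0.2 255.255.255.0
 ip nat inside
!
ip route 0.0.0.0 0.0.0.0 192.168.11.1
!
ip access-list standard FROM-PIX
 permit 172.16.0.0 0.0.0.255
ip nat inside source list FROM-PIX interface FastEthernet0/0 overload
!
! inbound mail via ISP-B: public 192.168.11.3 -> the same PIX-side address
ip nat inside source static 172.16.0.10 192.168.11.3
```

The PIX never sees an ISP address: it keeps a single default route to RTR-A, and each router translates the PIX's private addresses into its own ISP's block, so outbound traffic leaves through ISP-A as long as the PIX's default points there. The caveat in this reply still applies to inbound sessions: a connection that arrives through RTR-B's 192.168.11.3 gets its reply sent by the PIX to RTR-A, which rewrites the source to 192.168.10.3, so the client never sees a matching reply (and ISP-A may drop it as egress filtering). Keeping those replies on RTR-B requires RTR-B to also translate the source of inbound sessions to its own LAN address (IOS outside-source NAT), which is not shown here. The commented `rip outside passive version 2` line is the dynamic-protocol part this reply asks for: with it in place of the static route, the PIX learns 0.0.0.0 from whichever router still advertises it over RIP v2 on the shared LAN, so the default moves to RTR-B when RTR-A or its ISP link goes away.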

Hi,

So I have to register DNS records for my mail server with ISP-A and ISP-B (this is what I got from your details)? And the NAT should be done at the router. So what is the global (outside) pointed at on the PIX?

CMIAW

HATO

ccie_77
Level 1

It would be great if you reached a solution with this; please refer to the thread "Load Balance from two ISPs into single PIX Firewall".

Regards,

Ismail Alshelh

Thank you,

But Ismail, the thread was not clear enough for me (or I do not understand it). Do you think there is any difference between the same and different ISPs? Because in your design you were connected to the same ISP twice, but mine is different.

HATO

Try using policy-based routing; I've tried it before and it works. You can redirect internet browsing to one link while the other link serves mail.
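An added example of the policy-based routing this reply suggests (not configuration from the thread): on RTR-A, the router the PIX's default route points at, a route-map diverts outbound SMTP coming from the PIX to RTR-B, and everything else follows the normal default via ISP-A. It assumes a shared LAN of 172.16.0.0/24 between the PIX outside interface and the two routers, with RTR-A at 172.16.0.1 and RTR-B at 172.16.0.2, and that RTR-B already PATs traffic from that LAN behind its ISP-B address, so the replies to those SMTP sessions come back through RTR-B and reach the PIX on the same outside interface.

```cisco
! --- RTR-A (IOS): policy routing on the interface that faces the PIX ---
! match outbound SMTP originating on the PIX side of the shared LAN
ip access-list extended PIX-SMTP
 permit tcp 172.16.0.0 0.0.0.255 any eq smtp
!
! matched packets are handed to RTR-B; packets matching no clause are
! routed normally, i.e. out the default route toward ISP-A
route-map SPLIT-ISP permit 10
 match ip address PIX-SMTP
 set ip next-hop 172.16.0.2
 set ip next-hop verify-availability
!
interface FastEthernet0/1
 description shared LAN with PIX outside and RTR-B
 ip address 172.16.0.1 255.255.255.0
 ip policy route-map SPLIT-ISP
```

With `verify-availability`, RTR-A confirms through CDP that RTR-B is still a neighbour before using it as next hop; if RTR-B is down, SMTP simply falls back to the routing table and leaves via ISP-A (newer IOS releases can tie the same check to an IP SLA tracking object instead of CDP). This is sharing rather than balancing: each kind of flow is pinned to one link, and inbound traffic is unaffected because the policy applies only to packets entering FastEthernet0/1.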
