I am looking for the most optimal way of providing redundancy from a firewall out to the internet. I have a non-Cisco firewall (Checkpoint) that does not support BGP. In front of the firewall, there are two Cisco routers running BGP which are connected to different providers (pulling default routes only).
My plan is to provide redundancy to the internet as there are nearly 100 VPN's connected to the firewall. My first thought was to use GLBP to load-balance the traffic from the firewall to each of the routers. While I don't see any issues getting this to work, I do have some concerns about how this will work.
The number one question is that since nearly all of the traffic from the firewall will be coming from a single IP & MAC address, does this mean that GLBP will direct all the traffic to a single forwarder (i.e. GLBP looks at the firewall as a single host and tells this single host that its gateway's MAC is xxx, negating load-balancing)?
I hope that I am clarifying this enough. The goal here is to have the firewall send traffic out equally between both routers. I understand that my inbound traffic is a whole different issue with regards to BGP (and I am negating that conversation right now).
I think you have summed it up perfectly. You don't get any real benefit from GLBP because the source IP and MAC address do not change.
We faced a similar problem in that we had dual connections to our WAN from 2 Cisco routers. The internal interfaces of these routers connected into a VLAN that the firewall also connected into. We found that we were only utilising one of the WAN links.
The solution we put in place was to insert 2 more routers between the firewall and the WAN routers. All 4 routers were connected to each other. We ran HSRP on the 2 new routers. And because these routers were dual connected to each WAN router they each had 2 equal cost paths to any remote destination so it didn't matter which one was the active gateway for the firewall.
It may sound like an expensive solution but the routers did not need to be that high-powered and compared to the cost of the unused WAN link it made very good financial sense.
Although your firewall doesn't do BGP, does it support any other routing capabilities? For instance, OSPF between it and the WAN routers. If so, by just passing the default, it should load balance.
If your firewall can do static routing, and if it load balances between statics, you can also have two distinct HSRP groups (on the later IOSs), each a gateway backing up the other. I.e. each router has both an active and standby HSRP.
It might also be possible, since you're working only with defaults, to stop using BGP and use static defaults. Doing this, your primary router would have one default pointing to the WAN link and the other to the secondary router.
Lastly, if using 12.4 or later, you could use OER/PfR to dynamically load balance your outbound links.
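An added illustration of the two-HSRP-group design described above, where each router is active for one virtual gateway and standby for the other, and the firewall splits its default route across both VIPs. This is example configuration, not from any poster; the addressing (192.0.2.0/24), interface names, group numbers and tracking object numbers are assumed, and object tracking requires an IOS that supports it.

```cisco
! ===== Router A (hypothetical addressing, firewall-facing VLAN) =====
track 10 interface GigabitEthernet0/1 line-protocol
!
interface GigabitEthernet0/0
 description Shared VLAN towards the firewall
 ip address 192.0.2.2 255.255.255.0
 standby version 2
 ! Group 1: Router A is the preferred active gateway (VIP .11)
 standby 1 ip 192.0.2.11
 standby 1 priority 110
 standby 1 preempt
 standby 1 track 10 decrement 20
 ! Group 2: Router A is standby for VIP .12 (default priority 100)
 standby 2 ip 192.0.2.12
 standby 2 preempt
 standby 2 track 10 decrement 20
!
! ===== Router B (mirror image of Router A) =====
track 10 interface GigabitEthernet0/1 line-protocol
!
interface GigabitEthernet0/0
 description Shared VLAN towards the firewall
 ip address 192.0.2.3 255.255.255.0
 standby version 2
 ! Group 1: Router B is standby for VIP .11
 standby 1 ip 192.0.2.11
 standby 1 preempt
 standby 1 track 10 decrement 20
 ! Group 2: Router B is the preferred active gateway (VIP .12)
 standby 2 ip 192.0.2.12
 standby 2 priority 110
 standby 2 preempt
 standby 2 track 10 decrement 20
!
! ===== Firewall side (shown in IOS notation for illustration only;
! the Checkpoint's own syntax differs) =====
! Two equal-cost default routes, one per VIP. If a router loses its
! WAN link, tracking drops its priority below 100 and the peer takes
! over that VIP, so the firewall keeps both next hops reachable.
ip route 0.0.0.0 0.0.0.0 192.0.2.11
ip route 0.0.0.0 0.0.0.0 192.0.2.12
```

Verify the intended split with `show standby brief` on each router: one group should show Active and the other Standby on both boxes, and the firewall's session table should show flows leaving via both VIPs.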
We have a similar setup: 2 ISPs, each on a dedicated 7201, and two Netscreen FWs in Active/Passive. EBGP to each ISP and IBGP between the 7201s. We are pulling a full table from each ISP. HSRP between the 7201s and a default route from the Netscreen to the HSRP VIP. All outbound traffic does initially hit the HSRP Active 7201, but then BGP takes over and BGP bestpath does a pretty good job outbound and ASPATH prepend for inbound. Now I would not call it load balancing but instead load sharing.
That being said, what is the memory on the WAN routers? The current table is around 240K. Can you take a full or partial table and maybe OER too?