topic Re: PIX OS v6.3: Load Balancing Configuration in Network Security

PIX OS v6.3: Load Balancing Configuration

vtello — Fri, 21 Feb 2020 06:47:21 GMT

Using the new feature of load balancing through OSPF, is it possible to create a parrallel array of PIXes to simulate a "dynamic" load balancing environment ? Please explain why yes or not.

If the answer is not, then, is it possible to create a "static" load balancing environment ? How it would work ? pros and cons ?

Regards.

Re: PIX OS v6.3: Load Balancing Configuration

shannong — Sun, 08 Jun 2003 18:11:12 GMT

You could use multi-path selection of OSPF to create inbound and outbound statistical load-balancing. However, it will take some trickery to make sure that an inboud session is fowarded back out through the same Pix that in came in and vice versa. This is necessary because the Pix must maintain information about the session for it to pass through, which means all packets of a session must traverse the same Pix.

This can be accomplished using a device in front of and behind the Pixs such as a load-balancing switch or a Cisco router using SLB. There is an SLB feature designed explicitly for load balancing firewalls through maintaining "sticky" sessions. This can also be accomplished with source-NAT so that the routers "know" which Pix to send the traffic back through.

This sort of configuration works with or without OSPF. Multi-path OSPF selection on the Pix is meant to take advantage of multiple inside and outside network Path--not parrallel Pixs.

Re: PIX OS v6.3: Load Balancing Configuration

vtello — Mon, 09 Jun 2003 13:48:11 GMT

Only 2 new questions:

1) What do you mean by "statistical load balancing"?

2) Multi-path OSPF selection then, would allow PIX to choose more than one path "from" this device to outside or to inside. Is´t correct?

Re: PIX OS v6.3: Load Balancing Configuration

shannong — Mon, 09 Jun 2003 23:01:27 GMT

1) Statistical load-balancing refers to the fact that truly even load balancing will not occur. Rather, you'll get a distribution limited by the statistics of the method. For example, destination based load-balancing occuring via CEF will not result in 50% usage on both paths. A session across one path my consume all bandwidth while another session sent across the other path will only be a single UDP packet. The types of sessions and the destinations determine the amount of "load-balancing". It is an especially important distinction if most of the traffic is to the same destination

2) The Pix could choose to send outbound traffic over multiple paths. You don't need OSPF for this though. Multiple default routes or something like GLBP would accomplish this.

Your original question was about load balancing an array of Pixs. Both of these questions are really in reference to a single Pix distributing its load across multiple routers and/or their links. Which are you inquiring about?

Re: PIX OS v6.3: Load Balancing Configuration

vtello — Mon, 09 Jun 2003 23:52:19 GMT

I was just trying to understand the use of OSPF in my original scenario.

In conclusion, up to date, a parallel PIX configuration needs a couple of load-balancers (in front and behind) in order to do this function, is´t correct?

Re: PIX OS v6.3: Load Balancing Configuration

shannong — Fri, 13 Jun 2003 11:51:36 GMT

Correct... You need something in front and behind the Pix to ensure that a session is maintained through the same Pix. This can also be accomplished with NAT.