topic Equal cost load balancing via EIGRP on PIX 8 inside in Network Security

Equal cost load balancing via EIGRP on PIX 8 inside

jlixfeld — Mon, 11 Mar 2019 13:43:09 GMT

I have a 515E running 8.0(3). The PIX is sitting in a colo and I have a bridged DSL circuit running from my office (which is in another building a few kilometers away) to the inside interface of the PIX. This all works fine and dandy, but now I want to turn up a second bridged DSL circuit to double up the bandwidth between the office and the colo.

2 questions -

1) If the PIX does equal cost load balancing, is it per-packet or per-destination (hopefully the former!)

2) Assuming it will, are there any caveats to doing things this way with regards to NATing from 2 inside interfaces to one global, even if I turn of ip verify reverse-path on the two inside interfaces (vlans)?

Here are the config snippets for what I'm trying to do (except the second office circuit doesn't quite exist yet):

interface Ethernet0

nameif outside

security-level 0

ip address x.x.x.x 255.255.255.248

interface Ethernet2.636

vlan 636

nameif office636

security-level 100

ip address 172.20.15.1 255.255.255.0

shutdown

interface Ethernet2.637

vlan 637

nameif office637

security-level 100

ip address 172.20.16.1 255.255.255.0

ip verify reverse-path interface outside

global (outside) 1 interface

nat (outside) 1 192.0.2.0 255.255.255.0

nat (office636) 0 access-list office636_nat0_outbound

nat (office636) 1 192.168.100.0 255.255.255.0

nat (office637) 0 access-list office637_nat0_outbound

nat (office637) 1 192.168.100.0 255.255.255.0

router eigrp 100

network 172.16.0.0 255.240.0.0

passive-interface outside

redistribute static

D 192.168.100.0 255.255.255.0

[90/33280] via 172.20.16.2, 8:16:07, office637

Thanks in advance.

Re: Equal cost load balancing via EIGRP on PIX 8 inside

suschoud — Thu, 11 Sep 2008 13:41:52 GMT

1. pix does load balacing based on per FLOW basis.so,none of the options you mentioned is correct.. 🙂

2.Do not see any issues with config. is load balancing is done and PAT is done with ip verify reverse-path.

HTH

Sushil

Re: Equal cost load balancing via EIGRP on PIX 8 inside

jlixfeld — Thu, 11 Sep 2008 20:12:32 GMT

Thanks for the clarification, Sushil;

What is a Flow?

Re: Equal cost load balancing via EIGRP on PIX 8 inside

suschoud — Thu, 11 Sep 2008 20:26:05 GMT

we can configure 3 equal cost routes on an interface and it

will load-balance amongst them. However, the traffic is not necessarily divided evenly

between the routes; traffic is distributed among the specified gateways based on an

algorithm that hashes the source and destination IP addresses. The ASA just distributes

the traffic among the different gateways, not necessarily evenly.

The same information can be found here:

http://www.cisco.com/univercd/cc/td/doc/product/multisec/asa_sw/v_70/config/

ip.htm#wp1047894

The ECMP algorithm uses a hash of the source/destination IP address to

determine which route to use. As opposed to round robin load balancing, the

same source/destination pair will always use the same next hop. All packets

within the same flow and all new connections created between that

source/destination pair will utilize the same path.

Please rate if helps. 🙂

Regards,

Sushil

Re: Equal cost load balancing via EIGRP on PIX 8 inside

jlixfeld — Fri, 12 Sep 2008 04:04:59 GMT

It certainly helps, but it's not the answer I was looking for 😉 I was hoping for per-packet. Per-packet would allow me to use the aggregate bandwidth of my two connections if I were trying to do something that could make use of such a large amount of bandwidth, say transferring a large file, where as the flow based "load balancing" will not use the aggregate bandwidth for that same task 😞

Re: Equal cost load balancing via EIGRP on PIX 8 inside

suschoud — Fri, 12 Sep 2008 12:52:17 GMT

That is correct.Unfortunately,on f/w,load balancing would not necessarily mean 50:50 division....Load balacing done by router is much better and nearest to 50:50 ratio.

Regards,

Sushil