04-18-2003 12:15 AM
I need a suggestion about how to balance the traffic through two PIX firewalls, with 4 interfaces (IN,OUT,DMZ1,DMZ2)
In all the documentation related to the subject, I see always the firewalls with only two interfaces:
http://www.cisco.com/warp/customer/117/fw_load_balancing.html
http://www.cisco.com/univercd/cc/td/doc/product/webscale/css/advcfggd/firewall.htm
What if I need to balance on more than 2 interfaces?
Do I have to add more content switches, one for each interface?
Or could I use VLANs inside the same content switches, and assign the ports to the DMZs appropriately?
Thank you in advance for any help.
04-24-2003 07:44 AM
You will need a minimum of four CSSs, one for every firewall interface.
05-03-2003 10:53 AM
We just had some internal discussions about that at my work, and the suggestion from a local Cisco specialist was, if you want to leverage load balancing over multiple DMZs, then you get the CSS blades for the 65xx's. Right now we have multiple CSS and LD failover pairs (one pair for each DMZ) and it is starting to become expensive, while we aren't really utilizing the full capacity of them. If you get the blades, they have Gigabit traces to the backplane of the switch, and you can use them for as many ports as you have on the 6500.
Then again, it depends on whether physical security is essential to you, and whether you are concerned with L2 attacks (VLAN hopping, etc.). There are tradeoffs and benefits when using a consolidated infrastructure.
05-03-2003 07:14 PM
I would suggest a separate load balancer for each interface. If you collapse all the PIX interfaces into one 6500 and use the CSM blade, you will be very surprised.
Because the CSM would have a client interface on each of the PIX VLANs, it may route the traffic instead of sending it to the PIX.
Bottom line; not a good idea.
08-07-2003 12:55 PM
Did you ever get a definitive answer on the CSM module and this design? We are looking at the same design and I cannot seem to get a straight answer on whether this is secure or not.
Thanks!
08-08-2003 01:51 AM
If configured correctly, this should be secure.
The CSM can do some policy routing and prevent traffic from one VLAN from being *routed* directly to another VLAN, and instead route the traffic to a desired firewall interface.
The configuration is a little bit more tricky, and errors could lead to insecure access.
But it's like everything else I would say.
So, in my opinion, this is secure enough once configured correctly.
Gilles.