
implementing redundancy

Level 1

I have 2 internet connections with 2 PIX firewalls on them. I am trying to provide redundancy for the entire network by going out our main PIX by default or the secondary PIX if the main fails. I have included a diagram of my core network, and all of the devices (main 4006, 3662, 4506, 4006) have a static route with a cost of 1 to the primary PIX and a static route with a cost of 100 to the secondary PIX. I was thinking about doing it a little differently because we tested the current configuration and the devices never switched to use the higher cost static route. So a suggestion was made to make each device have its default route to the next hop device and then provide the redundancy at two points instead of at all the devices. The problem with this is, as you can see in the diagram, it would cause a loop. If a packet hits the main 4006 and cannot use its main route, it will use the higher cost route and forward it to the 4506, but the 4506 will not see its primary route as being down, therefore it would forward the packet back to the 4006, and a loop forms. Does anyone have any suggestions on how I could provide the redundancy for all devices to both networks and not cause any loops? Again, the routes I have in the diagram were going by what someone suggested to me, but like I said that configuration would cause loops.

7 Replies

Level 8

What you need is to have the default route advertised by a dynamic routing protocol like EIGRP or BGP.

Your drawing doesn't provide any detail for the PIX connectivity to the Internet, but if you have outside choke routers you have several possible ways to configure this. You could connect to the ISP via EBGP and have them send you a default route only. You could then redistribute this to EIGRP tunneled through the PIX to your inside router. You can adjust the AD or metrics to prefer the primary. If the PIX or link to the ISP goes down that default route will go away, and all traffic will use the other path.

Here is a link that shows an example using EBGP to the ISPs and IBGP internally.

We run OSPF internally and the routers outside of our firewalls are managed by AT&T running BGP. What if I just put a route with a weight of 1 on the main 4006 and a route with a weight of like 50 or 100 on the 4506, each pointing to its respective PIX, then redistributed those routes into OSPF, or ran OSPF on the PIX? Which would be a better solution?

When I say redistribute I mean default-information originate; that should only bring the default route (ip route whatever) into OSPF. On the main side could I set one with a cost of 1 and on the other with a cost of 50 and do default-information originate on both? Would that work?
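The two-router arrangement the poster describes, written out as an added IOS configuration example (not taken from the thread). The PIX inside addresses and the OSPF process number are constructed placeholders; the metrics are the ones discussed above.

```text
! ---- Main 4006 (primary exit) ----
! Static default toward the primary PIX inside interface (constructed address)
ip route 0.0.0.0 0.0.0.0 192.0.2.1
!
router ospf 1
 ! Advertise the default into OSPF as an E2 route with the lower metric,
 ! so every internal router prefers this exit while the route exists.
 default-information originate metric 1

! ---- 4506 (secondary exit) ----
! Static default toward the secondary PIX inside interface (constructed address)
ip route 0.0.0.0 0.0.0.0 198.51.100.1
!
router ospf 1
 ! Same default, higher metric: used only when the primary's default
 ! disappears from the OSPF database.
 default-information originate metric 50

! ---- 3662 and the other 4006 ----
! No static defaults at all; they learn 0.0.0.0/0 from OSPF, so the
! higher-cost static routes that caused the looping concern are gone.
```

Because `default-information originate` is used without `always`, each router advertises the default only while its own static default is present in the routing table; that static is withdrawn only if the interface toward the PIX goes down, so a failure beyond the PIX with the LAN link still up would not trigger the failover, which is the same symptom described in the original post.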

That should work great. By cost I assume you mean administrative distance.

I am no PIX expert, but the examples all show routing protocols tunneled through, rather than the PIX participating, so I am guessing that is what you will need to do with your OSPF.

Ok, thanks a bunch. I do want to make sure that the admin distance on OSPF won't change the statics; OSPF will carry the distance, correct?

Forget what I said about admin distance, you were correct, just redistribute your BGP defaults into OSPF with a better cost on your primary ISP.

You will need to remove the internal static default routes you have now.

I don't manage the routers running BGP and we don't have BGP running on any of our routers. How would we do that, just run BGP on the two routers connected to the firewalls? And if so, how do updates get through the firewalls?