06-11-2002 08:14 AM - edited 03-01-2019 10:07 PM
I have a PIX 515. I am trying to load balance 2 internet connections, one Wireless and one DSL modem. Can the PIX do this or will I have to buy another router. I also have servers on the DMZ and Inside interface that have public IP addresses. The load balance will be on ethernet ports.
I am looking for outbound load balancing, and nat on each ISP.
06-12-2002 11:00 AM
Here's what I can tell you about the setup I just completed.
1) I don't believe you can do much with only a PIX - it can only have one static default route, and the pix doesn't do policy routing
2) I have a 2620 (T1, ADSL) on the edge, in front of a pix 515. I have two address blocks, one from each ISP, and I am unable to do BGP - the DSL provider does not support BGP on ADSL customers.
3) The customer uses private addressing inside, and I turn NAT off on the pix. In fact I statically map all hosts to themselves - e.g. 192.168.12.0 0.0.0.255 mapped to 192.168.12.0 0.0.0.255.
4) I have a policy route map attached to the fastethernet interface. It selectively binds certain inside addresses and protocols first to the next hop on one interface then the next hop on the other interface, and vice versa for the other interface.
Here's the config info
access-list 111 remark
access-list 111 remark DSL preferring hosts
access-list 111 remark
access-list 111 remark first, all inside-to-outside web surfing over DSL
access-list 111 remark
access-list 111 permit tcp 192.168.12.0 0.0.0.255 any eq www
access-list 111 permit tcp 192.168.12.0 0.0.0.255 any eq 443
access-list 111 remark
access-list 111 remark then outside available services on pacbell addresses
access-list 111 remark
access-list 111 permit ip host 192.168.12.8 any
access-list 111 permit ip host 192.168.12.9 any
access-list 111 permit ip host 192.168.12.25 any
access-list 111 permit ip host 192.168.12.29 any
access-list 111 permit ip host 192.168.12.45 any
access-list 111 remark
access-list 111 remark then selected interior DHCP clients
access-list 111 remark
access-list 111 permit ip 192.168.12.172 0.0.0.3 any
access-list 111 permit ip 192.168.12.180 0.0.0.3 any
access-list 111 permit ip 192.168.12.188 0.0.0.3 any
access-list 111 permit ip 192.168.12.208 0.0.0.15 any
access-list 111 permit ip 192.168.12.240 0.0.0.15 any
access-list 113 remark
access-list 113 remark T1 preferring hosts
access-list 113 remark
access-list 113 permit ip host 192.168.12.5 any
access-list 113 permit ip host 192.168.12.48 any
access-list 113 permit ip host 192.168.12.49 any
access-list 113 permit ip 192.168.12.176 0.0.0.3 any
access-list 113 permit ip 192.168.12.184 0.0.0.3 any
access-list 113 permit ip 192.168.12.192 0.0.0.15 any
access-list 113 permit ip 192.168.12.224 0.0.0.15 any
! w.x.y.z and a.b.c.d are placeholders for the DSL and T1 next hops.
! With two addresses, IOS uses the first one whose directly connected interface is up.
route-map TBroute permit 10
 match ip address 111
 set ip next-hop w.x.y.z a.b.c.d
!
route-map TBroute permit 20
 match ip address 113
 set ip next-hop a.b.c.d w.x.y.z
!
5) NAT is performed also using route-maps, and I overload the interface address. There are certain services statically mapped - e.g. the smtp service, POP service, etc.
! Each NAT route-map matches the outgoing interface, so a flow is translated to the
! address of whichever link the policy route (or the routing table) sent it out of.
ip nat inside source route-map DSLNat interface BVI1 overload
ip nat inside source route-map T1Nat interface Serial0/0 overload
access-list 2 remark
access-list 2 remark NAT list
access-list 2 permit 192.168.12.0 0.0.0.255
route-map DSLNat permit 10
 match ip address 2
 match interface BVI1
!
route-map T1Nat permit 10
 match ip address 2
 match interface Serial0/0
!
There are a number of downfalls in this configuration. It is very specific to each application and protocol whether it can survive a drop of one link unfettered. Secondly, this configuration only detects the drop of a direct link (T1 or DSL) and not an upstream failure at the provider - that would require mutually advertised routes and BGP, as I understand it.
The scheme for an externally visible, inbound service is as follows. The internal host is set up with two local addresses. One address is statically mapped to a global address from one ISP, and the other address is statically mapped to a global address from the other ISP. The policy route map supports this mapping on outbound traffic. If one of the addresses is unavailable, then the other must be chosen for use, either manually (e.g. POP service) or by the operation of the protocol (SMTP).
Outbound load balancing is achieved through the route-map - in my case I break up the internal address pool into chunks, and route blocks of internal hosts over one or the other. Also I route based on traffic - internal HTTP browsing is sent over the DSL line because the bandwidth properties support HTTP better via DSL (6mbps downstream, 384kbps upstream) than T1.
It's not perfect.
In your case, the pix (or a router that you purchase) will not detect a failure of your DSL link because the ethernet connection between the pix/router and the DSL modem will not go down if the DSL line goes down. I put a DSL card in the 2620 for this purpose.
I invite comments and suggestions from you experts out there how I could have done my setup differently or better. I did get advice several times using this forum.
Good luck,
John
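To make the first-match behaviour of John's TBroute route-map concrete, here is an added Python model (not from the thread, and not Cisco code) of IOS wildcard-mask ACL matching and route-map sequence evaluation. It uses abridged copies of ACL 111 and 113, placeholder next-hop addresses standing in for w.x.y.z and a.b.c.d, and a constructed link-state map, so it also shows what the two-address `set ip next-hop` can and cannot see when a link fails.

```python
import ipaddress

# Placeholder next hops standing in for the post's w.x.y.z (DSL) and a.b.c.d (T1).
DSL_HOP, T1_HOP = "10.0.1.1", "10.0.2.1"

def in_wildcard(addr, network, wildcard):
    """Cisco ACL semantics: a 1 bit in the wildcard mask is a don't-care bit."""
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, network, wildcard))
    return (a & ~w) == (n & ~w)

# Abridged copies of ACL 111 / 113 from the post: (proto, source, wildcard, dst port or None).
ACL_111 = [
    ("tcp", "192.168.12.0", "0.0.0.255", 80),    # all inside web surfing over DSL
    ("tcp", "192.168.12.0", "0.0.0.255", 443),
    ("ip", "192.168.12.8", "0.0.0.0", None),     # a 'host' entry (wildcard 0.0.0.0)
    ("ip", "192.168.12.172", "0.0.0.3", None),   # a /30 chunk of DHCP clients
]
ACL_113 = [
    ("ip", "192.168.12.5", "0.0.0.0", None),
    ("ip", "192.168.12.176", "0.0.0.3", None),
]

def acl_permits(acl, proto, src, dport):
    """Entries are tested top down; the first match wins; no match is an implicit deny."""
    for p, net, wc, port in acl:
        if p != "ip" and p != proto:
            continue
        if port is not None and port != dport:
            continue
        if in_wildcard(src, net, wc):
            return True
    return False

# route-map TBroute: sequence 10 (ACL 111, DSL first) then 20 (ACL 113, T1 first).
TBROUTE = [(ACL_111, [DSL_HOP, T1_HOP]), (ACL_113, [T1_HOP, DSL_HOP])]

def next_hop(proto, src, dport, link_up):
    """Return the next hop TBroute would set, or None to fall through to the routing table.
    link_up maps a hop address to whether its directly attached link is up, which is all
    'set ip next-hop a b' can check: a failure upstream at the provider is invisible here."""
    for acl, hops in TBROUTE:
        if acl_permits(acl, proto, src, dport):
            for hop in hops:
                if link_up.get(hop, False):
                    return hop
            return None   # clause matched, but no usable hop: normal routing applies
    return None
```

Note that host 192.168.12.5 is a "T1 preferring" host under ACL 113, yet its web traffic still goes out the DSL hop, because sequence 10 with ACL 111 is evaluated first.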
06-18-2002 12:24 AM
Thanks John,
I have a similar router configuration, but in my case 3 interfaces connected to Internet (same ISP) with 256 Kbps each. All the 3 are pointed to one interface connected to LAN. I'm using a 3640 Router.
That's a portion of it (the a.b.c.x are public IPs):
route-map GW1 permit 10
 match ip address 101
 match ip next-hop 1
 set ip next-hop a.b.c.1
!
route-map GW2 permit 10
 match ip address 102
 match ip next-hop 2
 set ip next-hop a.b.c.2
!
route-map GW3 permit 10
 match ip address 103
 set ip next-hop a.b.c.3
!
But I'm not convinced that this really works!!
What other kinds of load-balancing could this router do? If one Internet interface is too busy does it direct the request to another interface?
Thanks