06-23-2004 09:11 PM - edited 03-02-2019 04:35 PM
Anybody know the best way to configure a fully redundant environment if I have the config below.
Internet Internet
| |
| IBGP |
3745-----3745
| | | |
| | | |
| | | |
Pix ----- Pix
| | | |
| | | |
| | | |
L3switch L3Switch
I hope this is understandable. Basically 2 L3 switches, each one connected to both Pixes in a criss-cross redundant config. Two Pixes, each one connected to two border BGP routers, also connected in a criss-cross redundant config.
I would probably usually in this case run OSPF/EIGRP and allow the L3 protocol to decide the best path to take, but I am worried about asymmetrical routing: if traffic goes out one Pix and returns in another, I am afraid the packet will get dropped. My next approach is to use weighted static routes, but I think I would have issues with this also. Any suggestions on the best way to configure this??
Thanks
06-25-2004 05:28 AM
Running an IGP in here isn't (probably) going to impact asymmetric routing--most of your asymmetric routing is going to come from routing to and from the internet. I wouldn't think asymmetric routing is going to be a problem from the IGP side, as long as all the links are the same cost in both directions.
:-)
Russ.W
06-25-2004 05:33 AM
What would happen if a packet went out PIX_A to the Router_A but then BGP forwarded it to the neighbor router_B. Then the return path is through PIX_B. I would think the pix would drop this packet because it does not have a session. Am I correct or not?
06-25-2004 07:26 AM
This whitepaper on redundant firewall design may be of some use.
http://www.networkingunlimited.com/white001.html
-HTH
06-26-2004 07:50 AM
If my white paper doesn't do the job for you, there is an entire chapter on setting up redundant firewalls in my book "High Availability Networking with Cisco." The book is out of print, unfortunately, but still widely available from "used" book dealers on the Amazon and Barnes & Noble web sites. There are links on my web site if you need them.
And yes, you do have to worry about asymmetric routing if the firewalls are doing any context based filtering. One way to get around that limitation is to get your firewall redundancy in the form of a firewall cluster rather than independent firewalls, but that has its own issues.
Good luck and have fun!
Vincent C Jones
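As an added illustration of the failure mode discussed in this thread (the question about PIX_A/PIX_B above and the point about context-based filtering), here is a small Python model of two stateful firewalls. It is not code from any poster, Cisco, or the white paper; the firewall names come from the thread, while the addresses, ports and the shared-state "cluster" abstraction are constructed assumptions for the example. It shows that a reply entering a firewall that never saw the outbound packet is dropped unless the two firewalls share session state.

```python
"""Toy model of stateful firewalls and asymmetric return paths.

Constructed example: the addresses, ports and the 'shared state' cluster
abstraction are assumptions, not vendor behaviour.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int


@dataclass
class StatefulFirewall:
    name: str
    # Session table keyed on (inside_ip, inside_port, outside_ip, outside_port).
    # Pass the same set to two instances to model a cluster sharing state.
    state: set = field(default_factory=set)

    def outbound(self, pkt: Packet) -> bool:
        # Inside -> outside: record the flow so its reply can come back.
        self.state.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
        return True

    def inbound(self, pkt: Packet) -> bool:
        # Outside -> inside: permit only packets matching a tracked flow.
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return key in self.state


def simulate(forward_fw: StatefulFirewall, return_fw: StatefulFirewall) -> bool:
    """Send a request out through forward_fw and bring the reply back
    through return_fw. Returns True if the reply is accepted."""
    req = Packet("10.0.0.5", "198.51.100.10", 40000, 80)   # constructed host/server
    forward_fw.outbound(req)
    reply = Packet("198.51.100.10", "10.0.0.5", 80, 40000)
    return return_fw.inbound(reply)


def independent_firewalls() -> dict:
    """Two PIXes with separate session tables (the original poster's setup)."""
    a = StatefulFirewall("PIX_A")
    b = StatefulFirewall("PIX_B")
    return {"symmetric": simulate(a, a), "asymmetric": simulate(a, b)}


def clustered_firewalls() -> dict:
    """Two PIXes modelled as a cluster that shares one session table."""
    shared: set = set()
    a = StatefulFirewall("PIX_A", shared)
    b = StatefulFirewall("PIX_B", shared)
    return {"symmetric": simulate(a, a), "asymmetric": simulate(a, b)}


if __name__ == "__main__":
    print("independent:", independent_firewalls())
    print("clustered:  ", clustered_firewalls())
```

The `asymmetric` case with independent firewalls is the one the original poster feared: the reply reaches PIX_B, PIX_B has no session for it, and the packet is dropped. With shared state both paths succeed, which is the trade-off the reply above describes when recommending a cluster over independent firewalls.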