If HSRP was set-up between the two 4507's, would the default gateways 'float' between them ? meaning that if one of the physical units fails, then the default gateways will still be seen by hosts ?

Please see attached diagram, which details what I would like to acheive (if possible).

I'm trying to figure out a way of splitting traffic destined to the Internet, between two PIX firewall's, which would each be attached to two sepearte ISP's.

Thanks in advance.

Are the 2 PIX's in a failover bundle or are they 2 totally independant operating PIX's ?

I would first add a second GigE link between the 4507's for redundancy. Then I would configure HSRP on the 4507's, have 4507A the HSRP Primary for X amount of VLANS with 4507B as Standby, have 4507B the HSRP Primary for Y amount of VLANS with 4507A as standby. Configure the PIX's in a failover bundle, point the 4500's default route at the PIX's.

This allows either one of the 4507's to completely fail and only isolate the users that are physically attached to it. It allows one of the PIX's to totally fail, and one of the GigE links between the 4507's fail.

What method of load-balancing are you using for the 2 external routers and the ISP connections ?

Apologies for the delay in replying to this.

The external routers are going to be the ISP responsibility, so we will not have any input (at this stage) as to how they will be communicating.

The 2 4507's currently have redundant supervisor engines, so this side of things is already covered.

The suggestion to use each unit as the primary for different VLAN's sounds good, but we currently have 1 VLAN that has several secondary addresses that are the default gateways for the internal networks.

Would we need to create a VLAN interface for each secondary network address on the current VLAN ?

Thnaks in advance.

I will start from your last question and move backwards.

* You can keep your secondary addresses on the VLAN and still achieve default-gateway redundancy by running HSRP on the secondary IP addresses. However, since you have the capability of configuring VLANs i will recommend that you create a separate VLAN for each IP subnet. This might prove to be tedious in the beginning but in the long run it will help a lot towards optimizing your intra-subnet traffic as broadcasts are not forwarded between VLANs. Moreover it will also help you apply network policies more easily as you can bind them to logical VLAN interfaces.

* The suggestion to load balance VLANs between the two 4500s is a good one. Even though you have a small setup right now if you do implement this load balancing scheme now it will help you scale much better in the future. Some people like to make one switch active for Even VLANs and one switch active for Odd VLANs while both of them back eachother up. This is usually done by playing with Spanning Tree at Layer-2 and HSRP and/or VRRP at Layer-3.

* Regarding your question on the ability to load balance between the PIX firewalls, well the problem is that without an external load balancing device (like a CSS switch) you will not be able to deploy both firewalls in an active-active configuration. I am pretty sure that your firewalls are in the normal Cisco Active-Failover configuration.

* Your primary objective seems to be able to utilize both internet links simultaneously. This is possible but unfortunately it requires playing around with the routers terminating these internet connections. At this point i see that you do not have control over these routers and the only thing i can reommend is to somehow influence your ISP to configure these routers for load balancing of some sort.

I hope this explanation at least points you in the right direction if nothing else.

Many thanks for all the replies on this one.

I think that I will conentrate on getting the VLAN's set-up for the exisiting subnets.

The plan is to have 2 x 100 MB links to the Internet, so whether the PIX's are in failover mode or load balanced, it really won't make a gret deal of difference to the bandwidth.

Thanks.