Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
275
Views
0
Helpful
4
Replies

redudant network config.

Craig Rees
Level 1
Level 1

‎06-23-2004 09:11 PM - edited ‎03-02-2019 04:35 PM

Anybody know the best way to configure a fully redudant environment if I have the config below.

Internet Internet

| |

| IBGP |

3745-----3745

| | | |

| | | |

| | | |

Pix ----- Pix

| | | |

| | | |

| | | |

L3switch L3Switch

I hope this is understandable. Basically 2 L3 switches each one contected to both Pixes in a criss cross redudant config. Two pixes each one conected to two border BGP routers also connected in a criss cross redudant config.

I would probaly usually in this case run OSPF/EIGRP and allow L3 protocol to decide the best path to take, but I am worried of Asymmetrical routing and if traffic goes out one pix and returns in another I am afraid the packet with get droped. My next approach is to use weighted static routes, but I think I would have issues with this also. Any suggestions on the best way to configure this??

Thanks

Labels:
0 Helpful
4 Replies 4

ruwhite
Level 7
Level 7

‎06-25-2004 05:28 AM

Running an IGP in here isn't (probably) going to impact assymetric routing--most of your assymetric routing is going to come from routing to and from the internet. I wouldn't think assymetric routing is going to be a problem from the IGP side, as long as all the links are the same cost in both directions.

:-)

Russ.W

0 Helpful

Craig Rees
Level 1
Level 1
In response to ruwhite

‎06-25-2004 05:33 AM

What would happen if a packet went out PIX_A to the Router_A but then BGP forwarded it to the neighbor router_B. Then the return path is through PIX_B. I would think the pix would drop this packet because it does not have a session. Am I correct or not?

0 Helpful

jamey
Level 4
Level 4

‎06-25-2004 07:26 AM

This whitepaper on redundant firewall design may be of some use.

http://www.networkingunlimited.com/white001.html

-HTH

0 Helpful

vcjones
Level 5
Level 5
In response to jamey

‎06-26-2004 07:50 AM

If my white paper doesn't do the job for you, there is an entire chapter on setting up redundant firewalls in my book "High Availability Networking with Cisco." The book is out of print, unfortunately, but still widely available from "used" book dealers on the Amazon and Barnes & Noble web sites. There are links on my web site if you need them.

And yes, you do have to worry about asymmetric routing if the firewalls are doing any context based filtering. One way to get around that limitation is to get your firewall redundancy in the form of a firewall cluster rather than independent firewalls, but that has its own issues.

Good luck and have fun!

Vincent C Jones

www.networkingunlimited.com

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents