Re: Routing Multicast oer Parallel Firewalls

francisfox · ‎07-04-2007

Is there a way to do routing over several parallel Pix 515E firewalls?

I have a 6509 on the inside network, 3 Pix firewalls and a single 6509 on the outside that terminates GRE tunnels from remote sites.

This all needs to pass a large amount of Multicast traffic which is too much for one Pix to handle.

The remote sites also need to route to each other on the outside via the 6509. Curently I can get the multicast traffic to pass through the right Pix by using VRFs on the outside 6509 but then the remote site to remote site routing can't work because there is no connection between the VRFs..

If I get rid of the VRFs I end up with equal cost routes and no control over the multicast traffic. The Pix firewalls also see routes to the inside network on their outside interfaces (I am using OSPF).

Has anyone encountered this type of Pix routing problem before and how did they deal with it?

Or is it not possible?

The solution also needs to scale because eventually there will be more than 1Gb of multicast traffic coming in to the core.

Thanks for any advice.

ivillegas · ‎07-11-2007

Implicit routes are static routes based on the networks attached directly to the firewall device. You cannot change or delete these routes. These routes are never specified as part of the device-specific command set that is generated and deployed to a firewall device. In other words, they are not included in the command sets that are generated for a firewall device. They are discussed here to provide the full picture of the routing rules active on a firewall device,