We have a PIX 525 ver. 6.1 and we would like to connect the PIX to two different ISPs, because we cannot rely on a single one. I was wondering if it is possible to configure the external PIX i/f with two public IPs.
Does anybody know it?
The pix does not support this.
The pix can have only 1 ip on the outside, and only 1 default gateway.
You will need router(s) for such load balancing/fault tolerance configuration.
Ask your ISP or a routing expert to help you design this.
Would you suggest having a single router in front of the PIX and implementing some security features on it?
Or two routers connected to the ISPs respectively? But how to have dynamic routing in this way?
Myself, I'm not a routing expert, so I don't know what is the best way.
> Do you think this is the only possible solution?
There are different optional solutions, but they all use routers and not the pix for multiple ISP links.
When planning for such a solution, you should plan also connectivity at high layers of OSI. For example, if you have multiple internal mail servers, then maybe each one will map to public IP of different ISP, and both or more will be referenced in your DNS MX record.
Don't plan just for layer 3+4 connectivity...
We struggle with this one as well... Before you can route to multiple ISPs, you need to have a few things in order:
1) You need to be using BGP on your router(s).
2) You need to have your own BGP AS number.
3) You usually will need your own registered IP block (not one assigned by one of the two ISPs). This is to overcome the issues Yizhar mentioned.
Even then, some ISPs won't share peering relationships with others, and some won't route beyond a certain mask (as an example, my corporation has a full registered class B address, but we need to route this at the C level, and we get pushback from ISPs to do this).
In the end, it was more trouble than it was worth for us. We did our research and determined which major ISPs (Tier 1) had backbones with multiple paths into our city. We chose a single ISP, but made sure that our local loop went to two geographically different POPs, and those POPs had multiple paths to the ISP backbone.
The scenario mentioned above can be done with ISP-assigned addresses, so assuming you have BGP set up correctly on your routers, the PIX will only see one default gw and the address space is routed through both POPs (though in a redundancy scenario and not load-balancing).
This setup has worked very well for us and we have not had a total outage where we lost connectivity completely. Do keep in mind, however, that unless you have multiple LECs in your city, you will still be somewhat constrained by your LEC being a single point of failure.
I didn't understand the second part of your suggestion very well (what is LEC, for example?).
Having our own AS and IP range is completely out of the question. It would be expensive, complicated, and we will probably never get it since we are a small institution.
On the other hand we cannot rely on a single ISP, because we are talking here about a developing country, where telecommunication is still an ongoing process and also very expensive.
Therefore, I think in our case we still have to think about redundancy with two ISPs.
My question remains: is it better to have a single router in front of the PIX and implement some security features on it?
Or two routers connected to the ISPs respectively? But how to have dynamic routing in this way?
LEC stands for Local Exchange Carrier... In the U.S., it's the people who essentially provide the physical link. As an example, no matter which ISP I choose for service, that ISP must still have my local phone company - BellSouth - set up the physical circuit (i.e. the local loop).
Back to your question. You could implement two routers. Look into using Cisco's Hot Standby Router Protocol, which allows you to assign a 'virtual' default gateway between two routers, with one weighted higher than the other. With HSRP, the firewall sends to the virtual gw, and depending on which router has the higher priority, the traffic then goes out that direction. Should the primary router fail, the second then routes the traffic out its circuit.
That takes care of your outbound traffic. Unfortunately, if you host servers at your site, the situation will be much tougher if you can't use BGP and share the IP space between ISPs.