Dual routers and PIX question

Discussion in 'Cisco' started by Brucefan, Aug 2, 2006.

  1. Brucefan

    Brucefan Guest

    Pretty new at this (I'm a server guy) and just started at this company
    so bear with me. We currently have 2 T-1's, one from Verizon and
    another from NetCarrier. Each T1 uses its own router. We also have a
    PIX 515E (6.3 software). Neither the Verizon router nor the PIX is
    currently in use (that's right, no firewall right now). I'd like to
    use both routers as a type of failover solution...so that if one goes
    down, Internet access will still be available out the other router (no
    need for incoming to be redundant, just outgoing). I'm assuming both
    inside interfaces on the routers will go into a switch and then into
    the external interface of the PIX. What is needed on the PIX to do
    what I'm asking? I've been reading about OSPF, is that what I need to
    use? And does that need to run on all 3 devices or just on the PIX?
    Is there an easier solution? Appreciate any direction on this.
    Brucefan, Aug 2, 2006
    #1

  2. flamer

    flamer Guest

    Brucefan wrote:

    > Pretty new at this (I'm a server guy) and just started at this company
    > so bear with me. We currently have 2 T-1's, one from Verizon and
    > another from NetCarrier. Each T1 uses its own router. We also have a
    > PIX 515E (6.3 software). Neither the Verizon router nor the PIX is
    > currently in use (that's right, no firewall right now). I'd like to
    > use both routers as a type of failover solution...so that if one goes
    > down, Internet access will still be available out the other router (no
    > need for incoming to be redundant, just outgoing). I'm assuming both
    > inside interfaces on the routers will go into a switch and then into
    > the external interface of the PIX. What is needed on the PIX to do
    > what I'm asking? I've been reading about OSPF, is that what I need to
    > use? And does that need to run on all 3 devices or just on the PIX?
    > Is there an easier solution? Appreciate any direction on this.


    Have a read on hot standby router protocol. Also some pixes come with a
    failover license and have a port on the pix to connect two together for
    this purpose (you need a special cable).

    Flamer.
    flamer, Aug 2, 2006
    #2

  3. In article <>,
    Brucefan <> wrote:

    >Each T1 uses its own router. We also have a
    >PIX 515E (6.3 software). Neither the Verizon router nor the PIX is
    >currently in use (that's right, no firewall right now). I'd like to
    >use both routers as a type of failover solution...so that if one goes
    >down, Internet access will still be available out the other router


    >What is needed on the PIX to do
    >what I'm asking? I've been reading about OSPF, is that what I need to
    >use? And does that need to run on all 3 devices or just on the PIX?


    If you need the access to continue without interruption, then you
    will need to get an AS assignment and arrange BGP with *both*
    ISPs, both of whom will be happy to say that any problems are
    someone else's fault. [Sorry, cynicism is an occupational hazard.]

    If you are okay with a disruption in service (i.e., all active
    connections lost) then Yes, you can arrange OSPF on all of the
    devices, and some kind of detection of link loss to change the
    routing.

    If you connect both routers to a switch that is then
    connected to the outside interface of the PIX, then as far as
    the PIX is concerned, you might as well use RIP instead of OSPF.
    Unfortunately with that setup, you introduce a new single point of
    failure, namely the switch.

    If you connect the routers to -different- interfaces, that's when
    OSPF comes into play: when you use RIP, the PIX doesn't like
    switching interfaces, but it can do it with OSPF.

    Be sure to have a look at the whitepapers on Vincent Jones' site,
    networkingunlimited.com .
    Walter Roberson, Aug 3, 2006
    #3
  4. Brucefan wrote:
    > use both routers as a type of failover solution...so that if one goes
    > down, Internet access will still be available out the other router (no
    > need for incoming to be redundant, just outgoing). I'm assuming both


    Beside the other proposals you can push the redundancy level by using an
    Active-Active Failover and multiple contexts in the PIX. This allows you to
    remove the SPOF between the routers and the PIX.
    Lutz Donnerhacke, Aug 3, 2006
    #4
  5. Nandan

    Nandan Guest

    Hi There,

    I think the following steps will help you in achieving what you want to do:

    1. Configure HSRP on internet facing routers. Track their internet
    links, so that transition will happen when internet link of the primary
    router fails.
    2. Configure the virtual HSRP IP Address as default gateway on your
    PIX.

    This will ensure that you are shifted to the other link once the
    primary link goes down, but you would not be able to do load balancing
    over both the links. If you want to do load balancing as well, then you
    can configure two HSRP groups (Cisco site gives details of how to
    configure load balancing using HSRP). You can also try to configure
    GLBP on internet facing routers instead of HSRP for load balancing.

    Hope this helps.

    Best Regards
    Nandan
    Nandan, Aug 3, 2006
    #5
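A worked configuration for the two steps above (HSRP with interface tracking on both routers, the PIX defaulting to the virtual IP), added here as an example and not taken from the thread; the interface names, the 192.168.255.0/24 transit LAN and the documentation-range T1 addresses are assumptions:

```cisco
! Added example, not from the thread. Addresses are constructed (a private
! transit LAN and documentation-range T1s); interface names are assumptions.
!
! --- Router A (primary, Verizon T1) ---
interface Serial0/0
 description T1 to Verizon
 ip address 192.0.2.2 255.255.255.252
!
interface FastEthernet0/0
 description LAN shared with Router B and the PIX outside interface
 ip address 192.168.255.2 255.255.255.0
 standby 1 ip 192.168.255.1
 standby 1 priority 110
 standby 1 preempt
 ! Lose 20 priority points while the T1 is down, so Router B
 ! (priority 100) wins the election and owns the virtual IP.
 standby 1 track Serial0/0 20
!
! --- Router B (standby, NetCarrier T1) ---
interface Serial0/0
 description T1 to NetCarrier
 ip address 198.51.100.2 255.255.255.252
!
interface FastEthernet0/0
 ip address 192.168.255.3 255.255.255.0
 standby 1 ip 192.168.255.1
 standby 1 priority 100
 standby 1 preempt
 standby 1 track Serial0/0 20
!
! --- PIX 515E (6.3): point the default route at the HSRP virtual IP ---
ip address outside 192.168.255.10 255.255.255.0
route outside 0.0.0.0 0.0.0.0 192.168.255.1 1
```

Tracking the serial interface only detects a circuit that is down, not an ISP that is up but not forwarding, which is the detection problem discussed later in the thread. Whatever the PIX translates to, packets leave through whichever router holds the virtual IP, so after a failover the source addresses no longer belong to that ISP's range unless that router NATs them again.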
  6. Walter Roberson wrote:

    > In article <>,
    > Brucefan <> wrote:
    >
    >>Each T1 uses its own router. We also have a
    >>PIX 515E (6.3 software). Neither the Verizon router nor the PIX is
    >>currently in use (that's right, no firewall right now). I'd like to
    >>use both routers as a type of failover solution...so that if one goes
    >>down, Internet access will still be available out the other router

    >
    >>What is needed on the PIX to do
    >>what I'm asking? I've been reading about OSPF, is that what I need to
    >>use? And does that need to run on all 3 devices or just on the PIX?

    >
    > If you need the access to continue without interruption, then you
    > will need to get an AS assignment and arrange BGP with *both*
    > ISPs, both of whom will be happy to say that any problems are
    > someone else's fault. [Sorry, cynicism is an occupational hazard.]
    >
    > If you are okay with a disruption in service (i.e., all active
    > connections lost) then Yes, you can arrange OSPF on all of the
    > devices, and some kind of detection of link loss to change the
    > routing.
    >
    > If you connect both routers to a switch that is then
    > connected to the outside interface of the PIX, then as far as
    > the PIX is concerned, you might as well use RIP instead of OSPF.
    > Unfortunately with that setup, you introduce a new single point of
    > failure, namely the switch.
    >
    > If you connect the routers to -different- interfaces, that's when
    > OSPF comes into play: when you use RIP, the PIX doesn't like
    > switching interfaces, but it can do it with OSPF.
    >
    > Be sure to have a look at the whitepapers on Vincent Jones' site,
    > networkingunlimited.com .


    Good answer, but like the other answers I've seen so far, it ignores the
    fact that as proposed, at least one of the ISP routers must do NAT rather
    than (or in addition to) the PIX. I suspect that at the current time, each
    ISP is providing a unique range of public IP addresses, and expects your
    firewall to do any NAT required to make them work. If you use RIP or OSPF
    to switch between routers, your source addresses will be wrong for at least
    one of the ISPs unless their router is configured to NAT from the other
    provider's public addresses assigned to you to their public addresses
    assigned to you.

    If you can't get at least one of the ISPs to cooperate, you will need to
    make your routing decisions inside your firewall and apply the appropriate
    NAT for the ISP which is to be used. Reliably detecting when an ISP is not
    usable can be a challenge, as few ISPs are willing to run a routing
    protocol other than BGP over their access lines, although you can use BGP
    without implementing dual homing if your ISPs are willing.

    See the brief white paper on my web site, think over your options, then read
    through Chapter 8 of my book for example approaches and their pitfalls.
    Bottom line is that it is very easy to connect to two ISPs, but the devil
    is in the details of getting those redundant connections to function
    together correctly so they actually improve functional availability.

    Good luck and have fun!
    --
    Vincent C Jones, Consultant
    Networking Unlimited, Inc.
    Tenafly, NJ   Phone: 201 568-7810
    http://www.networkingunlimited.com
    Expert advice and a helping hand for those who want to manage and
    control their networking destiny
    Vincent C Jones, Aug 8, 2006
    #6
  7. In article <lmRBg.2974$>,
    Vincent C Jones <> wrote:
    >Walter Roberson wrote:


    >> If you connect the routers to -different- interfaces, that's when
    >> OSPF comes into play: when you use RIP, the PIX doesn't like
    >> switching interfaces, but it can do it with OSPF.


    >Good answer, but like the other answers I've seen so far, it ignores the
    >fact that as proposed, at least one of the ISP routers must do NAT rather
    >than (or in addition to) the PIX. I suspect that at the current time, each
    >ISP is providing a unique range of public IP addresses, and expects your
    >firewall to do any NAT required to make them work. If you use RIP or OSPF
    >to switch between routers, your source addresses will be wrong for at least
    >one of the ISPs unless their router is configured to NAT from the other
    >provider's public addresses assigned to you to their public addresses
    >assigned to you.


    If you use OSPF to select between PIX interfaces, then the
    interfaces can have different NAT rules, which gets around the issue
    you are discussing.

    [I see that I didn't write about that in my answer, but I distinctly
    recall that I was -thinking- about that when I wrote my answer ;-) ]
    Walter Roberson, Aug 13, 2006
    #7
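A configuration for the approach Walter describes, which answers Vincent's NAT objection: each router on its own PIX interface, OSPF choosing the egress, and a separate PAT pool per interface so the translated source always belongs to the ISP the packet leaves through. Added example, not from the thread; interface names, security levels and all addresses are assumptions.

```cisco
! Added example, not from the thread. All addresses are constructed
! (documentation ranges); interface names and security levels are assumptions.
!
! --- Router A (Verizon T1), connected to the PIX "outside" interface ---
interface Serial0/0
 ip address 192.0.2.5 255.255.255.252
interface FastEthernet0/0
 ip address 192.0.2.1 255.255.255.252
! Static default toward the T1; it leaves the routing table if the
! circuit drops, and OSPF then stops originating the default below.
ip route 0.0.0.0 0.0.0.0 Serial0/0
router ospf 1
 network 192.0.2.0 0.0.0.3 area 0
 default-information originate metric 10
!
! --- Router B (NetCarrier T1), connected to the PIX "isp2" interface ---
interface Serial0/0
 ip address 198.51.100.5 255.255.255.252
interface FastEthernet0/0
 ip address 198.51.100.1 255.255.255.252
ip route 0.0.0.0 0.0.0.0 Serial0/0
router ospf 1
 network 198.51.100.0 0.0.0.3 area 0
 ! Higher cost than Router A: the PIX uses this default only
 ! while Router A's default is absent.
 default-information originate metric 20
!
! --- PIX 515E (6.3) ---
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 isp2 security4
ip address outside 192.0.2.2 255.255.255.252
ip address isp2 198.51.100.2 255.255.255.252
ip address inside 10.1.1.1 255.255.255.0
! One NAT id, one PAT pool per egress interface: whichever interface the
! OSPF-learned default points at, the translated source address is that
! interface's own address, inside that ISP's range, so the ISP's ingress
! filtering does not drop it.
nat (inside) 1 10.1.1.0 255.255.255.0
global (outside) 1 interface
global (isp2) 1 interface
router ospf 1
 network 192.0.2.0 255.255.255.252 area 0
 network 198.51.100.0 255.255.255.252 area 0
```

Existing translations are tied to the interface they were built on, so a switch between defaults drops active connections, which is the disruption Walter mentions in #3. This also still relies on the routers noticing that their circuit is down; an ISP that is up but not forwarding is not detected.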
  8. sumdingwong

    sumdingwong

    sumdingwong, Aug 21, 2006
    #8
