George,

Yes, you can LB PIXen, but there are caveats:

1) PIXes can only do state sharing if one is in failover mode. If you have 2 active PIXen, you cannot share state, so if one PIX fails, all active sessions on that PIX will drop and have to start over on the other PIX.

2) It's usually not necessary to LB PIXen; they have very high throughput unless you are using the very low-end boxes, so for most environments it's better to simply have an active-standby configuration so you get the state-sharing. (It's also cheaper since you get a discount on the standby PIX.)

However, if you want to LB PIXen anyway, the best practice is to have an external LB solution like a Cisco content switch; you'll need one on the inside and outside of the PIX "farm", which can get expensive.

The other way you could do it is with a routing protocol passed through the PIX from the outside routers to the inside routers, but you have to be careful that all your flows go through the same PIX or your sessions will drop, since there will be no state sharing between the PIXen. You can normally achieve this by using fast switching on your internal and external routers, since the next hop for destinations is cached for all subsequent packets.

HTH,
Kent

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, May 01, 2002 6:32 AM
To: [EMAIL PROTECTED]
Subject: Pix load balance? [7:42974]

Can you load balance to pix firewalls? Has anyone done this?
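
An added illustration, not part of the original thread: a toy Python model of two stateful firewalls with no state sharing, comparing per-packet distribution with keeping each flow on one unit. The Firewall class, the hash-based path selection (a stand-in for the cached next hop described in the reply) and the sample packets are all constructed assumptions, not Cisco behaviour or configuration.

```python
import zlib
from itertools import count

class Firewall:
    """Toy stateful filter: inside hosts open flows, outside packets need state."""
    def __init__(self):
        self.state = set()  # connection table local to this unit, never shared

    def forward(self, src, dst, from_inside):
        key = frozenset((src, dst))  # same key for both directions of a flow
        if from_inside:
            self.state.add(key)
            return True
        return key in self.state  # return traffic passes only if state exists here

def per_packet(n):
    """Round-robin every packet across n firewalls, ignoring flows."""
    c = count()
    return lambda src, dst: next(c) % n

def symmetric_hash(n):
    """Pin both directions of a flow to one firewall (assumed stand-in for
    the per-destination next-hop caching on the inside and outside routers)."""
    def pick(src, dst):
        a, b = sorted((src, dst))
        return zlib.crc32(f"{a}|{b}".encode()) % n
    return pick

def run(pick, packets, n=2):
    """Send packets through n independent firewalls; return how many were dropped."""
    fws = [Firewall() for _ in range(n)]
    return sum(
        0 if fws[pick(src, dst)].forward(src, dst, from_inside) else 1
        for src, dst, from_inside in packets
    )

# Constructed sample: three flows, each request/reply/request/reply.
PACKETS = []
for port in (40000, 40001, 40002):
    inside, outside = f"10.0.0.5:{port}", "198.51.100.7:80"
    PACKETS += [(inside, outside, True), (outside, inside, False)] * 2

if __name__ == "__main__":
    print("per-packet drops:", run(per_packet(2), PACKETS))
    print("flow-pinned drops:", run(symmetric_hash(2), PACKETS))
```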