RE: Pix load balance? [7:42974]
Brian,

Yes, most of them do NAT. From the client WS perspective, there is only a single server IP, so it sends packets to that IP address. Once the switch gets the packet (since it is answering for that IP), it needs to forward the packet to a server. Normally, for the server to accept that packet the switch must change the dst IP to the server's real IP address and likewise alter the replies from the server so they appear to come from the virtual IP (i.e. NAT).

Note that some switches support an option called "direct server return" in which the switch sets up the initial conversation, and then the server talks directly back to the client without having to go through the switch. In this case NAT is not performed between the server and the client. (I don't think this architecture is widely used though.)

The layer 4-7 portion is really only relevant when the switch is deciding 1) Is a service "up" on a particular server and 2) How does the switch determine to which server an individual packet needs to be forwarded (i.e. how much of the data portion of a packet has to be examined to determine what traffic stream it belongs to).

HTH,
Kent

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Brian Zeitz
Sent: Tuesday, May 07, 2002 9:25 AM
To: [EMAIL PROTECTED]
Subject: RE: Pix load balance? [7:42974]

Dumb question, does any of these devices use NAT? I just read that the PIX to DMZ interface uses dNAT, not sure if that is faster. I was reading my Alteon Web Switch book last night, it says you CAN do NAT, but I don't know if layer 4-7 switches actually DO NAT normally. If it's a switch, it should be switching right, the translation gets done in layer 4. Kinda confused.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=43535&t=42974
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
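Kent's description of what the switch does with a virtual IP (rewrite dst on the way in, rewrite src on the way out, skip both for direct server return, and only hand streams to servers whose service is "up") can be seen end to end in a small model. The following is an added example written for this page, not code from the thread or from any Alteon, Foundry or Cisco product; the classes, the `accepts_vip` flag and every address are constructed for illustration.

```python
"""Toy model of an L4-7 content switch fronting real servers with one virtual IP.

Added example for this thread, not code from any product named in it. The
classes, the ``accepts_vip`` flag and every address below are constructed
for illustration (RFC 5737 documentation ranges).
"""
from dataclasses import dataclass
from itertools import cycle

VIP = "192.0.2.10"                  # the only address clients ever see
REAL = ["10.0.0.11", "10.0.0.12"]   # real server addresses behind the switch


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    payload: str = ""


class RealServer:
    def __init__(self, ip, up=True, accepts_vip=False):
        self.ip = ip
        self.up = up                    # result of the switch's health check
        self.accepts_vip = accepts_vip  # VIP bound locally, as direct server return needs
        self.seen = []

    def handle(self, pkt):
        # A host drops traffic for an address it does not own, which is why the
        # switch must rewrite dst unless the server also holds the VIP itself.
        if pkt.dst != self.ip and not (self.accepts_vip and pkt.dst == VIP):
            return None
        self.seen.append(pkt)
        # The reply is sourced from whatever address the request was sent to.
        return Packet(pkt.dst, pkt.src, pkt.dport, pkt.sport, "re:" + pkt.payload)


class ContentSwitch:
    def __init__(self, servers, dsr=False):
        self.servers = servers
        self.dsr = dsr
        self.sessions = {}    # (client ip, client port) -> real server owning the stream
        self.rr = cycle(servers)

    def _pick(self, key):
        # The layer 4-7 decision: which server owns this stream. Only servers
        # whose service is "up" are candidates; later packets reuse the mapping.
        if key not in self.sessions:
            for _ in range(len(self.servers)):
                srv = next(self.rr)
                if srv.up:
                    self.sessions[key] = srv
                    break
            else:
                return None
        return self.sessions[key]

    def client_to_server(self, pkt):
        srv = self._pick((pkt.src, pkt.sport))
        if srv is None:
            return None, None
        if self.dsr:
            # Direct server return: IP header untouched (only the MAC changes on
            # a real switch), so the server has to accept the VIP itself.
            return srv, pkt
        # Destination NAT: the server sees its own address as dst.
        return srv, Packet(pkt.src, srv.ip, pkt.sport, pkt.dport, pkt.payload)

    def server_to_client(self, reply):
        # Reverse translation: the client must see the reply come from the VIP.
        if (reply.dst, reply.dport) not in self.sessions:
            return None
        return Packet(VIP, reply.dst, reply.sport, reply.dport, reply.payload)


def round_trip(switch, client="198.51.100.7", sport=40000):
    """One request to the VIP. Returns (dst the server saw, src the client saw);
    None in the second slot means the server dropped the request."""
    req = Packet(client, VIP, sport, 80, "GET /")
    srv, fwd = switch.client_to_server(req)
    if srv is None:
        return None, None                 # no healthy server at all
    reply = srv.handle(fwd)
    if reply is None:
        return fwd.dst, None
    if not switch.dsr:
        reply = switch.server_to_client(reply)   # DSR replies bypass the switch
    return fwd.dst, (reply.src if reply else None)


if __name__ == "__main__":
    nat = ContentSwitch([RealServer(ip) for ip in REAL])
    print("NAT:", round_trip(nat), round_trip(nat, sport=40001))
    dsr = ContentSwitch([RealServer(ip, accepts_vip=True) for ip in REAL], dsr=True)
    print("DSR:", round_trip(dsr))
    print("DSR, VIP not bound on server:",
          round_trip(ContentSwitch([RealServer(ip) for ip in REAL], dsr=True)))
```

In NAT mode the server sees its own address and the client sees the VIP; in DSR mode the server sees the VIP and must have it bound locally, otherwise the request is dropped, which is the usual DSR misconfiguration. A server marked down is never chosen, and a stream stays on the server it was first assigned to.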
RE: Pix load balance? [7:42974]
The Cisco CSS11xxx can do NAT without degrading performance. I have had excellent experiences setting this up for clients.

-----Original Message-----
From: Brian Zeitz [mailto:[EMAIL PROTECTED]]
Sent: Tue 5/7/2002 12:24 PM
To: [EMAIL PROTECTED]
Cc:
Subject: RE: Pix load balance? [7:42974]

Dumb question, does any of these devices use NAT? I just read that the PIX to DMZ interface uses dNAT, not sure if that is faster. I was reading my Alteon Web Switch book last night, it says you CAN do NAT, but I don't know if layer 4-7 switches actually DO NAT normally. If it's a switch, it should be switching right, the translation gets done in layer 4. Kinda confused.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=43534&t=42974
RE: Pix load balance? [7:42974]
Dumb question, does any of these devices use NAT? I just read that the PIX to DMZ interface uses dNAT, not sure if that is faster. I was reading my Alteon Web Switch book last night, it says you CAN do NAT, but I don't know if layer 4-7 switches actually DO NAT normally. If it's a switch, it should be switching right, the translation gets done in layer 4. Kinda confused.

-----Original Message-----
From: Gragido, William [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, May 07, 2002 12:09 PM
To: Brian Zeitz; [EMAIL PROTECTED]
Subject: RE: Pix load balance? [7:42974]

The best way to load balance is to use an application layer (layer 4-7) switch. I am not too familiar with Cisco's offering of this technology (sadly), but have worked extensively with Foundry's ServerIrons and they are excellent devices!

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=43528&t=42974
RE: Pix load balance? [7:42974]
The best way to load balance is to use an application layer (layer 4-7) switch. I am not too familiar with Cisco's offering of this technology (sadly), but have worked extensively with Foundry's ServerIrons and they are excellent devices!

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Brian Zeitz
Sent: Tuesday, May 07, 2002 8:50 AM
To: [EMAIL PROTECTED]
Subject: RE: Pix load balance? [7:42974]

Load balancing is supposed to be done on content switches according to what I am reading. It cannot be done on the firewall within the site, nor can it be done with different ISPs.

Brian Zeitz
MCSE, CCNP

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=43525&t=42974
RE: Pix load balance? [7:42974]
Load balancing is supposed to be done on content switches according to what I am reading. It cannot be done on the firewall within the site, nor can it be done with different ISPs.

Brian Zeitz
MCSE, CCNP

-----Original Message-----
From: Gaz [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, May 07, 2002 6:58 AM
To: [EMAIL PROTECTED]
Subject: Re: Pix load balance? [7:42974]

What's the reason? I'm not disputing the fact, just wondering what the limitation is. I take it that the limitation is only that it cannot do stateful failover with two active PIXes?

Cheers,
Gaz

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=43501&t=42974
Re: Pix load balance? [7:42974]
What's the reason? I'm not disputing the fact, just wondering what the limitation is. I take it that the limitation is only that it cannot do stateful failover with two active PIXes?

Cheers,
Gaz

wrote in message news:[EMAIL PROTECTED]...
> Yeah, I asked the same questions last month. They can not. If you really
> need firewall and Load balancing, FW-1 is the way to go.
>
> Theo
> CSS1, CCNP, CCSE

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=43478&t=42974
Re: Pix load balance? [7:42974]
Yeah, I asked the same questions last month. They can not. If you really need firewall and Load balancing, FW-1 is the way to go.

Theo
CSS1, CCNP, CCSE

"Patrick"
Sent by: [EMAIL PROTECTED]
05/06/2002 06:28 AM
Please respond to "Patrick"

To: [EMAIL PROTECTED]
cc:
Subject: Re: Pix load balance? [7:42974]

No.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=43451&t=42974
Re: Pix load balance? [7:42974]
Hi,

Do you have any URL on the Cisco site which points to how to configure a CSS11 to provide load balancing to PIXes? I tried looking at cisco.com but couldn't find it. This URL is the closest that I found on firewall load balancing with the CSS, but it doesn't specifically say it is a PIX.

http://www.cisco.com/warp/public/117/fw_load_balancing.html

Thanks in advance

----- Original Message -----
From: "Greene, Patrick"
To:
Sent: Monday, May 06, 2002 9:03 AM
Subject: RE: Pix load balance? [7:42974]

> Yes if you front-end them with a Cisco Content Switch...the CSS11000. It
> will also provide fault-tolerance.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=43379&t=42974
RE: Pix load balance? [7:42974]
Yes if you front-end them with a Cisco Content Switch...the CSS11000. It will also provide fault-tolerance.

-----Original Message-----
From: Patrick [mailto:[EMAIL PROTECTED]]
Sent: Sun 5/5/2002 5:28 PM
To: [EMAIL PROTECTED]
Cc:
Subject: Re: Pix load balance? [7:42974]

No.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=43352&t=42974
Re: Pix load balance? [7:42974]
No.

""GEORGE"" wrote in message news:[EMAIL PROTECTED]...
> Can you load balance to pix firewalls?
> Has anyone done this?

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=43346&t=42974
RE: Pix load balance? [7:42974]
George,

Yes, you can LB PIXen, but there are caveats:

1) PIXes can only do state sharing if one is in failover mode. If you have 2 active PIXen, you cannot share state, so if one PIX fails, all active sessions on that PIX will drop and have to start over on the other PIX.

2) It's usually not necessary to LB PIXen, they have very high throughput unless you are using the very low-end boxes, so for most environments it's better to simply have an active-standby configuration so you get the state-sharing. (It's also cheaper since you get a discount on the standby PIX.)

However, if you want to LB PIXen anyway, the best practice is to have an external LB solution like a Cisco content switch; you'll need one on the inside and outside of the PIX "farm", which can get expensive. The other way you could do it is with a routing protocol passed through the PIX from the outside routers to the inside routers, but you have to be careful that all your flows go through the same PIX or your sessions will drop since there will be no state sharing between the PIXen. You can normally achieve this by using fast switching on your internal and external routers since the next hop for destinations is cached for all subsequent packets.

HTH,
Kent

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, May 01, 2002 6:32 AM
To: [EMAIL PROTECTED]
Subject: Pix load balance? [7:42974]

Can you load balance to pix firewalls?
Has anyone done this?

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=42983&t=42974
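Kent's two caveats, that two active PIXes share no session state and that every packet of a flow must therefore traverse the same PIX in both directions, can be demonstrated with a toy model. This is an added example written for this page, not PIX or content-switch code; the firewall and dispatcher classes, the addresses and the hash-based "sticky" policy are constructed stand-ins for a content switch with flow persistence (or cached fast-switching next hops) on each side of the firewall farm.

```python
"""Toy model of two active stateful firewalls behind a pair of dispatchers.

Added example for this thread, not PIX or content-switch code. The classes,
addresses (RFC 5737 ranges) and the hash-based "sticky" policy are constructed
stand-ins for a content switch with flow persistence, or for cached
fast-switching next hops, on each side of the firewall farm.
"""
import hashlib
from dataclasses import dataclass
from itertools import cycle


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False   # True only on the client's opening segment


def flow_key(pkt):
    # Direction-independent 4-tuple: both halves of a connection share one key.
    return tuple(sorted([(pkt.src, pkt.sport), (pkt.dst, pkt.dport)]))


class StatefulFirewall:
    """Passes a packet only if it belongs to a session this unit saw start.
    Units share nothing, as two active PIXes do not."""

    def __init__(self, name):
        self.name = name
        self.alive = True
        self.sessions = set()
        self.dropped = 0

    def forward(self, pkt):
        key = flow_key(pkt)
        if pkt.syn:
            self.sessions.add(key)
        if key in self.sessions:
            return True
        self.dropped += 1      # mid-stream packet with no state: dropped
        return False


class FirewallFarm:
    """Outside and inside dispatcher sharing one policy in front of the units."""

    def __init__(self, firewalls, sticky=True):
        self.fws = firewalls
        self.sticky = sticky
        self.rr = cycle(range(len(firewalls)))

    def pick(self, pkt):
        live = [fw for fw in self.fws if fw.alive]
        if not live:
            return None
        if self.sticky:
            # Same flow -> same unit, in both directions, while that unit is up.
            digest = hashlib.sha256(repr(flow_key(pkt)).encode()).digest()
            return live[int.from_bytes(digest[:4], "big") % len(live)]
        return live[next(self.rr) % len(live)]   # per-packet round robin

    def send(self, pkt):
        fw = self.pick(pkt)
        return fw is not None and fw.forward(pkt)


def tcp_exchange(farm, client, server, sport, data_packets=4):
    """Client outside opens a session to a server inside and both sides send
    data. Returns the number of packets the farm dropped."""
    pkts = [Packet(client, sport, server, 443, syn=True),
            Packet(server, 443, client, sport)]          # SYN-ACK, needs state
    for i in range(data_packets):
        pkts.append(Packet(client, sport, server, 443) if i % 2 == 0
                    else Packet(server, 443, client, sport))
    return sum(0 if farm.send(p) else 1 for p in pkts)


def compare_policies(n_flows=5):
    """(drops with flow-sticky dispatch, drops with per-packet round robin)."""
    results = []
    for sticky in (True, False):
        farm = FirewallFarm([StatefulFirewall("pix-a"), StatefulFirewall("pix-b")], sticky)
        results.append(sum(tcp_exchange(farm, "198.51.100.%d" % (i + 1), "10.0.0.80", 40000 + i)
                           for i in range(n_flows)))
    return tuple(results)


def failover_without_state_sharing(n_flows=8):
    """Pin sessions across two active units, then lose one. Returns
    (sessions pinned to the failed unit, packets dropped after the failure,
    sessions recovered once the clients start over with a new SYN)."""
    fws = [StatefulFirewall("pix-a"), StatefulFirewall("pix-b")]
    farm = FirewallFarm(fws, sticky=True)
    flows = [("198.51.100.%d" % (i + 1), 40000 + i) for i in range(n_flows)]
    for c, s in flows:
        farm.send(Packet(c, s, "10.0.0.80", 443, syn=True))
    pinned = sum(1 for c, s in flows if farm.pick(Packet(c, s, "10.0.0.80", 443)) is fws[0])
    fws[0].alive = False
    # The survivor has no state for the dead unit's sessions: those packets drop.
    dropped = sum(0 if farm.send(Packet(c, s, "10.0.0.80", 443)) else 1 for c, s in flows)
    recovered = sum(1 for c, s in flows if farm.send(Packet(c, s, "10.0.0.80", 443, syn=True)))
    return pinned, dropped, recovered


if __name__ == "__main__":
    print("drops (sticky, per-packet):", compare_policies())
    print("(pinned, dropped, recovered):", failover_without_state_sharing())
```

With per-packet dispatch, every return packet lands on the unit that never saw the SYN, so half of each connection is dropped; with flow-sticky dispatch on both sides nothing is lost. After one unit fails, exactly the sessions that were pinned to it are dropped by the survivor until the clients open them again, which is the behaviour an active-standby pair with state sharing is bought to avoid.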