Re: Load Balancing Across Multiple PIX
Greetings,

I was in this type of scenario. To load balance the firewalls (2-Nokia-Checkpoint) we used 4 Cisco (Arrowpoint) 11000. They are in failover mode with identical configs. One and two are in front of the firewalls. Three and four are below the firewalls.

The trick is to make the conversations stick to the firewall that is assigned to do this. A single firewall must keep the conversation. If another gets it, it will drop it as it has no knowledge of it. This means that you must have load balancing on both sides of the firewall. I am not sure how this would be handled if the firewalls were clustered.

Does this help?

--
A. Dominick Marino
Quality Networking Inc.
www.qualitynetworkinginc-ny.net
E-mail [EMAIL PROTECTED] [EMAIL PROTECTED]
Cell (516) 480-2973
Phone (631) 427-4931

"Rossetti, Stan" [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]...

> Hello Everyone,
>
> Does anybody know if it is possible to load balance across multiple PIX firewalls? I have looked at numerous Cisco web pages, but never any mention of load balancing. I have talked to a sales engineer and he has said that to get 1GB of throughput from a PIX firewall, you need to install 3 PIX firewalls and do load balancing across them. The max throughput from one PIX is 370MBps. Of course, I can't get the sales engineer to return my call now.
>
> Does anyone know if this is true? Do you have to have 3 PIX to do load balancing? I would like to just do load balancing across 2 PIX firewalls. Is this possible?
>
> Thanks in advance.
>
> Thanks
> Stan Rossetti
> NASA - PriSMS Advanced Technology Group
> Voice: (256) 544-5031
> Email: [EMAIL PROTECTED]
> Beeper: 544-1183 pin 0112
> CCDA, CCNA, CCSE

_ FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
Re: Load Balancing Across Multiple PIX
You would be far better off manipulating the routes (routing protocol) in your network with the routers on the inside of the PIX, and then just letting the traffic flow through the PIX as usual. You will find this solution much easier to implement and far more forgiving on your pocketbook! Of course, if you're using RIP this is not an option.

- Original Message -
From: Rossetti, Stan [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, March 07, 2001 8:01 AM
Subject: Load Balancing Across Multiple PIX

> Hello Everyone,
>
> Does anybody know if it is possible to load balance across multiple PIX firewalls? I have looked at numerous Cisco web pages, but never any mention of load balancing. I have talked to a sales engineer and he has said that to get 1GB of throughput from a PIX firewall, you need to install 3 PIX firewalls and do load balancing across them. The max throughput from one PIX is 370MBps. Of course, I can't get the sales engineer to return my call now.
>
> Does anyone know if this is true? Do you have to have 3 PIX to do load balancing? I would like to just do load balancing across 2 PIX firewalls. Is this possible?
>
> Thanks in advance.
>
> Thanks
> Stan Rossetti
> NASA - PriSMS Advanced Technology Group
> Voice: (256) 544-5031
> Email: [EMAIL PROTECTED]
> Beeper: 544-1183 pin 0112
> CCDA, CCNA, CCSE
Re: Load Balancing Across Multiple PIX
Would he run into any problems with persistence? For example, a packet enters firewall #1, and gets routed out firewall two? I could see some potential problems with asymmetric routing occurring. I know with Checkpoint you can sync the state tables, which takes at a minimum of around 50-100 ms. Often the latency behind the firewalls is far less than this, and can lead to problems.

One approach is to use something like BigIp's fireguard or Radware etc, place a load balancer on both sides of the firewall. If you want to move away from pix, there are several other options. Nokia allows you to load balance, as well as a few products for Checkpoint...Stonebeat, Rainwall etc.

Clayton Price

"Groupstudy" [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]...

> You would be far better off manipulating the routes (routing protocol) in your network with the routers on the inside of the PIX, and then just letting the traffic flow through the PIX as usual. You will find this solution much easier to implement and far more forgiving on your pocketbook! Of course, if you're using RIP this is not an option.
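Added example (not part of the original thread): a small Python simulation of the point made in the first reply and in Clayton Price's message above, that a stateful firewall drops a conversation it did not see start, so the balancers on both sides must send both directions of a flow to the same firewall. The firewall class, function names and addresses are constructed for illustration, and the sketch assumes no address translation between the two balancers.

```python
import hashlib
from collections import namedtuple

# Only the fields a flow-aware balancer hashes on (constructed model).
Packet = namedtuple("Packet", "src sport dst dport")


def _bucket(text, n):
    """Deterministically map a string onto one of n firewalls."""
    digest = hashlib.sha256(text.encode()).digest()
    return int.from_bytes(digest[:4], "big") % n


def directional_pick(pkt, n):
    """Hash the tuple as it appears on the wire.

    The reply has source and destination swapped, so it hashes to an
    unrelated bucket and may land on a firewall with no state for it.
    """
    return _bucket(f"{pkt.src}:{pkt.sport}>{pkt.dst}:{pkt.dport}", n)


def symmetric_pick(pkt, n):
    """Sort the two endpoints before hashing.

    Both directions of a conversation then produce the same key, which
    is the "sticky" behaviour needed on both sides of the firewalls.
    """
    a, b = sorted([(pkt.src, pkt.sport), (pkt.dst, pkt.dport)])
    return _bucket(f"{a[0]}:{a[1]}|{b[0]}:{b[1]}", n)


class StatefulFirewall:
    """Admits inbound packets only for connections it saw leave."""

    def __init__(self):
        self.conns = set()
        self.dropped = 0

    def outbound(self, pkt):
        # Record state for a connection initiated from the inside.
        self.conns.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))

    def inbound(self, pkt):
        # A valid reply is a recorded tuple with the endpoints swapped.
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.conns:
            return True
        self.dropped += 1
        return False


def simulate(pick, flows, n_firewalls=2):
    """Run each flow out through the inside balancer and back in
    through the outside balancer, both using the same pick function."""
    firewalls = [StatefulFirewall() for _ in range(n_firewalls)]
    for out in flows:
        firewalls[pick(out, n_firewalls)].outbound(out)
        reply = Packet(out.dst, out.dport, out.src, out.sport)
        firewalls[pick(reply, n_firewalls)].inbound(reply)
    return {
        "dropped": sum(fw.dropped for fw in firewalls),
        "per_firewall": [len(fw.conns) for fw in firewalls],
    }


# Constructed sample traffic: 64 inside clients opening one connection
# each to a single outside server (documentation address range).
FLOWS = [
    Packet(f"10.0.0.{i + 1}", 40000 + i, "192.0.2.10", 443)
    for i in range(64)
]

if __name__ == "__main__":
    for name, pick in (("directional", directional_pick),
                       ("symmetric", symmetric_pick)):
        result = simulate(pick, FLOWS)
        print(f"{name:12s} dropped={result['dropped']:3d} "
              f"connections per firewall={result['per_firewall']}")
```
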
Re: Load Balancing Across Multiple PIX
If you're looking for optimal load balancing across firewalls look at the CSS product line (Cisco of course). You're going to want to take advantage of the multiple "sticky session" options and the performance advantage over the LD.

- Wayne, CCIE # 5244, CCNA, CCDA, Nortel NCSE, MCSE, CNE, CNX Ethernet

"Howard C. Berkowitz" [EMAIL PROTECTED] wrote in message news:p05001933b6cc23d60d2f@[63.216.127.100]...

> You may need a combination of devices to get optimal load balancing, and the solution may very well depend on the protocols involved. One of the problems in our industry is to try to get a single box, with a single processor, to do everything well. It may be appropriate to treat the PIXen (informal plural I just invented, after the plural of DEC VAX being VAXen) as a cluster (boy, am I sounding VAX-ish). The actual load balancing would be done on Local Directors (or similar TCP session level load distributors) between the PIXen and the routers, potentially both on the inside and outside. If your management demands that everything be done on the PIX, you might quote Samuel Johnson to them: "the important thing about a dog walking on his hind legs is not how well he does it, but that he does it at all."
>
> Remember that the finest granularity of which BGP is aware is a subnet, ignoring global prefix length issues. As soon as you start to deal with things on a server level, you are talking about things that operate at Layer 4 or 7, and that standard routing doesn't understand (ignoring the ill-defined term content routing, which simply injects layer 7 information into the routing system).
Re: Load Balancing Across Multiple PIX
That is a ridiculously overpriced solution to the problem at hand!

- Original Message -
From: Wayne Therese Lawson [EMAIL PROTECTED]
Newsgroups: groupstudy.cisco
To: [EMAIL PROTECTED]
Sent: Thursday, March 08, 2001 11:51 AM
Subject: Re: Load Balancing Across Multiple PIX

> If you're looking for optimal load balancing across firewalls look at the CSS product line (Cisco of course). You're going to want to take advantage of the multiple "sticky session" options and the performance advantage over the LD.
>
> - Wayne, CCIE # 5244, CCNA, CCDA, Nortel NCSE, MCSE, CNE, CNX Ethernet
Re: Load Balancing Across Multiple PIX
They won't load balance natively. The problem with getting a load balancer before the PIX is that you either have it on the inside balancing outbound traffic or outside balancing inbound traffic. The PIX needs a static route for traffic going the other direction and you can't have multiple default routes on a PIX. The interface without the load balancer would have to have some kind of rigged BGP or something like that to distribute coming to the pixes or you'll have routing issues.

I could be wrong...just my first thought on the situation without COFFEE. I don't think there's any easy way to do this...

- Original Message -
From: "Rossetti, Stan" [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, March 07, 2001 10:01 AM
Subject: Load Balancing Across Multiple PIX

> Hello Everyone,
>
> Does anybody know if it is possible to load balance across multiple PIX firewalls? I have looked at numerous Cisco web pages, but never any mention of load balancing. I have talked to a sales engineer and he has said that to get 1GB of throughput from a PIX firewall, you need to install 3 PIX firewalls and do load balancing across them. The max throughput from one PIX is 370MBps. Of course, I can't get the sales engineer to return my call now.
>
> Does anyone know if this is true? Do you have to have 3 PIX to do load balancing? I would like to just do load balancing across 2 PIX firewalls. Is this possible?
>
> Thanks in advance.
>
> Thanks
> Stan Rossetti
> NASA - PriSMS Advanced Technology Group
> Voice: (256) 544-5031
> Email: [EMAIL PROTECTED]
> Beeper: 544-1183 pin 0112
> CCDA, CCNA, CCSE
Re: Load Balancing Across Multiple PIX
You may need a combination of devices to get optimal load balancing, and the solution may very well depend on the protocols involved. One of the problems in our industry is to try to get a single box, with a single processor, to do everything well. It may be appropriate to treat the PIXen (informal plural I just invented, after the plural of DEC VAX being VAXen) as a cluster (boy, am I sounding VAX-ish). The actual load balancing would be done on Local Directors (or similar TCP session level load distributors) between the PIXen and the routers, potentially both on the inside and outside. If your management demands that everything be done on the PIX, you might quote Samuel Johnson to them: "the important thing about a dog walking on his hind legs is not how well he does it, but that he does it at all."

> They won't load balance natively. The problem with getting a load balancer before the PIX is that you either have it on the inside balancing outbound traffic or outside balancing inbound traffic. The PIX needs a static route for traffic going the other direction and you can't have multiple default routes on a PIX. The interface without the load balancer would have to have some kind of rigged BGP or something like that to distribute coming to the pixes or you'll have routing issues.

Remember that the finest granularity of which BGP is aware is a subnet, ignoring global prefix length issues. As soon as you start to deal with things on a server level, you are talking about things that operate at Layer 4 or 7, and that standard routing doesn't understand (ignoring the ill-defined term content routing, which simply injects layer 7 information into the routing system).

> I could be wrong...just my first thought on the situation without COFFEE. I don't think there's any easy way to do this...
RE: Load Balancing Across Multiple PIX
I don't think you can load-balance on a PIX. Someone mentioned Cisco is working on Ver. 6.0, I wonder if this might be a feature included.

Nabil

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Allen May
Sent: Wednesday, March 07, 2001 11:35 AM
To: Rossetti, Stan; [EMAIL PROTECTED]
Subject: Re: Load Balancing Across Multiple PIX

> They won't load balance natively. The problem with getting a load balancer before the PIX is that you either have it on the inside balancing outbound traffic or outside balancing inbound traffic. The PIX needs a static route for traffic going the other direction and you can't have multiple default routes on a PIX. The interface without the load balancer would have to have some kind of rigged BGP or something like that to distribute coming to the pixes or you'll have routing issues.
>
> I could be wrong...just my first thought on the situation without COFFEE. I don't think there's any easy way to do this...
Re: Load Balancing Across Multiple PIX
Stan,

As pointed out by others, your best bet for load-balancing across multiple PIX boxes is an external load-balancer ala local-director, arrowpoint, foundry, etc. However, in regards to throughput, Cisco claims 1Gbps cleartext throughput on the new PIX 535. At that speed, it's doubtful you need load-balancing for most environments.

HTH,
Kent

On 7 Mar 2001, at 10:01, Rossetti, Stan wrote:

> Hello Everyone,
>
> Does anybody know if it is possible to load balance across multiple PIX firewalls? I have looked at numerous Cisco web pages, but never any mention of load balancing. I have talked to a sales engineer and he has said that to get 1GB of throughput from a PIX firewall, you need to install 3 PIX firewalls and do load balancing across them. The max throughput from one PIX is 370MBps. Of course, I can't get the sales engineer to return my call now.
>
> Does anyone know if this is true? Do you have to have 3 PIX to do load balancing? I would like to just do load balancing across 2 PIX firewalls. Is this possible?
>
> Thanks in advance.
>
> Thanks
> Stan Rossetti
> NASA - PriSMS Advanced Technology Group
> Voice: (256) 544-5031
> Email: [EMAIL PROTECTED]
> Beeper: 544-1183 pin 0112
> CCDA, CCNA, CCSE
RE: Load Balancing Across Multiple PIX
Be VERY careful of sales pitches... 1Gbps cleartext may well be only a few Mbps in a full encryption mode.

Case in point, after much research and many sales pitches, my site settled on Alcatel TimeStep VPN's to replace older Motorola NES's. Alcatel's pitch was that their top of the line series could pass a consistent 70Mbps encrypted (with Fast Ethernet input and output, 100Mbps cleartext). As one of the few devices that were FIPS 140-1 certified at the time (a requirement we made from the beginning), we went with them. When we started in-house testing, we found that when configured in FIPS mode, 3DES, SHA1 (as required by us), they would only pass 6Mbps.

When we finally got to talk to someone that truly had a clue, we were informed that in order to meet FIPS certification, all data must pass through a FIPS certified module on the mainboard. This module was the same one that was used on their lower speed units, and the throughput was 6Mbps! But we had failed to ask the proper questions so they had done nothing wrong.

Needless to say, we are now stuck with equipment that will still improve our throughput from what it was, but it's nowhere near what we thought we were going to get. Pay very close attention, and do your homework.

Brad Stanfield CCNA/CCDA
Network/Integration Engineer
[EMAIL PROTECTED]
Government Micro Resources
Network Operations Control Center
Norfolk Naval Shipyard Bldg 33 NAVSEA NCOE
757-393-9526
1-800-626-6622

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Friday, February 16, 2001 3:57 PM
To: '[EMAIL PROTECTED]'; Rossetti, Stan
Subject: Re: Load Balancing Across Multiple PIX

> Stan,
>
> As pointed out by others, your best bet for load-balancing across multiple PIX boxes is an external load-balancer ala local-director, arrowpoint, foundry, etc. However, in regards to throughput, Cisco claims 1Gbps cleartext throughput on the new PIX 535. At that speed, it's doubtful you need load-balancing for most environments.
>
> HTH,
> Kent
Re: Load Balancing Across Multiple PIX
There is a specific example in the IOS 12.1(5a)E release notes:

http://www.cisco.com/univercd/cc/td/doc/product/software/ios121/121newft/121limit/121e/121e5/iosslb5e.htm

You end up back-ending the PIXen on the inside ;-) with a multiple-interface router.

-e-

- Original Message -
From: Rossetti, Stan [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, March 07, 2001 8:01 AM
Subject: Load Balancing Across Multiple PIX

> Hello Everyone,
>
> Does anybody know if it is possible to load balance across multiple PIX firewalls? I have looked at numerous Cisco web pages, but never any mention of load balancing. I have talked to a sales engineer and he has said that to get 1GB of throughput from a PIX firewall, you need to install 3 PIX firewalls and do load balancing across them. The max throughput from one PIX is 370MBps. Of course, I can't get the sales engineer to return my call now.
>
> Does anyone know if this is true? Do you have to have 3 PIX to do load balancing? I would like to just do load balancing across 2 PIX firewalls. Is this possible?
>
> Thanks in advance.
>
> Thanks
> Stan Rossetti
> NASA - PriSMS Advanced Technology Group
> Voice: (256) 544-5031
> Email: [EMAIL PROTECTED]
> Beeper: 544-1183 pin 0112
> CCDA, CCNA, CCSE
RE: Load Balancing Across Multiple PIX
I probably should have stated this in the prior email, but the claim for 3DES encryption on the PIX 535 is 100 Mbps with the addition of a hardware accelerator card.

-Kent

On 7 Mar 2001, at 14:26, Stanfield Hilman B (Brad) CON wrote:

> Be VERY careful of sales pitches... 1Gbps cleartext may well be only a few Mbps in a full encryption mode.
>
> Case in point, after much research and many sales pitches, my site settled on Alcatel TimeStep VPN's to replace older Motorola NES's. Alcatel's pitch was that their top of the line series could pass a consistent 70Mbps encrypted (with Fast Ethernet input and output, 100Mbps cleartext). As one of the few devices that were FIPS 140-1 certified at the time (a requirement we made from the beginning), we went with them. When we started in-house testing, we found that when configured in FIPS mode, 3DES, SHA1 (as required by us), they would only pass 6Mbps.
>
> When we finally got to talk to someone that truly had a clue, we were informed that in order to meet FIPS certification, all data must pass through a FIPS certified module on the mainboard. This module was the same one that was used on their lower speed units, and the throughput was 6Mbps! But we had failed to ask the proper questions so they had done nothing wrong.
>
> Needless to say, we are now stuck with equipment that will still improve our throughput from what it was, but it's nowhere near what we thought we were going to get. Pay very close attention, and do your homework.
>
> Brad Stanfield CCNA/CCDA
> Network/Integration Engineer
> [EMAIL PROTECTED]
> Government Micro Resources
> Network Operations Control Center
> Norfolk Naval Shipyard Bldg 33 NAVSEA NCOE
> 757-393-9526
> 1-800-626-6622