socalsuperhero
asked on
Protocol routing on pix for multiple internet connections
I have a PIX 515E and two internet connections (2x T1s and DSL). I need to offload general internet usage from the T1s and keep only business services there. Without creating static routes for every individual service that I know should be on the T1s, is there a way to route all outbound port 80 traffic to a different gateway (i.e. the DSL router)?
ASKER
I'm not looking to load balance. Our edge router already load balances our T1s. I'm looking to add a rule to route traffic based upon what protocol/port the traffic is. I've got a couple of extra 2600s sitting around, as well as an ASA and a couple of other gateway devices that I'll use as a second firewall/NAT box for the DSL circuit.
I suppose I could also make the edge router handle the protocol routing.
To summarize my original question:
Is there a way on Cisco devices to route traffic based on protocol/port as opposed to just based on IP?
Right, I understand this - the bottom line though is that your ISP probably won't allow return traffic from something that was sourced from another ISP's line as it isn't using an established connection that was initiated by your equipment.
The tool you are talking about is PBR as I mentioned.
Here is an extended article on PBR from Cisco and then Wikipedia's explanation of it:
http://www.cisco.com/warp/public/732/Tech/plicy_wp.htm
http://en.wikipedia.org/wiki/Policy-based_routing
PBR is a VERY powerful tool. I think you'll find it very useful.
Let me know if that answers your question!
ASKER
Ok, so I've got the topology portion of the solution figured out. I'll change the default route on our core switch, which aggregates all the VLANs, to point to a 2600 router which I'll place internal on our network instead of pointing to the PIX. There I can implement policy-map to handle routing the HTTP traffic to one gateway while all other traffic gets routed through the current PIX. I may also end up implementing WCCP on the 2600 to facilitate a transparent caching proxy. Sound reasonable?
Not being familiar with policy-map, can someone give me an example of what would be needed to implement this on a router for routing HTTP traffic?
Before you consider that, let me tell you this - routers absolutely KILL LAN speed. They are a huge bottleneck unless you have a giant (aka very expensive) router. Instead, consider using an L3 switch that has an IP Services license. An example of a switch that does this is the Cisco Catalyst 3560. With the advanced license, the switch routes like a router but without slowing down your network.
What I recommend instead is to route all traffic through the PIX (assuming it can handle the load). Using an additional router for this or splitting traffic just complicates things.
Only have VLANs on your core switch and switches. On the PIX, just use the inside interface address and put one route in your core switch to that IP address (your core switch has IP Services or EMI license, right? Check by doing a sh ver on it.). Then use the PIX for firewall/VPN and filtering functions. Put one route in the PIX to the inside interface of the edge router. Then, use PBR on the edge router to send the right traffic out the right WAN line.
Here is a quick topology map of the right way to do it.
Internet ------ Edge router with PBR >> PIX >> Core Switch (VLANs go here) >> network
                      |
Internet -------------^
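A worked configuration for the PBR described in the answers above, added here as an example; it is not from the thread or from Cisco. It is IOS syntax for whichever IOS box sits in the path of the LAN traffic (the edge router in the topology above, a 2600, or the IOS running on the 6509's MSFC). The interface names, the 10.1.x.x addresses, the PIX inside address 10.1.2.1, the DSL NAT box address 10.1.2.2 and the ACL/route-map/track names are all assumptions. The `ip sla` and `track` commands are the 12.4-era syntax; older trains configure the probe with `rtr` instead, but the route-map and ACL are unchanged.

```cisco
! Added example (not from the thread). Policy-based routing that sends only
! outbound HTTP (TCP/80) to the DSL NAT box while everything else keeps
! following the routing table (default route -> PIX).
!
! Assumed layout:
!   FastEthernet0/0  10.1.1.3/24   LAN side; the core switch's default route points here
!   FastEthernet0/1  10.1.2.3/24   firewall side; PIX inside = 10.1.2.1, DSL NAT box = 10.1.2.2
!
! Track the DSL gateway. With "verify-availability ... track", HTTP falls back
! to the normal (PIX) path when the DSL side is down instead of being blackholed.
ip sla 1
 icmp-echo 10.1.2.2 source-interface FastEthernet0/1
 frequency 10
ip sla schedule 1 life forever start-time now
track 1 ip sla 1 reachability
!
! Classify only HTTP that is LEAVING the enterprise. RFC 1918 destinations are
! denied first so intranet web servers keep their normal path. (Add "eq 443"
! lines the same way if HTTPS should also go out the DSL line.)
ip access-list extended PBR-HTTP-OUT
 deny   tcp any 10.0.0.0    0.255.255.255 eq 80
 deny   tcp any 172.16.0.0  0.15.255.255  eq 80
 deny   tcp any 192.168.0.0 0.0.255.255   eq 80
 permit tcp 10.0.0.0 0.255.255.255 any eq 80
!
! Packets matching the ACL get next-hop 10.1.2.2 (only while track 1 is up).
! Anything not matched by a permit falls through to normal destination routing.
route-map HTTP-VIA-DSL permit 10
 match ip address PBR-HTTP-OUT
 set ip next-hop verify-availability 10.1.2.2 10 track 1
!
! PBR is applied on the interface where the LAN traffic ARRIVES, not the one
! it leaves on. It affects transit packets only, not traffic the router itself sends.
interface FastEthernet0/0
 description LAN side (from core switch)
 ip address 10.1.1.3 255.255.255.0
 ip policy route-map HTTP-VIA-DSL
!
interface FastEthernet0/1
 description Firewall side (PIX inside and DSL NAT box)
 ip address 10.1.2.3 255.255.255.0
!
! Default path for everything that is not policy-routed.
ip route 0.0.0.0 0.0.0.0 10.1.2.1
```

Things to check after applying it: `show route-map HTTP-VIA-DSL` should show the policy match counter climbing for HTTP flows only, and `show track 1` should read `Reachability is Up`. PBR only steers the outbound direction of a flow; replies follow whatever the DSL box and its provider route. That is why the DSL box must NAT the redirected flows to its own public address: if replies for a connection that left via DSL came back via the T1s, the PIX would have no state for them and (as noted earlier in the thread) the T1 provider may not accept them either. Keep the ACL narrow and destination-filtered as above, since a too-broad permit silently moves internal web traffic off the path your firewall and logging expect.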
ASKER
our core switch is a 6509, I'm assuming I could just implement this on there?
Yes that's right. We have 6509s as well. Just make sure in the sh ver that you see the word IP SERVICES. Please check that before we proceed.
When possible, you want all LAN routing done on switches - they're much faster than routers.
Reserve WAN routing for routers.
ASKER
"Just make sure in the sh ver that you see the word IP SERVICES. Please check that before we proceed. "
hmmmm...this is what I'm getting
WS-C6509 Software, Version NmpSW: 8.5(4)
Copyright (c) 1995-2006 by Cisco Systems
NMP S/W compiled on Apr 28 2006, 22:06:23
System Bootstrap Version: 8.1(3)
System Boot Image File is 'bootflash:cat6000-sup720k8.8-5-4.bin'
System Configuration register is 0x102
Hardware Version: 3.0 Model: WS-C6509 Serial #: SAL08290K1Z
PS1 Module: WS-CAC-3000W Serial #: SNI1032AWJ9
PS2 Module: WS-CAC-3000W Serial #: AZS09220015
Mod Port Model Serial # Versions
--- ---- ------------------- ----------- ----------------------------
1 24 WS-X6724-SFP SAL1010FC8A Hw : 2.4
Fw : 8.5(4)
Sw : 8.5(4)
WS-F6700-CFC SAL1004BD7C Hw : 2.1
Sw :
2 48 WS-X6748-GE-TX SAL09211NSJ Hw : 2.2
Fw : 8.5(4)
Sw : 8.5(4)
WS-F6700-CFC SAL0917A8DW Hw : 2.0
Sw :
3 48 WS-X6748-GE-TX SAL10019HKK Hw : 2.3
Fw : 8.5(4)
Sw : 8.5(4)
WS-F6700-CFC SAL09518BUH Hw : 2.0
Sw :
5 2 WS-SUP720-BASE SAD083900WP Hw : 3.1
Fw : 8.1(3)
Fw1: 8.5(4)
Sw : 8.5(4)
Sw1: 8.5(4)
WS-F6K-PFC3A SAD083505ZR Hw : 2.4
Sw :
15 1 WS-SUP720 SAD083701Z4 Hw : 2.3
Fw : 12.2(17d)SXB11a
Sw : 12.2(17d)SXB11a
DRAM FLASH NVRAM
Module Total Used Free Total Used Free Total Used Free
------ ------- ------- ------- ------- ------- ------- ----- ----- -----
5 524288K 157796K 366492K 64000K 17955K 46045K 2048K 373K 1675K
Uptime is 2 days, 15 hours, 10 minutes
ASKER CERTIFIED SOLUTION
http://www.cisco.com/en/US/products/ps5854/
The bottom line is that PIXes cannot load balance - the multiple ISP feature is only for backup in case the main line goes down. All load balancing must be done on a router.
Do you have any other questions?