RE: HSRP with load balancing on a Cisco IOS based firewall

From: Cherian M. Palayoor (cpalayoor_at_cwalkergroup.com)
Date: 09/08/03

  • Next message: Preston Newton: "RE: ICMP (Ping)"
    Date: Mon, 8 Sep 2003 12:16:39 -0700
    To: "Dave" <update@dsrtech.com>, <security-basics@securityfocus.com>
    
    

    Hi Dave,

    Can I implement MHSRP across IOS based firewalls on Cisco routers?

    I was hoping to have it configured in the following manner.
    Split the network behind the Firewall into subnets, say Network A and Network
    B. Network A has router X as its primary and router Y as its secondary.
    Similarly, Network B would have router Y as its primary and router X as its
    secondary. The return traffic would have to be similarly directed to the
    respective routers by the preceding device. This way, if either fails, its
    respective secondary would take over.
    My preliminary research on HSRP gives me the understanding that in an HSRP
    with load sharing environment, the 2 routers would have the same IP addresses,
    albeit in a primary and secondary role. e.g.: Router X would have xy.1 as its
    primary IP and xy.2 as its secondary, and Router Y would have xy.2 and xy.1 as
    its primary & secondary respectively.

    A return packet originally sent out through X would find Y with the IP xy.1 (on
    router X's failure) and consequently would have its state maintained.

    Would the above configuration successfully address the problem of the state
    not being maintained?

    Do you reckon this configuration would work using IOS firewalls, or is my
    understanding of how HSRP with load sharing works incorrect?

    Regards

    Cherian

    -----Original Message-----
    From: Dave [mailto:update@dsrtech.com]
    Sent: Friday, September 05, 2003 6:17 PM
    To: security-basics@securityfocus.com
    Cc: Cherian M. Palayoor
    Subject: RE: HSRP with load balancing on a Cisco IOS based firewall

    HSRP is only for fail over.

    You can use MHSRP which is multiple groups to "load split".

    Let's say you have a /24 network. You would make your HSRP group 1
    primary for 0/25 and your HSRP group 2 primary for 128/25.

    Then make them each redundant for the other and "split" the load. Your
    responsibility would be to ensure you load balance your busiest hosts
    between networks.

    This same principle applies for BGP. You can essentially balance the
    connections by splitting the network routing.

    On Fri, 2003-09-05 at 17:05, David Gillett wrote:
    > HSRP does fail-over, but I don't see how it would do load balancing
    > without some outside help. I think whatever does load-balancing for
    > you becomes your alternative to HSRP. (If I'm wrong, I'd be really
    > interested in seeing a lot more detail of what you're doing....)
    >
    > David Gillett
    >
    >
    > > -----Original Message-----
    > > From: Cherian M. Palayoor [mailto:cpalayoor@cwalkergroup.com]
    > > Sent: September 5, 2003 09:44
    > > To: security-basics@securityfocus.com
    > > Subject: HSRP with load balancing on a Cisco IOS based firewall
    > >
    > >
    > > Hi there,
    > >
    > > Has anyone implemented HSRP with load balancing on a Cisco IOS based
    > > firewall.
    > >
    > > I have come across vague references to HSRP on IOS firewalls, though I
    > > haven't managed to locate a configuration document as such. I am not so
    > > sure on the possibility of load balancing though.
    > >
    > > Any ideas ?
    > >
    > > Thanks in advance.
    > >
    > > Regards
    > >
    > > CP
    > >
    > >
    > >
    > >
    > > ---------------------------------------------------------------------------
    > > Attend Black Hat Briefings & Training Federal, September 29-30 (Training),
    > > October 1-2 (Briefings) in Tysons Corner, VA; the world's premier
    > > technical IT security event. Modeled after the famous Black Hat event in
    > > Las Vegas! 6 tracks, 12 training sessions, top speakers and sponsors.
    > > Symantec is the Diamond sponsor. Early-bird registration ends September 6.
    > > Visit us: www.blackhat.com
    > > ---------------------------------------------------------------------------
    > >
    >

    ---------------------------------------------------------------------------
    Captus Networks
    Are you prepared for the next Sobig & Blaster?
     - Instantly Stop DoS/DDoS Attacks, Worms & Port Scans
     - Precisely Define and Implement Network Security
     - Automatically Control P2P, IM and Spam Traffic
    FIND OUT NOW - FREE Vulnerability Assessment Toolkit
    http://www.captusnetworks.com/ads/42.htm
    ----------------------------------------------------------------------------

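The split Dave describes, written out as an added example (it is not configuration from any poster in this thread) for two IOS Firewall routers sharing one /24 behind the inside interface. All addresses, interface names and the inspection rule name are assumptions. Hosts in 192.0.2.0/25 use the group 1 virtual address 192.0.2.1 as their default gateway and hosts in 192.0.2.128/25 use the group 2 virtual address 192.0.2.2; each router is active for one group and standby for the other, and `track` plus `preempt` move a group to the surviving router when a router's outside link drops and hand it back when it recovers. On Cherian's state question, the caveat a practitioner needs: HSRP moves only the virtual IP and MAC. Classic CBAC, which is what the IOS Firewall feature set provided at the time of this thread, keeps its session table locally on each router and HSRP does not replicate it, so sessions that were established through the failed router are dropped and must be re-opened through the other one. The design also depends on the upstream device returning traffic through the same router that originated it, because CBAC must see both directions of a session to keep its temporary ACL openings alive.

```cisco
! Router X  (example configuration, addresses and names assumed)
! Active for HSRP group 1 (gateway for 192.0.2.0/25), standby for group 2
!
ip inspect name INSIDE tcp
ip inspect name INSIDE udp
!
ip access-list extended OUTSIDE-IN
 ! CBAC opens temporary entries here for return traffic of inspected sessions;
 ! everything not opened by inspection is dropped and logged
 permit icmp any any echo-reply
 deny   ip any any log
!
interface Serial0/0
 description Outside
 ip address 198.51.100.1 255.255.255.252
 ip access-group OUTSIDE-IN in
!
interface FastEthernet0/0
 description Inside LAN 192.0.2.0/24 (shared by both routers)
 ip address 192.0.2.3 255.255.255.0
 ip inspect INSIDE in
 ! group 1: this router wins the election (110 > Y's default 100) while
 ! Serial0/0 is up; losing the outside link drops it to 90 and Y takes over
 standby 1 ip 192.0.2.1
 standby 1 priority 110
 standby 1 preempt
 standby 1 track Serial0/0 20
 ! group 2: standby at the default priority 100; becomes active only if
 ! router Y fails or Y's outside link drops Y to 90
 standby 2 ip 192.0.2.2
 standby 2 preempt
 standby 2 track Serial0/0 20
!
!
! Router Y  (mirror image: active for group 2, standby for group 1)
!
ip inspect name INSIDE tcp
ip inspect name INSIDE udp
!
ip access-list extended OUTSIDE-IN
 permit icmp any any echo-reply
 deny   ip any any log
!
interface Serial0/0
 description Outside
 ip address 198.51.100.5 255.255.255.252
 ip access-group OUTSIDE-IN in
!
interface FastEthernet0/0
 description Inside LAN 192.0.2.0/24 (shared by both routers)
 ip address 192.0.2.4 255.255.255.0
 ip inspect INSIDE in
 standby 1 ip 192.0.2.1
 standby 1 preempt
 standby 1 track Serial0/0 20
 standby 2 ip 192.0.2.2
 standby 2 priority 110
 standby 2 preempt
 standby 2 track Serial0/0 20
```

With both routers up, `show standby brief` on X should show group 1 Active and group 2 Standby, and the reverse on Y; shut X's Serial0/0 and Y should take group 1 within the hold time, then hand it back when the link returns because X preempts. `show ip inspect sessions` on each router makes the state caveat visible: the session table differs per router and is not carried across. The split is by address only, so Dave's point stands that the busiest hosts must be placed across the two halves by hand.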
