load balancing or multi homing with two ISP's on ISG 2000

ehteshamali · ‎08-27-2012

Hi all ,

we have two links from two different service providers.

ISG 2000 series firewalls are in HA mode. ie two physical firewalls .

we need to accomplish load balancing , we currently has one default route to one provider .

however for we are unable to achieve load balancing . Please if any one has done multi homing , load balancing etc need your advice and any links will be highly appreciated .

Do i need to put two default routes ? if ISG routes packet from ISP A another ISP B for same tcp session , it will result in out of order delivery on destination ?

sarab · ‎05-12-2012

There is no perfect way to load balancing on firewalls, so what I would suggest is two ways to achieve this :

1. Use source based routing where you can route half of your LAN to one ISP and other half to second ISP

2. Configure PBR (Policy based routing) to route one type of traffic ( e.g http, ftp etc) on one ISP and some other traffic type ( https, voip etc) on

the other ISP.

Sarab [ JNCIS-FWV , JNCIA-SEC , CCIP , CCSA ]
------------------------------------------------------------------------------------

[If it helped please mark it as "Accepted Solution".]

ehteshamali · ‎08-27-2012

Hi sarab,

we have over 150 subnets withing 10.0.0.0/8 space , how can i achieve source based routing here .

we have aroung 2500 users campus wide

. Further i cant go with PBR beacuse 80 % of traffic correspond to http . it will make other ISP underutilised.

sarab · ‎05-12-2012

Hello, Are all these 150 subnets connected on single firewall interface ? And I agree if 80 % is http then PBR to classify traffic on the type basis will not help. Please give me a brief idea about your network so that I can suggest based on that.

ehteshamali · ‎08-27-2012

we have a trust zone with 10.1.0.0 /16 , one dmz and untrust zone .

Also do i need to create untrust 1 and untrust 2 for two isp's or i can put them in same untrust zone.

we dont have flat network ...hierarchial network ..access---distribution---core---fw---router---isp

sarab · ‎05-12-2012

So If I understand correctly you have 10.1.0.0/16 network behind trust zone interface. What you can do is configure source route for traffic coming on trust zone interface to route traffic from 10.1.0.0/17 to one ISP and 10.1.128.0/17 to second ISP. About your another question, you can keep both ISPs in same untrust zone. Please let me know if you have any other questions.

sarab · ‎05-12-2012

Missed to mention the config suggested in my previous update can also be done via PBR if you want.

load balancing or multi homing with two ISP's on ISG 2000

Re: load balancing or multi homing with two ISP's on ISG 2000

Re: load balancing or multi homing with two ISP's on ISG 2000

Re: load balancing or multi homing with two ISP's on ISG 2000

Re: load balancing or multi homing with two ISP's on ISG 2000

Re: load balancing or multi homing with two ISP's on ISG 2000

Re: load balancing or multi homing with two ISP's on ISG 2000