ScreenOS Firewalls (NOT SRX)

load balancing or multi homing with two ISP's on ISG 2000

09-03-2012 11:21 PM

Hi all,

We have two links from two different service providers.

ISG 2000 series firewalls are in HA mode, i.e. two physical firewalls.

We need to accomplish load balancing; we currently have one default route to one provider.

However, we are unable to achieve load balancing. If anyone has done multi-homing, load balancing etc., I need your advice, and any links will be highly appreciated.

Do I need to put in two default routes? If the ISG routes packets from ISP A and ISP B for the same TCP session, will it result in out-of-order delivery at the destination?


Re: load balancing or multi homing with two ISP's on ISG 2000

09-03-2012 11:29 PM

There is no perfect way to load balance on firewalls, so what I would suggest is two ways to achieve this:

1. Use source-based routing, where you can route half of your LAN to one ISP and the other half to the second ISP.

2. Configure PBR (policy-based routing) to route one type of traffic (e.g. http, ftp etc.) on one ISP and some other traffic types (https, voip etc.) on the other ISP.

Sarab [ JNCIS-FWV , JNCIA-SEC , CCIP , CCSA ]
------------------------------------------------------------------------------------

[If it helped please mark it as "Accepted Solution".]


Re: load balancing or multi homing with two ISP's on ISG 2000

09-04-2012 12:17 AM

Hi Sarab,

We have over 150 subnets within the 10.0.0.0/8 space; how can I achieve source-based routing here?

We have around 2500 users campus-wide.

Further, I can't go with PBR because 80% of the traffic corresponds to http. It will leave the other ISP underutilised.


Re: load balancing or multi homing with two ISP's on ISG 2000

09-04-2012 12:39 AM

Hello, are all these 150 subnets connected on a single firewall interface? And I agree, if 80% is http then PBR to classify traffic on a type basis will not help. Please give me a brief idea about your network so that I can suggest something based on that.

Re: load balancing or multi homing with two ISP's on ISG 2000

09-04-2012 02:14 AM

We have a trust zone with 10.1.0.0/16, one DMZ and an untrust zone.

Also, do I need to create untrust 1 and untrust 2 for the two ISPs, or can I put them in the same untrust zone?

We don't have a flat network; it is a hierarchical network: access---distribution---core---fw---router---isp.

Solution (accepted by topic author ehteshamali, 08-26-2015 01:27 AM)

Re: load balancing or multi homing with two ISP's on ISG 2000

09-04-2012 02:44 AM

So if I understand correctly, you have the 10.1.0.0/16 network behind the trust zone interface. What you can do is configure a source route for traffic coming in on the trust zone interface to route traffic from 10.1.0.0/17 to one ISP and 10.1.128.0/17 to the second ISP. About your other question, you can keep both ISPs in the same untrust zone. Please let me know if you have any other questions.
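The split suggested above, modelled as an added example (this is not ScreenOS configuration and not the poster's code): a source-based route table sends 10.1.0.0/17 to one ISP and 10.1.128.0/17 to the other, with the existing default route as fallback. Because the egress choice depends only on the source address, every packet of a TCP session leaves via the same ISP, which is what keeps per-session packets in order. ISP names and sample addresses are constructed.

```python
import ipaddress
from collections import Counter

# Source-based route table, longest prefix wins. ISP names are constructed.
SOURCE_ROUTES = [
    (ipaddress.ip_network("10.1.0.0/17"), "ISP-A"),
    (ipaddress.ip_network("10.1.128.0/17"), "ISP-B"),
]
DEFAULT_ISP = "ISP-A"  # the single default route the thread starts with


def select_isp(src_ip: str) -> str:
    """Pick the egress ISP for a packet by its source address only."""
    ip = ipaddress.ip_address(src_ip)
    best = None
    for net, isp in SOURCE_ROUTES:
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, isp)
    return best[1] if best else DEFAULT_ISP


def session_is_sticky(flow_packets) -> bool:
    """True when every packet of one flow (src, dst, sport, dport) takes the same ISP."""
    isps = {select_isp(src) for src, _dst, _sport, _dport in flow_packets}
    return len(isps) == 1


def isp_share(hosts) -> Counter:
    """How many source hosts land on each ISP; shows the 50/50 split by /17."""
    return Counter(select_isp(h) for h in hosts)


if __name__ == "__main__":
    # Constructed: five packets of one TCP session from a host in 10.1.128.0/17.
    flow = [("10.1.200.7", "203.0.113.10", 51000, 80)] * 5
    print(session_is_sticky(flow))
    print(isp_share(["10.1.3.4", "10.1.129.9", "10.1.127.255", "10.1.128.0", "10.2.0.1"]))
```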

Re: load balancing or multi homing with two ISP's on ISG 2000

09-04-2012 06:27 PM

I missed mentioning that the config suggested in my previous update can also be done via PBR if you want.