
Currently we have a Cisco ISA570 Firewall which does failover load-balancing between two ISP links.

I would like to get a SonicWall NSA6000 which should be primary and the ISA570 as a failover device. How should I re-design the network such that the WAN links as well as LAN traffic get load balanced properly?

The ISPs provide just one Gateway IP each.

Currently LAN traffic comes through Cisco 2960s.

The network should be able to switch from the SonicWall to the ISA570 in case of any failure at the SonicWall. The two firewalls should also be able to load balance between the two ISP links.

Please suggest possible designs to accomplish the same with the extra equipment required.

Thanks,

asked by gokul varma nk (edited by ewwhite)
    Why not just get two SonicWalls, set them up as an HA pair and let the SonicWall do the load balancing and failover? Otherwise, you could get the SonicWall and another appliance to do the failover/load balancing, but you then still have a single point of failure on the appliance, so you would have to get the SonicWall plus two appliances. – Rex Apr 16 '15 at 16:26
  • Is it possible to get failover to be done between a SonicWall and a Cisco ISA570? Also, say we get two SonicWalls, how would the LAN load balancing take place? We have a single gateway IP coming from each of two ISPs; how do we route traffic through this single IP from two firewall ports? – gokul varma nk Apr 17 '15 at 16:42
  • 3
    Why are you dead set on keeping the Cisco ISA570? It goes full end of life next year and I would recommend against implementing new solutions by keeping old, end of life hardware. When you say "single gateway IP" do you have one ISP or two? Do you have one external IP address for each link or one external IP total for both? – Rex Apr 17 '15 at 16:54
  • We plan on keeping the ISA570 because it is fiscally not an option to get a dedicated HA pair of new firewalls, and management wants the ISA570 as a backup to the new firewall being purchased. We have one external IP for each ISP link, that is, a total of two external gateway NAT IPs. – gokul varma nk Apr 19 '15 at 09:48
  • One of my customers did that, other model, but SonicWall & Cisco, and I agree with the others, keep two of the same gear. I can't tell my customer is happy & he's looking to change the setup at the moment. I add that it's not a config error, as they had to create a ticket with Cisco for the final config. – yagmoth555 Apr 21 '15 at 02:03

1 Answer

The answer to the specific question about how to set up the existing network architecture to support load balancing between the two existing firewalls is to set up a load balancing router behind the firewalls and in front of your LAN, or two routers in HA if you need failover from hardware failure.

This is achievable with a Cisco router that supports IP SLAs. E.g. we have done this with the Cisco 800 series before. Using multiple gateways, the router can route out both connections (achieving the load balancing requirement) and if required you can use policy based routing to send all traffic via a specific link based on source or destination IP.

The router can be set up to monitor two different IP addresses, one for each ISP, and set up to route traffic for those IPs only out their respective links. If one of those IPs is not reachable the IP SLA can be configured to remove the route through that ISP, hence routing only through the other ISP that is still available (satisfying the failover requirement). Once the failed ISP comes back online the router can be configured to automatically add the route back in and the links are load balancing again. This is a relatively complex setup and a sample config depends on various factors, including the version of IOS, the types of links, latency, reliability of links, network topology, incoming traffic requirements etc.

This setup also requires quite a bit of testing of the failover and failback logic in the case of an ISP failure. If the failover between the ISP links is too sensitive you'll end up with flapping routes, and if not sensitive enough it will take a long time to fail over and there will be intermittent traffic disruptions in both cases. Note that this method does not use any fancy routing protocols, it's set up with "roll-your-own" logic.

Deviating from the specific question being asked, the best option is likely to be to decommission one or both of the existing firewalls and replace them with an HA firewall solution that supports outbound load balancing and failover. It's a simpler solution, and different firewall technologies are typically used in-line rather than in parallel, with the theory being that dual layer multi-vendor firewalls give an additional layer of security. There are many firewall vendors and technologies that support outbound load balancing (e.g. pfSense, F5, many more), and determining the best one would be best done through further investigation.

You can read about Cisco IP SLAs here, and about Cisco Policy Based Routing here.

jotap
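The following is an added example, not part of the answer above, showing the "roll-your-own" IP SLA design the answer describes: a Cisco IOS router sitting between the LAN and the two firewalls, probing one public host through each firewall, withdrawing a default route when its probe fails, and optionally pinning one LAN subnet to a preferred path with policy based routing. Every interface name, subnet and address is a placeholder (RFC 5737 documentation ranges and private space); the probe targets 192.0.2.250 and 198.51.100.250 stand in for two reliable public hosts of your choosing, one reachable via each ISP.

```cisco
! Added example (not from the answer): tracked default routes on a Cisco IOS router
! placed behind the two firewalls and in front of the LAN.
! Placeholders (substitute your own):
!   GigabitEthernet0/0 -> inside interface of firewall A, next hop 172.16.1.1
!   GigabitEthernet0/1 -> inside interface of firewall B, next hop 172.16.2.1
!   GigabitEthernet0/2 -> LAN 10.0.0.0/24
!   192.0.2.250 / 198.51.100.250 -> placeholder public hosts, one behind each ISP

! --- Probes: ICMP echo every 10 s with a 1 s timeout, sourced from each firewall-facing interface
ip sla 1
 icmp-echo 192.0.2.250 source-interface GigabitEthernet0/0
 frequency 10
 timeout 1000
 threshold 500
ip sla schedule 1 life forever start-time now

ip sla 2
 icmp-echo 198.51.100.250 source-interface GigabitEthernet0/1
 frequency 10
 timeout 1000
 threshold 500
ip sla schedule 2 life forever start-time now

! --- Track objects with dampening: a single lost probe must not flap the route.
!     down after 30 s of failures, up only after 60 s of continuous success
track 1 ip sla 1 reachability
 delay down 30 up 60
track 2 ip sla 2 reachability
 delay down 30 up 60

! --- Pin each probe target to its own path so a probe cannot "succeed" via the other firewall
ip route 192.0.2.250 255.255.255.255 172.16.1.1
ip route 198.51.100.250 255.255.255.255 172.16.2.1

! --- Two equal-cost default routes; each is removed from the routing table while its track is down
ip route 0.0.0.0 0.0.0.0 172.16.1.1 track 1
ip route 0.0.0.0 0.0.0.0 172.16.2.1 track 2

! --- Optional policy based routing: send one LAN subnet via firewall A while that path is up,
!     otherwise fall through to normal (tracked) routing
ip access-list extended LAN-VIA-FW-A
 permit ip 10.0.0.0 0.0.0.255 any
route-map PBR-LAN permit 10
 match ip address LAN-VIA-FW-A
 set ip next-hop verify-availability 172.16.1.1 10 track 1
interface GigabitEthernet0/2
 ip policy route-map PBR-LAN
```

With both tracks up, CEF shares outbound flows per destination across the two default routes; `show track` and `show ip sla statistics` show the state of each probe, and `show ip route` confirms a default route disappears when its track goes down. Because the probe traverses the firewall itself, a failed firewall is detected the same way as a failed ISP link. The `delay down/up` values are the knob the answer warns about: too small and a lossy link flaps, too large and failover is slow, so they should be tuned during the failover and failback testing the answer calls for. Note that a probe host that goes away on its own looks exactly like a link failure, so pick targets you expect to stay up.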
  • Would it help if I set up a Cisco 1941 router behind the firewalls (on the LAN side) with a default route to the two firewalls (one route with a more preferred AD than the other) and a 3560 in front of the firewalls, one VLAN for each ISP link and one port channel each, again in which one cable goes to the WAN port of each firewall? That way failover load balancing can be done at the individual firewall itself. – gokul varma nk Apr 19 '15 at 09:55
  • If you only have a single IP, would you plan on assigning the same IP to each WAN port on the firewall? You would then have duplicate IPs and things would not work very well. If you have a 1941 router, you would set up IP SLAs. But if you are keeping the ISA570 for backup, what's your backup to the 1941 router? If you are purchasing the 1941 router, why not just purchase a second SonicWall instead for a much cleaner solution? – Rex Apr 19 '15 at 18:19
  • @gokulvarmank the 3650 in front of the firewalls will always be redundant because the firewalls need to communicate with each other in order to determine who should be the "master" and do fail over and the 3650 is never going to help that. A 1941 will do the job if it has the right IOS and license (show ver or simply try ip sla ? to see if the commands are there). There is still a strong chance that if you look at TCO of the complexity of this setup compared to a simpler solution with two HA firewalls is going to be higher (not to harp on about it :-)). – jotap Apr 21 '15 at 04:45
  • I do understand that having two different firewalls is just a lot of mess. Say I do go with an HA pair of SonicWalls or Checkpoints, how would the architecture be? If I do away with the 3560s ahead of (on the WAN side of) the firewalls, how would I assign the WAN gateway IPs? If I go with an HA pair, would the same WAN gateway IP be shared by one interface in each of the two firewalls? We have a single RJ45 link coming from the ISP's MUX; how would the connections be made? – gokul varma nk Apr 21 '15 at 19:00
  • Different vendors implement dual ISP and HA different ways, so I think that's a whole new question. Fortunately the answer will be much better documented since it's a vendor supported configuration rather than a roll-your-own IP SLA setup. It would be a good idea to do a bit of googling to figure out what is out there and what's going to be simplest / most secure / best load balancing / whatever is critical for the specific scenario. – jotap Apr 22 '15 at 04:03