GLBP problem

mohammady · ‎12-04-2007

Dears,

I have two cisco routers connected to a firewall through a multi-layer switch ,I tried to configure glbp on the two routers on fastethernet interface but the problem is when I shutdown fa interface to test glbp the router remain in the "Init state" and didnt go to standby state,this mean that the second router will not handle the traffic!!

Any advise...Thanks

Edison Ortiz · ‎12-04-2007

Can you post the portion of the config from those 2 devices along with the show glbp output ?

mohammady · ‎12-04-2007

it is a basic glbp configuration...see following:

Router1:

glbp 1 ip

glbp 1 priority 150

glbp 1 preempt

glbp 1 load-balancing round-robin

Router2:

glbp 1 ip

glbp 1 priority 100

glbp 1 preempt

glbp 1 load-balancing round-robin

Edison Ortiz · ‎12-04-2007

Still missing the show glbp output while the interface is shutdown.

mohammady · ‎12-04-2007

attached is the output of show glbp on router 1 while interface is down

mohammady · ‎12-05-2007

Any help??

Kevin Dorrell · ‎12-05-2007

It will be in init state as long as the interface is down. It cannot be in standby if the interface is down. Also, it cannot know the state of the partner, so it assumes that is init as well.

Have a look at the show glbp on the remaining router. You will see the shut-down one as init and the other as active.

Then re-enable the original. They will both be active forwarders. But only one will be active virtual gateway, while the other will be standby.

Kevin Dorrell

Luxembourg

mohammady · ‎12-05-2007

This is right but the second router must handle all the traffic and this didnt happen!!!???

Kevin Dorrell · ‎12-05-2007

So could you post the show glbp and show int at the router that you didn't shut down?

Also, I assume your firewall has a static route to targeted at the vitual address of the GLBP group, yes?

In any case, I don't think you are going to get the traffic from the firewall load-balanced between the two routers. GLBP works by having a different MAC address for each forawrder, and handing each host one of the two MAC addresses in response to the ARP. One host (like one firewall) will operate on one MAC address. When a router fails, its partner takes its MAC address as well as its own.

You might be better off load-sharing at layer-3 using OSPF. That really can load-share per-packet.

Kevin Dorrell

Luxembourg

mohammady · ‎12-05-2007

Thank you Kevin Dorrell for your cooperation...the firewall has a default route to the "Virtual IP address" but I have different real IP range on the firewall and nating is implemented on the firewall..there is a load sharing but it's unequal..what is the other solutions you suggests

Kevin Dorrell · ‎12-05-2007

Can your firewall do OSPF?

mohammady · ‎12-05-2007

Yes it is a juniper firewall

Kevin Dorrell · ‎12-05-2007

I would go for OSPF then. Configure the two routers and the firewall as OSPF, and forget about the GLBP. In your routers, re-distribute your external routes into the OSPF with the same path cost.

(The routes in your firewall - are they statics, or are they picked up by OSPF on the untrusted zone? If they are statics, you must make sure they do not get redistributed if the output interface is down.)

The firewall should pick up routes via both routers. If I remember right, there is a parameter you have to set up in the Juniper to make it load balance, but once it is set, it works quite well.

Kevin Dorrell

Luxembourg

mohammady · ‎12-06-2007

what if i configure two default routes on my firewall???first route consider router one as a next hop and the second route consider router 2 as a next hop???

Kevin Dorrell · ‎12-06-2007

That would work for the outgoing load balancing, but it would not failover correctly if one of the routers failed. The inaccessible static default route would still be in your firewall and would sink half the traffic.

Kevin Dorrell

Luxembourg