cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1074
Views
0
Helpful
8
Replies

GLBP Questions

jim_berlow
Level 3
Level 3

I am looking for the most optimal way of providing redundancy from a firewall out to the internet. I have a non-Cisco firewall (Checkpoint) that does not support BGP. In front of the firewall, there are two Cisco routers running BGP which are connected to different providers (pulling default routes only).

My plan is to provide redundancy to the internet as there are nearly 100 VPN's connected to the firewall. My first thought was to use GLBP to load-balance the traffic from the firewall to each of the routers. While I don't see any issues getting this to work, I do have some concerns about how this will work.

The number one question is that since nearly all of the traffic from the firewall will be coming from a single IP & mac address, does this mean that GLBP will direct all the traffic to a single forwarder (ie GLBP looks at the firewall as a single host and tells this single host that its gateway's mac is xxx negating load-balancing?)

I hope that I am clarifying this enough. The goal here is to have the firewall send traffic out equally between both routers. I understand that my inbound traffic is a whole different issue with regards to BGP (and I am negating that conversation right now).

Thanks,

Jim

8 Replies 8

Jon Marshall
Hall of Fame
Hall of Fame

Jim

I think you have summed it up perfectly. You don't get any real benefit from GLBP because the source IP and mac address do not change.

We faced a similiar problem in that we had dual connections to our WAN from 2 cisco routers. The internal interfaces of these routers connected into a vlan that the firewall also connected into. We found that we were only utilising one of the WAN links.

The solution we put in place was to insert 2 more routers between the firewall and the WAN routers. All 4 routers were connected to each other. We ran HSRP on the 2 new routers. And because these routers were dual connected to each WAN router they each had 2 equal cost paths to any remote destination so it didn't matter which one was the active gateway for the firewall.

It may sound like an expensive solution but the routers did not need to be that high-powered and compared to the cost of the unused WAN link it made very good financial sense.

HTH

Jon

Joseph W. Doherty
Hall of Fame
Hall of Fame

Although your firewall doesn't do BGP, does it support any other routing capabilities? For instance, OSPF between it and the WAN routers. If so, by just passing the default, it should load balance.

If your firewall can do static routing, and if it load balances between statics, you can also have two distinct HSRP groups (on the later IOSs), each a gateway backing up the other. I.e. each router has both an active and standby HSRP.

It might also be possible, since your working only with defaults, to stop using BGP and use static defaults. Doing this, your primary router would have one default point to the WAN link and the other to the secondary router.

Lastly, if using 12.4 or later, you could use OER/PfR to dynamically load balance your outbound links.

We have a similar setup, 2 ISP each on a dedicated 7201, and two Netscreen FW in Active/Passive. EBGP to each ISP and IBGP between the 7201. We are pulling a full table from each ISP. HSRP between the 7201 and default route from Netscreen to the HSRP VIP. All outbound traffic does initially hit the HSRP Active 7201, but then BGP takes over and BGP bestpath does a pretty good job outbound and ASPATH prepend for inbound. Now I would not call it load balancing but instead load sharing.

That being said, what is the memory on the WAN routers? The current table is around 240K. Can you take a full or partial table and maybe OER too?

    Hello,

    How do you HSRP between your 7201 ?

gi0/0 to the ISP

gi0/1 to the Netscreens

gi0/2 L3 to the other 7201

interface GigabitEthernet0/1

description To NETSCREEN

ip address x.x.x.x x.x.x.x

no ip redirects

no ip unreachables

no ip proxy-arp

load-interval 30

duplex auto

speed auto

media-type rj45

negotiation auto

standby 0 ip x.x.x.x

standby 0 timers 1 3

standby 0 priority 105

standby 0 preempt delay minimum 90

standby 0 authentication md5 key-string 7 xxxxxxxxxxxxxxxxxxxxxxx

Darren,

I have similar setup g0/1 to pair of ASAs nd g0/2 L3 to the other 7201 ( ospf ).

Can not get the standby to detect each other...

C7200P-ADVSECURITYK9-M), Version 15.1(4)M5 code.

  TAC say it need L2 in between, with is not support on the 7201. Time to debug ?

Loc

I have a 3750 connected L2 to both 7201 Gi0/1.  The HSRP hellos flow down from the active to the 3750 and back up to the standby.  The netscreens are also connected to the 3750.

Got it, that what we need. Thank Darren.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: