WAN load balance but synchronous!

Feb 13th, 2008

I have a specific requirement and can't seem to find a good solution. I'm hoping Cisco have a technology or method that I'm not familiar with. Here is a quick breakdown:


Aim - To utilise two links from a remote location to two connections at a data center to achieve an active/active use of the links.


The problem - Firewalls are present at each of the data centers which will prevent asynchronous traffic from being acceptable. See the diagram below.


ClientA....................ClientB

|......................................|

|......................................|

Switch1---Trunk----Switch2

|......................................|

|......................................|

Router1................Router2

|......................................|

|......................................|

FW............................FW

|......................................|

|......................................|

DC_SW1---Routed---DC_SW2

|.....................................|

|.....................................|

SERVER_LAN1..........SERVER_LAN2


Note that ClientA and ClientB are in the same VLAN. Note in some remote cases only Server_LAN1 or 2 may be used.


Can anyone suggest a possible solution to this problem?


Thanks in advance.

paolo bevilacqua Wed, 02/13/2008 - 15:00

1. Nice use of dot padding to overcome forum limitations.


2. I suppose that by asynchronous, you mean asymmetric.


3. What are DC_SW1 and 2? If they can terminate GRE, and if you can let the FWs pass GRE, load balancing should be possible.

dankennedy Wed, 02/13/2008 - 16:11

1. Thanks :)


2. Yes, sorry, I did mean asymmetric.


3. The switches are CAT 3750 stacks.


The routers actually already run IPsec with tunnel interfaces and terminate on routers that are placed just in front of the firewalls (sorry, omitted from the diagram). The LAN interface of the routers connects to a firewall DMZ (which is where the asymmetric problem occurs). I do understand your recommendation though, but could I run a tunnel inside a tunnel? (if you see what I mean).

paolo bevilacqua Thu, 02/14/2008 - 02:35

Yes, in theory it can transport a tunnel within a tunnel, but perhaps there's an easier solution considering the equipment omitted. Really, a more complete diagram would be needed.

dankennedy Thu, 02/14/2008 - 05:25

I hope so. I have attached a complete diagram with all devices. I hope this will make it more clear and present a solution.


I look forward to any suggestions you may have.


Thanks again.



paolo bevilacqua Thu, 02/14/2008 - 05:38

Hi, let's call the four routers


A - B

C - D


Now if you build additional tunnels between A and D, B and C, and make sure you have equal cost routes to destination, the routers will load balance.


Symmetry is guaranteed by the fact that the default load balancing algorithm will make it so that each flow sticks to one path only, hence hitting one FW only, which will return traffic back on the connected router.


Good luck!




dankennedy Thu, 02/14/2008 - 05:59

I understand that would work from client to server, but when the server needs to talk to a client, will it not always use the same path? I.e. only one ISP link will be used for return traffic?

paolo bevilacqua Thu, 02/14/2008 - 06:12

Even for server to client, each flow will use a single path. But on average across all conversations, both paths will be used.

dankennedy Thu, 02/14/2008 - 07:26

OK, so from the perspective of server1, how will its traffic make use of both the router behind the DC1 DMZ and the DC2 DMZ?

paolo bevilacqua Thu, 02/14/2008 - 07:30

How are the 3750s configured? Do the FWs present one virtual, or two different IP addresses?

dankennedy Thu, 02/14/2008 - 07:34

Two different addresses. They are entirely independent firewalls.

paolo bevilacqua Thu, 02/14/2008 - 08:04

That is the problem. The switches have no way of knowing from where the connection came.

So a possible solution would be to move or add the lower routers inside, and have gre across the FWs.

dankennedy Thu, 02/14/2008 - 09:36

Unfortunately, due to security policy that is not possible. I was thinking that I could use NAT on the routers to change the source address so that it would be clear from which direction the traffic came. Do you think that would work?


Thanks for all your help

paolo bevilacqua Thu, 02/14/2008 - 14:59

Yes, but you would need NAT routers between the FWs and the servers, so that, using multiple outside interfaces, they would always route back to the right interface.


Put it this way: the FWs are, in practice, preventing you from fulfilling the requirements you've been given. Either change them to be a stateful pair, or change the security policy.
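The behaviour argued over in this thread (per-flow hashing keeps each direction on one path, but two independent stateful firewalls still drop replies whenever the data-center side hashes the return flow onto the other path, and a per-path source address pins the return route) can be modelled in a few lines. This is an added simulation, not configuration from the thread; the path hash, the firewall model and the NAT pool addresses are constructed placeholders.

```python
import hashlib
from typing import List, Optional, Set, Tuple

# Constructed model of the thread's topology: two equal-cost paths, each
# through its own independent stateful firewall. Names are placeholders.


def cef_path(src: str, dst: str, n_paths: int = 2) -> int:
    """Per-flow hash: a given (src, dst) pair always maps to the same path,
    so one conversation never straddles both firewalls in one direction."""
    digest = hashlib.sha256(f"{src}->{dst}".encode()).digest()
    return digest[0] % n_paths


class StatefulFirewall:
    """Passes a reply only if it saw the matching forward session."""

    def __init__(self) -> None:
        self.sessions: Set[Tuple[str, str]] = set()

    def forward(self, src: str, dst: str) -> None:
        self.sessions.add((src, dst))

    def reply(self, src: str, dst: str) -> bool:
        return (dst, src) in self.sessions


def round_trip(client: str, server: str,
               nat_pool: Optional[List[str]] = None) -> Tuple[int, int, bool]:
    """Send client->server, then server->client; return (out_path, back_path,
    reply_passed). With nat_pool, the remote router rewrites the source to a
    per-path address that the DC side can only route back via that path."""
    fws = [StatefulFirewall(), StatefulFirewall()]
    out_path = cef_path(client, server)
    seen_src = nat_pool[out_path] if nat_pool else client
    fws[out_path].forward(seen_src, server)
    if nat_pool:
        back_path = nat_pool.index(seen_src)   # NAT address pins the route
    else:
        back_path = cef_path(server, client)   # DC switch hashes on its own
    return out_path, back_path, fws[back_path].reply(server, seen_src)


def dropped_replies(clients: List[str], server: str,
                    nat_pool: Optional[List[str]] = None) -> int:
    """Count flows whose reply lands on the firewall that never saw them."""
    return sum(1 for c in clients if not round_trip(c, server, nat_pool)[2])
```

Without the NAT pool roughly half of the flows are dropped, exactly the asymmetric case the firewalls refuse; with it every reply returns through the firewall that holds the session.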

