WAN load balance but synchronous!

dankennedy
Level 1

I have a specific requirement and can't seem to find a good solution. I'm hoping Cisco have a technology or method that I'm not familiar with. Here is a quick breakdown:

Aim - To utilise two links from a remote location to two connections at a data center to achieve an active/active use of the links.

The problem - Firewalls are present at each of the data centers which will prevent asynchronous traffic from being acceptable. See diagram below

ClientA....................ClientB
|......................................|
|......................................|
Switch1---Trunk----Switch2
|......................................|
|......................................|
Router1................Router2
|......................................|
|......................................|
FW............................FW
|......................................|
|......................................|
DC_SW1---Routed---DC_SW2
|.....................................|
|.....................................|
SERVER_LAN1..........SERVER_LAN2

Note that ClientA and ClientB are in the same VLAN. Note in some remote cases only Server_LAN1 or 2 may be used.

Can anyone suggest a possible solution to this problem?

Thanks in advance.

13 Replies

paolo bevilacqua
Hall of Fame

1. Nice use of dot padding to overcome forum limitations.

2. I suppose that by asynchronous, you mean asymmetric.

3. What are DC_SW1 and 2? If they can terminate GRE, and if you can let the FWs pass GRE, load balancing should be possible.

1. Thanks :)

2. Yes, sorry, I did mean asymmetric.

3. The switches are CAT 3750 stacks.

The routers actually already run IPSEC with tunnel interfaces and terminate on routers that are placed just in front of the firewalls (sorry, omitted from the diagram). The LAN interface of the routers connects to a firewall DMZ (which is where the asymmetric problem occurs). I do understand your recommendation though, but could I run a tunnel inside a tunnel? (if you see what I mean).

Yes, in theory one can transport a tunnel within a tunnel, but perhaps there's an easier solution considering the equipment omitted. Really a more complete diagram would be needed.

I hope so. I have attached a complete diagram with all devices. I hope this will make it more clear and present a solution.

I look forward to any suggestions you may have.

Thanks again.

Hi, let's call the four routers

A - B

C - D

Now if you build additional tunnels between A and D, B and C, and make sure you have equal cost routes to destination, the routers will load balance.

Symmetry is guaranteed by the fact that the default load balancing algorithm will make so that each flow sticks to one path only, hence hitting one FW only, that will return traffic back on the connected router.

Good luck!

I understand that would work from Client to Server, but when the server needs to talk to a client will they not always use the same path? i.e. only one ISP link will be used for return traffic?

Even for server to client, each flow will use a single path. But on average across all conversations, both paths will be used.

Ok, so from the perspective of server1, how will its traffic make use of both the router behind the DC1 DMZ and the DC2 DMZ?

How are the 3750s configured? Do the FWs present one virtual, or two different IP addresses?

Two different addresses. They are entirely independent firewalls.

That is the problem. The switches have no way of knowing from where the connection came.

So a possible solution would be to move or add the lower routers inside, and have GRE across the FWs.

Unfortunately, due to security policy that is not possible. I was thinking that I could use NAT on the routers to change the source address so that it would be clear from which direction the traffic came. Do you think that would work?

Thanks for all your help

Yes, but you would need NAT routers between the FWs and the servers, so that they, using multiple outside interfaces, would always route back to the right interface.

Put it this way: in practice the FWs are preventing you from fulfilling the requirements you've been given. Either change them to be a stateful pair, or change the security policy.
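The two situations argued over above, the per-flow symmetry that equal-cost load balancing gives on the way out, and the DC switch having only one route back so it cannot tell which firewall a flow entered through, plus the per-path source NAT idea as a way to make the return route follow the right firewall, can be checked with a small model. This is an added example written for this thread and not code from any of the posts or from Cisco; the hash function, addresses, routing tables and firewall behaviour are all constructed, the model covers client-initiated flows only, and it does not reproduce the real IPsec/GRE topology.

```python
"""Model of client-initiated flows crossing two independent stateful
firewalls (FW1 at DC1, FW2 at DC2) with equal-cost load balancing at
the remote site. Constructed example; nothing here is Cisco code."""
import hashlib
import ipaddress
from typing import Dict, List, Tuple

Flow = Tuple[str, str, int, int]  # (src_ip, dst_ip, src_port, dst_port)
PATHS = ("FW1", "FW2")            # one firewall per DC link

# Constructed per-path NAT ranges used by the remote router: the translated
# source address encodes which firewall the flow was sent through.
NAT_POOL = {"FW1": "10.1.0.", "FW2": "10.2.0."}

# DC-side routing tables (constructed). Without NAT the DC switches hold a
# single route back to the client LAN, via DC1, as described in the thread.
NO_NAT_ROUTES = {"192.168.10.0/24": "FW1"}
NAT_ROUTES = {"10.1.0.0/16": "FW1", "10.2.0.0/16": "FW2"}


def pick_path(flow: Flow) -> str:
    """Per-flow hashing as done by equal-cost load balancing: the flow key is
    hashed once, so every packet of that flow follows the same path."""
    key = "|".join(map(str, flow)).encode()
    return PATHS[hashlib.sha256(key).digest()[0] % len(PATHS)]


def reverse(flow: Flow) -> Flow:
    """The reply direction of a flow."""
    return (flow[1], flow[0], flow[3], flow[2])


class StatefulFirewall:
    """Accepts a reply only if it saw the matching outbound session."""

    def __init__(self, name: str) -> None:
        self.name = name
        self.sessions: set = set()

    def outbound(self, flow: Flow) -> None:
        self.sessions.add(flow)

    def inbound(self, reply: Flow) -> bool:
        return reverse(reply) in self.sessions


def route_lookup(dst_ip: str, routes: Dict[str, str]) -> str:
    """Longest-prefix match on a constructed DC-side routing table."""
    addr = ipaddress.ip_address(dst_ip)
    matches = [ipaddress.ip_network(p) for p in routes
               if addr in ipaddress.ip_network(p)]
    if not matches:
        raise ValueError(f"no route to {dst_ip}")
    best = max(matches, key=lambda n: n.prefixlen)
    return routes[str(best)]


def make_flows(n: int) -> List[Flow]:
    """Constructed client->server flows from 192.168.10.0/24 to the server LAN."""
    return [(f"192.168.10.{1 + i % 20}", "172.16.5.10", 40000 + i, 443)
            for i in range(n)]


def simulate(flows: List[Flow], dc_routes: Dict[str, str],
             use_nat: bool) -> Dict[str, int]:
    """Send each flow out on its hashed path and route the reply by destination
    on the DC side; count replies accepted or dropped by the stateful FWs."""
    fws = {name: StatefulFirewall(name) for name in PATHS}
    accepted = dropped = 0
    for flow in flows:
        path = pick_path(flow)
        if use_nat:
            # Remote router source-NATs to the pool that belongs to this path.
            host = flow[0].split(".")[-1]
            flow = (NAT_POOL[path] + host,) + flow[1:]
        fws[path].outbound(flow)
        reply = reverse(flow)
        return_path = route_lookup(reply[1], dc_routes)  # by destination only
        if fws[return_path].inbound(reply):
            accepted += 1
        else:
            dropped += 1
    return {"accepted": accepted, "dropped": dropped}


if __name__ == "__main__":
    sample = make_flows(40)
    print("single return route :", simulate(sample, NO_NAT_ROUTES, False))
    print("per-path NAT routes :", simulate(sample, NAT_ROUTES, True))
```

The first run shows the failure mode from the thread: flows hashed to FW2 on the way out come back through FW1, which has no session for them, so they are dropped. The second run shows why the NAT idea restores symmetry for client-initiated traffic: the DC side still routes purely by destination, but the destination now identifies the firewall the session was built on. It says nothing about server-initiated flows, which is the gap the last replies point out.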
