02-13-2008 02:13 PM - edited 03-03-2019 08:41 PM
I have a specific requirement and can't seem to find a good solution. I'm hoping Cisco have a technology or method that I'm not familiar with. Here is a quick breakdown:
Aim - To utilise two links from a remote location to two connections at a data center to achieve an active/active use of the links.
The problem - Firewalls are present at each of the data centers which will prevent asynchronous traffic from being acceptable. See diagram below
ClientA....................ClientB
|......................................|
|......................................|
Switch1---Trunk----Switch2
|......................................|
|......................................|
Router1................Router2
|......................................|
|......................................|
FW............................FW
|......................................|
|......................................|
DC_SW1---Routed---DC_SW2
|.....................................|
|.....................................|
SERVER_LAN1..........SERVER_LAN2
Note that ClientA and ClientB are in the same VLAN. Note in some remote cases only Server_LAN1 or 2 may be used.
Can anyone suggest a possible solution to this problem?
Thanks in advance.
02-13-2008 03:00 PM
1. Nice use of dot padding to overcome forum limitations.
2. I suppose that by asynchronous, you mean asymmetric.
3. What are DC_SW1 and 2? If they can terminate GRE, and if you can let FWs pass GRE, load balancing should be possible.
02-13-2008 04:11 PM
1. Thanks :)
2. Yes, sorry, I did mean asymmetric.
3. The switches are CAT 3750 stacks.
The routers actually already run IPSEC with tunnel interfaces and terminate on routers that are placed just in front of the firewalls (sorry, omitted from diagram). The LAN interface of the routers connects to a firewall DMZ (which is where the asymmetric problem occurs). I do understand your recommendation though, but could I run a tunnel inside a tunnel? (if you see what I mean).
02-14-2008 02:35 AM
Yes, in theory you can transport a tunnel within a tunnel, but perhaps there's an easier solution considering the equipment omitted. Really a more complete diagram would be needed.
02-14-2008 05:38 AM
Hi, let's call the four routers
A - B
C - D
Now if you build additional tunnels between A and D, B and C, and make sure you have equal-cost routes to the destination, the routers will load balance.
Symmetry is guaranteed by the fact that the default load balancing algorithm will make it so that each flow sticks to one path only, hence hitting one FW only, which will return traffic back on the connected router.
Good luck!
02-14-2008 05:59 AM
I understand that would work from Client to Server, but when the server needs to talk to a client will they not always use the same path? i.e. only one ISP link will be used for return traffic?
02-14-2008 06:12 AM
Even for server to client, each flow will use a single path. But the average over all conversations will make it so that both paths are used.
02-14-2008 07:26 AM
Ok so from the perspective of server1, how will its traffic make use of both the router behind the dc1 dmz and the dc2 dmz?
02-14-2008 07:30 AM
How are the 3750s configured? Do the FWs present one virtual, or two different IP addresses?
02-14-2008 07:34 AM
Two different addresses. They are entirely independent firewalls.
02-14-2008 08:04 AM
That is the problem. The switches have no way of knowing from where the connection came.
So a possible solution would be to move or add the lower routers inside, and have GRE across the FWs.
02-14-2008 09:36 AM
Unfortunately, due to security policy that is not possible. I was thinking that I could use NAT on the routers to change the source address so that it would be clear from which direction the traffic came. Do you think that would work?
Thanks for all your help
02-14-2008 02:59 PM
Yes, but you would need NAT routers between FWs and servers, so that they, using multiple outside interfaces, would always route back to the right interface.
Put it this way: the FWs are in practice preventing you from fulfilling the requirements you've been given. Either change them to be a stateful pair, or change the security policy.
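A small model of the argument running through this thread, added here as an example and not posted by anyone in it: a per-flow hash picks the outbound firewall, an independent stateful firewall on the return path drops replies it never saw the SYN for, and source NAT on each router pins the reply to the firewall that holds the state. The hash function, firewall behaviour and addresses are constructed stand-ins, not CEF or any Cisco implementation.

```python
import hashlib

PATHS = ("FW1", "FW2")  # the two independent stateful firewalls, one per link
# Constructed addresses: what each remote router would NAT its clients to.
# The data-center side has exactly one route to each, via the firewall in
# front of that router, which is the property the NAT idea relies on.
NAT_ADDR = {"FW1": "10.1.0.1", "FW2": "10.2.0.1"}
ROUTE_BY_ADDR = {addr: path for path, addr in NAT_ADDR.items()}

def per_flow_path(src: str, dst: str) -> str:
    """Deterministic per-flow choice between two equal-cost paths (stand-in
    for per-destination load balancing). It is not symmetric: swapping src
    and dst may select the other path, which is the asymmetry problem."""
    digest = hashlib.sha256(f"{src}->{dst}".encode()).digest()
    return PATHS[digest[0] % len(PATHS)]

class StatefulFirewall:
    """Independent firewall: admits a reply only for a flow it saw outbound."""
    def __init__(self, name: str) -> None:
        self.name = name
        self.sessions: set[tuple[str, str]] = set()

    def outbound(self, src: str, dst: str) -> None:
        self.sessions.add((src, dst))

    def inbound_reply(self, src: str, dst: str) -> bool:
        return (dst, src) in self.sessions

def conversation(client: str, server: str, source_nat: bool) -> dict:
    """One client->server flow and its reply: which FW each direction hit,
    and whether the reply got through."""
    fws = {name: StatefulFirewall(name) for name in PATHS}
    fwd = per_flow_path(client, server)
    src_as_seen = NAT_ADDR[fwd] if source_nat else client
    fws[fwd].outbound(src_as_seen, server)
    # Return path: a NAT address has a single route, a real client address is
    # reachable over both links and is therefore hashed again on the DC side.
    back = ROUTE_BY_ADDR.get(src_as_seen) or per_flow_path(server, src_as_seen)
    return {"forward": fwd, "return": back,
            "accepted": fws[back].inbound_reply(server, src_as_seen)}

def drop_rate(n: int, source_nat: bool) -> float:
    """Share of n constructed client/server pairs whose reply is dropped."""
    dropped = 0
    for i in range(n):
        r = conversation(f"192.168.1.{i % 250 + 1}", f"10.10.{i % 7}.20", source_nat)
        dropped += not r["accepted"]
    return dropped / n
```

Without NAT roughly half the replies land on the other firewall and are dropped; with per-router source NAT the return path always matches the forward one, which is the symmetry the stateful firewalls need.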