cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
4187
Views
0
Helpful
24
Replies

Critical Issue for Redundancy and Load Sharing between routers and switches for Internet

tarnhundal
Level 1
Level 1

Hi All,

             I have two routers 3845 both have two ISPs then I have two switches 3750 and 3560 connected to these routers and then further I have checkpoint firewalls. Now I want redundancy and load sharing of Lan traffic coming by firewalls to switches and routers . I choose GLBP for this but now I have some issues. Both routers have only two giga ports and 4 fast ethernet ports but these Fa ports are L2 ports so i cant give IP to those ports. Should I make vlans there ? then both ISPs provide me ethernet links so these interfaces never get down so cant able to use track command.Sometimes I thought I should do clustering between switches, these wll act as one switch then I can run GLBP easily. I m not sure what to do ?  One main condition is that my internet should not never get down and also need load sharing between two routers.

Plz help me to sort out this issue .

thanx and regards,

Taran

3 Accepted Solutions

Accepted Solutions

Hi Taran,

I woulg suggest you to do some change in your setup to have glbp running for local LAN and as well IP SLA configuartion for external ISP fail over.

1) Make a etherchannel between your two cisco switches and create a vlan between your check point and two switches.

2) configure GLBP in cisco switches for local lan load balancing and assign them a vip which will be acting as gateway for checkpoint.

3)configure two default routes in both the switches towards both the isp's as reachbilty will be there because of etherchannel bundling.

4)configure IP SLA track in both the switches for some destination server icmp.check out the below sample config fo IP SLA which will help out to track the link status and when ever there is link problem as per the track configuration the default route will removed from cisco switch and the traffic will moving to next available ISP.

Check out the below sample config on IP SLA with some explanation:-

ip sla 1
icmp-echo 192.168.1.2
timeout 500
frequency 1
ip sla schedule 1 life forever start-time now

ip sla 2
icmp-echo 172.16.1.2
timeout 500
frequency 1
ip sla schedule 2 life forever start-time now

IP sla 1 will sends icp echo to ISP 1 ip address every 1 second and IP sla 2 will send it to ISP 2

track 10 rtr 1 reachability
delay down 1 up 1
!

track 20 rtr 2 reachability
delay down 1 up 1
!

if ip sla 1 did not get icmp replay within 1 second track 10 will be considered as down ( from ISP 1) track 20 same for ISP 2

ip route 0.0.0.0 0.0.0.0 192.168.1.2 track 10
ip route 0.0.0.0 0.0.0.0 172.16.1.2 track 20

we have two default routes each one point to one of the ISP's IP address, also each static
default route is associated with the corresponding IP SLA track created above
in this case if ISP 1 link is down the first default route will disappear from the routing table.

Hope that clear your query !!

Regards

Ganesh.H

View solution in original post

Taran

ispR1 ------cisco3750 ---

                                             checkpoint firewall

ispR2 ----cisco3760---

an alternative is to run your switches as L3. Each switch is then connected to both ISP routers. Run a dynamic routing protocol between the switches and the routers and send a default-route from both ISP routers to your switches. You will still need to track the next-hop on the ISP routers.

Then use HSRP or if you want GLBP (altho the same proviso's apply as before with GLBP) on the switch LAN interfaces facing the checkpoint. The checkpoint will send traffic to the active switch which then has 2 equal cost paths to the Internet via both ISP routers.

Jon

View solution in original post

Hi Ganesh,

                     I have tried this setting and it works. I have created SLA for tracking and now its shifting if icmp is unreachable but I have done one thing that my ISP's other end IP is not always unreachable so I have set the ICMP for google.com because if google is unreachable then it means internet is down .

Anyhow thanx for total support.

Thanx and regards,

Taran

Hi Taran,

That great that your problem has been resolved it will be great if you can mark this thread as resolved so that others can get benifitted if they have these type of problem in there network.

Ganesh.H

View solution in original post

24 Replies 24

Ganesh Hariharan
VIP Alumni
VIP Alumni

Hi Taran,

What i understand with your current setup is something like this

ispR1 ------cisco3750 ---

                                             checkpoint firewall

ispR2 ----cisco3760---

is those four ports are switching module ports,If yes then make vlan in router and connecting switch and do the glbp configuration or go with HSRP for load balancing with IP SLA configuration for tracking of external link failure.

check out the below link for ip sla

http://www.cisco.com/en/US/docs/ios/12_4/ip_sla/configuration/guide/hsthresh.html

Hope this helps out your query !!

Regards

Ganesh.H

Hi Ganesh,

                      Thanx for reply. I m using same design which u mentioned here . Now i m confused that if any of the WAN port gets down then will this be monitored by SLA or not ? will GLBP shift its traffic from one forwarder to other ? What should i do there on routers , should I create vlan there and should I do bridging there on router . I m thinking to cluster two switches because these will act as one switch . Will it be fine ? Plz let me know about it .

thanx and regards,

Taran

Hi Taran,

Yes create bridging in router for vlan for switches connecting to routers and configure GLBP weighting functionality with interface tracking in router where you will configure GLBP for local LAN.

check out the below link for GLBP configuration for interface tracking

http://www.cisco.com/en/US/docs/ios/12_2t/12_2t15/feature/guide/ft_glbp.html#wp1046944

Hope this clear your query !!

Regards

Ganesh.H

Hi Ganesh,

                 Thanx for reply. Actually , as I mentioned earlier that I have ethernet link from ISP then this link never gets down but sometimes internet gets down. So I think in this particular case track will not work . I dont know any alternate to it. I hope u wll help me in this.

thanx and regards,

Taran

Hi Ganesh,

                         I have one thing in my mind , I dont know whether this will work or not !! Actually , both of my routers have content engines so I can run WCCP. it can cache traffic . In any case of failure traffic will be redirected to other router .On the other point routers and switches will get redundancy.

thanx and regards,

Taran

Hi Taran,

I woulg suggest you to do some change in your setup to have glbp running for local LAN and as well IP SLA configuartion for external ISP fail over.

1) Make a etherchannel between your two cisco switches and create a vlan between your check point and two switches.

2) configure GLBP in cisco switches for local lan load balancing and assign them a vip which will be acting as gateway for checkpoint.

3)configure two default routes in both the switches towards both the isp's as reachbilty will be there because of etherchannel bundling.

4)configure IP SLA track in both the switches for some destination server icmp.check out the below sample config fo IP SLA which will help out to track the link status and when ever there is link problem as per the track configuration the default route will removed from cisco switch and the traffic will moving to next available ISP.

Check out the below sample config on IP SLA with some explanation:-

ip sla 1
icmp-echo 192.168.1.2
timeout 500
frequency 1
ip sla schedule 1 life forever start-time now

ip sla 2
icmp-echo 172.16.1.2
timeout 500
frequency 1
ip sla schedule 2 life forever start-time now

IP sla 1 will sends icp echo to ISP 1 ip address every 1 second and IP sla 2 will send it to ISP 2

track 10 rtr 1 reachability
delay down 1 up 1
!

track 20 rtr 2 reachability
delay down 1 up 1
!

if ip sla 1 did not get icmp replay within 1 second track 10 will be considered as down ( from ISP 1) track 20 same for ISP 2

ip route 0.0.0.0 0.0.0.0 192.168.1.2 track 10
ip route 0.0.0.0 0.0.0.0 172.16.1.2 track 20

we have two default routes each one point to one of the ISP's IP address, also each static
default route is associated with the corresponding IP SLA track created above
in this case if ISP 1 link is down the first default route will disappear from the routing table.

Hope that clear your query !!

Regards

Ganesh.H

  Hi Ganesh,

                            Thanx for reply. I wll try this setup. But cant do it now because this structure is on live project. When I wll do this I wll tell u . One more setup is in mind that I wll create vlans on both routers with same subnet and will make each two ports of both routers as L2 then will make them access then I wll attach those routers with both switches. It wll become like a cross structure .then I wll run GLBP on it .I wll make clusture of both switches .But dont know will this work or not ?

thanx and regards,

Taran

tarnhundal wrote:

  Hi Ganesh,

                            Thanx for reply. I wll try this setup. But cant do it now because this structure is on live project. When I wll do this I wll tell u . One more setup is in mind that I wll create vlans on both routers with same subnet and will make each two ports of both routers as L2 then will make them access then I wll attach those routers with both switches. It wll become like a cross structure .then I wll run GLBP on it .I wll make clusture of both switches .But dont know will this work or not ?

thanx and regards,

Taran

Taran

Ganesh has covered most of this but it's not entirely clear whether the switches are running as L2 or as L3 ?

Also be aware that you get no benefit from GLBP on the switches because GLBP load balances based on the src mac-address and this will always be the same ie. the checkpoint firewall so it will always go via one switch only. If you really want to load-balance then you would need to look into running a routing protocol between either

1) the ISP routers and the checkpoint if the switches are acting as L2

or

2) if the swtches are acting as L3 then between the switches and the checkpoint

Jon

Hi Jon,

                   The switches are L2 . I m thinking that we can load balance not only source mac dependent but also round robin , we can change it. I m running GLBP between routers and switches now .So what design u suggest ? My wan int never got down because i have eth link there.I m also thinking about WCCP for this . what both of u say ?

thanx and regards,

Taran

tarnhundal wrote:

Hi Jon,

                   The switches are L2 . I m thinking that we can load balance not only source mac dependent but also round robin , we can change it. I m running GLBP between routers and switches now .So what design u suggest ? My wan int never got down because i have eth link there.I m also thinking about WCCP for this . what both of u say ?

thanx and regards,

Taran

Taran

To be honest i'm not sure how round robin would work in this case because to do round robin the mac-addresses of the 2 routers are cyled through each time an arp reply is sent. However once the checkpoint has the arp reply it doesn't need to request it again so it will only use one of the routers. And even if it did timeout you cannot be sure these timeouts would occur often enough to do proper load-sharing.

To achieve proper load-sharing you could either

1) run a dynamic routing protocol as suggested before between the routers and the checkpoint

or

2) configure 2 default routes on the checkpoint, one for each ISP router.

If the switches are acting as L2 switches only then you do not need any GLBP/routing config on them.

Jon

Hi Jon,

            Thanx for reply. Actually , chkpoint is fine but we are using other hardware with it which doesnt understand the dyanmic protocols. So I have to run these only between routers.there are 4 Fa ports on each router which are L2 . So i m thinking to create Vlan on both routers and put the ports into this vlan . Actually I m still confuse that what design will be more suitable. GLBP can do load balancing host specific and also round robin and also with weigtage.


thanx and regards,

Taran

tarnhundal wrote:

Hi Jon,

            Thanx for reply. Actually , chkpoint is fine but we are using other hardware with it which doesnt understand the dyanmic protocols. So I have to run these only between routers.there are 4 Fa ports on each router which are L2 . So i m thinking to create Vlan on both routers and put the ports into this vlan . Actually I m still confuse that what design will be more suitable. GLBP can do load balancing host specific and also round robin and also with weigtage.


thanx and regards,

Taran

Taran

Yes, you can create vlans on the routers to achieve what you want.

But i need to expand a bit on the GLBP.  GLBP works by responding with different mac-addresses of routers to arp requests from clients. So different clients get different mac-addresses to forward their traffic to. Now if there is only one client ie. the checkpoint, then it sends an arp request to the AVG and it gets one of the 2 routers mac-addresses back to use. As long as that mac-address stays in the checkpoints arp table it will use the same router. Doesn't matter what type of load-balancing you have setup on the routers because the checkpoint now has it's mac-address and will use it. Only when the mac-address times out of the checkpoint arp table will it then send another arp request.

So this is not load-balancing. Yes it may use both routers at different times but it will not be predictable and it certainly won't be per-destination load-balancing as it would be with a routing protocol.

So far i have assumed that between the routers and the firewall, apart from the switches, there are no other devices. But your statement -

 chkpoint is fine but we are using other hardware with it which doesnt understand the dyanmic protocols.


makes me question whether that is correct. I would have though the other hardware would have to go through the checkpoint firewall to get to the ISP routers. Is this not the case ? If it isn't then you do have multiple clients behind the ISP routers and GLBP could be used but i suspect these other devices are behind or on a DMZ of the checkpoint.

If they are behind then they don't have to understand routing protocols, only the checkpoint and the ISP routers need to understand them.

Just to be totally clear, you can use GLBP and you will have connectivity but you won't have proper load-balancing.

Jon

Hi Jon,

               We are using Ndurant firewall hardware with checkpoint . Now i m also confused that will be the right solution for load balancing. I m thinking that I should attach checkpoint with both switches , the problem is that these security devices are managed by security people and one more thing is that they told me that it wll work in only active standby mode.So one thing is clear that chkpoint and also some other devices connected to switches will shift to other router only when one router gets down but now what u say about load balancing and redundancy because suppose both routers are working and internet gots down then my Lan will never know about this . I have total 11 mbps internet band from both isp 6 and 5 from both so i cant sacrifice any of the bandwidth. for any case first of all i have to confirm that if my internet gets down and Wan int is up and ping is working till ISP end then my Lan traffic will shift from one router to other. this is major issue. no track and no SLA will work in it. what u say ?

thanx and regards,

Taran

tarnhundal wrote:

Hi Jon,

               We are using Ndurant firewall hardware with checkpoint . Now i m also confused that will be the right solution for load balancing. I m thinking that I should attach checkpoint with both switches , the problem is that these security devices are managed by security people and one more thing is that they told me that it wll work in only active standby mode.So one thing is clear that chkpoint and also some other devices connected to switches will shift to other router only when one router gets down but now what u say about load balancing and redundancy because suppose both routers are working and internet gots down then my Lan will never know about this . I have total 11 mbps internet band from both isp 6 and 5 from both so i cant sacrifice any of the bandwidth. for any case first of all i have to confirm that if my internet gets down and Wan int is up and ping is working till ISP end then my Lan traffic will shift from one router to other. this is major issue. no track and no SLA will work in it. what u say ?

thanx and regards,

Taran

Taran

We seem to be going over the same things again. If this is you setup -

ispR1 ------cisco3750 ---

                                             checkpoint firewall

ispR2 ----cisco3760---

and the switches are acting as L2 devices then

1) on the ISP routers run IP SLA to track the reachability of the next-hop - see post from Ganesh for details

2) If you use static routes on the checkpoint pointing to both ISP routers for load-balancing then the 2 ISP routers will need to share routes between themselves. The reason for this is that if one of the links goes down because the checkpoint is using static routes it doesn't know so it will still send traffic to both routers. The router that has lost it's internet link must then redirect the traffic to the other ISP router.

3) the other alternative is to run a dynamic routing protocol between the checkpoint and the ISP routers. Then if one of the ISP links goes down the checkpoint will no longer receive any route(s) from that router and will only have one path ie. the other router to forward traffic out of. Note if you do this you are better off simply redistributing a default-route from both ISP routers to the checkpoint and removing that route if the link fails. Don't send a full internet routing table from both ISP routers to the checkpoint.

Those are your options with your current setup if you want to use both links to send the traffic.

Jon

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: