GLBP on public interfaces

Answered Question
May 23rd, 2012

I have a few questions I am wondering if anyone can help me with.

We currently have two Cisco 2861s with c2800nm-adventerprisek9-mz.124-15.T8.bin loaded.

Currently one of these routers is in production.

It has a public address, one secondary address and a bunch of ip nat rules (some with source addresses in that NAT rule that do not match either IP on the public interface).

I have been asked to set up GLBP on both sides of the router, LAN and WAN side.

Thinking about it in my head, it sounds reasonable; the router(s) would just fake an ARP to our upstream router at the data center (which we do not control).

I, however, looking at the command reference, cannot see a way to assign a secondary address to a GLBP group, as you can with HSRP.

Would I need to create a group for each IP address we want to float between routers? Or did I miss something in the command reference?

We only have a single upstream link (it is an HSRP link), but that is transparent to us.

Is it possible to, one, run GLBP on a public-facing interface with the routers sharing a public address?

Two, if it is possible, how do I assign the secondary addresses into the GLBP pool/group?

Correct Answer by Giuseppe Larosa about 5 years 2 months ago

Hello John,

the real issue is the use of NAT with GLBP rather than enabling GLBP on an interface with a public IP address, which is a small detail.

Cisco has developed a feature called stateful NAT that uses HSRP to have resiliency for a scenario like yours.

The issue with GLBP would be that return traffic could be received on the other router that hasn't performed the NAT translation. Generally speaking, NAT works well with only one active device at a time.

Read the following white paper about Stateful NAT: there is only one router working, the primary, but the secondary router is kept in sync, receiving the NAT translation table from the primary. If the primary router fails, the secondary takes over for the HSRP groups and can handle the current NAT translations with no issues.

see

http://www.cisco.com/en/US/products/ps6600/products_white_paper09186a0080118b04.shtml

and

http://www.cisco.com/en/US/docs/ios/12_3t/12_3t7/feature/guide/gtsnatay.html

Hope to help

Giuseppe
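An added configuration example (editor's illustration, not from this thread or from Cisco's own documentation) of the design Giuseppe describes: HSRP on both the LAN and WAN interfaces, with stateful NAT replicating the translation table to the standby router so existing sessions survive a failover. It also shows the HSRP `secondary` keyword that John could not find in GLBP. All addresses are constructed from the 203.0.113.0/28 and 10.0.0.0/24 documentation ranges, and the group names, IDs and interface numbers are invented. The stateful NAT syntax is written from memory of the feature guide linked above, so confirm it against that guide for the IOS image actually running.

```text
! Primary router. The backup router gets the same configuration with its own
! interface addresses (10.0.0.4 and 203.0.113.4) and "standby ... priority 100".
!
! LAN side: HSRP group 1, named so that stateful NAT can track its state.
interface GigabitEthernet0/0
 description LAN (inside)
 ip address 10.0.0.3 255.255.255.0
 ip nat inside
 standby 1 ip 10.0.0.1
 standby 1 priority 110
 standby 1 preempt
 standby 1 name SNAT-INSIDE
!
! WAN side: the shared public address and the secondary public address both
! follow the HSRP active router; the upstream router only ever sees the
! virtual MAC, so no NAT state lives on addresses that can split between boxes.
interface GigabitEthernet0/1
 description WAN (outside) - upstream gateway 203.0.113.14 is constructed
 ip address 203.0.113.3 255.255.255.240
 ip nat outside
 standby 2 ip 203.0.113.1
 standby 2 ip 203.0.113.2 secondary
 standby 2 priority 110
 standby 2 preempt
 standby 2 name SNAT-OUTSIDE
!
ip route 0.0.0.0 0.0.0.0 203.0.113.14
!
! Stateful NAT in HSRP mode: the router that is active for SNAT-INSIDE creates
! translations and pushes every entry tagged with mapping-id 10 to the peer.
ip nat stateful id 1
 redundancy SNAT-INSIDE
  mapping-id 10
!
! Dynamic PAT for inside hosts, bound to mapping-id 10 so it is replicated.
! The pool address is kept separate from the HSRP virtual addresses, as in
! Cisco's stateful NAT examples.
ip access-list standard INSIDE-HOSTS
 permit 10.0.0.0 0.0.0.255
route-map NAT-INSIDE permit 10
 match ip address INSIDE-HOSTS
ip nat pool PUBLIC-POOL 203.0.113.5 203.0.113.5 prefix-length 28
ip nat inside source route-map NAT-INSIDE pool PUBLIC-POOL mapping-id 10 overload
!
! Static translations for published services carry no session state, so they
! are configured identically on both routers. The redundancy keyword ties the
! global address to the outside HSRP group so only the active router answers
! ARP for it; this is the case John raised of NAT rules whose addresses do not
! match the interface address.
ip nat inside source static 10.0.0.50 203.0.113.6 redundancy SNAT-OUTSIDE
```

After both routers are configured, `show standby brief` on each should show one active and one standby for groups 1 and 2 on the same box, and, as recalled from the feature guide, `show ip snat distributed verbose` lists the replicated translations on the standby router. A translation that appears only on the active router is the sign that the mapping-id binding is missing from the NAT rule, which is exactly the failure mode Giuseppe warns about: return traffic landing on a router with no matching state.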
