New Member

Critical Issue for Redundancy and Load Sharing between routers and switches for Internet

Hi All,

I have two 3845 routers; both have two ISPs. Then I have two switches, a 3750 and a 3560, connected to these routers, and further on I have Checkpoint firewalls. Now I want redundancy and load sharing of the LAN traffic coming from the firewalls to the switches and routers. I chose GLBP for this, but now I have some issues. Both routers have only two Gigabit ports and 4 FastEthernet ports, but these Fa ports are L2 ports, so I can't give an IP to those ports. Should I make VLANs there? Then, both ISPs provide me Ethernet links, so these interfaces never go down and I can't use the track command. Sometimes I think I should do clustering between the switches; they will act as one switch and then I can run GLBP easily. I'm not sure what to do. One main condition is that my internet should never go down, and I also need load sharing between the two routers.

Please help me sort out this issue.

Thanks and regards,

Taran

3 ACCEPTED SOLUTIONS

24 REPLIES

Re: Critical Issue for Redundancy and Load Sharing between route

Hi Taran,

What I understand of your current setup is something like this:

ispR1 ------cisco3750 ---

                                             checkpoint firewall

ispR2 ----cisco3760---

Are those four ports switching-module ports? If yes, then make a VLAN in the router and the connecting switch and do the GLBP configuration, or go with HSRP for load balancing with an IP SLA configuration for tracking external link failure.

Check out the below link for IP SLA:

http://www.cisco.com/en/US/docs/ios/12_4/ip_sla/configuration/guide/hsthresh.html

Hope this helps with your query!!

Regards

Ganesh.H

New Member

Re: Critical Issue for Redundancy and Load Sharing between route

Hi Ganesh,

Thanks for the reply. I'm using the same design which you mentioned here. Now I'm confused: if any of the WAN ports goes down, will this be monitored by SLA or not? Will GLBP shift its traffic from one forwarder to the other? What should I do there on the routers? Should I create a VLAN there, and should I do bridging there on the router? I'm thinking of clustering the two switches because they will act as one switch. Will it be fine? Please let me know about it.

Thanks and regards,

Taran

Re: Critical Issue for Redundancy and Load Sharing between route

Hi Taran,

Yes, create bridging in the router for the VLAN for the switches connecting to the routers, and configure the GLBP weighting functionality with interface tracking in the router where you will configure GLBP for the local LAN.

Check out the below link for GLBP configuration with interface tracking:

http://www.cisco.com/en/US/docs/ios/12_2t/12_2t15/feature/guide/ft_glbp.html#wp1046944

Hope this clears your query!!

Regards

Ganesh.H

New Member

Re: Critical Issue for Redundancy and Load Sharing between route

Hi Ganesh,

Thanks for the reply. Actually, as I mentioned earlier, I have an Ethernet link from the ISP, and this link never goes down, but sometimes the internet goes down. So I think in this particular case track will not work. I don't know any alternative to it. I hope you will help me with this.

Thanks and regards,

Taran

New Member

Re: Critical Issue for Redundancy and Load Sharing between route

Hi Ganesh,

I have one thing in mind; I don't know whether this will work or not!! Actually, both of my routers have content engines, so I can run WCCP. It can cache traffic. In any case of failure, traffic will be redirected to the other router. On the other point, the routers and switches will get redundancy.

Thanks and regards,

Taran

Re: Critical Issue for Redundancy and Load Sharing between route

Hi Taran,

I would suggest you make some changes in your setup to have GLBP running for the local LAN and also an IP SLA configuration for external ISP failover.

1) Make an EtherChannel between your two Cisco switches and create a VLAN between your Checkpoint and the two switches.

2) Configure GLBP in the Cisco switches for local LAN load balancing and assign them a VIP which will act as the gateway for the Checkpoint.

3) Configure two default routes in both switches towards both ISPs, as reachability will be there because of the EtherChannel bundling.

4) Configure an IP SLA track in both switches for ICMP to some destination server. Check out the below sample config for IP SLA, which will help to track the link status; whenever there is a link problem as per the track configuration, the default route will be removed from the Cisco switch and the traffic will move to the next available ISP.

Check out the below sample config on IP SLA with some explanation:-

! ICMP echo probe towards the ISP 1 next-hop; timeout is in milliseconds,
! frequency is in seconds (one probe per second)
ip sla 1
 icmp-echo 192.168.1.2
 timeout 500
 frequency 1
ip sla schedule 1 life forever start-time now
!
! Same probe towards the ISP 2 next-hop
ip sla 2
 icmp-echo 172.16.1.2
 timeout 500
 frequency 1
ip sla schedule 2 life forever start-time now

IP SLA 1 sends an ICMP echo to the ISP 1 IP address every 1 second, and IP SLA 2 sends it to ISP 2.

! Track objects follow the reachability result of each probe; 'delay down 1 up 1'
! waits 1 second in each direction before changing state
! ('track <id> rtr <sla>' is the older syntax; newer IOS uses 'track <id> ip sla <sla> reachability')
track 10 rtr 1 reachability
 delay down 1 up 1
!
track 20 rtr 2 reachability
 delay down 1 up 1
!

If IP SLA 1 does not get an ICMP reply within 1 second, track 10 is considered down (for ISP 1); track 20 is the same for ISP 2.

! Each default route stays in the routing table only while its track object is up
ip route 0.0.0.0 0.0.0.0 192.168.1.2 track 10
ip route 0.0.0.0 0.0.0.0 172.16.1.2 track 20

We have two default routes, each one pointing to one of the ISPs' IP addresses; each static default route is also associated with the corresponding IP SLA track created above. In this case, if the ISP 1 link is down, the first default route will disappear from the routing table.

Hope that clears your query!!

Regards

Ganesh.H
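The track and tracked-static-route behaviour in the sample config above, modelled in Python as an added example (not code from this thread or from Cisco). It assumes two track objects with `delay down 1 up 1` feeding the two default routes, takes constructed per-second probe results, and reports which next-hops remain installed after each tick; the `delay` counters are modelled as whole probe intervals. Note that a route is only withdrawn when its probe target stops answering, so the choice of probe destination (ISP next-hop versus a far-end address) decides which failures the tracking can see.

```python
"""Model of the IOS 'track ... reachability' objects and tracked static
default routes from the sample config. Added illustration, not Cisco
code; probe results are constructed."""
from dataclasses import dataclass, field


@dataclass
class Track:
    """One 'track <id> rtr <sla> reachability' object with 'delay down/up'."""
    track_id: int
    sla_id: int
    delay_down: int = 1        # consecutive failed probes before Up -> Down
    delay_up: int = 1          # consecutive good probes before Down -> Up
    state: str = "Up"
    pending: int = field(default=0, init=False)  # ticks the opposite result has persisted

    def update(self, reachable: bool) -> str:
        """Feed one probe result (one 'frequency' interval) and return the state."""
        target = "Up" if reachable else "Down"
        if target == self.state:
            self.pending = 0             # result agrees with state: clear the delay timer
            return self.state
        self.pending += 1
        needed = self.delay_up if target == "Up" else self.delay_down
        if self.pending >= needed:       # delay expired: commit the transition
            self.state = target
            self.pending = 0
        return self.state


@dataclass
class TrackedRoute:
    """'ip route 0.0.0.0 0.0.0.0 <next_hop> track <id>'."""
    next_hop: str
    track: Track


def installed_next_hops(routes):
    """A tracked static route sits in the RIB only while its track object is Up."""
    return [r.next_hop for r in routes if r.track.state == "Up"]


def run_scenario(track1, track2, probes):
    """probes: list of (sla1_reachable, sla2_reachable), one tuple per second.
    Returns the installed default-route next-hops after each tick."""
    routes = [TrackedRoute("192.168.1.2", track1), TrackedRoute("172.16.1.2", track2)]
    history = []
    for ok1, ok2 in probes:
        track1.update(ok1)
        track2.update(ok2)
        history.append(installed_next_hops(routes))
    return history


if __name__ == "__main__":
    # Constructed: the ISP 1 next-hop stops answering for two seconds, then recovers.
    probes = [(True, True), (False, True), (False, True), (True, True)]
    for tick, hops in enumerate(run_scenario(Track(10, 1), Track(20, 2), probes)):
        print(f"t={tick}s installed default routes via {hops}")
```

With `delay down 1` a single lost probe is enough to pull the route; raising `delay_down` (the model's equivalent of `delay down 3`) rides through one missed reply, which is the usual way to stop a noisy link from flapping the default route.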

New Member

Re: Critical Issue for Redundancy and Load Sharing between route

Hi Ganesh,

Thanks for the reply. I will try this setup, but I can't do it now because this structure is on a live project. When I do this, I will tell you. One more setup is in mind: I will create VLANs on both routers with the same subnet, make two ports of each router L2, then make them access ports, and then attach those routers to both switches. It will become like a cross structure. Then I will run GLBP on it. I will make a cluster of both switches. But I don't know whether this will work or not?

Thanks and regards,

Taran

Hall of Fame Super Blue

Re: Critical Issue for Redundancy and Load Sharing between route

Taran

Ganesh has covered most of this, but it's not entirely clear whether the switches are running as L2 or as L3?

Also be aware that you get no benefit from GLBP on the switches, because GLBP load balances based on the source MAC address, and this will always be the same, i.e. the Checkpoint firewall, so it will always go via one switch only. If you really want to load-balance then you would need to look into running a routing protocol between either

1) the ISP routers and the Checkpoint, if the switches are acting as L2

or

2) the switches and the Checkpoint, if the switches are acting as L3

Jon

New Member

Re: Critical Issue for Redundancy and Load Sharing between route

Hi Jon,

The switches are L2. I'm thinking that we can load balance not only source-MAC dependent but also round robin; we can change it. I'm running GLBP between the routers and switches now. So what design do you suggest? My WAN interface never goes down because I have an Ethernet link there. I'm also thinking about WCCP for this. What do you both say?

Thanks and regards,

Taran

Hall of Fame Super Blue

Re: Critical Issue for Redundancy and Load Sharing between route

Taran

To be honest I'm not sure how round robin would work in this case, because to do round robin the MAC addresses of the 2 routers are cycled through each time an ARP reply is sent. However, once the Checkpoint has the ARP reply it doesn't need to request it again, so it will only use one of the routers. And even if it did time out, you cannot be sure these timeouts would occur often enough to do proper load-sharing.

To achieve proper load-sharing you could either

1) run a dynamic routing protocol as suggested before between the routers and the checkpoint

or

2) configure 2 default routes on the Checkpoint, one for each ISP router.

If the switches are acting as L2 switches only then you do not need any GLBP/routing config on them.

Jon

New Member

Re: Critical Issue for Redundancy and Load Sharing between route

Hi Jon,

Thanks for the reply. Actually, the Checkpoint is fine, but we are using other hardware with it which doesn't understand the dynamic protocols. So I have to run these only between the routers. There are 4 Fa ports on each router which are L2, so I'm thinking of creating a VLAN on both routers and putting the ports into this VLAN. Actually, I'm still confused about which design will be more suitable. GLBP can do load balancing host-specific and also round robin and also with weighting.

Thanks and regards,

Taran

Hall of Fame Super Blue

Re: Critical Issue for Redundancy and Load Sharing between route

Taran

Yes, you can create vlans on the routers to achieve what you want.

But I need to expand a bit on GLBP. GLBP works by responding with different MAC addresses of routers to ARP requests from clients. So different clients get different MAC addresses to forward their traffic to. Now if there is only one client, i.e. the Checkpoint, then it sends an ARP request to the AVG and gets one of the 2 routers' MAC addresses back to use. As long as that MAC address stays in the Checkpoint's ARP table it will use the same router. It doesn't matter what type of load-balancing you have set up on the routers, because the Checkpoint now has its MAC address and will use it. Only when the MAC address times out of the Checkpoint's ARP table will it then send another ARP request.

So this is not load-balancing. Yes, it may use both routers at different times, but it will not be predictable, and it certainly won't be per-destination load-balancing as it would be with a routing protocol.

So far I have assumed that between the routers and the firewall, apart from the switches, there are no other devices. But your statement -

the Checkpoint is fine, but we are using other hardware with it which doesn't understand the dynamic protocols.

makes me question whether that is correct. I would have thought the other hardware would have to go through the Checkpoint firewall to get to the ISP routers. Is this not the case? If it isn't, then you do have multiple clients behind the ISP routers and GLBP could be used, but I suspect these other devices are behind or on a DMZ of the Checkpoint.

If they are behind then they don't have to understand routing protocols, only the checkpoint and the ISP routers need to understand them.

Just to be totally clear, you can use GLBP and you will have connectivity but you won't have proper load-balancing.

Jon
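Jon's point about a single client, as an added Python model (not code from this thread or from Cisco): the AVG hands out forwarder MACs in round-robin order per ARP request, but a host re-ARPs only when its cache entry expires, so with one client all traffic follows one AVF for the whole lifetime of that entry. The AVF MAC values, the client names and the ARP timeouts are constructed.

```python
"""Why GLBP round-robin does not balance traffic from a single client.
Added illustration, not Cisco code; MACs and timers are constructed."""
import itertools


class GlbpAvg:
    """Active Virtual Gateway: answers ARP for the VIP with the next AVF MAC."""
    def __init__(self, avf_macs):
        self._rotation = itertools.cycle(avf_macs)

    def arp_reply(self):
        # Round-robin: every ARP request for the VIP gets the next forwarder MAC.
        return next(self._rotation)


class Client:
    """A host whose ARP cache entry for the gateway expires after arp_timeout seconds."""
    def __init__(self, name, arp_timeout):
        self.name = name
        self.arp_timeout = arp_timeout
        self.cached_mac = None
        self.cached_at = None

    def gateway_mac(self, avg, now):
        # Re-ARP only when there is no entry or it has aged out.
        if self.cached_mac is None or now - self.cached_at >= self.arp_timeout:
            self.cached_mac = avg.arp_reply()
            self.cached_at = now
        return self.cached_mac


def forwarder_usage(avf_macs, clients, duration):
    """Each client sends one packet per second for `duration` seconds;
    return how many packets each forwarder MAC carried."""
    avg = GlbpAvg(avf_macs)
    counts = {mac: 0 for mac in avf_macs}
    for now in range(duration):
        for client in clients:
            counts[client.gateway_mac(avg, now)] += 1
    return counts


# Constructed forwarder MACs (GLBP virtual MACs take the 0007.b4xx.xxyy form).
AVF_MACS = ["0007.b400.0101", "0007.b400.0102"]

if __name__ == "__main__":
    # One client (the firewall) with a 4-hour ARP cache: everything goes via one AVF.
    print(forwarder_usage(AVF_MACS, [Client("firewall", 14400)], 3600))
    # Many hosts ARPing the VIP directly: round-robin spreads them across both AVFs.
    hosts = [Client(f"host{i}", 14400) for i in range(10)]
    print(forwarder_usage(AVF_MACS, hosts, 3600))
```

Shortening the single client's ARP timeout does move it between forwarders, but only at cache-expiry moments, which is the "unpredictable, not per-destination" behaviour described above rather than load balancing.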

New Member

Re: Critical Issue for Redundancy and Load Sharing between route

Hi Jon,

We are using Ndurant firewall hardware with the Checkpoint. Now I'm also confused about what will be the right solution for load balancing. I'm thinking that I should attach the Checkpoint to both switches; the problem is that these security devices are managed by security people, and one more thing is that they told me it will work only in active/standby mode. So one thing is clear: the Checkpoint and also some other devices connected to the switches will shift to the other router only when one router goes down. But now what do you say about load balancing and redundancy, because suppose both routers are working and the internet goes down, then my LAN will never know about this. I have a total of 11 Mbps internet bandwidth from both ISPs, 6 and 5 from each, so I can't sacrifice any of the bandwidth. In any case, first of all I have to confirm that if my internet goes down while the WAN interface is up and ping is working till the ISP end, then my LAN traffic will shift from one router to the other. This is the major issue. No track and no SLA will work in it. What do you say?

Thanks and regards,

Taran

Hall of Fame Super Blue

Re: Critical Issue for Redundancy and Load Sharing between route

Taran

We seem to be going over the same things again. If this is your setup -

ispR1 ------cisco3750 ---

                                             checkpoint firewall

ispR2 ----cisco3760---

and the switches are acting as L2 devices then

1) on the ISP routers run IP SLA to track the reachability of the next-hop - see the post from Ganesh for details

2) If you use static routes on the Checkpoint pointing to both ISP routers for load-balancing, then the 2 ISP routers will need to share routes between themselves. The reason for this is that if one of the links goes down, the Checkpoint doesn't know, because it is using static routes, so it will still send traffic to both routers. The router that has lost its internet link must then redirect the traffic to the other ISP router.

3) the other alternative is to run a dynamic routing protocol between the Checkpoint and the ISP routers. Then if one of the ISP links goes down, the Checkpoint will no longer receive any route(s) from that router and will only have one path, i.e. the other router, to forward traffic out of. Note that if you do this you are better off simply redistributing a default route from both ISP routers to the Checkpoint and removing that route if the link fails. Don't send a full internet routing table from both ISP routers to the Checkpoint.

Those are your options with your current setup if you want to use both links to send the traffic.

Jon

Hall of Fame Super Blue

Re: Critical Issue for Redundancy and Load Sharing between route

Taran

ispR1 ------cisco3750 ---

                                             checkpoint firewall

ispR2 ----cisco3760---

An alternative is to run your switches as L3. Each switch is then connected to both ISP routers. Run a dynamic routing protocol between the switches and the routers and send a default route from both ISP routers to your switches. You will still need to track the next-hop on the ISP routers.

Then use HSRP or, if you want, GLBP (although the same provisos apply as before with GLBP) on the switch LAN interfaces facing the Checkpoint. The Checkpoint will send traffic to the active switch, which then has 2 equal-cost paths to the Internet via both ISP routers.

Jon

New Member

Re: Critical Issue for Redundancy and Load Sharing between route

Hi Jon,

Thanks for the reply and for giving your time. Look Jon, I was considering running OSPF on both routers and switches, because with OSPF it will shift from one router to the other if one of the links goes down, and then I will do object tracking on the WAN interface. I don't know much about firewalls because these are not handled by me, but the security guys told me that the Ndurant is attached to the Checkpoint and it doesn't know about dynamic routing. I saw the Ndurant; they put static routes there, but I don't know about the config of the Checkpoint. So I don't know what to do there, but I will try to sort this out on their end, the Checkpoint.

What do you say about it?

Thanks and regards,

Taran

New Member

Re: Critical Issue for Redundancy and Load Sharing between route

Hi,

I'm using a design like two routers connecting to one switch using GLBP. Now I can run the other switch with the first switch as a trunk. Now everything is fine, meaning whenever the WAN link goes down then the AVF shifts to the other router. But now I'm having one more problem, i.e. after a short interval the AVF shifts from one to the other, so my internet goes down. I have tried to change the redirect and forwarder configuration, but the AVF shifts continuously, approx every 2-3 min. Please help to sort out this issue.

Thanks and regards,

Taran

New Member

Re: Critical Issue for Redundancy and Load Sharing between route

Hi,

I think you are right. Right now my Checkpoint is connected to the switch, and what I have seen is that if I telnet from my LAN to the router via the Checkpoint, then the gateway shifts continuously, and when I go to the internet switch and then telnet to the virtual gateway, it always goes to my higher-priority router. It means the Checkpoint doesn't understand this concept. Should I do load balancing with the host-dependent method or apply some other way??

Thanks and regards,

Taran

New Member

Re: Critical Issue for Redundancy and Load Sharing between route

Hi Jon and Ganesh,

Both of you helped me a lot to sort out this issue. What I have seen is that from the switch all is well, but from my LAN I'm getting an issue. My AVF is not stable; every 3-4 min it shifts from one router to the other router. I think it's due to the Checkpoint, so what do you say, should I try to load-balance GLBP with the host-dependent method or do something else? Waiting for a positive response.

Thanks and regards,

Taran
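A way to confirm the forwarder instability described in this post from the routers' own syslog rather than from user complaints, as an added Python example (not code from this thread or from Cisco). It assumes %GLBP-6-FWDSTATECHANGE messages of the shape shown in the constructed sample lines (check the exact format against your own IOS output before relying on the regex), and flags any interface/group whose forwarders became Active at least three times inside a fifteen-minute window; both thresholds are assumptions.

```python
"""Spot an unstable GLBP forwarder from router syslog by counting forwarder
state changes per interface/group in a sliding window. Added illustration,
not Cisco code; the log lines are constructed and the message shape is assumed."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Assumed message shape; verify against real IOS output before use.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d): %GLBP-6-FWDSTATECHANGE: "
    r"(?P<intf>\S+) Grp (?P<grp>\d+) Fwd (?P<fwd>\d+) state (?P<old>\w+) -> (?P<new>\w+)$"
)

# Constructed sample: Vlan10 group 1 hands the active forwarder back and forth
# every few minutes, while Vlan20 group 2 changes once.
SAMPLE_LOG = """\
Mar  1 10:00:05: %GLBP-6-FWDSTATECHANGE: Vlan10 Grp 1 Fwd 1 state Listen -> Active
Mar  1 10:03:12: %GLBP-6-FWDSTATECHANGE: Vlan10 Grp 1 Fwd 1 state Active -> Listen
Mar  1 10:03:12: %GLBP-6-FWDSTATECHANGE: Vlan10 Grp 1 Fwd 2 state Listen -> Active
Mar  1 10:06:40: %GLBP-6-FWDSTATECHANGE: Vlan10 Grp 1 Fwd 2 state Active -> Listen
Mar  1 10:06:40: %GLBP-6-FWDSTATECHANGE: Vlan10 Grp 1 Fwd 1 state Listen -> Active
Mar  1 10:09:55: %GLBP-6-FWDSTATECHANGE: Vlan10 Grp 1 Fwd 1 state Active -> Listen
Mar  1 10:09:55: %GLBP-6-FWDSTATECHANGE: Vlan10 Grp 1 Fwd 2 state Listen -> Active
Mar  1 18:00:00: %GLBP-6-FWDSTATECHANGE: Vlan20 Grp 2 Fwd 1 state Listen -> Active
"""


def parse_events(text, year=2000):
    """Return (timestamp, interface, group, forwarder, old_state, new_state) tuples.
    IOS timestamps carry no year, so one is supplied by the caller."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated syslog line
        ts = datetime.strptime(f"{year} {m['ts'].replace('  ', ' ')}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["intf"], int(m["grp"]), int(m["fwd"]), m["old"], m["new"]))
    return events


def find_flapping(events, window_s=900, threshold=3):
    """Return {(interface, group): max_transitions} for groups whose forwarders
    became Active at least `threshold` times within any `window_s` window."""
    recent = defaultdict(deque)
    flapping = {}
    for ts, intf, grp, _fwd, _old, new in events:
        if new != "Active":
            continue  # only count a forwarder taking over
        key = (intf, grp)
        q = recent[key]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:
            q.popleft()  # drop take-overs that fell out of the window
        if len(q) >= threshold:
            flapping[key] = max(flapping.get(key, 0), len(q))
    return flapping


if __name__ == "__main__":
    for (intf, grp), n in find_flapping(parse_events(SAMPLE_LOG)).items():
        print(f"{intf} group {grp}: {n} forwarder take-overs in 15 min - investigate")
```

Run against the real `show logging` output (or a syslog collector export) from both routers; a group that trips this check while the WAN links stay up points at hello/hold timers or the client side, as the thread goes on to find, rather than at an ISP failure.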

Re: Critical Issue for Redundancy and Load Sharing between route

Hi Taran,

As suggested by Jon in a previous post, do the same type of configuration. But for your query: if you go with the GLBP host-dependent method for load balancing, it will always be a single MAC from the Checkpoint towards the VIP of GLBP, so it will always be a single forwarder at all times for outgoing traffic. Try configuring HSRP in active/passive mode; it will be helpful with full redundancy.

Hope that helps with your query!!

If helpful, do rate the valuable post.

Regards

Ganesh.H

New Member

Re: Critical Issue for Redundancy and Load Sharing between route

Hi Jon,

I'm using the same diagram as you have mentioned. Now I have realised one thing: if I telnet to the VIP of GLBP from my LAN behind the Checkpoint, then after short intervals it shifts from one router to the other, but when I try to telnet to this VIP every time it goes to the higher-priority router. It means the Checkpoint doesn't know exactly about the gateway, and then I saw that proxy ARP is enabled on the Checkpoint. I'm thinking of disabling this feature, because I already set the default gateway at the Checkpoint, so there is no need for this command. The Checkpoint is my firewall, but it has to be connected with some hardware firewall like Nokia, Ndurant or something else. I'm using Ndurant, which doesn't understand dynamic protocols, so we have to put static routes on the Ndurant Checkpoint firewall; I can't run a dynamic protocol at the switches and routers. What do you say about this?

Waiting for a positive response from your side.

Thanks and regards,

Taran

New Member

Re: Critical Issue for Redundancy and Load Sharing between route

Hi Jon,

This problem has been resolved now, and thanks for your support till now. You and Ganesh both supported me a lot.

Thanks and regards,

Taran

New Member

Re: Critical Issue for Redundancy and Load Sharing between route

Hi Ganesh,

I have tried this setting and it works. I have created an SLA for tracking and now it's shifting if ICMP is unreachable, but I have done one thing: my ISP's other-end IP is not always unreachable, so I have set the ICMP for google.com, because if Google is unreachable then it means the internet is down.

Anyhow, thanks for the total support.

Thanks and regards,

Taran

Re: Critical Issue for Redundancy and Load Sharing between route

Hi Taran,

That's great that your problem has been resolved. It will be great if you can mark this thread as resolved so that others can benefit if they have this type of problem in their network.

Ganesh.H

2424 Views, 0 Helpful, 24 Replies