I am looking for a way to efficiently move from HSRP to GLBP.

p.lagatta
Level 1

I want to move from using HSRP to GLBP and am encountering issues with making it a smooth transition.  I am testing my plans using GNS3.

Our two external production routers are configured to use HSRP, and the current traffic demands are taking a toll on the primary router.  The primary HSRP router's CPU is running above 70% while the standby router is hovering in the 20s.  The main reason is the firewalls are running High Availability Load Sharing (Sidewinders), so each firewall is able to transmit / receive data.  Our routers are set up in a BGP multihome configuration with the ISP.  The upstream routers are associated with the same AS.  Each side has maximum-path 2 enabled within the BGP process.  The two firewalls associate a multicast MAC address with a vIP.  Each router has a static ARP entry for the firewall vIP multicast address, allowing them to send traffic they receive from the world to the firewall pair.  The firewalls then decide if they will accept the traffic or defer to the other.  Unfortunately I cannot upgrade the NPEs on the external routers (NPE-400), so the next best thing is to try and distribute the load coming from the two firewalls.  I hope to get both routers running in the mid 50s, which isn't great, but it's better than the current situation.  I've been told money is coming, but you know how that goes.

Here is the GLBP scheme I want to implement:

R1 (This will be my AVG)

track 20 interface g2/0 line-protocol (Gi2/0 is the external interface)

interface gi0/0 (Serves as the gateway interface for the Firewalls)

glbp 10 ip 10.1.1.1 (fictitious address)
glbp 10 timers 5 15
glbp 10 weighting 100 lower 90 upper 95
glbp 10 load-balancing host-dependent
glbp 10 authentication md5 key-string #######
glbp 10 weighting track 20 decrement 20
glbp 10 forwarder preempt delay minimum 5

R2

track 20 interface g2/0 line-protocol (Gi2/0 is the external interface)

interface gi0/0 (Serves as the gateway interface for the Firewalls)

glbp 10 ip 10.1.1.1 (fictitious address)
glbp 10 timers 5 15
glbp 10 priority 95 (the interface physical ip address on this router is greater than the one on R1)
glbp 10 weighting 100 lower 90 upper 95
glbp 10 load-balancing host-dependent
glbp 10 authentication md5 key-string #######
glbp 10 weighting track 20 decrement 20
glbp 10 forwarder preempt delay minimum 5

Initially I thought this would be simple to transition from HSRP to GLBP.  I would remove the standby ip ip-address command from the interface and replace it with the glbp ip ip-address command.  The interface would already be configured with the other glbp commands prior to making the change.  I thought this method would also aid in the event I had to roll back to HSRP due to something I didn't account for in testing.

When I attempt to execute the above command sequence, the router reports that the virtual IP address is being used by another application on the interface.  I tried shutting down the interface and rerunning the sequence with no success.  To get around this obstacle, I removed all standby commands from the interface by entering either no standby 1 or no standby.

So here is what I am thinking.  On the day of moving from HSRP to GLBP, I will have a console connection to both routers.

On R2

Shut down interface g0/0, since this router is designated as the HSRP standby router, and paste the following commands into the router:

track 20 interface g2/0 line-protocol

interface gi0/0

no standby 1

glbp 10 ip ip-address
glbp 10 timers 5 15
glbp 10 priority 95
glbp 10 weighting 100 lower 90 upper 95
glbp 10 load-balancing host-dependent
glbp 10 authentication md5 key-string #######
glbp 10 weighting track 20 decrement 20
glbp 10 forwarder preempt delay minimum 5

While this is occurring, on router #1, which is the primary HSRP router, paste the following commands in:

track 20 interface GigabitEthernet2/0 line-protocol

interface GigabitEthernet0/0
no standby 1
glbp 10 ip ip-address
glbp 10 timers 5 15
glbp 10 weighting 100 lower 90 upper 95
glbp 10 load-balancing host-dependent
glbp 10 authentication md5 key-string ######
glbp 10 weighting track 20 decrement 20
glbp 10 forwarder preempt delay minimum 5

Once the commands are pasted into Router #1, enable the interface on Router #2 and monitor GLBP with the following debug commands enabled on both routers:

debug glbp events

debug glbp errors

My test runs using GNS3 seem to run well.  I know I am going to interrupt traffic, and I scheduled network downtime to perform the change.  I am anticipating total downtime to be less than 5 minutes.

Does this approach sound logical, or is there a better method to transition from HSRP to GLBP?

Thanks in advance.

7 Replies

Phillip Remaker
Cisco Employee

One thing you can do is to configure GLBP on the interfaces with a different IP address, and then point the firewalls to that new IP address when ready.

I understand this is possible, but I have not personally tried it.

In that case, switching from one to the other is just a matter of changing the firewall configs (and the configs of any other device pointing to the virtual interface address).

Thanks for the reply.  I don't know if I want to reconfigure all the external devices to point to a new GW address.  I think I am going to remain with the game plan I posted.  If I have to fall back to using HSRP after implementing GLBP, I will have the HSRP commands available in Notepad++.

Paul

Jon Marshall
Hall of Fame

Just to clarify.

The two firewalls associate a multicast mac address with a vIP

Not familiar with Sidewinders, but when they do load-sharing, is the MAC address seen by the routers unique to each firewall, or do they share it somehow?  If they share it, GLBP will gain you nothing, because GLBP load-balances based on MAC address, so it will always go to the same MAC address.

Jon

Jon, thanks for the reply.  The Sidewinder firewalls associate a multicast MAC address with the vIP.  That's the reason for the static ARP entry in each router.  Since our Layer II switches located between the firewalls and routers do not register the MAC with a specific port, both firewalls receive the traffic.  Once the traffic reaches the firewalls, they pass information across a heartbeat interface, and the selection process is based on odd / even ports.  Receive traffic is already working in this configuration.  Both our external routers are peered with two EBGP routers located in the same AS.  The GLBP implementation will allow us to load balance the traffic each firewall is sending to the GW address.

p.lagatta wrote:

Jon, thanks for the reply.  The Sidewinder firewalls associate a multicast MAC address with the vIP.  That's the reason for the static ARP entry in each router.  Since our Layer II switches located between the firewalls and routers do not register the MAC with a specific port, both firewalls receive the traffic.  Once the traffic reaches the firewalls, they pass information across a heartbeat interface, and the selection process is based on odd / even ports.  Receive traffic is already working in this configuration.  Both our external routers are peered with two EBGP routers located in the same AS.  The GLBP implementation will allow us to load balance the traffic each firewall is sending to the GW address.

Perhaps I'm misunderstanding.

If there is one MAC address, then GLBP will assign that MAC address to one of the routers, and it will keep that router for forwarding the traffic with the same MAC address.  So the traffic will always be forwarded by the same router.  GLBP works by assigning different source MAC addresses to different routers within the same group, but it sounds like the source MAC address is always the same from the firewalls.

Jon

Jon,

The problem isn't the routers sending traffic to the firewalls but the firewalls forwarding traffic to the routers.  Each firewall has the ability to forward traffic.  The firewalls are configured for high availability load sharing.  We currently have the two external routers configured to use HSRP.  Both firewalls have the HSRP vIP as their default gateway.  As I stated in my initial post, we want to load balance the traffic exiting the firewalls.  Since the AVG will assign each firewall a different GLBP MAC address, firewall #1 will send its traffic to, let's say, router #2, and firewall #2 will send its traffic to router #1, which will better utilize the bandwidth for traffic leaving our site.

p.lagatta wrote:

Jon,

The problem isn't the routers sending traffic to the firewalls but the firewalls forwarding traffic to the routers.  Each firewall has the ability to forward traffic.  The firewalls are configured for high availability load sharing.  We currently have the two external routers configured to use HSRP.  Both firewalls have the HSRP vIP as their default gateway.  As I stated in my initial post, we want to load balance the traffic exiting the firewalls.  Since the AVG will assign each firewall a different GLBP MAC address, firewall #1 will send its traffic to, let's say, router #2, and firewall #2 will send its traffic to router #1, which will better utilize the bandwidth for traffic leaving our site.

So the router sees unique addresses coming from the firewalls?  I think that is where I was misunderstanding.  Apologies for any confusion.

Jon
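Added example (not from the thread or from Cisco): a small model of the GLBP group in the original post (weighting 100, lower 90, upper 95, track 20 decrement 20, host-dependent load balancing) that also exercises Jon's point about source MAC addresses. The host-to-forwarder rule (low bit of the host MAC) and the firewall MACs are constructed assumptions; IOS does not document its host-dependent hashing, and a real group also hands a failed AVF's virtual MAC to a surviving router, which this model does not show.

```python
# Assumed, simplified GLBP model: weighting with lower/upper hysteresis and
# host-dependent AVF selection. Thresholds match the configuration in the post.
MAXIMUM, LOWER, UPPER, DECREMENT = 100, 90, 95, 20

class Forwarder:
    """One router's AVF eligibility for its virtual MAC."""

    def __init__(self, name, vmac):
        self.name, self.vmac = name, vmac
        self.weight = MAXIMUM
        self.active = True          # eligible to forward for its vMAC

    def track(self, up):
        """Apply the tracked interface state (track 20 decrement 20)."""
        self.weight = MAXIMUM if up else MAXIMUM - DECREMENT
        if self.active and self.weight < LOWER:
            self.active = False     # below lower threshold: gives up AVF role
        elif not self.active and self.weight >= UPPER:
            self.active = True      # back at upper threshold: regains AVF role
        return self.active

def choose_vmac(forwarders, host_mac):
    """AVG's ARP reply: the same host MAC always gets the same AVF's vMAC.

    Assumption: the low bit of the host MAC picks among the active AVFs.
    """
    avfs = [f for f in forwarders if f.active]
    return avfs[int(host_mac.replace(":", ""), 16) % len(avfs)].vmac

def forwarder_for(forwarders, host_macs):
    """Map each firewall MAC to the router that will carry its outbound traffic."""
    by_vmac = {f.vmac: f.name for f in forwarders}
    return [(mac, by_vmac[choose_vmac(forwarders, mac)]) for mac in host_macs]

# Constructed sample: group 10 uses vMACs 0007.b400.0a01 (R1) and 0007.b400.0a02 (R2).
R1 = Forwarder("R1", "0007.b400.0a01")
R2 = Forwarder("R2", "0007.b400.0a02")
GROUP = [R1, R2]
FW_DISTINCT = ["00:11:22:33:44:02", "00:11:22:33:44:01"]  # unique MAC per firewall
FW_SHARED = ["00:11:22:33:44:02", "00:11:22:33:44:02"]    # both use one MAC

if __name__ == "__main__":
    print(forwarder_for(GROUP, FW_DISTINCT))   # two routers carry traffic
    print(forwarder_for(GROUP, FW_SHARED))     # one router carries all of it
    R1.track(up=False)                         # Gi2/0 down: weight 80 < 90
    print(forwarder_for(GROUP, FW_DISTINCT))   # only R2 answers now
```

With distinct firewall MACs the two firewalls land on different routers; with a shared MAC both land on the same one, which is the case Jon warned about.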
