IOS Firewall in a HSRP - Load balancing Configuration

cpalayoor

Hi there,

Has anyone successfully implemented 2 Cisco IOS based firewalls in an HSRP configuration with load balancing?

Is this possible? If yes, are there configuration documents available and what would be the system requirements?

Thanks in advance for any suggestions or words of advice.

Regards

CP


tohuang

Hi,

You can't do the load balance on IOS based firewalls.

Thanks

Tony

Hi Tony,

Thanks for the reply.

What about HSRP? Is that possible on IOS based firewalls?

Regards

CP

Hi CP,

In an HSRP environment, IOS FW or CBAC should not be a problem. That is, *if* you can assure that the return path of the packet will come back through the same router in the HSRP pair from which it was sent. For instance, let's say you have HSRP configured between router A and B; A is your primary and B is your backup router. Assume host C tries to access www.yahoo.com (or whatever). The outgoing traffic from C will go through router A, since it's the "active" router. But how about the return traffic? Is it guaranteed to go back through A? Or could it be either A or B? IOS firewall is doing stateful inspection. In other words, we have to see every packet of a session to trace its state. If the SYN packet goes through A, and the SYN-ACK comes back through router B, we have no way of maintaining the state and the connections will fail.

Obviously, if a failover occurs to the stand-by router, then the established sessions through the previous master will fail on the new master. But other than that, as long as the same router sees all of the connections, you should be fine. No known issues that I am aware of. Clear as mud?

Scott

Hi Scott,

Thanks for your lengthy reply.

I was hoping to have it configured in the following manner.

Split the network behind the firewall into subnets, say network A and network B. Network A has router X as its primary and router Y as its secondary. Similarly, network B would have router Y as its primary and router X as its secondary. The return traffic would have to be similarly directed to the respective routers by the preceding device. This way, if either fails, its respective secondary would take over.

My preliminary research on HSRP gives me the understanding that in an HSRP with load sharing environment, the 2 routers would have the same IP addresses, albeit in a primary and secondary role. E.g.: Router X would have xy.1 as its primary IP and xy.2 as its secondary, and Router Y would have xy.2 and xy.1 as its primary and secondary respectively.

A return packet originally sent out through X would find Y with the IP xy.1 (on router X's failure) and consequently would have its state maintained.

Would the above configuration successfully address the problem of the state not being maintained?

Do you reckon this configuration would work using IOS firewalls, or is my understanding of how HSRP with load sharing works incorrect?

That is my million dollar question.

Regards

CP

Interesting. I have never set up HSRP in a load sharing environment so I cannot really comment on this design. However, in theory, this would appear to work. From an IOS FW standpoint, as long as you can assure the return path of the packets goes back through the router where it was sent, then you should be fine. Good luck with this.

Scott
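An added example (not from anyone in this thread) that models the point Scott makes and the two-group design CP proposes: each router keeps its own session table, so a reply is only admitted by the router that inspected the outbound SYN. Router names, subnets and addresses are made up for the simulation.

```python
# Toy model of CBAC-style stateful inspection across an HSRP pair.
# Constructed for illustration; not Cisco code. Addresses are made up.
from dataclasses import dataclass, field

@dataclass
class Router:
    name: str
    # Sessions this router has inspected outbound: (src, sport, dst, dport).
    sessions: set = field(default_factory=set)

    def outbound(self, flow):
        # Inspecting the client's SYN creates the state that will admit the reply.
        self.sessions.add(flow)

    def inbound(self, reply):
        # A reply is admitted only by a router that holds state for it.
        src, sport, dst, dport = reply
        return (dst, dport, src, sport) in self.sessions

def session_ok(egress, ingress, client):
    """SYN leaves via egress, SYN-ACK arrives via ingress. True if the session survives."""
    flow = (client, 40000, "203.0.113.10", 80)   # constructed client -> web server flow
    egress.outbound(flow)
    reply = (flow[2], flow[3], flow[0], flow[1])
    return ingress.inbound(reply)

def single_group(return_via_active):
    """Plain HSRP: A is active for everything; the reply may or may not return via A."""
    a, b = Router("A"), Router("B")
    return session_ok(a, a if return_via_active else b, "10.1.1.5")

def load_sharing(pinned_return):
    """Two HSRP groups: net A is active on X, net B is active on Y.
    pinned_return=True: the upstream device returns each subnet's replies to that
    subnet's active router. False: upstream sends every reply back via X."""
    x, y = Router("X"), Router("Y")
    plan = {"10.1.1.5": x, "10.1.2.5": y}          # client -> its active router
    return {c: session_ok(r, r if pinned_return else x, c) for c, r in plan.items()}

def failover():
    """Session built through X; X dies and Y takes over the virtual address.
    Y never saw the SYN, so it holds no state and drops the reply."""
    x, y = Router("X"), Router("Y")
    flow = ("10.1.1.5", 40000, "203.0.113.10", 80)
    x.outbound(flow)
    return y.inbound((flow[2], flow[3], flow[0], flow[1]))
```

The model reflects Scott's caveat that state is per router: the load-sharing design holds only while the upstream device pins each subnet's return path, and established sessions do not survive a takeover by the standby.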
