HOW TO CONFIGURE GLBP WITH A FIREWALL BETWEEN THE ROUTERS AND HOSTS

We have two 2801 routers and are implementing the GLBP option.

Both routers are connected to a 2960 switch, and between the 2960 switch and the hosts there is a Check Point firewall installed.

The hosts have the firewall as their default gateway, and the firewall sends all traffic to the virtual IP address.

Question:

We know that the hosts' default gateway should be the virtual IP address, but since they are behind the firewall, their default gateway is the firewall's IP address. What considerations must be taken into account for GLBP to operate correctly with the firewall?

Thanks for your answers.

Diagram attached.

Accepted Solution
Cisco Employee

Re: HOW TO CONFIGURE GLBP WITH A FIREWALL BETWEEN THE ROUTERS AND HOSTS

GLBP is a Layer 2 protocol, it can only operate on a local subnet.  Since the routers are on a different subnet (10.12.0.0/16) than the hosts (10.144.0.0/16), GLBP will not load balance for the hosts. The ARP requests from the hosts never cross the firewall, they will be answered by the default gateway, which is 10.144.200.1.

In your GLBP configuration, there will be no load balancing since only one host (10.12.200.2) will issue ARP requests for the router (10.12.200.1) for all transit traffic.  You will still have redundancy.

The routes will ruin your redundancy since the fact that they use the "real" IP address means that if the router fails, all traffic sent to that router will fail.  The routes defeat the whole purpose of GLBP.

You might want to run a routing protocol instead - have the two routers advertise default route information to the firewall.  The routing table will correct itself when one or the other router fails, and should load balance.  This can be tricky, since load balancing may vary depending on the device, software and configuration (is this an ASA firewall?)

One possibility is to consider running the firewall in transparent (layer 2) mode and put the routers on the same subnet as the hosts.  Without knowing what you expect the firewall to do, I can't tell you if that is a good idea.
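The accepted answer's two points (GLBP only hands out virtual MACs to ARP clients in the VIP's own subnet, and untracked static routes to the routers' real addresses black-hole traffic on failure) modelled as an added Python example; this is not code from the thread or from Cisco, and the addresses are the ones quoted in the thread, with the host addresses and the round-robin/failover behaviour constructed for illustration.

```python
"""Constructed model of the thread's topology:
hosts (10.144.0.0/16) -> Check Point firewall -> 2960 -> two GLBP routers (10.12.0.0/16)."""
import ipaddress

HOST_NET = "10.144.0.0/16"      # user subnet behind the firewall
VIP_NET = "10.12.0.0/16"        # subnet where the GLBP virtual IP 10.12.200.1 lives
FW_OUTSIDE = "10.12.200.2"      # the firewall's only router-side address
ROUTERS = {"R1": "10.12.201.3", "R2": "10.12.201.4"}  # next hops of the two static routes


def glbp_forwarders(client_ips, vip_net, routers):
    """Round-robin GLBP: the AVG answers each ARP for the VIP with the next AVF's
    virtual MAC.  ARP is link-local, so a client outside vip_net never sends that
    ARP (its own gateway answers instead) and gets no forwarder at all."""
    net = ipaddress.ip_network(vip_net)
    names = sorted(routers)
    assignment, n = {}, 0
    for ip in client_ips:
        if ipaddress.ip_address(ip) in net:
            assignment[ip] = names[n % len(names)]
            n += 1
    return assignment


def glbp_after_failure(assignment, routers, failed):
    """When an AVF dies the AVG moves its virtual MAC to a surviving AVF, so every
    client keeps a live forwarder without re-ARPing (redundancy is preserved)."""
    alive = [r for r in sorted(routers) if r != failed]
    return {client: (r if r != failed else alive[0]) for client, r in assignment.items()}


def static_ecmp_after_failure(next_hops, failed_ip):
    """Two untracked static defaults to the real router addresses: the dead next hop
    stays in the table and its share of flows is dropped.  Returns the lost fraction."""
    share = 1 / len(next_hops)
    return round(sum(share for hop in next_hops if hop == failed_ip), 2)


if __name__ == "__main__":
    # Thread's design: the firewall is the only ARP client, so one AVF carries everything.
    print(glbp_forwarders([FW_OUTSIDE], VIP_NET, ROUTERS))           # {'10.12.200.2': 'R1'}
    # Hosts behind the firewall never ARP for the VIP at all.
    print(glbp_forwarders(["10.144.1.10"], VIP_NET, ROUTERS))       # {}
    # Transparent-firewall alternative: hosts share the VIP's subnet and alternate AVFs.
    print(glbp_forwarders(["10.144.1.10", "10.144.1.11"], HOST_NET, ROUTERS))
    print(static_ecmp_after_failure(list(ROUTERS.values()), ROUTERS["R2"]))  # 0.5
```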

3 REPLIES
Cisco Employee

Re: HOW TO CONFIGURE GLBP WITH A FIREWALL BETWEEN THE ROUTERS AND HOSTS

In your PowerPoint diagram, the ARPs will stop at the firewall since the PCs are on different subnets than the GLBP routers (the firewall is acting as a router, and answers the ARP request).  Only the firewall can see the GLBP routers, not the PCs.  Your configuration looks correct.  The firewall is a single point of failure in this diagram.

Re: HOW TO CONFIGURE GLBP WITH A FIREWALL BETWEEN THE ROUTERS AND HOSTS

Thanks for your answer.

Is the GLBP configuration o.k.?

What we want is that all traffic from users (10.144.0.0/16) be forwarded to both routers at the same time, so that if one router is DOWN there is no interruption of traffic.

Is the firewall blocking or canceling this behavior of load balancing of GLBP?

We have added two static routes to the Cisco switch:

     ip route 0.0.0.0 0.0.0.0 10.12.201.4

     ip route 0.0.0.0 0.0.0.0 10.12.201.3

The purpose of these two static routes is to forward traffic to both routers at the same time to achieve load balancing.

Do these two static routes help with load balancing?

Thanking you in advance for your answer.

P.S.: We apologize for the delay in answering your comments.
