cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1068
Views
0
Helpful
10
Replies

HSRP for Internet Load Balancing configuration

Anand Narayana
Level 6
Level 6

Hi,

my network will be having 2 ISP, 2 Routers, 2 ASA firewall, each router is connected to respected ASA, ASA has configured as failover.i wanted to achieve load balancing for internet access, so that users should not feel even if only of the ISP or Router fails.

juz go through this configuration & correct me if i am wrong & also giv suggestion where ever it is required.

also suggest me any tracking commands should also be issued.

each router is connected each other for trunking.

10 Replies 10

bjornarsb
Level 4
Level 4

Hi,

If we loook at HSRP separately the users will not notice anything. If you try a ping -t you will se that you lose 4-5 ping packets.

The key point is how your routing is set up.

As I can see from your configuration you have 2 ISP links and 2 different address spaces. Is this PI adresses ? If its provider dependent addresses the ISP's will not route the other IPS's network.

So the users with public addresses will reach Internet only if the link and IP adr. is from the same ISP.

So for full redundancy in this setting you need to run Multihomed BGP with PI addresse.

Have a look at this example:

http://www.cisco.com/en/US/tech/tk365/technologies_configuration_example09186a0080093f2c.shtml

and this:

http://www.cisco.com/en/US/tech/tk365/technologies_configuration_example09186a00800945bf.shtml#conf5

Keep in mind that this will only work if you have PI addresses!

HTH

Regards,

Bjornarsb

Thanks for ur reply Bjornarsb , even if i configure BGP, an mutual understanding between 2 ISP is required, am i right? also can you juz throw a sample working config. bcoz i am bit confused abt the configuration mentioned in the site.

Hi,

Yes you need to agree with your 2 ISP's.

And then you need to choose if you want loadbalancing or just failover (one "cold" link).

Load balancing is not possible in a multihomed environment with two ISPs. BGP selects only the single best path to a destination among the BGP paths that are learned from different ASs, which makes load balancing impossible. However, load sharing is possible in such multihomed BGP networks when you load balance based on using for instance 2 address spaces.

So if you want load balancing this configuration is brilliant : see attachment.

HTH

Regards,

Bjornarsb

You don't have to get into BGP on the routers or neither do you need HSRP. Just give two default routes on your ASA firewall pointing each to the router inside interface. The firewall will do the load balancing for you.

-Hoogen

Do rate if this helps :)

Hi Hoogen,

this is something different from other reply i got, you mean to say juz by entering 2 default routes 1 to Router-1 & the other to Router-2, the ASA itself does a load balancing by nature or any special commands i need to configure on ASA?

No, you need to have proper routing if one link fails and you want both IP segments to work!

Regards,

Bjornarsb

Hi anand,

http://www.cisco.com/en/US/docs/security/asa/asa71/configuration/guide/ip.html#wp1047900

Please have a look at the above link. It clearly states that

"You can define up to three equal cost default route entries per device. Defining more than one equal cost default route entry causes the traffic sent to the default route to be distributed among the specified gateways. When defining more than one default route, you must specify the same interface for each entry."

Only constraint is that if one of your ISP link fails you would have to manually delete the def route.

For the HSRP solution you have used you would probably end up doing the same. The extra commands you might be adding would be the standby track command.

http://www.cisco.com/en/US/products/sw/iosswrel/ps5187/products_command_reference_chapter09186a008017d168.html#wp1084290

With which you would monitor if your ISP link goes down. Also in this solution you would be giving two default routes to the two HSRP ip's for which the ASA would do the load balancing.

So there is no need of high end BGP stuff which people think is neccessary for this kind of scenario. And if you are worried about your users getting 4-5 ping drops adjust the HSRP timers to as low 2 - 3 seconds, and you might be suprised that there are no drops.

-Hoogen

Do rate if this helps :)

Hi ,

Manually configuring is not a prefered solution. On the FW i'm sure that you can add multiple default routes.

However, how about the clients and servers that have an IP in the scope of the IPS that fails!

You definetly need som routing and agree with your ISP's.

We have set up such redundant solution for our own Internet connection, we run BGP outside the two FW's and use local preference for primary path selection. The only different is that we do not have loadbalancing and we have PI addresses.

Regards,

Bjornarsb

Hi Hoogan & Bjor,

k lemme come to final conclusion, if i wanted load balancing then i need to manually add a command, if i want a fail-over the i loose load balancing, so how does a load balancing device is used in between this? radware does the following, any suggestion on this?

i think with a single router connected to 2 ISP, radware can be configured well for load balancing & failover. correct me if i am wrong.

Hi,

We had a loadbalancing device before, but it was very unstable.

Your loadbalancing case is actually solved based on that you have 2 different IP scopes , one for each provider. So when everything is up you have loadbalancing in the same way as the configuration example that i posted in my first reply. (the second one)

Second, if you want full redundancy for both of your IP scopes then its not enough to remove the static route for outgoing traffic.

The case is that PC and servers with public address space need to have a route back for return traffic from Internet. Since you have 2 ISP's they do not route the same 2 address spaces unless you have PI (provider independent addresses)

However if you hesitate to run Multihomed BGP,

you can achive inside reahability to Internet based on floating/manually static route and NAT overload. But then from the outside user cannot reach your servers from internet on the IP scope belonging to the ISP that has the link failure. :)

Hope this was clarifying.

BR,

Bjornarsb

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Innovations in Cisco Full Stack Observability - A new webinar from Cisco