Load Balancing internet traffic from 1 LAN segment only

Hi team,

I have a core switch 3750 stack with G0/0 going to firewall-1, G0/1 going to firewall-2 and G1/0 going to another router that has the networks A.A.A.0/24, B.B.B.0/24 and C.C.C.0/24.

The scenario would be that the internet traffic from the LAN network 192.168.12.0 should pass through G0/0 and G0/1 for load balancing, and can also access the networks A.A.A.0/24, B.B.B.0/24 and C.C.C.0/24 via the G1/0 interface...

What would be the best approach? And if a route-map will be used, how can I create the route-map statement, since I have only one LAN network segment going to the internet that needs to be balanced and at the same time must be able to access the other networks as indicated above.

thanks!

7 REPLIES

Re: Load Balancing internet traffic from 1 LAN segment only

Hi,

How are the firewalls deployed on your network?

What firewalls are they?

If they are deployed in Active/Active or some other clustering technology, then the firewalls will automatically take care of load balancing. We don't have to perform any configuration changes in our network.

As far as your requirement of accessing the A.A.A.0/24, B.B.B.0/24 and C.C.C.0/24 networks, the routing in your core switch is going to take care of where to forward the traffic destined for these IPs.

Kindly give us more details of your setup/configuration to understand your scenario better, if the above explanation is not applicable to you.

Hope this helps.

-VJ


Re: Load Balancing internet traffic from 1 LAN segment only

hi VJ,

thank you for your response...

Yes, the firewalls are active/active and they are FortiGate 800s.

Well, right now I don't have the exact config so far, but I'm thinking of using PBR in the core switch to distribute the Internet traffic ONLY equally over the two Gig interfaces, G0/0 and G0/1, facing each FortiGate firewall. And the only LAN segment that I have is 192.168.12.0/24.

please see attachment..thanks..

Re: Load Balancing internet traffic from 1 LAN segment only

I believe that routing can solve your issue. How about if you add two default routes pointing to both interfaces G0/0 and G0/1? The traffic will be load balanced using CEF in per-destination fashion. Also, regarding the A/B/C networks, these will be more specific routes, so any traffic targeting these networks will match the more specific routes and go to the right outgoing interface, something like this:

LAN|----Router-------G0/0 Firewall 1
                -------G0/1 Firewall 2
                -------G1/0 A/B/C destinations

! Two equal-cost default routes; CEF shares internet-bound traffic between them
! (interface names abbreviated as in the post; on an Ethernet link add the
! firewall's inside IP as next hop, since an interface-only static route makes
! the switch ARP for every destination and relies on proxy ARP on the firewall)
ip route 0.0.0.0 0.0.0.0 G0/0
ip route 0.0.0.0 0.0.0.0 G0/1
! More-specific routes always win over the defaults, so A/B/C traffic leaves G1/0
ip route A.A.A.0 255.255.255.0 G1/0
ip route B.B.B.0 255.255.255.0 G1/0
ip route C.C.C.0 255.255.255.0 G1/0

Also, you can use the same NAT configuration on both firewalls, with care for static NAT.

Best Regards,

Mounir Mohamed

Re: Load Balancing internet traffic from 1 LAN segment only

Hi,

Thanks for reverting back.

As stated earlier, if your firewalls are running in active/active mode, then there is no need to perform any explicit configuration to do load balancing.

You need to ensure that you have proper routes in your core switch for the networks A.A.A.0/24, B.B.B.0/24 and C.C.C.0/24 pointing to the router connected on g1/0.

This is enough. To summarise,

All your lan users will have their default gateway point to the core.

There should be a default route in your core pointing to the firewall's internal IP address (virtual).

The core should have static routes to reach the subnets A.A.A.0/24, B.B.B.0/24 and C.C.C.0/24 pointing to the router connected on g1/0.

Revert back to us if you need further clarifications.

Hope this helps.

-VJ


Re: Load Balancing internet traffic from 1 LAN segment only

Team,

Thank you for your response, I really appreciate it...

I just want to get your idea and explanation of whether the config below will run on my core switch.

This was posted by Eithel on another forum, addressed to l.ruiz@gamcustom.com.

ip access-list extended internal_routes
 ! Deny RFC 1918 destinations so internal traffic is routed normally instead of
 ! being policy-routed to a firewall; everything else (internet) is matched
 deny ip any 10.0.0.0 0.255.255.255
 ! 172.16.0.0/12; the original had 172.0.0.0 0.240.255.255, which is not the RFC 1918 range
 deny ip any 172.16.0.0 0.15.255.255
 deny ip any 192.168.0.0 0.0.255.255
 permit ip any any
!
route-map groupa permit 10
 match ip address internal_routes
 set ip next-hop x.x.x.x
!
route-map groupb permit 10
 match ip address internal_routes
 set ip next-hop y.y.y.y
!
! int e0 (from my scenario this could be G0/0)
int e0
 ip policy route-map groupa
!
! int e1 (from my scenario this could be G0/1)
int e1
 ip policy route-map groupb

This will block the internal traffic from traversing the firewall and allow the rest.

Questions:

- Will this be feasible in my case?

- With the ip policy route-map applied on the E0 and E1 interfaces using the same match statements, will this run the load balancing of internet traffic, distributing it equally to the 2 interfaces in round-robin fashion?

If so, I'm going to add the default routes or static routes to G1/0.

thanks....

Re: Load Balancing internet traffic from 1 LAN segment only

Hi,

First some clarifications:

1) load balancing is done in the 3750, which works as a Layer 3 switch (router)?

2) load balancing will be done from G1/0 to G0/0 and G0/1 based on source IP; return traffic will always go through G1/0?

3) the firewalls are doing dynamic NAT?

4) each firewall has a dedicated connection to the internet with a separate official IP?

Assuming 4) is true, and because of 3), you MUST make sure all IP packets of a TCP/UDP session always go through the same firewall. Otherwise different packets of a single session will reach the destination internet host with different source IPs and the TCP session will not work.

Therefore "perfect" load balancing is also not possible (assuming only a single TCP session, there is NO load sharing possible).

So the solution would be, e.g., to send half of your hosts in 192.168.12.0/24 to FW1 and half to FW2 based on source IP. This can be achieved through policy based routing.

An example config could be:

! Hosts 192.168.12.0-127 go to FW1; RFC 1918 destinations are denied so they
! fall through to the normal routing table (A/B/C networks via G1/0)
ip access-list extended lowIP
 deny ip any 10.0.0.0 0.255.255.255
 deny ip any 172.16.0.0 0.15.255.255
 deny ip any 192.168.0.0 0.0.255.255
 permit ip 192.168.12.0 0.0.0.127 any
!
! Hosts 192.168.12.128-255 go to FW2
ip access-list extended highIP
 deny ip any 10.0.0.0 0.255.255.255
 deny ip any 172.16.0.0 0.15.255.255
 deny ip any 192.168.0.0 0.0.255.255
 permit ip 192.168.12.128 0.0.0.127 any
!
route-map PBR permit 10
 match ip address lowIP
 ! next-hop is FW1's internal IP (the address is missing from the original post)
 set ip next-hop
!
route-map PBR permit 20
 match ip address highIP
 ! next-hop is FW2's internal IP (the address is missing from the original post)
 set ip next-hop
!
! Policy routing acts on packets received on this interface
int G1/0
 ip policy route-map PBR

Another option would be to use CEF based load balancing. Then you only need to install two default routes pointing to the FW1 and FW2 internal IPs respectively. CEF by default uses per-destination load sharing, which should also distribute the traffic between the two FWs so that a single session always goes through one FW.

Which option is more suitable in your environment will involve some testing, as it depends on your traffic pattern, i.e. which hosts are generating how much load.

Hope this helps! Please use the rating system.

Regards, Martin
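The two designs proposed in this thread (Mounir's pair of equal-cost default routes shared by CEF, and Martin's source-based PBR split) both hinge on one constraint: with each firewall doing dynamic NAT to a different ISP address, every packet of a session has to leave through the same firewall. The following Python simulation is an added example, not code from the thread or from Cisco. It models the routing table the posts describe (placeholder prefixes 10.10.10.0/24, 10.10.20.0/24 and 10.10.30.0/24 stand in for A.A.A.0/24, B.B.B.0/24 and C.C.C.0/24; the two firewall public addresses are assumed) and compares the per-packet round robin the original poster asked for against CEF per-destination hashing and Martin's route-map, by recording which public source address the remote host would see over one session.

```python
import hashlib
import ipaddress

# Constructed topology for the thread's scenario: LAN 192.168.12.0/24 behind the
# 3750, FW1 on G0/0 and FW2 on G0/1 each doing dynamic NAT to its own ISP
# address (both public addresses are assumed), and three networks behind the
# router on G1/0 (placeholder prefixes for A.A.A.0/24, B.B.B.0/24, C.C.C.0/24).
NAT_IP = {"G0/0": "203.0.113.10", "G0/1": "198.51.100.20"}  # assumed values

# Static routing table as Mounir and Martin describe it: two equal-cost
# default routes plus more-specific routes for the A/B/C networks.
RIB = [
    (ipaddress.ip_network("10.10.10.0/24"), ["G1/0"]),
    (ipaddress.ip_network("10.10.20.0/24"), ["G1/0"]),
    (ipaddress.ip_network("10.10.30.0/24"), ["G1/0"]),
    (ipaddress.ip_network("0.0.0.0/0"), ["G0/0", "G0/1"]),
]

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def lookup(dst):
    """Longest-prefix match: return the candidate egress interfaces for dst."""
    dst = ipaddress.ip_address(dst)
    net, paths = max(((n, p) for n, p in RIB if dst in n),
                     key=lambda entry: entry[0].prefixlen)
    return paths


def cef_per_destination(src, dst, paths):
    """CEF per-destination sharing: a stable hash of (src, dst) selects the
    path, so every packet of a flow takes the same firewall."""
    digest = hashlib.sha256(f"{src}>{dst}".encode()).digest()
    return paths[int.from_bytes(digest[:4], "big") % len(paths)]


class RoundRobin:
    """Per-packet sharing: alternate paths packet by packet (what the OP asked for)."""
    def __init__(self):
        self.count = 0

    def pick(self, paths):
        path = paths[self.count % len(paths)]
        self.count += 1
        return path


def pbr_next_hop(src, dst):
    """Martin's route-map PBR: RFC 1918 destinations are denied by both ACLs and
    fall through to normal routing; otherwise 192.168.12.0/25 -> FW1 (G0/0)
    and 192.168.12.128/25 -> FW2 (G0/1)."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if any(dst in net for net in RFC1918):
        return None
    if src in ipaddress.ip_network("192.168.12.0/25"):
        return "G0/0"
    if src in ipaddress.ip_network("192.168.12.128/25"):
        return "G0/1"
    return None


def forward(src, dst, mode, rr=None):
    """Egress interface for one packet under mode 'per-packet',
    'per-destination' or 'pbr'."""
    if mode == "pbr":
        hop = pbr_next_hop(src, dst)
        if hop is not None:
            return hop
    paths = lookup(dst)
    if len(paths) == 1:
        return paths[0]          # more-specific route: no sharing involved
    if mode == "per-packet":
        return rr.pick(paths)
    return cef_per_destination(src, dst, paths)


def session_source_ips(src, dst, mode, packets=4):
    """Public source addresses the remote host sees across one session.
    A NATed session only works if this set has exactly one element."""
    rr = RoundRobin()
    seen = set()
    for _ in range(packets):
        egress = forward(src, dst, mode, rr)
        seen.add(NAT_IP.get(egress, f"no-NAT via {egress}"))
    return seen


if __name__ == "__main__":
    for mode in ("per-packet", "per-destination", "pbr"):
        ips = session_source_ips("192.168.12.5", "93.184.216.34", mode)
        verdict = "OK" if len(ips) == 1 else "SESSION BREAKS"
        print(f"{mode:16} -> {sorted(ips)}  {verdict}")
    print("A-network destination leaves via", forward("192.168.12.5", "10.10.10.7", "pbr"))
```

Running it shows the per-packet case producing two different public source addresses within one session, which is exactly the failure Martin describes, while both per-destination CEF and the /25 PBR split keep a session on one firewall, and a destination in one of the A/B/C networks leaves via G1/0 in every mode because the more-specific route wins.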


Re: Load Balancing internet traffic from 1 LAN segment only

Hi Martin,

Thank you for your information..

First some clarifications:

1) load balancing is done in the 3750, which works as a Layer 3 switch (router)? --> yes, it will use the L3 IOS and is configured as a stack.

2) load balancing will be done from G1/0 to G0/0 and G0/1 based on source IP; return traffic will always go through G1/0 (correct - the specific networks will exit on this interface G1/0)

3) the firewalls are doing dynamic NAT? --> yes

4) each firewall has a dedicated connection to the internet with a separate official IP? --> yes (two different ISPs with different ranges of IPs.)

thanks..
