
New Member

WAN load balance but synchronous!

I have a specific requirement and can't seem to find a good solution. I'm hoping Cisco has a technology or method that I'm not familiar with. Here is a quick breakdown:

Aim - To utilise two links from a remote location to two connections at a data center to achieve an active/active use of the links.

The problem - Firewalls are present at each of the data centers which will prevent asynchronous traffic from being acceptable. See diagram below.

ClientA....................ClientB
|......................................|
|......................................|
Switch1---Trunk----Switch2
|......................................|
|......................................|
Router1................Router2
|......................................|
|......................................|
FW............................FW
|......................................|
|......................................|
DC_SW1---Routed---DC_SW2
|.....................................|
|.....................................|
SERVER_LAN1..........SERVER_LAN2

Note that ClientA and ClientB are in the same VLAN. Note in some remote cases only Server_LAN1 or 2 may be used.

Can anyone suggest a possible solution to this problem?

Thanks in advance.

13 REPLIES
Hall of Fame Super Gold

Re: WAN load balance but synchronous!

1. Nice use of dot padding to overcome forum limitations.

2. I suppose that by asynchronous, you mean asymmetric.

3. What are DC_SW1 and 2? If they can terminate GRE, and if you can let the FWs pass GRE, load balancing should be possible.

New Member

Re: WAN load balance but synchronous!

1. Thanks :)

2. Yes, sorry, I did mean asymmetric.

3. The switches are CAT 3750 stacks.

The routers actually already run IPSEC with tunnel interfaces and terminate on routers that are placed just in front of the firewalls (sorry, omitted from the diagram). The LAN interfaces of the routers connect to a firewall DMZ (which is where the asymmetric problem occurs). I do understand your recommendation though, but could I run a tunnel inside a tunnel? (if you see what I mean).

Hall of Fame Super Gold

Re: WAN load balance but synchronous!

Yes, in theory you can transport a tunnel within a tunnel, but perhaps there's an easier solution considering the equipment omitted. Really, a more complete diagram would be needed.

New Member

Re: WAN load balance but synchronous!

I hope so. I have attached a complete diagram with all devices. I hope this will make it more clear and present a solution.

I look forward to any suggestions you may have.

Thanks again.

Hall of Fame Super Gold

Re: WAN load balance but synchronous!

Hi, let's call the four routers

A - B

C - D

Now if you build additional tunnels between A and D, and between B and C, and make sure you have equal-cost routes to the destination, the routers will load balance.

Symmetry is guaranteed by the fact that the default load balancing algorithm will ensure that each flow sticks to one path only, hence hitting one FW only, which will return traffic on the connected router.

Good luck!

New Member

Re: WAN load balance but synchronous!

I understand that would work from Client to Server, but when the server needs to talk to a client, will it not always use the same path? I.e. only one ISP link will be used for return traffic?

Hall of Fame Super Gold

Re: WAN load balance but synchronous!

Even for server to client, each flow will use a single path. But on average, across all conversations, both paths will be used.

New Member

Re: WAN load balance but synchronous!

OK, so from the perspective of server1, how will its traffic make use of both the router behind the DC1 DMZ and the DC2 DMZ?

Hall of Fame Super Gold

Re: WAN load balance but synchronous!

How are the 3750s configured? Do the FWs present one virtual IP address, or two different IP addresses?

New Member

Re: WAN load balance but synchronous!

Two different addresses. They are entirely independent firewalls.

Hall of Fame Super Gold

Re: WAN load balance but synchronous!

That is the problem. The switches have no way of knowing from where the connection came.

So a possible solution would be to move or add the lower routers inside, and have GRE across the FWs.

New Member

Re: WAN load balance but synchronous!

Unfortunately, due to security policy, that is not possible. I was thinking that I could use NAT on the routers to change the source address so that it would be clear from which direction the traffic came. Do you think that would work?

Thanks for all your help

Hall of Fame Super Gold

Re: WAN load balance but synchronous!

Yes, but you would need NAT routers between the FWs and the servers, so that, using multiple outside interfaces, they would always route back to the right interface.

Put it this way: the FWs are in practice preventing you from fulfilling the requirements you've been given. Either change them to be a stateful pair, or change the security policy.
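The per-flow load balancing, the return-path problem at the DC switches and the per-path NAT idea discussed in this thread, as an added simulation that is not from the thread or from any Cisco product; the two-firewall topology, the client prefix, the NAT pools and the server address are all constructed for the example.

```python
import hashlib
import ipaddress

# Constructed model of the thread's topology: two WAN paths, each ending at its own
# independent stateful firewall. Prefixes and pools are invented for the example.
PATHS = ("FW1", "FW2")
CLIENT_PREFIX = ipaddress.ip_network("192.168.10.0/24")
# Hypothetical per-path NAT pools; the DC side routes each pool via one firewall only.
NAT_POOLS = {"FW1": ipaddress.ip_network("10.1.0.0/24"),
             "FW2": ipaddress.ip_network("10.2.0.0/24")}

def hash_path(src, dst):
    """Per-flow load balancing: hash (src, dst) so every packet of a flow takes one path."""
    digest = hashlib.sha256(f"{src}->{dst}".encode()).digest()
    return PATHS[digest[0] % len(PATHS)]

def nat_source(client, path):
    """Translate the client into the pool tied to the path its packets left on (1:1 by host part)."""
    host = int(ipaddress.ip_address(client)) & 0xFF
    return str(NAT_POOLS[path].network_address + host)

def return_path(server, dst):
    """DC switch chooses the way back to dst. A NAT pool prefix is reachable via one FW only;
    the real client prefix is reachable via both with equal cost, so the switch just hashes,
    with no knowledge of which firewall holds the connection state."""
    for path, pool in NAT_POOLS.items():
        if ipaddress.ip_address(dst) in pool:
            return path
    return hash_path(server, dst)

def simulate(client, server, use_nat):
    """Return (outbound FW, return FW, symmetric?) for one client-to-server flow."""
    outbound = hash_path(client, server)
    src_seen_at_dc = nat_source(client, outbound) if use_nat else client
    inbound = return_path(server, src_seen_at_dc)
    return outbound, inbound, outbound == inbound

def count_asymmetric(use_nat, flows=200):
    """Count flows whose reply reaches a firewall that never saw the forward packets."""
    server = "172.16.0.10"
    return sum(1 for i in range(1, flows + 1)
               if not simulate(str(CLIENT_PREFIX.network_address + i), server, use_nat)[2])

if __name__ == "__main__":
    print("asymmetric flows without NAT:", count_asymmetric(False))
    print("asymmetric flows with per-path NAT:", count_asymmetric(True))
```

Without NAT roughly half the replies land on the firewall that holds no state for the flow and would be dropped; with a source pool that the DC side can only reach through one firewall, every reply returns through the firewall that saw the original packets.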
