There's a mobile version of our website.
Hello! We have the following setup:
Two 1700 routers with one WIC-ADSL interface in each connected to the same ISP; the two ADSL lines are separate.
The ethernet interfaces are on the same VLAN as each other plus there is also the outside interface of a PIX firewall on the same VLAN.
All users access the internet through the firewall and then out of the routers. We have normal Active/Passive HSRP running, however the customer now wants to load balance the two ADSL circuits to maximise throughput.
The question is which is the best way to load balance please? Is it GBLP or OER or VRRP?
A concern that our tech guys are bringing up is the fact that the balancing methods are based on MAC addresses, and since there is only internal device (i.e. the PIX firewall) there may be difficulty balancing the load since the PIX will only look at one router.
Can anyone shed light on this for me please? Which is the best method of load balancing?
It's not quite true to say that a VRRP/GLBP setup will not work because the PIX only looks at one interface. In fact, with such a setup, the PIX will only believe that there is a single physical device out there, with it's IP address being the virtual address assigned via VRRP/GLBP.
I would go for GLBP because it lets you do load-sharing and will certainly work in this scenario. While you can do load-sharing by using multiple VRRP groups, that is not quite applicable in your scenario since you only have a single device connected to the 2 routers.
Pls do remember to rate posts.
Thanks for the amazingly quick response! I notice you don't mention OER; is there a reason for that based on some previous experience?
The reason I did not mention OER is that it is probably overkill for your setup and secondly, I don't personally have much operational experience with it. But, of course, you are welcome to use it ...
Pls do remember to rate posts.
I'm doing some research into GLBP and have seen the following:
GLBP Active Virtual Gateway
Members of a GLBP group elect one gateway to be the active virtual gateway (AVG) for that group. Other group members provide backup for the AVG in the event that the AVG becomes unavailable. The function of the AVG is that it assigns a virtual MAC address to each member of the GLBP group. Each gateway assumes responsibility for forwarding packets sent to the virtual MAC address assigned to it by the AVG. These gateways are known as active virtual forwarders (AVFs) for their virtual MAC address.
The AVG is also responsible for answering Address Resolution Protocol (ARP) requests for the virtual IP address.
Load sharing is achieved by the AVG replying to the ARP requests with different virtual MAC addresses.
The last sentence is the one that concerns me - we have a single PIX firewall that is doing the ARP requests; surely the PIX will only ARP for it's gateway once every once in a while - once it receives the response containing the virtual MAC (which is attached to only one of the routers - each router has it's own virtual MAC) then it will send all it's traffic to that router.
Is the above correct?
Paresh - thanks for your help - I really appreciate it.
Good observation.. you are correct. The load-balancing part of GLBP will not work too well with your setup since it's very unlikely to time out its MAC association once it acquires it.
I guess that kinda rules out GLBP. I'm not an expert on PIXes but don't they run OSPF ? You could run OSPF between the PIX and the two routers and get it to load-share that way. You could configure the two routers to conditionally inject a default route into OSPF when their outbound link is up.
Just a thought...
Darn!! I was hoping you were going to prove me wrong on this; GLBP seems like an easy option...
We have tried OSPF and balanced using source IP address however the links were not well balanced; even as bad as 80/20 sometimes.
Looking through OER - you were right about it being heavy; going to take some time to implement.
Login to share your discussion activity with your friends on Facebook. You can control what you share and turn off sharing anytime.
Your Facebook friends can now see that you have started this discussion
Your Facebook friends can now see that you have commented on this discussion
Your Facebook friends can now see that you have read this discussion