Re: Load balancing between two deafult gatways in FTD

Chess Norris · ‎04-24-2023

Hello,

I'm planning for a new FTD setup where the outside interface on the FTD connects with an etherchannel to a switchstack. On the same outside subnet there will be two ASR 1001 routers, each connected to different ISP:s. Now on the FTD I want to add both those ASR routers as default gateways and load balance the traffic between then and also use IP SLA if one of the ASR interface is down.

Would it be possible to achive this by just adding two static routes with the same metric in the FTD, using the ASR routers as gateways and then add tracking with two IP SLA objects - one for each router interface?

I'm a bit unsure if this will be enough or if I need to configure ECMP as well?

Thanks

/Chess

Rob Ingram · ‎04-25-2023

@Chess Norris you can use ECMP zones to group the outside interfaces and load balance

https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/management-center/device-config/720/management-center-device-config-72/routing-ecmp.html

Chess Norris · ‎04-25-2023

@Rob Ingram In this case there is only a singe outside interface on the FTD and the two ASR routers are on the same subnet. Is ECMP still a requirement or is it only for situations were you are using multiple interfaces on the FTD?

Rob Ingram · ‎04-25-2023

@Chess Norris ok, FTD ECMP would be if you had multiple interfaces on the FTD.

In your situation then you only have 1 interface and 1 next hop, so if the ASR router has equal cost routes to the internet, let the ASR do the ECMP.

Chess Norris · ‎04-25-2023

@Rob Ingram It will be only 1 interface on the FTD, but two next hop (one to each ASR)

Rob Ingram · ‎04-25-2023

@Chess Norris ok, so the switch is merely L2 then, so configure 2 default routes on the FTD.

Chess Norris · ‎04-25-2023

Thanks Rob. We will try with that.

MHM Cisco World · ‎04-25-2023

Config hsrp in asr and add defualt route in FTD toward the the VIP of hsrp.

This give you redundacy not load balance

Chess Norris · ‎04-25-2023

I've suggested HSRP to the network team, but they was a bit doubtful to use it due to some previous issues with HSRP on ASR rotuers. Will it work by configuring two default gateways on the FTD with the same metric instead?

MHM Cisco World · ‎04-25-2023

You can associate the ECMP zone interfaces with equal cost static route by defining them with same destination and metric value, but with different gateway.
the FTD ECMP guide dont specify if you can or can not use same interface but it mention you must use different gateway and that same in your case, you use two gateway.
you can try and add same interface and check if FTD can accept it.

Marvin Rhoads · ‎04-25-2023

I have used ASRs with separate ISPs as the devices to make routing decisions regarding availability and best path. Standard eBGP to the world and iBGP between them. Then an HSRP VIP that the FTD device points to as the default gateway for first hop redundancy.

That way the firewall has the simplest possible external routing and you still get all the benefits of BGP full tables along with resiliency, redundancy etc.

MHM Cisco World · ‎04-25-2023

I already suggest to him hsrp but he mention that asr have some issue with hsrp.

Thanks

Marvin Rhoads · ‎04-25-2023

I've used HSRP this way successfully on several deployment where the customer ASR is the small-medium type (1002, 1006 models I recall) running IOS-XE.

I have not had the chance to try it on one of the big ASR 9k series models that run IOS-XR.

Chess Norris · ‎04-26-2023

HSRP was my first thought as well, but the network team that deals with the routers was against from previous experiences. Anyway thanks for confirming that HSRP is working and we can have that as a backup plan if the other solution doesn't work.

/Chess