cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1562
Views
0
Helpful
6
Replies

GLB two routers 2 ISPs one firewall behind

minoc
Level 1
Level 1

Hello all,

I am working with the following solution:

1. 2 3700

2. Each router has a connection to a different ISP.

3. A firewall behind the routers

To simplify things, I would like to perform stateful nat on the 3700's instead of the firewall. Here is the thing, I was reading a Cisco document that says " Special considerations apply in environments where network address translation (NAT) is used, as the ARP-based load sharing of GLBP may redirect client traffic to the alternate path. Currently, the use of NAT and more specifically, Stateful NAT is not recommended with GLBP." at http://www.cisco.com/en/US/customer/tech/tk869/tk769/technologies_white_paper0900aecd801790a3.shtml

I am confuse on this, does it means clients from the Internet or internal clients (In my case the firewall)?.

What I am looking for is a way to perform static NAT on the routers for servers behind the firewall. Also have a way to obtain redundancy and failover. By this I mean, internal clients behind the firewall should have access to the Internet without disruption. In the event router1 goes down, router2 will provide access to the Internet. Or better yet load balance between both routers. Clients coming from ISP 2 domain must enter router2 this is a local government own WAN that offers Internet access also. All other request to our internal web server coming from anywhere on the Internet should enter router1 which connects to a local ISP. For this we will setup the DNS server records to point to the ISP IP address range.

I am including a PPT file with the configuration for your reference.

Any ideas or comments on this?...

Regards

Carlos Roque

Office Of Management And Budget

6 Replies 6

aacole
Level 5
Level 5

Hi Carlos,

I was just in this form posting up a question on another topic and read this, sounds interesting.

I've done something similar to this, my customer wanted to have multiple WAN links to different ISP's and load balance outbound (to the Internet) traffic.

I achieved this by simply running OSPF on the Inside networks of the Internet routers and the firewall, it provided both automatic failiver and load balancing.

Andy

Hello,

thanks for replying my message...

The only problem is that we are not allow to run any routing protocol between both providers. We use only default routes towards both upstream routers. This means that asymetric routing will not happen, and that's what I am looking for. See the IT Manager wants all traffic coming from the Internet to always enter trough router1 (ISP). Any client located in the Gov WAN should enter trough router2.

Have you done this doing stateful NAT in the routers and running GLB at the same time?...

Regards,

Carlos Roque

Hi Carlos,

No I havn't, in the solution I provided we had 2 ISP's but we supplied and managed the routers, the ISP's just provided a serial link each. So OSPF was not a problem.

Andy

I see, so you setup OSPF between the routers and the ISP?. Or just between both routers only?. And then use default gateway towards both providers upstream routers.

Does GLB requires a routing protocol to work?.

I was thinking that with default routes will work just fine.

Regards,

Carlos Roque

Do you have any links to documentation on how to set this up?

We have a similar setup as this, but I believe we 'control the routers' as well (we just get regular T1 lines into here, and we want to share among them, and have fall-over. What's we will soon have cisco IOS routers all over the place to terminate the T1s and elsewhere. I just don't know where to look, or what it is called that I'm looking for--which makes finding a solution hard.

I appreciate any help you can provide.

In my original post there is a link to a document on GLBP. It basically describes everything about this new feature.

Here is another link with more info:

http://www.cisco.com/en/US/products/sw/iosswrel/ps1839/products_feature_guide09186a00801541c8.html#wp1027177

GLBP provides failover with load sharing that is much better than HSRP. Configuring GLBP is the same as HSRP, the command are very similar.

The problem or question I have is that behind both routers there is only one firewall. so I am not sure if using GLB will provide us any advantage. As per Cisco documentation what are behind the routers are regular users. GLBP provides at least three way of sharing the links on the routers, host dependent, round-robin or weighted.

Also the document states that GLBP is not recommended when using stateful Nating. I am not sure what this means ...

In my case the following applies:

1. The firewall behind the routers uses clustering.

2. One router will connect to a private WAN

3. The second router will connect to an ISP

4. GLBP works well when using Asymetric routing. In my environment this will not happen. Both routers will connect to different WAN's. I am not planning on using any routing protocol either, so we will be using static routes and default gateways.

I am planning on doing some testing to see how it works.

If you need more assistance or have more questions let me know, I may be able to help you with configuration examples.

Regards,

Carlos Roque