
EIGRP load balancing in WAN, HSRP in LAN

bartholomiew
Level 1

Hello

Currently we have WAN built with IPSec VPN tunnels and GRE over it. IPSec tunnel peers are the WAN side HSRP virtual IPs. We'd like to balance the load between the two routers in locations and in HQ. Now HSRP active nodes take all traffic and sometimes are a bit overloaded.

The idea is to create separate tunnels between physical nodes and use EIGRP (which we also currently run) to load balance between these new paths. Nevertheless we'd like to keep the HSRP virtual IP on the LAN side.

Please refer to the diagram for details.

We assume:

- manipulating path metrics with "delay" parameter

- enabling variance and load-share balance in EIGRP

The question is: is such a solution possible to implement? If yes, what should we also focus on besides the things marked on the diagram? Maybe some additional settings?

new-gre-design.jpg

Thanks in advance for your responses.

Regards

Bartek


Giuseppe Larosa
Hall of Fame

Hello Bartek,

the new GRE and IPSec endpoints will be addresses on the routers.

Because user traffic is sent to HSRP active, if the HSRP active role is performed by a single router for all groups in all client VLANs, the end result is that load balancing is difficult.

When playing with EIGRP metric and variance we have to remember that the variance command does not override the feasibility condition of EIGRP, which says what paths are potential backup paths.

The FC condition says: consider a route via a neighbor a successor if the advertised distance (that is, the metric for the route from the point of view of the neighbor) is strictly less than the best metric to the best path (that is, the metric as calculated on the local node).

In your case you should make the EIGRP metric as seen in the colocated router (HSRP standby) less than the metric seen on the HSRP active router in order to have the HSRP active router use both paths (its GRE over IPSec tunnel, and the path made of the LAN interconnection to HSRP standby + the standby GRE over IPSec tunnel).

This can be done by having an increased delay on the GRE tunnel between primary routers (HSRP active to HSRP active on the LAN side).

You can use show interface to see the delay associated with interfaces.

If multiple client VLANs exist at both sites, the easy way to achieve some load sharing is by having a distribution of the HSRP active role per client VLAN over the two routers in each site. Even without playing with delay it is possible to achieve some load sharing as just described (if multiple client VLANs exist in both sites).

Hope to help

Giuseppe

Giuseppe - thanks for your answer.

It sounds a bit complicated but still possible. We'll try to build a lab to test it.

More questions:

1. How about GLBP (instead of HSRP) - would it work in this scenario?

2. Must EIGRP variance and load-share be set up on both sides to make it work (HQ & branch)?

3. When I'd like to meet the feasibility condition in this case, I'd need to set up a smaller metric on path C-D than it is on path A. Then, it'd appear that the RB2 (branch standby router) is advertising a better route to the HQ (about branch network) than RB1. I'd like to leave the best route to be only between active routers. Is it possible? Or am I mixing something?

If multiple client VLANs exist at both sites, the easy way to achieve some load sharing is by having a distribution of the HSRP active role per client VLAN over the two routers in each site. Even without playing with delay it is possible to achieve some load sharing as just described (if multiple client VLANs exist in both sites).

It's unfortunately not the case here because VLANs are only on the branch side and there is unequal load between them (one big for users, and a few small ones for other stuff, e.g. printers).

Regards

BK

Hello Bartek,

Yes, it is complex but it is possible.

1) GLBP would be the right tool to get load sharing if supported and if the client VLANs are directly connected to the routers speaking GLBP, as GLBP load balancing is an ARP game (different answers to different client ARP requests to resolve the GLBP VIP IP address).

Note that with GLBP you can avoid playing with delay and EIGRP variance.

It could be the best solution.

2) Yes, both sides, or you could end up with load balancing in only one direction.

3) This is the tricky part: to pass the feasibility condition the path between secondary routers has to be better than that between primary routers. Note that if the cost is equal (default settings) there is no successor, as the reported distance would be equal and not less than the best metric on the primary router.

I understand that it is not immediate, but it is the only way in your scenario to achieve load balancing unless GLBP is used instead of HSRP.

If you leave the best route on the primary HSRP active routers you cannot achieve load sharing. You just have a backup GRE over IPSec tunnel between secondary routers that is already in place. You would get a gain just in network transitions in network convergence.

Hope to help

Giuseppe
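
The feasibility condition and variance behaviour discussed in the two answers above, as an added example that is not part of the original thread: a simplified Python model of the classic EIGRP composite metric (default K values) as seen from RB1. The link bandwidth and delay values are constructed, the path names `own-tunnel` and `via-RB2` are assumptions, and the tunnel delay is the only knob being varied.

```python
# Added example: simplified model of classic EIGRP path selection.
# Not router code; bandwidth/delay values below are constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Link:
    bw_kbps: int     # interface "bandwidth" in kbit/s
    delay_10us: int  # interface "delay" in tens of microseconds


def metric(links):
    """Classic metric, K1 = K3 = 1: 256 * (10^7 / min bandwidth + sum of delays)."""
    if not links:
        return 0
    return 256 * (10**7 // min(l.bw_kbps for l in links)
                  + sum(l.delay_10us for l in links))


def installed_paths(paths, variance=1):
    """paths maps a name to the list of links from the local router to the
    destination; the first link leads to the neighbor. Returns the paths
    that end up in the routing table."""
    total = {n: metric(ls) for n, ls in paths.items()}
    # Reported distance: the neighbor's own metric (path minus the first hop).
    reported = {n: metric(ls[1:]) for n, ls in paths.items()}
    fd = min(total.values())  # feasible distance = best local metric
    return sorted(
        n for n in paths
        if total[n] == fd                      # successor (best path)
        or (reported[n] < fd                   # feasibility condition, strict
            and total[n] <= variance * fd)     # variance window (model assumption)
    )


def rb1_paths(primary_tunnel_delay):
    """RB1's two candidate paths to the HQ LAN (constructed topology)."""
    hq_lan = Link(100_000, 10)
    branch_lan = Link(100_000, 10)               # RB1 <-> RB2 interconnect
    tunnel_primary = Link(2_000, primary_tunnel_delay)
    tunnel_secondary = Link(2_000, 2_000)
    return {"own-tunnel": [tunnel_primary, hq_lan],
            "via-RB2": [branch_lan, tunnel_secondary, hq_lan]}


if __name__ == "__main__":
    for delay, var in [(2_000, 2), (3_000, 1), (3_000, 2)]:
        print(delay, var, installed_paths(rb1_paths(delay), var))
```

With equal tunnel delays RB2's reported distance equals RB1's feasible distance, so variance alone installs nothing extra; once the primary tunnel delay is raised, both paths pass the feasibility condition and variance decides whether the second one is used.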

Thanks Giuseppe

I'll try to do some tests with GLBP, maybe it'll work better.

Regards

BK
