02-14-2020 08:13 PM
We have 2 WAN routers, each connected to a different ISP. On the WAN routers we also have HSRP between them for the LAN segment, and then there is an edge firewall that points to the HSRP virtual IP.
On the WAN side we have achieved load balancing and are receiving inbound internet traffic on both routers.
How can I achieve load balancing on the LAN segment? Changing HSRP to GLBP would help me achieve load balancing, but since the FW is doing NATting for all LAN traffic, the source of each packet will be the same as that of the FW, so would the WAN router assign a different gateway MAC for each inbound packet, and if not, then how can I achieve the LB?
02-14-2020 09:44 PM
Need more clarification: how were you able to achieve incoming traffic load balancing between the ISPs?
Do you have a BGP arrangement with the ISPs?
Are you looking for outbound LB or inbound? What is the requirement? Do you have any hosted service inside?
02-14-2020 10:21 PM
We have a cloud solution which helps us load balance the inbound internet traffic to our WAN routers.
I am looking for outbound internet traffic load balancing, i.e. from LAN to WAN. We have hosted services behind the FW.
02-14-2020 11:47 PM
Hello,
post a schematic drawing of your topology that shows how the firewall, LAN and WAN routers are connected, and how the cloud connections are configured...
02-15-2020 03:37 AM
Your best (and probably only) option is, as you already stated, to use GLBP instead of HSRP. That would equally distribute traffic out to both ISPs. Depending on the bandwidth you have available from both ISPs, you could configure GLBP weighting to reflect different bandwidths...
So, configure the LAN interfaces on both routers with the below:
ISP-A
interface GigabitEthernet0/0
description LAN interface
ip address 192.168.1.2 255.255.255.0
glbp 1 ip 192.168.1.1
ISP-B
interface GigabitEthernet0/0
description LAN interface
ip address 192.168.1.3 255.255.255.0
glbp 1 ip 192.168.1.1
02-15-2020 04:26 AM - edited 02-15-2020 07:35 AM
Hello
@mustansirt wrote:
We have 2 WAN routers, each connected to a different ISP. on the WAN routers we also have HSRP between them for the LAN Segment and then there is an edge firewall points to HSRP virtual IP.
, by changing HSRP to GLBP help me achieve load balancing but since the FW is doing natting for all LAN traffic hence source of each packet will be same of that of FW, so would the WAN router assign different gateway MAC for each inbound packet and if not then how can i achieve the LB.
Use GLBP as you have stated, and then change its load balancing to host independent; this should allow stateful NAT to return the same virtual MAC address for the VIP address the FW is using. I also suggest extending the redirect timers for a failed active virtual forwarder (HSRP member), so GLBP will continue to respond to ARP on behalf of that failed AVF within the designated redirect time value specified.
Example:
glbp x load-balancing host-dependent
glbp x timers redirect 600 14400
02-15-2020 07:14 AM - edited 02-15-2020 07:17 AM
Hello,
below is what I have come up with. Since you have GLBP and the ISPs on the same router, you also need a mechanism to indirectly trigger the failover when the link to the ISP is down. For that, I have configured an IP SLA that monitors the ISP link, and if the ISP link is down, it will shut down the GLBP-enabled interface as well (and clear the NAT translations). If only the GLBP-enabled interface is down, an EEM script will clear the NAT translations. I hope my logic makes sense, and that I didn't miss anything. The GLBP timers are set to the lowest values possible; that might be too aggressive, so if you get a lot of flaps, increase the timers:
R1
track 1 ip sla 1 reachability
!
ip sla 1
icmp-echo 8.8.8.8 source interface GigabitEthernet 0/1
timeout 500
threshold 500
frequency 2
!
ip sla schedule 1 start-time now life forever
!
interface GigabitEthernet0/0
ip address 192.168.1.2 255.255.255.0
glbp 1 ip 192.168.1.1
glbp 1 timers msec 50 msec 70
glbp 1 priority 110
glbp 1 preempt
!
interface GigabitEthernet0/1
description Link to ISP
!
event manager applet GLBP_DOWN
event syslog pattern "Active - Init"
action 1.0 cli command "enable"
action 2.0 cli command "clear ip nat translation *"
action 3.0 cli command "end"
!
event manager applet ISP_DOWN
event track 1 state down
action 1.0 cli command "enable"
action 2.0 cli command "conf t"
action 3.0 cli command "interface GigabitEthernet 0/0"
action 4.0 cli command "shut"
action 5.0 cli command "end"
action 6.0 cli command "clear ip nat translation *"
action 7.0 cli command "end"
R2
track 1 ip sla 1 reachability
!
ip sla 1
icmp-echo 8.8.8.8 source interface GigabitEthernet 0/1
timeout 500
threshold 500
frequency 2
!
ip sla schedule 1 start-time now life forever
!
interface GigabitEthernet0/0
ip address 192.168.1.3 255.255.255.0
glbp 1 ip 192.168.1.1
glbp 1 timers msec 50 msec 70
!
interface GigabitEthernet0/1
description Link to ISP
!
event manager applet GLBP_DOWN
event syslog pattern "Active - Init"
action 1.0 cli command "enable"
action 2.0 cli command "clear ip nat translation *"
action 3.0 cli command "end"
!
event manager applet ISP_DOWN
event track 1 state down
action 1.0 cli command "enable"
action 2.0 cli command "conf t"
action 3.0 cli command "interface GigabitEthernet 0/0"
action 4.0 cli command "shut"
action 5.0 cli command "end"
action 6.0 cli command "clear ip nat translation *"
action 7.0 cli command "end"
02-15-2020 11:20 AM
Hello,
if your routers don't NAT, you don't need the NAT part of the EEM script. The fact that all traffic is sourced from the same MAC address (the firewall) shouldn't be a problem, as the default GLBP load balancing algorithm is round robin. With round-robin, AVG replies to each ARP request for the GLBP virtual IP with each AVF’s virtual MAC address in turns, so all AVFs will be used equally. I would test though if that works...
Here is the changed config minus the NAT part. I also added two EEM scripts for the IP SLA being 'up':
R1
track 1 ip sla 1 reachability
!
ip sla 1
icmp-echo 8.8.8.8 source interface GigabitEthernet 0/1
timeout 500
threshold 500
frequency 2
!
ip sla schedule 1 start-time now life forever
!
interface GigabitEthernet0/0
ip address 192.168.1.2 255.255.255.0
glbp 1 ip 192.168.1.1
glbp 1 load-balancing round-robin
glbp 1 timers msec 50 msec 70
glbp 1 priority 110
glbp 1 preempt
!
interface GigabitEthernet0/1
description Link to ISP
!
event manager applet ISP_DOWN
event track 1 state down
action 1.0 cli command "enable"
action 2.0 cli command "conf t"
action 3.0 cli command "interface GigabitEthernet 0/0"
action 4.0 cli command "shut"
action 5.0 cli command "end"
!
event manager applet ISP_UP
event track 1 state up
action 1.0 cli command "enable"
action 2.0 cli command "conf t"
action 3.0 cli command "interface GigabitEthernet 0/0"
action 4.0 cli command "no shut"
action 5.0 cli command "end"
R2
track 1 ip sla 1 reachability
!
ip sla 1
icmp-echo 8.8.8.8 source interface GigabitEthernet 0/1
timeout 500
threshold 500
frequency 2
!
ip sla schedule 1 start-time now life forever
!
interface GigabitEthernet0/0
ip address 192.168.1.3 255.255.255.0
glbp 1 ip 192.168.1.1
glbp 1 load-balancing round-robin
glbp 1 timers msec 50 msec 70
!
interface GigabitEthernet0/1
description Link to ISP
!
event manager applet ISP_DOWN
event track 1 state down
action 1.0 cli command "enable"
action 2.0 cli command "conf t"
action 3.0 cli command "interface GigabitEthernet 0/0"
action 4.0 cli command "shut"
action 5.0 cli command "end"
!
event manager applet ISP_UP
event track 1 state up
action 1.0 cli command "enable"
action 2.0 cli command "conf t"
action 3.0 cli command "interface GigabitEthernet 0/0"
action 4.0 cli command "no shut"
action 5.0 cli command "end"
02-15-2020 12:45 PM - edited 02-15-2020 12:57 PM
Hello
@Georg Pauwen wrote:
The fact that all traffic is sourced from the same MAC address (the firewall) shouldn't be a problem, as the default GLBP load balancing algorithm is round robin. With round-robin, AVG replies to each ARP request for the GLBP virtual IP with each AVF’s virtual MAC address in turns, so all AVFs will be used equally. I would test though if that works...
I tend to disagree: when you're dealing with stateful NAT you need each LAN host to be able to see the same virtual MAC address each time it ARPs for the GLBP VIP address. My understanding is this will NOT occur with the default GLBP load balancing of round-robin; host independent is required in this scenario.
02-15-2020 01:07 PM
As I understand it, the firewall does the NAT, and the routers do not, as they have public IP addresses. Part of this thread has been between me and the OP in private messages, so not all information is posted here...
02-15-2020 06:21 PM - edited 02-15-2020 06:22 PM
Hello
@Georg Pauwen wrote:
As I understand is, the firewall does the NAT, and the routers do not, as they have public IP addresses. Part of this thread has been between me and OP in private messages, so not all information is posted here...
As this is an open forum I wasn't aware this was a private discussion and was only responding to the post, so apologies.
I am aware that the FW is performing the NAT and that it has a default route/gateway to the WAN routers' GLBP virtual IP address, because the OP had already stated this.
So with this information it does suggest that the FW is using the GLBP virtual IP address for the hosts' NAT translations via the GLBP virtual MAC addresses of the AVFs in the GLBP group of the WAN routers. Now if this is correct, then host independent load balancing is required for successful stateful NAT translation, because GLBP round-robin load balancing, as you suggested, within an SNAT topology won't work: the RR function is to choose each GLBP AVF virtual MAC address in sequence, one after the other, which to my understanding isn't applicable for stateful NAT hosts that require a response with the same virtual MAC address of the GLBP VIP each time they send an ARP request.
02-16-2020 02:01 AM
I am not sure where the stateful NAT is configured, as I don't see it anywhere in this topology. Either way, how did you configure the routers to get the load balancing to work?
02-16-2020 03:56 AM - edited 02-16-2020 03:59 AM
Hello
@Georg Pauwen wrote:
I am not sure where the stateful NAT is configured, as I don't see it anywhere in this topology.
With this topology it looks like it's with the statefulness of the FW's dynamic NAT translations upon GLBP failover regarding the VIP address, and the ability for the host to be able to use the same GLBP router virtual MAC address it was using before failover.
@Georg Pauwen wrote:
Either way, how did you configure the routers to get the load balancing to work ?
Example:
wan rtr(s)
int x/x
description Lan fw facing link
glbp x load-balancing host-dependent
glbp x timers redirect 600 14400
02-16-2020 05:31 AM
Actually, I tested all three load balancing algorithms yesterday. The problem seems to be that only one MAC address comes from the firewall, so GLBP sees only one host, which always takes the same path and never load balances. The only way I got it to work was with stateful NAT and GLBP on the same router... which is basically a different topology...
02-16-2020 10:06 AM - edited 02-16-2020 01:07 PM
Hello
@Georg Pauwen wrote:
The problem seems to be that only one MAC address comes from the firewall,
No problem, it is correct, as this will be the virtual MAC address of the GLBP WAN router that is forwarding packets to the AVG, or the AVG's own virtual MAC address.
@Georg Pauwen wrote:
so GLBP sees only one host, which always takes the same path and never load balances.
The AVG will be the WAN router with the highest GLBP priority, and it will assign itself and each GLBP member (the other WAN routers in the same GLBP group) a virtual MAC address.
sh glbp brief < here you should see all virtual MAC addresses, one for each GLBP member (active and listen states)
Each GLBP member (AVF) will then be able to forward packets sent to it via the GLBP VIP address of the group, and in return the AVG will reply to ARP from the hosts for the VIP address.
When traffic from NATted LAN hosts is initiated internally, if an ARP check is performed on the NAT router/FW for the GLBP VIP address, this should show the GLBP active forwarder virtual MAC address that is responding to the NAT on behalf of the AVG, or it may even be the AVG itself.
sh arp | in <glbp vip>
Either way, whichever WAN router virtual MAC address is responding, if you close that interface down, the other standby GLBP router will become the AVG if it isn't already, but now it will be active for two virtual MAC addresses, its own and the old AVG/AVF virtual MAC address, so the NAT router can and will be responding to the same virtual MAC address even though the physical router that owned it is down. This is where host independent load balancing works!
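To make the disagreement in this thread concrete, here is an added Python model (not code from any participant, and not Cisco IOS behaviour verbatim) of what a GLBP AVG hands out in ARP replies and what a single NATting firewall therefore sees. It uses the real GLBP virtual MAC layout (0007.b400.GGFF) and the default redirect/timeout values of 600 and 14400 seconds that the thread quotes; the host-dependent hash (requester MAC modulo the pool size) and the choice of which surviving AVF takes over a failed forwarder's MAC are simplifying assumptions. The firewall MAC, host MACs and ARP cache lifetime are constructed sample values.

```python
"""Toy model of GLBP AVG ARP-reply selection, AVF failover and a single-MAC client.

Added illustration for the GLBP/NAT discussion; simplified, not an IOS implementation.
"""
from dataclasses import dataclass, field
from itertools import cycle


def virtual_mac(group: int, forwarder: int) -> str:
    """GLBP virtual MAC format 0007.b400.GGFF (group number, forwarder number)."""
    return f"0007.b400.{group:02x}{forwarder:02x}"


@dataclass
class GlbpAvg:
    group: int
    forwarders: int                       # number of AVFs (routers) in the group
    algorithm: str = "round-robin"        # or "host-dependent"
    redirect: int = 600                   # s the AVG keeps advertising a failed AVF's VMAC
    timeout: int = 14400                  # s a secondary AVF keeps forwarding for it
    owner: dict = field(init=False)       # vmac -> router currently forwarding for it
    failed_at: dict = field(init=False)   # vmac -> time its original owner failed
    _rr: object = field(init=False, repr=False)

    def __post_init__(self):
        vmacs = [virtual_mac(self.group, n) for n in range(1, self.forwarders + 1)]
        self.owner = {v: n for n, v in enumerate(vmacs, start=1)}
        self.failed_at = {}
        self._rr = cycle(vmacs)           # round-robin state lives across ARP replies

    def advertised(self, now: int) -> list:
        """VMACs the AVG will still put in ARP replies at time `now`."""
        return [v for v in self.owner
                if v not in self.failed_at or now - self.failed_at[v] < self.redirect]

    def arp_reply(self, requester_mac: str, now: int = 0):
        """Answer an ARP request for the VIP with one forwarder's virtual MAC."""
        pool = self.advertised(now)
        if not pool:
            return None
        if self.algorithm == "host-dependent":
            # Assumption: stable pick keyed on the requester MAC (IOS hashing not modelled).
            key = int(requester_mac.replace(".", "").replace(":", ""), 16)
            return sorted(pool)[key % len(pool)]
        for v in self._rr:                # round-robin: next advertised VMAC in turn
            if v in pool:
                return v

    def avf_down(self, router: int, now: int) -> None:
        """AVF `router` fails: the AVG hands its VMAC to a surviving AVF (secondary)."""
        survivors = sorted({r for r in self.owner.values() if r not in (router, None)})
        for v, r in self.owner.items():
            if r == router:
                self.owner[v] = survivors[0] if survivors else None  # simplified choice
                self.failed_at[v] = now

    def forwarder(self, vmac: str, now: int):
        """Router forwarding frames sent to `vmac`, or None once the timeout has expired."""
        if vmac in self.failed_at and now - self.failed_at[vmac] >= self.timeout:
            return None
        return self.owner.get(vmac)


def simulate_flows(avg: GlbpAvg, client_macs: list, flows: int, arp_ttl: int = 240) -> dict:
    """Send `flows` outbound flows (one per second, cycling over the clients).

    A client only re-ARPs for the VIP once its cached entry is older than `arp_ttl`.
    Returns {router: number of flows it forwarded}.
    """
    cache = {}                            # client mac -> (vmac, learned_at)
    counts = {}
    for i in range(flows):
        mac = client_macs[i % len(client_macs)]
        if mac not in cache or i - cache[mac][1] >= arp_ttl:
            cache[mac] = (avg.arp_reply(mac, i), i)
        r = avg.forwarder(cache[mac][0], i)
        counts[r] = counts.get(r, 0) + 1
    return counts


if __name__ == "__main__":
    FW = "0011.2233.4455"                 # constructed: the only MAC the WAN routers see
    HOSTS = [f"0011.2233.44{h:02x}" for h in range(1, 9)]  # constructed: un-NATted hosts
    for alg in ("round-robin", "host-dependent"):
        print(alg, "single NAT firewall:", simulate_flows(GlbpAvg(1, 2, alg), [FW], 600))
        print(alg, "eight LAN hosts:    ", simulate_flows(GlbpAvg(1, 2, alg), HOSTS, 600))
    # Failover: the firewall keeps using the VMAC it cached; the surviving AVF answers to it.
    avg = GlbpAvg(1, 2, "host-dependent")
    vmac = avg.arp_reply(FW, 0)
    avg.avf_down(avg.owner[vmac], now=10)
    print("after failover:", avg.forwarder(vmac, 20), "advertised after redirect expiry:",
          vmac in avg.advertised(700), "forwarder after timeout:", avg.forwarder(vmac, 15000))
```

With one requester, round-robin only moves traffic between routers at ARP-cache-refresh granularity (every flow inside one cache lifetime follows the same VMAC), while host-dependent pins the firewall to one AVF for good; only with many distinct source MACs does either algorithm spread flows. The failover branch shows why the redirect and timeout timers matter for a NATting firewall: the cached VMAC keeps working on the surviving router until the timeout expires, even though the AVG stops handing it out after the redirect period.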