Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2484
Views
0
Helpful
6
Replies

Load Balancing over a L3 Etherchannel with GRE/IPSec

Tony Riccardi
Level 1
Level 1

‎05-19-2011 02:37 PM - edited ‎03-04-2019 12:27 PM

Here's the proposed network I have to work with:  LAN A >> ASA Cluster >> 2x3750G Stack >> Cross-stack L3 Etherchannel (2x100Mb Circuits) >> 2x3750G Stack >> ASA Cluster >> LAN B  Company policy governs that traffic between LAN A and LAN B must now be encrypted. ASA Firewalls have been purchased in advance and will be place into the network as above.   Src-dst-ip load-balancing is currently in place on the Layer-3 Eherchannel.  How can I encrypt the traffic using the ASAs and still ensure proper load-balancing over the circuits?  I was about to configure a IPSec/GRE Tunnel between the ASA Clusters but I'm concerned that the tunnel will not be load-balanced over the ether channel based on the single source and destination IPs I will need to configure.   The Community's help and suggestions would be warmly appreciated.

Labels:
0 Helpful
6 Replies 6

Jon Marshall
Hall of Fame
Hall of Fame

‎05-20-2011 04:07 AM 

tony.riccardi wrote:
  How can I encrypt the traffic using the ASAs and still ensure proper load-balancing over the circuits?

I can't see how you could because as you say the src and dst ip will always be the same assuming you are setting up an IPSEC peer to peer VPN ie. a VPN tunnel between the 2 ASA clusters.

And unfortunately the 3750 does not support per-packet load-balancing so you cannot break the etherchannel up and have 2 equal cost paths to the other side.

So unless you can upgrade the link to 10Gbps i'm afraid you will have to make do with only 100Mb and have the other link in the etherchannel purely as a backup.

Jon

0 Helpful

Tony Riccardi
Level 1
Level 1
In response to Jon Marshall

‎05-20-2011 04:26 AM

Thanks for your reply Jon.

Yes - I am going to set up an IPSec GRE between the two clusters.

Can you confirm what you mean by upgrading the links to 10Gbps? How will this help in the load-balancing issue?

Can the ASAs themselves provide encryption on ingress traffic from the LAN (without the need of a VPN) and send it encrypted over the circuits? Then have it decrypted at by the other ASA cluster?

0 Helpful

Jon Marshall
Hall of Fame
Hall of Fame
In response to Tony Riccardi

‎05-20-2011 04:34 AM

Tony

Upgrading to 10Gbps wouldn't help with load-balancing. I just meant that if 100Mbps was not enough ie. you needed the 200Mbps then because you can't use that with an IPSEC VPN your only option would be to interconnect using 10Gbps or alternatively replace the 3750s with routers that can do per-packet load-balancing.

Not sure what you mean about ASAs encrypting without a VPN. If you mean can you simply encrypt between the ASAs ie. no VPN client on end hosts then yes they can do that. You simply setup a site-to-site VPN between the 2 ASA clusters. All traffic is then encrypted/decrypted between the 2 ASAs.

Is that what you were asking ?

Jon

0 Helpful

Tony Riccardi
Level 1
Level 1
In response to Jon Marshall

‎05-20-2011 06:49 AM

Hi Jon,

I see now what you are saying regards the 10Gbps. However we need to maintain two seperate circuits in order to minimise single point of failure.

What I'm wondering is can I encrypt the traffic, or at least secure it, without the need of a site-to-site VPN via the ASA? We've established that if I do configure a VPN it will not be load-balanced across the Etherchannel using src-dst-ip. Is there an encryption service or an encryption module I can utilise on the ASA while maintaining the load-balancing method on the etherchannel?

I need to provide a solution that maintains the Etherchannel configuration AND encrypts the data that crosses the 100Mb circuits.

Hope this clarifies the question?

0 Helpful

Jon Marshall
Hall of Fame
Hall of Fame
In response to Tony Riccardi

‎05-20-2011 06:54 AM

Tony

Basically no you can't encrypt/decrypt without forming a tunnel between the 2 ASAs and this means the src/dst IP endpoints will always be the same. It's the same even with a simple GRE tunnel.

What you really need are devices that can do per-packet as well as per destination load-balancing and 3750s can't.

Sorry for the bad news.

Jon

0 Helpful

Tony Riccardi
Level 1
Level 1
In response to Jon Marshall

‎05-20-2011 07:33 AM

OK no problem.

Can you recommend an ISR that is capable of per-packet load-balancing via 2x100Mb Ethernet circuits? And can you confirm once a VPN is configured using the ASAs, load-balancing will be applied to the IPSec/GRE Tunnel?

LAN A >> ASA Cluster >> Router >> 2 x 100Mbs (via Per-Packet Etherchannel) >> Router >> ASA Cluster >> LAN B

Thanks again for your help and advise

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card