PFR routing on WAN routers

carl_townshend · ‎03-14-2018

Hi All

We have a simple setup, 2 ASR 1001 routers at site A, both with 200Mbit links, these then connect to site B with the same routers at the other end.

At the moment, we route to a HSRP IP of the active router, so an active standby setup.

We want to start using the other link, but we don't want to start putting individual routes from the firewall etc as it just gets messy.

My thoughts are to use PFR for this.

What is the easiest way to do this? do we need a layer 3 router / switch in front of the ASR?

Can we run the MC on one of the ASRs? would the other end need a MC/BR?

Would it be easier to get APIC to do this?

cheers

Joseph W. Doherty · ‎03-14-2018

Could you expand your topology description?

carl_townshend · ‎03-14-2018

Hi pretty much like below

RTR A ---------200Mbit----------RTR B

FW FW

RTR C ---------200Mbit----------RTR D

There is a IPsec GRE tunnel currently on each router connecting each site, the FW simply points to an HSRP IP, So at the moment all traffic flows over A to B. we use EIGRP for the routing, we redistribute static into eigrp from each end

cheers

Joseph W. Doherty · ‎03-14-2018

A and C, and B and D then are HSRP pairs? If so, how do the the HSRP pair interact at L2?

These HSRP pairs are also EIGRP neighbors?

carl_townshend · ‎03-14-2018

Hi

Yes that's correct about HSRP

on the LAN side, they are not neighbours, they only form a neighbourship over the WAN tunnel interface

cheers

Joseph W. Doherty · ‎03-14-2018

But each LAN pair could become EIGRP neighbors?

Also, you doing any kind of tracking if a tunnel goes down on the hot HSRP gateway router? (I.e. so HSRP will move to the standby?)

carl_townshend · ‎03-14-2018

Hi

Yes they could become neighbours and we do have tracking on there

Joseph W. Doherty · ‎03-14-2018

Ok, keep in mind, last I worked with PfR was about a decade ago, so there might be some improvements of which I'm unaware.

First, way back in ye olden times, I seldom had an issue combining the MC and a BR. As likely all your PfR needs to do is dynamically load balance, I would expect even a lessor PfR processing load.

You'll want both (same) site routers be able to route between themselves, and from your answers, this should be doable.

With each MC (one per site [unless you want one side doing both egress and ingress for a single site]) knowing of all the egress flows transiting the active HSRP gateway, the MC should be able to inject routes to redirect some traffic to use the standby router.

An issue you might encounter is whether there's enough routing destination distribution to balance the load across both links. If not, PfR might use PBR to accomplish that.

If using EIGRP, you'll want a PIRO capable version of PfR, which shouldn't be an issue unless you're using an early PfR IOS version.

PfR takes some time, but not a lot, to migrate flows around. To statically balance your links, you could use mHSRP. Then you can allow PfR to "fine tune" the load. (You also might fine mHSRP, alone, is good enough to balance your links. It's also a very simple change to your FW and ASRs.)

I mention mHSRP because I suspect GLBP won't balance if it "sees" the FW as one source.