Critical Issue for Redundancy and Load Sharing between routers and switches for Internet

tarnhundal

Hi All,

I have two 3845 routers; both have two ISPs. Then I have two switches, a 3750 and a 3560, connected to these routers, and further on I have Checkpoint firewalls. Now I want redundancy and load sharing of LAN traffic coming from the firewalls to the switches and routers. I chose GLBP for this, but now I have some issues. Both routers have only two Gigabit ports and 4 Fast Ethernet ports, but these Fa ports are L2 ports, so I can't give an IP to those ports. Should I make VLANs there? Also, both ISPs provide me Ethernet links, so these interfaces never go down, so I am not able to use the track command. Sometimes I think I should do clustering between the switches, so they will act as one switch; then I can run GLBP easily. I am not sure what to do. One main condition is that my Internet should never go down, and I also need load sharing between the two routers.

Please help me sort out this issue.

Thanks and regards,

Taran

Taran

ispR1 ------cisco3750 ---

                                             checkpoint firewall

ispR2 ----cisco3760---

An alternative is to run your switches as L3. Each switch is then connected to both ISP routers. Run a dynamic routing protocol between the switches and the routers and send a default route from both ISP routers to your switches. You will still need to track the next hop on the ISP routers.

Then use HSRP, or if you want, GLBP (although the same provisos apply as before with GLBP) on the switch LAN interfaces facing the Checkpoint. The Checkpoint will send traffic to the active switch, which then has 2 equal-cost paths to the Internet via both ISP routers.

Jon

Hi Jon,

Thanks for the reply and for giving your time. Look Jon, I was considering running OSPF on both routers and switches, because with OSPF it will shift from one router to the other if one of the links goes down, and then I will do object tracking on the WAN interface. I don't know much about firewalls because these are not handled by me, but the security guys told me that Ndurant is attached to Checkpoint and it doesn't know about dynamic routing, and I saw that on Ndurant they put static routes there, but I don't know about the configuration of Checkpoint. So I don't know what to do there, but I will try to sort this out at the Checkpoint end.

What do you say about it?

Thanks and regards,

Taran

Hi,

I am using a design with two routers connecting to one switch using GLBP. Now I can run the other switch with the other switch as a trunk. Now everything is fine, meaning whenever the WAN link goes down the AVF shifts to the other router. But now I have one more problem: after a short interval the AVF shifts from one to the other, so my Internet goes down. I have tried to change the redirect and forwarder configuration, but the AVF shifts continuously, approx. every 2-3 min. Please help to sort out this issue.

Thanks and regards,

Taran

Hi,

I think you are right. Right now my Checkpoint is connected to the switch, and what I have seen is that if I telnet from my LAN to the router via the Checkpoint, then the gateway shifts continuously, and when I go to the Internet switch and telnet to the virtual gateway, it always goes to my higher-priority router. It means the Checkpoint doesn't understand this concept. Should I do load balancing with the host-dependent method or apply some other way?

Thanks and regards,

Taran

Hi Jon and Ganesh,

Both of you helped me a lot to sort out this issue. What I have seen is that from the switch all is well, but from my LAN I am getting the issue. My AVF is not stable; every 3-4 min it shifts from one router to the other. I think it's due to the Checkpoint, so what do you say: should I try to load-balance GLBP with the host-dependent method or do something else? Waiting for a positive response.

Thanks and regards,

Taran

Hi Taran,

As suggested by Jon in the previous post, do the same type of configuration. As for your query: if you go with the GLBP host-dependent method for load balancing, there will always be a single MAC from the Checkpoint towards the VIP of GLBP, so there will only ever be a single forwarder for outgoing traffic. Try configuring HSRP in active/passive mode; it will be helpful, with full redundancy.

Hope that helps with your query!

If helpful, do rate the valuable post.

Regards

Ganesh.H

Hi Jon,

I am using the same diagram as you mentioned. Now I have realised one thing: if I telnet to the VIP of GLBP from my LAN behind the Checkpoint, then after short intervals it shifts from one router to the other, but when I try to telnet to this VIP, every time it goes to the higher-priority router. It means the Checkpoint doesn't know exactly about the gateway, and then I saw that proxy ARP is enabled on the Checkpoint. I am thinking of disabling this feature, because I have already set the default gateway on the Checkpoint, so there is no need for this command. Checkpoint is my firewall, but it has to be connected with some hardware firewall like Nokia, Ndurant or something else. I am using Ndurant, which doesn't understand dynamic protocols, so we have to put static routes on the Ndurant Checkpoint firewall; I can't run a dynamic protocol on the switches and routers. What do you say about this?

Waiting for a positive response from your side.

Thanks and regards,

Taran

Hi Jon,

This problem has been resolved now, and thanks for your support till now. You and Ganesh both supported me a lot.

Thanks and regards,

Taran

Hi Ganesh,

I have tried this setting and it works. I have created an SLA for tracking and now it shifts if ICMP is unreachable, but I have done one thing: my ISP's other-end IP is not always unreachable, so I have set the ICMP for google.com, because if Google is unreachable then it means the Internet is down.

Anyhow, thanks for the total support.

Thanks and regards,

Taran
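
Added example, not part of the thread and not any poster's actual configuration: one way the IP SLA tracking described in the post above can be tied to GLBP weighting when the ISP hand-off is Ethernet and never goes line-down. Cisco IOS 15.x syntax is assumed; the interface names, addresses (documentation ranges), probe target and group/track numbers are all placeholders.

```cisco
! Constructed example. All addresses are documentation-range placeholders.
! Probe a stable host beyond the ISP hand-off, sourced from the WAN port,
! because the Ethernet hand-off stays up even when the upstream path fails.
ip sla 10
 icmp-echo 203.0.113.10 source-interface GigabitEthernet0/0
 threshold 500
 timeout 1000
 frequency 5
ip sla schedule 10 life forever start-time now
!
! Track probe reachability. The delays hold the state through brief
! probe loss, so one missed reply does not move the forwarder.
track 10 ip sla 10 reachability
 delay down 15 up 60
!
! LAN side facing the switch. A failed probe subtracts 30 from the weight,
! taking it below "lower", so this router gives up its AVF role; it takes
! the role back only once the weight is at or above "upper" again.
interface GigabitEthernet0/1
 ip address 192.0.2.2 255.255.255.0
 glbp 1 ip 192.0.2.1
 glbp 1 priority 110
 glbp 1 preempt
 glbp 1 weighting 100 lower 80 upper 95
 glbp 1 weighting track 10 decrement 30
 glbp 1 load-balancing round-robin
```

The probe follows the routing table, so the target has to be routed out of the ISP link this router is meant to test. A single third-party target that rate-limits or drops ICMP will look like an outage to the tracker.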

Hi Taran,

That's great that your problem has been resolved. It would be great if you could mark this thread as resolved so that others can benefit if they have this type of problem in their network.

Ganesh.H