GLBP + NAT/FW - What about the 'outside' side of things ?

sylvain.munaut
Level 1

Hi,

First the setup:

- 2 * 1921 routers ( with 15.1(4)M )

- 20~30 servers that need a NATed internet connection (just for general purpose net access)

- A WAN ip range that can either be routed to either 1921 (via a private point to point link), or that can appear as a 'LAN' (routing handled upstream).

I'd like to use the 1921s for the NAT and have the setup redundant, preferably load shared.

Now, I see that GLBP can handle providing a unique 'virtual gw' on the LAN side that will map to one or another router depending on the host asking.

But what about the other side (outside) ?

If I have the WAN IP directly on the 1921 wan interface:

Router A:

interface GigabitEthernet0
 description WAN
 ip address 100.100.100.2 255.255.255.240
 ip nat outside
!
interface GigabitEthernet1
 description LAN
 ip address 10.0.0.2 255.255.255.0
 ip nat inside
!
ip nat inside source list 100 interface GigabitEthernet0 overload
ip route 0.0.0.0 0.0.0.0 100.100.100.4

Router B:

interface GigabitEthernet0
 description WAN
 ip address 100.100.100.3 255.255.255.240
 ip nat outside
!
interface GigabitEthernet1
 description LAN
 ip address 10.0.0.3 255.255.255.0
 ip nat inside
!
ip nat inside source list 100 interface GigabitEthernet0 overload
ip route 0.0.0.0 0.0.0.0 100.100.100.4

But if I add GLBP here, when a router fails, how can it 'take over' the WAN ip of the other router to maintain the connections ?

If I have the WAN IP range as a local pool on each router:

Router A:

interface GigabitEthernet0
 description WAN
 ip address 172.16.1.2 255.255.255.240
 ip nat outside
!
interface GigabitEthernet1
 description LAN
 ip address 10.0.0.2 255.255.255.0
 ip nat inside
!
ip nat pool wan-ip-pool 100.100.100.1 100.100.100.7 netmask 255.255.255.240
ip nat inside source list 100 pool wan-ip-pool overload
ip route 0.0.0.0 0.0.0.0 172.16.1.4

Router B:

interface GigabitEthernet0
 description WAN
 ip address 172.16.1.3 255.255.255.240
 ip nat outside
!
interface GigabitEthernet1
 description LAN
 ip address 10.0.0.3 255.255.255.0
 ip nat inside
!
ip nat pool wan-ip-pool 100.100.100.1 100.100.100.7 netmask 255.255.255.240
ip nat inside source list 100 pool wan-ip-pool overload
ip route 0.0.0.0 0.0.0.0 172.16.1.4

how does my upstream provider know which return packet to send to which router?

Am I missing something here ?

(I've read that GLBP + stateful NAT failover + stateful CBAC failover should work nicely together.)

5 Replies

harsingh2
Level 1

GLBP is from the perspective of the internal network (LAN, to share the load for the default gateway) and not from the outside perspective. Packets are sent to the AVG (actual Virtual Gateway) and it forwards them to an AVF (Actual Virtual Forwarder).

This can be done in 3 ways:

1) Round Robin

2) Weighted

3) Host Dependent

In your case it should work fine. I can lab this out later tonight if you want or you can use GNS3 to check.

Hope that helps.

If you have a working setup, that would be useful because I couldn't make it work ...

I couldn't get the upstream router to forward the packet back to the right router in either case.

Couple of things to consider :

You mentioned that you have 2 routers (1921) . Are both of them connected to each other? As far as I know ,In order for any L2 load balancing protocol to work you need to run cross over connection between them. They exchange hello packets and after certain time when no response is received from the active router the other one takes over. But remember this is all from the prospective of LAN side.

R1 ------- R2
|          |
SW1 ----- SW2

You can segregate your servers into different VLANs or can put all of them under 1 VLAN.

For example:

interface g1
 ip address 10.0.0.2 255.255.255.0
 ip helper-address 10.x.x.x
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip flow egress
 standby ip 10.0.0.1
end

In the above example the Virtual IP is 10.0.0.1 and Router 1's physical IP is 10.0.0.2. You would configure 10.0.0.3 on Router 2. On your LAN side all the servers would have the default gateway set up as 10.0.0.1.

You can implement interface tracking with GLBP, where if the interface goes down all the traffic will fall back to the other router. Please find the Cisco doc below for reference:

http://www.cisco.com/en/US/docs/ios/12_2t/12_2t15/feature/guide/ft_glbp.html#wp1027188

I'm not an expert but hope this would guide you in the right direction.
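A LAN-side GLBP configuration with interface tracking for Router A, as an added example that is not part of the original thread (the reply above shows HSRP `standby ip`; this is the GLBP equivalent, since the original post wants the per-host load sharing that GLBP provides). The track object number, group number, priority, weighting thresholds, decrement, the host-dependent balancing method and the MD5 key placeholder are all assumptions; Router B mirrors the block with its own address and a lower priority.

```cisco
! Router A, LAN side. Added example, not from the thread.
! Track object 1 follows the WAN interface (assumed object number).
! Router B mirrors this with "ip address 10.0.0.3 255.255.255.0" and
! "glbp 1 priority 90" (assumed values).
track 1 interface GigabitEthernet0 line-protocol
!
interface GigabitEthernet1
 description LAN
 ip address 10.0.0.2 255.255.255.0
 ip nat inside
 no ip redirects
 no ip proxy-arp
 ! Virtual gateway the servers use as their default gateway.
 glbp 1 ip 10.0.0.1
 ! Priority/preempt decide who is AVG (answers ARP for 10.0.0.1).
 glbp 1 priority 110
 glbp 1 preempt
 ! Authenticate hellos so a rogue host on the server VLAN cannot
 ! win the AVG election and sink the servers' traffic (assumed key).
 glbp 1 authentication md5 key-string REPLACE-WITH-SHARED-KEY
 ! Host-dependent: a given server is always handed the same AVF MAC,
 ! so its flows always leave through the same router.
 glbp 1 load-balancing host-dependent
 ! Weighting: 100 normally; when track 1 fails the weight drops to 70,
 ! below "lower 80", so this router stops forwarding (AVF) and the other
 ! router takes over both virtual MACs. It resumes only once the weight
 ! is back above "upper 95", i.e. when the WAN link is up again.
 glbp 1 weighting 100 lower 80 upper 95
 glbp 1 weighting track 1 decrement 30
```

Verify with `show glbp brief` (AVG/AVF state and weighting per router) and `show track 1` after shutting the WAN interface on one router; the AVF roles should move while the AVG role follows priority and preempt. Note that tracking only fails the LAN side over; it does nothing for the NAT state or the WAN address ownership that the original question is about.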

Yes, they're connected to each other.

The problem is not with the GLBP side of things. The GLBP setup works just fine.

The problem comes when you get NAT in the mix.

Imagine a client on the LAN sends a packet to a host on the WAN. The packet gets to one of the routers (let's say router A), and its source IP is changed to one IP of the NAT pool (let's say 100.100.100.1).

Now, when the packet returns, the upstream router somehow has to 'know' if the return packet is for router A or router B ...

This could eventually be solved with two NAT pools and two HSRP groups on the WAN side (router A is active for 100.100.100.1 and standby for 100.100.100.2, and the opposite for router B).

But to support stateful NAT failover you would then need router A to update state to router B for one pool and vice versa for the other pool. And unfortunately that doesn't seem possible ... I couldn't get each router to maintain two 'NAT stateful databases', one active and one standby. It may be a limitation of the low-end 1921 I'm using ...

And then to finish it off, when you have ACLs and you need the ACL state (pin-holes made by the inspect rules) to fail over as well, it just becomes impossible at all AFAICT.
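Router A's WAN side for the two-pool / two-HSRP-group idea described in the post above, as an added example that is not from the original thread. It uses the IOS stateful NAT (SNAT) binding to HSRP: an `ip nat stateful id` tied to an HSRP group name, and a `mapping-id` that the dynamic NAT rule references, so only the router that is HSRP-active for that group translates into, and answers ARP for, that pool. The group names, the mapping-id, the carve-up of 100.100.100.0/28 (.1 as pool A, .5 as pool B), the priorities, preempt delay and the key placeholder are assumptions; check the exact keyword order against the 15.1(4)M NAT command reference before relying on it.

```cisco
! Router A, WAN side. Added example, not from the thread.
! Router B mirrors it with "ip address 100.100.100.3", priority 90 on
! group 1 and 110 on group 2, pool wan-pool-b 100.100.100.5 and its own
! stateful id bound to WAN-POOL-B with mapping-id 20 (assumed values).
access-list 100 permit ip 10.0.0.0 0.0.0.255 any
!
interface GigabitEthernet0
 description WAN
 ip address 100.100.100.2 255.255.255.240
 ip nat outside
 ! Group 1 owns pool A's address; A is normally active for it.
 standby 1 ip 100.100.100.1
 standby 1 priority 110
 standby 1 preempt delay minimum 30
 standby 1 name WAN-POOL-A
 standby 1 authentication md5 key-string REPLACE-WITH-SHARED-KEY
 ! Group 2 owns pool B's address; A is normally standby for it.
 standby 2 ip 100.100.100.5
 standby 2 priority 90
 standby 2 preempt delay minimum 30
 standby 2 name WAN-POOL-B
 standby 2 authentication md5 key-string REPLACE-WITH-SHARED-KEY
!
! Pool A is a single address, the group 1 virtual IP, so whichever router
! is active for group 1 receives every return packet for this pool.
ip nat pool wan-pool-a 100.100.100.1 100.100.100.1 netmask 255.255.255.240
!
! Stateful NAT: translations this router creates under mapping-id 10 are
! replicated to the HSRP peer; the peer needs the same mapping-id rule so
! the replicated entries are usable once it becomes active for WAN-POOL-A.
ip nat stateful id 1
 redundancy WAN-POOL-A
 mapping-id 10
ip nat inside source list 100 pool wan-pool-a mapping-id 10 overload
!
ip route 0.0.0.0 0.0.0.0 100.100.100.4
```

Check it with `show standby brief` (A active for group 1, standby for group 2) and `show ip snat distributed verbose` (the SNAT peer relationship and the replicated translation count), then pull A's WAN interface and confirm on B that `show ip nat translations` still lists the flows that were using 100.100.100.1. Two things to keep in mind. First, the mirror half (pool B active on B, standby on A) needs a second `ip nat stateful id` on each router bound to WAN-POOL-B; that second active/standby pair is exactly what the poster above reports he could not get working on the 1921, so treat the two-pool half as unverified on that platform. Second, without the `ip nat stateful` block the HSRP failover still moves the virtual address, but the surviving router has no translation entries for existing flows, so every open session through the failed router is dropped rather than continued.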

You definitely are going in the right direction with your setup. I tried looking at the limitations of the 1921 but couldn't find anything about NAT stateful databases, but it seems like you are correct. Is it possible for you to get a second opinion from a TAC engineer? That way we will know for sure and not miss anything.

Thanks.
