
GLBP and VPN tunnels

Good afternoon, I have some questions regarding a setup using GLBP and VPN tunnels.

Scenario: 

We are about to start hosting a cluster of servers for a client. There are 10 remote sites that will need to have a VPN tunnel to the main site. There will be a relatively low amount of traffic across the VPN tunnels, but they need to be highly available. Also, we need the main site to have a redundant network.

My thoughts for setup:

-Get 2 different ISP connections at the main site. 

-Use GLBP (Gateway Load Balancing Protocol) to set up redundant routers at the main site. GLBP should allow both routers to be active and forward traffic. One ISP will connect to one router, the other ISP will connect to the other router.

-To create the VPN tunnels, set up a VTI (Virtual Tunnel Interface) from each router at the main site to each router at the remote sites.

-After the virtual tunnels are set up, we can run EIGRP (or OSPF) across the tunnels.

Hopefully, this setup would allow both routers at the main site to be active and routing traffic through each ISP. This will allow VPN traffic to travel across either virtual tunnel to its respective remote site (i.e. traffic from main to remote site goes through router A at the main site, then across the tunnel to the router at the remote site. Or it could go through router B at the main site, then across that tunnel to the remote site). This also means in a failover situation all the traffic will be sent to either router A or B, then automatically routed (according to the routing protocols) out the respective ISP.

My Questions:

1)  Will this setup (using GLBP and Virtual Tunnels between routers) actually work?

2)  Will the failover between the two routers at the main site work like described above, with regards to the VPN traffic being sent over a different tunnel?

3)  Is there a better way to achieve router redundancy and ISP redundancy at the main site?  (I considered VRRP or HSRP, but decided on GLBP because both routers could be active)

6 REPLIES
VIP Mentor

1)  Will this setup (using GLBP and Virtual Tunnels between routers) actually work?

That will work. VTIs and a dynamic routing protocol are the way to go nowadays.

2)  Will the failover between the two routers at the main site work like described above, with regards to the VPN traffic being sent over a different tunnel?

Although not seen by everyone as a best practice, I would include the internal network into the routing so that you are not dependent on interface- or route-tracking. You need to make sure that the router that receives the traffic can actually forward the traffic to the other side.

3)  Is there a better way to achieve router redundancy and ISP redundancy at the main site?  (I considered VRRP or HSRP, but decided on GLBP because both routers could be active)

Yes, use VRRP or HSRP. If you don't need both lines for throughput, then choose a technology where you know in advance how your traffic flows. That will make your troubleshooting much easier when the customer complains that "something doesn't work". And to utilize both lines you still could use two HSRP groups, where both routers have one active group.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni


Thanks for the quick reply, I was hoping to be on the right track.

Beginner

Hello Adam,

I'm looking to implement the same scenario, as I will have two routers with two ISPs and need to achieve load balancing and a VPN connection to a remote site.

Can you share the results with me?

Thanks


Yeah, definitely. It is probably going to be another week or two before the routers we ordered arrive. After I get everything set up and tested I will post my results.


Hi, would you have time to show me how GLBP can work with load balancing through two ISPs?

Beginner

Yes, thanks, I almost forgot to post my results...

(This is a long post, but hopefully it can help others looking into a similar scenario; you can skip to the bottom if you don't care about the setup process.)

The Setup:

I set up two Cisco 1841 routers; Router1 goes to ISP 1 through its fa0/1 and Router2 goes to ISP 2 through its fa0/1. Each router is also connected to a switch (R1->SW1 and R2->SW2) through its fa0/0 port. The two switches are jumpered together through 2 of their ports (set up as a LAG). Basic router commands were configured so we had internet going through each router (i.e. NAT, basic ACLs, default gateway, etc.). GLBP was then configured with R1 as the AVG (active virtual gateway) and R2 as an AVF (active virtual forwarder). I started with round robin as the load-balancing.

To start testing things, I set up two computers and connected to whatsmyip.com. Each computer had a different WAN IP address (good). I then shut down one of the routers and made sure I still could connect to the internet on both computers; I could. I continued to set everything up (servers, computers, etc.) and some of the hosts were using one ISP, some were using the other. When I would turn off one of the routers, things would fail over as planned. So far so good.

Next I wanted to get RDP set up to the servers so I could go back and work from my desk; this is where I ran into some problems. I was able to connect to SOME of the servers through one ISP, and had to use the other ISP to connect to the other servers. And, when I was connected to a server, after a few minutes it would lose connection and I would have to switch to the other ISP to get back in... only to get kicked out after a little while longer and be forced to switch back. I quickly changed the load-balancing to host dependent on the routers. This helped solve the issue of being kicked out of the RDP sessions, but I was still only able to RDP to certain servers through each ISP (I was not able to RDP into any server through both ISPs as I had wanted).

Results:

-GLBP did “load-balance” outgoing traffic through each ISP (good)

-GLBP failover also worked nicely (good)

-GLBP didn't allow incoming traffic through each ISP as I had thought. After seeing what was happening, it made sense why it wasn't working as I hoped. I think traffic would come in through each ISP and get sent to the correct host (although I didn't actually test this). The problem was when the host would reply, it would use whatever router was in its ARP table (not what router the packet came in through), thus the packets are possibly being sent out through a different ISP than they came in through. An RDP session obviously will not connect if the reply is coming back from a different IP address. I can see this same principle possibly causing issues with other session environments, although I can't think of any off the top of my head. (bad)

Conclusion:

GLBP might work well for load-balancing outgoing traffic, and providing redundancy in a network where there is no incoming session traffic; but, for things like RDP it does not work quite like I hoped. This was a deal breaker for us, so we turned off the load-balancing (so GLBP acts just like VRRP or HSRP, where one router is the active gateway for all hosts and the other is in "standby" mode).
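As an added illustration (not the poster's configuration or Cisco code), the following Python model shows why the return path of an inbound session depends on the host's ARP cache under each GLBP load-balancing mode; the router names, ISP names and MAC addresses are constructed, and the host-dependent hash is a stand-in for GLBP's own mapping.

```python
from itertools import cycle

# Constructed topology (not the poster's): two GLBP forwarders, each with its own ISP uplink.
FORWARDERS = {"R1": "ISP1", "R2": "ISP2"}
ROUTERS = list(FORWARDERS)


class GlbpAvg:
    """Active virtual gateway: answers ARP for the shared virtual IP with one
    forwarder's virtual MAC, picked according to the load-balancing mode."""

    def __init__(self, load_balancing):
        self.mode = load_balancing  # "round-robin", "host-dependent" or "none"
        self._rr = cycle(ROUTERS)
        self.host_table = {}

    def arp_reply(self, host_mac):
        if self.mode == "none":            # load balancing off: acts like HSRP/VRRP
            return ROUTERS[0]
        if self.mode == "round-robin":     # each ARP request gets the next forwarder
            return next(self._rr)
        if self.mode == "host-dependent":  # a given host always gets the same forwarder
            # Stand-in for GLBP's real hashing: use the low bit of the MAC address.
            idx = int(host_mac.replace(":", ""), 16) % len(ROUTERS)
            return self.host_table.setdefault(host_mac, ROUTERS[idx])
        raise ValueError(f"unknown mode {self.mode!r}")


def reply_paths(avg, host_mac, arp_refreshes):
    """ISP the host's replies leave through after each ARP cache refresh: the host
    sends to whatever forwarder its ARP cache holds, not to the router the
    inbound packet arrived on."""
    return [FORWARDERS[avg.arp_reply(host_mac)] for _ in range(arp_refreshes)]


def inbound_session_ok(avg, host_mac, inbound_isp, arp_refreshes=3):
    """A long-lived inbound session (e.g. RDP) survives only if every reply leaves
    via the ISP it arrived on; a reply sourced from the other ISP's address does
    not match the client's session and the connection drops."""
    return all(isp == inbound_isp for isp in reply_paths(avg, host_mac, arp_refreshes))


def reachable_via(mode, host_macs):
    """For each host, the ISPs an outside client can use to hold a session open.
    A fresh gateway per probe keeps the cases independent."""
    return {mac: [isp for isp in FORWARDERS.values()
                  if inbound_session_ok(GlbpAvg(mode), mac, isp)]
            for mac in host_macs}
```

Round-robin flips the reply ISP on every ARP refresh (the session drops after a few minutes), host-dependent pins each host to one ISP (reachable through that ISP only), and with load balancing off every reply leaves via the single active router.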