GLBP and Asymmetric Routing

Hi Guys,

 

I've been searching for the past few days with no luck.

If you don't mind, please explain how we can avoid asymmetric routing when multihomed (two local routers, one ISP, receiving only BGP default routes) and using GLBP on the LAN.

 

Ahmed

Comments

  • If you are using GLBP in your LAN, all the outgoing traffic is load balanced. So, I think you can't perform the same in an easy way like we usually do in the case of HSRP or VRRP.

    Since there is no guarantee on how traffic exits your network, you probably can't influence the remote end to send the reply back from the same interface. But you can still try the AS-path prepending option, in which you prepend the same AS path and send it to the peer. Not sure about the result, but please give it a try.

    Good luck!

  • Hi Hari

    Controlling inbound traffic is a piece of cake, but as you said, since we don't know on which link the traffic left our network, how can ingress traffic be controlled?

    I didn't get your suggestion on using AS-path prepending. Can you please explain in detail?

     

    Ahmed

  • peetypeety ✭✭✭

    Why would you avoid asymmetric routing if you chose GLBP?

  • To be honest with you, I was not planning to use GLBP at all.

    I have a customer with the following requirements:

    1- No multiple gateways (no MHSRP)

    2- No asymmetric routing

    3- Active-active setup with HA on LAN & WAN

    I don't see a way to achieve the above, just thought maybe I'm missing something.

     

    Ahmed

  • Hi Hari

    Controlling inbound traffic is a piece of cake, but as you said, since we don't know on which link the traffic left our network, how can ingress traffic be controlled?

    I didn't get your suggestion on using AS-path prepending. Can you please explain in detail?

    Ahmed

     

    Hi Ahmed,

    As we know, AS path prepending can be used to influence the incoming traffic, but in the case with GLBP, I'm not quite sure whether it works or not. If the exit point is not constant, I don't think that it would be a good solution either.

     

  • Hi Hari,

     

    As you said, AS-path prepend can be used for inbound, but the issue here is on the LAN and I'm not running BGP.

     

    I've convinced my customer to use MHSRP and all parties are happy now :)

     

    Thank you all for participation

    Ahmed Musa

     

  • Depending on the network setup/design you could possibly use NAT to ensure there is no asymmetric routing.

    So have GLBP running on R1 and R2. R1 NATs the hosts to 1.1.1.1. R2 NATs the hosts to 2.2.2.2. On the north side just ensure 1.1.1.1 routes back to R1 and 2.2.2.2 routes back to R2. You will then ensure return traffic always goes back to the host it started on. If you did do this you could have all sessions drop during a failover event (the clients' inside global address would change if the GLBP forwarder is swapped to the other host). It would be best to set up NAT HA between R1 and R2 (requiring you to use a NAT pool, not the outside interface addresses) and have a backup route in place for both NAT addresses/pools in the event either router goes down. That should prevent the sessions from dropping - but to be honest I have only done this in the lab so I am not sure how well it works in the real world.

    http://www.cisco.com/en/US/docs/ios-xml/ios/ipaddr_nat/configuration/12-4t/iadnat-ha.html

    Obviously this is all only good if you can use NAT on the GLBP routers. 

    Aside from that, the other idea I had (and I will be the first to say it's ugly) would be to take your subnet and basically split it in half and use 2 HSRP groups with 2 DHCP pools. So assume it's a /24 - take the first half (0-127) and define one DHCP pool with the HSRP address for group #1 as the default gateway. Make R1 the active router for the standby group and R2 the standby (using priority and preemption). Then create a second DHCP pool (128-254) and assign the virtual IP of HSRP group #2 to those hosts. Ensure R2 is the active router for group 2, with R1 as the backup. Then on your upstream routing advertise the subnet as two /25's. Make sure the lower half has a preferred route to R1 (using whatever traffic engineering your routing protocol allows) and the upper half has a preferred route to R2. Should work - say R1 fails, R2 would take over for HSRP and the inbound routing will begin using the backup path to R2 for that /25 once the route to R1 is pulled out. If it comes back up, HSRP goes back to the primary (if you enabled preempt) and the incoming routing should switch back as well. Voilà. Note that the mask for all of the clients, routers, etc. in that subnet would still be a /24. You are only logically splitting up the subnet - not really doing it. The only place the /25 mask would be used is for the inbound (north) routing.
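
The split-subnet design from the post above, modelled as an added example (not code from the thread or from any vendor): it checks that every host's outbound router matches its return router, before and after a router failure, and contrasts that with GLBP behind a single /24 return path. The LAN prefix, metrics, and the alternating-host model of GLBP are assumptions made for illustration.

```python
import ipaddress

# Constructed values, not from the thread: LAN prefix, metrics, set-based "up" state.
LAN = ipaddress.ip_network("192.0.2.0/24")
LOWER, UPPER = LAN.subnets(prefixlen_diff=1)      # the two /25s advertised north
HSRP = {LOWER: ("R1", "R2"), UPPER: ("R2", "R1")}  # half -> (active, standby)

def northbound_routes(up):
    """Each live router advertises both /25s: metric 10 for the half it is
    HSRP-active for, metric 20 (backup path) for the other half."""
    routes = []
    for half, (active, standby) in HSRP.items():
        routes += [(half, 10, active)] if active in up else []
        routes += [(half, 20, standby)] if standby in up else []
    return routes

def egress_router(host, up):
    """Outbound: the host's DHCP pool points at its half's HSRP virtual IP,
    which is served by the active router, or the standby if the active is down."""
    half = LOWER if host in LOWER else UPPER
    return next((r for r in HSRP[half] if r in up), None)

def ingress_router(host, up):
    """Inbound: upstream picks the longest matching prefix, then lowest metric."""
    matches = [(net.prefixlen, -metric, rtr)
               for net, metric, rtr in northbound_routes(up) if host in net]
    return max(matches)[2] if matches else None

def asymmetric_hosts(up):
    """Hosts whose outbound and return paths use different routers."""
    return [h for h in LAN.hosts() if egress_router(h, up) != ingress_router(h, up)]

def glbp_asymmetric_count(return_router="R1"):
    """Contrast case: GLBP hands out forwarders round-robin (modelled here as
    alternating hosts) while return traffic for the single /24 enters via one router."""
    forwarders = ("R1", "R2")
    return sum(forwarders[i % 2] != return_router for i, _ in enumerate(LAN.hosts()))

if __name__ == "__main__":
    for up in ({"R1", "R2"}, {"R2"}, {"R1"}):
        print(sorted(up), "asymmetric hosts:", len(asymmetric_hosts(up)))
    print("GLBP, single /24 return path:", glbp_asymmetric_count(), "of", LAN.num_addresses - 2)
```

Path symmetry here is what a stateful firewall or NAT device on either router depends on: a return packet arriving at the router that never saw the outbound flow has no state entry to match.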

  • AhmedMusa, in your first post you said you were receiving BGP default routes. Now you say you cannot use AS-prepend because you (or your customer) aren't running BGP.

  • Hi Mike,

     

    I like the NAT solution, though it is not an option for me because of internal policies, current design, blah blah.

     

    Your second suggestion is some sort of MHSRP which I have implemented. Why is it bad? except having to have two gateways?

  • Hi Jon,

     

    BGP is on the WAN and GLBP is on the LAN - AS-prepending will control inbound traffic in this case where the problem is in controlling outbound.

     

    Ahmed

  • AhmedMusa, in your first post you said you were receiving BGP default routes. Now you say you cannot use AS-prepend because you (or your customer) aren't running BGP.

     

    Hi Jon,

     

    BGP is configured on the WAN and GLBP is on the LAN. AS-prepending will influence inbound traffic, while the issue is in controlling outbound, which seems too complicated to achieve with GLBP.

  • Your second suggestion is some sort of MHSRP which I have implemented. Why is it bad? except having to have two gateways?

    The only reason I consider it 'ugly' is because I think it's convoluted. I don't see any reason why it wouldn't work fine - it's just more complication & configuration than the situation really calls for. It's necessary to fulfill the no-async requirement - but ultimately I cannot imagine async routing would actually be an issue in this case (same number of hops, same platform routers I assume, etc.). Unless there is some sort of stateful firewalling I bet it would work just fine... but requirements are not always driven by reality. So I just say it's ugly because it's not obvious or overly clear. You have a single subnet configured but 2 DHCP pools w/ 2 different gateways, 2 routes northbound, etc. Just convoluted :)
