From: Jelle Borsje (borsjej@yahoo.dk)
Date: Tue Apr 12 2005 - 07:27:07 GMT-3
Hi,
I understand the drawing in the original mail as
follows:
                             R1
                              |
Users - Sw2 (L3) - Fw (L3) - Sw1 (L2)
                              |
                             R2
I do run the risk that everything gets shifted (and
it gets garbled), but I hope everyone can see the
above correctly when viewed with the courier font.
I have been pondering it a bit... and as I see it we
can get the requested behaviour (sharing the load
based on source addresses) with policy-based routing
on Sw1, if Sw1 was a layer 3 device. Traffic coming
from Fw could be matched against an ACL, and depending
on that we could select the outgoing interface to be
the one to R1 or R2. Otherwise, which is true in this
case as Sw1 is a layer 2 device only, it would have to
be implemented on Fw (however, my knowledge about
firewalls is not good enough, to say PBR is something
it would support). We could implement something with
static routes on Fw, but that would mean sharing the
load over R1 and R2 based on destination.
HOWEVER... since the request is to implement PBR on
Sw2, I don't see how the requested behaviour could be
configured. Sw2 has ONLY one interface in the
direction of R1/R2, and that is the interface to the
firewall (Fw), it can therefore not make the decision
to use either R1 or R2 (it should all be routed to
Fw). As far as I know, PBR is local on the device we
configure it on (not advertised). I can therefore not
see how we can force traffic to use either R1 or R2 by
configuring PBR on Sw2. Sw1 (if configured with L3)
and Fw will make a routing decision based on their own
routing table.
My conclusion is therefore, that it cannot be done by
configuring PBR on Sw2... but I might be on thin ice
here ;-)
It sounds like you have HSRP between R1 and R2, and
the firewall has a static route to the virtual IP
address. You could implement M-HSRP (giving you 2
virtual IP addresses, one 'owned' by R1 and the other
by R2). You could then make a split on the firewall,
by pointing some traffic to use one virtual IP
address, and some other traffic the other. This will
provide a form of load sharing based on destination,
while maintaining redundancy.
Alternatively, use GLBP, which is a form of HSRP. The
idea is that there is only one virtual default-gateway
(like with HSRP and VRRP) in a group, but there are
multiple routers that can function as exit for your
network. The load sharing is achieved by handing out a
different MAC address to the various hosts in the
network. So the load is distributed over multiple
routers, by answering ARP requests with different MAC
addresses. GLBP is quite a new feature introduced in
12.2(15)T:
Hope this helps... Looking forward to some comments.
Greetz
Jelle
--- gladston@br.ibm.com wrote:
> Yes, you can. Why not?
>
> Maybe this url can help:
>
> http://www.cisco.com/en/US/tech/tk364/technologies_configuration_example09186a00802135d3.shtml
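The M-HSRP split and the GLBP alternative suggested in the mail above, written out as an added configuration example; it is not from the original thread or from any Cisco document. The interface names, the 10.0.0.0/24 segment between Sw1 and the routers, the destination prefixes and the IOS-style syntax for the firewall's static routes are all assumptions.

```cisco
! R1: active for HSRP group 1 (VIP 10.0.0.1), standby for group 2
interface FastEthernet0/0
 ip address 10.0.0.2 255.255.255.0
 standby 1 ip 10.0.0.1
 standby 1 priority 110
 standby 1 preempt
 standby 2 ip 10.0.0.11
 standby 2 priority 90
 standby 2 preempt
!
! R2: mirror image, active for group 2 (VIP 10.0.0.11)
interface FastEthernet0/0
 ip address 10.0.0.3 255.255.255.0
 standby 1 ip 10.0.0.1
 standby 1 priority 90
 standby 1 preempt
 standby 2 ip 10.0.0.11
 standby 2 priority 110
 standby 2 preempt
!
! Fw (assumed IOS-style route syntax): split by destination across the
! two VIPs. If either router fails, the other takes over both VIPs, so
! the firewall's routes keep working and redundancy is preserved.
ip route 192.0.2.0 255.255.255.0 10.0.0.1
ip route 198.51.100.0 255.255.255.0 10.0.0.11
ip route 0.0.0.0 0.0.0.0 10.0.0.1
!
! Alternative (replaces the standby lines on both routers): GLBP with a
! single VIP; the AVG answers ARP requests for 10.0.0.1 with R1's and
! R2's virtual MACs in turn. Needs 12.2(15)T or later, as the mail notes.
! Note: GLBP spreads load per ARP client, so it only splits traffic when
! several hosts ARP for the VIP; a single firewall would get one MAC.
interface FastEthernet0/0
 glbp 1 ip 10.0.0.1
 glbp 1 load-balancing round-robin
 glbp 1 priority 110
 glbp 1 preempt
```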