ASA + HSRP/VRRP/GLBP = undef

Posted on April 4th, 2008 in GLBP, ASA, Firewall, HSRP, Cisco by Aaron Conaway

I use Google Analytics to track the 2 or 3 hits I get a day, and sometimes I see some interesting search terms. Yesterday, someone googled the term “does the ASA 5505 run HSRP”; I think that deserves a short article.

The ASA and PIX firewalls don’t actually run any of the usual HA solutions you use on routers. They don’t do HSRP, VRRP, or GLBP at all. Since firewalls have all sorts of state tables, connection tables, translation tables, blah, blah, blah, they need to share more information than just whether they’re alive or not, so they use different methods to provide HA.

Cisco uses two different methods to handle this issue - a failover cable or a failover interface. On a PIX (above the 501s and 506s), you’ll see a DB-15 interface labelled…wait for it…“failover”. When a very expensive Cisco cable is placed between the failover ports of two PIXes, the boxes do some election stuff over it and decide on an active and a standby state for each (it does all sorts of stuff, but I won’t go into it). The other method is basically the same, but, instead of an expensive, proprietary Cisco cable, it uses one of the interfaces to connect the two. You basically connect a crossover cable between two of them, do some configuration, and we’re good. The ASA doesn’t come with a failover cable so it uses the interface method, but you need a license for that (imagine that).

Just for the record, if an ASA or PIX becomes the active member of the cluster, it takes over both the IP and MAC address of the primary.  There’s no election and configuration of a standby address.  The use of the real addresses, along with the constant sync of the state data, means a very fast and seamless failover.  I actually SSHed through an FWSM (think of it as a PIX on a blade) and pulled the power plugs from it; I actually only lost one packet.

Configuring GLBP

Posted on March 21st, 2008 in GLBP, LAN, Cisco, InterNetworking by Aaron Conaway

Believe it or not, I got a request for an article on how to configure GLBP. I’m as shocked as you are, so here it goes.

The Gateway Load Balancing Protocol (GLBP) is another Cisco-proprietary protocol for providing highly-available gateways on a network…but there’s a twist. GLBP, as you can figure out from the name, load-balances the traffic going through the participating routers. With HSRP and VRRP, one host is the active peer and handles all the traffic until it dies, then another peer takes over. With GLBP, all the routers accept traffic.

The key is the virtual MAC address. When you configure a router to use GLBP, it discovers all the other routers configured for GLBP, and an election is held. The winner is called the Active Virtual Gateway (AVG) and assigns virtual MAC addresses to all the members in the group (called Active Virtual Forwarders or AVFs). When a host on the network ARPs for the virtual IP, the AVG answers the request with one of the virtual MAC addresses of the AVFs. The next ARP request gets another virtual MAC, etc. Do this a few times, and the hosts on the network are splitting their traffic among all the AVFs.

Config time!

GLBP0(config)#interface f0/0
GLBP0(config-if)#ip address 192.168.0.10 255.255.255.0
GLBP0(config-if)#glbp 0 ip 192.168.0.1

GLBP1(config)#interface f0/0
GLBP1(config-if)#ip address 192.168.0.11 255.255.255.0
GLBP1(config-if)#glbp 0 ip 192.168.0.1

GLBP2(config)#interface f0/0
GLBP2(config-if)#ip address 192.168.0.12 255.255.255.0
GLBP2(config-if)#glbp 0 ip 192.168.0.1

Very simple. This sets the IP on f0/0 of three routers and enables GLBP group 0 for the IP 192.168.0.1. The group number, 0 in this case, is the same as in HSRP; you can have more than one instance of GLBP on an interface, so you have to tell it what settings go with what group.

After a few seconds of yelling at each other, the routers will have decided who the active and backup AVGs are, who the AVFs are, and what the virtual MACs for the AVFs are. After convergence, you can run the show glbp brief command to see what the status is.

GLBP0#sh glbp brief
Interface   Grp  Fwd Pri State    Address         Active router   Standby router
Fa0/0       0    -   100 Listen   192.168.0.1     192.168.0.12    192.168.0.11
Fa0/0       0    1   -   Listen   0007.b400.0001  192.168.0.12    -
Fa0/0       0    2   -   Active   0007.b400.0002  local           -
Fa0/0       0    3   -   Listen   0007.b400.0003  192.168.0.11    -

In our example, the IP 192.168.0.12 is the AVG (GLBP2) with 192.168.0.11 being the backup AVG (GLBP1). You can also see that three virtual MACs have been assigned: 0007.b400.0001 through 0007.b400.0003.

Those are the basics, but there are a few more things worth mentioning that you should look at on your own.

  • By default, the load-balancing method is round robin, but you can set the GLBP balancing method to weighted, which uses configured weights on each router to determine who’s next in line for ARP replies. Use the load-balancing and weighting directives.
  • You can set priorities for each router to better control which one becomes the AVG and backup AVG with the priority directive.
  • You can have GLBP track objects just as you do with HSRP. Use the weighting track configuration to do so.
  • You can put passwords on the GLBP group to protect yourself from random routers trying to participate and hose things up. Look at authentication.
  • By default, a higher priority router won’t overthrow a lower one to become the AVG. You can turn this feature on with the preempt directive.

HSRP vs. GLBP

Posted on March 18th, 2008 in GLBP, Routing, HSRP, Cisco, InterNetworking by Aaron Conaway

HSRP (Hot Standby Router Protocol) is a Cisco-proprietary method for supplying a highly-available gateway for hosts to use. GLBP (Gateway Load Balancing Protocol) does the same thing. So, what’s the difference?

HSRP works on layer 3 and provides a standby IP address for hosts on that network to use as their gateway (or other routers to use as a next-hop for a route). Two or more routers are configured with the standby IP on a broadcast interface (usually an Ethernet of some kind), and a passive election is held to determine the active router. This router answers ARP requests for the standby IP with a virtual MAC address, so every host that sends packets to the standby IP winds up sending it to the active router. If the active router dies, another election is held, and a new king is crowned who answers for the virtual MAC; the hosts never know anything happened.

GLBP is a little different and runs on layer 2. Instead of one router taking all the traffic all the time, GLBP provides a mechanism to load-balance the standby IP. I’m sure you figured that out by the name, though. When configured, GLBP provides a standby IP just as HSRP does, but it also provides multiple virtual MAC addresses. When a host on the connected network sends an ARP request, one of the routers answers with the virtual MAC address. The next time a host ARPs, a different router answers with a different virtual MAC address. After all is said and done in our perfect world, you have an equal number of hosts sending traffic to each router doing GLBP via the virtual MACs (this never pans out due to the way machines ARP). If a router dies, one of the other participating routers takes over for that virtual MAC, and the host is none the wiser.
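The ARP-reply rotation described here and in the “Configuring GLBP” post above (together with the priority, weighting and preempt directives listed there) is easy to see in a small model. The Python below is an added example, not code from these posts or from Cisco: it models a GLBP group from the AVG’s point of view, handing out virtual MACs round-robin or by weight, re-electing the AVG and moving a dead router’s virtual MAC to a survivor, with an HSRP group alongside for contrast. The router names and addresses are the ones from the config above; the weights, the rule that a failed forwarder’s MAC goes to the first surviving router, and the absence of hello/hold timers are simplifying assumptions of the model, not protocol facts.

```python
"""Toy model of how GLBP hands out virtual MACs, with HSRP alongside for contrast.

Added example, not code from the blog posts. Router names and addresses are the
ones from the 'Configuring GLBP' post; priorities and weights are constructed.
Simplifications (assumptions): no hello/hold timers, a failed forwarder's MAC goes
to the first surviving router, and a returning router reclaims its own MAC at once.
The virtual MAC layout 0007.b400.GGFF (GG = group, FF = forwarder) matches the
'show glbp brief' output in the post.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass
class Router:
    name: str
    real_ip: str
    priority: int = 100   # election: highest priority wins, ties go to the highest real IP
    weight: int = 100     # used only by the weighted load-balancing method
    alive: bool = True


def election_key(r):
    return (r.priority, tuple(int(octet) for octet in r.real_ip.split(".")))


def sample_routers(weights=(100, 100, 100)):
    """The three routers from the post, as fresh objects each call (constructed weights)."""
    names_ips = [("GLBP0", "192.168.0.10"), ("GLBP1", "192.168.0.11"), ("GLBP2", "192.168.0.12")]
    return [Router(n, ip, weight=w) for (n, ip), w in zip(names_ips, weights)]


class GlbpGroup:
    """One GLBP group on one broadcast segment, seen from the AVG's point of view."""

    def __init__(self, group, virtual_ip, routers, method="round-robin", preempt=False):
        self.virtual_ip, self.method, self.preempt = virtual_ip, method, preempt
        self.routers = {r.name: r for r in routers}
        # virtual MAC -> router currently forwarding for it (each router starts with one)
        self.vmacs = {f"0007.b400.{group:02x}{i:02x}": r.name for i, r in enumerate(routers, 1)}
        self.home = dict(self.vmacs)                 # original owner of each virtual MAC
        self.avg = self.elect_avg()
        self._rr = 0                                 # round-robin position
        self._credit = Counter()                     # weighted mode: accumulated weight per MAC

    def elect_avg(self):
        return max((r for r in self.routers.values() if r.alive), key=election_key).name

    def arp_reply(self):
        """Virtual MAC the AVG puts in its ARP reply for the virtual IP."""
        macs = list(self.vmacs)                      # fail() keeps every MAC forwarded by someone
        if self.method == "round-robin":
            mac = macs[self._rr % len(macs)]
            self._rr += 1
            return mac
        # weighted: smooth weighted round robin over the forwarding router's weight
        for mac in macs:
            self._credit[mac] += self.routers[self.vmacs[mac]].weight
        mac = max(macs, key=lambda m: self._credit[m])
        self._credit[mac] -= sum(self.routers[self.vmacs[m]].weight for m in macs)
        return mac

    def fail(self, name):
        """Router dies: a survivor takes over its virtual MAC; the AVG is re-elected if needed."""
        self.routers[name].alive = False
        survivor = next(r.name for r in self.routers.values() if r.alive)
        for mac, owner in self.vmacs.items():
            if owner == name:
                self.vmacs[mac] = survivor
        if self.avg == name:
            self.avg = self.elect_avg()

    def revive(self, name):
        """Router returns: it reclaims its own virtual MAC, but only becomes AVG again with preempt."""
        self.routers[name].alive = True
        for mac, owner in self.home.items():
            if owner == name:
                self.vmacs[mac] = name
        if self.preempt:
            self.avg = self.elect_avg()


class HsrpGroup:
    """HSRP for contrast: the single active router answers every ARP with one virtual MAC."""

    def __init__(self, group, virtual_ip, routers):
        self.virtual_ip = virtual_ip
        self.routers = {r.name: r for r in routers}
        self.active = max((r for r in routers if r.alive), key=election_key).name
        self.vmacs = {f"0000.0c07.ac{group:02x}": self.active}   # HSRP version 1 MAC layout

    def arp_reply(self):
        return next(iter(self.vmacs))


def arp_cache(group, n_hosts):
    """Constructed hosts: each ARPs once for the virtual IP and caches whatever MAC it gets."""
    return {f"host{i}": group.arp_reply() for i in range(n_hosts)}


def hosts_per_router(group, cache):
    """How many cached hosts currently land on each router, given who forwards for each MAC."""
    return dict(Counter(group.vmacs[mac] for mac in cache.values()))


if __name__ == "__main__":
    g = GlbpGroup(0, "192.168.0.1", sample_routers())
    cache = arp_cache(g, 6)
    print("AVG", g.avg, "spread", hosts_per_router(g, cache))
    g.fail("GLBP2")
    print("after GLBP2 dies: AVG", g.avg, "spread", hosts_per_router(g, cache))
```

With equal priorities the model elects GLBP2 (highest real IP) as AVG and GLBP1 as its backup, the same outcome the show glbp brief output above shows; with six hosts the round-robin replies put two hosts on each router, and after GLBP2 dies its virtual MAC moves to a survivor so the hosts that cached it keep working without re-ARPing. The weighted method and the preempt flag are there to play with the directives from the bulleted list.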

If you’re having problems deciding on which one to use, it really all boils down to how many hosts you have on that particular network that you want to be HA. For example, if I had a network that only had two routers as the gateway and a single firewall, I’d use HSRP; there will only be the one firewall ARPing for the standby IP and sending it traffic, so you wind up only using one router anyway. If you have a network with a thousand hosts on it (say a web farm), then go with GLBP to balance the traffic across your routers.
