NAT issue with load balancing between two ISPs

Tags: Cisco, Cisco 2811, Cisco 2900, ISP connection, isp.dsl, Load balancing, NAT, Network performance, Switches
Hello everybody! This is my first question; I am brand new to this, so please excuse me if I do not write properly or straight to the point. I will try my best.

These are the devices related to my question:

- cisco2811 (complete access)
- DSL modem
- cisco2900 series

I have access to all except the cisco2900. I guess the configuration in the cisco2950 is OK and very simple: no special routing or security task, just a point to connect with the provider and through to the internet (at the moment it is working properly). The DSL modem is pretty simple, just a connection straight to the internet like a SOHO (small office home office) device, with no command line interface or similar.

```
[outbound connection] Proventia firewall ethernet --------- cisco2811 ------------ ethernet cisco2900 (ISP 1)
[local network traffic]                                         |_________ ethernet DSL modem (ISP 2) [outbound connection]
```

I am trying to make a simple load balancing between two ISPs with NAT. I found three possible solutions (for sure more exist). The starting state is forwarding all the traffic through ISP1, and everything is OK:

```
ip route 0.0.0.0 0.0.0.0 interfaz ISP1
```

and a basic NAT translation:

```
ip nat inside source static network IP_firewall_to_cisco2811 IP_cisco2811_to_ISP1 /32
```

A. Use two static routes in cisco2811

```
ip route 0.0.0.0 0.0.0.0 interfaz ISP1
ip route 0.0.0.0 0.0.0.0 interfaz ISP2
```

But it is not working as it is supposed to. When I made a traceroute, the information shows that cisco2811 tries to route twice between both ISPs, and in the end some pages were not loaded in the browser. Maybe I have to add more commands to this solution, apart from the small part of NAT inside for these interfaces.

```
qosrouter#traceroute
Protocol [ip]:
Target IP address: 80.81.96.190
Source address:
Numeric display [n]:
Timeout in seconds [3]:
Probe count [3]:
Minimum Time to Live [1]:
Maximum Time to Live [30]:
Port Number [33434]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Type escape sequence to abort.
Tracing the route to 80.81.96.190
  1  * IP_ISP1 0 msec *
  2 194.25.5.110 124 msec * 116 msec
  3  * 217.5.66.34 124 msec *
  4 217.5.66.46 128 msec * 128 msec
  5  * 212.20.155.38 116 msec *
  6 130.117.0.210 128 msec * 124 msec
  7  * 130.117.3.77 120 msec *
  8 130.117.1.114 128 msec * 132 msec
  9  * 130.117.3.101 192 msec *
 10 130.117.0.213 144 msec * 130.117.2.209 148 msec
 11  * 130.117.2.133 172 msec *
 12  * * *
 13  * 149.6.82.206 152 msec *
 14 213.172.34.122 156 msec *
 ...etc
```

B. Use a route-map to both ISPs

But it is not working as it is supposed to. Should I put default routes even with the route-map next-hop IP defined?

```
ip nat inside source route-map isp1 interface vlan 12 overload
ip nat inside source route-map isp2 interface dialer 1 overload
access-list 110 permit ip host IP_firewall_to_cisco2811 any
access-list 120 permit ip host IP_firewall_to_cisco2811 any
route-map isp1 permit 10
 match ip address 110
 set ip next-hop IP_ISP1
route-map isp2 permit 10
 match ip address 120
 set ip next-hop IP_ISP2
```

C. Use OER

While I have no simple solution with static routes I will wait to use this solution; in addition, I am not sure about compatibility with the route-map configuration.

Below these lines you can see the configuration in cisco2811 with which traffic can get access to the internet through ISP1 only:

```
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
boot-start-marker
boot system flash c2800nm-advipservicesk9-mz.124-13a.bin
boot-end-marker
!
no aaa new-model
no ip source-route
!
vpdn enable
ip tcp synwait-time 10
!
!
interface FastEthernet0/0
 description # traffic to ISP 2 DSL modem #
 no ip address
 duplex half
 speed 10
 pppoe enable group global
 pppoe-client dial-pool-number 1
!
interface Dialer1
 description # dialer connection to fastethernet 0/0 #
 ip address negotiated
 ip mtu 1452
 encapsulation ppp
 ip nat outside
 no ip mroute-cache
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication chap pap callin
 ppp chap hostname usuario@domain_text
 ppp chap password 7 password_text
 ppp pap sent-username usuario@domain_text password 7 password_text
!
interface FastEthernet0/1
 description # firewall to cisco2811 traffic #
 bandwidth 100000
 ip address xx.yy.zz.169 255.255.255.248
 ip access-group 100 in
 ip verify unicast reverse-path
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nbar protocol-discovery
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 ip tcp adjust-mss 1412
 duplex half
 speed 10
 no mop enabled
!
interface FastEthernet0/0/2
 description # switch port for ISP 1 cisco2900 #
 switchport access vlan 12
!
interface Vlan12
 description # traffic to ISP 1 cisco2900 #
 ip address xx.yy.zz.76 255.255.255.248
 ip access-group 101 in
 ip access-group 102 out
 ip verify unicast reverse-path
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nbar protocol-discovery
 ip nat outside
 ip virtual-reassembly
 ip route-cache flow
 ip tcp adjust-mss 1412
 fair-queue 64 16 256
 no mop enabled
!
ip route 0.0.0.0 0.0.0.0 ip_next_hop_ISP1
!
ip nat inside source static network IP_firewall_to_cisco2811 IP_cisco2811_to_ISP1 /32
!
no cdp run
dialer-list 1 protocol ip permit
ip classless
!
```

When I try to apply the above commands, I lose communication with the ISPs from the web browser, although traceroute still shows the correct path and information to reach the destination web sites.

```
qosrouter#traceroute
Protocol [ip]:
Target IP address: 213.4.130.210
Source address:
Numeric display [n]:
Timeout in seconds [3]:
Probe count [3]:
Minimum Time to Live [1]:
Maximum Time to Live [30]:
Port Number [33434]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Type escape sequence to abort.
Tracing the route to 213.4.130.210
  1 ISP1 0 msec 0 msec 0 msec
  2 194.25.5.110 276 msec 272 msec 252 msec
  3 217.5.66.34 164 msec 224 msec 284 msec
  4  * 62.154.16.161 128 msec 128 msec
  5 62.156.138.90 160 msec 240 msec 136 msec
  6 84.16.13.34 144 msec 144 msec 140 msec
  7 213.140.36.73 168 msec 240 msec 164 msec
  8 80.58.75.158 164 msec 164 msec 168 msec
  9  * * *
 10 etc...

qosrouter#traceroute
Protocol [ip]:
Target IP address: 80.81.96.190
Source address:
Numeric display [n]:
Timeout in seconds [3]:
Probe count [3]:
Minimum Time to Live [1]:
Maximum Time to Live [30]:
Port Number [33434]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Type escape sequence to abort.
Tracing the route to 80.81.96.190
  1 ISP2 8 msec 40 msec 20 msec
  2 212.18.6.213 12 msec 8 msec 12 msec
  3 62.140.24.9 8 msec 8 msec 12 msec
  4  * * *
  5 4.68.118.80 12 msec 4.68.118.16 16 msec 4.68.118.144 16 msec
  6 62.67.33.242 16 msec 20 msec 16 msec
  7 212.23.42.173 [MPLS: Label 3083 Exp 0] 40 msec 44 msec 44 msec
  8 84.233.207.86 [MPLS: Label 616 Exp 0] 44 msec 40 msec 40 msec
  9 84.233.204.209 [MPLS: Label 969 Exp 0] 40 msec 44 msec 44 msec
 10 84.233.204.234 [MPLS: Label 258 Exp 0] 44 msec 40 msec 40 msec
 11 212.23.42.198 44 msec 44 msec 44 msec
 12 84.233.187.18 44 msec 44 msec 40 msec
 13 213.172.34.122 40 msec 44 msec 44 msec
 14  * * *
 15 etc...
```

Why can I not surf the internet using both ISPs at the same time, load balancing traffic between both? The traceroute commands are OK.

Thank all of you in advance, kind regards
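The following is an added example, not the asker's configuration, showing the route-map NAT form for two default routes that Cisco's own NAT documentation uses for dual-ISP uplinks: the route-maps match on the outgoing interface instead of setting a next hop, so each flow is translated with the address of whichever outside interface the routing decision picked. Interface names (Vlan12, Dialer1) and the placeholders IP_firewall_to_cisco2811 and ip_next_hop_ISP1 follow the question; access-list 150 and the route-map names TO-ISP1 and TO-ISP2 are assumptions, and the example assumes overload translation replaces the static network translation from the question.

```cisco
! Added example (not from the question): route-map NAT for two default routes.
! Assumed names: access-list 150, route-maps TO-ISP1 / TO-ISP2.
!
! Two equal-cost default routes. With CEF, load sharing is per destination,
! so all packets of one flow leave through the same ISP.
ip route 0.0.0.0 0.0.0.0 ip_next_hop_ISP1
ip route 0.0.0.0 0.0.0.0 Dialer1
!
! Inside traffic that may be translated (the firewall address from the question).
access-list 150 permit ip host IP_firewall_to_cisco2811 any
!
! Both route-maps match the same inside traffic but a different outgoing
! interface; the translation therefore follows the routing decision instead
! of forcing a next hop from inside the NAT rule.
route-map TO-ISP1 permit 10
 match ip address 150
 match interface Vlan12
!
route-map TO-ISP2 permit 10
 match ip address 150
 match interface Dialer1
!
! One overload translation per outside interface. These replace the
! "ip nat inside source static network ... /32" line: a static entry is
! applied before dynamic rules and would pin every inside address to ISP1.
ip nat inside source route-map TO-ISP1 interface Vlan12 overload
ip nat inside source route-map TO-ISP2 interface Dialer1 overload
```

After applying it, `show ip route` should list both 0.0.0.0/0 entries and `show ip nat translations` should show inside-global addresses belonging to both outside interfaces as new flows open. Inbound services that must be reachable from the internet keep a static translation on one ISP, since return traffic for them can only arrive where that address lives.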

Answer Wiki

Hi Okrus,

Did you find a way to resolve this problem? I'm also interested in this and was trying to find a working config.

I just managed to split the traffic over two ISP links without complicating the LAN, simply with a single LAN segment with a default gateway (without splitting the LAN into two VRFs).

The problem is there is no ready-made redundancy, even though I have two links. It's manual work.

Below is my config template.

```
InternetGW#sh run
Building configuration...

Current configuration : 1543 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname InternetGW
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
ip cef
!
ip vrf ISP-A
 rd 100:1
!
ip vrf ISP-B
 rd 100:2
!
interface FastEthernet0/0
 description *** LAN ***
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 duplex auto
 speed auto
!
interface FastEthernet0/1
 description ### Connected to ISP-A ###
 ip vrf forwarding ISP-A
 ip address 202.124.160.2 255.255.255.252
 ip nat outside
 duplex auto
 speed auto
!
interface FastEthernet1/0
 description ### Connected to ISP-B ###
 ip vrf forwarding ISP-B
 ip address 205.25.25.34 255.255.255.252
 ip nat outside
 duplex auto
 speed auto
!
ip forward-protocol nd
ip route vrf ISP-A 0.0.0.0 0.0.0.0 202.124.160.9
ip route vrf ISP-B 0.0.0.0 0.0.0.0 205.25.24.33
!
ip http server
no ip http secure-server
ip nat inside source list ISP-A-HOSTS interface FastEthernet0/1 vrf ISP-A overload
ip nat inside source list ISP-B-HOSTS interface FastEthernet1/0 vrf ISP-B overload
!
! Lower half of the LAN (.0-.127) goes to ISP-A, upper half (.128-.255) to ISP-B.
ip access-list extended ISP-A-HOSTS
 permit ip 192.168.1.0 0.0.0.127 any
ip access-list extended ISP-B-HOSTS
 permit ip 192.168.1.128 0.0.0.127 any
!
route-map ISP-B-ROUTE-MAP permit 10
 match ip address ISP-B-HOSTS
 set vrf ISP-B
!
route-map ISP-A-ROUTE-MAP permit 10
 match ip address ISP-A-HOSTS
 set vrf ISP-A
!
control-plane
!
line con 0
line aux 0
line vty 0 4
 login
!
end

InternetGW#
```

If anyone has a working configuration, please update.

Thanks,

Chamindaw363
