Q:
NAT issue with load balancing between two ISPs
Switches, Cisco, NAT, Load balancing, Network performance, ISP connection, isp.dsl, Cisco 2811, Cisco 2900 Hello everybody!
This is my first question, I am brand new in this so please excuse me if I do not write properly or straight to the point.
I will try my best.
These are the devices related to my question:
- cisco2811 (completely access)
- DSL modem
- cisco2900 series
I have access to all except cisco2900.
I guess the configuration in cisco2950 is ok and so simple, no special routing or security task, just a point to connect with the provider and through internet (At the moment is working properly).
DSL modem is pretty simple, just a connection straight to internet like a SOHO (small office home office), with no command line interface or similar.
[outbound connection]
Proventia firewall ethernet --------- cisco2811------------ethernet cisco2900 (ISP 1)
[local network traffic] |_________ethernet DSL modem (ISP 2)
[outbound connection]
I am trying to make a simple load balancing between two ISPs with NAT.
I found three possible solutions (for sure exist more).
The starting state is forwarding all the traffic through ISP1, and everything is ok.
ip route 0.0.0.0 0.0.0.0 interfaz ISP1
and basic nat translation
ip nat inside source static network IP_firewall_to_cisco2811 IP_cisco2811_to_ISP1 /32
A. Use two static routes in cisco2811
ip route 0.0.0.0 0.0.0.0 interfaz ISP1
ip route 0.0.0.0 0.0.0.0 interfaz ISP2
But not working as it supose to be.
When I made a traceroute, the information shows that cisco2811 try to route twice between both ISPs and at the end some pages were not load in the browser.
Maybe I have to add more commands to this solution, appart from the small part of nat inside for these interfaces.
qosrouter#traceroute
Protocol [ip]:
Target IP address: 80.81.96.190
Source address:
Numeric display [n]:
Timeout in seconds [3]:
Probe count [3]:
Minimum Time to Live [1]:
Maximum Time to Live [30]:
Port Number [33434]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Type escape sequence to abort.
Tracing the route to 80.81.96.190
1 *
IP_ISP1 0 msec *
2 194.25.5.110 124 msec * 116 msec
3 *
217.5.66.34 124 msec *
4 217.5.66.46 128 msec * 128 msec
5 *
212.20.155.38 116 msec *
6 130.117.0.210 128 msec * 124 msec
7 *
130.117.3.77 120 msec *
8 130.117.1.114 128 msec * 132 msec
9 *
130.117.3.101 192 msec *
10 130.117.0.213 144 msec *
130.117.2.209 148 msec
11 *
130.117.2.133 172 msec *
12 * * *
13 *
149.6.82.206 152 msec *
14 213.172.34.122 156 msec *
...etc
B. Use route-map to both ISPs
But not working as it supose to be.
Should I put default routes even with route-map next-hop ip defined?
ip nat inside source route-map isp1 interface vlan 12 overload
ip nat inside source route-map isp2 interface dialer 1 overload
access-list 110 permit ip host IP_firewall_to_cisco2811 any
access-list 120 permit ip host IP_firewall_to_cisco2811 any
route-map isp1 permit 10
match ip address 110
set ip next-hop IP_ISP1
route-map isp2 permit 10
match ip address 120
set ip next-hop IP_ISP2
C. Use OER, whilst I have no simple solution with static routes I will wait till use this solution, in addition, I am not sure about compatibility between route-map configuration.
Below this lines, you can see the configuration in cisco2811 which traffic can get access to internet through ISP1 only:
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
boot-start-marker
boot system flash c2800nm-advipservicesk9-mz.124-13a.bin
boot-end-marker
!
no aaa new-model
no ip source-route
!
vpdn enable
ip tcp synwait-time 10
!
!
interface FastEthernet0/0
description # traffic to ISP 2 DSL modem#
no ip address
duplex half
speed 10
pppoe enable group global
pppoe-client dial-pool-number 1
!
interface Dialer1
description # dialer connection to fastethernet 0/0 #
ip address negotiated
ip mtu 1452
encapsulation ppp
ip nat outside
no ip mroute-cache
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication chap pap callin
ppp chap hostname usuario@domain_text
ppp chap password 7 password_text
ppp pap sent-username usuario@domain_text password 7 password_text
!
interface FastEthernet0/1
description # firewall to cisco2811 traffic #
bandwidth 100000
ip address xx.yy.zz.169 255.255.255.248
ip access-group 100 in
ip verify unicast reverse-path
no ip redirects
no ip unreachables
no ip proxy-arp
ip nbar protocol-discovery
ip nat inside
ip virtual-reassembly
ip route-cache flow
ip tcp adjust-mss 1412
duplex half
speed 10
no mop enabled
!
interface FastEthernet0/0/2
description # swith port for ISP 1 cisco2900 #
switchport access vlan 12
!
interface Vlan12
description # traffic to ISP 1 cisco2900 #
ip address xx.yy.zz.76 255.255.255.248
ip access-group 101 in
ip access-group 102 out
ip verify unicast reverse-path
no ip redirects
no ip unreachables
no ip proxy-arp
ip nbar protocol-discovery
ip nat outside
ip virtual-reassembly
ip route-cache flow
ip tcp adjust-mss 1412
fair-queue 64 16 256
no mop enabled
!
ip route 0.0.0.0 0.0.0.0 ip_next_hop_ISP1
!
ip nat inside source static network IP_firewall_to_cisco2811 IP_cisco2811_to_ISP1 /32
!
no cdp run
dialer-list 1 protocol ip permit
ip classless
!
When I try to apply the above commands, I lose communication with ISPs from web browser although traceroute still shows correct path and informations to achieve destination web sites.
qosrouter#traceroute
Protocol [ip]:
Target IP address: 213.4.130.210
Source address:
Numeric display [n]:
Timeout in seconds [3]:
Probe count [3]:
Minimum Time to Live [1]:
Maximum Time to Live [30]:
Port Number [33434]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Type escape sequence to abort.
Tracing the route to 213.4.130.210
1 ISP1 0 msec 0 msec 0 msec
2 194.25.5.110 276 msec 272 msec 252 msec
3 217.5.66.34 164 msec 224 msec 284 msec
4 *
62.154.16.161 128 msec 128 msec
5 62.156.138.90 160 msec 240 msec 136 msec
6 84.16.13.34 144 msec 144 msec 140 msec
7 213.140.36.73 168 msec 240 msec 164 msec
8 80.58.75.158 164 msec 164 msec 168 msec
9 * * *
10 etc...
qosrouter#traceroute
Protocol [ip]:
Target IP address: 80.81.96.190
Source address:
Numeric display [n]:
Timeout in seconds [3]:
Probe count [3]:
Minimum Time to Live [1]:
Maximum Time to Live [30]:
Port Number [33434]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Type escape sequence to abort.
Tracing the route to 80.81.96.190
1 ISP2 8 msec 40 msec 20 msec
2 212.18.6.213 12 msec 8 msec 12 msec
3 62.140.24.9 8 msec 8 msec 12 msec
4 * * *
5 4.68.118.80 12 msec
4.68.118.16 16 msec
4.68.118.144 16 msec
6 62.67.33.242 16 msec 20 msec 16 msec
7 212.23.42.173 [MPLS: Label 3083 Exp 0] 40 msec 44 msec 44 msec
8 84.233.207.86 [MPLS: Label 616 Exp 0] 44 msec 40 msec 40 msec
9 84.233.204.209 [MPLS: Label 969 Exp 0] 40 msec 44 msec 44 msec
10 84.233.204.234 [MPLS: Label 258 Exp 0] 44 msec 40 msec 40 msec
11 212.23.42.198 44 msec 44 msec 44 msec
12 84.233.187.18 44 msec 44 msec 40 msec
13 213.172.34.122 40 msec 44 msec 44 msec
14 * * *
15 etc...
Why I can not surf internet using both ISPs at the same time load balancing traffic between both.
Traceroute commands are ok.
Thank all of you in advance
kind regards
This is my first question, I am brand new in this so please excuse me if I do not write properly or straight to the point.
I will try my best.
These are the devices related to my question:
- cisco2811 (completely access)
- DSL modem
- cisco2900 series
I have access to all except cisco2900.
I guess the configuration in cisco2950 is ok and so simple, no special routing or security task, just a point to connect with the provider and through internet (At the moment is working properly).
DSL modem is pretty simple, just a connection straight to internet like a SOHO (small office home office), with no command line interface or similar.
[outbound connection]
Proventia firewall ethernet --------- cisco2811------------ethernet cisco2900 (ISP 1)
[local network traffic] |_________ethernet DSL modem (ISP 2)
[outbound connection]
I am trying to make a simple load balancing between two ISPs with NAT.
I found three possible solutions (for sure exist more).
The starting state is forwarding all the traffic through ISP1, and everything is ok.
ip route 0.0.0.0 0.0.0.0 interfaz ISP1
and basic nat translation
ip nat inside source static network IP_firewall_to_cisco2811 IP_cisco2811_to_ISP1 /32
A. Use two static routes in cisco2811
ip route 0.0.0.0 0.0.0.0 interfaz ISP1
ip route 0.0.0.0 0.0.0.0 interfaz ISP2
But not working as it supose to be.
When I made a traceroute, the information shows that cisco2811 try to route twice between both ISPs and at the end some pages were not load in the browser.
Maybe I have to add more commands to this solution, appart from the small part of nat inside for these interfaces.
qosrouter#traceroute
Protocol [ip]:
Target IP address: 80.81.96.190
Source address:
Numeric display [n]:
Timeout in seconds [3]:
Probe count [3]:
Minimum Time to Live [1]:
Maximum Time to Live [30]:
Port Number [33434]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Type escape sequence to abort.
Tracing the route to 80.81.96.190
1 *
IP_ISP1 0 msec *
2 194.25.5.110 124 msec * 116 msec
3 *
217.5.66.34 124 msec *
4 217.5.66.46 128 msec * 128 msec
5 *
212.20.155.38 116 msec *
6 130.117.0.210 128 msec * 124 msec
7 *
130.117.3.77 120 msec *
8 130.117.1.114 128 msec * 132 msec
9 *
130.117.3.101 192 msec *
10 130.117.0.213 144 msec *
130.117.2.209 148 msec
11 *
130.117.2.133 172 msec *
12 * * *
13 *
149.6.82.206 152 msec *
14 213.172.34.122 156 msec *
...etc
B. Use route-map to both ISPs
But not working as it supose to be.
Should I put default routes even with route-map next-hop ip defined?
ip nat inside source route-map isp1 interface vlan 12 overload
ip nat inside source route-map isp2 interface dialer 1 overload
access-list 110 permit ip host IP_firewall_to_cisco2811 any
access-list 120 permit ip host IP_firewall_to_cisco2811 any
route-map isp1 permit 10
match ip address 110
set ip next-hop IP_ISP1
route-map isp2 permit 10
match ip address 120
set ip next-hop IP_ISP2
C. Use OER, whilst I have no simple solution with static routes I will wait till use this solution, in addition, I am not sure about compatibility between route-map configuration.
Below this lines, you can see the configuration in cisco2811 which traffic can get access to internet through ISP1 only:
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
boot-start-marker
boot system flash c2800nm-advipservicesk9-mz.124-13a.bin
boot-end-marker
!
no aaa new-model
no ip source-route
!
vpdn enable
ip tcp synwait-time 10
!
!
interface FastEthernet0/0
description # traffic to ISP 2 DSL modem#
no ip address
duplex half
speed 10
pppoe enable group global
pppoe-client dial-pool-number 1
!
interface Dialer1
description # dialer connection to fastethernet 0/0 #
ip address negotiated
ip mtu 1452
encapsulation ppp
ip nat outside
no ip mroute-cache
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication chap pap callin
ppp chap hostname usuario@domain_text
ppp chap password 7 password_text
ppp pap sent-username usuario@domain_text password 7 password_text
!
interface FastEthernet0/1
description # firewall to cisco2811 traffic #
bandwidth 100000
ip address xx.yy.zz.169 255.255.255.248
ip access-group 100 in
ip verify unicast reverse-path
no ip redirects
no ip unreachables
no ip proxy-arp
ip nbar protocol-discovery
ip nat inside
ip virtual-reassembly
ip route-cache flow
ip tcp adjust-mss 1412
duplex half
speed 10
no mop enabled
!
interface FastEthernet0/0/2
description # swith port for ISP 1 cisco2900 #
switchport access vlan 12
!
interface Vlan12
description # traffic to ISP 1 cisco2900 #
ip address xx.yy.zz.76 255.255.255.248
ip access-group 101 in
ip access-group 102 out
ip verify unicast reverse-path
no ip redirects
no ip unreachables
no ip proxy-arp
ip nbar protocol-discovery
ip nat outside
ip virtual-reassembly
ip route-cache flow
ip tcp adjust-mss 1412
fair-queue 64 16 256
no mop enabled
!
ip route 0.0.0.0 0.0.0.0 ip_next_hop_ISP1
!
ip nat inside source static network IP_firewall_to_cisco2811 IP_cisco2811_to_ISP1 /32
!
no cdp run
dialer-list 1 protocol ip permit
ip classless
!
When I try to apply the above commands, I lose communication with ISPs from web browser although traceroute still shows correct path and informations to achieve destination web sites.
qosrouter#traceroute
Protocol [ip]:
Target IP address: 213.4.130.210
Source address:
Numeric display [n]:
Timeout in seconds [3]:
Probe count [3]:
Minimum Time to Live [1]:
Maximum Time to Live [30]:
Port Number [33434]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Type escape sequence to abort.
Tracing the route to 213.4.130.210
1 ISP1 0 msec 0 msec 0 msec
2 194.25.5.110 276 msec 272 msec 252 msec
3 217.5.66.34 164 msec 224 msec 284 msec
4 *
62.154.16.161 128 msec 128 msec
5 62.156.138.90 160 msec 240 msec 136 msec
6 84.16.13.34 144 msec 144 msec 140 msec
7 213.140.36.73 168 msec 240 msec 164 msec
8 80.58.75.158 164 msec 164 msec 168 msec
9 * * *
10 etc...
qosrouter#traceroute
Protocol [ip]:
Target IP address: 80.81.96.190
Source address:
Numeric display [n]:
Timeout in seconds [3]:
Probe count [3]:
Minimum Time to Live [1]:
Maximum Time to Live [30]:
Port Number [33434]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Type escape sequence to abort.
Tracing the route to 80.81.96.190
1 ISP2 8 msec 40 msec 20 msec
2 212.18.6.213 12 msec 8 msec 12 msec
3 62.140.24.9 8 msec 8 msec 12 msec
4 * * *
5 4.68.118.80 12 msec
4.68.118.16 16 msec
4.68.118.144 16 msec
6 62.67.33.242 16 msec 20 msec 16 msec
7 212.23.42.173 [MPLS: Label 3083 Exp 0] 40 msec 44 msec 44 msec
8 84.233.207.86 [MPLS: Label 616 Exp 0] 44 msec 40 msec 40 msec
9 84.233.204.209 [MPLS: Label 969 Exp 0] 40 msec 44 msec 44 msec
10 84.233.204.234 [MPLS: Label 258 Exp 0] 44 msec 40 msec 40 msec
11 212.23.42.198 44 msec 44 msec 44 msec
12 84.233.187.18 44 msec 44 msec 40 msec
13 213.172.34.122 40 msec 44 msec 44 msec
14 * * *
15 etc...
Why I can not surf internet using both ISPs at the same time load balancing traffic between both.
Traceroute commands are ok.
Thank all of you in advance
kind regards
ASKED:
Jun 2 2008 4:31 PM GMT
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
A:
RATE THIS ANSWER
0
Click to Vote:
0
Click to Vote:
- 0
0
Did u find a way to resolve this problem? I'm also interested on this and was trying to find a working config.
I just managed to split the traffic on two ISP links without complexing the LAN, simply with a single LAN segment with a default gateway. (Without splitting the LAN into two VRFs)
Problem is there is no ready availabel redundancy eventhough I have two links. Its a manual work.
Below given my config template.
InternetGW#sh run
Building configuration...
Current configuration : 1543 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname InternetGW
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
ip cef
!
!
!
!
ip vrf ISP-A
rd 100:1
!
ip vrf ISP-B
rd 100:2
!
!
!
!
!
interface FastEthernet0/0
description *** LAN ***
ip address 192.168.1.1 255.255.255.0
ip nat inside
duplex auto
speed auto
!
interface FastEthernet0/1
description ### Connected to ISP-A ###
ip vrf forwarding ISP-A
ip address 202.124.160.2 255.255.255.252
ip nat outside
duplex auto
speed auto
!
interface FastEthernet1/0
description ### COnnected to ISP-B ###
ip vrf forwarding ISP-B
ip address 205.25.25.34 255.255.255.252
ip nat outside
duplex auto
speed auto
!
ip forward-protocol nd
ip route vrf ISP-A 0.0.0.0 0.0.0.0 202.124.160.9
ip route vrf ISP-B 0.0.0.0 0.0.0.0 205.25.24.33
!
!
ip http server
no ip http secure-server
ip nat inside source list ISP-A-HOSTS interface FastEthernet0/1 vrf ISP-A overload
ip nat inside source list ISP-B-HOSTS interface FastEthernet1/0 vrf ISP-B overload
!
ip access-list extended ISP-A-HOSTS
permit ip 0.0.0.0 255.255.255.128 any
ip access-list extended ISP-B-HOSTS
permit ip 0.0.0.0 255.255.255.128 any
!
route-map ISP-B-ROUTE-MAP permit 10
match ip address ISP-B-HOSTS
set vrf ISP-B
!
route-map ISP-A-ROUTE-MAP permit 10
match ip address ISP-A-HOSTS
set vrf ISP-A
!
!
!
control-plane
!
!
!
!
line con 0
line aux 0
line vty 0 4
login
!
!
end
InternetGW#
If anyone has a working configuration pl update.
Thanks,
Chamindaw363
