Load Balance Multiple ISPs: Wireless and DSL

mmarange
Level 1

I have a PIX 515. I am trying to load balance 2 internet connections, one Wireless and one DSL modem. Can the PIX do this, or will I have to buy another router? I also have servers on the DMZ and Inside interface that have public IP addresses. The load balance will be on ethernet ports.

I am looking for outbound load balancing, and NAT on each ISP.

2 Replies

jljamison
Level 1

Here's what I can tell you about the setup I just completed.

1) I don't believe you can do much with only a PIX - it can only have one static default route, and the PIX doesn't do policy routing.

2) I have a 2620 (T1, ADSL) on the edge, in front of a PIX 515. I have two address blocks, one from each ISP, and I am unable to do BGP - the DSL provider does not support BGP on ADSL customers.

3) The customer uses private addressing inside, and I turn NAT off on the PIX. In fact I statically map all hosts to themselves - e.g. 192.168.12.0 0.0.0.255 mapped to 192.168.12.0 0.0.0.255.

4) I have a policy route map attached to the fastethernet interface. It selectively binds certain inside addresses and protocols first to the next hop on one interface then the next hop on the other interface, and vice versa for the other interface.

Here's the config info:

access-list 111 remark
access-list 111 remark DSL preferring hosts
access-list 111 remark
access-list 111 remark first, all inside-to-outside web surfing over DSL
access-list 111 remark
access-list 111 permit tcp 192.168.12.0 0.0.0.255 any eq www
access-list 111 permit tcp 192.168.12.0 0.0.0.255 any eq 443
access-list 111 remark
access-list 111 remark then outside available services on pacbell addresses
access-list 111 remark
access-list 111 permit ip host 192.168.12.8 any
access-list 111 permit ip host 192.168.12.9 any
access-list 111 permit ip host 192.168.12.25 any
access-list 111 permit ip host 192.168.12.29 any
access-list 111 permit ip host 192.168.12.45 any
access-list 111 remark
access-list 111 remark then selected interior DHCP clients
access-list 111 remark
access-list 111 permit ip 192.168.12.172 0.0.0.3 any
access-list 111 permit ip 192.168.12.180 0.0.0.3 any
access-list 111 permit ip 192.168.12.188 0.0.0.3 any
access-list 111 permit ip 192.168.12.208 0.0.0.15 any
access-list 111 permit ip 192.168.12.240 0.0.0.15 any
!
access-list 113 remark
access-list 113 remark T1 preferring hosts
access-list 113 remark
access-list 113 permit ip host 192.168.12.5 any
access-list 113 permit ip host 192.168.12.48 any
access-list 113 permit ip host 192.168.12.49 any
access-list 113 permit ip 192.168.12.176 0.0.0.3 any
access-list 113 permit ip 192.168.12.184 0.0.0.3 any
access-list 113 permit ip 192.168.12.192 0.0.0.15 any
access-list 113 permit ip 192.168.12.224 0.0.0.15 any
!
route-map TBroute permit 10
 match ip address 111
 set ip next-hop w.x.y.z a.b.c.d
!
route-map TBroute permit 20
 match ip address 113
 set ip next-hop a.b.c.d w.x.y.z
!
! Step 4 says the route-map is attached to the inside FastEthernet interface;
! that line is not in the posted excerpt. Interface name assumed:
interface FastEthernet0/0
 ip policy route-map TBroute
!

5) NAT is also performed using route-maps, and I overload the interface address. There are certain services statically mapped - e.g. the SMTP service, POP service, etc.

ip nat inside source route-map DSLNat interface BVI1 overload
ip nat inside source route-map T1Nat interface Serial0/0 overload
!
access-list 2 remark
access-list 2 remark NAT list
access-list 2 permit 192.168.12.0 0.0.0.255
!
route-map DSLNat permit 10
 match ip address 2
 match interface BVI1
!
route-map T1Nat permit 10
 match ip address 2
 match interface Serial0/0
!
! Not in the posted excerpt: the translations only apply when the LAN interface
! is marked "ip nat inside" and both ISP interfaces "ip nat outside" (assumed):
interface FastEthernet0/0
 ip nat inside
interface BVI1
 ip nat outside
interface Serial0/0
 ip nat outside
!

There are a number of downfalls in this configuration. It is very specific to each application and protocol whether it can survive a drop of one link unfettered. Secondly, this configuration only detects the drop of a direct link (T1 or DSL) and not an upstream failure at the provider - that would require mutually advertised routes and BGP, as I understand it.

The scheme for an externally visible, inbound service is as follows. The internal host is set up with two local addresses. One address is statically mapped to a global address from one ISP, and the other address is statically mapped to a global address from the other ISP. The policy route map supports this mapping on outbound traffic. If one of the addresses is unavailable, then the other must be chosen for use, either manually (e.g. POP service) or by the operation of the protocol (SMTP).

Outbound load balancing is achieved through the route-map - in my case I break up the internal address pool into chunks, and route blocks of internal hosts over one or the other. Also I route based on traffic - internal HTTP browsing is sent over the DSL line because the bandwidth properties support HTTP better via DSL (6mbps downstream, 384kbps upstream) than T1.

It's not perfect.

In your case, the pix (or a router that you purchase) will not detect a failure of your DSL link because the ethernet connection between the pix/router and the DSL modem will not go down if the DSL line goes down. I put a DSL card in the 2620 for this purpose.

I invite comments and suggestions from you experts out there on how I could have done my setup differently or better. I did get advice several times using this forum.

Good luck,

John
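As an added illustration of the decision the 2620 makes in John's reply (this is not part of the thread and not Cisco code, only a Python model of the IOS behaviour): it implements wildcard-mask matching, first-match access-list evaluation with the implicit deny, route-map sequence order, the first-reachable choice among the two addresses in `set ip next-hop`, and the `match interface` NAT route-maps. The access-lists are trimmed copies of 111, 113 and 2 above; the gateway addresses 203.0.113.1 and 198.51.100.1, the `EGRESS` table, the sample hosts and the `link_up` states are constructed stand-ins for the w.x.y.z / a.b.c.d placeholders.

```python
import ipaddress


def _i(ip):
    return int(ipaddress.IPv4Address(ip))


def wildcard_match(addr, base, wildcard):
    """IOS wildcard-mask semantics: a 1 bit in the wildcard means 'don't care'."""
    care = 0xFFFFFFFF ^ _i(wildcard)
    return (_i(addr) & care) == (_i(base) & care)


def acl_permits(acl, pkt):
    """First-match evaluation of an access-list with an implicit deny at the end.
    Every entry in the thread's ACLs has destination 'any', so only protocol,
    source and destination port are checked."""
    for e in acl:
        if e["proto"] != "ip" and e["proto"] != pkt["proto"]:
            continue
        if not wildcard_match(pkt["src"], e["src"], e["wc"]):
            continue
        if e.get("dport") is not None and e["dport"] != pkt.get("dport"):
            continue
        return e["action"] == "permit"
    return False


def policy_route(route_map, acls, pkt, link_up):
    """Sequences are tried in order; the first whose ACL permits the packet wins.
    'set ip next-hop A B' uses the first hop the router considers reachable
    (modelled by link_up[hop]). No match, or every listed hop down, returns
    None: the packet is then forwarded by the normal routing table."""
    for seq in route_map:
        if acl_permits(acls[seq["match_acl"]], pkt):
            for hop in seq["next_hops"]:
                if link_up.get(hop, False):
                    return hop
            return None
    return None


def nat_overload_interface(pkt, egress_iface, nat_maps, acls):
    """'ip nat inside source route-map X interface Y overload': translate only when
    the map's ACL permits the source AND the packet leaves via the interface in
    'match interface'. Returns the interface whose address is overloaded, or None."""
    for m in nat_maps:
        if m["match_interface"] == egress_iface and acl_permits(acls[m["match_acl"]], pkt):
            return m["nat_interface"]
    return None


INSIDE = ("192.168.12.0", "0.0.0.255")
ACLS = {  # trimmed copies of access-lists 111, 113 and 2 from the reply
    111: [
        {"action": "permit", "proto": "tcp", "src": INSIDE[0], "wc": INSIDE[1], "dport": 80},
        {"action": "permit", "proto": "tcp", "src": INSIDE[0], "wc": INSIDE[1], "dport": 443},
        {"action": "permit", "proto": "ip", "src": "192.168.12.8", "wc": "0.0.0.0"},
        {"action": "permit", "proto": "ip", "src": "192.168.12.172", "wc": "0.0.0.3"},
        {"action": "permit", "proto": "ip", "src": "192.168.12.208", "wc": "0.0.0.15"},
    ],
    113: [
        {"action": "permit", "proto": "ip", "src": "192.168.12.5", "wc": "0.0.0.0"},
        {"action": "permit", "proto": "ip", "src": "192.168.12.176", "wc": "0.0.0.3"},
        {"action": "permit", "proto": "ip", "src": "192.168.12.192", "wc": "0.0.0.15"},
    ],
    2: [{"action": "permit", "proto": "ip", "src": INSIDE[0], "wc": INSIDE[1]}],
}
DSL_GW, T1_GW = "203.0.113.1", "198.51.100.1"  # constructed stand-ins for w.x.y.z / a.b.c.d
TBROUTE = [
    {"seq": 10, "match_acl": 111, "next_hops": [DSL_GW, T1_GW]},  # DSL first, T1 second
    {"seq": 20, "match_acl": 113, "next_hops": [T1_GW, DSL_GW]},  # T1 first, DSL second
]
EGRESS = {DSL_GW: "BVI1", T1_GW: "Serial0/0"}  # assumed: which interface reaches each gateway
NAT_MAPS = [
    {"match_acl": 2, "match_interface": "BVI1", "nat_interface": "BVI1"},          # DSLNat
    {"match_acl": 2, "match_interface": "Serial0/0", "nat_interface": "Serial0/0"},  # T1Nat
]


def pkt(src, proto, dport=None):
    return {"src": src, "proto": proto, "dport": dport}


def decide(p, link_up):
    """Full forwarding decision: (next-hop, egress interface, NAT overload interface)."""
    hop = policy_route(TBROUTE, ACLS, p, link_up)
    iface = EGRESS.get(hop)
    nat = nat_overload_interface(p, iface, NAT_MAPS, ACLS) if iface else None
    return hop, iface, nat


if __name__ == "__main__":
    both_up = {DSL_GW: True, T1_GW: True}
    # Line state as the router sees it. With the DSL modem on Ethernet, DSL_GW
    # stays True even when the DSL line itself is down (the caveat in the reply);
    # only a DSL card in the router itself turns it False.
    dsl_down = {DSL_GW: False, T1_GW: True}
    for label, p, state in [
        ("web from a DHCP client", pkt("192.168.12.100", "tcp", 80), both_up),
        ("web from T1-preferring host .5", pkt("192.168.12.5", "tcp", 80), both_up),
        ("smtp from host .5", pkt("192.168.12.5", "tcp", 25), both_up),
        ("dns from unlisted host", pkt("192.168.12.100", "udp", 53), both_up),
        ("web with DSL next-hop down", pkt("192.168.12.100", "tcp", 80), dsl_down),
    ]:
        print(f"{label:32s} -> {decide(p, state)}")
```

Two things the model makes visible that the config alone does not: web traffic from host .5 goes out the DSL side even though .5 is in the "T1 preferring" list, because sequence 10 matches the whole /24 on port 80 before sequence 20 is consulted; and the second next-hop in `set ip next-hop` is only used when the router marks the first one unreachable, which with the modem on Ethernet never happens for a DSL-side outage.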

Thanks John,

I have a similar router configuration, but in my case 3 interfaces connected to the Internet (same ISP) with 256 Kbps each. All 3 are pointed to one interface connected to the LAN. I'm using a 3640 Router.

That's a portion of it (the a.b.c.x are public IPs):

route-map GW1 permit 10
 match ip address 101
 match ip next-hop 1
 set ip next-hop a.b.c.1
!
route-map GW2 permit 10
 match ip address 102
 match ip next-hop 2
 set ip next-hop a.b.c.2
!
route-map GW3 permit 10
 match ip address 103
 set ip next-hop a.b.c.3

But I'm not convinced that this really works!!

What other kinds of load-balancing could this router do? If one Internet interface is too busy does it direct the request to another interface?

Thanks
