cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
13417
Views
0
Helpful
13
Replies
Highlighted
Beginner

Cisco 1921 Dual ADSL Load Balancing/Failover?

Hello,

We have purchased a Cisco 1921 with twin ADSL after advice from a Cisco sales rep. However I am having trouble working out the load balancing/fail over config for the device.

I would like traffic to balance over both ADSL lines and if one goes down not to interrupt connectivity.

I had a look at ppp multilink but I am unsure our ISP (BT) support this?

This is my current config which I think only one ADSL line is being used. Some input would be appreciated

Robbie

!
! Last configuration change at 13:18:34 UTC Tue Mar 29 2011
!
version 15.0
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname xxxxxx

!
boot-start-marker
boot-end-marker
!
no logging buffered
enable secret 5 xxxxx

enable password xxxx

!
no aaa new-model
!
no ipv6 cef
ip source-route
ip cef
!
!
!
!
ip name-server 194.74.65.68
ip name-server 194.72.0.114
multilink bundle-name authenticated
!
!
crypto pki trustpoint TP-self-signed-xxxxxx

enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-xxxxx0
revocation-check none
rsakeypair TP-self-signed-xxxxx!
!
crypto pki certificate chain TP-self-signed-xxxxxx

certificate self-signed 02 nvram:IOS-Self-Sig#4.cer
license udi pid CISCO1921/K9 xxxxx

!
!
username admin privilege 15 secret 5 xxxxxxxxxx/
!
!
!
!
!
!
interface GigabitEthernet0/0
description lan$ETH-LAN$
ip address 10.0.8.1 255.255.248.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
interface GigabitEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
interface ATM0/0/0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
no atm ilmi-keepalive
dsl operating-mode adsl2
!
interface ATM0/0/0.1 point-to-point
description $ES_WAN$$FW_OUTSIDE$
ip flow ingress
pvc 0/38
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
!
!
interface ATM0/1/0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
no atm ilmi-keepalive
dsl operating-mode adsl2
!
interface ATM0/1/0.1 point-to-point
description $ES_WAN$$FW_OUTSIDE$
ip flow ingress
pvc 0/38
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
!
!
interface Dialer0
mtu 1483
ip address negotiated
ip access-group spalding in
ip access-group spalding out
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication chap callin
ppp chap hostname xxxxx

ppp chap password 0 xxxxx

ppp multilink
ppp multilink links minimum 2
ppp multilink fragment disable
ppp timeout multilink link add 2
no cdp enable
!
interface Dialer1
mtu 1483
ip address negotiated
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication chap callin
ppp chap hostname xxxxx

ppp chap password 0 xxxxx

ppp link reorders
ppp multilink
ppp multilink links minimum 2
ppp multilink fragment disable
ppp timeout multilink link add 2
no cdp enable
!
ip forward-protocol nd
!
no ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source list 1 interface Dialer0 overload
ip nat inside source static tcp 10.0.15.201 3389 interface Dialer0 3389
ip nat outside source static tcp 195.194.75.218 3389 10.0.15.200 3389 extendable
ip route 0.0.0.0 0.0.0.0 Dialer0
!
access-list 1 remark INSIDE_IF=GigabitEthernet0/0
access-list 1 permit 10.0.0.0 0.254.255.255
dialer-list 1 protocol ip permit
!
!
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
privilege level 15
login local
transport input telnet ssh
line vty 5 15
privilege level 15
login local
transport input telnet ssh
!
scheduler allocate 20000 1000
end

Everyone's tags (6)
13 REPLIES 13
Highlighted
Cisco Employee

Re: Cisco 1921 Dual ADSL Load Balancing/Failover?

Since both DSL links are with same provider, check first if he's providing some sort of load balacing mechanism (MPPP or any layer3 sharing). That's always the best way to achieve efficient load sharing.

If he doesn't, you can look at the below CCO doc which gives an example for load balacing with dynamic NAT.
You need in your case 2 default static route and likely use object tracking to check connectivity.

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_configuration_example09186a0080950834.shtml

Finally, if you want also to make internal server accessible via both links, you'll need to look at the below post in case provider in using uRPF.

https://supportforums.cisco.com/message/3297523#3297523

Thx,

Fabrice
Highlighted
Beginner

Re: Cisco 1921 Dual ADSL Load Balancing/Failover?

How would this work with a VPN currently over Dialer2? Would I apply the same site to site VPN on the other Dialer?

Can you see any reason why it isnt possible to connect via Dialer0 from the outside? doesnt ping or anything

Robbie

Highlighted
Cisco Employee

Re: Cisco 1921 Dual ADSL Load Balancing/Failover?

I guess the router is terminating a VPN connection and you would like to get redundancy for this VPN connection, correct ?

If yes, that's not a big deal if VPN users need only to access internal services (accessing the Internet through the VPN is another story). This only requires PBR on the inside interface to force traffic destined to private IPs to the selected primary dialer. You need as well to use next-hop tracking to make sure we fall back to secondary dialer when primary is not working properly.

route-map PBR-LAN permit 10

match ip address IPSEC

set ip next-hop verify-availability 10 track 1

set ip next-hop verify-availability 20

!

ip access-list extended IPSEC

permit ip

Having said that, with dialer, we typically don't know the next-hops IP so you might then need to use a fake next-hop (1.1.1.1 for ex) in PBR and use tracking in static route defined for the fake next-hop :

route-map PBR-LAN permit 10

match ip address IPSEC

set ip next-hop recursive 1.1.1.1

ip route 1.1.1.1 255.255.255.255 track 1
ip route 1.1.1.1 255.255.255.255 track 2

ip access-list extended IPSEC

permit ip

N.B. track 1 and track 2 could track whatever known (and always available, typically DNS servers) address on the Internet and specify source IP of probe being primary dialer for track 1 and secondary dilaer for track 2...

Regarding the reachability problem you mentioned, I guess this shows provider is using uRPF so you need to make sure that packets originated by the router are sent out based on source IP. This is achieved with local PBR but might be a challenge to define the acl if address provided dynamically by provider is not within a pre-defined range...

ip local policy route-map LOCAL-PBR
!
route-map LOCAL-PBR permit 10
  match ip address DIALER-0-ADD
  set interface dialer0
!
route-map LOCAL-PBR permit 20
  match ip address DILAER1-ADD
  set interface dialer1
!
ip access-list extended DIALER-0-ADD
  permit ip [range of IPs for dialer0] any
ip access-list extended DIALER-1-ADD
  permit ip [range of IPs for dialer1] any

Highlighted
Beginner

Re: Cisco 1921 Dual ADSL Load Balancing/Failover?

ip local policy route-map LOCAL-PBR
!
route-map LOCAL-PBR permit 10
  match ip address DIALER-0-ADD
  set interface dialer0
!
route-map LOCAL-PBR permit 20
  match ip address DIALER2-ADD
  set interface dialer2
!
ip access-list extended DIALER-0-ADD
  permit ip 217.35.xx.xxx any
ip access-list extended DIALER-2-ADD
  permit ip 217.36.xx.xx  any

The range for the dialer is that the LAN? or the dialers static ip?

 

Thanks

Robbie

Highlighted
Beginner

Hi, Can anyone help me with

Hi,

 

Can anyone help me with this config?  not very reliable.

 

Building configuration...

Current configuration : 17349 bytes
!
! Last configuration change at 06:08:06 UTC Sun Apr 5 2015 by Shawn
!
version 15.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname Router
!
boot-start-marker
boot system flash0:c2900-universalk9-mz.SPA.154-3.M2.bin
boot-end-marker
!
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200
logging console critical
enable secret 5 $1$sNeA$GB6.SMrcsxPf51tK2Eo9Z.
!
aaa new-model
!
!
aaa authentication login local_authen local
aaa authorization exec local_author local
!
!
!
!
!
aaa session-id common
!
!
!
!
!
!
no ip source-route
!
!
!
!
!
!
!
!


ip port-map user-protocol--8 port udp 3392
ip port-map user-protocol--9 port tcp 3397
ip port-map user-protocol--2 port udp 3391
ip port-map user-protocol--3 port tcp 14000
ip port-map user-protocol--1 port tcp 3391
ip port-map user-protocol--6 port udp 3394
ip port-map user-protocol--7 port tcp 3392
ip port-map user-protocol--4 port udp 14100
ip port-map user-protocol--5 port tcp 3394
ip port-map user-protocol--10 port udp 3397
!
ip dhcp excluded-address 192.168.1.1 192.168.1.49
ip dhcp excluded-address 192.168.10.1 192.168.10.49
!
ip dhcp pool DHCP_POOL1
 import all
 network 192.168.1.0 255.255.255.0
 dns-server 139.130.4.4 203.50.2.71
 default-router 192.168.1.1
 lease infinite
!
ip dhcp pool ccp-pool1
 import all
 network 192.168.10.0 255.255.255.0
 dns-server 139.130.4.4 203.50.2.71
 default-router 192.168.10.1
 lease infinite
!
!
!
no ip bootp server
ip host SHAWN-PC 192.168.1.10
ip host DIAG 192.168.1.5
ip host MSERV 192.168.1.13
ip name-server 139.130.4.4
ip name-server 203.50.2.71
ip cef
ip cef load-sharing algorithm include-ports source destination
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
cts logging verbose
!
crypto pki trustpoint TP-self-signed-1982477479
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1982477479
 revocation-check none
 rsakeypair TP-self-signed-1982477479
!
!
license udi pid 

license boot module c2900 technology-package securityk9
license boot module c2900 technology-package datak9
!
!
!
redundancy
!
!
!
!
!
controller VDSL 0/0/0
 operating mode adsl2+
!
controller VDSL 0/1/0
 operating mode adsl2+
no cdp run
track timer interface 5
!
track 1 interface Dialer0 ip routing
 delay down 15 up 10
!
track 2 interface Dialer1 ip routing
 delay down 15 up 10
!
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
!
class-map type inspect match-all sdm-nat-user-protocol--7-1
 match access-group 104
 match protocol user-protocol--7
 match access-group 102
class-map type inspect match-all sdm-nat-user-protocol--4-2
 match access-group 101
 match protocol user-protocol--4
class-map type inspect match-all sdm-nat-user-protocol--6-1
 match access-group 103
 match protocol user-protocol--6
class-map type inspect match-all sdm-nat-user-protocol--5-1
 match access-group 103
 match protocol user-protocol--5
class-map type inspect match-all sdm-nat-user-protocol--4-1
 match access-group 102
 match protocol user-protocol--4
class-map type inspect match-all sdm-nat-user-protocol--7-2
 match access-group 101
 match protocol user-protocol--7
class-map type inspect match-all sdm-nat-user-protocol--3-1
 match access-group 102
 match protocol user-protocol--3
class-map type inspect match-all sdm-nat-user-protocol--2-1
 match access-group 101
 match protocol user-protocol--2
class-map type inspect match-all sdm-nat-user-protocol--1-2
 match access-group 102
 match protocol user-protocol--1
class-map type inspect match-all sdm-nat-user-protocol--1-1
 match access-group 101
 match protocol user-protocol--1
class-map type inspect match-all sdm-nat-user-protocol--2-2
 match access-group 102
 match protocol user-protocol--2
class-map type inspect match-all sdm-nat-user-protocol--3-2
 match access-group 101
 match protocol user-protocol--3
class-map type inspect match-all sdm-nat-user-protocol--8-2
 match access-group 101
 match protocol user-protocol--8
class-map type inspect match-all sdm-nat-user-protocol--9-2
 match access-group 104
 match protocol user-protocol--9
class-map type inspect match-any ccp-skinny-inspect
 match protocol skinny
class-map type inspect match-all sdm-nat-user-protocol--9-1
 match access-group 101
 match protocol user-protocol--9
 match access-group 104
class-map type inspect match-all sdm-nat-user-protocol--8-1
 match access-group 104
 match protocol user-protocol--8
 match access-group 102
class-map type inspect match-any ccp-h323nxg-inspect
 match protocol h323-nxg
class-map type inspect match-any ccp-cls-icmp-access
 match protocol icmp
 match protocol tcp
 match protocol udp
class-map type inspect match-all sdm-nat-user-protocol--10-2
 match access-group 104
 match protocol user-protocol--10
class-map type inspect match-all sdm-nat-user-protocol--10-1
 match access-group 101
 match protocol user-protocol--10
 match access-group 104
class-map type inspect match-any ccp-h225ras-inspect
 match protocol h225ras
class-map type inspect match-any ccp-h323annexe-inspect
 match protocol h323-annexe
class-map type inspect match-any ccp-cls-insp-traffic
 match protocol pptp
 match protocol dns
 match protocol ftp
 match protocol https
 match protocol icmp
 match protocol imap
 match protocol pop3
 match protocol netshow
 match protocol shell
 match protocol realmedia
 match protocol rtsp
 match protocol smtp
 match protocol sql-net
 match protocol streamworks
 match protocol tftp
 match protocol vdolive
 match protocol tcp
 match protocol udp
class-map type inspect match-all SDM_GRE
 match access-group name SDM_GRE
class-map type inspect match-any ccp-h323-inspect
 match protocol h323
class-map type inspect match-all ccp-invalid-src
 match access-group 100
class-map type inspect match-any ccp-sip-inspect
 match protocol sip
class-map type inspect match-all ccp-protocol-http
 match protocol http
class-map type inspect match-any CCP_PPTP
 match class-map SDM_GRE
class-map type inspect match-all ccp-insp-traffic
 match class-map ccp-cls-insp-traffic
class-map type inspect match-all ccp-icmp-access
 match class-map ccp-cls-icmp-access
!
policy-map type inspect ccp-inspect
 class type inspect ccp-invalid-src
  drop log
 class type inspect ccp-protocol-http
  inspect
 class type inspect ccp-insp-traffic
  inspect
 class type inspect ccp-sip-inspect
  inspect
 class type inspect ccp-h323-inspect
  inspect
 class type inspect ccp-h323annexe-inspect
  inspect
 class type inspect ccp-h225ras-inspect
  inspect
 class type inspect ccp-h323nxg-inspect
  inspect
 class type inspect ccp-skinny-inspect
  inspect
 class class-default
  drop
policy-map type inspect sdm-pol-NATOutsideToInside-1
 class type inspect sdm-nat-user-protocol--1-1
  inspect
 class type inspect sdm-nat-user-protocol--2-1
  inspect
 class type inspect sdm-nat-user-protocol--3-1
  inspect
 class type inspect sdm-nat-user-protocol--4-1
  inspect
 class type inspect sdm-nat-user-protocol--5-1
  inspect
 class type inspect sdm-nat-user-protocol--6-1
  inspect
 class type inspect sdm-nat-user-protocol--7-1
  inspect
 class type inspect sdm-nat-user-protocol--8-1
  inspect
 class type inspect sdm-nat-user-protocol--9-1
  inspect
 class type inspect sdm-nat-user-protocol--10-1
  inspect
 class type inspect CCP_PPTP
  pass
 class type inspect sdm-nat-user-protocol--7-2
  inspect
 class type inspect sdm-nat-user-protocol--8-2
  inspect
 class type inspect sdm-nat-user-protocol--1-2
  inspect
 class type inspect sdm-nat-user-protocol--2-2
  inspect
 class type inspect sdm-nat-user-protocol--9-2
  inspect
 class type inspect sdm-nat-user-protocol--10-2
  inspect
 class type inspect sdm-nat-user-protocol--3-2
  inspect
 class type inspect sdm-nat-user-protocol--4-2
  inspect
 class class-default
  drop log
policy-map type inspect ccp-permit
 class class-default
  drop
policy-map type inspect ccp-permit-icmpreply
 class type inspect ccp-icmp-access
  inspect
 class class-default
  pass
!
zone security in-zone
zone security out-zone
zone-pair security ccp-zp-self-out source self destination out-zone
 service-policy type inspect ccp-permit-icmpreply
zone-pair security ccp-zp-in-out source in-zone destination out-zone
 service-policy type inspect ccp-inspect
zone-pair security ccp-zp-out-self source out-zone destination self
 service-policy type inspect ccp-permit
zone-pair security sdm-zp-NATOutsideToInside-1 source out-zone destination in-zone
 service-policy type inspect sdm-pol-NATOutsideToInside-1
!
!
!
!
!
!
!
!
!
!
interface Null0
 no ip unreachables
!
interface Embedded-Service-Engine0/0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 shutdown
!
interface GigabitEthernet0/0
 description $ETH-LAN$
 ip address 192.168.10.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 duplex auto
 speed auto
 no mop enabled
!
interface GigabitEthernet0/1
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 shutdown
 duplex auto
 speed auto
 no mop enabled
!
interface ATM0/0/0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 no atm ilmi-keepalive
!
interface ATM0/0/0.1 point-to-point
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 pvc 8/35
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
!
interface ATM0/0/0.2 point-to-point
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
!
interface Ethernet0/0/0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 shutdown
 no mop enabled
!
interface ATM0/1/0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 no atm ilmi-keepalive
!
interface ATM0/1/0.1 point-to-point
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 pvc 8/35
  encapsulation aal5mux ppp dialer
  dialer pool-member 2
 !
!
interface Ethernet0/1/0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 shutdown
 no mop enabled
!
interface GigabitEthernet0/3/0
 no ip address
!
interface GigabitEthernet0/3/1
 no ip address
!
interface GigabitEthernet0/3/2
 no ip address
!
interface GigabitEthernet0/3/3
 no ip address
!
interface GigabitEthernet0/3/4
 no ip address
!
interface GigabitEthernet0/3/5
 no ip address
!
interface GigabitEthernet0/3/6
 no ip address
!
interface GigabitEthernet0/3/7
 no ip address
!
interface Vlan1
 description $FW_INSIDE$
 ip address 192.168.1.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nbar protocol-discovery
 ip flow ingress
 ip nat inside
 ip virtual-reassembly in
 zone-member security in-zone
!
interface Dialer0
 description $FW_OUTSIDE$
 ip address negotiated
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nbar protocol-discovery
 ip flow ingress
 ip nat outside
 ip virtual-reassembly in
 zone-member security out-zone
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication chap pap callin
 ppp chap hostname erescu0@direct.telstra.net
 ppp chap password 7 1444405858557A
 ppp pap sent-username erescu0@direct.telstra.net password 7 135645415F5D54
 ppp multilink
!
interface Dialer1
 description $FW_OUTSIDE$
 ip address negotiated
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nbar protocol-discovery
 ip flow ingress
 ip nat outside
 ip virtual-reassembly in
 zone-member security out-zone
 encapsulation ppp
 dialer pool 2
 dialer-group 2
 ppp authentication chap pap callin
 ppp chap hostname mun17238880@direct.telstra.net
 ppp chap password 7 01475E540E5D55
 ppp pap sent-username mun17238880@direct.telstra.net password 7 055F5E5F741A1D
 ppp multilink
!
!
!
router eigrp as#
!
!
router eigrp 10
 network 192.168.1.1 0.0.0.0
!
router rip
 version 2
 network 192.168.1.0
 no auto-summary
!
ip forward-protocol nd
!
ip http server
ip http access-class 3
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip dns server
ip nat inside source static tcp 192.168.1.10 3392 interface Dialer1 3392
ip nat inside source static udp 192.168.1.10 3392 interface Dialer1 3392
ip nat inside source static tcp 192.168.1.35 3391 interface Dialer0 3391
ip nat inside source static udp 192.168.1.35 3391 interface Dialer0 3391
ip nat inside source static tcp 192.168.1.5 3394 interface Dialer0 3394
ip nat inside source static udp 192.168.1.5 3394 interface Dialer0 3394
ip nat inside source static tcp 192.168.1.17 3397 interface Dialer0 3397
ip nat inside source static udp 192.168.1.17 3397 interface Dialer0 3397
ip nat inside source static tcp 192.168.1.10 14000 interface Dialer0 14000
ip nat inside source static udp 192.168.1.10 14100 interface Dialer0 14100
ip nat inside source route-map ADSL0 interface Dialer0 overload
ip nat inside source route-map ADSL1 interface Dialer1 overload
ip route 0.0.0.0 0.0.0.0 Dialer0 track 1
ip route 0.0.0.0 0.0.0.0 Dialer1 track 2
!
ip access-list extended NAT
 remark CCP_ACL Category=18
 permit ip 192.0.0.0 0.255.255.255 any
ip access-list extended SDM_GRE
 remark CCP_ACL Category=1
 permit gre any any
 remark CCP_ACL Category=1
ip access-list extended STATIC-NAT-SERVICES
 permit ip host 192.168.1.35 any
 permit ip host 192.168.1.5 any
 permit ip host 192.168.1.10 any
 permit ip host 192.168.1.17 any
!
dialer-list 1 protocol ip permit
dialer-list 2 protocol ip permit
!
route-map ADSL0 permit 10
 match ip address NAT
 match interface Dialer0
!
route-map ADSL1 permit 10
 match ip address NAT
 match interface Dialer1
!
!
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 2 remark HTTP Access-class list
access-list 2 remark CCP_ACL Category=1
access-list 2 permit 192.168.1.0 0.0.0.255
access-list 2 deny   any
access-list 2 remark HTTP Access-class list
access-list 2 remark CCP_ACL Category=1
access-list 3 remark HTTP Access-class list
access-list 3 remark CCP_ACL Category=1
access-list 3 permit 192.168.1.0 0.0.0.255
access-list 3 deny   any
access-list 10 remark INSIDE_IF=NAT
access-list 10 remark CCP_ACL Category=2
access-list 10 permit 192.168.1.0 0.0.0.255
access-list 100 remark CCP_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip 139.130.227.0 0.0.0.255 any
access-list 100 permit ip 203.45.106.0 0.0.0.255 any
access-list 101 remark CCP_ACL Category=0
access-list 101 permit ip any host 192.168.1.10
access-list 101 remark CCP_ACL Category=0
access-list 101 permit ip any host 192.168.1.35
access-list 101 permit tcp any any eq www
access-list 102 remark CCP_ACL Category=0
access-list 102 permit ip any host 192.168.1.35
access-list 102 remark CCP_ACL Category=0
access-list 102 permit ip any host 192.168.1.10
access-list 103 remark CCP_ACL Category=0
access-list 103 permit ip any host 192.168.1.5
access-list 104 remark CCP_ACL Category=0
access-list 104 permit ip any host 192.168.1.17
!
!
!
control-plane
!
!
banner login ^CCE-Rescue Systems^C
!
line con 0
 login authentication local_authen
 transport output telnet
line aux 0
 login authentication local_authen
 transport output telnet
line 2
 no activation-character
 no exec
 transport preferred none
 transport output lat pad telnet rlogin lapb-ta mop udptn v120 ssh
 stopbits 1
line vty 0 4
 authorization exec local_author
 login authentication local_authen
 transport input telnet ssh
line vty 5 15
 authorization exec local_author
 login authentication local_authen
 transport input telnet ssh
!
scheduler allocate 20000 1000
!
end

Thanks

Shawn

Highlighted
Cisco Employee

Hi Shawn, What part of your

Hi Shawn,

 

What part of your config doesn't work as you expect ? Static NAT, Dynamic NAT, failover, etc.. ?

 

Thx,

 

Fabrice

Highlighted
Beginner

Hi Fabrice,I have been trying

Hi Fabrice,

I have been trying to get load balancing between the two ADSL connections

and still have incoming connections to my servers.

when I have equal routes gives me that best download speeds.

but no connection from the outside.

ip route 0.0.0.0 0.0.0.0 Dialer0 track 1

ip route 0.0.0.0 0.0.0.0 Dialer1 10 track 2

is the only way for connections to servers work.

Regards,

Shawn.


Building configuration...

Current configuration : 13178 bytes
!
! Last configuration change at 11:04:44 UTC Sun May 17 2015 by Shawn
!
version 15.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname Router
!
boot-start-marker
boot-end-marker
!
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200
logging console critical
enable secret
!
aaa new-model
!
!
aaa authentication login local_authen local
aaa authorization exec local_author local
!
!
!
!
!
aaa session-id common
!
!
!
!
!
!
no ip source-route
!
!
!
!
!
!
!
!


ip port-map user-protocol--2 port udp 3392
ip port-map user-protocol--3 port tcp 3391
ip port-map user-protocol--1 port tcp 3392
ip port-map user-protocol--6 port tcp 14100
ip port-map user-protocol--4 port udp 3391
ip port-map user-protocol--5 port tcp 14000
!
ip dhcp excluded-address 192.168.1.1 192.168.1.49
!
ip dhcp pool DHCP_POOL
 import all
 network 192.168.1.0 255.255.255.0
 dns-server 139.130.4.4 203.50.2.71
 default-router 192.168.1.1
 lease infinite
!
!
!
no ip bootp server
ip name-server 139.130.4.4
ip name-server 203.50.2.71
ip cef
ip cef load-sharing algorithm include-ports source destination
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
cts logging verbose
!
crypto pki trustpoint TP-self-signed-1982477479
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1982477479
 revocation-check none
 rsakeypair TP-self-signed-1982477479
!
!
crypto pki certificate chain TP-self-signed-1982477479
 certificate self-signed 01
  3082022B 30820194 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 31393832 34373734 3739301E 170D3135 30353137 30393236
  30395A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D31 39383234
  37373437 3930819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
  8100B1DB 80FC4173 9A6E3809 D6B9D26A 4504D057 91E3B29E 9A280AD8 84D9B75E
  EE54A95B 8155046E 35ED13AF 10737E6D C8C9D659 B0FA175C BCD2D8EC E7DCC788
  3E2DA4B4 1436F8D6 D0258736 D1885668 E7194CB3 8F06C778 DE8AE70E B4F35A6E
  5A62104F 09BD44A3 50EB257D 6DB0349D DB36E30F AD01E8B7 BD74621A A8504316
  971B0203 010001A3 53305130 0F060355 1D130101 FF040530 030101FF 301F0603
  551D2304 18301680 14CD9762 FE2A5E12 48E75D7D 4F94431E 82833562 DB301D06
  03551D0E 04160414 CD9762FE 2A5E1248 E75D7D4F 94431E82 833562DB 300D0609
  2A864886 F70D0101 05050003 81810088 DACB0EB9 A2FC089B 161BE708 4EC0A57C
  5370CDB7 8FE0056B FC0ABE79 61C17024 C33FD98D 9F09E506 08EB4558 1DD62FC5
  98274FA0 268F0273 2929797C 0964AD41 70B577F7 ABA65C72 A24FC2A5 236D12EB
  D042DD57 3855CF69 89A46260 607BF44B DBB00AFF FB724591 5889F9C9 273A488D
  B6089B42 E20C4AC5 43C344CA B3F5DA
   quit
license udi pid CISCO2901/K9 sn
license boot module c2900 technology-package securityk9
license boot module c2900 technology-package datak9
!
!
username Shawn privilege 15 secret 5
!
redundancy
!
!
!
!
!
controller VDSL 0/0/0
 operating mode adsl2+
!
controller VDSL 0/1/0
 operating mode adsl2+
no cdp run
!
track 1 ip sla 1
 delay down 20 up 10
!
track 2 ip sla 2
 delay down 20 up 10
!
ip tcp synwait-time 10
!
class-map type inspect match-all sdm-nat-user-protocol--6-1
 match access-group 103
 match protocol user-protocol--6
class-map type inspect match-all sdm-nat-user-protocol--5-1
 match access-group 103
 match protocol user-protocol--5
class-map type inspect match-all sdm-nat-user-protocol--4-1
 match access-group 102
 match protocol user-protocol--4
class-map type inspect match-all sdm-nat-user-protocol--3-1
 match access-group 102
 match protocol user-protocol--3
class-map type inspect match-all sdm-nat-user-protocol--2-1
 match access-group 101
 match protocol user-protocol--2
class-map type inspect match-all sdm-nat-user-protocol--1-1
 match access-group 101
 match protocol user-protocol--1
class-map type inspect match-any ccp-skinny-inspect
 match protocol skinny
class-map type inspect match-any ccp-h323nxg-inspect
 match protocol h323-nxg
class-map type inspect match-any ccp-cls-icmp-access
 match protocol icmp
 match protocol tcp
 match protocol udp
class-map type inspect match-any ccp-h225ras-inspect
 match protocol h225ras
class-map type inspect match-any ccp-h323annexe-inspect
 match protocol h323-annexe
class-map type inspect match-any ccp-cls-insp-traffic
 match protocol pptp
 match protocol dns
 match protocol ftp
 match protocol https
 match protocol icmp
 match protocol imap
 match protocol pop3
 match protocol netshow
 match protocol shell
 match protocol realmedia
 match protocol rtsp
 match protocol smtp
 match protocol sql-net
 match protocol streamworks
 match protocol tftp
 match protocol vdolive
 match protocol tcp
 match protocol udp
class-map type inspect match-all SDM_GRE
 match access-group name SDM_GRE
class-map type inspect match-any ccp-h323-inspect
 match protocol h323
class-map type inspect match-all ccp-invalid-src
 match access-group 100
class-map type inspect match-any ccp-sip-inspect
 match protocol sip
class-map type inspect match-all ccp-protocol-http
 match protocol http
class-map type inspect match-any CCP_PPTP
 match class-map SDM_GRE
class-map type inspect match-all ccp-insp-traffic
 match class-map ccp-cls-insp-traffic
class-map type inspect match-all ccp-icmp-access
 match class-map ccp-cls-icmp-access
!
policy-map type inspect ccp-inspect
 class type inspect ccp-invalid-src
  drop log
 class type inspect ccp-protocol-http
  inspect
 class type inspect ccp-insp-traffic
  inspect
 class type inspect ccp-sip-inspect
  inspect
 class type inspect ccp-h323-inspect
  inspect
 class type inspect ccp-h323annexe-inspect
  inspect
 class type inspect ccp-h225ras-inspect
  inspect
 class type inspect ccp-h323nxg-inspect
  inspect
 class type inspect ccp-skinny-inspect
  inspect
 class class-default
  drop
policy-map type inspect sdm-pol-NATOutsideToInside-1
 class type inspect sdm-nat-user-protocol--1-1
  inspect
 class type inspect sdm-nat-user-protocol--2-1
  inspect
 class type inspect sdm-nat-user-protocol--3-1
  inspect
 class type inspect sdm-nat-user-protocol--4-1
  inspect
 class type inspect sdm-nat-user-protocol--5-1
  inspect
 class type inspect sdm-nat-user-protocol--6-1
  inspect
 class type inspect CCP_PPTP
  pass
 class class-default
  drop log
policy-map type inspect ccp-permit
 class class-default
  drop
policy-map type inspect ccp-permit-icmpreply
 class type inspect ccp-icmp-access
  inspect
 class class-default
  pass
!
zone security in-zone
zone security out-zone
zone-pair security ccp-zp-self-out source self destination out-zone
 service-policy type inspect ccp-permit-icmpreply
zone-pair security ccp-zp-in-out source in-zone destination out-zone
 service-policy type inspect ccp-inspect
zone-pair security ccp-zp-out-self source out-zone destination self
 service-policy type inspect ccp-permit
zone-pair security sdm-zp-NATOutsideToInside-1 source out-zone destination in-zone
 service-policy type inspect sdm-pol-NATOutsideToInside-1
!
!
!
!
!
!
!
!
!
!
interface Null0
 no ip unreachables
!
interface Embedded-Service-Engine0/0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 shutdown
!
interface GigabitEthernet0/0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 shutdown
 duplex auto
 speed auto
 no mop enabled
!
interface GigabitEthernet0/1
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 shutdown
 duplex auto
 speed auto
 no mop enabled
!
interface ATM0/0/0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 no atm ilmi-keepalive
!
interface ATM0/0/0.1 point-to-point
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 pvc 8/35
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
!
interface Ethernet0/0/0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 shutdown
 no mop enabled
!
interface ATM0/1/0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 no atm ilmi-keepalive
!
interface ATM0/1/0.1 point-to-point
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 pvc 8/35
  encapsulation aal5mux ppp dialer
  dialer pool-member 2
 !
!
interface Ethernet0/1/0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 shutdown
 no mop enabled
!
interface GigabitEthernet0/3/0
 no ip address
!
interface GigabitEthernet0/3/1
 no ip address
!
interface GigabitEthernet0/3/2
 no ip address
!
interface GigabitEthernet0/3/3
 no ip address
!
interface GigabitEthernet0/3/4
 no ip address
!
interface GigabitEthernet0/3/5
 no ip address
!
interface GigabitEthernet0/3/6
 no ip address
!
interface GigabitEthernet0/3/7
 no ip address
!
interface Vlan1
 description $FW_INSIDE$
 ip address 192.168.1.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat inside
 ip virtual-reassembly in
 zone-member security in-zone
!
interface Dialer0
 description $FW_OUTSIDE$
 ip address negotiated
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat outside
 ip virtual-reassembly in
 zone-member security out-zone
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication chap callin
 ppp chap hostname
 ppp chap password 7

interface Dialer1
 description $FW_OUTSIDE$
 ip address negotiated
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat outside
 ip virtual-reassembly in
 zone-member security out-zone
 encapsulation ppp
 dialer pool 2
 dialer-group 2
 ppp authentication chap callin
 ppp chap hostname
 ppp chap password
!
!
!
router eigrp 1
 variance 2
 network 192.168.1.0
!
router ospf 1
 maximum-paths 2
!
router rip
 network 192.168.1.0
!
ip forward-protocol nd
!
ip http server
ip http access-class 1
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source route-map ADSL0 interface Dialer0 overload
ip nat inside source route-map ADSL1 interface Dialer1 overload
ip nat inside source static tcp 192.168.1.35 3391 203.45.106.133 3391 extendable
ip nat inside source static udp 192.168.1.35 3391 203.45.106.133 3391 extendable
ip nat inside source static tcp 192.168.1.5 3392 203.45.106.133 3392 extendable
ip nat inside source static udp 192.168.1.5 3392 203.45.106.133 3392 extendable
ip nat inside source static tcp 192.168.1.10 14000 203.45.106.133 14000 extendable
ip nat inside source static tcp 192.168.1.10 14100 203.45.106.133 14100 extendable
ip route 0.0.0.0 0.0.0.0 Dialer0 track 1
ip route 192.168.1.0 255.255.255.0 Dialer0 track 1
ip route 0.0.0.0 0.0.0.0 Dialer1 10 track 2
ip route 192.168.1.0 255.255.255.0 Dialer1 10 track 2
!
ip access-list extended NAT
 remark Be sure to exclude remote LANs in this ACL
 deny   ip 192.168.1.0 0.0.0.255 192.168.7.0 0.0.0.255
 permit ip 192.168.1.0 0.0.0.255 any
ip access-list extended SDM_GRE
 remark CCP_ACL Category=1
 permit gre any any
!
ip sla 1
 icmp-echo 203.45.253.1 source-interface Dialer0
 threshold 4000
 frequency 5
ip sla schedule 1 life forever start-time now
ip sla 2
 icmp-echo 203.45.253.1 source-interface Dialer1
 threshold 4000
 frequency 5
ip sla schedule 2 life forever start-time now
logging trap debugging
dialer-list 1 protocol ip permit
dialer-list 2 protocol ip permit
!
route-map ADSL0 permit 10
 match ip address NAT
 match interface Dialer0
!
route-map ADSL1 permit 10
 match ip address NAT
 match interface Dialer1
!
!
access-list 1 remark HTTP Access-class list
access-list 1 remark CCP_ACL Category=1
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 1 deny   any
access-list 100 remark CCP_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 101 remark CCP_ACL Category=0
access-list 101 permit ip any host 192.168.1.5
access-list 102 remark CCP_ACL Category=0
access-list 102 permit ip any host 192.168.1.35
access-list 103 remark CCP_ACL Category=0
access-list 103 permit ip any host 192.168.1.10
!
!
!
control-plane
!
!
banner login ^CERS^C
!
line con 0
 login authentication local_authen
 transport output telnet
line aux 0
 login authentication local_authen
 transport output telnet
line 2
 no activation-character
 no exec
 transport preferred none
 transport output lat pad telnet rlogin lapb-ta mop udptn v120 ssh
 stopbits 1
line vty 0 4
 authorization exec local_author
 login authentication local_authen
 transport input telnet ssh
line vty 5 15
 authorization exec local_author
 login authentication local_authen
 transport input telnet ssh
!
scheduler allocate 20000 1000
!
end

 

Highlighted
Cisco Employee

Re: Cisco 1921 Dual ADSL Load Balancing/Failover?

Depends what you want to achieve with this route-map ?

Applying PBR on dialer is only needed to handle Internet traffic through VPN connection.

Thx,

Fabrice

Highlighted
Beginner

Re: Cisco 1921 Dual ADSL Load Balancing/Failover?

Sorry Fabrice I had two parts of your config meshed together. I have corrected it above and the local PBR works

Now that is working I will move onto the next step of using both lines for VPN

Robbie

Highlighted
Beginner

Re: Cisco 1921 Dual ADSL Load Balancing/Failover?

This is where I am at now. LOCAL PBR working as is 1 VPN. I want to now either balance that VPN to the other Dialer or set specific IP's for the other dialer(these might be assigned to he IP range of the main dialers VPN)

The bits im confused on which is stopping me making progress is

SDM_RMAP_4? What is this it was auto generated and denying IP's?

It is also used here ip nat inside source route-map SDM_RMAP_4 interface Dialer2 overload

version 15.0
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname xxxxx

!
boot-start-marker
boot system flash c1900-universalk9-mz.SPA.150-1.M5.bin
boot-end-marker
!
logging buffered 52000
enable secret 5 xxxxxxx

enable password xxxx

!
no aaa new-model
!
!
!
!
no ipv6 cef
ip source-route
ip cef
!
!
!
!
ip name-server 194.74.65.68
ip name-server 194.72.0.114
!
multilink bundle-name authenticated
!
!
crypto pki trustpoint TP-self-signed-2263841940
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2263841940
revocation-check none
rsakeypair TP-self-signed-2263841940
!
!
crypto pki certificate chain TP-self-signed-2263841940
certificate self-signed 01
  3082024F 308201B8 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  29816CC6 F92D9FB0
  6C1C45F6 05A25ED0 9C81C940 43C0B3CC 617F46
   quit
license udi pid CISCO1921/K9 sn FCZ1512905W
!
!
username admin privilege 15 secret 5 xxxx

!
redundancy
!
!
no ip ftp passive
!
!
crypto isakmp policy 9
encr 3des
authentication pre-share
crypto isakmp key xxxx address xxxxxx

crypto isakmp aggressive-mode disable
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA2 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA3 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA4 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA5 esp-3des esp-sha-hmac
crypto ipsec df-bit clear
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel to195.194.75.218
set peer 195.194.75.218
set transform-set ESP-3DES-SHA3
set pfs group2
match address 107
!
crypto map SDM_CMAP_2 1 ipsec-isakmp
description Tunnel to195.194.75.218
set peer 195.194.75.218
set transform-set ESP-3DES-SHA5
set pfs group2
match address 104
!
!
!
!
!
interface GigabitEthernet0/0
description spaldinglan$ETH-LAN$
ip address 10.0.8.1 255.255.248.0

ip policy route-map PBR-LAN
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
!
interface GigabitEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
!
interface ATM0/0/0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
no atm ilmi-keepalive
!
!
interface ATM0/0/0.1 point-to-point
pvc 0/38
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
!
!
interface ATM0/1/0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
no atm ilmi-keepalive
!
!
interface ATM0/1/0.1 point-to-point
description $ES_WAN$$FW_OUTSIDE$
pvc 0/38
  encapsulation aal5mux ppp dialer
  dialer pool-member 2
!
!
interface Dialer0
ip address negotiated
no ip redirects
no ip proxy-arp
ip flow ingress
ip nat outside

ip access-group spalding in
ip access-group spalding out
ip virtual-reassembly
encapsulation ppp
ip tcp adjust-mss 1350
dialer pool 2
dialer-group 2
ppp authentication chap callin
ppp chap hostname xxxx

ppp chap password 0 xxxx

no cdp enable

crypto map SDM_CMAP_1
crypto ipsec df-bit clear
!
!
interface Dialer2
mtu 1452
ip address negotiated
ip access-group spalding in
ip access-group spalding out
no ip proxy-arp
ip flow ingress
ip nat outside
ip virtual-reassembly
encapsulation ppp
ip tcp adjust-mss 1350
dialer pool 1
dialer-group 1
ppp authentication chap callin
ppp chap hostname xxxxx

ppp chap password 0 xxxx

no cdp enable
crypto map SDM_CMAP_1
crypto ipsec df-bit clear
!
!
ip local policy route-map LOCAL-PBR
ip forward-protocol nd
!
no ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source route-map SDM_RMAP_4 interface Dialer2 overload
ip route 1.1.1.1 255.255.255.255 Dialer2 track 1
ip route 1.1.1.1 255.255.255.255 Dialer0 track 2
ip route 0.0.0.0 0.0.0.0 Dialer2
!
ip access-list extended DIALER-0-ADD
permit ip host dialerip any
ip access-list extended DIALER-2-ADD
permit ip host dialerip any
ip access-list extended STATIC-NAT-ISP1
permit ip 10.0.8.0 0.0.7.255 any
ip access-list extended STATIC-NAT-ISP2
permit ip 10.0.8.0 0.0.7.255 any
ip access-list extended nat3
remark SDM_ACL Category=2
permit ip 10.0.0.0 0.0.0.255 any
ip access-list extended rule2
remark SDM_ACL Category=2
permit ip 10.0.0.0 0.0.0.255 any
ip access-list extended spalding
remark CCP_ACL Category=1
remark IPSec Rule
permit ip 192.168.100.0 0.0.0.255 10.0.8.0 0.0.7.255
remark IPSec Rule
permit ip host 172.16.222.30 10.0.8.0 0.0.7.255
remark IPSec Rule
permit ip 194.x.x.0 0.0.0.255 10.0.8.0 0.0.7.255
remark IPSec Rule
permit ip 194.x.x.0 0.0.0.255 10.0.8.0 0.0.7.255
remark IPSec Rule
permit ip 10.0.8.0 0.0.7.255 10.0.0.0 0.0.7.255
remark IPSec Rule
permit ip 10.0.0.0 0.0.7.255 10.0.8.0 0.0.7.255
remark IPSec Rule
permit ip 10.0.8.0 0.0.7.255 194.0.0.0 0.255.255.255
remark IPSec Rule
permit ip 10.0.8.0 0.0.7.255 172.16.0.0 0.0.255.255
remark IPSec Rule
permit ip 172.16.0.0 0.0.255.255 10.0.8.0 0.0.7.255
permit udp host xxxxxx any eq non500-isakmp
permit udp host xxxxxx any eq isakmp
permit esp host xxxxxx any
permit ahp host xxxxxx any
permit ip any any
!
access-list 1 remark INSIDE_IF=GigabitEthernet0/0
access-list 1 remark CCP_ACL Category=16
access-list 1 permit 10.0.0.0 0.0.0.255
access-list 1 permit 172.16.0.0 0.0.0.255
access-list 1 permit 10.0.0.0 0.254.255.255
access-list 104 remark CCP_ACL Category=4
access-list 104 remark IPSec Rule
access-list 104 permit ip 10.0.8.0 0.0.7.255 host 172.16.222.30
access-list 107 remark CCP_ACL Category=4
access-list 107 remark IPSec Rule
access-list 107 permit ip 10.0.8.0 0.0.7.255 172.16.0.0 0.0.255.255
access-list 107 remark IPSec Rule
access-list 107 permit ip 10.0.8.0 0.0.7.255 xx.xx.59.0 0.0.0.255
access-list 107 remark IPSec Rule
access-list 107 permit ip 10.0.8.0 0.0.7.255 xx.xx.58.0 0.0.0.255
access-list 107 remark IPSec Rule
access-list 107 permit ip 10.0.8.0 0.0.7.255 xx.xx.100.0 0.0.0.255
access-list 107 remark IPSec Rule
access-list 107 permit ip 10.0.8.0 0.0.7.255 10.0.0.0 0.0.7.255
access-list 108 remark CCP_ACL Category=2
access-list 108 remark IPSec Rule
access-list 108 deny   ip 10.0.8.0 0.0.7.255 192.168.100.0 0.0.0.255
access-list 108 remark IPSec Rule
access-list 108 deny   ip 10.0.8.0 0.0.7.255 10.0.0.0 0.0.7.255
access-list 108 remark IPSec Rule
access-list 108 deny   ip 10.0.8.0 0.0.7.255 xx.xx.58.0 0.0.0.255
access-list 108 remark IPSec Rule
access-list 108 deny   ip 10.0.8.0 0.0.7.255 xx.xx.59.0 0.0.0.255
access-list 108 remark IPSec Rule
access-list 108 deny   ip 10.0.8.0 0.0.7.255 172.16.0.0 0.0.255.255
access-list 108 permit ip 10.0.0.0 0.254.255.255 any
access-list 108 permit ip 172.16.0.0 0.0.0.255 any
access-list 108 permit ip 10.0.0.0 0.0.0.255 any
dialer-list 1 protocol ip permit
dialer-list 2 protocol ip permit
!
!
!
!
route-map LOCAL-PBR permit 10
match ip address DIALER-0-ADD
set interface Dialer0
!
route-map LOCAL-PBR permit 20
match ip address DIALER2-ADD
set interface Dialer2
!

route-map PBR-LAN permit 10
match ip address 107
set ip next-hop recursive 1.1.1.1
!
route-map SDM_RMAP_4 permit 1
match ip address 108
!
!
control-plane
!
!
!
line con 0
line aux 0
line vty 0 4
privilege level 15
login local
transport input telnet ssh
line vty 5 15
privilege level 15
login local
transport input telnet ssh
!
scheduler allocate 20000 1000
end

Highlighted
Beginner

Re: Cisco 1921 Dual ADSL Load Balancing/Failover?

I have read that the IPSEC VPN I am using doesn't support load balancing and that I need to use GRE over IPSEC

http://www.dslreports.com/faq/10380

If I find out more i'll post here but if anyone can help me quicker this would be appreciated. The peer device is a watchguard firebox and not a cisco router

Robbie

Highlighted
Cisco Employee

Re: Cisco 1921 Dual ADSL Load Balancing/Failover?

There is indeed no way to use both DSL connections simultaneously for VPN traffic, no matter the tunnel type.

You can only use the 2 DSLs in failover scenario (2nd DSL only used when primary stops working).

Hope this helps,


Fabrice

Highlighted
Beginner

Cisco 1921 Dual ADSL Load Balancing/Failover?

     No need to listen to the naysayers, I have actually acheived this exact setup on a Cisco 2801 with dual HWIC-1ADSL cards, and the performance is outstanding, (so far). You just have to use route-maps with tracking (I tried CEF with load-sharing and it didn't work so well). I used this page for resources:

http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_configuration_example09186a00809454c7.shtml