
Dual ISP connection and load balancing

Piotr Pawlowski
Level 1

Dear all,

I have Cisco 2911k9/sec router with 3 gbit ports. I also have two different ISP connections, both have different bandwidth available (one is asymmetric, other one symmetric).

What I would like to achieve is to provide nice load balance between both ISP for all PCs behind the NAT.

What I know so far is that I can use CEF or PfR/OER. For both of these technologies I have some doubts.

CEF: distributes network load between both connections based on sessions (which is good, because I strongly use tools like Skype or Lync for voice/video chats). However, what happens when I reach max bandwidth on one of the ISP connections? Is it going to choke for 50% of connections? Or is it going to detect utilization of the bandwidth and force using the second ISP?

PfR/OER: as far as I understood, it solves my concern regarding connection utilization, but what happens to the session? Is it also based on this mechanism? As you probably know, this is very important for voice/video connections.

Are there other tools which can provide such load balancing? I know PBR, but I do not want to decide manually, where every service (i.e. http or ssh) will have to go. I am looking for something more automatic.

Thank you in advance for any help.

Piotr



smailag00
Level 1

Hi,

I already posted this topic:

https://supportforums.cisco.com/thread/2184033

Actually it's working fine; I just added these commands to the config:

track 1 interface Dialer0 ip routing

delay up 30

!

track 2 interface Dialer1 ip routing

delay up 30

!

track 3 interface Dialer2 ip routing

delay up 30

!

track 4 interface GigabitEthernet0/1 ip routing

delay up 30

ip route 0.0.0.0 0.0.0.0 Dialer0 track 1

ip route 0.0.0.0 0.0.0.0 Dialer1 track 2

ip route 0.0.0.0 0.0.0.0 Dialer2 track 3

ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/1 172.20.1.1 track 4

Abzal
Level 7

Hi,

If your router is connected to both ISPs then I believe load balancing already is running because of CEF. You could verify it:

sh ip cef 0.0.0.0/0

1. If you have critical voice/video applications, you could use one of the connections for such applications and the second link for all other traffic.

2. Or you could configure QoS for voice/video traffic to reserve some bandwidth.

3. And you need to monitor both of your connections with IP SLA and track them in case of failure, like the above example.

As you see you have some options here.

Hope it will help.

Best regards,
Abzal


Piotr Pawlowski
Level 1

Dear all,

Some time ago I applied an IP SLA configuration in order to make two ISPs work together. However, several days ago I had the possibility to connect the second ISP to the router. And here the story begins.

Of course, because of enabled CEF (that's how I think), the network is load balanced between the two ISPs. However, I now face the following issues:

  • IP address from first ISP is not pingable
  • because of above fact, VPN site-to-site, configured in interface from first ISP, stopped working
  • ip nat inside source static tcp entries for first ISP IP address also are not working

Additionally, I figured out that some PCs/servers inside my LAN need to go out only via the first ISP connection (I think that is also why port forwarding is not working correctly). Adding static routes doesn't work for me (or I am doing it wrong).

Below is the configuration of my router (unimportant entries have been omitted):

! Last configuration change at 12:06:26 UTC Mon Apr 8 2013
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
ip cef
!
multilink bundle-name authenticated
!
track 1 ip sla 1 reachability
!
track 2 ip sla 2 reachability
!
class-map match-all skype
 match protocol skype
!
policy-map skype-policy
 class skype
  set dscp ef
!
interface GigabitEthernet0/0
 description LAN
 ip address 10.0.0.1 255.255.254.0
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 description TASK
 ip address 213.192.65.106 255.255.255.252
 ip access-group 101 in
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
 crypto map GLIWICE-MAP
 service-policy input skype-policy
 service-policy output skype-policy
!
interface GigabitEthernet0/2
 description "Wit-NET"
 mac-address 0030.4f61.5521
 ip address 193.107.215.133 255.255.255.224
 ip access-group 101 in
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
ip default-gateway 213.192.65.105
ip forward-protocol nd
ip nat inside source route-map nat_isp1 interface GigabitEthernet0/1 overload
ip nat inside source route-map nat_isp2 interface GigabitEthernet0/2 overload
ip nat inside source static tcp 10.0.0.24 777 193.107.215.133 777 extendable
ip nat inside source static tcp 10.0.0.2 1723 193.107.215.133 1723 extendable
ip nat inside source static tcp 10.0.0.24 777 213.192.36.106 777 extendable
!---more static routes has been omitted---
ip default-network 213.192.65.105
ip route 0.0.0.0 0.0.0.0 213.192.65.105 track 1
ip route 0.0.0.0 0.0.0.0 193.107.215.129 track 2
ip sla 1
 icmp-echo 213.192.65.105 source-interface GigabitEthernet0/1
 threshold 2
 timeout 1000
 frequency 5
ip sla schedule 1 life forever start-time now
ip sla 2
 icmp-echo 193.107.215.129 source-interface GigabitEthernet0/2
 threshold 2
 timeout 1000
 frequency 5
ip sla schedule 2 life forever start-time now
!
access-list 110 deny   ip 10.0.0.0 0.0.1.255 10.0.100.0 0.0.0.255
access-list 110 permit ip 10.0.0.0 0.0.1.255 any
access-list 190 permit ip 10.0.0.0 0.0.1.255 10.0.100.0 0.0.0.255
route-map TASK permit 10
 match ip address 110
 match interface GigabitEthernet0/1
!
route-map track_isp permit 10
 match ip address 101
 match interface GigabitEthernet0/1
 set ip next-hop 213.192.65.105
!
route-map track_isp permit 20
 match ip address 102
 match interface GigabitEthernet0/2
 set ip next-hop 193.107.215.129
!
route-map nat_isp2 permit 10
 match ip address 110
 match interface GigabitEthernet0/2
!
route-map nat_isp1 permit 10
 match ip address 110
 match interface GigabitEthernet0/1
!

I will appreciate any kind of tip or help, because for now this is my huge brick wall...

Regards

Piotr

Hi,

>Additionally, I figured out, that some PCs/servers inside my LAN, needs to go out only via first ISP connection (I think that is also why port forwarding is not working correctly).

This might be a reason for the issue below.

>IP address from first ISP is not pingable

For servers that need to be accessed only from one ISP you need to configure PBR (policy-based routing). Match those servers' IP addresses with an ACL and route them over the first ISP. Second, leave the static NAT entry for those servers only for the first ISP.

>because of above fact, VPN site-to-site, configured in interface from first ISP, stopped working

Extra configuration info (VPN configuration) is needed to understand the cause of the issue.

>ip nat inside source static tcp entries for first ISP IP address also are not working

Config looks correct; try the above solution.

Hope it will help.

Best regards,
Abzal


@Abzal

As far as I know, PBR is responsible for routing from inside to outside. How would applying PBR cause the IP from ISP1 to be pingable again?

I made a traceroute from the router to some external IP and I figured out that it always goes via ISP2. The funniest thing is that the routing table looks like this:

Gateway of last resort is 213.192.65.105 to network 0.0.0.0

S*    0.0.0.0/0 [1/0] via 213.192.65.105
                [1/0] via 193.107.215.129
      10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        10.0.0.0/23 is directly connected, GigabitEthernet0/0
L        10.0.0.1/32 is directly connected, GigabitEthernet0/0
      193.107.215.0/24 is variably subnetted, 2 subnets, 2 masks
C        193.107.215.128/27 is directly connected, GigabitEthernet0/2
L        193.107.215.133/32 is directly connected, GigabitEthernet0/2
      213.192.65.0/24 is variably subnetted, 3 subnets, 3 masks
S        213.192.65.0/24 [1/0] via 213.192.65.105
C        213.192.65.104/30 is directly connected, GigabitEthernet0/1
L        213.192.65.106/32 is directly connected, GigabitEthernet0/1

I think that it explains why even the ssh service is available only on the ISP2 IP address.

Sorry for asking a lot of questions, but for now I am working on a 'production' router, so if I make some mistake, I will have a lot of people on my head.

Hi,

I suppose you have a static route to subnet 213.192.65.0/24 from the above output, and in combination with the command

ip default-network 213.192.65.105

IP address 213.192.65.105 is installed as default gateway. And is this of ISP #2?

If so, it explains why it always goes only over ISP2.

http://www.cisco.com/en/US/tech/tk365/technologies_tech_note09186a0080094374.shtml#flagging

Just remove from config:

no ip default-network 213.192.65.105

no ip default-gateway 213.192.65.105

Then verify routing table again:

sh ip route

Hope it will help.

Best regards,
Abzal
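
A check for the leftover statements the answer above removes, as an added example that is not part of the original thread: a small Python audit that flags `ip default-network` / `ip default-gateway` lines sitting beside static default routes and confirms that each tracked default route is tied to an IP SLA probe of its own next hop. The function name and the sample config (constructed from lines posted in this thread) are assumptions.

```python
import re

# Constructed sample: default-route lines from the configuration posted in this
# thread, laid out one command per line.
SAMPLE_CONFIG = """\
track 1 ip sla 1 reachability
track 2 ip sla 2 reachability
ip default-gateway 213.192.65.105
ip default-network 213.192.65.105
ip route 0.0.0.0 0.0.0.0 213.192.65.105 track 1
ip route 0.0.0.0 0.0.0.0 193.107.215.129 track 2
ip sla 1
 icmp-echo 213.192.65.105 source-interface GigabitEthernet0/1
ip sla 2
 icmp-echo 193.107.215.129 source-interface GigabitEthernet0/2
"""

# Static default route with an IP next hop (optional exit interface, optional track).
DEFAULT_ROUTE = re.compile(
    r"^ip route 0\.0\.0\.0 0\.0\.0\.0 (?:\S+ )?(\d+\.\d+\.\d+\.\d+)(?: track (\d+))?")
TRACK = re.compile(r"^track (\d+) ip sla (\d+) reachability")
LEGACY = re.compile(r"^ip default-(?:network|gateway) \S+")
SLA = re.compile(r"^ip sla (\d+)$")
ECHO = re.compile(r"^\s+icmp-echo (\S+)")

def audit_default_routes(config):
    """Hypothetical helper: list findings about default-route handling."""
    routes, tracks, probes, legacy, sla = [], {}, {}, [], None
    for line in (raw.rstrip() for raw in config.splitlines()):
        if m := DEFAULT_ROUTE.match(line):
            routes.append((m.group(1), m.group(2)))
        elif m := TRACK.match(line):
            tracks[m.group(1)] = m.group(2)      # track id -> sla id
        elif LEGACY.match(line):
            legacy.append(line)
        elif m := SLA.match(line):
            sla = m.group(1)
        elif (m := ECHO.match(line)) and sla:
            probes[sla] = m.group(1)             # sla id -> probed address
    findings = []
    if routes:  # the fix in this thread: drop these when static defaults exist
        findings += [f"legacy statement '{l}' beside {len(routes)} static default route(s)"
                     for l in legacy]
    for hop, track in routes:
        if track is None:
            findings.append(f"default route via {hop} has no track object")
        elif probes.get(tracks.get(track)) != hop:
            findings.append(f"track {track} does not probe next hop {hop}")
    return findings
```

Run against the sample, it reports the two legacy statements and nothing else; default routes that use only an exit interface (no IP next hop) are outside what this check parses.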

Yeah, two problems solved. Now both ISP addresses are pingable. At the same time, the site-to-site VPN established its connection to the branch. Thank you so much, Abzal.

The remaining thing is to force using only one ISP for servers and some PCs. I will try to use PBR for this purpose and let you know if it works as I expected.

Hi,

I'm glad that it helped you.

Hope it will help.

Best regards,
Abzal


Hi,

I am also facing the same problem of dual ISP load balancing.
Will you please help with it?

Abzal:

I have the same problem. I need to configure my router to load balance and fail over using two different ISPs and two different blocks of public IP addresses for my e-mail and web servers.

Would it be possible for you to help me?

If so, can you give me your email so I can send you my current configuration?

Thanks, Jorge.

Hi Afzal,

I also have the same problem. Will you please share your e-mail?

Hello,

 

You might just be able to accomplish this with policy-based routing. Post your configuration and indicate which source IP addresses you want to go where...
