waqas hameed
Beginner

I have configured NAT load balancing with IP SLA, and it is not working. Below is my configuration:

[attached image: load balancing.JPG]

RTR#sh run
Building configuration...

Current configuration : 1722 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname RTR
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
!
!
ip cef
!
!
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
ip sla monitor 1
type echo protocol ipIcmpEcho 192.168.1.1 source-ipaddr 192.168.1.111
timeout 1000
threshold 10
frequency 1
ip sla monitor schedule 1 life forever start-time now
ip sla monitor 2
type echo protocol ipIcmpEcho 10.2.2.2 source-ipaddr 192.168.1.111
timeout 1000
threshold 10
frequency 1
ip sla monitor schedule 2 life forever start-time now
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface Loopback1
description INSIDE NETWORK
ip address 172.16.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface FastEthernet0/0
description CONNECTED TO INTERNET1
ip address 192.168.1.111 255.255.255.0
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet1/0
description CONNECTED TO INTERNET2
ip address 10.2.2.111 255.255.255.0
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
ip http server
no ip http secure-server
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 192.168.1.1 track 1
!
ip nat inside source route-map LDN_EXIT interface FastEthernet1/0 overload
ip nat inside source route-map PTCL_EXIT interface FastEthernet0/0 overload
!
access-list 110 permit ip 172.16.1.0 0.0.0.255 any
!
route-map LDN_EXIT permit 10
match ip address 110
match interface FastEthernet1/0
!
route-map PTCL_EXIT permit 10
match ip address 110
match interface FastEthernet0/0
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
!
!
end

5 Replies
cadet alain
Advisor

Hi,

Could you try not to post duplicates, please? Otherwise it will be difficult to follow the evolution of the thread.

Concerning your problem:

You must add a second default route with a higher AD (as it is the secondary route, I suppose), tracking SLA 2.

In the SLA I would configure a frequency higher than the timeout, and for testing I would get rid of the threshold so that one missing ping will trigger the SLA. I would also source the probe from the Loopback or from the connected network corresponding to the interface; otherwise SLA 2 will never work as you configured it.

Regards.

Alain.

Don't forget to rate helpful posts.

I have done the following changes. He is my office colleague, by the way. Is the below config OK? I don't want to accomplish redundancy; I want to configure IOS NAT load balancing.

After doing these changes things are working fine and I can see multiple interface IPs in sh ip nat trans. The problem is that I am getting ping breaks when sending ICMP from an inside host to the outside. There is also packet loss, and websites are responding slowly.

RTR(config-if)#do sh run
Building configuration...

Current configuration : 1791 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname RTR
!
boot-start-marker
boot-end-marker
!
enable password cisco
!
no aaa new-model
memory-size iomem 15
!
!
ip cef
no ip domain lookup
!
!
ip sla monitor 1
type echo protocol ipIcmpEcho 192.168.1.1 source-ipaddr 192.168.1.111
timeout 1000
frequency 1
ip sla monitor schedule 1 life forever start-time now
ip sla monitor 2
type echo protocol ipIcmpEcho 10.2.2.1 source-ipaddr 10.2.2.111
timeout 1000
frequency 1
ip sla monitor schedule 2 life forever start-time now
!
!
!
!
!
!
!
!
!
!
!
!
!
!        
!
!
!
!
!
!
!
interface FastEthernet0/0
description INTERNET1
ip address 10.2.2.111 255.255.255.0
ip load-sharing per-packet
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet1/0
description INTERNET2
ip address 192.168.1.111 255.255.255.0
ip load-sharing per-packet
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet2/0
description INSIDE NETWORK
ip address 172.16.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 192.168.1.1
ip route 0.0.0.0 0.0.0.0 10.2.2.1
!
!
ip nat inside source route-map LDN_EXIT interface FastEthernet1/0 overload
ip nat inside source route-map PTCL_EXIT interface FastEthernet0/0 overload
!
access-list 110 permit ip 172.16.1.0 0.0.0.255 any
!
route-map LDN_EXIT permit 10
match ip address 110
match interface FastEthernet1/0
!
route-map PTCL_EXIT permit 10
match ip address 110
match interface FastEthernet0/0
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
exec-timeout 0 0
logging synchronous
line aux 0
line vty 0 4
login
!
!
end

Hi,

So you want traffic going through each link? Why implement IP SLA with route tracking then?

With the 2 static routes you entered, as they have the same AD, IOS will only install the latest one in the routing table.

You can verify with the output of sh ip route static

Edit: sorry, they are 2 different static routes, so forget about my stupidity.

Your config should work but the ip sla becomes unnecessary then.

Regards.

Alain.

This message was edited by: cadet alain

Don't forget to rate helpful posts.

It's been a while since you replied to this thread, Alain. I would think that the IP SLA is needed here for automatic failover if one of the routes goes down, since there can only be one static default route facing the cloud. Are you saying that if the primary route goes down we won't need IP SLA because NAT would understand that one of the static default routes is down, and all traffic in the NAT ACL would then go via the link that is up?

Thanks.

Hi,

First, in the latest config that was posted the IP SLA config was not tied to anything, so all it was doing was pinging 2 IP addresses from 2 different sources. Furthermore, the frequency was equal to the timeout, so I'm not sure the result would represent the reachability of these IPs.

Second, there are 2 static defaults configured with the same AD, so both will get installed in the RIB and there will be load balancing.

Third, the load balancing for CEF-switched packets will be per packet due to the ip load-sharing per-packet interface command, so this is the cause of all the problems encountered.

Of course, if the line-protocol status of the link does not come down when there is a problem on the other end of the link, then it would be best to use IP SLA, because otherwise both routes will still be used for load balancing and packets going through the bad link will get blackholed. It will be worse here because there is per-packet load balancing, so most applications will fail.

Regards.

Alain

Don't forget to rate helpful posts.
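The following is an added example configuration, written for this page and not posted by anyone in the thread, that puts together the points from Alain's first and last replies: each probe sourced from the interface facing its own next hop, a frequency longer than the timeout, both default routes kept at the same AD so both stay in the RIB, each route tied to a track object so it is withdrawn when its probe fails, and per-destination (default) load sharing instead of per-packet. It assumes the addressing of the second posted config, that 10.2.2.1 and 192.168.1.1 are the upstream gateways, and IOS 12.4 mainline syntax (`ip sla monitor` with `track ... rtr`); on 12.4(20)T and later the equivalent is `ip sla` and `track ... ip sla ... reachability`. Note that the first posted config referenced `track 1` on its default route without ever defining a `track 1` object, so that route would never have been installed conditionally. The posted configs also leave `ip http server` enabled and use a cleartext `enable password`; the example disables the HTTP server and uses `enable secret` instead.

```cisco
! Added example (not from the thread). Assumes IOS 12.4 mainline syntax,
! the addressing of the second posted config, and that 10.2.2.1 and
! 192.168.1.1 are the upstream next hops.
!
service password-encryption
enable secret 5 <hash-of-your-choice>
no ip http server
no ip http secure-server
!
! Probe each next hop from the address on the interface that faces it.
! frequency is in seconds, timeout in milliseconds: 3 s > 1000 ms, so a
! probe finishes (or times out) before the next one starts.
ip sla monitor 1
 type echo protocol ipIcmpEcho 10.2.2.1 source-ipaddr 10.2.2.111
 timeout 1000
 frequency 3
ip sla monitor schedule 1 life forever start-time now
ip sla monitor 2
 type echo protocol ipIcmpEcho 192.168.1.1 source-ipaddr 192.168.1.111
 timeout 1000
 frequency 3
ip sla monitor schedule 2 life forever start-time now
!
! Track objects that the static routes reference. The delay dampens
! flapping: down after 10 s of failed probes, up after 30 s of success.
track 1 rtr 1 reachability
 delay down 10 up 30
track 2 rtr 2 reachability
 delay down 10 up 30
!
interface FastEthernet0/0
 description INTERNET1
 ip address 10.2.2.111 255.255.255.0
 ip load-sharing per-destination
 ip nat outside
 ip virtual-reassembly
!
interface FastEthernet1/0
 description INTERNET2
 ip address 192.168.1.111 255.255.255.0
 ip load-sharing per-destination
 ip nat outside
 ip virtual-reassembly
!
interface FastEthernet2/0
 description INSIDE NETWORK
 ip address 172.16.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
! Same AD on both: both are installed and CEF shares flows across them.
! Each is removed from the RIB when its track object goes down.
ip route 0.0.0.0 0.0.0.0 10.2.2.1 track 1
ip route 0.0.0.0 0.0.0.0 192.168.1.1 track 2
!
! NAT as in the thread: the route-map matches the egress interface CEF
! picked, so each flow is translated to the address of the link it leaves on.
ip nat inside source route-map PTCL_EXIT interface FastEthernet0/0 overload
ip nat inside source route-map LDN_EXIT interface FastEthernet1/0 overload
!
access-list 110 permit ip 172.16.1.0 0.0.0.255 any
!
route-map PTCL_EXIT permit 10
 match ip address 110
 match interface FastEthernet0/0
!
route-map LDN_EXIT permit 10
 match ip address 110
 match interface FastEthernet1/0
```

Verify with `show track`, `show ip sla monitor statistics`, `show ip route static` (both defaults should be present while both tracks are up) and `show ip nat translations` (outside addresses from both links). Two caveats a practitioner should keep in mind: pinging only the directly connected gateway detects a dead first hop but not a failure further upstream, so a probe target beyond the gateway, reached through a host route pinned to that link, gives a more honest reachability signal; and when a track goes down, NAT translations already bound to the failed interface's address are not rebuilt, so those flows keep a source address that no longer matches their new egress link until the entries time out or are cleared.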