Thanks for responding Georg.  Internal - EIGRP and static to the Firewall /Internet.

Hello,

if you have only one Internet link, you can use policy based routing on the Internet facing interface. What firewall do you have ?

Palo Alto

This is how static routes would work. Let's say the nexr hop IP address for the 75% link is 1.1.1.1, and for the 25% link is 2.2.2.2.

You would create four static host routes using dummy IP addresses:

ip route 10.10.10.1 255.255.255.255 1.1.1.1

ip route 10.10.10.2 255.255.255.255 1.1.1.1

Ip route 10.10.10.3 255.255.255.255 1.1.1.1

Ip route 10.10.10.4 255.255.255.255 2.2.2.2

Then configure four static default routes with the dummy addresses as the next hop. This results im 75/25 load balancing,:

ip route 0.0.0.0 0.0.0.0 10.10.10.1

Ip route 0.0.0.0 0.0.0.0 10.10.10.2

ip route 0.0.0.0 0.0.0.0 10.10.10.3

ip route 0.0.0.0 0.0.0.0 10.10.10.4

I kind of thought QoS (hard gulp) was gonna be the way.  I wanted to specify a guarantee for the backup traffic because historically, when mixed in with normal prod traffic, backup jobs failed due to lack of bw.

I need to know now where to apply being that I have a mixture of vendors in my Internet Services block.  I have a Palo alto leveraging FW and internet filtering.  Also an external Cisco L2 switch and an IS router on deck for future use.  My assumption is that this will land on my firewall - .  Thanks for suggestion Joseph

Several of the suggestions seem to be based on an assumption that you will have 2 links to the Internet. If that is the case then either the multiple static routes or PBR to steer backup traffic to the other link would work. But my reading of the original post suggests that there will continue to be a single link to the Internet and that the two lanes is virtual.

If there is to be a single link to Internet then I agree that QOS is the better solution. You would want to implement QOS on a single device which passes both the backup traffic and the other Internet traffic and I assume that probably would be your firewall.

Yes, Richard I will be utilizing a single connection to the provider.  

"I kind of thought QoS (hard gulp) was gonna be the way."

"hard gulp", laugh, QoS really isn't that difficult, although reading some "how to" QoS documentation does make it seem that way.

". . . backup jobs failed due to lack of bw."

Interesting!  Do you know what protocol(s) your backup traffic uses?  Generally, applications only fail for lack of bw when they are pretty much deprived of any or are, shall we say, not well designed to run across a network (sharing bw).

Hmm, QoS, possibly on a FW (hard gulp).  Don't have much experience there (like none, specifically QoS on a FW).  Generally, there are devices inline of traffic flow, before and/or after, FW.  Depending on FW QoS capabilities, it might even be better, if possible, to add another device.

BTW, possibly a cause of your backup failing, for lack of bw, might be because you mention having 4 Gbps, but is this on, for example, a 10g interface?  If so, then you might have "burst" 10G going to your provider, who, for the overrun, drops some traffic on an "unknown" basis.  I have seen network applications "die" not so much for lack of bw, but because, during some time period, too much of their traffic is fully lost (rather than delayed).

If you do have 4 Gbps on a 10 Gbps interface, normally you first want to "shape" for your allowed rate, and then, if that congests, you determine how to "meter" out your traffic.

On a Cisco router, something like the following would "shape" for 4 Gbps, and split your traffic 3:1, yet allow either class to use otherwise unused bw.

E.g.:

class-map match-any BackupTraffic
match . . . !various ways to match traffic, including using ACLs

policy-map CIR
class class-default
shape average 4000000000
service-policy Regulate

policy-map Regulate
class BackupTraffic
bandwidth percent 25 !adjust percentage, as needed (for backup, recommend going as low as possible)
fair-queue !optional
class class-default
bandwidth remaining percent 100
fair-queue !optional

As mentioned in my prior post, dealing with ingress traffic is much, much more difficult, but there are a few tricks that can be used.

Joseph,

This has yet to be implemented (scheduled for EOM).  Not entirely sure what protocol was being used.  Also, when we last performed this, we were using a smaller pipe  <1Gbps. I am having our Sys Admin get some more data for me now. 

Nevertheless, I may be just a tad bit paranoid about this.  Upping our pipe to 4Gbps may be sufficient enough to not have the same problems.  I want to be prepared just in case we run into an issue.

Thanks for your wealth of information.  It's very much appreciated

DeeReal_99 

". . . we were using a smaller pipe <1Gbps."

Well, again, if your were contracted for less bandwidth than the interface permits, it can be easy to "flood" over your contracted limit and have your provider drop traffic.  Also, again, if enough of that happens, some applications just give up.

If you do try QoS, it's best correlated to the end-to-end bottleneck, either the physical interface or a limit further downstream.