11-22-2012 02:32 PM - edited 03-04-2019 06:13 PM
I have a Cisco 2901 router (ipbasek9) with 3 ADSL interfaces. I tried to do load balancing and bonding of the 3 ADSL lines without success.
This is my current configuration:
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
!
logging buffered 51200 warnings
!
no aaa new-model
!
no ipv6 cef
ipv6 spd queue min-threshold 62
ipv6 spd queue max-threshold 63
ip source-route
ip cef
!
!
!
ip dhcp excluded-address 172.20.1.1
!
ip dhcp pool client
import all
network 172.20.0.0 255.255.0.0
dns-server 212.217.0.1 212.217.1.1
default-router 172.20.1.1
!
!
ip domain name yourdomain.com
ip name-server 212.217.0.1
ip name-server 212.217.1.1
multilink bundle-name authenticated
!
!
crypto pki token default removal timeout 0
!
crypto pki trustpoint TP-self-signed-1607540217
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1607540217
revocation-check none
rsakeypair TP-self-signed-1607540217
!
!
crypto pki certificate chain TP-self-signed-1607540217
certificate self-signed 01
!..............................!
quit
license udi pid CISCO2901/K9 sn *******
!
!
username ***** privilege 15 password 0 *****
!
!
!
!
!
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-GE 0/0$
ip address 172.20.1.1 255.255.0.0
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
!
interface GigabitEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
interface ATM0/0/0
no ip address
ip load-sharing per-packet
no atm ilmi-keepalive
!
interface ATM0/0/0.1 point-to-point
pvc 8/35
pppoe-client dial-pool-number 1
!
!
interface ATM0/1/0
no ip address
ip load-sharing per-packet
no atm ilmi-keepalive
!
interface ATM0/1/0.1 point-to-point
pvc 8/35
pppoe-client dial-pool-number 2
!
!
interface ATM0/2/0
no ip address
ip load-sharing per-packet
no atm ilmi-keepalive
!
interface ATM0/2/0.1 point-to-point
pvc 8/35
pppoe-client dial-pool-number 3
!
!
interface ATM0/3/0
no ip address
shutdown
no atm ilmi-keepalive
!
interface Dialer0
ip address negotiated
ip mtu 1452
ip nat outside
ip virtual-reassembly in
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication chap pap callin
ppp chap hostname *****
ppp chap password 0 ******
ppp pap sent-username ***** password 0 *****
!
interface Dialer1
ip address negotiated
ip mtu 1452
ip nat outside
ip virtual-reassembly in
encapsulation ppp
dialer pool 2
dialer-group 2
ppp authentication chap pap callin
ppp chap hostname *****
ppp chap password 0 *****
ppp pap sent-username ***** password 0 *****
!
interface Dialer2
ip address negotiated
ip mtu 1452
ip nat outside
ip virtual-reassembly in
encapsulation ppp
dialer pool 3
dialer-group 3
ppp authentication chap pap callin
ppp chap hostname *****
ppp chap password 0 *****
ppp pap sent-username ***** password 0 *****
!
ip forward-protocol nd
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source list 1 interface Dialer0 overload
ip nat inside source list ADSL2 interface Dialer2 overload
ip nat inside source list adsl2 interface Dialer1 overload
ip route 0.0.0.0 0.0.0.0 Dialer0
ip route 0.0.0.0 0.0.0.0 Dialer1
ip route 0.0.0.0 0.0.0.0 Dialer2
!
ip access-list standard ADSL2
remark CCP_ACL Category=2
permit 172.20.0.0 0.0.255.255
ip access-list standard adsl2
remark CCP_ACL Category=2
permit 172.20.0.0 0.0.255.255
!
access-list 1 remark INSIDE_IF=GigabitEthernet0/0
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 172.20.0.0 0.0.255.255
dialer-list 1 protocol ip permit
dialer-list 2 protocol ip permit
dialer-list 3 protocol ip permit
!
!
!
control-plane
!
Thanks.
11-22-2012 10:49 PM
Hi,
To achieve per-flow load-sharing, do this:
no ip access-list standard ADSL2
no ip access-list standard adsl2
route-map DIAL0 permit 10
match ip address 1
match interface Dialer0
route-map DIAL1 permit 10
match ip address 1
match interface Dialer1
route-map DIAL2 permit 10
match ip address 1
match interface Dialer2
no ip nat inside source list 1 interface Dialer0 overload
no ip nat inside source list ADSL2 interface Dialer2 overload
no ip nat inside source list adsl2 interface Dialer1 overload
ip nat inside source route-map DIAL0 interface Dialer0 overload
ip nat inside source route-map DIAL2 interface Dialer2 overload
ip nat inside source route-map DIAL1 interface Dialer1 overload
Regards.
Alain
Don't forget to rate helpful posts.
11-23-2012 01:33 PM
Thank you very much, this solution works fine.
I tested with 'show ip nat translation' and 'show ip cef', and I found that the three lines work.
In a few days I have to add a new ISP connection to the gigabitEthernet 0/1 interface, which is connected to another router, 10.0.0.1 (a specialized line). I think I have to do this:
interface gigabitEthernet 0/1
ip address 10.0.0.2 255.255.255.248
no shutdown
ip nat outside
ip load-sharing per-packet
route-map DIAL3 permit 10
match ip address 1
match interface gigabitEthernet 0/1
ip nat inside source route-map DIAL3 interface gigabitEthernet 0/1 overload
ip route 0.0.0.0 0.0.0.0 gigabitEthernet0/1 10.0.0.1
Is this a good configuration?
11-23-2012 02:27 PM
Hi,
Yes, that's correct, but I highly encourage you not to do per-packet load-sharing but to keep the per-flow load-sharing (which is the default) by doing no ip cef load-sharing per-packet under the interfaces.
Regards.
Alain
Don't forget to rate helpful posts.
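Added example (not part of the original thread): a simplified Python model of the advice above, showing that with one NAT overload rule per Dialer matched on the exit interface, per-packet sharing makes a single flow reach the remote host from several public addresses, while per-flow sharing keeps one. The Dialer addresses, the flows and the CRC32 hash are constructed stand-ins, not IOS internals.

```python
import zlib
from collections import defaultdict

# Constructed sample data: documentation addresses standing in for the
# address each Dialer negotiates from its ISP.
DIALER_ADDR = {"Dialer0": "198.51.100.10",
               "Dialer1": "198.51.100.20",
               "Dialer2": "198.51.100.30"}
LINKS = list(DIALER_ADDR)


def per_flow_link(src, dst):
    """Per-flow sharing: a hash of the address pair picks one link, so every
    packet of the flow leaves by the same Dialer.
    CRC32 is a stand-in here, not the hash CEF uses."""
    return LINKS[zlib.crc32(f"{src}>{dst}".encode()) % len(LINKS)]


def nat_sources(flows, packets_per_flow, mode):
    """Return {flow: set of post-NAT source addresses the remote host sees}.

    Models 'ip nat inside source route-map DIALn interface DialerN overload'
    with 'match interface DialerN': a packet is translated to the address of
    whichever Dialer routing selected as its exit interface (assumption)."""
    seen = defaultdict(set)
    rr = 0  # round-robin counter used only in per-packet mode
    for _ in range(packets_per_flow):
        for flow in flows:
            if mode == "per-packet":
                link = LINKS[rr % len(LINKS)]
                rr += 1
            else:
                link = per_flow_link(*flow)
            seen[flow].add(DIALER_ADDR[link])
    return dict(seen)


def broken_flows(seen):
    """Flows whose packets arrived from more than one source address."""
    return sorted(f for f, addrs in seen.items() if len(addrs) > 1)


# Constructed flows: (inside host on the 172.20.0.0/16 LAN, remote host).
FLOWS = [("172.20.1.10", "203.0.113.80"), ("172.20.1.11", "203.0.113.80"),
         ("172.20.1.12", "192.0.2.80"), ("172.20.1.13", "192.0.2.80")]

if __name__ == "__main__":
    for mode in ("per-packet", "per-flow"):
        bad = broken_flows(nat_sources(FLOWS, 6, mode))
        print(f"{mode}: {len(bad)} of {len(FLOWS)} flows seen from several addresses")
```

A TCP session whose segments arrive from different source addresses is treated by the remote host as unrelated connections, which is why the per-flow default is the safer choice when each line has its own NAT address.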
08-14-2016 10:36 PM
Can someone tell me if this configuration is OK?
Building configuration...
Current configuration : 11248 bytes
!
! Last configuration change at 05:20:04 UTC Mon Aug 15 2016 by Shawn
!
version 15.5
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname Router
!
boot-start-marker
boot-end-marker
!
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200
logging console critical
enable secret 5
!
aaa new-model
!
!
aaa authentication login local_authen local
aaa authorization exec local_author local
!
!
!
!
!
aaa session-id common
ethernet lmi ce
!
!
!
!
!
!
no ip source-route
!
!
!
!
!
!
!
!
!
!
!
ip dhcp excluded-address 192.168.1.1 192.168.1.49
!
ip dhcp pool DHCP-POOl1
import all
network 192.168.1.0 255.255.255.0
dns-server 139.130.4.4 203.50.2.71
default-router 192.168.1.1
!
!
!
no ip bootp server
ip name-server 139.130.4.4
ip name-server 203.50.2.71
ip cef
ip cef load-sharing algorithm include-ports source destination
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
crypto pki trustpoint TP-self-signed-1982477479
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1982477479
revocation-check none
rsakeypair TP-self-signed-1982477479
!
!
license udi pid CISCO2901/K9 sn FTX172481TB
license boot module c2900 technology-package securityk9
license boot module c2900 technology-package datak9
!
!
username noone privilege 15 secret 5
!
redundancy
!
!
!
!
!
controller VDSL 0/0/0
operating mode adsl2+
!
controller VDSL 0/1/0
operating mode adsl2+
no cdp run
!
track 1 interface Dialer0 ip routing
!
track 2 interface Dialer1 ip routing
!
ip tcp synwait-time 10
!
class-map type inspect match-all sdm-nat-user-protocol--1-1
match access-group 101
class-map type inspect match-any ccp-skinny-inspect
match protocol skinny
class-map type inspect match-any ccp-h323nxg-inspect
match protocol h323-nxg
class-map type inspect match-any ccp-cls-icmp-access
match protocol icmp
match protocol tcp
match protocol udp
class-map type inspect match-any ccp-h225ras-inspect
match protocol h225ras
class-map type inspect match-any ccp-h323annexe-inspect
match protocol h323-annexe
class-map type inspect match-any ccp-cls-insp-traffic
match protocol dns
match protocol ftp
match protocol https
match protocol icmp
match protocol imap
match protocol pop3
match protocol netshow
match protocol shell
match protocol realmedia
match protocol rtsp
match protocol smtp
match protocol sql-net
match protocol streamworks
match protocol tftp
match protocol vdolive
match protocol tcp
match protocol udp
class-map type inspect match-all SDM_GRE
match access-group name SDM_GRE
class-map type inspect match-any ccp-h323-inspect
match protocol h323
class-map type inspect match-all ccp-invalid-src
match access-group 100
class-map type inspect match-any ccp-sip-inspect
match protocol sip
class-map type inspect match-all ccp-protocol-http
match protocol http
class-map type inspect match-any CCP_PPTP
match class-map SDM_GRE
class-map type inspect match-all ccp-insp-traffic
match class-map ccp-cls-insp-traffic
class-map type inspect match-all ccp-icmp-access
match class-map ccp-cls-icmp-access
!
policy-map type inspect ccp-inspect
class type inspect ccp-invalid-src
drop log
class type inspect ccp-protocol-http
inspect
class type inspect ccp-insp-traffic
inspect
class type inspect ccp-sip-inspect
inspect
class type inspect ccp-h323-inspect
inspect
class type inspect ccp-h323annexe-inspect
inspect
class type inspect ccp-h225ras-inspect
inspect
class type inspect ccp-h323nxg-inspect
inspect
class type inspect ccp-skinny-inspect
inspect
policy-map type inspect ccp-permit
class class-default
drop
policy-map type inspect ccp-pol-outToIn
class type inspect CCP_PPTP
pass
class class-default
drop log
policy-map type inspect ccp-permit-icmpreply
class type inspect ccp-icmp-access
inspect
class class-default
pass
!
zone security in-zone
zone security out-zone
zone-pair security ccp-zp-self-out source self destination out-zone
service-policy type inspect ccp-permit-icmpreply
zone-pair security ccp-zp-in-out source in-zone destination out-zone
service-policy type inspect ccp-inspect
zone-pair security ccp-zp-out-zone-To-in-zone source out-zone destination in-zone
service-policy type inspect ccp-pol-outToIn
zone-pair security ccp-zp-out-self source out-zone destination self
service-policy type inspect ccp-permit
!
!
!
!
!
!
!
!
!
!
interface Null0
no ip unreachables
!
interface Embedded-Service-Engine0/0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
shutdown
!
interface GigabitEthernet0/0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
shutdown
duplex auto
speed auto
no mop enabled
!
interface GigabitEthernet0/1
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
shutdown
duplex auto
speed auto
no mop enabled
!
interface ATM0/0/0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
no atm ilmi-keepalive
!
interface ATM0/0/0.1 point-to-point
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
pvc 8/35
pppoe-client dial-pool-number 1
!
!
interface Ethernet0/0/0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
shutdown
no mop enabled
!
interface ATM0/1/0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
no atm ilmi-keepalive
!
interface ATM0/1/0.1 point-to-point
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
pvc 8/35
encapsulation aal5mux ppp dialer
dialer pool-member 2
!
!
interface Ethernet0/1/0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
shutdown
no mop enabled
!
interface GigabitEthernet0/3/0
no ip address
!
interface GigabitEthernet0/3/1
no ip address
!
interface GigabitEthernet0/3/2
no ip address
!
interface GigabitEthernet0/3/3
no ip address
!
interface GigabitEthernet0/3/4
no ip address
!
interface GigabitEthernet0/3/5
no ip address
!
interface GigabitEthernet0/3/6
no ip address
!
interface GigabitEthernet0/3/7
no ip address
!
interface Vlan1
description $FW_INSIDE$
ip address 192.168.1.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat inside
ip virtual-reassembly in
zone-member security in-zone
ip tcp adjust-mss 1412
!
interface Dialer0
description $FW_OUTSIDE$
ip address negotiated
no ip redirects
no ip unreachables
no ip proxy-arp
ip mtu 1452
ip flow ingress
ip nat outside
ip virtual-reassembly in
zone-member security out-zone
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication chap pap callin
ppp chap hostname noone1@ers.com
ppp chap password 7
ppp pap sent-username noone1@ers.com password 7
!
interface Dialer1
description $FW_OUTSIDE$
ip address negotiated
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat outside
ip virtual-reassembly in
zone-member security out-zone
encapsulation ppp
dialer pool 2
dialer-group 2
ppp authentication chap pap callin
ppp chap hostname noone2@ers.com
ppp chap password 7
ppp pap sent-username noone1@ers.com password 7
!
!
ip forward-protocol nd
!
ip http server
ip http access-class 2
ip http authentication local
ip http secure-server
!
ip nat inside source route-map ADSL0 interface Dialer0 overload
ip nat inside source route-map ADSL1 interface Dialer1 overload
ip nat inside source static tcp 192.168.1.35 3391 144.139.8.20 3391 extendable
ip nat inside source static udp 192.168.1.35 3391 144.139.8.20 3391 extendable
ip route 0.0.0.0 0.0.0.0 Dialer0 10 track 1
ip route 0.0.0.0 0.0.0.0 Dialer1 10 track 2
!
ip access-list extended NAT
permit ip 192.168.1.0 0.0.0.255 any
ip access-list extended NAT-DENY-VPN
ip access-list extended PBR
permit tcp host 192.168.1.35 eq 3391 any
permit udp host 192.168.1.35 eq 3391 any
ip access-list extended SDM_GRE
remark CCP_ACL Category=1
permit gre any any
!
logging trap debugging
dialer-list 1 protocol ip permit
dialer-list 2 protocol ip permit
!
route-map ADSL0 permit 10
match ip address NAT
match interface Dialer0
!
route-map ADSL1 permit 10
match ip address NAT
match interface Dialer1
!
route-map PBR permit 10
description **RDP
match ip address access-list PBR
set interface Dialer0
!
!
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 2 remark HTTP Access-class list
access-list 2 remark CCP_ACL Category=1
access-list 2 permit 192.168.1.0 0.0.0.255
access-list 2 deny any
access-list 100 remark CCP_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 101 remark CCP_ACL Category=0
access-list 101 permit ip any host 192.168.1.35
!
!
!
control-plane
!
!
banner login ^CERS^C
!
line con 0
login authentication local_authen
transport output telnet
line aux 0
login authentication local_authen
transport output telnet
line 2
no activation-character
no exec
transport preferred none
transport output lat pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
authorization exec local_author
login authentication local_authen
transport input telnet ssh
line vty 5 15
authorization exec local_author
login authentication local_authen
transport input telnet ssh
!
scheduler allocate 20000 1000
!
end
08-15-2016 01:15 PM
Is there any other way to make load balancing more efficient, dynamically based on total internet traffic?
Regards.