load sharing issue with cef

n.bokhar1

Hi guys,

I have an issue with CEF load sharing. I have two PPPoE interfaces, and when I set both of them as default route, one of them dies and half of my network goes down. If I use policy mapping to use the second link, my policy-routed traffic gets NATed to the other interface. I have my config below; please tell me what I'm doing wrong:

 

Building configuration...


Current configuration : 8580 bytes
!
! Last configuration change at 10:40:04 SF Mon Nov 27 2017 by Nima
!
version 15.5
service timestamps debug datetime msec
service timestamps log datetime msec
no platform punt-keepalive disable-kernel-core
!
hostname R-1_1
!
boot-start-marker
boot system flash bootflash:isr4400-universalk9.03.17.04.S.156-1.S4-std.SPA.bin
boot-end-marker
!
!
vrf definition Mgmt-intf
!
address-family ipv4
exit-address-family
!
address-family ipv6
exit-address-family
!
enable secret 5 $1$wSPK$HIXigzVU5pmwwLXEfcnvn/
!
no aaa new-model
!
!
!

no ip domain lookup
ip domain name test.com
ip dhcp excluded-address 10.1.6.1 10.1.6.10
!
ip dhcp pool WIFI
network 10.1.6.0 255.255.255.0
default-router 10.1.6.1
dns-server 8.8.8.8 4.2.2.2
!
!
!
!
!
!
!
!
!
!
subscriber templating
multilink bundle-name authenticated
!
flow record R1-RECORD
match ipv4 source address
match ipv4 destination address
match ipv4 protocol
match transport source-port
match transport destination-port
match ipv4 tos
match flow direction
match interface input
collect interface output
collect counter bytes
collect counter packets
!
!
flow exporter R1-EXPORTER
destination 10.1.1.205
source GigabitEthernet0/0/0
transport udp 9999
!
!
flow monitor R1-MONITOR
exporter R1-EXPORTER
cache timeout inactive 60
cache timeout active 120
record R1-RECORD
!
!
!
!
!
license udi pid ISR4431/K9 sn FOC21050KU3
!
spanning-tree extend system-id
!
username Nima secret 5 $1$J6L.$RIOTAbbf.10jnA1Py2vkb1
username it secret 5 $1$w48b$AcvomqH2O7m/cqNZf/Jpp/
!
redundancy
mode none
!
!
vlan internal allocation policy ascending
!
!
!
!
!
!
interface Tunnel0
ip address 172.17.1.1 255.255.0.0
no ip redirects
no ip next-hop-self eigrp 1
no ip split-horizon eigrp 1
ip nhrp map multicast dynamic
ip nhrp network-id 1
shutdown
tunnel source 172.21.10.62
tunnel mode gre multipoint
!
interface Tunnel1
description NET-TU
ip address 172.18.1.1 255.255.0.0
no ip redirects
no ip next-hop-self eigrp 1
no ip split-horizon eigrp 1
ip nhrp map multicast dynamic
ip nhrp network-id 500
shutdown
tunnel source Dialer2
tunnel mode gre multipoint
!
interface GigabitEthernet0/0/0
description INSIDE
ip address 10.1.10.2 255.255.255.252
ip nat inside
ip flow monitor R1-MONITOR input
ip flow monitor R1-MONITOR output
negotiation auto
!
interface GigabitEthernet0/0/1
description OUT_MPLS
ip address 172.21.10.62 255.255.255.252
negotiation auto
!
interface GigabitEthernet0/0/2
description OUT-NET
no ip address
negotiation auto
pppoe enable group global
pppoe-client dial-pool-number 2
!
interface GigabitEthernet0/0/3
no ip address
negotiation auto
pppoe enable group global
pppoe-client dial-pool-number 1
!
interface GigabitEthernet0
vrf forwarding Mgmt-intf
no ip address
negotiation auto
!
interface Vlan1
no ip address
shutdown
!
interface Dialer1
ip address negotiated
ip mtu 1492
ip nat outside
encapsulation ppp
dialer pool 1
ppp authentication chap pap callin
ppp chap hostname ***************
ppp chap password 0 ***************
ppp pap sent-username ********* password 0 ******
!
interface Dialer2
ip address negotiated
ip mtu 1492
ip nat outside
encapsulation ppp
dialer pool 2
ppp authentication chap pap callin
ppp chap hostname **************
ppp chap password 0 *******
ppp pap sent-username ********** password 0 ***********
!
!
router eigrp 1
network 10.1.10.2 0.0.0.0
network 172.17.1.1 0.0.0.0
network 172.18.1.1 0.0.0.0
redistribute static
!
ip nat inside source static tcp 10.1.2.225 22 interface Dialer2 28585
ip nat inside source static tcp 10.1.2.39 3389 interface Dialer2 18585
ip nat inside source static tcp 10.1.2.36 3389 interface Dialer2 17474
ip nat inside source static tcp 10.1.2.43 3389 interface Dialer2 32322
ip nat inside source static tcp 10.1.2.42 3389 interface Dialer2 32323
ip nat inside source static tcp 10.1.2.64 1433 interface Dialer2 28271
ip nat inside source static tcp 192.168.110.5 8291 interface Dialer2 43000
ip nat inside source static tcp 10.1.1.211 22 interface Dialer2 49000
ip nat inside source static tcp 10.1.2.49 3389 interface Dialer2 49001
ip nat inside source list NA interface Dialer1 overload
ip nat inside source list NAT interface Dialer2 overload
ip forward-protocol nd
no ip http server
no ip http secure-server
ip tftp source-interface GigabitEthernet0/0/2
ip route 0.0.0.0 0.0.0.0 Dialer2
ip route 10.1.1.0 255.255.255.0 10.1.10.1
ip route 10.1.2.0 255.255.255.0 10.1.10.1
ip route 10.1.3.0 255.255.255.0 10.1.10.1
ip route 10.1.5.0 255.255.255.0 10.1.10.1
ip route 10.1.6.0 255.255.255.0 10.1.10.1
ip route 10.1.8.0 255.255.255.0 10.1.10.1
ip route 10.1.9.0 255.255.255.0 10.1.10.1
ip route 172.21.48.180 255.255.255.252 172.21.10.61
ip route 192.168.110.0 255.255.255.0 10.1.10.1
ip ssh maxstartups 3
ip ssh time-out 90
ip ssh authentication-retries 5
ip ssh version 2
!
!
ip access-list standard D
deny 77.64.153.130
permit any
ip access-list standard DENY
deny 10.1.2.50
permit any
ip access-list standard NA
permit 10.1.0.0 0.0.255.255
ip access-list standard NAT
permit 10.1.0.0 0.0.255.255
ip access-list standard RO-PO
permit 10.1.2.49
!
logging trap warnings
logging host 10.1.1.209
!
route-map RO-PO permit 10
match ip address RO-PO
set interface Dialer1
!
!
!
control-plane

!
line con 0
logging synchronous
login local
stopbits 1
line aux 0
stopbits 1
line vty 0 4
logging synchronous
login local
transport input ssh
line vty 5 97
logging synchronous
login local
transport input ssh
!
!
end

Accepted Solutions

Hello,

 

The parts in bold provide for basic NAT load balancing (for the dynamic part). Try this and see if you get it to work for your dynamic NAT. Static NAT entries are the next step...

 

Current configuration : 8580 bytes
!
! Last configuration change at 10:40:04 SF Mon Nov 27 2017 by Nima
!
version 15.5
service timestamps debug datetime msec
service timestamps log datetime msec
no platform punt-keepalive disable-kernel-core
!
hostname R-1_1
!
boot-start-marker
boot system flash bootflash:isr4400-universalk9.03.17.04.S.156-1.S4-std.SPA.bin
boot-end-marker
!
!
vrf definition Mgmt-intf
!
address-family ipv4
exit-address-family
!
address-family ipv6
exit-address-family
!
enable secret 5 $1$wSPK$HIXigzVU5pmwwLXEfcnvn/
!
no aaa new-model
!
ip cef
!
no ip domain lookup
ip domain name test.com
ip dhcp excluded-address 10.1.6.1 10.1.6.10
!
ip dhcp pool WIFI
network 10.1.6.0 255.255.255.0
default-router 10.1.6.1
dns-server 8.8.8.8 4.2.2.2
!
subscriber templating
multilink bundle-name authenticated
!
flow record R1-RECORD
match ipv4 source address
match ipv4 destination address
match ipv4 protocol
match transport source-port
match transport destination-port
match ipv4 tos
match flow direction
match interface input
collect interface output
collect counter bytes
collect counter packets
!
flow exporter R1-EXPORTER
destination 10.1.1.205
source GigabitEthernet0/0/0
transport udp 9999
!
flow monitor R1-MONITOR
exporter R1-EXPORTER
cache timeout inactive 60
cache timeout active 120
record R1-RECORD
!
license udi pid ISR4431/K9 sn FOC21050KU3
!
spanning-tree extend system-id
!
username Nima secret 5 $1$J6L.$RIOTAbbf.10jnA1Py2vkb1
username it secret 5 $1$w48b$AcvomqH2O7m/cqNZf/Jpp/
!
redundancy
mode none
!
vlan internal allocation policy ascending
!
interface Tunnel0
ip address 172.17.1.1 255.255.0.0
no ip redirects
no ip next-hop-self eigrp 1
no ip split-horizon eigrp 1
ip nhrp map multicast dynamic
ip nhrp network-id 1
shutdown
tunnel source 172.21.10.62
tunnel mode gre multipoint
!
interface Tunnel1
description NET-TU
ip address 172.18.1.1 255.255.0.0
no ip redirects
no ip next-hop-self eigrp 1
no ip split-horizon eigrp 1
ip nhrp map multicast dynamic
ip nhrp network-id 500
shutdown
tunnel source Dialer2
tunnel mode gre multipoint
!
interface GigabitEthernet0/0/0
description INSIDE
ip address 10.1.10.2 255.255.255.252
ip nat inside
ip flow monitor R1-MONITOR input
ip flow monitor R1-MONITOR output
negotiation auto
!
interface GigabitEthernet0/0/1
description OUT_MPLS
ip address 172.21.10.62 255.255.255.252
negotiation auto
!
interface GigabitEthernet0/0/2
description OUT-NET
no ip address
negotiation auto
pppoe enable group global
pppoe-client dial-pool-number 2
!
interface GigabitEthernet0/0/3
no ip address
negotiation auto
pppoe enable group global
pppoe-client dial-pool-number 1
!
interface GigabitEthernet0
vrf forwarding Mgmt-intf
no ip address
negotiation auto
!
interface Vlan1
no ip address
shutdown
!
interface Dialer1
ip address negotiated
ip mtu 1492
ip nat outside
encapsulation ppp
dialer pool 1
ppp authentication chap pap callin
ppp chap hostname ***************
ppp chap password 0 ***************
ppp pap sent-username ********* password 0 ******
!
interface Dialer2
ip address negotiated
ip mtu 1492
ip nat outside
encapsulation ppp
dialer pool 2
ppp authentication chap pap callin
ppp chap hostname **************
ppp chap password 0 *******
ppp pap sent-username ********** password 0 ***********
!
!
router eigrp 1
network 10.1.10.2 0.0.0.0
network 172.17.1.1 0.0.0.0
network 172.18.1.1 0.0.0.0
redistribute static
!
ip nat inside source static tcp 10.1.2.225 22 interface Dialer2 28585
ip nat inside source static tcp 10.1.2.39 3389 interface Dialer2 18585
ip nat inside source static tcp 10.1.2.36 3389 interface Dialer2 17474
ip nat inside source static tcp 10.1.2.43 3389 interface Dialer2 32322
ip nat inside source static tcp 10.1.2.42 3389 interface Dialer2 32323
ip nat inside source static tcp 10.1.2.64 1433 interface Dialer2 28271
ip nat inside source static tcp 192.168.110.5 8291 interface Dialer2 43000
ip nat inside source static tcp 10.1.1.211 22 interface Dialer2 49000
ip nat inside source static tcp 10.1.2.49 3389 interface Dialer2 49001
!
ip nat inside source route-map DIALER_1 interface Dialer1 overload
ip nat inside source route-map DIALER_2 interface Dialer2 overload
!
ip forward-protocol nd
no ip http server
no ip http secure-server
ip tftp source-interface GigabitEthernet0/0/2
!
ip route 0.0.0.0 0.0.0.0 Dialer1
ip route 0.0.0.0 0.0.0.0 Dialer2
!
ip route 10.1.1.0 255.255.255.0 10.1.10.1
ip route 10.1.2.0 255.255.255.0 10.1.10.1
ip route 10.1.3.0 255.255.255.0 10.1.10.1
ip route 10.1.5.0 255.255.255.0 10.1.10.1
ip route 10.1.6.0 255.255.255.0 10.1.10.1
ip route 10.1.8.0 255.255.255.0 10.1.10.1
ip route 10.1.9.0 255.255.255.0 10.1.10.1
ip route 172.21.48.180 255.255.255.252 172.21.10.61
ip route 192.168.110.0 255.255.255.0 10.1.10.1
ip ssh maxstartups 3
ip ssh time-out 90
ip ssh authentication-retries 5
ip ssh version 2
!
ip access-list standard D
deny 77.64.153.130
permit any
ip access-list standard DENY
deny 10.1.2.50
permit any
ip access-list standard NA
permit 10.1.0.0 0.0.255.255
ip access-list standard NAT
permit 10.1.0.0 0.0.255.255
ip access-list standard RO-PO
permit 10.1.2.49
!
route-map DIALER_1 permit 10
match ip address NAT
match interface Dialer1
!
route-map DIALER_2 permit 10
match ip address NAT
match interface Dialer2
!
logging trap warnings
logging host 10.1.1.209
!
route-map RO-PO permit 10
match ip address RO-PO
set interface Dialer1
!
control-plane
!
line con 0
logging synchronous
login local
stopbits 1
line aux 0
stopbits 1
line vty 0 4
logging synchronous
login local
transport input ssh
line vty 5 97
logging synchronous
login local
transport input ssh
!
end
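
Added example, not part of the original posts and not Cisco code: the dynamic NAT and default-route lines that differ between the two configurations above, with a small check for overload rules that are not tied to their own outside interface. An ACL-only rule matches on source address alone, while a route-map with `match interface` also matches the interface the packet leaves on. The function names are hypothetical, and `BEFORE`/`AFTER` are excerpts constructed from the configs on this page.

```python
import re

# Constructed input: the NAT and default-route lines from the two configs above.
BEFORE = """\
ip nat inside source list NA interface Dialer1 overload
ip nat inside source list NAT interface Dialer2 overload
ip route 0.0.0.0 0.0.0.0 Dialer2
"""
AFTER = """\
ip nat inside source route-map DIALER_1 interface Dialer1 overload
ip nat inside source route-map DIALER_2 interface Dialer2 overload
ip route 0.0.0.0 0.0.0.0 Dialer1
ip route 0.0.0.0 0.0.0.0 Dialer2
route-map DIALER_1 permit 10
match ip address NAT
match interface Dialer1
route-map DIALER_2 permit 10
match ip address NAT
match interface Dialer2
"""
NAT_RE = re.compile(
    r"^ip nat inside source (list|route-map) (\S+) interface (\S+) overload")

def route_map_interfaces(config):
    """Map each route-map name to the interfaces named in 'match interface'."""
    maps, current = {}, None
    for line in config.splitlines():
        s = line.strip()
        if s.startswith("route-map "):
            current = s.split()[1]
            maps.setdefault(current, set())
        elif current and s.startswith("match interface "):
            maps[current].update(s.split()[2:])
        elif not s.startswith(("match ", "set ")):
            current = None  # any other line ends the route-map block
    return maps

def audit_dynamic_nat(config):
    """Flag overload rules that are not tied to their own outside interface."""
    maps = route_map_interfaces(config)
    rules = [m for m in map(NAT_RE.match, config.splitlines()) if m]
    if len({m.group(3) for m in rules}) < 2:
        return []  # one uplink: no ambiguity about which rule applies
    findings = []
    for kind, name, iface in (m.groups() for m in rules):
        if kind == "list":
            findings.append((iface, "acl-only"))
        elif iface not in maps.get(name, set()):
            findings.append((iface, "no-match-interface"))
    return findings

def default_route_interfaces(config):
    """Interfaces that carry a static default route."""
    return sorted(re.findall(r"^ip route 0\.0\.0\.0 0\.0\.0\.0 (\S+)", config, re.M))

if __name__ == "__main__":
    for label, cfg in (("before", BEFORE), ("after", AFTER)):
        print(label, audit_dynamic_nat(cfg), default_route_interfaces(cfg))
```

The check covers only the dynamic overload rules; the static port-forward entries stay pinned to Dialer2 in both configurations.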

Thanks man, that worked beautifully.