
Source IP based load sharing

i.va
Level 3

Hi,

a customer has an ASA5520 and 2 ISP routers with one WAN link each, and wants to split the load over both routers based on source IP ("natted" IP on ASA).

I found this excellent doc on the topic: https://supportforums.cisco.com/docs/DOC-13015.

Using PBR to achieve this is an option I was looking at, but I have come across a possible loop doing this with 2 routers. Please take a look at my setup:

           -----------CE-1---------ISP-1
           |           |
           |           |
ASA5520----       HSRP |
           |           |
           |           |
           -----------CE-2---------ISP-2

Both Routers receive default routes via BGP, and customer networks are propagated via BGP as well (i.e. the customer can specify the return path for the traffic). The ASA5520 forwards traffic to a HSRP virtual IP for redundancy purposes. If one router or ISP fails, all the traffic should use the other router/ISP. The customer wants to specify which traffic is sent over which link, by defining nat rules on the ASA. e.g. traffic sourced from the network 10.10.1.0/24 will always use ISP 1, and traffic sourced from the network 10.10.2.0/24 will always use ISP 2.

My problem: if I use route-maps on both routers (CE-1 and CE-2), sending part of the traffic to the other, and one ISP link fails, in my opinion I have a loop, since part of the traffic will get sent back to the router it came from.

Is there any other way to achieve my goal without using PBR? I have looked at CEF and GLBP, but I cannot seem to find a way to load share via source IP. I am happy to provide more info or configs if needed.


8 Replies

Marwan ALshawi
VIP Alumni

in your case you need to make sure first that you are sending the traffic to the right router

for example, if you are going to send the traffic to the VIP of HSRP, that means all the traffic from the ASA will go to the active HSRP router and there is no need for the complex policies of the ASA NATing; the PBR can handle where the traffic is to be sent at the router level, but I do not believe this is a better way to do it because you will keep sending the traffic to one router (the active one) to process the PBR first

the other option you might do is use the policies of the ASA NATing

create two HSRP VIPs and make one router active for one HSRP group VIP and the other active for the other HSRP group/VIP

then you can load share

also, the answer for your PBR fallback in the case of link failure: you can use IPSLA with it as described in the document below that I posted in CSC

https://supportforums.cisco.com/docs/DOC-8313

by the way, I am assuming there is no iBGP between the routers, otherwise there might be a problem with which default route is preferred from the routers' point of view

HTH

if helpful Rate

Hi,

first of all, thank you for the quick reply! I think I need to elaborate. Please take a look at the network diagram I attached to the original post. I have replaced the public IPs with private IPs, and replaced the AS numbers, as well as passwords.

iBGP is also planned, but there should only be one active default route on each CE router. If the link goes down, another default route (with a higher metric) should become active.

It is important that I can influence the traffic regarding which link should be used (inbound and outbound), since the customer is planning to do VoIP in the future, and one link has higher delay than the other.

I am aware that traffic using the backup link will have to go through CE-1, and then to CE-2. Both routers should be able to handle all the traffic. Unfortunately I am limited to 3 interfaces per CE router.

Using 2 HSRP groups would not really be an option, since I cannot specify different next-hop addresses on the ASA (PBR). Entering 2 default routes will not allow me to control which link is used.

The route-maps displayed should cause a loop when one of the ISP links goes down. I have not tried this in a lab yet though.

Do you have a suggestion? We would like to keep the ASAs in Active/Standby mode if possible instead of Active/Active.

Ok, correct me if I am wrong

from my understanding and your topology attached, you have two firewalls working in Active/Standby

each FW connecting directly to one of the CE routers ( I can't see a shared switched/L2 network between the FWs and CE routers to have HSRP !! )

anyway, traffic coming to the Active FW will go to CE1; in the fallback situation traffic from the FWs will go to CE2

if this is correct then you have iBGP over the third interface between the CEs and you do PBR on the LAN/inbound interface of each CE to redirect the traffic based on the source to the respective ISP ( PBRed traffic will go over the BVI interface to the other CE )

now each of your CEs is connecting to a different BGP peer and receiving a default route

- first of all you need to create an inbound route-map for BGP in each CE to increase the weight of the default route received from the directly connected ISP/PE, to make sure each CE will use the right default route and avoid the loop

- then you can keep the logic of your PBRs if that is what you are looking for, but to avoid a situation where one of the ISPs is down and the traffic keeps being sent to that ISP by the PBR and gets dropped, use IPSLA with your PBRs

Note: as long as there is no PBR applied on the BVI interface, once you send the traffic to the other peer/CE over the BVI interface the receiving CE will route the traffic using its local routing table, and once you have applied the above recommendation to increase the weight of the default route received from the directly connected ISP/Peer it will route using that default route ( no loop ); if there is no route it will drop the traffic, no loop as well

what you can do in each CE is send icmp to the directly connected ISP peer and monitor it using IPSLA; if the ping fails 3 times for example you consider this track down, and then this track can be used in the route map to affect the PBR decision

for example in your CE PBR

ip sla monitor 1
 type echo protocol ipIcmpEcho 10.0.1.110 source-ipaddr 10.0.1.109
 timeout 2000
 frequency 3
! the schedule must reference the operation defined above (1), not 4
ip sla monitor schedule 1 start-time now
!
track 1 rtr 1

the below PBR will send the traffic matching acl 153 to next hop 10.0.1.109; if track 1 above is down (no ICMP) then it will send it to next hop (CE2) over the BVI interface ( no PBR must be applied on the BVI ) so the traffic will use the local routing table of CE2

route-map POLICY permit 20
 match ip address 153
 set ip next-hop verify-availability 10.0.1.109 1 track 1
 set ip default next-hop 192.168.1.194

HTH

if helpful Rate 

To clarify the topology: Gi0/1 and Gi0/2 form the BVI1 interface on each router (both in bridge group 1), so the FWs are in the same network as both CE routers. HSRP is bound to the BVI1 interface (the HSRP config was omitted in the network diagram). The traffic can be switched from e.g. CE-1 to CE-2, e.g. if the ISP1 link fails.

So in this configuration there is unfortunately always PBR applied to the BVI interfaces, which causes the following:

The problem occurs when CE-1 sends traffic sourced from 192.168.2.0/24 (FW) to CE-2. On CE-2 this traffic is sent to next-hop 10.0.1.109. If this next hop is unavailable, the traffic is sent using the default route (learned by iBGP), which points back to CE-1. Even if I use IP SLA the traffic will still be routed back to CE-1 and the PBR will be applied nonetheless, and CE-1 sends it back to CE-2 etc.

At the moment I am thinking of putting IP SLA to use on CE-1 (and CE-2 respectively) to solve the problem, e.g. for CE-1:

!
ip route 10.0.1.109 255.255.255.255 192.168.1.195
!
ip sla monitor 1
 type echo protocol ipIcmpEcho 10.0.1.109 source-ipaddr 192.168.1.194
 timeout 2000
 frequency 3
! schedule operation 1 (the one defined above)
ip sla monitor schedule 1 start-time now
!
track 1 rtr 1
!
access-list 152 permit ip 192.168.1.0 0.0.0.255 any
access-list 153 permit ip 192.168.2.0 0.0.0.255 any
!
route-map LB-INTERNET permit 10
 match ip address 152
 set ip next-hop 10.0.0.225
!
route-map LB-INTERNET permit 20
 match ip address 153
 set ip next-hop verify-availability 192.168.1.195 1 track 1
!
interface BVI1
 no ip redirects
 ip policy route-map LB-INTERNET
 ip address 192.168.1.194 255.255.254.0
!

This should cause traffic arriving at CE-1 sourced from 192.168.2.0/24 not to be sent to CE-2, if the ISP2 link on CE-2 is down. It would then be sent using the default route on CE-1 (link ISP1). Is this correct?

ok, let's keep the same config I suggested above, but to avoid looping add an additional line to the PBR to check the other CE/peer connectivity/track state as below

in the suggested config above we had track 1 to check the icmp to the ISP peer to make sure it's up

now what you can do is let the other peer know about this track and change its PBR accordingly; this can be done as below

create a dummy static route pointing to null 0 and associated with track 1; if track 1 is down this static route will disappear

then redistribute this static route into BGP

in this case the other CE will see this route in the routing table; what you can do is create an IPSLA track to watch this route in the routing table; if the route is not there ( track 1 on the other end is down ) then the local track will be down and make another PBR routing decision

example

CE1

ip sla monitor 1
 type echo protocol ipIcmpEcho 10.0.1.110 source-ipaddr 10.0.1.109
 timeout 2000
 frequency 3
! the schedule must reference the operation defined above (1)
ip sla monitor schedule 1 start-time now
!
track 1 rtr 1 reachability

the below PBR will send the traffic matching acl 153 to next hop 10.0.1.109; if track 1 above is down (no ICMP) then it will send it to next hop (CE2) over the BVI interface ( no PBR must be applied on the BVI ) so the traffic will use the local routing table of CE2

route-map POLICY permit 20
 match ip address 153
 set ip next-hop verify-availability 10.0.1.109 1 track 1
 set ip default next-hop 192.168.1.194

conditionally advertise the below static route based on the ipsla track 1 state above

! network address must match the mask (1.1.1.0/24), otherwise IOS rejects the route
ip route 1.1.1.0 255.255.255.0 Null0 track 1

now redistribute this static route into BGP

CE2

CE2 is supposed to get this 1.1.1.0 through iBGP from CE1

in the case track 1 in CE1 is down this route will disappear and you need to send the traffic differently in this case to avoid the looping issue

track 10 ip route 1.1.1.0/24 reachability

route-map POLICY permit 20
 match ip address 153
 set ip next-hop verify-availability 192.168.1.195 1 track 10
 set ip default next-hop 10.0.0.225

if track 1 is down in CE1 the route 1.1.1.0 will disappear from the routing table of CE2 and track 10 will be down, and when traffic gets redirected from CE1 to CE2 over the BVI interface, because the above route map has track 10 down, it will route the traffic using 10.0.0.225, the ISP connected to CE2

once this works in the lab to prove it, you can use the same idea for traffic coming from CE2 to CE1 using another static route and dummy subnet to be advertised

HTH
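The loop i.va describes above (CE-2 falling back to its iBGP default towards CE-1, which policy-routes the packet straight back) and the cure in this answer, applied to the mirror direction mentioned at the end (acl 153 traffic entering CE-1 and exiting via CE-2/ISP2), can be walked through hop by hop. This is an added Python model, not the posters' IOS configuration: router names and addresses come from the thread, and the dummy-route/BGP signalling is abstracted as a direct read of the other CE's ISP state.

```python
"""Hop-by-hop model of the PBR loop in this thread and of the accepted
answer's cure (a CE advertises a dummy route only while its ISP track is up;
the other CE's PBR tracks that route). Added illustration, not the posters'
IOS configs; the route/BGP signalling is abstracted as reading the other
CE's ISP state directly."""
from __future__ import annotations
from dataclasses import dataclass
from typing import Callable, Dict, List

ISP1, ISP2 = "ISP1 (10.0.0.225)", "ISP2 (10.0.1.109)"
CE1, CE2 = "CE-1 (192.168.1.194)", "CE-2 (192.168.1.195)"

@dataclass
class CE:
    isp: str                     # directly attached ISP next hop
    peer: str                    # the other CE, reached over the BVI
    isp_up: bool = True
    # PBR for acl 153 (sourced from 192.168.2.0/24): forward to pbr_hop while
    # pbr_track(net) is up, otherwise fall through to the routing table.
    pbr_hop: str = ""
    pbr_track: Callable[[Dict[str, CE]], bool] = lambda net: True

    def next_hop(self, net: Dict[str, CE]) -> str:
        if self.pbr_hop and self.pbr_track(net):
            return self.pbr_hop
        # Routing table: own default from the attached ISP while it is up,
        # otherwise the iBGP default learned from the other CE.
        return self.isp if self.isp_up else self.peer

def walk(net: Dict[str, CE], ingress: str, ttl: int = 8) -> List[str]:
    """Follow one acl-153 packet entering at `ingress` until it exits to an
    ISP or the hop budget runs out (reported as a trailing "LOOP")."""
    path, node = [ingress], ingress
    while ttl > 0:
        node = net[node].next_hop(net)
        path.append(node)
        if node in (ISP1, ISP2):
            return path
        ttl -= 1
    return path + ["LOOP"]

def build(fixed: bool, isp2_up: bool) -> Dict[str, CE]:
    """fixed=False: CE-1's route-map sets next-hop CE-2 unconditionally.
    fixed=True: that next-hop is guarded by the dummy route CE-2 advertises
    only while its own ISP2 track (verify-availability 10.0.1.109) is up."""
    ce2 = CE(isp=ISP2, peer=CE1, isp_up=isp2_up, pbr_hop=ISP2,
             pbr_track=lambda net: net[CE2].isp_up)
    ce1 = CE(isp=ISP1, peer=CE2, pbr_hop=CE2,
             pbr_track=(lambda net: net[CE2].isp_up) if fixed else (lambda net: True))
    return {CE1: ce1, CE2: ce2}
```

`walk(build(fixed=False, isp2_up=False), CE1)` bounces between the two CEs until the hop budget is exhausted, while the tracked variant exits CE-1 straight to ISP1 under the same failure.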

Hi! I will try to set this up in a lab today and let you know about my findings ...

Hi,

so I set this up in a lab. I found the following configuration to be working on my CE Routers:

!
hostname CE1
ip cef
!
track 1 rtr 1
bridge irb
!
interface FastEthernet0/0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 duplex auto
 speed auto
 no mop enabled
 bridge-group 1
!
interface FastEthernet0/1
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 duplex auto
 speed auto
 no mop enabled
 bridge-group 1
!
interface FastEthernet1/0
 ip address 10.0.0.226 255.255.255.252
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 duplex auto
 speed auto
 no mop enabled
!
interface BVI1
 ip address 192.168.1.194 255.255.252.0
 no ip redirects
 ip policy route-map LB-INTERNET
 standby 1 ip 192.168.1.193
 standby 1 timers 1 3
 standby 1 priority 150
 standby 1 preempt
!
router bgp 65222
 bgp log-neighbor-changes
 neighbor 10.0.0.225 remote-as 65534
 neighbor 192.168.1.195 remote-as 65222
 !
 address-family ipv4
  neighbor 10.0.0.225 activate
  neighbor 10.0.0.225 prefix-list default-v4 in
  neighbor 10.0.0.225 route-map LINK1 out
  neighbor 192.168.1.195 activate
  neighbor 192.168.1.195 prefix-list default-v4 in
  neighbor 192.168.1.195 prefix-list default-v4 out
  no auto-summary
  no synchronization
  network 192.168.1.0
  network 192.168.2.0
 exit-address-family
!
ip forward-protocol nd
ip route 10.0.1.109 255.255.255.255 192.168.1.195
ip route 192.168.1.0 255.255.255.0 BVI1
ip route 192.168.1.0 255.255.255.0 Null0 220
ip route 192.168.2.0 255.255.255.0 BVI1
ip route 192.168.2.0 255.255.255.0 Null0 220
!
ip http server
no ip http secure-server
!
ip prefix-list MyAdd1 seq 5 permit 192.168.1.0/24
!
ip prefix-list MyAdd2 seq 5 permit 192.168.2.0/24
!
ip prefix-list default-v4 seq 5 permit 0.0.0.0/0
!
ip sla 1
 icmp-echo 10.0.1.109 source-ip 192.168.1.194
 timeout 2000
 frequency 3
ip sla schedule 1 life forever start-time now
!
access-list 152 permit ip 192.168.1.0 0.0.0.255 any
access-list 153 permit ip 192.168.2.0 0.0.0.255 any
!
route-map LINK1 permit 10
 match ip address prefix-list MyAdd1
 set metric 50
!
route-map LINK1 permit 20
 match ip address prefix-list MyAdd2
 set metric 100
!
route-map LB-INTERNET permit 20
 match ip address 153
 set ip next-hop verify-availability 192.168.1.195 1 track 1
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
!

Thank you for your input on tracking the next hop! Just needed to add the "life forever" parameters on the ip sla configuration.

Marwan ALshawi
VIP Alumni

I am glad that you got it working

Please rate the helpful posts

Sent from Cisco Technical Support iPhone App