04-26-2010 11:02 PM - edited 03-06-2019 10:49 AM
We have 2 CISCO 2951 routers and 1 ASA 5510 firewall. We have 2 internet links from different service providers (Leased Lines).
How do we need to configure both routers for load balancing and failover?
04-26-2010 11:10 PM
Hi,
If you want to go for failover of links, then configure HSRP with tracking so that whenever the external link goes down the other routers will come into the picture, and drop the default route from the ASA towards the VIP of the HSRP of the routers.
Check out the below link for more information
http://www.cisco.com/en/US/tech/tk648/tk362/technologies_tech_note09186a0080094e8c.shtml
Hope to Help !!
Ganesh.H
Remember to rate the helpful post
04-26-2010 11:22 PM
Hello ganeshh,
Thanks for the quick reply. But in fact it works only for failover, and we need to configure load balancing for both ISPs along with failover.
Regards
Mahesh
04-26-2010 11:39 PM
Hi Mahesh,
If you are not looking for redundancy, and with 1 ASA it appears to be a single point of failure, you can replace your concept of 2 routers with a single router with multiple WAN interfaces and use policy-based routing to route your traffic out the interface you would like.
Two routers, both with 2 WAN interfaces, configured for HSRP, policy-based routing on both, and you basically have an active router and a standby router for redundancy.
So what I would suggest, as the ASA also doesn't have the capability for policy-based routing in the 5500 series, is that you go with a redundancy setup design. Check out the link below for the ASA's capabilities to support PBR.
https://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_qanda_item09186a00805b87d8.shtml#pbr
Hope to Help !!
Ganesh.H
Remember to rate the helpful post
04-27-2010 12:18 AM
Hi Ganesh,
I have tried GLBP (2 Routers) as well as static routes (1 router with 2 WAN interfaces).
Under GLBP, few users were able to connect to internet whereas the rest of the users were unable to. With Static routes (1 router only), the traffic goes out on both interfaces, but comes back only on 1 interface (The Gi0/0 interface).
If you need detailed info about static route config tried out, below is the same;
interface GigabitEthernet0/0
 ip address xxx.xxx.xx.xxx 255.255.255.252
 ip flow ingress
 ip flow egress
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 ip address xxx.xxx.xxx.xx 255.255.255.252
 ip nat outside
 ip virtual-reassembly
 shutdown
 duplex auto
 speed auto
!
interface GigabitEthernet0/2
 ip address 192.168.1.2 255.255.255.0
 ip flow ingress
 ip flow egress
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
 no mop enabled
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
ip flow-export version 5
!
ip nat pool isp1 xxx.xxx.xx.xxx xxx.xxx.xx.xxx netmask 255.255.255.252
ip nat pool isp2 xxx.xxx.xxx.xx xxx.xxx.xxx.xx netmask 255.255.255.252
ip nat inside source route-map isp1 pool isp1 overload
ip nat inside source route-map isp2 pool isp2 overload
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/1
!
access-list 1 permit any
access-list 10 permit any
!
route-map isp2 permit 10
 match ip address 1 Gi0/1
 set interface GigabitEthernet0/1
!
route-map isp1 permit 10
 match ip address 1
 match interface GigabitEthernet0/0
 set interface GigabitEthernet0/0
Note: IP addresses are the WAN IP address provided by each ISP.
Does the router have the correct configuration?
On the ASA, the default route is set to 192.168.1.2, which is the router's LAN IP address (NAT inside).
Please let me know,
Regards
Mahesh
04-27-2010 03:18 AM
Hi Mahesh,
What IP addresses are configured in ACL 1, and why do you want to have two checks in the ISP1 route map? Why don't you try a simple one and then check whether it is working, like:
route-map isp1 permit 10
 match ip address 1
 set interface gig0/1
route-map isp2 permit 10
 match ip address 1
 set interface gig0/0
Hope to help !!
Ganesh.H
Remember to rate the helpful post
04-27-2010 03:49 AM
Hi Ganeshh,
No specific IP address has been configured using ACL. It's just a standard ACL entry as specified in the router configuration.
!
access-list 1 permit any
access-list 10 permit any
!
As for the two checks in the ISP1 route map: earlier, I had tried a route-map similar to the one you have advised, but with no luck.
route-map isp1 permit 10
 match ip address 1
 set interface gig0/1
route-map isp2 permit 10
 match ip address 1
 set interface gig0/0
Afterwards, I followed the instructions from one of the support forums, which stated a route map similar to the one which exists on the router now.
Please Advise
Regards
Mahesh.M
04-28-2010 10:35 AM
04-28-2010 10:45 AM
Ideally, HSRP or GLBP should suffice for the requirement. I don't really know why GLBP did not work for you, but ideally it should. Did you check with the ISP? Ideally, if traffic exits from your ISP 1, it should come back from the same ISP. The other ISP will not allow your transit traffic and blocks it unless you have your own AS.
Did you try the PFR? PFR will be the ideal choice for you.
http://www.cisco.com/en/US/products/ps8787/products_ios_protocol_option_home.html
HTH,