Load balancing and automatic fail over of traffic

collinks2 · ‎10-30-2017

Hello Guys, We want to accomplish this using Cisco 2911 router. We have the following networks: 172.16.2.0,172.16.3.0 - 172.16.7.0.

Our goal is to allow all these network to use the two isp links. If one isp link goes down, those network will be redirected to another isp link. All the lan networks must make use of the two links.

Access list is nat-add

Isp1 pool is mtn and isp2 pool is airtel

Route map for isp1is route-mtn

The route map statement matches the access-list nat-add with the next valid hop set to the gateway pointing to isp1

route-map for isp2 is route-airtel.

What access - list statement do we use for the isp2 since the route-map for isp1 is matching all the networks in the access-list, nat-add?

How do we define the ip sla monitor using track command in the default router? I know we will have two default routes, one pointing to isp1 and the other pointing to isp2?which default route will use the track command?

Any suggestions will be appreciated

Francesco Molino · ‎10-31-2017

Hi

Sorry but I'm not sure I get your point.

you have 2 ISPs and 3 LAN subnets : 172.16.2.0,172.16.3.0 and 172.16.7.0, is that right?

What trigger the traffic to go to ISP1 or ISP2? Will that be triggered by protocol (like http, ftp on 1 link and all others on another link)? Or will that be based on source IP or ....?

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

collinks2 · ‎10-31-2017

Francesco,
Sorry that I didn't reply your questions.The lan subnets are :
172.16.2.0
172.16.3.0
172.16.4.0
172.16.5.0
172.16.6.0
172.16.7.0
All the subnets are expected to make use of isp 1 and isp 2 links at the
same time. If either of the links fails, it goes to another.
Georg and Paul have provided wonderful suggestions

Georg Pauwen · ‎10-31-2017

Hello,

both route maps need to match the same ACL, just the matching interfaces need to be different.

You need to track both routes, because either one might go down.

Post the full configuration, so we can add the necessary bits and pieces...

paul driver · ‎10-31-2017

Hello

@collinks2 wrote:

Hello Guys, We want to accomplish this using Cisco 2911 router. We have the following networks: 172.16.2.0,172.16.3.0 - 172.16.7.0.

Our goal is to allow all these network to use the two isp links. If one isp link goes down, those network will be redirected to another isp link.

How do we define the ip sla monitor using track command in the default router? I know we will have two default routes, one pointing to isp1 and the other pointing to isp2?which default route will use the track command?

Any suggestions will be appreciated

Given the your requirements the config below maybe applicable -

Apply sla to poll a wan address sourced from your primary wan interface

ip sla 1
icmp-echo 8.8.8.8 source-interface X/X <primary interface>
ip sla schedule 1 life forever start-time now
track 1 rtr 1 reachability

create ACL and NAT statements for dual wan links
access-list 100 permit ip 172.16.2.0 0.0.1.255 any

access-list 100 permit ip 172.16.4.0 0.0.3.255 any

route-map LAN permit 10
match ip address 100
match interface <primary interface>

route-map LAN2 permit 10
match ip address 100
match interface <secondary interface>

ip nat inside source route-map LAN interface <primary interface> overload
ip nat inside source route-map LAN2 interface <secondary interface> overload

Apply default static routes to primary and secondary wan links with tracking and admin distances values

ip route 0.0.0.0 0.0.0.0 x.x.x.x 1 name Primary track 1
ip route 0.0.0.0 0.0.0.0 y.y.y.y. 200

res
Paul

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

collinks2 · ‎10-31-2017

My config is almost the same with Paul except in subinterfaces where I
enabled policy Based routing

ip sla 1
icmp-echo 8.8.8.8 source-interface X/X
ip sla schedule 1 life forever start-time now
track 1 rtr 1 reachability

create ACL and NAT statements for dual wan links

access-list 100 permit ip 172.16.2.0 0.0.1.255 any

access-list 100 permit ip 172.16.4.0 0.0.3.255 any

route-map LAN permit 10
match ip address 100
match interface

route-map LAN2 permit 10
match ip address 100
match interface

ip nat inside source route-map LAN interface overload
ip nat inside source route-map LAN2 interface overload

Apply default static routes to primary and secondary wan links with
tracking and admin distances values

ip route 0.0.0.0 0.0.0.0 x.x.x.x 1 name Primary track 1
ip route 0.0.0.0 0.0.0.0 y.y.y.y. 200

Georg suggested that we should enable track

for the two default routes.

The primary default router carries track 1 should I use another track no
for the secondary router.

Paul put administrative distance of 1 for the primary and 200 for the
secondary. The secondary will take over only if the primary fails. We don't
want the secondary to be redundant. We want the two to be up at the same
time.

According to Georg suggestion, it seems the two routes will have the same
administrative distance but different track nos.

Is there no need for policy Based routing? Will this be enabled on each
subinterface or the physical interface. I will post my configuration
tomorrow.

for the two default routes

Georg Pauwen · ‎10-31-2017

Hello,

if you want load balancing, you need both default routes to be up. They both need to be tracked. I would also install an EEM script that clears the NAT translations in case one of the links goes down, or, as an alternative, set the 'ip nat translation timeout' to a real low value.

So, the entire config could look like this:

track 1 ip sla 1 reachability
track 2 ip sla 2 reachability

ip sla 1
icmp-echo 8.8.8.8 source-interface X/X

ip sla schedule 1 life forever start-time now

ip sla 2
icmp-echo 8.8.8.8 source-interface Y/Y

ip sla schedule 2 life forever start-time now

access-list 100 permit ip 172.16.2.0 0.0.1.255 any

access-list 100 permit ip 172.16.4.0 0.0.3.255 any

route-map LAN permit 10
match ip address 100
match interface x

route-map LAN2 permit 10
match ip address 100
match interface y

ip nat inside source route-map LAN interface overload
ip nat inside source route-map LAN2 interface overload

ip route 0.0.0.0 0.0.0.0 x.x.x.x track 1
ip route 0.0.0.0 0.0.0.0 y.y.y.y. track 2

event manager applet IP_SLA1_DOWN
event track 1 state down
action 1.0 cli command "enable"
action 2.0 cli command "clear ip nat translation forced"

event manager applet IP_SLA2_DOWN
event track 2 state down
action 1.0 cli command "enable"
action 2.0 cli command "clear ip nat translation forced"

collinks2 · ‎10-31-2017

Hello Georg,
Can you add event scripts for the states that are up? Is there no need for
that?

paul driver · ‎10-31-2017

Hello

"We don' want the secondary to be redundant. We want the two to be up at the same time."

Then I would suggest to still use a primary default with the track and admin option for you default traffic and ALSO incorporate PBR for the certain lan subnets you wish to utilize the secondary ISP link

As such then the configuration will need to incorporate PBR with Tracking
Please review my post from this ticket - here

res
Paul

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

collinks2 · ‎10-31-2017

Hello Paul driver,
I have read the post in that ticket. However, I will ask questions in that
thread. For this thread, there is something I need you to clear me on.
icmp-echo 8.8.8.8 and
icmp-echo source-ip
What is the difference between the two cos 8.8.8.8 is a public DNS server
while the source-ip is ip address of the wan interface of the router?

paul driver · ‎11-01-2017

Hello

@collinks2 wrote:
Hello Paul driver,
I have read the post in that ticket. However, I will ask questions in that
thread. For this thread, there is something I need you to clear me on.
icmp-echo 8.8.8.8 and
icmp-echo source-ip
What is the difference between the two cos 8.8.8.8 is a public DNS server
while the source-ip is ip address of the wan interface of the router?

Icmp-echo <destination ip of host you would like to poll source-ip/interface <source you wish to orignate poll)
I just used google dns as an example, However you would poll a prefix you know resides off/ is reachable from your primary wan interface

res
Paul

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

collinks2 · ‎11-01-2017

OK. In a scenario, where I have subinterfaces, will PBR be enabled on the
physical interface or on each subinterface.
Also, assume I want to achieve the following scenario with reference to
that previous ticket whose link you attached in your previous comment on
this thread

All the http and https traffic will be routed via isp1
All other traffic will be routed via isp2
In the above scenario, I would create two access list
1 . access-list 100 permit tcp 172.16.2.0 0.0.3.255 any eq 80
access-list 100 permit tcp 172.16.4.0 0.0.7.255 any eq 80
access-list 100 permit tcp 172.16.2.0 0.0.3.255 any eq 443
access-list 100 permit tcp 172.16.4.0 0.0.7.255 any eq 443
2. access-list 101 permit ip 172.16.2.0 0.0.0.3.255 any
access-list 101 permit ip 172.16.4.0 0.0.7.255 any
For the route map statement
route-map PBR permit 10
match ip address 100
Match interface isp 1
route-map PBR permit 20
match ip address 101
match interface isp2

Int Y/Y (the physical lan interface)
ip policy route-map PBR

etc

collinks2 · ‎11-01-2017

Update :
My nat statements for the above scenario that filters traffic would be

access-list 102 permit ip 172.16.2.0 0.0.3.255 any

access-list 102 permit ip 172.16.4.0 0.0.7.255 any

(ignore the error in the wild card bit, it should be 172.16.2.0 0.0.1.255
and 172.16.4.0 0.0.3.255. I can still use a summarized route so that I have
one statement in the access-list 102)

route-map LAN permit 10
match ip address 102
match interface y/y
LAN2 permit 10
match ip address 102
match interface y/y

ip nat inside source route-map LAN interface overload
ip nat inside source route-map LAN2 interface overload

collinks2 · ‎11-02-2017

Hello Paul driver ,

In case a company policy states that "all the http and https traffic from all users should route across isp1 (slower internet connection) while all other ip traffic should be allowed to route across isp2 (faster internet connection)

see the attached config file which i did with reference to the one you posted in another thread.

thanks in anticipation

casanavep · ‎11-02-2017

I would add that a single match on IP SLA is not very reliable. 8.8.8.8 and other global DNS providers often filter ICMP, so a dual positive usually prevents path stability issues. Also, since you need both default routes to be removed during their individual outage and load balancing to occur, you need something more complex.

Dual Match with clean failover (make sure it is really down or up before dropping):

Path 1 validation:

track 1 ip sla 1 reachability
delay down 15 up 60
!
track 2 ip sla 2 reachability
delay down 15 up 60

!
! (or means the track will be up if one "or" the other is up)
track 3 list boolean or
object 1
object 2

!

ip sla 1
icmp-echo 8.8.8.8 source-ip {CE Internet interface #1 IP}
threshold 1000
timeout 1000
frequency 5
ip sla schedule 1 life forever start-time now
ip sla 2
icmp-echo 4.2.2.2 source-ip {CE Internet interface #1 IP}
threshold 1000
timeout 1000
frequency 5
ip sla schedule 2 life forever start-time now

!----- Path 2 validation------:

track 5 ip sla 5 reachability
delay down 15 up 60
!
track 6 ip sla 6 reachability
delay down 15 up 60

!
! (or means the track will be up if one "or" the other is up)
track 7 list boolean or
object 5
object 6

!

ip sla 5
icmp-echo 8.8.8.8 source-ip {CE Internet interface #2 IP}
threshold 1000
timeout 1000
frequency 5
ip sla schedule 5 life forever start-time now
ip sla 6
icmp-echo 4.2.2.2 source-ip {CE Internet interface #2 IP}
threshold 1000
timeout 1000
frequency 5
ip sla schedule 6 life forever start-time now

!

! ---- Load balanced routing

!

ip route 0.0.0.0 0.0.0.0 {ISP#1 PE IP} 100 track 3

ip route 0.0.0.0 0.0.0.0 {ISP#2 PE IP} 100 track 7

!

! failover route, just in case you IP SLA fails to function as desired and you need a back door

ip route 0.0.0.0 0.0.0.0 {ISP#1 PE IP} 200

let us know how this is working our for you.

Cheers,

P