04-18-2008 04:06 AM - edited 03-05-2019 10:27 PM
Hello,
We have a web server connected to the DMZ zone of a Cisco ASA 5520. This ASA is connected to two Cisco 3845 routers; each router is connected to a different ISP, and there is BGP peering configured between the ISPs.
There is also an HSRP configuration between these two routers, so if one link goes down the other router becomes active.
One router is the primary/active router and the other is the secondary/standby router.
What we want to do is make both routers active/active and load balance between the two links with per-packet load balancing.
This is the configuration of the ASA and the routers:
Cisco ASA:
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 86.65.23.4 255.255.255.192 standby 86.65.23.5
!
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 192.168.100.234 255.255.255.224 standby 192.168.100.235
!
interface GigabitEthernet0/2.212
vlan 212
nameif HTTP
security-level 30
ip address 10.1.201.108 255.255.255.192 standby 10.1.201.107
!
static (HTTP,outside) tcp 86.65.23.6 https 10.1.201.100 https netmask 255.255.255.255
static (HTTP,outside) tcp 86.65.23.6 www 10.1.201.100 www netmask 255.255.255.255
!
route outside 0.0.0.0 0.0.0.0 86.65.23.2 1
Primary Active Router:
interface GigabitEthernet0/1
ip address 86.65.23.1 255.255.255.192
ip nbar protocol-discovery
ip route-cache flow
duplex auto
speed auto
media-type rj45
standby 1 ip 86.65.23.2
standby 1 preempt
standby 1 track ATM1/0.811
!
interface ATM1/0
no ip address
no ip route-cache cef
no ip route-cache
no atm ilmi-keepalive
!
!
interface ATM1/0.811 point-to-point
ip address 66.34.20.212 255.255.255.252
no ip route-cache
no ip mroute-cache
no snmp trap link-status
pvc 0/811
vbr-nrt 10240 10239 32
oam-pvc manage
encapsulation aal5snap
!
!
router bgp 47684
no synchronization
bgp log-neighbor-changes
network 86.65.23.0 mask 255.255.255.0
neighbor 86.65.23.3 remote-as 47684
neighbor 86.65.23.3 next-hop-self
neighbor 66.34.20.213 remote-as 23236
neighbor 66.34.20.213 distribute-list 155 out
no auto-summary
!
ip route 86.65.23.0 255.255.255.0 Null0
!
route-map set-as-path permit 10
match as-path 1
set as-path prepend 47684 47684 47684 47684
Secondary Standby Router:
interface GigabitEthernet0/0
ip address 86.65.23.3 255.255.255.192
ip nbar protocol-discovery
ip route-cache flow
duplex auto
speed auto
media-type rj45
standby 1 ip 86.65.23.2
standby 1 priority 95
standby 1 preempt
standby 1 track ATM1/0.1
!
interface ATM1/0.1 point-to-point
ip address 172.20.45.6 255.255.255.252
ip nbar protocol-discovery
no ip mroute-cache
no snmp trap link-status
pvc 0/541
vbr-nrt 10240 10239 32
oam-pvc manage
encapsulation aal5snap
!
!
router bgp 47684
no synchronization
bgp log-neighbor-changes
network 86.65.23.0 mask 255.255.255.0
neighbor 86.65.23.1 remote-as 47684
neighbor 86.65.23.1 next-hop-self
neighbor 172.20.45.5 remote-as 28784
neighbor 172.20.45.5 prefix-list TTNET-OUT out
no auto-summary
!
ip route 0.0.0.0 0.0.0.0 172.30.36.5 201
ip route 86.65.23.0 255.255.255.0 Null0
!
route-map set-as-path permit 10
match ip address 10
set as-path prepend 47684 47684 47684 47684
Thanks,
04-18-2008 05:19 AM
I'm assuming only outbound load balancing is an issue. (I would advise against intentionally trying to obtain per-packet outbound, especially dealing with the Internet.)
I'm unfamiliar with the features of the ASA, but if it supports equal cost static routes, you could use MHSRP on your 3845s.
If your 3845s are running 12.3T or later, OER/PfR could also be used for outbound dynamic load balancing. I recommend, at least initially, just dynamic load balancing based on outbound link load.
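A sketch of the MHSRP arrangement Joseph describes, as an added example and not configuration from the original thread: two HSRP groups on the routers' LAN interfaces, each router active for one virtual gateway, and the ASA pointing two equal-cost default routes at those gateways. The second virtual address 86.65.23.12, the priorities and the decrement values are assumptions, and the ASA side relies on equal-cost static route support, which the reply above leaves as an open question.

```text
! Primary 3845 (86.65.23.1): active for group 1, standby for group 2
interface GigabitEthernet0/1
 ip address 86.65.23.1 255.255.255.192
 standby 1 ip 86.65.23.2
 standby 1 priority 110
 standby 1 preempt
 ! decrement 30 takes this router to 80, below the peer's 90, when the
 ! ISP link fails, so the peer preempts group 1 as well
 standby 1 track ATM1/0.811 30
 standby 2 ip 86.65.23.12
 standby 2 priority 90
 standby 2 preempt
!
! Secondary 3845 (86.65.23.3): active for group 2, standby for group 1
interface GigabitEthernet0/0
 ip address 86.65.23.3 255.255.255.192
 standby 1 ip 86.65.23.2
 standby 1 priority 90
 standby 1 preempt
 standby 2 ip 86.65.23.12
 standby 2 priority 110
 standby 2 preempt
 standby 2 track ATM1/0.1 30
!
! ASA: two equal-cost default routes, one per virtual gateway (assumes the
! ASA accepts equal-cost static routes on the same interface). Traffic is
! spread across the two gateways per flow, not per packet, so NAT state
! and TCP ordering are not disturbed.
route outside 0.0.0.0 0.0.0.0 86.65.23.2 1
route outside 0.0.0.0 0.0.0.0 86.65.23.12 1
```

Check the group roles on each router with `show standby brief` after a link failure is simulated.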
04-18-2008 05:32 AM
Hi,
May I ask what problem you would like to address?
You might encounter several challenges when trying to use per-packet load balancing with two ISPs. Basically you will have different delays on the two different paths through the Internet. This can lead to packet reordering and problems with TCP sessions and applications in general. The net effect might be worse performance than without load balancing.
Return traffic from the Internet will only use one link, as BGP always selects a best path and ONLY announces the best. Thus in the Internet the second return path will mostly be unknown. As such this could create some asymmetric packet flow, which in turn could lead to discarded packets due to uRPF implemented by some providers.
What are your requirements to choose a solution with these challenges and drawbacks?
Regards, Martin
04-19-2008 02:43 AM
Habeeb,
You'll probably never achieve a perfect load balance multihomed across two separate routers and two different providers.
If you're simply trying to distribute the load, you should probably start with having your standby provider send you a partial BGP table that only includes their ASs and direct peers and use the primary provider as a default for everything else. HSRP will send everything to your primary router but BGP will redirect traffic destined to one of your standby provider's ASs down the alternate path via your secondary router.
Here's an idea that I have not put much thought into and may not even be possible: Request full internet routing tables from both providers, filter out 1/2 of the ASs on the primary and filter out the other 1/2 on the secondary. Achieve this using a route-map, a regular expression that blocks ASs ending with an odd or even number and applying the route-map, in bound in a neighbor statement.
Example list of what router would route to what AS:

Primary Router/Block Odd    Secondary Router/Block Even
101                         100
103                         102
505                         506
1027                        1028
You could also extend BGP to your ASA and let it distribute to the edge routers instead of HSRP sending everything to the primary and bouncing the secondary provider destined traffic back to the other router.
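The odd/even AS split described above, written out as inbound AS-path filters on each router; this is an added example, not configuration from the thread. The access-list numbers, route-map names and the reading of "ending with an odd or even number" as the last digit of the origin AS (the final AS in the path) are assumptions.

```text
! Primary router: refuse prefixes whose origin AS ends in an odd digit.
! "$" anchors on the last AS in the path; the default for an AS-path
! access list is deny, so the trailing "permit .*" keeps everything else.
ip as-path access-list 50 deny [13579]$
ip as-path access-list 50 permit .*
!
route-map FROM-ISP1 permit 10
 match as-path 50
!
router bgp 47684
 neighbor 66.34.20.213 route-map FROM-ISP1 in
!
! Secondary router: refuse prefixes whose origin AS ends in an even digit
ip as-path access-list 50 deny [02468]$
ip as-path access-list 50 permit .*
!
route-map FROM-ISP2 permit 10
 match as-path 50
!
router bgp 47684
 neighbor 172.20.45.5 route-map FROM-ISP2 in
!
! The existing iBGP session with next-hop-self carries each router's half
! of the table to the other, so traffic HSRP hands to the primary still
! reaches odd-origin destinations via the secondary. Prefixes originated
! directly by an ISP (AS path of a single AS) are filtered by the same
! digit rule, so one provider's own networks may land entirely on the
! other link; keep a default route toward each ISP for anything neither
! table covers. After applying the maps, refresh the sessions with
!   clear ip bgp 66.34.20.213 soft in
!   clear ip bgp 172.20.45.5 soft in
! and inspect the split with
!   show ip bgp regexp [13579]$
```

The outbound filters already on the page (distribute-list 155 and prefix-list TTNET-OUT) are unaffected, since these maps only shape what each router accepts, not what it advertises.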
04-21-2008 08:04 AM
Hello,
Thank you all for this useful information.
As you mentioned, it is difficult to have load distribution across two routers with two different ISPs, besides the problems that will be faced if we use this technology.
We configured the ASA to distribute the load as Joseph said, and we are now testing to see if it will be a 50/50 load or not.
Thanks