
PPPoE WAN Load Balance

Neil Riach
Level 1

Hi all,

we have recently added another VDSL broadband circuit to our network but I am having difficulty integrating it with our existing VDSL one.  We are using a 2851 router with 15.1(4)M12a software.  Both VDSL circuits are FTTC; the existing one is with Plusnet with a static IP and the new one is with BT with a non-static IP.  I can successfully connect to both circuits using PPPoE, but with both circuits connected the connection to the internet is very slow and pinging any internet IP results in approx half of the pings timing out.  If I drop one of the connections the other one works fine, but as soon as the second PPPoE connection is established and the PPP IPCP Route Default is added the pings start timing out again.

If I delete the PPP IPCP Route Default lines from the Dialer interfaces and manually add static default routes (0.0.0.0 0.0.0.0) the result is the same, i.e. internet access is stable only when one static default route is in force.  We utilise NAT for internet access: one subnet is NAT'd to the first Dialer interface and the other two subnets are NAT'd to the second Dialer interface.  I think that this natting to two different interfaces with the two default routes is where the issue lies.  All I would like to achieve is for the traffic from the first subnet to utilise the existing circuit to reach the internet and the other two subnets to use the new circuit; we are not worried about failover.  Below is part of the config -

interface GigabitEthernet0/0
 ip address 192.168.0.254 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly in
 no ip route-cache
 duplex auto
 speed auto
 no mop enabled
!
interface GigabitEthernet0/1
 ip address 172.16.0.254 255.255.255.252
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly in
 no ip route-cache
 duplex auto
 speed auto
 no mop enabled
!
interface FastEthernet0/2/0
 no ip address
 duplex auto
 speed auto
 pppoe enable group global
 pppoe-client dial-pool-number 1
!
interface FastEthernet0/3/0
 no ip address
 duplex auto
 speed auto
 pppoe enable group global
 pppoe-client dial-pool-number 2
!
interface FastEthernet0/1/0
 no ip address
!
interface FastEthernet0/1/1
 no ip address
!
interface FastEthernet0/1/2
 no ip address
!
interface FastEthernet0/1/3
 no ip address
!
interface FastEthernet0/1/4
 no ip address
!
interface FastEthernet0/1/5
 no ip address
!
interface FastEthernet0/1/6
 no ip address
!
interface FastEthernet0/1/7
 no ip address
!
interface FastEthernet0/1/8
 no ip address
!
interface GigabitEthernet1/0
 ip address 192.168.1.254 255.255.255.0
 ip helper-address 192.168.0.1
 ip helper-address 192.168.0.2
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly in
 no ip route-cache
 no mop enabled
!
interface Vlan1
 no ip address
 ip helper-address 192.168.0.1
 ip helper-address 192.168.0.2
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly in
 no ip route-cache
 shutdown
 no mop enabled
!
interface Dialer1
 ip address negotiated
 ip access-group 101 in
 ip nat outside
 ip virtual-reassembly in
 encapsulation ppp
 ip tcp adjust-mss 1452
 dialer pool 1
 dialer-group 1
 ppp chap hostname ***********
 ppp chap password 7 *********
 ppp ipcp route default
 ppp ipcp address accept
!
interface Dialer2
 ip address negotiated
 ip access-group 102 in
 ip nat outside
 ip virtual-reassembly in
 encapsulation ppp
 ip tcp adjust-mss 1452
 dialer pool 2
 dialer-group 2
 ppp chap hostname *********
 ppp chap password 7 *********
 ppp ipcp route default
 ppp ipcp address accept
!
no ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip nat translation tcp-timeout 3600
ip nat inside source static tcp 192.168.0.4 25 interface Dialer1 25
ip nat inside source static tcp 192.168.0.4 443 interface Dialer1 443
ip nat inside source route-map NAT-BT interface Dialer2 overload
ip nat inside source route-map NAT-PLUSNET interface Dialer1 overload
ip route 192.168.2.0 255.255.255.0 172.16.0.253
!
ip access-list extended NAT-BT
 permit ip 192.168.1.0 0.0.0.255 any
 permit ip 192.168.2.0 0.0.0.255 any
ip access-list extended NAT-PLUSNET
 permit udp host 192.168.0.1 host 212.159.13.49 eq domain
 permit udp host 192.168.0.1 host 212.159.13.50 eq domain
 permit udp host 192.168.0.2 host 212.159.13.49 eq domain
 permit udp host 192.168.0.2 host 212.159.13.50 eq domain
 permit udp host 192.168.0.1 host 130.159.196.118 eq ntp
 permit tcp host 192.168.0.4 any eq smtp
 permit tcp host 192.168.0.12 23.55.0.0 0.0.255.255 eq www
 permit tcp host 192.168.0.16 134.170.0.0 0.0.255.255 eq 443
 permit tcp host 192.168.0.16 65.55.0.0 0.0.255.255 eq 443
 permit tcp host 192.168.0.16 13.107.4.0 0.0.0.255 eq www
 permit tcp host 192.168.0.16 23.44.0.0 0.0.255.255 eq www
 permit tcp host 192.168.0.16 66.119.0.0 0.0.255.255 eq 443
 permit ip host 192.168.0.19 any
 permit ip host 192.168.0.20 any
!
logging 192.168.0.13
access-list 101 permit tcp any any established
access-list 101 permit tcp any any eq 443
access-list 101 permit tcp any any eq smtp log
access-list 101 permit udp host 130.159.196.118 eq ntp any eq ntp log
access-list 101 permit udp any eq domain any gt 1023
access-list 101 permit udp any eq isakmp any eq isakmp log
access-list 101 permit udp any eq non500-isakmp any eq non500-isakmp log
access-list 101 permit icmp any any echo-reply log
access-list 101 deny   ip any any log

access-list 102 permit tcp any any established
access-list 102 permit udp any eq 3700 any gt 1024 log
access-list 102 permit udp any any range 49152 65535
access-list 102 permit icmp any any echo-reply log
access-list 102 deny   ip any any log
no cdp run
!
!
!
route-map NAT-PLUSNET permit 10
 match ip address NAT-PLUSNET
 match interface Dialer1
!
route-map NAT-BT permit 10
 match ip address NAT-BT
 match interface Dialer2

If anyone could offer any pointers I would be most grateful.

Regards

Neil

6 Replies

Francesco Molino
VIP Alumni

Hi

On the route-maps used for your NAT, you don't need the match interface statement; the ACL alone is OK.

Can you paste the following config and test it please:

route-map NAT-PLUSNET permit 10
  no match interface Dialer1
route-map NAT-BT permit 10
  no match interface Dialer2

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Hi Francesco,

thank you for your suggestion.  I removed the match interface dialer statements but I am afraid it did not make a difference.  As soon as the second dialer connection is established and the second static default route is added the pings start to fail again.

Regards

Neil

Hi Neil,

We're going to change the config to make Dialer1 the default route and Dialer2 the backup for all subnets. We'll also apply a PBR config to force subnet 192.168.1.0 to go through Dialer2 and 192.168.0.0 to go through Dialer1.

Can you apply the following config and test back please:


int dialer 1
shut
no ppp ipcp route default
no ppp ipcp address accept
no shut
!
int dialer 2
shut
no ppp ipcp route default
no ppp ipcp address accept
no shut
!
route-map PBR1 permit 10
match ip address NAT-PLUSNET
set interface Dialer1
route-map PBR2 permit 10
match ip address NAT-BT
set interface Dialer2
!
interface GigabitEthernet1/0
ip policy route-map PBR2
!
interface GigabitEthernet0/0
ip policy route-map PBR1
!
ip route 0.0.0.0 0.0.0.0 Dialer 1
ip route 0.0.0.0 0.0.0.0 Dialer 2 50

Can you paste the output of show ip route?

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Hi Francesco,

I have applied the changes you suggested and now the subnets are accessing the internet with the correct Dialer interface, but this has had the effect that subnet 192.168.0.0 cannot communicate with subnet 192.168.1.0.  There is also another subnet, 192.168.2.0, on another router connected to the first router via Int Gi0/1; I would like this subnet (192.168.2.0) to also use Dialer2 to connect to the internet.

show ip route result

rth_rt01#sh ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
+ - replicated route, % - next hop override

Gateway of last resort is 0.0.0.0 to network 0.0.0.0

S* 0.0.0.0/0 is directly connected, Dialer1
86.0.0.0/32 is subnetted, 1 subnets
C 86.144.6.109 is directly connected, Dialer2
172.16.0.0/16 is variably subnetted, 3 subnets, 2 masks
C 172.16.0.252/30 is directly connected, GigabitEthernet0/1
L 172.16.0.254/32 is directly connected, GigabitEthernet0/1
C 172.16.19.152/32 is directly connected, Dialer2
192.168.0.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.0.0/24 is directly connected, GigabitEthernet0/0
L 192.168.0.254/32 is directly connected, GigabitEthernet0/0
192.168.1.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.1.0/24 is directly connected, GigabitEthernet1/0
L 192.168.1.254/32 is directly connected, GigabitEthernet1/0
S 192.168.2.0/24 [1/0] via 172.16.0.253
195.166.130.0/32 is subnetted, 1 subnets
C 195.166.130.252 is directly connected, Dialer1
212.159.110.0/32 is subnetted, 1 subnets
C 212.159.110.60 is directly connected, Dialer1

Thank you very much for your help so far.

Regards

Neil

Hi 

It is normal that you can reach the other subnets when PBR is applied because I used your ACL for the test.

Now you need to create 2 acls that will replace the old one on your pbr route-map.

The ACL should look like:

deny ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
permit ip 192.168.1.0 0.0.0.255 any

You need to adapt it by denying the traffic that shouldn't be sent to the next hop defined in the route-map.

Another solution could be to have 3 ACLs. You keep your 2 ACLs and create 1 like this to authorize inter-subnet routing:

deny ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255

and then on each route-map add a deny statement like:

route-map PBR2 deny 5
 match ip address NEW-ACL
route-map PBR1 deny 5
 match ip address NEW-ACL

Does that make sense? 

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
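
The PBR behaviour discussed in the replies above, as an added Python model (not code from the thread or from Cisco): it evaluates route-map clauses against the thread's subnets to show why LAN-to-LAN traffic was forced out Dialer2 and how either suggested exclusion hands it back to the routing table. The sample flows, the 0.0.255.255 wildcard and the permit-style ACL entry used with the route-map deny clause are assumptions.

```python
import ipaddress

def wc_match(addr, base, wildcard):
    """IOS wildcard match: bits set in the wildcard are ignored."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a | w) == (b | w)

def acl_permits(acl, src, dst):
    """First matching entry wins; every ACL ends with an implicit deny."""
    for action, s, sw, d, dw in acl:
        if wc_match(src, s, sw) and wc_match(dst, d, dw):
            return action == "permit"
    return False

def pbr(route_map, src, dst):
    """A clause matches only when its ACL permits the packet.
    Matched permit clause -> forward out the 'set interface'.
    Matched deny clause, or no match at all -> normal routing table."""
    for _seq, clause, acl, out_if in sorted(route_map, key=lambda c: c[0]):
        if acl_permits(acl, src, dst):
            return out_if if clause == "permit" else "routing-table"
    return "routing-table"

ANY = ("0.0.0.0", "255.255.255.255")
LAN16 = ("192.168.0.0", "0.0.255.255")                  # assumed wildcard
BT_ONLY = [("permit", "192.168.1.0", "0.0.0.255", *ANY)]  # ACL as tested in the thread
BT_FIXED = [("deny", *LAN16, *LAN16)] + BT_ONLY          # option 1: deny line first
LOCAL = [("permit", *LAN16, *LAN16)]                     # option 2: hypothetical NEW-ACL

MAPS = {
    "as tested": [(10, "permit", BT_ONLY, "Dialer2")],
    "option 1": [(10, "permit", BT_FIXED, "Dialer2")],
    "option 2": [(5, "deny", LOCAL, None), (10, "permit", BT_ONLY, "Dialer2")],
}
# Constructed sample flows entering GigabitEthernet1/0.
FLOWS = {"lan-to-lan": ("192.168.1.10", "192.168.0.4"),
         "lan-to-internet": ("192.168.1.10", "203.0.113.7")}

def decisions():
    """Forwarding decision per route-map variant and sample flow."""
    return {name: {f: pbr(rm, *sd) for f, sd in FLOWS.items()}
            for name, rm in MAPS.items()}

if __name__ == "__main__":
    for name, result in decisions().items():
        print(f"{name:10} {result}")
```

In the model, a route-map deny clause only fires when its ACL permits the packet, which is why the hypothetical NEW-ACL entry is written as a permit there.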

Hi Francesco,

thank you very much for your suggestions.  Please accept my apologies for not responding sooner but I work offshore sometimes and have only just returned.  Hopefully I will manage to try your suggestions in the next week or so.

I appreciate very much you taking the time to help me, I will let you know how I get on.

Regards

Neil
