01-25-2025 04:52 AM
I am seeking your assistance in setting up and verifying a load balancing configuration between two ISPs on my router. Below are the details of my device and the current configuration for your review:
hostname Router
no aaa new-model
ip dhcp excluded-address 192.168.30.1 192.168.30.10
ip dhcp pool 30
network 192.168.30.0 255.255.255.0
default-router 192.168.30.1
dns-server 8.8.8.8 8.8.4.4
ipv6 unicast-routing
multilink bundle-name authenticated
license udi pid ISR4221/K9 sn FGL233331DC
license accept end user agreement
license boot level securityk9
no license smart enable
diagnostic bootup level minimal
spanning-tree extend system-id
redundancy mode none
interface GigabitEthernet0/0/0
no ip address
negotiation auto
interface GigabitEthernet0/0/0.9
encapsulation dot1Q 9
ip address 192.168.9.2 255.255.255.0
ip nat outside
ipv6 address autoconfig
ipv6 enable
ipv6 nd autoconfig default-route
ipv6 dhcp client request vendor
interface GigabitEthernet0/0/0.10
encapsulation dot1Q 10
ip address 192.168.10.2 255.255.255.0
ip nat outside
interface GigabitEthernet0/0/1
no ip address
negotiation auto
interface GigabitEthernet0/0/1.30
encapsulation dot1Q 30
ip address 192.168.30.1 255.255.255.0
ip nat inside
ip policy route-map LOAD_BALANCING
ip nat inside source list NAT_ACL_ISP1 interface GigabitEthernet0/0/0.9 overload
ip nat inside source list NAT_ACL_ISP2 interface GigabitEthernet0/0/0.10 overload
ip forward-protocol nd
no ip http server
ip http secure-server
ip tftp source-interface GigabitEthernet0/0/0.9
ip route 0.0.0.0 0.0.0.0 192.168.9.1
ip route 0.0.0.0 0.0.0.0 192.168.10.1
ip access-list standard NAT_ACL_ISP1
permit 192.168.30.0 0.0.0.255
ip access-list standard NAT_ACL_ISP2
permit 192.168.30.0 0.0.0.255
ip access-list extended ISP1_TRAFFIC
permit ip 192.168.30.0 0.0.0.255 any
ip access-list extended ISP2_TRAFFIC
permit ip 192.168.30.0 0.0.0.255 any
route-map LOAD_BALANCING permit 10
match ip address ISP1_TRAFFIC
set ip next-hop 192.168.9.1 192.168.10.1
route-map LOAD_BALANCING permit 20
match ip address ISP2_TRAFFIC
set ip next-hop 192.168.10.1
control-plane
I would appreciate your guidance on any adjustments needed to ensure optimal load balancing functionality.
01-25-2025 10:08 AM
I agree with MHM that when you want to do NAT on 2 interfaces you need to use a route map. In the route map you have a match statement for the ACL identifying traffic and a match statement for the interface.
But I do not agree with him that your config is correct. The biggest issue is that the route-map LOAD_BALANCING has 2 stanzas, the first sending traffic to ISP1 and the second sending traffic to ISP2. The issue is that all traffic will match stanza one and no traffic will match stanza two.
Load balancing when you have a single subnet for traffic to be policy routed and 2 ISPs needs to have a way to separate traffic outbound. Probably the easier solution would be to have an acl that matches the first half of the subnet (192.168.30.0 through 192.168.30.127) and have a second acl that matches the last half of the subnet (192.168.30.128 through 192.168.30.255).
And you really do not need PBR and a route map for both ISPs. It would work to let the default route send traffic to ISP1 and PBR to send one half of the subnet to ISP2.
01-25-2025 05:06 AM
Your config is correct except NAT; you need to use a route-map (match interface ISP1 or ISP2).
MHM
01-25-2025 05:07 AM
01-26-2025 04:53 AM
ip nat inside source route-map isp1 interface GigabitEthernet0/0/0.9 overload
ip nat inside source route-map isp2 interface GigabitEthernet0/0/0.10 overload
ip forward-protocol nd
no ip http server
ip http secure-server
ip tftp source-interface GigabitEthernet0/0/0.9
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0/0.9 192.168.9.1 10
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0/0.10 192.168.10.1 10
!
!
!
ip access-list extended internet
deny ip any any
permit ip 192.168.30.0 0.0.0.255 any
!
!
route-map isp2 permit 10
match ip address internet
match interface GigabitEthernet0/0/0.10
!
route-map isp1 permit 10
match ip address internet
match interface GigabitEthernet0/0/0.9
I need to achieve redundancy and load balancing in a scenario where there are two ISPs (ISP1 and ISP2), each providing 1 Gbps of bandwidth, and VLAN 30 serves as the exit interface with a total capacity of 2 Gbps; you can configure dual-homing with failover. How can I implement it?
01-26-2025 05:26 AM
I will send you a PM tonight.
MHM
01-26-2025 05:28 AM
Thank you for your support and guidance.
01-26-2025 11:56 AM
Thanks for the update. It is much better, especially in its use of route-map for the nat. But it has one fatal flaw in the acl that it uses:
ip access-list extended internet
deny ip any any
permit ip 192.168.30.0 0.0.0.255 any
The order of steps is wrong. First it denies everything, then it tries to permit traffic. But the second line will never execute because the first line denies everything. My suggestion is to remove the deny any any, so the acl would have a single line to permit 192.168.30.0. You do not need to explicitly deny any any because in the acl there is an implied statement to do that.
01-29-2025 03:36 AM
ip dhcp pool VLAN30
network 192.168.30.0 255.255.255.0
default-router 192.168.30.1
dns-server 8.8.8.8 8.8.4.4
lease 7
!
interface GigabitEthernet0/0/0
no ip address
negotiation auto
!
interface GigabitEthernet0/0/0.9
encapsulation dot1Q 9
ip address 192.168.9.2 255.255.255.0
ip nat outside
ipv6 address autoconfig
ipv6 enable
ipv6 nd autoconfig default-route
ipv6 dhcp client request vendor
!
interface GigabitEthernet0/0/0.10
encapsulation dot1Q 10
ip address 192.168.10.2 255.255.255.0
ip nat outside
!
interface GigabitEthernet0/0/1
no ip address
negotiation auto
!
interface GigabitEthernet0/0/1.30
encapsulation dot1Q 30
ip address 192.168.30.1 255.255.255.0
ip nat inside
!
ip nat inside source route-map isp1 interface GigabitEthernet0/0/0.9 overload
ip nat inside source route-map isp2 interface GigabitEthernet0/0/0.10 overload
ip forward-protocol nd
no ip http server
ip http secure-server
ip tftp source-interface GigabitEthernet0/0/0.9
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0/0.9 192.168.9.1
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0/0.10 192.168.10.1
!
ip access-list extended internet
permit ip 192.168.30.0 0.0.0.255 any
ip sla 1
icmp-echo 8.8.8.8 source-interface GigabitEthernet0/0/0.9
ip sla schedule 1 life forever start-time now
!
route-map isp2 permit 10
match ip address internet
match interface GigabitEthernet0/0/0.10
!
route-map isp1 permit 10
match ip address internet
match interface GigabitEthernet0/0/0.9
*****************************************
I removed deny ip any any.
Router#ping 8.8.8.8 source 192.168.9.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
Packet sent with a source address of 192.168.9.2
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 33/37/40 ms
Router#ping 8.8.8.8 source 192.168.10.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
Packet sent with a source address of 192.168.10.2
*****************
Gateway of last resort is 192.168.10.1 to network 0.0.0.0
S* 0.0.0.0/0 [1/0] via 192.168.10.1, GigabitEthernet0/0/0.10
[1/0] via 192.168.9.1, GigabitEthernet0/0/0.9
192.168.9.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.9.0/24 is directly connected, GigabitEthernet0/0/0.9
L 192.168.9.2/32 is directly connected, GigabitEthernet0/0/0.9
192.168.10.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.10.0/24 is directly connected, GigabitEthernet0/0/0.10
L 192.168.10.2/32 is directly connected, GigabitEthernet0/0/0.10
192.168.30.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.30.0/24 is directly connected, GigabitEthernet0/0/1.30
L 192.168.30.1/32 is directly connected, GigabitEthernet0/0/1.30
*************
01-29-2025 08:06 AM
Thanks for the update. I am glad to see that you removed the deny ip any any. I am puzzled about your test specifying the source as the outside interface address. Traffic sourced from the outside interface would not be translated. It seems a better test would be to ping specifying the source as the inside interface.
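Pulling the thread's recommendations together (route-map based NAT with match interface, no deny any any in the ACL, PBR for only one half of the subnet, and a failover answer to the dual-homing question), here is an added example configuration that is not from any poster in this thread. It assumes the same interfaces and addresses as above, splits VLAN 30 into two /25 halves (the split is an assumption; any even split works), and adds IP SLA tracking so each ISP is only used while it answers its probe.

```cisco
! Traffic identification: whole LAN for NAT, upper /25 for PBR (split is an assumption)
ip access-list extended LAN_TO_INTERNET
 permit ip 192.168.30.0 0.0.0.255 any
ip access-list extended LAN_UPPER_HALF
 permit ip 192.168.30.128 0.0.0.127 any
!
! Reachability probes, one per ISP; host routes pin each probe to its own ISP
! (8.8.8.8/8.8.4.4 are also the DHCP DNS servers, so a dedicated probe
! target would avoid black-holing DNS during an outage)
ip route 8.8.8.8 255.255.255.255 192.168.9.1
ip route 8.8.4.4 255.255.255.255 192.168.10.1
ip sla 1
 icmp-echo 8.8.8.8 source-interface GigabitEthernet0/0/0.9
 frequency 10
ip sla schedule 1 life forever start-time now
ip sla 2
 icmp-echo 8.8.4.4 source-interface GigabitEthernet0/0/0.10
 frequency 10
ip sla schedule 2 life forever start-time now
track 1 ip sla 1 reachability
track 2 ip sla 2 reachability
!
! Default route via ISP1, withdrawn when track 1 goes down; the floating
! (AD 10) backup via ISP2 then carries everything
ip route 0.0.0.0 0.0.0.0 192.168.9.1 track 1
ip route 0.0.0.0 0.0.0.0 192.168.10.1 10
!
! PBR only for the upper half, and only while ISP2 answers its probe;
! when track 2 is down the set is skipped and the packet follows the routing table
route-map LOAD_BALANCING permit 10
 match ip address LAN_UPPER_HALF
 set ip next-hop verify-availability 192.168.10.1 10 track 2
!
interface GigabitEthernet0/0/1.30
 ip policy route-map LOAD_BALANCING
!
! NAT: the egress interface, not the ACL, decides which translation applies
route-map NAT_ISP1 permit 10
 match ip address LAN_TO_INTERNET
 match interface GigabitEthernet0/0/0.9
route-map NAT_ISP2 permit 10
 match ip address LAN_TO_INTERNET
 match interface GigabitEthernet0/0/0.10
ip nat inside source route-map NAT_ISP1 interface GigabitEthernet0/0/0.9 overload
ip nat inside source route-map NAT_ISP2 interface GigabitEthernet0/0/0.10 overload
```

To verify, ping from an inside address (for example `ping 8.8.8.8 source 192.168.30.1`) and check `show ip nat translations` and `show track`, since traffic sourced from the outside interfaces is never translated.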