»Cisco router with "load balancing"
Contributed by: Angralitux
Keep in mind that some applications require a consistent IP address at all times. If you use multiple public IP addresses to reach hosts on the Internet (either outbound or inbound), your connections may be unstable or may fail to connect at all.
Check out the following FAQ for more information on using multiple IP addresses for redundancy while keeping connections stable:
»Cisco Forum FAQ »Redundant Link Graceful Internet Load Balance/Failover
Below is a full working sample configuration based on the thread:
version 12.4
service timestamps debug datetime localtime
service timestamps log datetime localtime
service password-encryption
!
resource policy
!
ip subnet-zero
!
ip cef
vpdn enable
!
clns routing
!
key chain cisco0
 key 1
  key-string 7 *******
!
oer master
 policy-rules OER
 max-range-utilization percent 10
 keepalive 1
 !
 border 192.168.20.1 key-chain cisco0
  interface FastEthernet0/0.21 internal
  interface FastEthernet0/0.22 internal
  interface Ethernet1/0 external
  interface Ethernet1/1 external
 !
 learn
  throughput
  delay
  periodic-interval 1
  monitor-period 2
  prefixes 200
  expire after time 1
  aggregation-type prefix-length 32
 max prefix total 2500
 backoff 180 360
 mode route control
 mode select-exit best
 periodic 180
 resolve loss priority 1 variance 1
 resolve delay priority 2 variance 1
 resolve utilization priority 3 variance 1
 resolve range priority 5
!
oer border
 local Loopback0
 active-probe address source interface Ethernet1/0
 master 192.168.20.1 key-chain cisco0
!
bba-group pppoe global
!
interface Loopback0
 description OER Master Controller
 ip address 192.168.20.1 255.255.255.255
!
interface FastEthernet0/0
 description To L2 Switch port 15
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet0/0.1
 description Native VLAN Trunking
 encapsulation dot1Q 1 native
 ip address 192.168.205.1 255.255.255.248
!
interface FastEthernet0/0.21
 description To Switch A port 10
 encapsulation dot1Q 21
 ip address 192.168.21.1 255.255.255.252
 ip nat inside
 ip virtual-reassembly
!
interface FastEthernet0/0.22
 description To Switch B port 2
 encapsulation dot1Q 22
 ip address 192.168.22.1 255.255.255.252
 ip nat inside
 ip virtual-reassembly
!
interface Ethernet1/0
 description To NAT box of ISP #1
 ip address 172.16.0.2 255.255.255.252
 full-duplex
!
interface Ethernet1/1
 description To NAT box of ISP #2
 ip address 172.16.0.6 255.255.255.252
 ip virtual-reassembly
 full-duplex
!
interface Ethernet1/2
 no ip address
 shutdown
 half-duplex
!
interface Ethernet1/3
 no ip address
 shutdown
 half-duplex
!
ip classless
ip route 0.0.0.0 0.0.0.0 172.16.0.1
ip route 0.0.0.0 0.0.0.0 172.16.0.5
!
no ip http server
no ip http secure-server
!
ip prefix-list OER seq 10 permit 0.0.0.0/0
!
access-list 20 remark Approved IP addresses
access-list 20 permit 10.0.0.0 0.255.255.255
access-list 20 permit 172.16.0.0 0.15.255.255
access-list 20 permit 192.168.0.0 0.0.255.255
dialer-list 2 protocol ip permit
no cdp run
!
oer-map OER 10
 match ip address prefix-list OER
!
control-plane
!
line con 0
line aux 0
line vty 0 4
 access-class 20 in
 password 7 ******
 login
!
end
The sample configuration above comes from a Cisco 2620XM with an NM-4E module installed, running Cisco IOS 12.4.3. Ethernet 1/0 goes to NAT box #1, which connects to ISP #1, and Ethernet 1/1 goes to NAT box #2 of ISP #2. The inside interface of NAT box #1, facing Ethernet 1/0, has IP address 172.16.0.1; likewise, the inside interface of NAT box #2, facing Ethernet 1/1, has IP address 172.16.0.5. Each NAT box's outside interface carries the public IP address assigned by its own ISP. On the LAN side, the 2620XM uses FastEthernet 0/0.21 and FastEthernet 0/0.22. Two things to check before reusing the configuration: the key-string under "key chain cisco0" authenticates the OER master/border session, and both it and the vty password are stored as Type 7, which "service password-encryption" only obfuscates and which is trivially reversible, so do not reuse a password from elsewhere; and vty access is restricted by "access-class 20 in" to the RFC 1918 ranges, which include the 172.16.0.x links to the NAT boxes.
Please note that to make OER work, your router setup does not need to be exactly the same as the sample. The LAN side can be a single subnet, for example.
Keep in mind that, as a prerequisite, the router needs to be able to reach the Internet via either ISP. This sample configuration assumes basic connectivity to each ISP is already working. When this is not the case, please refer to the other FAQ topics on how to properly set up your router (i.e. PPP/PPPoE/PPPoA, static, DHCP).
Another essential point is how I set up the network. As mentioned above, I use one dedicated NAT box for each ISP connection, so the NAT and PAT process is not done on the 2620XM router; it is done on each NAT box. The diagram below shows the network setup:
The reason I use a dedicated NAT box for each ISP connection is the following. The NAT and PAT process (according to the "industry standard" or RFC) only allows a one-to-one relationship: from a single inside to a single outside, and from a single outside to a single inside. In short, once the NAT process decides that a single flow from one host uses interface Ethernet 1/0 (ISP #1), it cannot simply switch to interface Ethernet 1/1 (ISP #2), and vice versa. To keep NAT and PAT working as usual and integrate them with OER, I use a dedicated NAT box for each ISP. For the implementation, you can use a smaller router or a PIX 501 as the NAT box.
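The NAT box side of this design is not shown on the page, so here is an added illustration (not the contributor's configuration) of what NAT box #1 could look like if it is itself a small IOS router. The addressing of the inside link (172.16.0.1/30 facing the 2620XM's 172.16.0.2) comes from the sample; the interface names, the DHCP-assigned public address, ACL number 10 and the assumption that every LAN subnet behind the 2620XM falls under 192.168.0.0/16 are mine. Note that the 2620XM's own "ip nat inside" statements on the LAN subinterfaces do nothing by themselves, because that configuration has no "ip nat outside" interface and no "ip nat inside source" rule; all translation happens on the NAT boxes.

```cisco
! NAT box #1 (hypothetical small IOS router) between the 2620XM and ISP #1.
hostname natbox1
!
interface Ethernet0
 description Inside, to 2620XM Ethernet1/0 (172.16.0.2)
 ip address 172.16.0.1 255.255.255.252
 ip nat inside
!
interface Ethernet1
 description Outside, to ISP #1 (public address assigned by the ISP; DHCP assumed)
 ip address dhcp
 ip nat outside
!
! Return path: everything behind the 2620XM is reached via its Ethernet1/0 address.
! 192.168.0.0/16 is an assumption standing in for the real LAN subnets.
ip route 192.168.0.0 255.255.0.0 172.16.0.2
!
! Every translation on this box is bound to its single public address, so a flow
! that OER steers out through ISP #1 always appears to ISP #1 with the same
! source IP; the other ISP's flows never touch this table.
access-list 10 permit 192.168.0.0 0.0.255.255
ip nat inside source list 10 interface Ethernet1 overload
```

The default route toward ISP #1 comes from the DHCP lease on Ethernet1; with a statically assigned public address, add "ip route 0.0.0.0 0.0.0.0 <ISP #1 gateway>" instead. NAT box #2 is the mirror image on 172.16.0.5/30, pointing its 192.168.0.0/16 route at 172.16.0.6.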
To get a better understanding of how OER works, here is the routing table of static routes from the 2620XM router:
Router>show ip route static
As you can verify, the subnets above are IP address ranges of the Yahoo! website and others. From the configuration, you can see that static routes to those subnets were not added manually; OER added them. It is the OER process that decides the "best route" for a specific destination prefix and installs it as a static route.
Note that the routing table above was captured while outbound traffic was light. When traffic is heavier, you will see many more static routes added by the OER process.
Just be careful with the prefix-list below if implementing active probing (mode monitor active) from egress interfaces:
ip prefix-list OER seq 10 permit 0.0.0.0/0
The 0.0.0.0/0 prefix will never time out and will always show in the MTC table, so any and all prefixes ever learned will always be probed every "periodic" interval, regardless of whether the more specific learned prefix has timed out. The 0.0.0.0/0 prefix still has to probe something, and it doesn't just choose a random prefix; it probes ALL that it ever knew. You'll see that active probes magically appear for every single prefix that has EVER been learned, and it will begin probing them all. To get around this, don't specify 0.0.0.0/0 as a parent route; rather, use the default behavior (which is to learn all routes). That way the 0.0.0.0/0 prefix is never in the MTC, and the active probes associated with it are gone for good. Regular prefixes time out per the "expire after time" setting, as do their associated probes. This was tested with 12.4(15)T11 on 3700 series routers. I didn't test using "monitor mode both", which uses active and passive monitoring.
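To make that change concrete, here is the relevant part of the sample's OER configuration beside the version the note above recommends. This is an added illustration, not the contributor's or the commenter's configuration; it assumes the rest of the sample (border, max prefix, backoff, mode and resolve settings) stays as it is, and uses "show oer master prefix", the standard OER command for listing the prefixes in the MTC, as the check.

```cisco
! --- As in the sample: 0.0.0.0/0 enters the MTC through the oer-map ---
ip prefix-list OER seq 10 permit 0.0.0.0/0
!
oer-map OER 10
 match ip address prefix-list OER
!
oer master
 policy-rules OER
!
! --- Recommended: no parent prefix; learning alone populates the MTC ---
oer master
 no policy-rules OER
 learn
  throughput
  delay
  periodic-interval 1
  monitor-period 2
  prefixes 200
  expire after time 1
  aggregation-type prefix-length 32
!
no oer-map OER 10
no ip prefix-list OER
!
! Check: after the change, 0.0.0.0/0 must no longer be listed; only learned
! prefixes remain, and each ages out per "expire after time" together with
! the active probes tied to it.
show oer master prefix
```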
»[Config] Dual WAN with OER/PfR