Solved

Cisco ISP Link Load Sharing

Posted on 2002-07-01
17
734 Views
Last Modified: 2012-05-04
guys,

Just a quick one.. is it possible to configure a cisco WAN router with two serial ports to two different ISPs (i.e. IPs) and load share them e.g. 50/50?

I don't want to use BGP or dynamic routing protocols, only static routes.

Is this possible, and what alternatives can I use if the above is not possible?

Please advise...!
Thks
Question by:Haho
17 Comments
 
LVL 8

Accepted Solution

by:
scraig84 earned 100 total points
Here's the problem - you can load share your outbound traffic, but inbound is another story - usually.  The main thing depends on whether you have hosted services etc. behind the router.  If so, you will have a much more difficult time, because you need to advertise (via BGP) the subnet that those servers sit on.  This means that one ISP will receive all traffic coming back to you and send it your way, and the other ISP will be there in case of a failure on the "primary" side.  

However, there are a couple of alternatives.  The easiest is if you don't have much for hosted services.  The answer is to put NAT right on your Internet router off both interfaces and ensure that your router is using fast-switching (enabled by default).  Since the source of every packet is now related directly to each ISP, the return traffic will come back via each respective ISP.  However, this configuration can cause some issues with certain applications and is best in very standard environments where Internet traffic doesn't consist of much more than standard web, ftp, etc. traffic.

More complex environments will require a more complex setup, such as one using BGP.  Also remember that no load sharing is perfect and a true "50/50" share is nearly impossible to achieve.  

You could also just look at getting two links to the same ISP which solves many of the issues.  As long as you are going with a pretty reputable ISP, this shouldn't be much of an issue considering the amount of redundancy they typically build into their own network.  I think often the whole "two ISP" thing can be overrated.
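The setup scraig84 describes in the accepted answer (NAT on the Internet router off both interfaces, plus two default routes, so the translated source address follows the egress link and replies return via the same ISP) written out in Cisco IOS syntax, as an added example that is not from any of the posters. Interface names, addresses (ISP A on 208.15.36.16/29, ISP B on 63.100.0.40/29), the ACL number, the route-map names and the inside server address are all assumed; the route-map-based NAT statements with "match interface" are the standard IOS way to tie a translation to the outgoing interface and are my addition, not something posted in the thread.

```cisco
! Added example, not a configuration from this thread. Addressing, interface
! names, ACL 1 and the route-map names are constructed; substitute your own.
!
interface Ethernet0
 description LAN side (inside)
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
interface Serial0
 description link to ISP A (assumed /29: ISP router .20, this router .21)
 ip address 208.15.36.21 255.255.255.248
 ip nat outside
!
interface Serial1
 description link to ISP B (assumed /29: ISP router .44, this router .45)
 ip address 63.100.0.45 255.255.255.248
 ip nat outside
!
! Two default routes with equal administrative distance: IOS installs both
! and, with fast switching (on by default), shares outbound flows per
! destination. A route is withdrawn only when its interface goes down; a
! failure further inside an ISP leaves the route in the table, which is the
! "half of your outbound packets may be lost" case discussed below.
ip route 0.0.0.0 0.0.0.0 208.15.36.20
ip route 0.0.0.0 0.0.0.0 63.100.0.44
!
! Inside hosts that are allowed to be translated (constructed LAN range).
access-list 1 permit 192.168.1.0 0.0.0.255
!
! "match interface" selects the translation by the interface the packet
! leaves on, so a flow routed out Serial0 is sourced from ISP A's address and
! a flow routed out Serial1 from ISP B's. Return traffic therefore comes back
! through the ISP that owns the source address, which is the whole point.
route-map VIA-ISP-A permit 10
 match ip address 1
 match interface Serial0
!
route-map VIA-ISP-B permit 10
 match ip address 1
 match interface Serial1
!
ip nat inside source route-map VIA-ISP-A interface Serial0 overload
ip nat inside source route-map VIA-ISP-B interface Serial1 overload
!
! A hosted server gets one fixed translation on a spare address from ISP A's
! block (constructed). Nothing here balances or fails over inbound traffic to
! it: the Internet reaches 208.15.36.22 only through ISP A, because ISP A is
! the one advertising that address space, exactly as the thread explains.
ip nat inside source static 192.168.1.10 208.15.36.22
```

After applying it, "show ip route 0.0.0.0" should list both next hops for the default route, and "show ip nat translations" should show inside hosts appearing behind 208.15.36.21 on some flows and behind 63.100.0.45 on others. The configuration balances and fails over outbound client traffic only; for the hosted server the inbound path and its lack of failover are decided by ISP A's BGP advertisement, not by anything on this router.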
 
LVL 17

Expert Comment

by:mikecr
Yes, you would have two default routes.

! two static defaults with the same administrative distance (50): both are installed and used
ip route 0.0.0.0 0.0.0.0 208.15.36.20 50
ip route 0.0.0.0 0.0.0.0 63.100.0.44 50

I would also recommend enabling ip route-cache on those interfaces so that it will continue to use the same pipe until the session is over.
 
LVL 8

Expert Comment

by:scraig84
Mikecr - what you are suggesting only balances outbound traffic.  Like I said, inbound will all come back via the link on the ISP that owns the network of the source of the traffic.  Unless you NAT directly on the router and are then able to source packets from addresses that belong to each ISP, inbound traffic will never be balanced.  If it were as easy as you suggest, users would never need BGP.
 
LVL 17

Expert Comment

by:mikecr
Scraig84, I assumed that he wanted to load balance outbound traffic since he wanted to use static routes. However, I agree that it doesn't load balance incoming traffic, but that could only be done using a routing protocol such as BGP anyway and I personally wouldn't do that. I would redistribute a preferred route into my network via BGP and not load balance between the two links unless I were hosting mail or ftp/web services. Since he made no inquiry as to load balancing incoming traffic, my comment would be correct.
 
LVL 8

Expert Comment

by:scraig84
My point is that Haho made no distinction between inbound or outbound and said that he wanted to load share his ports.  Just because Haho wants to do something more simple than BGP such as static routes, that does not necessarily imply that he realizes the overall difference of how inbound and outbound load balancing will occur.  Often people don't realize or understand the necessity of BGP and its overall relation to traffic flow.  Your post made no distinction between outbound and inbound traffic.  Therefore, when Haho asked "can I load balance my serial ports using static routes?", you simply said yes and showed him how.  My point is that this is false because you are only balancing in one direction and the question never mentioned direction.
 
LVL 1

Author Comment

by:Haho
dear experts,

After absorbing your comments, I would like to add more info. I broke it down into two parts; one for outbound requests and one for inbound requests.

[outbound requests by internal clients to internet servers]

1. NAT should be used, since the server will have an internal address that will be NATed to either ISP's IP, i.e. a packet going out s0 will have ISP A's IP and a packet going out s1 will have ISP B's IP. Outbound load sharing will be done as per your recommendation to have two default routes.
The route back to the server will be that of the ISP IP assigned by the NAT.

Is there any failover in this case, assuming ISP B goes down? Will all traffic be redirected only to ISP A's port and therefore have only ISP A's IP as the source address?

[inbound requests by internet clients to internal servers]

2. What about using DNS to dish out IPs by round robin, i.e. 1 ISP A, 1 ISP B, etc., which will then be translated to the internal server IP? What about the response back to the client? Will the NAT IP still be the original dest IP or will it be reassigned by the load sharing scheme (meaning that the inbound dest was ISP A but the response may show ISP B as the source)?

Is there any failover in this case? I wouldn't think so since the DNS will keep on dishing out ISP A and ISP B IPs without knowing if the network is reachable.

-- What do you think? Please advise ....
 
LVL 1

Author Comment

by:Haho
btw, my main concern is hosted services, which means it is mostly [inbound requests by internet clients to internal servers]... :)
 
LVL 8

Expert Comment

by:scraig84
1) If you are hosting a service and have to use a static NAT, then all traffic to that server from the outside will go through a single ISP - the one that owns the public address you are using.  There is no failover.

2) This may be possible with multiple static NAT statements - with multiple outside addresses, but it would only possibly work for inbound requests to internal resources and do nothing for inbound replies to outbound requests.

Like I said - if you have internal resources you are hosting, I would recommend either a single ISP with multiple links or using BGP.  Again, multiple ISPs are fairly overrated unless you have REALLY unreliable ISPs.  Just do some research into their network.
 
LVL 17

Expert Comment

by:mikecr
For item 1 you will have one drawback by using static default routes: intermittent connectivity problems should one ISP go down. However, you can fix this by temporarily removing that route until the ISP comes back up. If you were using BGP, though, this would be done transparently in the background and would happen automatically, since a routing protocol knows what interfaces are "alive".

For item 2, you can only use round robin DNS if you have two ftp servers, web servers, or what have you. Each one would have a different IP address and you would set this up on your DNS server, but this would not have any effect on incoming traffic other than being routed between servers depending on which one your DNS server sent them to first. They would not pick one route over the other; it would depend on what network they were on, or what their next autonomous system hop away was, for which direction they would come in. That's why BGP was brought up in the discussion. Using BGP, you can advertise what you would like to have as your primary route and which one is secondary; you can't do that with static routes. Unless you have 10,000 people a day coming in to hit your web/ftp servers, or you have some powerful ASP pages or applications being hosted on them, you don't need to load balance incoming traffic.

Keep in mind, just getting one IP address from an ISP does not help with load balancing either. BGP is designed to route between networks and it will find the shortest path to a network first, then route to that IP address once it has made it to that network. So knowing that, any Joe Blow user on the internet will normally come in the same way every time, depending on what BGP says is the closest route to get to your network. If you're not advertising whole networks using BGP, then you don't have control over how someone can come into your network.
 
LVL 17

Expert Comment

by:mikecr
Haho, since you mentioned that internal servers would probably be a priority, and I read this after my last post, you may want to use a cluster type technology or Microsoft's NTLB to load balance between servers on your network. Since you're not running BGP you won't be able to load balance the incoming traffic, and you probably wouldn't be able to do it anyway without help from your ISP. You can internally load balance to the different servers by either using the DNS round robin technique, which does pretty good because I use it for my two VPN servers, or by using the cluster/NTLB technology. Using a static NAT on the router is not going to load balance you to the servers on the back end, as you will need a smart piece of software somewhere in between to direct those requests.
 
LVL 79

Expert Comment

by:lrmoore
Out of curiosity, why do you not want to deal with BGP? Contrary to popular belief, you do not need a big honkin' router with tons of horsepower or memory to run BGP. All you have to do is participate in BGP announcements, sort of like BGP keepalives, with both ISPs, broadcasting the availability of your network only. You do not need a full route exchange.

>Is there any failover in this case, assuming ISP B goes down? Will all traffic be redirected only to ISP A port and therefore have only ISP A Ip as the source address.

IF you are using a single interface address for NAT at the router interface, AND you have two static default routes, and one interface drops, then yes, the other interface becomes the one and only route available. This is a fail "safe" so that you will still have a route out, and none of your outbound traffic tries to go out the failed interface. Having said that, you can lose connectivity through the ISP without the interface actually dropping. In this case, half of your outbound packets may be lost.

As Scraig84 pointed out, this is not a viable solution for you because you need multiple static one-to-one NAT translations for your server.

No matter what, if you are hosting web services, your global IP address (the one in all the DNS tables) must be a static IP that is "owned" by one or the other of your ISPs. That ISP broadcasts the availability of that network to the world via BGP. Almost 100% of your inbound traffic will come in through the interface connected to the ISP that owns that IP address space.

Something else to consider: INBOUND traffic is typically very light--small requests for data, web pages, etc. OUTBOUND traffic is relatively high--data files, web pages w/graphics, etc. You can easily balance your OUTBOUND traffic with the use of route maps in addition to your dual default routes outbound, and just not worry about the inbound. Caution: THERE IS NO FAILOVER for INBOUND if one circuit goes down. If the circuit to the primary ISP that owns your IP address space goes down, you are HOSED!
 
LVL 1

Author Comment

by:Haho
dear mike,

>>>
For item 2, you can only use round robin dns if you have two ftp servers, web servers, or what have you.
>>
I would disagree with that, as with multiple 1-1 NAT it effectively translates to the same internal server. What I am looking for is not server load balancing but rather a way to load share two WAN links to the internet across two ISPs with just static routes.

dear lrmoore,

>>
Something else to consider: INBOUND traffic is typically very light--
>>
Good point here. Assuming that all of my traffic comes in one ISP, can I load share the outbound replies, which are relatively high? i.e. half my replies will have ISP A as the source and the other half have ISP B as the source.
 
LVL 17

Expert Comment

by:mikecr
Haho, the static routes that I showed would give you outbound load sharing, but as stated before, not inbound. You don't have any clue where your traffic is going to originate from. The only way would be to use BGP and send your network updates out to both ISPs with the same metric. Whenever a request was initiated to your web server, let's say, both routes to the destination would have the same metric so a similar round robin approach would be used. If you're looking for redundancy, that would be easier, but load balancing incoming traffic is definitely not easy because BGP on the internet dictates how it will get to the destination, not static routes on your router.
 
LVL 8

Expert Comment

by:scraig84
Even with the same metric, you won't get load balancing.  Routers will still choose a single path - there are quite a few determination factors for BGP route selection, so an equal metric does not create a load balanced scenario.  

The only way to load balance inbound traffic with BGP is to split up your advertised subnet into multiple advertised subnets and advertise them with different metrics to each ISP - making certain IP addresses come inbound through different ISPs.  This is less than perfect of course, but it can get the job done.  However, like Lrmoore said, inbound should be relatively light traffic - it may even be that only 1 link is needed for inbound and the other is used for failover - of course without BGP, this isn't possible.

We could go round and round on this for days.  Haho, to me you really have two options.  First, you could use BGP, which gives you both the ability to do some load balancing and gives you failover between multiple ISPs.  Otherwise, like I've said, use a single reliable ISP, and get full load balancing in both directions with easy failover and simple configuration.
 
LVL 17

Expert Comment

by:mikecr
Scraig84, here is an excerpt from the following Cisco article:

http://www.cisco.com/warp/public/105/default.html

"Lastly, if you use multiple ip route 0.0.0.0 0.0.0.0 commands to configure a default route, traffic is load-balanced over the multiple routes."
 
LVL 8

Expert Comment

by:scraig84
Mike,
That's real cute.  Again I was referring to inbound traffic.  I know perfectly well how outbound traffic is routed.

Your quote that I was referring to:
"Haho, the static routes that I showed would give you outbound load sharing, but as stated before, not inbound. You don't have any clue where your traffic is going to originate from. The only way would be to use BGP and send your network updates out to both ISP's with the same metric. Whenever a request was initiated to your web server let's say, both routes to the destination would have the same metric so a similar round robin approach would be used. "

My point was that this was false, because a router that sits outside of the two ISP's will not load balance to those ISP's simply because you advertised with equal metrics.  This is not how BGP works.

Take a look at this:
http://www.cisco.com/warp/public/459/25.shtml
 
LVL 1

Author Comment

by:Haho
Thanks scraig, mike and lrmoore!