Solved

Load Sharing/Failover Cisco 1811

Posted on 2006-10-25
576 Views
Last Modified: 2012-08-13
I have a Cisco 1811 router that has two FE WAN ports. Each FE WAN port connects to a separate ISP router (call them ISP1 and ISP2). Internet speeds are: ISP1 is a 512k fractional T1 and ISP2 is a full T1. On the LAN side of the 1811 there is a Nomadix gateway, connected to Fe0/1, that provides DHCP and also does the NATing (both overload and static, using IPs from ISP1). A drawing is shown below. Can anyone explain how to configure the 1811 router to allow for load sharing and failover without using BGP, since ISP2 doesn't allow BGP?

                                                  Fe0 ______ ISP1 (Fract T1 - 512k)
LAN Users                                            /
10.1.1.1/24 ---[ Nomadix ]---- Fe0/1 [ Cisco 1811 ]
                                                     \______ ISP2 (T1 - 1536k)
                                                  Fe1

Note:  Fe0/1 is configured with an IP address from the ISP1 Pool.  All public IP addresses are configured on the 1811 router currently.

Thanks.
Question by: pbadra

19 Comments
LVL 12

Expert Comment

by:pjtemplin
ID: 17808878
Not much you can do with the hardware and topology you have.  Might want to dump ISP2 and upgrade ISP1 to sufficient bandwidth for your applications.

Author Comment

by:pbadra
ID: 17808909
That would be the last option, but not the answer I was looking for. The whole purpose for which the customer purchased this router and the additional ISP connection was to allow for failover/redundancy and load sharing.
LVL 12

Expert Comment

by:pjtemplin
ID: 17809028
Best laid plans of mice and men...

Having the hardware doesn't guarantee the intended solution.

Choosing an ISP that doesn't support BGP...

One of the "rules" of this site is that "you can't do that" is a legitimate answer...
LVL 32

Expert Comment

by:rsivanandan
ID: 17812263
If you're talking about outgoing connections only, then equal load sharing can be done with CEF (Cisco Express Forwarding), which means one connection goes through ISP1, then the second connection goes through ISP2. Is that something you want? If so:

ip route 0.0.0.0 0.0.0.0 <ISP1-FarEnd>
ip route 0.0.0.0 0.0.0.0 <ISP2-FarEnd>

ip cef

Done.

Cheers,
Rajesh
LVL 12

Expert Comment

by:pjtemplin
ID: 17812353
If the packets are coming from ISP1's address space, they'll fail at ISP2's BCP38/uRPF filters.  Packet loss is bad.
LVL 32

Expert Comment

by:rsivanandan
ID: 17813224
That wouldn't be the case for the outgoing traffic, right? Correct me if I'm wrong, pjtemplin. The address space matters if the traffic is coming inbound, say if I have a webserver in the address space from ISP1; then the packet loss will be there if the connection tries to come through ISP2.

But for normal outgoing traffic like WWW or anything, it doesn't matter, right?

Cheers,
Rajesh
LVL 12

Expert Comment

by:pjtemplin
ID: 17813485
Any ISP worth their salt filters the packets coming in from customers to prevent spoofing.  That's part of Best Common Practice #38.

Every single-homed customer of mine has this on their interface:

 ip verify unicast source reachable-via rx allow-self-ping

It's an automatic anti-spoof filter, no human intervention required.  For every inbound packet, check the SOURCE address against the CEF table.  If CEF wouldn't send a reply to this packet back out the interface it arrived on, discard.  As routes are changed on the customer's connection (add a subnet, lose a subnet, switch to BGP for customer-controlled null routing, whatever), the filter updates instantly, since the CEF table updates instantly.  No need to maintain per-customer access-lists.

An "exclusion" ACL can be assigned to this filter for customers who request it.  However, since many of OUR upstreams do the same filtering, customers are advised to resolve their spoofing issues internally, as we won't process any trouble tickets on the issue.

ISPs who don't do this or something similar are getting more and more bad press lately.
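As an added example (not pjtemplin's own configuration or anything posted in this thread), this is what that filter looks like in context on the customer-facing interface of an ISP edge router, together with the "exclusion" ACL mentioned above. The interface name, the customer prefixes and the exception prefix are placeholders taken from the RFC 5737 documentation ranges, not real assignments.

```cisco
! Added example, not from the thread: ISP edge router, customer-facing side.
! 192.0.2.0/30 is the link to the customer, 198.51.100.0/24 the block routed
! to them, 203.0.113.0/24 a block they asked to be excluded from the check.
ip cef
!
! The static route for the customer's block is what makes the CEF table
! "know" that sources in 198.51.100.0/24 legitimately arrive on Serial0/0.
! No per-customer anti-spoof ACL is needed; the route IS the filter.
ip route 198.51.100.0 255.255.255.0 192.0.2.2
!
! Exclusion list: packets that FAIL the reverse-path check are still
! accepted if this ACL permits them. Keep it narrow and assign it only on
! request; everything not permitted here is dropped as usual.
access-list 150 remark uRPF exceptions for customer 1, added on request only
access-list 150 permit ip 203.0.113.0 0.0.0.255 any
!
interface Serial0/0
 description Customer 1, single-homed, static-routed 198.51.100.0/24
 ip address 192.0.2.1 255.255.255.252
 ! Strict mode (reachable-via rx): the source address must be reachable
 ! back out THIS interface according to CEF, otherwise the packet is dropped.
 ! allow-self-ping keeps the router's own pings to this interface working.
 ! The trailing number is the exclusion ACL.
 ip verify unicast source reachable-via rx allow-self-ping 150
!
! Verification from exec mode:
!   show ip interface Serial0/0 | include verif
!     shows the active mode, the ACL, and the verification drop counters
!   show ip traffic | include RPF
!     global count of packets discarded by the reverse-path check
```

Two points worth noting for the question at hand. First, because the check is driven by the CEF table, a customer whose second provider assigned them nothing and who simply starts sourcing ISP1 addresses toward ISP2 is dropped silently at ISP2's edge; nothing on the customer side is notified. Second, the exclusion ACL is the only lever an ISP has to let such traffic through, and pjtemplin's point is that many ISPs will not grant it because their own upstreams apply the same filter.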
LVL 32

Expert Comment

by:rsivanandan
ID: 17813556
Still, the ISP won't be knowing about it, right? The reason being, I'll be NATing the connections given to me by the ISP and sending them to him; on the other hand, I decide who gets NATed to this IP address. So the unicast source verification will always be passed, since I'm going to NAT based on the IP assigned to me.

Cheers,
Rajesh
LVL 12

Expert Comment

by:pjtemplin
ID: 17813588
The Nomadix is doing the NAT.  Unless it's intelligently doing NAT based on the desired egress ISP, AND the 1811 is doing policy-based routing, the packets can't be sent out the "correct" ISP based on source address.  Either way, the Nomadix is not in a position to detect link failure, except to infer that from lack of responses to outbound traffic.  Therefore, ISP2 will receive packets with source addresses in ISP1's subnet assigned to <customer> and uRPF will reject them.
LVL 32

Expert Comment

by:rsivanandan
ID: 17813610
OK, so you agree that it wouldn't be a problem if the author does the NATing on the router, supported by policy-based routing. Then everything should be fine.

Cheers,
Rajesh
LVL 12

Expert Comment

by:pjtemplin
ID: 17813640
Load sharing will work, but the NAT box will have to be pretty darned smart to balance a 512k and a 1536k link.

Failover will be next to impossible to detect and handle though.
LVL 32

Expert Comment

by:rsivanandan
ID: 17813665
Yeah, the only drawback I see in this is that equal load sharing will take place (per connection) and won't be 'the best' split across the links, but it still works fairly well.

Cheers,
Rajesh

Author Comment

by:pbadra
ID: 17818122
90% of the traffic from the LAN side is WWW; the remaining 10% is VPN. There is a NAT function on the Nomadix, called iNAT, that will perform a static NAT on VPN packets from a pool of IP addresses from ISP1. The remaining traffic will be NAT'd (overload) to the IP address assigned on the WAN port of the Nomadix (the port that connects to fe0/1 on the 1811), which is also an IP address from ISP1. I'd rather keep the NAT on the Nomadix. My main concern is failover if one link should fail. As far as load sharing, even if traffic is directed to the higher-BW ISP (ISP2) and then fails over to ISP1 if the link fails, that would be OK. I am working with ISP2 to see if they will advertise ISP1's addresses. So, as it stands now, would the two default routes with IP CEF enabled be the way to go?
LVL 12

Expert Comment

by:pjtemplin
ID: 17818407
Plain and simple, if the address block from ISP1 is longer than /24, they won't/can't.  If it's /24 or shorter, you want BGP.
LVL 32

Expert Comment

by:rsivanandan
ID: 17819048
Can't do, because of your Nomadix setup, since it is doing overload using the ISP1 range.

Cheers,
Rajesh

Author Comment

by:pbadra
ID: 17826241
If ISP1 and ISP2 were to advertise each other's IP subnets, then will it work? Sorry for so many questions; I have to decide how to proceed with this endeavor. Some have pointed out to me to try multihome NAT.
LVL 32

Accepted Solution

by: rsivanandan (earned 300 total points)
ID: 17826259
Yeah, if ISP1 and ISP2 can do that, it is a piece of cake then. But I doubt they'll do that. As I said before, if you are concerned about only the outgoing traffic, then shifting the NATing onto the 1800 router plus some policy-based NATing will get you going with CEF.

Cheers,
Rajesh
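To make the accepted solution concrete, here is the design pjtemplin's uRPF objection and rsivanandan's answer converge on: NAT moved off the Nomadix onto the 1811, translated according to the interface a flow actually leaves on, with two CEF default routes. This is an added example, not configuration posted by anyone in the thread. It assumes the 1811's LAN-side Layer 3 interface is Vlan1 (the 1811's Fe2-Fe9 are switch ports), that the Nomadix now sits on a private transit subnet 10.0.0.0/30 and no longer translates, and it uses RFC 5737 documentation prefixes in place of the real ISP assignments. The `ip sla`/`track` lines go beyond what the thread discusses and are an assumption about how link failure would be detected; their exact syntax varies by IOS release (older 12.4 trains use `ip sla monitor` and `track 1 rtr 1 reachability`).

```cisco
! Added example, not from the thread: Cisco 1811 doing the NAT itself.
! 192.0.2.0/30    ISP1 link (Fe0)     - RFC 5737 placeholder
! 198.51.100.0/30 ISP2 link (Fe1)     - RFC 5737 placeholder
! 10.0.0.0/30     private transit to the Nomadix, which no longer NATs (assumption)
! 10.1.1.0/24     LAN behind the Nomadix, as in the question
ip cef
!
interface FastEthernet0
 description ISP1 (512k fractional T1)
 ip address 192.0.2.2 255.255.255.252
 ip nat outside
!
interface FastEthernet1
 description ISP2 (full T1)
 ip address 198.51.100.2 255.255.255.252
 ip nat outside
!
interface Vlan1
 description LAN side toward the Nomadix (switch ports Fe2-Fe9)
 ip address 10.0.0.1 255.255.255.252
 ip nat inside
 ip policy route-map PIN-VPN-TO-ISP1
!
! The LAN lives behind the Nomadix, so the 1811 needs a route to it.
ip route 10.1.1.0 255.255.255.0 10.0.0.2
!
! Two equal-cost defaults. CEF splits flows across them by source/destination
! hash (per-destination load sharing); each route is withdrawn when its
! tracked object goes down. Without tracking, a static route only disappears
! when Fe0/Fe1 itself goes line-down, so a dead far end would black-hole.
ip route 0.0.0.0 0.0.0.0 192.0.2.1 track 1
ip route 0.0.0.0 0.0.0.0 198.51.100.1 track 2
!
! Failover detection (assumption): ping each ISP's far-end address out its
! own interface. This only proves the first hop, not the ISP's transit.
ip sla 1
 icmp-echo 192.0.2.1 source-interface FastEthernet0
 frequency 10
ip sla schedule 1 life forever start-time now
ip sla 2
 icmp-echo 198.51.100.1 source-interface FastEthernet1
 frequency 10
ip sla schedule 2 life forever start-time now
track 1 ip sla 1 reachability
track 2 ip sla 2 reachability
!
! Overload NAT keyed on the EGRESS interface. A flow that CEF sends out Fe1
! is translated to Fe1's ISP2 address, so ISP2 never sees an ISP1 source and
! its uRPF/BCP38 filter has nothing to drop. This is the fix for the problem
! pjtemplin raised with NAT staying on the Nomadix.
access-list 10 permit 10.0.0.0 0.255.255.255
route-map NAT-VIA-ISP1 permit 10
 match ip address 10
 match interface FastEthernet0
route-map NAT-VIA-ISP2 permit 10
 match ip address 10
 match interface FastEthernet1
ip nat inside source route-map NAT-VIA-ISP1 interface FastEthernet0 overload
ip nat inside source route-map NAT-VIA-ISP2 interface FastEthernet1 overload
!
! The iNAT case: a VPN host that must keep a fixed public address from ISP1's
! block. Static NAT, plus policy routing that pins it to Fe0, because
! 192.0.2.50 is only a valid source toward ISP1.
ip nat inside source static 10.1.1.50 192.0.2.50
access-list 20 permit host 10.1.1.50
route-map PIN-VPN-TO-ISP1 permit 10
 match ip address 20
 set ip next-hop 192.0.2.1
!
! Checks from exec mode:
!   show ip route 0.0.0.0      both defaults present while both tracks are up
!   show track brief           reachability state per ISP
!   show ip nat translations   the outside address should match the egress ISP
```

The caveat this leaves is exactly the one the thread ends on: the pinned VPN host has no failover, since its public address exists only in ISP1's block, and moving it to ISP2 would mean re-addressing (or the ISPs advertising each other's space, which they are unlikely to do). Only the overload traffic gets both load sharing and failover, and the share is per flow across equal-cost paths, not weighted 512k:1536k.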
LVL 12

Expert Comment

by:pjtemplin
ID: 18027989
I like Keith Alabaster's recommendations more than I do the author's selection.
