
Load Sharing/Failover Cisco 1811

I have a Cisco 1811 router that has two FE WAN ports. Each FE WAN port connects to a separate ISP router (call them ISP1 and ISP2). Internet speeds are: ISP1 is a 512k fractional T1 and ISP2 is a full T1. On the LAN side of the 1811 there is a Nomadix gateway that connects to Fe0/1; it provides DHCP and also does the NATing (both overload and static, using IPs from ISP1). A drawing is shown below. Can anyone explain how to configure the 1811 router to allow for load sharing and failover without using BGP, since ISP2 doesn't allow BGP?

                                                       ______ ISP1 (Fract T1 - 512k)
LAN Users                                         Fe0 /
10.1.1.1/24 ---[ Nomadix ]----Fe0/1 [ Cisco 1811 ]
                                                  Fe1 \______ ISP2 (T1 - 1536k)

Note: Fe0/1 is configured with an IP address from the ISP1 pool. All public IP addresses are currently configured on the 1811 router.

Thanks.
Asked by pbadra

pjtemplin commented:
Not much you can do with the hardware and topology you have. You might want to dump ISP2 and upgrade ISP1 to sufficient bandwidth for your applications.

pbadra (Author) commented:
That would be the last option, but not the answer I was looking for. The whole purpose of the customer purchasing this router and the additional ISP connection was to allow for failover/redundancy and load sharing.

pjtemplin commented:
Best laid plans of mice and men...

Having the hardware doesn't guarantee the intended solution.

Choosing an ISP that doesn't support BGP...

One of the "rules" of this site is that "you can't do that" is a legitimate answer...

rsivanandan commented:
If you're talking about outgoing connections only, then equal load sharing can be done with CEF (Cisco Express Forwarding), which means one connection goes through ISP1, then the next connection goes through ISP2. Is that something you want? If so:

ip route 0.0.0.0 0.0.0.0 <ISP1-FarEnd>
ip route 0.0.0.0 0.0.0.0 <ISP2-FarEnd>

ip cef

Done.

Cheers,
Rajesh

pjtemplin commented:
If the packets are coming from ISP1's address space, they'll fail at ISP2's BCP38/uRPF filters. Packet loss is bad.

rsivanandan commented:
That wouldn't be the case for the outgoing traffic, right? Correct me if I'm wrong, pjtemplin. The address space matters if the traffic is coming inbound; say I have a webserver in the address space from ISP1, then the packet loss will be there if the connection tries to come in through ISP2.

But for normal outgoing traffic like WWW or anything, it doesn't matter, right?

Cheers,
Rajesh

pjtemplin commented:
Any ISP worth their salt filters the packets coming in from customers to prevent spoofing. That's part of Best Current Practice #38 (BCP38).

Every single-homed customer of mine has this on their interface:

 ip verify unicast source reachable-via rx allow-self-ping

It's an automatic anti-spoof filter, no human intervention required. For every inbound packet, check the SOURCE address against the CEF table. If CEF wouldn't send a reply to this packet back out the interface it arrived on, discard it. As routes are changed on the customer's connection (add a subnet, lose a subnet, switch to BGP for customer-controlled null routing, whatever), the filter updates instantly, since the CEF table updates instantly. No need to maintain per-customer access lists.

An "exclusion" ACL can be assigned to this filter for customers who request it.  However, since many of OUR upstreams do the same filtering, customers are advised to resolve their spoofing issues internally, as we won't process any trouble tickets on the issue.

ISPs who don't do this or something similar are getting more and more bad press lately.
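A constructed simulation (added here; not code from anyone in this thread) of the two points above: rsivanandan's per-destination CEF load sharing over two default routes, and pjtemplin's strict uRPF check on ISP2's side. It assumes RFC 5737 documentation addresses for the customer's ISP1 block and the ISP2 link, and a minimal routing table for ISP2's edge router; the hash used to pick a path is a stand-in for the real CEF algorithm.

```python
import hashlib
import ipaddress

# Constructed addresses (RFC 5737 documentation ranges), not the thread's real ISPs.
ISP1_BLOCK = ipaddress.ip_network("198.51.100.0/29")  # customer's block from ISP1
ISP2_LINK = "fe1"                                     # 1811 WAN port toward ISP2

# Routing table of ISP2's edge router, {prefix: egress interface} (constructed).
# ISP2 routes only its own /30 toward the customer's T1; ISP1's block is reached
# via ISP2's upstream, never via the customer link.
ISP2_RIB = {
    ipaddress.ip_network("203.0.113.0/30"): "cust-link",  # the T1 to the 1811
    ipaddress.ip_network("0.0.0.0/0"): "upstream",
}

def lookup(rib, addr):
    """Longest-prefix match: the interface a router would use to reach addr."""
    addr = ipaddress.ip_address(addr)
    matches = [p for p in rib if addr in p]
    return rib[max(matches, key=lambda p: p.prefixlen)] if matches else None

def urpf_strict_accepts(rib, src, arriving_iface):
    """Strict uRPF ('reachable-via rx'): accept a packet only if the return path
    to its source address would leave via the interface it arrived on."""
    return lookup(rib, src) == arriving_iface

def cef_egress(dst, paths):
    """Per-destination load sharing over equal-cost default routes: a hash of the
    destination picks the path, with no regard to link bandwidth (stand-in for CEF)."""
    h = int(hashlib.sha256(dst.encode()).hexdigest(), 16)
    return paths[h % len(paths)]

def simulate(flows, paths=("fe0", "fe1")):
    """For each (src, dst) flow leaving the 1811, pick the egress with cef_egress and
    decide whether the chosen ISP's strict uRPF forwards or drops it."""
    results = []
    for src, dst in flows:
        egress = cef_egress(dst, paths)
        if egress == ISP2_LINK:
            ok = urpf_strict_accepts(ISP2_RIB, src, "cust-link")
        else:
            ok = ipaddress.ip_address(src) in ISP1_BLOCK  # ISP1 routes its own block to us
        results.append((src, dst, egress, "forwarded" if ok else "dropped-by-uRPF"))
    return results
```

Running `simulate` over flows sourced from the ISP1-assigned NAT address shows roughly half of them hashed onto fe1, and every one of those is dropped by ISP2's strict uRPF, which is the packet loss pjtemplin describes.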

rsivanandan commented:
Still, the ISP won't know about it, right? The reason being, I'll be NATting the connections given to me by the ISP and sending them to him; on the other hand, I decide who gets NATted to this IP address. So the unicast source verification will always pass, since I'm going to NAT based on the IP assigned to me.

Cheers,
Rajesh

pjtemplin commented:
The Nomadix is doing the NAT. Unless it's intelligently doing NAT based on the desired egress ISP, AND the 1811 is doing policy-based routing, the packets can't be sent out the "correct" ISP based on source address. Either way, the Nomadix is not in a position to detect link failure, except to infer it from a lack of responses to outbound traffic. Therefore, ISP2 will receive packets with source addresses in ISP1's subnet assigned to <customer>, and uRPF will reject them.

rsivanandan commented:
OK, so you agree that it wouldn't be a problem if the author does the NATting on the router, supported by policy-based routing. Then everything should be fine.

Cheers,
Rajesh

pjtemplin commented:
Load sharing will work, but the NAT box will have to be pretty darned smart to balance a 512k and a 1536k link.

Failover will be next to impossible to detect and handle though.

rsivanandan commented:
Yeah, the only drawback I see in this is that equal load sharing will take place (per connection) and won't be 'the best' split across the links, but it still works fairly.....

Cheers,
Rajesh

pbadra (Author) commented:
90% of the traffic from the LAN side is WWW; the remaining 10% is VPN. There is a NAT function on the Nomadix, called iNAT, that will perform a static NAT on VPN packets from a pool of IP addresses from ISP1. The remaining traffic will be NATed (overload) to the IP address assigned on the WAN port of the Nomadix (the port that connects to fe0/1 on the 1811), which is also an IP address from ISP1. I'd rather keep the NAT on the Nomadix. My main concern is failover if one link should fail. As far as load sharing, even if traffic is directed to the higher-bandwidth ISP (ISP2) and then fails over to ISP1 if the link fails, that would be OK. I am working with ISP2 to see if they will advertise ISP1's addresses. So, as it stands now, would the two default routes with IP CEF enabled be the way to go?

pjtemplin commented:
Plain and simple: if the address block from ISP1 is longer than a /24, they won't/can't. If it's a /24 or shorter, you want BGP.

rsivanandan commented:
Can't be done, because of your Nomadix setup, since it is doing overload using the ISP1 range.

Cheers,
Rajesh

pbadra (Author) commented:
If ISP1 and ISP2 were to advertise each other's IP subnets, then would it work? Sorry for so many questions; I have to decide how to proceed with this endeavor. Some have pointed out to me to try multihomed NAT.

rsivanandan commented:
Yeah, if ISP1 and ISP2 can do that, it is a piece of cake then. But I doubt they'll do that. As I said before, if you are concerned about only the outgoing traffic, then shifting the NATting onto the 1800 router plus some policy-based NATting will get you going with CEF.

Cheers,
Rajesh

pjtemplin commented:
I like Keith Alabaster's recommendations more than I do the author's selection.