Solved

Load Sharing/Failover Cisco 1811

Posted on 2006-10-25
Medium Priority
604 Views
Last Modified: 2012-08-13
I have a Cisco 1811 router that has two FE WAN ports. The two FE WAN ports connect to two separate ISP routers (call them ISP1 and ISP2). Internet speeds are: ISP1 is a 512k Fract-T1 and ISP2 is a Full T1. On the LAN side of the 1811 there is a Nomadix gateway that connects to Fe0/1 that provides DHCP and also does the NAT'ing (both overload and static using IPs from ISP1). Drawing is shown below. Can anyone explain how to configure the 1811 router to allow for load sharing and failover without using BGP, since ISP2 doesn't allow BGP?

                                            ______ ISP1 (Fract T1 - 512k)
LAN Users                              Fe0 /
10.1.1.1/24 ---[ Nomadix ]----Fe0/1 [ Cisco 1811 ]
                                       Fe1 \______ ISP2 (T1 - 1536k)

Note:  Fe0/1 is configured with an IP address from the ISP1 Pool.  All public IP addresses are configured on the 1811 router currently.

Thanks.
19 Comments
 
LVL 12

Expert Comment

by:pjtemplin
ID: 17808878
Not much you can do with the hardware and topology you have.  Might want to dump ISP2 and upgrade ISP1 to sufficient bandwidth for your applications.
 

Author Comment

by:pbadra
ID: 17808909
That would be the last option, but not the answer I was looking for.  The whole purpose the customer purchased this router and the additional ISP connection was to allow for failover/redundancy and load sharing.
 
LVL 12

Expert Comment

by:pjtemplin
ID: 17809028
Best laid plans of mice and men...

Having the hardware doesn't guarantee the intended solution.

Choosing an ISP that doesn't support BGP...

One of the "rules" of this site is that "you can't do that" is a legitimate answer...
 
LVL 32

Expert Comment

by:rsivanandan
ID: 17812263
If you're talking about outgoing connections only, then equal load sharing can be done with CEF (Cisco Express Forwarding), which means one connection goes through ISP1, then the second connection goes through ISP2. Is that something you want? If so:

ip route 0.0.0.0 0.0.0.0 <ISP1-FarEnd>
ip route 0.0.0.0 0.0.0.0 <ISP2-FarEnd>

ip cef

Done.

Cheers,
Rajesh
 
LVL 12

Expert Comment

by:pjtemplin
ID: 17812353
If the packets are coming from ISP1's address space, they'll fail at ISP2's BCP38/uRPF filters.  Packet loss is bad.
 
LVL 32

Expert Comment

by:rsivanandan
ID: 17813224
That wouldn't be the case for the outgoing traffic, right? Correct me if I'm wrong, Pjtemplin. The address space matters if the traffic is coming inbound, say if I have a webserver in the address space from ISP1; then the packet loss will be there if the connection tries to come through ISP2.

But for normal outgoing traffic like WWW or anything, it doesn't matter, right?

Cheers,
Rajesh
 
LVL 12

Expert Comment

by:pjtemplin
ID: 17813485
Any ISP worth their salt filters the packets coming in from customers to prevent spoofing.  That's part of Best Common Practice #38.

Every single-homed customer of mine has this on their interface:

 ip verify unicast source reachable-via rx allow-self-ping

It's an automatic anti-spoof filter, no human intervention required.  For every inbound packet, check the SOURCE address against the CEF table.  If CEF wouldn't send a reply to this packet back out the interface it arrived on, discard.  As routes are changed on the customer's connection (add a subnet, lose a subnet, switch to BGP for customer-controlled null routing, whatever), the filter updates instantly, since the CEF table updates instantly.  No need to maintain per-customer access-lists.

An "exclusion" ACL can be assigned to this filter for customers who request it.  However, since many of OUR upstreams do the same filtering, customers are advised to resolve their spoofing issues internally, as we won't process any trouble tickets on the issue.

ISPs who don't do this or something similar are getting more and more bad press lately.
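Here is what that filter looks like on a customer-facing interface, together with the exclusion ACL pjtemplin mentions. This is an added example, not configuration from the thread or from either ISP: the interface name is assumed, and the 203.0.113.4/30 link, the customer's ISP2-assigned 192.0.2.0/28 and the customer's ISP1-assigned 198.51.100.0/28 are placeholders from the RFC 5737 documentation ranges.

```cisco
! Added example, not configuration from the thread or from any ISP: strict uRPF
! on a single-homed customer interface, with the exclusion ACL described above.
! Addresses are RFC 5737 placeholders; the interface name is assumed.
ip cef
!
! Exclusion list. A packet that FAILS the uRPF lookup is then matched against
! this ACL: "permit" forwards it anyway (and logs it here), "deny" drops it.
! Entry 1 is what ISP2 would have to add to accept the customer's ISP1-assigned
! block over the ISP2 link, since ISP2's own FIB points that block at its
! upstream, not at this interface.
access-list 100 permit ip 198.51.100.0 0.0.0.15 any log
access-list 100 deny   ip any any log
!
interface FastEthernet0/0
 description Customer (single-homed, static route, no BGP)
 ip address 203.0.113.5 255.255.255.252
 ! Strict mode: the source must be reachable back out THIS interface according
 ! to the FIB. The customer's ISP2 block passes only because of the static
 ! route below, which is why the filter follows route changes with no ACL edits.
 ip verify unicast source reachable-via rx allow-self-ping 100
!
ip route 192.0.2.0 255.255.255.240 203.0.113.6
!
! Checks: the interface should report the verify mode and its drop counter
!   show ip interface FastEthernet0/0 | include verif
!   show ip traffic | include RPF
```

Without the ACL, any packet this customer sends with a 198.51.100.x source is counted as a verification drop, which is the failure mode pjtemplin is warning about for the 1811 setup.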
 
LVL 32

Expert Comment

by:rsivanandan
ID: 17813556
Still, the ISP won't know about it, right? Reason being, I'll be NATing the connections given to me by the ISP and sending them to him; on the other hand, I decide who gets NATed to this IP address. So the unicast source verification will always be passed, since I'm going to NAT based on the IP assigned to me.

Cheers,
Rajesh
 
LVL 12

Expert Comment

by:pjtemplin
ID: 17813588
The Nomadix is doing the NAT.  Unless it's intelligently doing NAT based on the desired egress ISP, AND the 1811 is doing policy-based routing, the packets can't be sent out the "correct" ISP based on source address.  Either way, the Nomadix is not in a position to detect link failure, except to infer that from lack of responses to outbound traffic.  Therefore, ISP2 will receive packets with source addresses in ISP1's subnet assigned to <customer> and uRPF will reject them.
 
LVL 32

Expert Comment

by:rsivanandan
ID: 17813610
Ok, so you agree that it wouldn't be a problem if the author does the natting on the router supported by Policy based routing. Then everything should be fine.

Cheers,
Rajesh
 
LVL 12

Expert Comment

by:pjtemplin
ID: 17813640
Load sharing will work, but the NAT box will have to be pretty darned smart to balance a 512k and a 1536k link.

Failover will be next to impossible to detect and handle though.
 
LVL 32

Expert Comment

by:rsivanandan
ID: 17813665
Yeah, the only drawback I see in this is that equal load sharing will take place (per connection) and won't be 'the best' split across the links, but it still works fairly well.....

Cheers,
Rajesh
 

Author Comment

by:pbadra
ID: 17818122
90% of the traffic from the LAN side is WWW, the remaining 10% is VPN.  There is a NAT function on the Nomadix, called iNAT, that will perform a static NAT on VPN packets from a pool of IP addresses from ISP1.  The remaining traffic will be NAT'd (overload) to the IP address assigned on the WAN port of the Nomadix (the port that connects to fe0/1 on the 1811), which is also an IP address from ISP1.  I'd rather keep the NAT on the Nomadix.  My main concern is failover if one link should fail.  As far as load sharing, even if traffic is directed to the higher BW ISP (ISP2) and then fails over to ISP1 if the link fails, that would be OK.  I am working with ISP2 to see if they will advertise ISP1's addresses.  So, as it stands now, would the two default routes with IP CEF enabled be the way to go?
 
LVL 12

Expert Comment

by:pjtemplin
ID: 17818407
Plain and simple, if the address block from ISP1 is longer than /24, they won't/can't.  If it's /24 or shorter, you want BGP.
 
LVL 32

Expert Comment

by:rsivanandan
ID: 17819048
Can't be done, because of your Nomadix setup, since it is doing overload using the ISP1 range.

Cheers,
Rajesh
 

Author Comment

by:pbadra
ID: 17826241
If ISP1 and ISP2 were to advertise each others IP subnets, then will it work?  Sorry for so many questions, I have to decide how to proceed with this endeavor.  Some pointed out to me to try multihome NAT.
 
LVL 32

Accepted Solution

by: rsivanandan (earned 900 total points)
ID: 17826259
Yeah, if ISP1 and ISP2 can do that, it is a piece of cake then. But I doubt they'll do that. As I said before, if you are concerned about only the outgoing traffic, then shifting the NATing onto the 1800 router plus some policy-based NATing will get you going with CEF.

Cheers,
Rajesh
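What "shifting the NAT onto the 1800 plus policy-based NAT" looks like in IOS, as an added example that is not configuration from the thread or from pbadra's router. It also covers the two-default-routes-plus-CEF suggestion earlier in the thread. Assumptions: the Nomadix stops translating to public space and hands the 1811 either raw 10.1.1.0/24 traffic or traffic NATed to a private transit address; ISP1 routes 198.51.100.0/28 and ISP2 routes 192.0.2.0/28 to the customer over 203.0.113.0/30 and 203.0.113.4/30 respectively (RFC 5737 placeholders); the LAN-side address sits on Vlan1, because the 1811's switch ports are Layer 2, so adjust to whatever `show ip interface brief` reports. The tracked default route at the end goes beyond what the thread discusses: it is the usual way to make a static default withdraw when something beyond the ISP router stops answering, since a FastEthernet link to the ISP's CPE stays up when the ISP's own upstream fails.

```cisco
! Added example, not from the thread: NAT on the 1811 itself, chosen by egress
! interface, so every packet leaves with an address owned by the ISP it exits
! and never trips ISP2's uRPF. All addresses are RFC 5737 placeholders.
ip cef
!
! ISP1 routes 198.51.100.0/28 to us over 203.0.113.0/30 (512k fractional T1)
! ISP2 routes 192.0.2.0/28    to us over 203.0.113.4/30 (full T1)
interface FastEthernet0
 description ISP1 - 512k fractional T1
 ip address 203.0.113.2 255.255.255.252
 ip nat outside
!
interface FastEthernet1
 description ISP2 - full T1
 ip address 203.0.113.6 255.255.255.252
 ip nat outside
!
! LAN side. The drawing calls it Fe0/1; the 1811's switch ports are L2, so the
! address is assumed to live on the Vlan1 SVI.
interface Vlan1
 description Nomadix WAN side (Nomadix no longer NATs to public space)
 ip address 10.0.0.1 255.255.255.252
 ip nat inside
 ip policy route-map VPN-VIA-ISP1
!
ip route 10.1.1.0 255.255.255.0 10.0.0.2
!
! Failover probe (beyond what the thread covers). Probe something past ISP1's
! CPE, e.g. an ISP1 resolver (assumed address), and pin the probe to Fe0 with a
! host route so CEF never hashes it onto ISP2. On 12.4 releases before 12.4(20)T
! the same thing is "ip sla monitor 1", "type echo protocol ipIcmpEcho ...
! source-interface ...", "ip sla monitor schedule ..." and
! "track 1 rtr 1 reachability".
ip route 198.51.100.250 255.255.255.255 203.0.113.1
ip sla 1
 icmp-echo 198.51.100.250 source-interface FastEthernet0
 timeout 1000
 frequency 10
ip sla schedule 1 life forever start-time now
track 1 ip sla 1 reachability
!
! Two equal-cost defaults: with CEF, flows are shared per destination. The split
! is by hash, not by bandwidth, so the 512k link carries about half the flows.
! When track 1 goes down the ISP1 default is withdrawn and everything uses ISP2.
ip route 0.0.0.0 0.0.0.0 203.0.113.1 track 1
ip route 0.0.0.0 0.0.0.0 203.0.113.5
!
! Interface-specific NAT. The route-map is evaluated after the routing decision,
! so a flow CEF sends out Fe0 is translated into ISP1 space, out Fe1 into ISP2
! space. ACL 10 matches both the LAN and the Nomadix's private WAN address.
access-list 10 permit 10.1.1.0 0.0.0.255
access-list 10 permit 10.0.0.0 0.0.0.3
!
route-map VIA-ISP1 permit 10
 match ip address 10
 match interface FastEthernet0
route-map VIA-ISP2 permit 10
 match ip address 10
 match interface FastEthernet1
!
ip nat pool ISP1-POOL 198.51.100.2 198.51.100.2 prefix-length 28
ip nat pool ISP2-POOL 192.0.2.2    192.0.2.2    prefix-length 28
ip nat inside source route-map VIA-ISP1 pool ISP1-POOL overload
ip nat inside source route-map VIA-ISP2 pool ISP2-POOL overload
!
! The VPN host keeps a fixed ISP1 address (what the Nomadix iNAT did). A fixed
! ISP1 source must never be hashed out Fe1, so policy-route it toward ISP1;
! if Fe0 is down, PBR falls back to normal routing, so it gets no service
! rather than being dropped by ISP2's uRPF.
ip nat inside source static 10.1.1.50 198.51.100.5
access-list 20 permit host 10.1.1.50
route-map VPN-VIA-ISP1 permit 10
 match ip address 20
 set ip next-hop 203.0.113.1
```

Two caveats a practitioner will hit. Translations built while ISP1 was up still carry ISP1 addresses after the default is withdrawn and would now be forwarded out Fe1, so flush them on failover with `clear ip nat translation *` (and watch `show track 1` and `show ip nat translations`). Inbound traffic to the ISP1 block still arrives only over ISP1, and can only ever arrive over ISP2 if ISP2 announces that block, which is the /24-or-shorter question pjtemplin raises above.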
 
LVL 12

Expert Comment

by:pjtemplin
ID: 18027989
I like keith alabaster's recommendations more than I do the author's selection.

Question has a verified solution.
