load balancing two ISP

Hello,

I have some problems when configuring access against two ISP providers.
First of all I'll describe the scenario.

The customer uses a Cisco 800 Series router, the first ISP uses a 7200 Series router for PPPoE (VRF) and the other ISP uses a 2600 Series router for the VPN Tunnel Interface.

So the customer's 800 Series router is configured to use both PPPoE (VRF) and a VPN Virtual Tunnel (PPPoE (VRF) against one ISP and the VPN Virtual Tunnel against the other ISP).

So the problem now is that the VPN Virtual Tunnel doesn't go down when the Dialer0 interface goes up.
Or better to say, the VPN Virtual Tunnel goes down, but it takes too long. Is it possible to force it?
I mean, force the process where the VPN Tunnel goes down once the Dialer0 interface is up?
My point here is that the tunnel needs to go down once Dialer0 goes up.

Now that You understand my problem and my question, let me show You the config of these routers below:

Customer router Cisco 800 Series config:

router-800_series#sh config
Using 2006 out of 131072 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname xxxxxxxx
!
boot-start-marker
boot-end-marker
!
enable secret ********************
!
aaa new-model
!
!
!
aaa session-id common
!
resource policy
!
ip subnet-zero
ip cef
!
!
!
!
no ip domain lookup
ip domain name xxxxxxxxxx
vpdn enable
!
!
!
!
username admin password ******************
!
!
track 1 interface Dialer0 ip routing
!
!
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
crypto isakmp key ****************** address 1.1.1.1 no-xauth
!
!
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
!
crypto ipsec profile ESP-AES-128-SHA-PROFIL
 set transform-set ESP-AES-128-SHA
!
!
!
!
!
interface Tunnel0
 ip address 10.13.1.2 255.255.255.0
 tunnel source Vlan3
 tunnel destination 1.1.1.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile ESP-AES-128-SHA-PROFIL
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
 switchport access vlan 3
!
interface FastEthernet4
 no ip address
 duplex auto
 speed auto
 pppoe enable group global
 pppoe-client dial-pool-number 1
!
interface Vlan1
 ip address 192.168.40.1 255.255.255.0
 ip helper-address 172.16.10.60
!
interface Vlan3
 ip address 80.80.80.1 255.255.255.0
!
interface Dialer0
 ip address negotiated
 ip mtu 1492
 encapsulation ppp
 dialer pool 1
 ppp authentication chap callin
 ppp chap hostname *********
 ppp chap password *********
!
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0 track 1
ip route 0.0.0.0 0.0.0.0 80.80.80.10 2
ip route 192.168.4.0 255.255.255.0 Tunnel0 2
!
!
no ip http server
no ip http secure-server
!
access-list 2 permit 172.25.1.0 0.0.0.255
!
!
control-plane
!
!
line con 0
 no modem enable
 transport output all
line aux 0
line vty 0 4
 access-class 2 in
 exec-timeout 0 0
 length 0
 transport input all
!
scheduler max-task-time 5000
end
______________________________________________
VPN Tunnel Router 2600 Series ISP 2:

router_2600#sh config
Using 2624 out of 29688 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname xxxxxxxxxxx
!
boot-start-marker
boot-end-marker
!
no logging console
enable secret ***********************
!
aaa new-model
!
!
!
!
aaa session-id common
no network-clock-participate slot 1
no network-clock-participate wic 0
ip cef
!
!
!
!
no ip domain lookup
ip domain name xxxxxxx
ip ssh time-out 60
ip ssh authentication-retries 5
!        
multilink bundle-name authenticated
!
!
!
!
!
username admin password ********************
!
!
!
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
crypto isakmp key ******************* address 80.80.80.1 no-xauth
!
!
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
!
crypto ipsec profile ESP-AES-128-SHA-PROFIL
 set transform-set ESP-AES-128-SHA
!
!
!
!
!
interface Tunnel0
 ip address 10.13.1.1 255.255.255.0
 tunnel source FastEthernet0/0.99
 tunnel destination 80.80.80.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile ESP-AES-128-SHA-PROFIL
!
interface FastEthernet0/0
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet0/0.50
 encapsulation dot1Q 50
 ip address 172.25.1.10 255.255.255.0
!
interface FastEthernet0/0.99
 encapsulation dot1Q 99
 ip address 1.1.1.1 255.255.255.0
!
interface Serial0/0
 no ip address
 shutdown
 no fair-queue
!
interface Serial0/1
 no ip address
 shutdown
!
ip route 0.0.0.0 0.0.0.0 2.2.2.2
ip route 192.168.4.0 255.255.255.0 172.25.1.1
ip route 192.168.9.0 255.255.255.0 172.25.1.1
ip route 192.168.40.0 255.255.255.0 Tunnel0
!
!
no ip http server
no ip http secure-server
!        
access-list 1 permit x.x.x.x
access-list 1 permit x.x.x.x
!
!
!
!
control-plane
!
!
!
line con 0
 password **************
line aux 0
line vty 0 4
 access-class 1 in
 password **************
line vty 5 15
 access-class 1 in
 transport input ssh
!
!
end

router_2600#exit
________________________________________________________

I really hope that someone can figure it out and let us accomplish our goal.

Thank You!!
Best regards

Asked by Shex_
wingatesl commented:
It looks like you are trying to do a failover between the Tunnel 0 and the Dialer 0. The easy way to do this is by tracking reachability as opposed to the interface:

ip sla 1
 icmp-echo <IP address that you can track for reachability>
 timeout 500
 frequency 3
ip sla schedule 1 life forever start-time now
track 10 rtr 1 reachability
ip route 0.0.0.0 0.0.0.0 <primary path> track 10
ip route 0.0.0.0 0.0.0.0 <secondary path> 5

When the ICMP echo fails the track state changes and removes the route. This way you are not dealing with interface status, which can be unreliable.
Shex_ (Author) commented:
First of all, thank You very much for the reply!!

Yes, You are right. The PPPoE (VRF) will be used as the primary ISP and if this goes down the Virtual VPN Tunnel takes over. So when the PPPoE comes up again, then the Virtual VPN Tunnel should go down and the router will then use PPPoE (VRF) again. This is what I want.

Still sure that it will help? Well, I will also try this, so I'll let You know!!

You have Your points, I'll just check this config so we are 100 % sure before I set it as the answer, so other people can read the correct config.

Thank You very much again!!
Best regards
wingatesl commented:
With your existing configuration, you are waiting for the PPPoE to go down before the tunnel route becomes the default. This method actively probes a host on the other end out your primary route and when it is unreachable it forces all traffic out the other route. I wrote a little about this with the Cisco reference at the bottom of the post. You can read it here (it also goes into detail on the commands):
http://www.inacom-sby.net/Shawn/post/2007/11/Cisco-IP-SLA-for-failover.aspx
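An added example, not from either poster, that applies the reachability-tracking approach from wingatesl's two comments above to the 800 Series config posted in the question. The probe target 203.0.113.1 is an assumed placeholder for a stable host that is only reachable through the PPPoE ISP; the two host routes pin the probe to Dialer0 and the IPsec peer to ISP 2 so that the tunnel stays up and the default route does not flap between the two paths.

```cisco
! Added example (not from the page): IP SLA failover for the 800 Series router.
! ASSUMPTION: 203.0.113.1 is a placeholder for a stable host reachable only
! via the PPPoE ISP; replace it with a real address behind that ISP.
!
! Probe the host every 3 seconds, sourced from the PPPoE address.
! (Older 12.4 images use "ip sla monitor 1" / "type echo protocol ipIcmpEcho".)
ip sla 1
 icmp-echo 203.0.113.1 source-interface Dialer0
 timeout 500
 frequency 3
ip sla schedule 1 life forever start-time now
!
! Track the probe; the delay stops a single lost ping from flapping the routes.
! (12.4(20)T and later also accept "track 10 ip sla 1 reachability".)
track 10 rtr 1 reachability
 delay down 10 up 30
!
! Pin the probe target to Dialer0: once the default has moved to the tunnel,
! the probe must not succeed through ISP 2 and bring track 10 back up.
ip route 203.0.113.1 255.255.255.255 Dialer0
!
! Keep the IPsec tunnel endpoint (1.1.1.1) on ISP 2 regardless of which
! default route is active, so Tunnel0 stays up while Dialer0 carries traffic.
ip route 1.1.1.1 255.255.255.255 80.80.80.10
!
! Default via PPPoE while the probe succeeds; floating backups via ISP 2
! take over only while the Dialer0 default is withdrawn.
no ip route 0.0.0.0 0.0.0.0 Dialer0 track 1
ip route 0.0.0.0 0.0.0.0 Dialer0 track 10
ip route 0.0.0.0 0.0.0.0 80.80.80.10 5
ip route 192.168.4.0 255.255.255.0 Tunnel0 5
```

Verify the failover state with `show track 10`, `show ip sla statistics 1` and `show ip route 0.0.0.0` before and after pulling the PPPoE uplink.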
Shex_ (Author) commented:
I see, a very nice detailed explanation, I wish others could be so detailed.
So in any case You mean this will work? I am not sitting behind these routers right now, I can only connect from the office IP address, so I'll test this tomorrow and I'll let You know!!

Our problem with the config above which we are using now is that the Virtual VPN Tunnel doesn't go down when the Dialer0 (PPPoE) goes up. So we need to wait about 15 min for the Virtual Tunnel to go down. This is not nice at all, we can't let customers wait so long, therefore I was asking for a solution.

But what and which command specifies "how often" the router will ping the IP address to check whether it is reachable or not? Does it ping all the time? Or?

wingatesl commented:
That is the purpose of the frequency command in the SLA.
Shex_ (Author) commented:
So You mean frequency 3 is enough?
wingatesl commented:
The tunnel does not have to go down in this configuration.
Shex_ (Author) commented:
I understand, once the Dialer0 interface (PPPoE) is coming up it will become the default first-priority route?
wingatesl commented:
Frequency 3 means to ping every 3 seconds. That is correct, the dialer route will be the default as soon as the tunnel stops passing traffic.
Shex_ (Author) commented:
Hm, but we need to use PPPoE as the default the whole time, which means when this goes down the Virtual Tunnel will take over through the other ISP; once the PPPoE is coming up again it needs to take over the default route. This is what I mean, so the Tunnel doesn't need to go down as long as PPPoE is taking over the default route. Am I right in this term?
wingatesl commented:
You are exactly right, that is why it works.
Shex_ (Author) commented:
Thank You very much again for helping, dude!!!
I understood the whole scenario now.

Still, I'll let you know, just in case....

Best regards
wingatesl commented:
No problem, if you need any additional help, just ask. Start a new question and email me a link (my address is in my profile).