load balancing two ISP

Posted on 2007-11-22
Last Modified: 2013-12-14
Hello,

I have some problems when configuring access against two ISP providers.
First of all I'll describe the scenario.

The customer uses a Cisco 800 Series router, the first ISP uses a 7200 series router for PPPoE (VRF) and the other ISP uses a 2600 series router for the VPN tunnel interface.

So the customer's 800 series router is configured to use both PPPoE (VRF) and a VPN virtual tunnel (PPPoE (VRF) against one ISP and the VPN virtual tunnel against the other ISP).

So the problem now is that the VPN virtual tunnel doesn't go down when the Dialer0 interface comes up.
Or, better said, the VPN virtual tunnel does go down, but it takes too long. Is it possible to force it?
I mean force the process so that the VPN tunnel goes down once the Dialer0 interface is up?
My point here is that the tunnel needs to go down once Dialer0 comes up.

Now that you understand my problem and my question, let me show you the config of these routers below:

Customer router Cisco 800 Series config:

router-800_series#sh config
Using 2006 out of 131072 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname xxxxxxxx
!
boot-start-marker
boot-end-marker
!
enable secret ********************
!
aaa new-model
!
!
!
aaa session-id common
!
resource policy
!
ip subnet-zero
ip cef
!
!
!
!
no ip domain lookup
ip domain name xxxxxxxxxx
vpdn enable
!
!
!
!
username admin password ******************
!
!
track 1 interface Dialer0 ip routing
!
!
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
crypto isakmp key ****************** address 1.1.1.1 no-xauth
!
!
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
!
crypto ipsec profile ESP-AES-128-SHA-PROFIL
 set transform-set ESP-AES-128-SHA
!
!
!
!
!
interface Tunnel0
 ip address 10.13.1.2 255.255.255.0
 tunnel source Vlan3
 tunnel destination 1.1.1.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile ESP-AES-128-SHA-PROFIL
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
 switchport access vlan 3
!
interface FastEthernet4
 no ip address
 duplex auto
 speed auto
 pppoe enable group global
 pppoe-client dial-pool-number 1
!
interface Vlan1
 ip address 192.168.40.1 255.255.255.0
 ip helper-address 172.16.10.60
!
interface Vlan3
 ip address 80.80.80.1 255.255.255.0
!
interface Dialer0
 ip address negotiated
 ip mtu 1492
 encapsulation ppp
 dialer pool 1
 ppp authentication chap callin
 ppp chap hostname *********
 ppp chap password *********
!
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0 track 1
ip route 0.0.0.0 0.0.0.0 80.80.80.10 2
ip route 192.168.4.0 255.255.255.0 Tunnel0 2
!
!
no ip http server
no ip http secure-server
!
access-list 2 permit 172.25.1.0 0.0.0.255
!
!
control-plane
!
!
line con 0
 no modem enable
 transport output all
line aux 0
line vty 0 4
 access-class 2 in
 exec-timeout 0 0
 length 0
 transport input all
!
scheduler max-task-time 5000
end
______________________________________________
VPN Tunnel Router 2600 Series ISP 2:

router_2600#sh config
Using 2624 out of 29688 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname xxxxxxxxxxx
!
boot-start-marker
boot-end-marker
!
no logging console
enable secret ***********************
!
aaa new-model
!
!
!
!
aaa session-id common
no network-clock-participate slot 1
no network-clock-participate wic 0
ip cef
!
!
!
!
no ip domain lookup
ip domain name xxxxxxx
ip ssh time-out 60
ip ssh authentication-retries 5
!        
multilink bundle-name authenticated
!
!
!
!
!
username admin password ********************
!
!
!
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
crypto isakmp key ******************* address 80.80.80.1 no-xauth
!
!
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
!
crypto ipsec profile ESP-AES-128-SHA-PROFIL
 set transform-set ESP-AES-128-SHA
!
!
!
!
!
interface Tunnel0
 ip address 10.13.1.1 255.255.255.0
 tunnel source FastEthernet0/0.99
 tunnel destination 80.80.80.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile ESP-AES-128-SHA-PROFIL
!
interface FastEthernet0/0
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet0/0.50
 encapsulation dot1Q 50
 ip address 172.25.1.10 255.255.255.0
!
interface FastEthernet0/0.99
 encapsulation dot1Q 99
 ip address 1.1.1.1 255.255.255.0
!
interface Serial0/0
 no ip address
 shutdown
 no fair-queue
!
interface Serial0/1
 no ip address
 shutdown
!
ip route 0.0.0.0 0.0.0.0 2.2.2.2
ip route 192.168.4.0 255.255.255.0 172.25.1.1
ip route 192.168.9.0 255.255.255.0 172.25.1.1
ip route 192.168.40.0 255.255.255.0 Tunnel0
!
!
no ip http server
no ip http secure-server
!        
access-list 1 permit x.x.x.x
access-list 1 permit x.x.x.x
!
!
!
!
control-plane
!
!
!
line con 0
 password **************
line aux 0
line vty 0 4
 access-class 1 in
 password **************
line vty 5 15
 access-class 1 in
 transport input ssh
!
!
end

router_2600#exit
________________________________________________________

I really hope that someone can figure it out and let us accomplish our goal.

Thank you!!
Best regards




Question by: Shex_

13 Comments

Accepted Solution by: wingatesl (earned 500 total points)
It looks like you are trying to do a failover between Tunnel0 and Dialer0. The easy way to do this is by tracking reachability as opposed to the interface:

ip sla 1
 icmp-echo <IP address that you can track for reachability>
 timeout 500
 frequency 3
ip sla schedule 1 life forever start-time now
track 10 rtr 1 reachability
ip route 0.0.0.0 0.0.0.0 <primary path> track 10
ip route 0.0.0.0 0.0.0.0 <secondary path> 5

When the ICMP echo fails the track state changes and removes the route. This way you are not dealing with interface status, which can be unreliable.
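As an added example, not part of the original thread or either participant's config: the accepted solution's IP SLA tracking written out against the customer's 800-series configuration posted above. The probe target 192.0.2.1 is a placeholder for a host that is reachable through ISP 1 (one of that ISP's DNS servers is the usual choice), and the track `delay` timers are an assumption; the interface names, next hop and route distances are the ones already in the posted config. Two lines go beyond what the answer shows and are worth the extra thought: the host route that pins the probe target to Dialer0, and the host route that pins the IPsec peer 1.1.1.1 to ISP 2.

```cisco
! Added example, not from the thread. Assumptions: 192.0.2.1 is a placeholder
! probe target reachable via ISP 1; "delay down 10 up 30" is a chosen dampening
! value. Everything else reuses names from the posted 800-series config.
!
! Probe a host beyond ISP 1 every 3 s, sourced from the PPPoE interface so the
! echo can only be answered over the primary path.
ip sla 1
 icmp-echo 192.0.2.1 source-interface Dialer0
 timeout 500
 frequency 3
ip sla schedule 1 life forever start-time now
!
! Track reachability of the probe rather than the line state of Dialer0.
! IOS 12.4 syntax; later releases write "track 10 ip sla 1 reachability".
! The delay keeps one lost echo from flapping the default route.
track 10 rtr 1 reachability
 delay down 10 up 30
!
! Pin the probe target to Dialer0. Without this, once the primary default is
! withdrawn the probe would succeed over the ISP 2 default (80.80.80.10),
! the track would come back up, the Dialer0 default would be re-installed,
! and the routes would flap every probe interval.
ip route 192.0.2.1 255.255.255.255 Dialer0
!
! Pin the IPsec peer to ISP 2. The tunnel is sourced from Vlan3 (80.80.80.1);
! with the Dialer0 default active, packets to 1.1.1.1 would otherwise leave
! via ISP 1 with an ISP 2 source address, so the tunnel only stays up
! reliably if its endpoint is always reached through 80.80.80.10.
ip route 1.1.1.1 255.255.255.255 80.80.80.10
!
! Replace the interface-tracked default with the reachability-tracked one.
! The floating default via ISP 2 (AD 2) and the Tunnel0 route for
! 192.168.4.0/24 from the posted config are left as they are.
no ip route 0.0.0.0 0.0.0.0 Dialer0 track 1
ip route 0.0.0.0 0.0.0.0 Dialer0 track 10
```

To check the result after applying it, `show track 10` should report the track as Up with the reachability state, `show ip sla statistics 1` should show recent successful echoes, and `show ip route 0.0.0.0` should list Dialer0 as the gateway of last resort; pulling the PPPoE link should move the gateway to 80.80.80.10 within roughly one probe interval plus the down delay, and reconnecting it should move it back after the up delay. Pick a probe target you are entitled to ping every few seconds indefinitely; a host that rate-limits or silently drops ICMP will look like a dead primary link.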
Author Comment by: Shex_
First of all, thank you very much for the reply!!

Yes, you are right. The PPPoE (VRF) will be used as the primary ISP and if this goes down the virtual VPN tunnel takes over. So when the PPPoE comes up again the virtual VPN tunnel should go down and the router will then use PPPoE (VRF) again. This is what I want.

Are you still sure that it will help? Well, I will also try this, so I'll let you know!!

You have your points; I'll just check this config so we are 100% sure before I set it as the answer, so other people can read the correct config.

Thank you very much again!!
Best regards
Expert Comment by: wingatesl
With your existing configuration, you are waiting for the PPPoE to go down before the tunnel route becomes the default. This method actively probes a host on the other end out your primary route and when it is unreachable it forces all traffic out the other route. I wrote a little about this, with the Cisco reference at the bottom of the post. You can read it here (it also goes into detail on the commands):
http://www.inacom-sby.net/Shawn/post/2007/11/Cisco-IP-SLA-for-failover.aspx
Author Comment by: Shex_
I see, a very nice detailed explanation; I wish others could be so detailed.
So in any case you mean this will work? I am not sitting behind these routers right now, I can only connect from the office IP address, so I'll test this tomorrow and I'll let you know!!

Our problem with the config above, which we are using now, is that the virtual VPN tunnel doesn't go down when Dialer0 (PPPoE) comes up. So we need to wait about 15 min for the virtual tunnel to go down. This is not nice at all, we can't let customers wait so long, therefore I was asking for a solution.

But what and which command specifies "how often" the router will ping the IP address to check whether it is reachable or not? Does it ping all the time? Or?

Expert Comment by: wingatesl
That is the purpose of the frequency command in the SLA.
Author Comment by: Shex_
So you mean frequency 3 is enough?
Expert Comment by: wingatesl
The tunnel does not have to go down in this configuration.
Author Comment by: Shex_
I understand, once the Dialer0 interface (PPPoE) is coming up it will become the default, first-priority route?
Expert Comment by: wingatesl
Frequency 3 means to ping every 3 seconds. That is correct, the dialer route will be the default as soon as the tunnel stops passing traffic.
Author Comment by: Shex_
Hm, but we need to use PPPoE as the default the whole time, which means when this goes down the virtual tunnel will take over through the other ISP; once the PPPoE comes up again it needs to take over the default route. This is what I mean, so the tunnel doesn't need to go down as long as PPPoE is taking over the default route. Am I right in this?
Expert Comment by: wingatesl
You are exactly right, that is why it works.
Author Comment by: Shex_
Thank you very much again for helping, dude!!!
I understood the whole scenario now.

Still, I'll let you know, just in case....

Best regards
Expert Comment by: wingatesl
No problem, if you need any additional help, just ask. Start a new question and email me a link (my address is in my profile).