EquityIT asked:
Which would be optimal, Load Balance or Load Sharing?
Attached is quick image of what I'm trying to accomplish. Currently, all of our branches are connected to our servers at our data center via MPLS using BGP. The MPLS router is a Cisco 2921.
One of our branches is constantly using the entire 1.5M line. Instead of increasing the speed of their T1 current line, which would cost $$$, I'd like to install a cheaper cable line at that office and use load balancing or load sharing. I'm not sure which route to go here. At the branch I have a Cisco 1921. The MPLS T1 is 1.5x1.5M, the cable line is 10x2M.
Somehow, I'd like to get the branch connected to the DC using the MPLS network and then connect them via VPN over the second ISP. I assume I should connect the 1921 VPN directly to the 2921, instead of the ASA 5510. ?
The branch employees are always complaining about slowness so I'd rather not use the 2nd line as a spare, but instead split the traffic up to lighten the load on the MPLS T1, or vice versa and use them as backups in case one fails.
Can someone recommend what configuration would work best for my scenario and then help me configure it?
I've read the following articles but I can't wrap my head around them... http://www.cisco.com/en/US/docs/solutions/Enterprise/WAN_and_MAN/VPNLoad/VPN_Load.html
[Attachment: mplsvpn.jpg]
ASKER CERTIFIED SOLUTION
I think you will have to redistribute the BGP routes into EIGRP.
Alternately, you can create a second GRE tunnel that goes over the MPLS network, and run EIGRP on both GRE tunnels.
ASKER
Sorry for the delay. I'm still working on this issue over here.
It appears I have phase 1 working. However phase 2 I don't think is working.
Here is a show crypto isakmp & ipsec sa dump from the Main and Branch routers -
branch#sh cry isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
XXX.XXX.97.22 XXX.XXX.4.150 QM_IDLE 1254 ACTIVE
IPv6 Crypto ISAKMP SA
branch#sh cry ipsec sa
interface: GigabitEthernet0/0
Crypto map tag: COX, local addr XXX.XXX.97.22
protected vrf: (none)
local ident (addr/mask/prot/port): (XXX.XXX.97.22/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (XXX.XXX.4.150/255.255.255.255/47/0)
current_peer XXX.XXX.4.150 port 500
PERMIT, flags={origin_is_acl,ipsec_sa_request_sent}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 2881, #recv errors 0
local crypto endpt.: XXX.XXX.97.22, remote crypto endpt.: XXX.XXX.4.150
path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0
current outbound spi: 0x0(0)
PFS (Y/N): N, DH group: none
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
branch#
_____________________
main#sh cry isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
XXX.XXX.97.22 192.168.100.2 QM_IDLE 1254 ACTIVE
IPv6 Crypto ISAKMP SA
main#sh cry ipsec sa
interface: GigabitEthernet0/0
Crypto map tag: branch, local addr 192.168.100.2
protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.100.2/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (XXX.XXX.97.22/255.255.255.255/47/0)
current_peer XXX.XXX.97.22 port 500
PERMIT, flags={origin_is_acl,ipsec_sa_request_sent}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 3110, #recv errors 0
local crypto endpt.: 192.168.100.2, remote crypto endpt.: XXX.XXX.97.22
path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0
current outbound spi: 0x0(0)
PFS (Y/N): N, DH group: none
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
main#
The Main router is behind our Cisco ASA 5510. I have a static NAT set up for XXX.XXX.4.150 to 192.168.100.2. I also added a service policy rule in the ASA, IPSec-Pass-Thru, using the default inspection map.
All I'm seeing is send errors. What else can I check/change?
Check the transform set, and the access lists that describe the traffic to be encrypted.
ASKER
Transform sets match. I made one change to the Main router access-list and Tunnel interface.
I had the Tunnel set to - which had the private IP behind the ASA.
interface Tunnel1
ip address 192.168.111.1 255.255.255.252
ip pim sparse-dense-mode
keepalive 5 2
tunnel source GigabitEthernet0/0
tunnel destination XXX.XXX.97.22
I changed the tunnel source to match the NAT'd IP.
interface Tunnel1
ip address 192.168.111.1 255.255.255.252
ip pim sparse-dense-mode
keepalive 5 2
tunnel source XXX.XXX.4.150
tunnel destination XXX.XXX.97.22
Here is another sh crypto ipsec sa dump -
main#sh cry ipsec sa
interface: GigabitEthernet0/0
Crypto map tag: MESA, local addr 192.168.100.2
protected vrf: (none)
local ident (addr/mask/prot/port): (XXX.XXX.4.150/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (XXX.XXX.97.22/255.255.255.255/47/0)
current_peer XXX.XXX.97.22 port 4500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 425, #pkts encrypt: 425, #pkts digest: 425
#pkts decaps: 1415, #pkts decrypt: 1415, #pkts verify: 1415
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 192.168.100.2, remote crypto endpt.: XXX.XXX.97.22
path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0
current outbound spi: 0x68852A55(1753557589)
PFS (Y/N): N, DH group: none
inbound esp sas:
spi: 0x3EE4BB50(1055177552)
transform: esp-256-aes esp-sha-hmac ,
in use settings ={Tunnel UDP-Encaps, }
conn id: 2003, flow_id: Onboard VPN:3, sibling_flags 80000046, crypto map: MESA
sa timing: remaining key lifetime (k/sec): (4438881/337)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x68852A55(1753557589)
transform: esp-256-aes esp-sha-hmac ,
in use settings ={Tunnel UDP-Encaps, }
conn id: 2004, flow_id: Onboard VPN:4, sibling_flags 80000046, crypto map: MESA
sa timing: remaining key lifetime (k/sec): (4438949/337)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
main#sh ip int bri
Interface IP-Address OK? Method Status Protocol
Embedded-Service-Engine0/0 unassigned YES NVRAM administratively down down
GigabitEthernet0/0 192.168.100.2 YES NVRAM up up
GigabitEthernet0/1 XXX.XXX.130.74 YES NVRAM up up
GigabitEthernet0/2 unassigned YES NVRAM administratively down down
Tunnel1 192.168.111.1 YES manual up down
main#
I'm getting encaps & decaps but the tunnel isn't coming up. Any ideas?
Thank you for your help thus far!
OK. The problem is that the tunnel source is wrong. (And probably the destination address on the other end.)
You have to use a source address that's on the router itself.
Since you're performing encryption on the ASA, you need to include the inside (non-NAT'd) addresses of the routers as part of the crypto map.
ASKER
Ok, the tunnels are up, but not working correctly... At least I think...
I can ping back and forth between the tunnels, 192.168.111.1 & .2.
The branch router 'show crypto ipsec sa' shows that it's encapping and the main router is decapping but not encapping.
Is it possible that the main router interface g0/0 can't be the NAT'd interface and the tunnel source? Do I need to use another interface to make it work? What's the next step to clean this mess up?
Here is the config and some dumps from the main router -
crypto isakmp policy 10
encr aes 256
authentication pre-share
group 5
crypto isakmp key 6 ********* address XXX.XXX.97.22
!
crypto ipsec transform-set SET1 esp-aes 256 esp-sha-hmac
!
crypto map BRANCHES 1 ipsec-isakmp
description VPN TO branch
set peer XXX.XXX.97.22
set transform-set SET1
match address branch
!
interface Tunnel1
ip address 192.168.111.1 255.255.255.252
keepalive 5 2
tunnel source GigabitEthernet0/0
tunnel destination 192.168.206.2
!
interface GigabitEthernet0/0
description Connecting to 100.X
ip address 192.168.100.2 255.255.255.0
ip flow ingress
duplex auto
speed auto
crypto map BRANCHES
!
interface GigabitEthernet0/1
description **************
ip address XXX.XXX.130.74 255.255.255.252
ip flow ingress
media-type sfp
service-policy output SHAPE
!
interface GigabitEthernet0/2
no ip address
shutdown
duplex auto
speed auto
!
router bgp 65100
bgp log-neighbor-changes
network 192.168.100.0
redistribute connected
redistribute static
neighbor XXX.XXX.130.73 remote-as 209
neighbor XXX.XXX.130.73 soft-reconfiguration inbound
default-information originate
!
ip route 0.0.0.0 0.0.0.0 192.168.100.1
ip route 192.168.101.0 255.255.255.0 192.168.100.3
!
ip access-list extended branch
permit gre host 192.168.100.2 host 192.168.206.2
!
main#sh cry is sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
192.168.100.2 XXX.XXX.97.22 QM_IDLE 1265 ACTIVE
IPv6 Crypto ISAKMP SA
main#sh cry ip sa
interface: GigabitEthernet0/0
Crypto map tag: BRANCHES, local addr 192.168.100.2
protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.100.2/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (192.168.206.2/255.255.255.255/47/0)
current_peer XXX.XXX.97.22 port 4500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 224, #pkts decrypt: 224, #pkts verify: 224
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 192.168.100.2, remote crypto endpt.: XXX.XXX.97.22
path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0
current outbound spi: 0xB581885(190322821)
PFS (Y/N): N, DH group: none
inbound esp sas:
spi: 0x72A3EA36(1923344950)
transform: esp-256-aes esp-sha-hmac ,
in use settings ={Tunnel UDP-Encaps, }
conn id: 2083, flow_id: Onboard VPN:83, sibling_flags 80000046, crypto map: BRANCHES
sa timing: remaining key lifetime (k/sec): (4415762/2667)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0xB581885(190322821)
transform: esp-256-aes esp-sha-hmac ,
in use settings ={Tunnel UDP-Encaps, }
conn id: 2084, flow_id: Onboard VPN:84, sibling_flags 80000046, crypto map: BRANCHES
sa timing: remaining key lifetime (k/sec): (4415786/2667)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
main#ping 192.168.111.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.111.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 24/25/32 ms
main#
Here is the config and some dumps from the branch router -
crypto isakmp policy 10
encr aes 256
authentication pre-share
group 5
crypto isakmp key 6 ********* address XXX.XXX.4.150
!
crypto ipsec transform-set SET1 esp-aes 256 esp-sha-hmac
!
crypto map IO 1 ipsec-isakmp
description VPN TO IO
set peer XXX.XXX.4.150
set transform-set SET1
match address IO
!
interface Tunnel1
ip address 192.168.111.2 255.255.255.252
keepalive 5 2
tunnel source GigabitEthernet0/1
tunnel destination 192.168.100.2
!
interface GigabitEthernet0/0
description COX
ip address XXX.XXX.97.22 255.255.255.240
duplex auto
speed auto
crypto map IO
!
interface GigabitEthernet0/1
description branch
ip address 192.168.206.2 255.255.255.0
duplex auto
speed auto
!
interface Serial0/0/0
ip address XXX.XXX.107.30 255.255.255.252
encapsulation ppp
!
router bgp 65206
bgp log-neighbor-changes
network 192.168.206.0
neighbor XXX.XXX.107.29 remote-as 209
neighbor XXX.XXX.107.29 soft-reconfiguration inbound
!
ip forward-protocol nd
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip route 0.0.0.0 0.0.0.0 XXX.XXX.97.17
!
ip access-list extended INTERNET
permit icmp host XXX.XXX.4.150 host XXX.XXX.97.22 log
permit udp host XXX.XXX.4.150 host XXX.XXX.97.22 eq isakmp log
ip access-list extended IO
permit gre host 192.168.206.2 host 192.168.100.2
!
branch#sh cry is sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
XXX.XXX.4.150 XXX.XXX.97.22 QM_IDLE 1001 ACTIVE
IPv6 Crypto ISAKMP SA
branch#sh cry ip sa
interface: GigabitEthernet0/0
Crypto map tag: IO, local addr XXX.XXX.97.22
protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.206.2/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (192.168.100.2/255.255.255.255/47/0)
current_peer XXX.XXX.4.150 port 4500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 261, #pkts encrypt: 261, #pkts digest: 261
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 1, #recv errors 0
local crypto endpt.: XXX.XXX.97.22, remote crypto endpt.: XXX.XXX.4.150
path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0
current outbound spi: 0x72A3EA36(1923344950)
PFS (Y/N): N, DH group: none
inbound esp sas:
spi: 0xB581885(190322821)
transform: esp-256-aes esp-sha-hmac ,
in use settings ={Tunnel UDP-Encaps, }
conn id: 2001, flow_id: Onboard VPN:1, sibling_flags 80000046, crypto map: IO
sa timing: remaining key lifetime (k/sec): (4592523/2588)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x72A3EA36(1923344950)
transform: esp-256-aes esp-sha-hmac ,
in use settings ={Tunnel UDP-Encaps, }
conn id: 2002, flow_id: Onboard VPN:2, sibling_flags 80000046, crypto map: IO
sa timing: remaining key lifetime (k/sec): (4592495/2588)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
branch#ping 192.168.111.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.111.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/24/36 ms
branch#
Once again - Thanks!
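The two kinds of dump posted in this thread carry different signatures: the first ones (send errors climbing, no inbound or outbound ESP SAs at all) mean phase 2 never completed, while the later main-router dump (decaps counting up, encaps stuck at 0, peer port 4500) means NAT-T is in use and the main router is receiving the branch's GRE but is not selecting anything of its own for encryption. The following parser is an added example, not Cisco's code and not something the poster ran: it reads the standard IOS 'show crypto ipsec sa' layout and classifies each SA. The sample dumps are constructed from the thread's output with 203.0.113.22 standing in for the masked branch address.

```python
# Added diagnostic for this thread (not Cisco's code, not the poster's):
# parse IOS 'show crypto ipsec sa' and classify each SA's health.
import re
from dataclasses import dataclass, field


@dataclass
class IpsecSaEntry:
    crypto_map: str
    local_ident: str = ""
    remote_ident: str = ""
    peer_port: int = 0
    encaps: int = 0
    decaps: int = 0
    send_errors: int = 0
    inbound_spis: list = field(default_factory=list)
    outbound_spis: list = field(default_factory=list)


def parse_show_crypto_ipsec_sa(text):
    """One IpsecSaEntry per local/remote ident pair (= per crypto ACL line)."""
    entries, cur, crypto_map, section = [], None, "", None
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"Crypto map tag: (\S+), local addr", line):
            crypto_map = m.group(1)
        elif m := re.match(r"local\s+ident \(addr/mask/prot/port\): \((.*)\)", line):
            cur = IpsecSaEntry(crypto_map=crypto_map, local_ident=m.group(1))
            entries.append(cur)
            section = None
        elif cur is None:
            continue
        elif m := re.match(r"remote ident \(addr/mask/prot/port\): \((.*)\)", line):
            cur.remote_ident = m.group(1)
        elif m := re.match(r"current_peer \S+ port (\d+)", line):
            cur.peer_port = int(m.group(1))
        elif m := re.match(r"#pkts (encaps|decaps): (\d+)", line):
            setattr(cur, m.group(1), int(m.group(2)))
        elif m := re.match(r"#send errors (\d+)", line):
            cur.send_errors = int(m.group(1))
        elif m := re.match(r"(inbound|outbound) (esp|ah|pcp) sas:", line):
            # SPIs after 'inbound/outbound esp sas:' belong to that direction;
            # the ah/pcp headers that follow close the ESP section.
            section = m.group(1) if m.group(2) == "esp" else None
        elif (m := re.match(r"spi: (0x[0-9A-Fa-f]+)", line)) and section:
            getattr(cur, f"{section}_spis").append(m.group(1))
    return entries


def diagnose(entry):
    """Return finding codes, most important first, for one SA entry."""
    findings = []
    if entry.peer_port == 4500:
        findings.append("NAT_T")  # ESP in UDP/4500: a NAT sits between the peers
    if not entry.inbound_spis and not entry.outbound_spis:
        # No ESP SA was ever built: quick mode failed. Compare transform sets
        # and make sure the two crypto ACLs are exact mirrors of each other.
        findings.append("NO_PHASE2")
        if entry.send_errors:
            findings.append("SEND_ERRORS_WITHOUT_SA")  # ACL matches, nothing to encrypt with
        return findings
    if entry.encaps == 0 and entry.decaps > 0:
        # Peer traffic arrives but nothing here is selected for encryption:
        # check the route to the remote ident and the crypto ACL.
        findings.append("NO_ENCAPS")
    elif entry.decaps == 0 and entry.encaps > 0:
        findings.append("NO_DECAPS")  # we send, nothing returns: peer ACL / return route
    elif entry.encaps and entry.decaps:
        findings.append("OK")
    return findings


# Constructed samples modelled on the thread's dumps (203.0.113.22 stands in
# for the masked branch address); only the lines the parser reads are kept.
SAMPLE_NO_PHASE2 = """\
    Crypto map tag: branch, local addr 192.168.100.2
   local  ident (addr/mask/prot/port): (192.168.100.2/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (203.0.113.22/255.255.255.255/47/0)
   current_peer 203.0.113.22 port 500
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #send errors 3110, #recv errors 0
     inbound esp sas:
     outbound esp sas:
"""

SAMPLE_ONE_WAY = """\
    Crypto map tag: BRANCHES, local addr 192.168.100.2
   local  ident (addr/mask/prot/port): (192.168.100.2/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (192.168.206.2/255.255.255.255/47/0)
   current_peer 203.0.113.22 port 4500
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 224, #pkts decrypt: 224, #pkts verify: 224
    #send errors 0, #recv errors 0
     inbound esp sas:
      spi: 0x72A3EA36(1923344950)
     inbound ah sas:
     outbound esp sas:
      spi: 0xB581885(190322821)
     outbound ah sas:
"""
```

Paste a real dump into parse_show_crypto_ipsec_sa() and run diagnose() on each entry; NO_PHASE2 with send errors is the first post's situation, NAT_T plus NO_ENCAPS the later one. A crypto map with several ACL lines yields several entries, one per local/remote ident pair.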
ASKER
Also, I tried to set up EIGRP, but the branch router wouldn't send hello packets across the tunnel. I'm assuming that's part of the same problem.
On the main router, add a route command so that traffic to the branch router goes out g0/0.
ip route XXX.XXX.97.22 255.255.255.255 192.168.100.1
Then, change your tunnel destination to the public IP of the branch router.
ASKER
Ok, I added the route, no issue, and the Tunnel stays active. But once I change the main router Tunnel dest to the public branch router IP, the Tunnel goes down.
Do you think I need to use another interface on the main router and make it public? To mimic the setup on the branch router... Right now int G0/0 is the NAT'd address and also the Tunnel source. Whereas the branch router has a public interface (G0/0) and the Tunnel source is an internal interface (G0/1).
ASKER
router bgp 65206
bgp log-neighbor-changes
network 192.168.XX.XX
neighbor XX.XX.XX.XX remote-as XX
neighbor XX.XX.XX.XX soft-reconfiguration inbound
!
Can I also use EIGRP? BGP should only be used for the serial interface. And EIGRP should be used for both serial and Gb interface?
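The steps given above (a host route for the branch's public IP on the main router, and the main router's tunnel destination set to that IP) only hold together when the tunnel source/destination pair, the crypto ACL and the routing are changed on both ends at once, because the crypto ACL has to describe exactly the GRE packet the tunnel builds, and the peer's ACL has to be its mirror. The following is an added configuration sketch of both ends done that way; it is not from the thread and not Cisco's, and it has not been tested against the poster's network. It keeps the thread's names and addresses, relies on two facts from the posted configs (the main router's gateway is 192.168.100.1, the branch's cable next hop is XXX.XXX.97.17), and assumes EIGRP AS 100, a placeholder pre-shared key, and the usual MTU/MSS values for GRE over IPsec. The ASA's static NAT rewrites only the outer ESP/UDP-4500 header, so the inner GRE addresses are the routers' own.

```cisco
! === Main (data-center) router: 192.168.100.2 on g0/0, behind the ASA ===
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 5
crypto isakmp key <PRE-SHARED-KEY> address XXX.XXX.97.22
crypto isakmp nat keepalive 20
!
crypto ipsec transform-set SET1 esp-aes 256 esp-sha-hmac
!
! The crypto ACL names the GRE flow exactly as Tunnel1 builds it:
! the router's own g0/0 address -> the branch's public address.
ip access-list extended branch
 permit gre host 192.168.100.2 host XXX.XXX.97.22
!
crypto map BRANCHES 1 ipsec-isakmp
 description VPN TO branch
 set peer XXX.XXX.97.22
 set transform-set SET1
 match address branch
!
interface Tunnel1
 ip address 192.168.111.1 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 keepalive 5 2
 tunnel source GigabitEthernet0/0
 tunnel destination XXX.XXX.97.22
!
interface GigabitEthernet0/0
 ip address 192.168.100.2 255.255.255.0
 crypto map BRANCHES
!
! Pin the branch's public IP to the ASA path so nothing learned over MPLS
! (or later over the tunnel itself) can ever pull it elsewhere.
ip route XXX.XXX.97.22 255.255.255.255 192.168.100.1
!
router eigrp 100
 network 192.168.111.0 0.0.0.3
 network 192.168.100.0 0.0.0.255
 passive-interface default
 no passive-interface Tunnel1
!
! === Branch router: g0/0 XXX.XXX.97.22 on the cable line, g0/1 192.168.206.2 ===
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 5
crypto isakmp key <PRE-SHARED-KEY> address XXX.XXX.4.150
crypto isakmp nat keepalive 20
!
crypto ipsec transform-set SET1 esp-aes 256 esp-sha-hmac
!
! Exact mirror of the main router's ACL.
ip access-list extended IO
 permit gre host XXX.XXX.97.22 host 192.168.100.2
!
crypto map IO 1 ipsec-isakmp
 description VPN TO IO
 set peer XXX.XXX.4.150
 set transform-set SET1
 match address IO
!
interface Tunnel1
 ip address 192.168.111.2 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 keepalive 5 2
 tunnel source GigabitEthernet0/0
 tunnel destination 192.168.100.2
!
interface GigabitEthernet0/0
 description COX
 ip address XXX.XXX.97.22 255.255.255.240
 crypto map IO
!
! 192.168.100.0/24 is also learned over MPLS via BGP. Without this /32 the
! GRE packets to the tunnel destination would leave on Serial0/0/0 in the
! clear and never touch the crypto map; the /32 keeps them on g0/0.
ip route 192.168.100.2 255.255.255.255 XXX.XXX.97.17
!
router eigrp 100
 network 192.168.111.0 0.0.0.3
 network 192.168.206.0 0.0.0.255
 passive-interface default
 no passive-interface Tunnel1
```

Two things to keep in mind when reading this against the thread's goal. The /32 statics on both ends are what prevent recursive routing: once EIGRP runs over the tunnel, neither side may learn a better route to its own tunnel destination through that tunnel, or IOS shuts the tunnel down. And with eBGP (administrative distance 20) still carrying the branch prefixes over MPLS while EIGRP (distance 90) carries them over the tunnel, the tunnel is a backup path, not a shared one; turning it into load sharing is the redistribution or second-GRE-over-MPLS design from the accepted answer, not a change to this crypto configuration.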