[Last Call] Learn how to a build a cloud-first strategyRegister Now

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 583
  • Last Modified:

Which woud be optimal, Load Balance or Load Sharing?

Attached is quick image of what I'm trying to accomplish. Currently, all of our branches are connected to our servers at our data center via MPLS using BGP. The MPLS router is a Cisco 2921.

One of our branches is constantly using the entire 1.5M line. Instead of increasing the speed of their T1 current line, which would cost $$$, I'd like to install a cheaper cable line at that office and use load balancing or load sharing. I'm not sure which route to go here. At the branch I have a Cisco 1921. The MPLS T1 is 1.5x1.5M, the cable line is 10x2M.

Somehow, I'd like to get the branch connected to the DC using the MPLS network and then connect them via VPN over the second ISP. I assume I should connect the 1921 VPN directly to the 2921, instead of the ASA 5510. ?

The branch employees are always complaining about slowness so I'd rather not use the 2nd line as a spare, but instead split the traffic up to lighten the load on the MPLS T1, or vice versa and use them as backups in case one fails.

Can someone recommend what configuration would work best for my scenario and then help me configure it?

I've read the following articles but I can't wrap my head around them... http://www.cisco.com/en/US/docs/solutions/Enterprise/WAN_and_MAN/VPNLoad/VPN_Load.html
mplsvpn.jpg
0
EquityIT
Asked:
EquityIT
  • 6
  • 5
1 Solution
 
asavenerCommented:
1.  Connect the branch with a GRE tunnel (encrypted using IPSec) Configuring VPNs Using an IPSec Tunnel and Generic Routing Encapsulation
2.  Implement EIGRP Configuring EIGRP
3.  Implement unequal cost load balancing How Does Unequal Cost Path Load Balancing (Variance) Work in IGRP and EIGRP?
4.  Tune your EIGRP metrics so that the traffic is balanced the way you want it.
0
 
EquityITAuthor Commented:
So if I have BGP like -

router bgp 65206
 bgp log-neighbor-changes
 network 192.168.XX.XX
 neighbor XX.XX.XX.XX remote-as XX
 neighbor XX.XX.XX.XX soft-reconfiguration inbound
!

I can also use EIGRP? BGP should only be used for the serial interface. And EIGRP should be used for both serial and Gb interface?
0
 
asavenerCommented:
I think you will have to redistribute the BGP routes into EIGRP.

Alternately, you can create a second GRE tunnel that goes over the MPLS network, and run EIGRP on both GRE tunnels.
0
A Cyber Security RX to Protect Your Organization

Join us on December 13th for a webinar to learn how medical providers can defend against malware with a cyber security "Rx" that supports a healthy technology adoption plan for every healthcare organization.

 
EquityITAuthor Commented:
Sorry for the delay. I'm still working on this issue over here.

It appears I have phase 1 working. However phase 2 I don't think is working.

Here is a show crypto isakmp & ipsec sa dump from the Main and Branch routers -

branch#sh cry isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
XXX.XXX.97.22    XXX.XXX.4.150   QM_IDLE           1254 ACTIVE

IPv6 Crypto ISAKMP SA

branch#sh cry ipsec sa

interface: GigabitEthernet0/0
    Crypto map tag: COX, local addr XXX.XXX.97.22

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (XXX.XXX.97.22/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (XXX.XXX.4.150/255.255.255.255/47/0)
   current_peer XXX.XXX.4.150 port 500
     PERMIT, flags={origin_is_acl,ipsec_sa_request_sent}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 2881, #recv errors 0

     local crypto endpt.: XXX.XXX.97.22, remote crypto endpt.: XXX.XXX.4.150
     path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0
     current outbound spi: 0x0(0)
     PFS (Y/N): N, DH group: none

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:
branch#
_____________________

main#sh cry isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
XXX.XXX.97.22    192.168.100.2   QM_IDLE           1254 ACTIVE

IPv6 Crypto ISAKMP SA

main#sh cry ipsec sa

interface: GigabitEthernet0/0
    Crypto map tag: branch, local addr 192.168.100.2

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.100.2/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (XXX.XXX.97.22/255.255.255.255/47/0)
   current_peer XXX.XXX.97.22 port 500
     PERMIT, flags={origin_is_acl,ipsec_sa_request_sent}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 3110, #recv errors 0

     local crypto endpt.: 192.168.100.2, remote crypto endpt.: XXX.XXX.97.22
     path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0
     current outbound spi: 0x0(0)
     PFS (Y/N): N, DH group: none

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:
main#

Open in new window


The Main router is behind our Cisco ASA 5510. I have a static Nat setup for XXX.XXX.4.150 to 192.168.100.2. I also added a service policy rule in the ASA, IPSec-Pass-Thru, using the default inspection map.

All I'm seeing is send errors. What else can I check/change?
0
 
asavenerCommented:
Check the transform set, and the access lists that describe the traffic to be encrypted.
0
 
EquityITAuthor Commented:
Transform sets match. I made one change to the Main router access-list and Tunnel interface.

I had the Tunnel set to - which had the private IP behind the ASA.
interface Tunnel1
 ip address 192.168.111.1 255.255.255.252
 ip pim sparse-dense-mode
 keepalive 5 2
 tunnel source GigabitEthernet0/0
 tunnel destination XXX.XXX.97.22

Open in new window


I changed the tunnel source to match the NAT'd IP.
interface Tunnel1
 ip address 192.168.111.1 255.255.255.252
 ip pim sparse-dense-mode
 keepalive 5 2
 tunnel source XXX.XXX.4.150
 tunnel destination XXX.XXX.97.22

Open in new window


Here is another sh crypto ipsec sa dump -
main#sh cry ipsec sa

interface: GigabitEthernet0/0
    Crypto map tag: MESA, local addr 192.168.100.2

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (XXX.XXX.4.150/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (XXX.XXX.97.22/255.255.255.255/47/0)
   current_peer XXX.XXX.97.22 port 4500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 425, #pkts encrypt: 425, #pkts digest: 425
    #pkts decaps: 1415, #pkts decrypt: 1415, #pkts verify: 1415
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 192.168.100.2, remote crypto endpt.: XXX.XXX.97.22
     path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0
     current outbound spi: 0x68852A55(1753557589)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0x3EE4BB50(1055177552)
        transform: esp-256-aes esp-sha-hmac ,
        in use settings ={Tunnel UDP-Encaps, }
        conn id: 2003, flow_id: Onboard VPN:3, sibling_flags 80000046, crypto map: MESA
        sa timing: remaining key lifetime (k/sec): (4438881/337)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x68852A55(1753557589)
        transform: esp-256-aes esp-sha-hmac ,
        in use settings ={Tunnel UDP-Encaps, }
        conn id: 2004, flow_id: Onboard VPN:4, sibling_flags 80000046, crypto map: MESA
        sa timing: remaining key lifetime (k/sec): (4438949/337)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

main#sh ip int bri
Interface                  IP-Address      OK? Method Status                Protocol
Embedded-Service-Engine0/0 unassigned      YES NVRAM  administratively down down
GigabitEthernet0/0         192.168.100.2   YES NVRAM  up                    up
GigabitEthernet0/1         XXX.XXX.130.74   YES NVRAM  up                    up
GigabitEthernet0/2         unassigned      YES NVRAM  administratively down down
Tunnel1                    192.168.111.1   YES manual up                    down
main#

Open in new window


I'm getting encaps & decaps but the tunnel isn't coming up. An ideas?

Thank you for your help thus far!
0
 
asavenerCommented:
OK.  The problem is that the tunnel source is wrong.  (And probably the destination address on the other end.)

You have to use a source address that's on the router itself.

Since you're performing encryption on the ASA, you need to include the inside (non-NAT'd) addresses of the routers as part of the crypto map.
0
 
EquityITAuthor Commented:
Ok, I the tunnels are up, but not working correctly... At least I think...

I can ping back and forth between the tunnels, 192.168.111.1 & .2.

The branch router 'show crypto ipsec sa' shows that its encapping and the main router is decapping but not encapping.

Is it possible that the main router interface g0/0 can't be the NAT'd interface and the tunnel source? Do I need to out another interface to work? Whats the next step to clean this mess up?

Here is the config and some dumps from the main router -
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 5
crypto isakmp key 6 ********* address XXX.XXX.97.22
!
crypto ipsec transform-set SET1 esp-aes 256 esp-sha-hmac
!
crypto map BRANCHES 1 ipsec-isakmp
 description VPN TO branch
 set peer XXX.XXX.97.22
 set transform-set SET1
 match address branch
!
interface Tunnel1
 ip address 192.168.111.1 255.255.255.252
 keepalive 5 2
 tunnel source GigabitEthernet0/0
 tunnel destination 192.168.206.2
!
interface GigabitEthernet0/0
 description Connecting to 100.X
 ip address 192.168.100.2 255.255.255.0
 ip flow ingress
 duplex auto
 speed auto
 crypto map BRANCHES
!
interface GigabitEthernet0/1
 description **************
 ip address XXX.XXX.130.74 255.255.255.252
 ip flow ingress
 media-type sfp
 service-policy output SHAPE
!
interface GigabitEthernet0/2
 no ip address
 shutdown
 duplex auto
 speed auto
!
router bgp 65100
 bgp log-neighbor-changes
 network 192.168.100.0
 redistribute connected
 redistribute static
 neighbor XXX.XXX.130.73 remote-as 209
 neighbor XXX.XXX.130.73 soft-reconfiguration inbound
 default-information originate
!
ip route 0.0.0.0 0.0.0.0 192.168.100.1
ip route 192.168.101.0 255.255.255.0 192.168.100.3
!
ip access-list extended branch
 permit gre host 192.168.100.2 host 192.168.206.2
!
main#sh cry is sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
192.168.100.2   XXX.XXX.97.22    QM_IDLE           1265 ACTIVE

IPv6 Crypto ISAKMP SA

main#sh cry ip sa

interface: GigabitEthernet0/0
    Crypto map tag: BRANCHES, local addr 192.168.100.2

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.100.2/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (192.168.206.2/255.255.255.255/47/0)
   current_peer XXX.XXX.97.22 port 4500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 224, #pkts decrypt: 224, #pkts verify: 224
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 192.168.100.2, remote crypto endpt.: XXX.XXX.97.22
     path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0
     current outbound spi: 0xB581885(190322821)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0x72A3EA36(1923344950)
        transform: esp-256-aes esp-sha-hmac ,
        in use settings ={Tunnel UDP-Encaps, }
        conn id: 2083, flow_id: Onboard VPN:83, sibling_flags 80000046, crypto map: BRANCHES
        sa timing: remaining key lifetime (k/sec): (4415762/2667)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xB581885(190322821)
        transform: esp-256-aes esp-sha-hmac ,
        in use settings ={Tunnel UDP-Encaps, }
        conn id: 2084, flow_id: Onboard VPN:84, sibling_flags 80000046, crypto map: BRANCHES
        sa timing: remaining key lifetime (k/sec): (4415786/2667)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:
main#ping 192.168.111.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.111.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 24/25/32 ms
main#

Open in new window


Here is the config and some dumps from the branch router -
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 5
crypto isakmp key 6 ********* address XXX.XXX.4.150
!
crypto ipsec transform-set SET1 esp-aes 256 esp-sha-hmac
!
crypto map IO 1 ipsec-isakmp
 description VPN TO IO
 set peer XXX.XXX.4.150
 set transform-set SET1
 match address IO
!
interface Tunnel1
 ip address 192.168.111.2 255.255.255.252
 keepalive 5 2
 tunnel source GigabitEthernet0/1
 tunnel destination 192.168.100.2
!
interface GigabitEthernet0/0
 description COX
 ip address XXX.XXX.97.22 255.255.255.240
 duplex auto
 speed auto
 crypto map IO
!
interface GigabitEthernet0/1
 description branch
 ip address 192.168.206.2 255.255.255.0
 duplex auto
 speed auto
!
interface Serial0/0/0
 ip address XXX.XXX.107.30 255.255.255.252
 encapsulation ppp
!
router bgp 65206
 bgp log-neighbor-changes
 network 192.168.206.0
 neighbor XXX.XXX.107.29 remote-as 209
 neighbor XXX.XXX.107.29 soft-reconfiguration inbound
!
ip forward-protocol nd
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip route 0.0.0.0 0.0.0.0 XXX.XXX.97.17
!
ip access-list extended INTERNET
 permit icmp host XXX.XXX.4.150 host XXX.XXX.97.22 log
 permit udp host XXX.XXX.4.150 host XXX.XXX.97.22 eq isakmp log
ip access-list extended IO
 permit gre host 192.168.206.2 host 192.168.100.2
!
branch#sh cry is sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
XXX.XXX.4.150   XXX.XXX.97.22    QM_IDLE           1001 ACTIVE

IPv6 Crypto ISAKMP SA

branch#sh cry ip sa

interface: GigabitEthernet0/0
    Crypto map tag: IO, local addr XXX.XXX.97.22

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.206.2/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (192.168.100.2/255.255.255.255/47/0)
   current_peer XXX.XXX.4.150 port 4500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 261, #pkts encrypt: 261, #pkts digest: 261
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 1, #recv errors 0

     local crypto endpt.: XXX.XXX.97.22, remote crypto endpt.: XXX.XXX.4.150
     path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0
     current outbound spi: 0x72A3EA36(1923344950)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0xB581885(190322821)
        transform: esp-256-aes esp-sha-hmac ,
        in use settings ={Tunnel UDP-Encaps, }
        conn id: 2001, flow_id: Onboard VPN:1, sibling_flags 80000046, crypto map: IO
        sa timing: remaining key lifetime (k/sec): (4592523/2588)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x72A3EA36(1923344950)
        transform: esp-256-aes esp-sha-hmac ,
        in use settings ={Tunnel UDP-Encaps, }
        conn id: 2002, flow_id: Onboard VPN:2, sibling_flags 80000046, crypto map: IO
        sa timing: remaining key lifetime (k/sec): (4592495/2588)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:
branch#ping 192.168.111.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.111.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/24/36 ms
branch#

Open in new window


Once again - Thanks!
0
 
EquityITAuthor Commented:
Also, I tried to setup EIGRP, but the branch router wouldn't send hello packets across the tunnel. I'm assuming thats apart of the same problem.
0
 
asavenerCommented:
On the main router, add a route command so that traffic to the branch router goes out g0/0.

ip route XXX.XXX.97.22 255.255.255.255. 192.168.100.1

Then, change your tunnel destination to the public IP of the branch router.
0
 
EquityITAuthor Commented:
Ok, I added the route, no issue, and the Tunnel stays active. But once I change the main router Tunnel dest to the public branch router IP, the Tunnel goes down.

Do you think I need to use another interface on the main router and make it public? To mimic the setup on the branch router... Right now int G0/0 is the NAT'd address and also the Tunnel source. Where as the branch router has a public interface (G0/0) and the Tunnel source is an internal interface (G0/1).
0

Featured Post

 The Evil-ution of Network Security Threats

What are the hacks that forever changed the security industry? To answer that question, we created an exciting new eBook that takes you on a trip through hacking history. It explores the top hacks from the 80s to 2010s, why they mattered, and how the security industry responded.

  • 6
  • 5
Tackle projects and never again get stuck behind a technical roadblock.
Join Now