• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 315

Load balancing on Cisco routers: which one to choose?

I have two HDSL lines, one Cisco 2911 router with two serial interfaces, and one ASA 5510 firewall. What is the best way to configure load balancing for non-stop connectivity?

The LAN has services, such as a mail server, that I would like to always be available from outside.
Thanks in advance.
2 Solutions
If you own your own IP block and are able to advertise it to your ISP(s) via a routing protocol such as BGP, you can make this work. However, I am going to assume that this is not the case and that these are just two separate connections.

There is no true way to make the two lines work for non-stop traffic flow unless the ISP allows you to turn those lines into a Multilink Point-to-Point (MLPPP) interface. MLPPP would make the two connections appear as one bonded connection, and that would allow you to potentially provide non-stop connections if a single link goes down.

The problem comes down to NAT. If you were to fail from one link to another, your NAT would have to use the IP address(es) assigned to that link. Any user with an open session to an internet service, such as a web server, would end up having that session reset. For the most part, the users would simply need to hit refresh and, assuming they weren't in the middle of entering a bunch of info, they would just carry on and assume it was a minor blip. Other sessions that are considered more critical and less fault tolerant could be a different story.

Now, if you want failover and are OK with sessions dropping when the lines switch, then this can certainly be done. You can lay out your network in two ways, and both have advantages and disadvantages.

2x Internet - router - firewall - lan
2x Internet - firewall - router - lan

With the router connected directly to the internet, you get the advantage that the router can perform failover, load balancing, NAT, and other features depending on your licensing. Being directly connected to the internet poses some security risks. The firewall would not need to perform any NAT function; it would be a very simple firewall that provides VPN services and stateful firewalling.

With the firewall connected to the internet, you would need the Security Plus license to have redundant internet connections. It would only be able to do failover; load balancing is essentially not an option without doing some strange internal network routing and firewall contexts (not recommended). The firewall would be in charge of NAT, VPN, and stateful firewalling, among potential others. Your router might not have any use at this point, depending on the rest of your equipment. Being on the inside, you can feel safe to run numerous services for voice and routing. There is nothing the router could do to cause the firewall to load balance outgoing connections, so the router is just a router at this point.

Both scenarios have the same session drop problem.

As far as the mail server goes, you just need to set up the NATs for both internet connections, reverse DNS for both IPs, two MX records with different priorities, and something that came up recently for me was how to handle OWA/smartphone connections. If you would expect that the primary internet connection (the one that OWA DNS queries would normally go to) would be down for an extended period of time, the only way to make sure remote users can get to their mail easily would be to have an externally accessible DNS load-balance option. This would be a service that tests both IP addresses to determine reachability and responds to DNS requests based on availability.
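As an added example, not taken from this answer or from any of the posters, here is what the first layout above (2x Internet - router - firewall - LAN) looks like on a 2911 with two serial links when the router does the failover, load sharing and NAT itself: each link's default route is tied to an IP SLA probe, CEF shares outbound flows across both links while they are up, outbound PAT follows whichever interface a packet leaves on, and the mail server is published on both ISP addresses. The interface names, the RFC 5737 documentation addresses, and the assumption that each ISP routes a small extra block (203.0.113.8/29 and 198.51.100.8/29) to the router are all assumptions made for the example.

```ios
! Added example configuration, not from the original thread.
! Assumed layout:
!   Serial0/0/0 = ISP-A, 203.0.113.2/30, next hop 203.0.113.1
!   Serial0/0/1 = ISP-B, 198.51.100.2/30, next hop 198.51.100.1
!   GigabitEthernet0/0 = LAN side (towards the ASA), 192.168.1.1/24
!   Mail server 192.168.1.25, published as 203.0.113.10 and 198.51.100.10
ip cef
!
interface Serial0/0/0
 description ISP-A
 ip address 203.0.113.2 255.255.255.252
 ip nat outside
!
interface Serial0/0/1
 description ISP-B
 ip address 198.51.100.2 255.255.255.252
 ip nat outside
!
interface GigabitEthernet0/0
 description LAN / ASA outside
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
! Reachability probe per link. Probing the ISP next hop only proves the
! line is up; probe an address beyond the ISP if upstream outages matter.
ip sla 1
 icmp-echo 203.0.113.1 source-interface Serial0/0/0
 frequency 10
ip sla schedule 1 life forever start-time now
ip sla 2
 icmp-echo 198.51.100.1 source-interface Serial0/0/1
 frequency 10
ip sla schedule 2 life forever start-time now
track 1 ip sla 1 reachability
track 2 ip sla 2 reachability
!
! Two equal-cost default routes: CEF shares outbound flows per destination
! across both links. When a probe fails its route is withdrawn and all
! traffic moves to the surviving link; NAT sessions on the dead link reset.
ip route 0.0.0.0 0.0.0.0 203.0.113.1 track 1
ip route 0.0.0.0 0.0.0.0 198.51.100.1 track 2
!
! Outbound PAT must use the address of the link the packet actually exits,
! so each NAT rule matches on the outgoing interface.
ip access-list standard LAN-HOSTS
 permit 192.168.1.0 0.0.0.255
!
route-map NAT-ISP-A permit 10
 match ip address LAN-HOSTS
 match interface Serial0/0/0
!
route-map NAT-ISP-B permit 10
 match ip address LAN-HOSTS
 match interface Serial0/0/1
!
ip nat inside source route-map NAT-ISP-A interface Serial0/0/0 overload
ip nat inside source route-map NAT-ISP-B interface Serial0/0/1 overload
!
! Inbound SMTP on both links. "extendable" allows one inside host to have
! static translations to more than one outside address; each MX record
! then points at one of the two published addresses.
ip nat inside source static tcp 192.168.1.25 25 203.0.113.10 25 extendable
ip nat inside source static tcp 192.168.1.25 25 198.51.100.10 25 extendable
```

One caveat on the inbound part: for a session that arrived over one ISP, the router picks the return path from its routing table, not from the link the session came in on, so while both links are up a reply can leave via the other ISP carrying the first ISP's address. If either provider filters source addresses, publish the mail server on one link only and let the routed failover cover the rest, or confirm in a lab that the providers accept each other's addresses before relying on both static translations.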
silviov (Author) commented:
Thank you for the very comprehensive answer. So I could choose between these two options:
1. Ask my ISP for only one IP range for both lines and proceed with the configuration of load balancing in BGP on the router.
This should be the best solution.

Alternatively, if my ISP gives me more than one IP pool, option 2:

2. Configure the router with two serial interfaces for the two lines, with two different IP pools, and configure the ASA firewall in "dual ISP" mode.

Is that correct?
Sandeep Gupta (Consultant) commented:
You can create a route map and apply it to your LAN interface like this:

! A numbered standard ACL takes only a source; "permit ip any any" is extended-ACL syntax
access-list 1 permit any
!
route-map LOAD permit 10
 match ip address 1
 ! With a list of interfaces, IOS sends matching traffic out the first one that is up,
 ! so this gives failover between WAN1 and WAN2 rather than load sharing
 set interface WAN1 WAN2
!
interface LAN
 ip policy route-map LOAD