

Load balancing on Cisco routers: which one to choose

Posted on 2013-01-16
Last Modified: 2014-11-10
I have two HDSL lines, one Cisco 2911 router with two serial interfaces and one ASA 5510 firewall. What is the best way to configure load balancing for non-stop connections?

The LAN has services such as the mail server that I would like to always be available from outside.
Thanks in advance.
Question by: silviov

Accepted Solution

rauenpc earned 1000 total points
ID: 38785302
If you own your own IP block, and are able to advertise that to your ISP('s) via a routing protocol such as BGP, you can make this work. However, I am going to assume that this is not the case, and assume that these are just two separate connections.

There is no true way to make the two lines work for non-stop traffic flow, unless the ISP allows you to turn those lines into a Multilink Point-to-Point interface (MLPPP). MLPPP would make the two connections appear as one bonded connection, and that would allow you to potentially provide non-stop connections if a single link goes down.

The problem comes down to NAT. If you were to fail from one link to another, your NAT would have to use the IP address(es) assigned to that link. Any user with an open session to an internet service, such as a web server, would end up having that session reset. For the most part, the users would simply need to hit refresh and, assuming they weren't in the middle of entering a bunch of info, they would just carry on and assume it was a minor blip. Other sessions that are considered more critical and less fault tolerant could be a different story.

Now if you want failover and are OK with sessions dropping when the lines switch, then this can certainly be done. You can lay out your network in two ways, and both have advantages and disadvantages.

2x Internet - router - firewall - lan
2x Internet - firewall - router - lan

With the router connected directly to the internet you get the advantage that the router can perform failover, load balancing, NAT, and other features depending on your licensing. Being directly connected to the internet poses some security risks. The firewall would not need to perform any NAT function. It would be a very simple firewall that would provide VPN services and stateful firewalling.

With the firewall connected to the internet you would need the Security Plus license to have redundant internet connections. It would only be able to do failover; load balancing is essentially not an option without doing some strange internal network routing and firewall contexts (not recommended). The firewall would be in charge of NAT, VPN, and stateful firewalling, among potential others. Your router might not have any use at this point depending on the rest of your equipment. Being on the inside, you can feel safe to run numerous services for voice and routing. There is nothing the router could do to cause the firewall to load balance outgoing connections, so the router is just a router at this point.

Both scenarios have the same session drop problem.

As far as the mail server goes, you just need to set up the NATs for both internet connections, reverse DNS for both IPs, two MX records with different priorities, and something that just came up recently for me was how to handle OWA/smartphone connections. If you would expect that the primary internet connection (the one that OWA DNS queries would normally go to) would be down for an extended period of time, the only way to make sure remote users can get to their mail easily would be to have an externally accessible DNS load balance option. This would be a service that tests both IP addresses to determine reachability, and responds to DNS requests based on availability.
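The first layout above (2x Internet - router - firewall - LAN, with the router doing failover and NAT) as a worked Cisco IOS configuration. This is an added example, not rauenpc's configuration or anything posted in the thread. Every interface name (Serial0/0/0, Serial0/0/1, GigabitEthernet0/0), every address (198.51.100.0/24 and 203.0.113.0/24 are documentation ranges), the ASA transit network, the inside LAN and the mail server address are assumed placeholders to be replaced with the real values.

```cisco
! Added example, not from the thread. All interface names, addresses and subnets
! are assumed placeholders; 198.51.100.0/24 and 203.0.113.0/24 are documentation ranges.
!
! --- Reachability probes: one ICMP echo per link against that ISP's next hop ---
! (probing only the next hop detects link and first-hop failures, not an ISP
!  upstream outage; probing farther out needs a /32 static route per link)
ip sla 1
 icmp-echo 198.51.100.1 source-interface Serial0/0/0
 frequency 10
ip sla schedule 1 life forever start-time now
ip sla 2
 icmp-echo 203.0.113.1 source-interface Serial0/0/1
 frequency 10
ip sla schedule 2 life forever start-time now
!
track 1 ip sla 1 reachability
track 2 ip sla 2 reachability
!
! --- WAN interfaces, one per HDSL line ---
interface Serial0/0/0
 description ISP1 - primary
 ip address 198.51.100.2 255.255.255.252
 ip nat outside
!
interface Serial0/0/1
 description ISP2 - backup
 ip address 203.0.113.2 255.255.255.252
 ip nat outside
!
! --- Transit network towards the ASA outside interface (assumed ASA outside = 192.168.1.2) ---
interface GigabitEthernet0/0
 description To ASA outside
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
! Inside LAN behind the ASA (assumed 10.10.0.0/16); the ASA does no NAT in this layout
ip route 10.10.0.0 255.255.0.0 192.168.1.2
!
! --- Default routes: AD 1 via ISP1 while track 1 is up, AD 10 via ISP2 as fallback ---
ip route 0.0.0.0 0.0.0.0 198.51.100.1 track 1
ip route 0.0.0.0 0.0.0.0 203.0.113.1 10 track 2
!
! --- Outbound NAT: translate to the address of whichever link the packet leaves on ---
ip access-list extended INSIDE-NETS
 permit ip 10.10.0.0 0.0.255.255 any
 permit ip 192.168.1.0 0.0.0.255 any
!
route-map NAT-ISP1 permit 10
 match ip address INSIDE-NETS
 match interface Serial0/0/0
!
route-map NAT-ISP2 permit 10
 match ip address INSIDE-NETS
 match interface Serial0/0/1
!
ip nat inside source route-map NAT-ISP1 interface Serial0/0/0 overload
ip nat inside source route-map NAT-ISP2 interface Serial0/0/1 overload
!
! --- Mail server (assumed 10.10.0.25) published on both public addresses ---
! One MX record and one reverse DNS entry per public address; "extendable" allows
! the same inside host to have a static translation on each link.
ip nat inside source static tcp 10.10.0.25 25 198.51.100.2 25 route-map NAT-ISP1 extendable
ip nat inside source static tcp 10.10.0.25 25 203.0.113.2 25 route-map NAT-ISP2 extendable
!
! Age out stale translations sooner after a switchover (default TCP timeout is 24 hours)
ip nat translation tcp-timeout 3600
```

Two caveats follow directly from the answer above. First, when track 1 fails the default route moves to ISP2 and new sessions are translated to 203.0.113.2, so every session that was translated to 198.51.100.2 is reset; this configuration provides failover, not non-stop connections. Second, while the primary is up, replies to inbound mail arriving on the backup link follow the routing table out Serial0/0/0, so the secondary MX is only dependably reachable once the primary route has been withdrawn, which is why the externally hosted DNS health check rauenpc mentions is what actually steers clients to the live address.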

Author Comment

ID: 38786218
Thank you for the very comprehensive answer, so I could choose between these two options:
1. Ask my ISP for only one IP range for both lines and proceed with the configuration of load balancing in BGP on the router.
This should be the best solution.

Alternatively, if my ISP does not give me only one pool of IPs, point 2:

2. Configure the router with two serial interfaces for the two lines with two different IP pools and configure the ASA firewall in "dual ISP" mode.

Is that correct?

Assisted Solution

by: Sandeep Gupta
Sandeep Gupta earned 1000 total points
ID: 38787231
You can create a route map and apply it to your LAN interface like this:

! WAN1, WAN2 and LAN are placeholders for the real interface names (e.g. Serial0/0/0)
! Standard numbered ACL: match all traffic from the LAN
access-list 1 permit any

route-map LOAD permit 10
 match ip address 1
 ! Forward matching traffic out the first listed interface that is up
 set interface WAN1 WAN2

interface LAN
 ip policy route-map LOAD
