load balancing on cisco routers which one to choose

Posted on 2013-01-16
Medium Priority
Last Modified: 2014-11-10
I have two HDSL lines, one Cisco 2911 router with two serial interfaces and one ASA 5510 firewall. What is the best way to configure load balancing for non-stop connections?

The LAN has services such as a mail server that I would like to always be reachable from outside.
Thanks in advance.
Question by:silviov

Accepted Solution

rauenpc earned 1000 total points
ID: 38785302
If you own your own IP block, and are able to advertise that to your ISP('s) via a routing protocol such as BGP, you can make this work. However, I am going to assume that this is not the case, and assume that these are just two separate connections.

There is no true way to make the two lines work for non-stop traffic flow, unless the ISP allows you to turn those lines into a Multilink Point-to-Point interface (MLPPP). MLPPP would make the two connections appear as one bonded connection, and that would allow you to potentially provide non-stop connections if a single link goes down.

The problem comes down to NAT. If you were to fail from one link to another, your NAT would have to use the IP address(es) assigned to that link. Any user with an open session to an internet service, such as a web server, would end up having that session reset. For the most part, the users would simply need to hit refresh and, assuming they weren't in the middle of entering a bunch of info, they would just carry on and assume it was a minor blip. Other sessions that are considered more critical and less fault tolerant could be a different story.

Now if you want failover and are OK with sessions dropping when the lines switch, then this can certainly be done. You can lay out your network in two ways, and both have advantages and disadvantages.

2x Internet - router - firewall - lan
2x Internet - firewall - router - lan

With the router connected directly to the internet you get the advantage that the router can perform failover, load balancing, NAT, and other features depending on your licensing. Being directly connected to the internet poses some security risks. The firewall would not need to perform any NAT function. It would be a very simple firewall that would provide VPN services and stateful firewalling.

With the firewall connected to the internet you would need the Sec Plus license to have redundant internet connections. It would only be able to do failover; load balancing is essentially not an option without doing some strange internal network routing and firewall contexts (not recommended). The firewall would be in charge of NAT, VPN, and stateful firewalling, among potential others. Your router might not have any use at this point depending on the rest of your equipment. Being on the inside you can feel safe to run numerous services for voice and routing. There is nothing the router could do to cause the firewall to load balance outgoing connections, so the router is just a router at this point.

Both scenarios have the same session drop problem.

As far as the mail server goes, you just need to set up the NATs for both internet connections, reverse DNS for both IPs, two MX records with different priorities, and something that just came up recently for me was how to handle OWA/smartphone connections. If you would expect that the primary internet connection (the one that OWA DNS queries would normally go to) would be down for an extended period of time, the only way to make sure remote users can get to their mail easily would be to have an externally accessible DNS load balance option. This would be a service that tests both IP addresses to determine reachability, and responds to DNS requests based on availability.

Author Comment

ID: 38786218
Thank you for the very comprehensive answer. So I could choose between these two options:
1. Ask my ISP for only one IP range for both lines and proceed with the configuration of load balancing via BGP on the router.
This should be the best solution.

Alternatively, if my ISP gives me more than just one pool of IPs, point 2:

2. Configure the router with two serial interfaces for the two lines with two different IP pools and configure the ASA firewall in "dual ISP" mode.

Is that correct?

Assisted Solution

by:Sandeep Gupta
Sandeep Gupta earned 1000 total points
ID: 38787231
You can create a route-map and apply it to your LAN interface like this:

! Standard numbered ACL 1 matches all source addresses
access-list 1 permit any

! Policy-route matching traffic out of WAN1; if more than one interface is
! listed, the first one that is up is used
route-map LOAD permit 10
 match ip address 1
 set interface WAN1 WAN2

! Apply the policy to traffic arriving on the LAN interface
interface LAN
 ip policy route-map LOAD
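The following is an added worked configuration, not from either answer, for rauenpc's first layout (router facing both lines and doing failover plus NAT) with Sandeep's route-map approach applied to NAT; the interface names, addresses and probe targets are assumed placeholders.

```cisco
! Added example, not from the thread: dual-ISP failover with per-link NAT on a
! Cisco IOS router. Interface names, addresses and the probe targets are
! placeholders; replace them with your own.
!
! Probe each ISP's next hop; a failed probe withdraws the tracked default route.
ip sla 1
 icmp-echo 203.0.113.1 source-interface Serial0/0/0
 frequency 10
ip sla schedule 1 life forever start-time now
ip sla 2
 icmp-echo 198.51.100.1 source-interface Serial0/0/1
 frequency 10
ip sla schedule 2 life forever start-time now
track 1 ip sla 1 reachability
track 2 ip sla 2 reachability
!
! Primary default route via ISP1; the ISP2 route has a higher administrative
! distance (10), so it is installed only when track 1 goes down. Drop the "10"
! to get per-destination load sharing over both links instead.
ip route 0.0.0.0 0.0.0.0 203.0.113.1 track 1
ip route 0.0.0.0 0.0.0.0 198.51.100.1 10 track 2
!
interface Serial0/0/0
 ip address 203.0.113.2 255.255.255.252
 ip nat outside
interface Serial0/0/1
 ip address 198.51.100.2 255.255.255.252
 ip nat outside
interface GigabitEthernet0/0
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
! Outbound NAT keyed on the egress interface so each flow is translated to the
! address of the link it actually leaves on. Existing translations are tied to
! the old address, which is why open sessions reset when the link switches.
access-list 10 permit 192.168.1.0 0.0.0.255
route-map NAT-ISP1 permit 10
 match ip address 10
 match interface Serial0/0/0
route-map NAT-ISP2 permit 10
 match ip address 10
 match interface Serial0/0/1
ip nat inside source route-map NAT-ISP1 interface Serial0/0/0 overload
ip nat inside source route-map NAT-ISP2 interface Serial0/0/1 overload
!
! Inbound SMTP to the mail server (192.168.1.25) via both public addresses,
! one per MX record, so mail still arrives while one line is down.
ip nat inside source static tcp 192.168.1.25 25 203.0.113.2 25 extendable
ip nat inside source static tcp 192.168.1.25 25 198.51.100.2 25 extendable
```

Verify the tracking with `show track` and `show ip sla statistics`, and remember that a tracked default route only protects against a dead next hop, not an upstream failure beyond the probe target.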
