Load balancing on Cisco routers: which one to choose?

Posted on 2013-01-16
Last Modified: 2014-11-10
I have two HDSL lines, one Cisco 2911 router with two serial interfaces, and one ASA 5510 firewall. What is the best way to configure load balancing for non-stop connections?

The LAN has services such as the mail server that I would like to always be available from outside.
Thanks in advance.
Question by: silviov

Accepted Solution

rauenpc earned 250 total points
If you own your own IP block, and are able to advertise that to your ISP(s) via a routing protocol such as BGP, you can make this work. However, I am going to assume that this is not the case, and assume that these are just two separate connections.

There is no true way to make the two lines work for non-stop traffic flow, unless the ISP allows you to turn those lines into a Multilink Point-to-Point interface (MLPPP). MLPPP would make the two connections appear as one bonded connection, and that would allow you to potentially provide non-stop connections if a single link goes down.

The problem comes down to NAT. If you were to fail from one link to another, your NAT would have to use the IP address(es) assigned to that link. Any user with an open session to an internet service, such as a web server, would end up having that session reset. For the most part, the users would simply need to hit refresh and, assuming they weren't in the middle of entering a bunch of info, they would just carry on and assume it was a minor blip. Other sessions that are considered more critical and less fault tolerant could be a different story.

Now if you want failover and are OK with sessions dropping when the lines switch, then this can certainly be done. You can lay out your network in two ways, and both have advantages and disadvantages.

2x Internet - router - firewall - lan
2x Internet - firewall - router - lan

With the router connected directly to the internet you get the advantage that the router can perform failover, load balancing, NAT, and other features depending on your licensing. Being directly connected to the internet poses some security risks. The firewall would not need to perform any NAT function. It would be a very simple firewall that would provide VPN services and stateful firewalling.

With the firewall connected to the internet you would need the Sec Plus license to have redundant internet connections. It would only be able to do failover; load balancing is essentially not an option without doing some strange internal network routing and firewall contexts (not recommended). The firewall would be in charge of NAT, VPN, and stateful firewalling, among potential others. Your router might not have any use at this point depending on the rest of your equipment. Being on the inside you can feel safe to run numerous services for voice and routing. There is nothing the router could do to cause the firewall to load balance outgoing connections, so the router is just a router at this point.

Both scenarios have the same session drop problem.

As far as the mail server goes, you just need to set up the NATs for both internet connections, reverse DNS for both IPs, two MX records with different priorities, and something that just came up recently for me was how to handle OWA/smartphone connections. If you would expect that the primary internet connection (the one that OWA DNS queries would normally go to) would be down for an extended period of time, the only way to make sure remote users can get to their mail easily would be to have an externally accessible DNS load balance option. This would be a service that tests both IP addresses to determine reachability, and responds to DNS requests based on availability.
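One way to build the router-in-front layout described above (2x Internet - router - firewall - LAN) with failover and NAT on both links, as an added example that is not from the original thread: an IOS configuration using IP SLA tracking, tracked default routes, per-interface PAT, and the mail server published on both public addresses. Interface names, addresses and ISP next hops are assumed placeholders.

```cisco
! Added example: dual-WAN failover on an IOS router with IP SLA tracking,
! per-link PAT and the mail server reachable on both public addresses.
! Interface names, addresses and ISP next hops below are assumed placeholders.
ip sla 1
 icmp-echo 203.0.113.1 source-interface Serial0/0/0
 frequency 10
ip sla schedule 1 life forever start-time now
ip sla 2
 icmp-echo 198.51.100.1 source-interface Serial0/0/1
 frequency 10
ip sla schedule 2 life forever start-time now
! Probing the ISP next hop only detects the local link; probe a host beyond it where possible
track 1 ip sla 1 reachability
track 2 ip sla 2 reachability
!
interface Serial0/0/0
 description ISP-A (primary)
 ip address 203.0.113.2 255.255.255.252
 ip nat outside
interface Serial0/0/1
 description ISP-B (backup)
 ip address 198.51.100.2 255.255.255.252
 ip nat outside
interface GigabitEthernet0/0
 description LAN side (towards the ASA)
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
! Primary default route via ISP-A; floating static (AD 10) via ISP-B. Each is withdrawn when its track goes down.
ip route 0.0.0.0 0.0.0.0 203.0.113.1 track 1
ip route 0.0.0.0 0.0.0.0 198.51.100.1 10 track 2
!
! PAT per egress interface: the route-map ties each translation to the link the packet leaves on
ip access-list standard LAN-NETS
 permit 192.168.1.0 0.0.0.255
route-map NAT-ISPA permit 10
 match ip address LAN-NETS
 match interface Serial0/0/0
route-map NAT-ISPB permit 10
 match ip address LAN-NETS
 match interface Serial0/0/1
ip nat inside source route-map NAT-ISPA interface Serial0/0/0 overload
ip nat inside source route-map NAT-ISPB interface Serial0/0/1 overload
!
! Mail server published on both links (one MX record per address); open sessions still reset on failover
ip nat inside source static tcp 192.168.1.25 25 203.0.113.2 25 route-map NAT-ISPA extendable
ip nat inside source static tcp 192.168.1.25 25 198.51.100.2 25 route-map NAT-ISPB extendable
```

Existing translations for the failed link stay in the NAT table until they time out, so after a track state change a `clear ip nat translation *` (manually or from an EEM applet) speeds up recovery.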

Author Comment
Thank you for the very comprehensive answer, so I could choose between these two options:

1. Ask my ISP for only one IP range for both lines and proceed with the configuration of load balancing in BGP on the router. This should be the best solution.

Alternatively, if my ISP does not give me only one pool of IPs, point 2:

2. Configure the router with two serial interfaces for the two lines with two different IP pools, and configure the ASA firewall in "dual ISP".

Is that correct?

Assisted Solution

by: Sandeep Gupta
Sandeep Gupta earned 250 total points
You can create a route map and apply it to your LAN interface like this:

! Standard ACL 1 matches traffic from any source
access-list 1 permit any
!
! Route map LOAD: packets matching ACL 1 are sent out the listed interfaces.
! With more than one interface in "set interface", the first listed interface that is up is used.
! WAN1, WAN2 and LAN are placeholders for the router's actual serial and LAN interface names.
route-map LOAD permit 10
 match ip address 1
 set interface WAN1 WAN2
!
! Apply the policy to the LAN-facing interface
interface LAN
 ip policy route-map LOAD
