Solved

ISP loadbalancing and redundancy topology

Posted on 2014-01-20
Last Modified: 2014-02-17
Hi,

Pls view the attachment

I have two ISPs connected to a router.

2 VLANs are configured in the Core-Sw, i.e. VLAN 10 and VLAN 20


Our requirement is

VLAN 10 users should go via ISP1, i.e. through 201.202.203.1

VLAN 20 users should go via ISP2, i.e. through 101.102.103.1

If ISP1 fails, VLAN 10 users should go over ISP2, and once the link is up it should return to the usual link, i.e. ISP1

This should be the same for VLAN 20 users as well..


Is there a workaround..


Regards
Ramu
ISP-redundancy-Lab.pdf
Question by:RAMU CH
LVL 6

Assisted Solution

by:Jordan Medlen
Jordan Medlen earned 250 total points
ID: 39794063
What type of router is this? If Cisco, for instance, you'd want to configure policy based routing. An example would be...

access-list 10 permit <subnet_vlan_10> <wildcard_mask>
access-list 20 permit <subnet_vlan_20> <wildcard_mask>
!
route-map PBR permit 10
 match ip address 10
 set ip next-hop 201.202.203.1 101.102.103.1
route-map PBR permit 20
 match ip address 20
 set ip next-hop 101.102.103.1 201.202.203.1
!
interface vlan 10
 ip route-cache policy
 ip policy route-map PBR
!
interface vlan 20
 ip route-cache policy
 ip policy route-map PBR

To show the effectiveness of the policy, you can run "show route-map PBR" and see the stats on packets hitting the route-map.
LVL 11

Accepted Solution

by:
Miftaul earned 250 total points
ID: 39794115
You can do the configuration on the router using PBR and a default route. Let's say ISP1 is connected via GigabitEthernet0/0 (201.202.203.1) and ISP2 via GigabitEthernet0/1 (101.102.103.1).

Configure an IP SLA
R1(config)# ip sla 100
R1(config-ip-sla)# icmp-echo 8.8.8.8 source-interface GigabitEthernet0/0
R1(config-ip-sla-echo)# timeout 1000
R1(config-ip-sla-echo)# threshold 2
R1(config-ip-sla-echo)# frequency 3
R1(config-ip-sla-echo)# exit
R1(config-ip-sla)# exit
R1(config)# ip sla schedule 100 life forever start-time now
R1(config)# ! track object that follows the probe's reachability state; the default route below references it
R1(config)# track 100 ip sla 100 reachability


Now create the default route pointed to ISP1 with a track object, so when the ISP1 interface loses connectivity to the internet, traffic will pass via ISP2.
R1(config)# ! Static default route to primary ISP1 next-hop 201.202.203.1, tied to the track object
R1(config)# ip route 0.0.0.0 0.0.0.0 201.202.203.1 track 100
R1(config)# !
R1(config)# ! Static default route to second ISP next-hop 101.102.103.1; the administrative distance is raised to 10 to make it floating
R1(config)# ip route 0.0.0.0 0.0.0.0 101.102.103.1 10


Now all the traffic will pass via ISP1 and fail over to ISP2 when ISP1 loses connectivity.
We will now configure Policy Based Routing to selectively route VLAN20 traffic over ISP2 and fail over to ISP1 when ISP2 loses connectivity.

Create an ACL to catch VLAN20 traffic. Using a route map we will set the next-hop to the ISP2 next-hop, and then we apply the route map configuration on the interface connecting to the switch.
ip access-list extended VLAN20Subnet
 ! match all IP traffic from the VLAN20 subnet, not only TCP
 10 permit ip 192.168.101.0 0.0.0.255 any
 20 deny ip any any
!
route-map Go2ISP2 permit 10
 match ip address VLAN20Subnet
 ! ISP2 next-hop, the same address used by the floating default route
 set ip next-hop 101.102.103.1
!
interface Fa0/1
 ip policy route-map Go2ISP2


We need to have NAT configured on both the interfaces connecting to ISP1 and ISP2.
LVL 1

Author Comment

by:RAMU CH
ID: 39796786
Thanks, but what about the firewall (Cisco ASA 5510) configuration..?

Where should I NAT the LAN traffic?

Regards
ramu
LVL 11

Expert Comment

by:Miftaul
ID: 39796833
Is your router connected to the ASA5510? You can do NAT in the ASA.

Or does the switch directly connect to the ASA? Pls advise.
LVL 6

Assisted Solution

by:Jordan Medlen
Jordan Medlen earned 250 total points
ID: 39796932
The firewall changes things from a PBR standpoint. If you can get another IP address for the external interface of your firewall, you can NAT one VLAN to one external IP address on the firewall, and the other VLAN out another. Then you would use your ACL to match those two addresses and route based on those.

For instance in your firewall...

object network obj-192.168.100.0
 subnet 192.168.100.0 255.255.255.0
 nat (inside,outside) dynamic 14.x.x.2
!
object network obj-192.168.101.0
 subnet 192.168.101.0 255.255.255.0
 nat (inside,outside) dynamic 14.x.x.3
!

On your router...

access-list 10 permit host 14.x.x.2
access-list 20 permit host 14.x.x.3
!
route-map PBR permit 10
 match ip address 10
 set ip next-hop 201.202.203.1 101.102.103.1
route-map PBR permit 20
 match ip address 20
 set ip next-hop 101.102.103.1 201.202.203.1
!
interface Fa0/1 <-- Example interface
 ip route-cache policy
 ip policy route-map PBR
!
end
!
copy run start
LVL 1

Author Comment

by:RAMU CH
ID: 39796948
Thanks for your configuration..

From the above configuration, how do we detect ISP failure, as there is no interface tracking?

Regards
Ramu
LVL 6

Assisted Solution

by:Jordan Medlen
Jordan Medlen earned 250 total points
ID: 39796954
You would implement the tracking such as Miftaul added above, if you so chose. That would work. I have implemented PBR in my network for certain paths without tracking, and it works fine. Basically in the route-map statements above, in the next-hop portion, the first IP address is what you want preferred, and if that isn't available, use the second. I have done this for years without tracking and have never had any problems. If you want to use tracking though, Miftaul's contribution would work.
LVL 11

Expert Comment

by:Miftaul
ID: 39796992
I agree with Jordan Medlen.

The reason interface tracking is good is that sometimes the ISP's next-hop might work just fine but the ISP itself loses up-link connectivity; then the next-hop is still reachable and the interface is up although there is no internet connectivity. All the traffic is routed to the interface and doesn't go anywhere. I experienced this many times.
LVL 6

Expert Comment

by:Jordan Medlen
ID: 39797003
Miftaul is correct; that is a potential downside. Both configurations combined would be best.
LVL 1

Author Comment

by:RAMU CH
ID: 39797172
Hi Jordan,

I followed your configuration, but when the ISP1 link fails (192.168.200.1), it is not redirecting to
192.168.201.1

Pls view the configuration

Regards
Ramu
ISP-R1-configuration.log
ISP-redundancy-and-loadblancing.png
LVL 6

Expert Comment

by:Jordan Medlen
ID: 39798417
Everything looks correct to me. What do you mean it's not redirecting? How are you testing and where are you testing from? Traffic generated from the router won't be affected, only traffic through the router, specifically the inbound traffic on interface Fa0/1.

Secondly, inbound traffic on the external facing interfaces won't follow the PBR rules implemented as there's no PBR configured on the external interfaces. Does this make sense?
LVL 1

Author Comment

by:RAMU CH
ID: 39799068
Hi,

I am trying from a VLAN 10 PC, and when ISP 1 goes down, the VLAN 10 PC is not going over
ISP 2 with Jordan's suggested configuration

Regards
Ramu
LVL 11

Expert Comment

by:Miftaul
ID: 39799093
Did you check the NAT configuration for ISP2?
LVL 1

Author Comment

by:RAMU CH
ID: 39799110
Is NAT required at the router side?

I gave policy based routes for VLAN 10 and VLAN 20

I have NATted VLAN 10 devices and VLAN 20 devices at the firewall itself

Regards
Ramu
LVL 6

Expert Comment

by:Jordan Medlen
ID: 39799762
NAT should be done at the firewall and as long as you are using globally routable IP addresses (non-RFC 1918) on the external side of the firewall and all interfaces of your router, no NAT should be needed.
LVL 1

Author Comment

by:RAMU CH
ID: 39799822
I got it a little bit, pls don't mind, describe more..

If I do NAT in the firewall with the public IP address of ISP-1 for VLAN 10 and VLAN 20, how
will VLAN 20 traffic be recognised by ISP-2 as it's been NATted with an ISP-1 IP address?

Does ISP-2 route the ISP-1 NAT IP address?

Regards
Ram
LVL 11

Assisted Solution

by:Miftaul
Miftaul earned 250 total points
ID: 39799858
There has to be separate NAT for ISP2.

ISP1's NATed IP will simply not work on ISP2, because public IP blocks are registered and have routes pointing to their own ISP in BGP.

You have to have separate NAT over the two ISP interfaces; the source and destination could be any any. The default route or the PBR will force packets to reach a certain interface, and the NAT will take over from there to convert them to a publicly routable IP.
LVL 1

Author Comment

by:RAMU CH
ID: 39800367
Hi,

You mean for VLAN 20 traffic, does it need NAT 2 times,

 one at the firewall for translating the VLAN 20 private IP address to an ISP-1 public pool IP address,
 second at the router for translating the ISP-1 public pool IP (for VLAN 20) to an ISP-2 public IP address.

Pls clarify on the above..?

My second question is: if ISP-1 fails, then how does VLAN 10 traffic with a NATted IP from the ISP-1 public pool get converted to an ISP-2 public pool IP address in the router to go over ISP-2?

Do I need to configure NAT again in the router for VLAN 10 traffic with an ISP-2 pool IP address? In case I do NAT in the router with an ISP-2 public IP address, when VLAN 10 traffic hits the router it automatically converts to an ISP-2 public pool IP address and goes over ISP-2, but our requirement is that it should go over ISP-1


For VLAN 10, the primary ISP is ISP-1 and the secondary ISP is ISP-2, and
for VLAN 20, the primary ISP is ISP-2 and the secondary ISP is ISP-1

Pls correct me if I am wrong?
LVL 1

Author Comment

by:RAMU CH
ID: 39805383
Will you pls share what the FW side and router side configurations should be

Regards
Ram
LVL 11

Expert Comment

by:Miftaul
ID: 39805451
Please post your firewall config where the NAT is happening.
LVL 1

Author Comment

by:RAMU CH
ID: 39805502
Hi,

Pls view the router and firewall config, which are the main ones for this scenario..

Is there any NAT priority we can configure in the router / firewall?


How does the router change one ISP's NAT IP address to the other ISP's NAT for the same source traffic?


Regards
Ramu
FW-conf.txt
ISP-R1-configuration.log
LVL 11

Expert Comment

by:Miftaul
ID: 39805621
Your initial diagram and the configuration here don't match at all. The IP addressing is different.

The router is connecting to two different ISPs and the PIX is between the LAN switch and the router. Is that correct? Then NAT is to be done in the router, not the PIX
LVL 1

Author Comment

by:RAMU CH
ID: 39805662
Correct.. Maybe somewhere the configuration was not saved..

The architecture is what you said..

Can this work:

1. VLAN 10 will be NATted in the firewall, and for the NATted public IP we can configure a policy based route in the Cisco router.

2. VLAN 20 will be NATted in the Cisco router with the ISP2 interface

3. Default routes to ISP1 and ISP2

4. Now tell me, if ISP1 fails, how will the VLAN 10 ISP1 public IP address be translated to
an ISP2 public IP address, and the same for VLAN 20

Regards
Ram
LVL 11

Assisted Solution

by:Miftaul
Miftaul earned 250 total points
ID: 39805682
1. VLAN 10 will be NATted in the firewall, and for the NATted public IP we can configure a policy based route in the Cisco router.
Nope, it doesn't work like that. If you are NATing in the PIX for both VLAN10 & VLAN20, they both end up with the same IP address; how can a router distinguish between the VLAN subnets? NAT is done for translating private addresses to public addresses. Do you have a public block?
We can NAT only VLAN 10 on the PIX and let the traffic pass through either of the ISPs un-NATed.
Why make it that complex? Don't you have access to the router? Just do the NAT on the router and it will work fine. If you are doing this in a lab, give us the diagram along with the config, and we can give you better advice.

2. VLAN 20 will be NATted in the Cisco router with the ISP2 interface
Yes, it's ok.

 3. Default routes to ISP1 and ISP2
It's done on the router and will be fine with the current config.

4. Now tell me, if ISP1 fails, how will the VLAN 10 ISP1 public IP address be translated to
an ISP2 public IP address, and the same for VLAN 20
We have to configure NAT with a route-map, check this link
If you give the diagram with the config, we can give you better advice.
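A combined router configuration for the topology discussed in this thread, written here as an added example (it is not taken from any of the posts): NAT is done on the router with route-maps keyed on the exit interface, so each VLAN's translation follows whichever ISP it is currently leaving through, and IP SLA tracking drives both the default routes and the per-VLAN PBR next-hops. Interface names, the probe targets 8.8.8.8 and 8.8.4.4, and the VLAN subnets 192.168.100.0/24 (VLAN 10) and 192.168.101.0/24 (VLAN 20) are assumptions.

```cisco
! Reachability probes, one per ISP, each sourced from that ISP's interface
ip sla 100
 icmp-echo 8.8.8.8 source-interface GigabitEthernet0/0
 frequency 3
ip sla schedule 100 life forever start-time now
ip sla 200
 icmp-echo 8.8.4.4 source-interface GigabitEthernet0/1
 frequency 3
ip sla schedule 200 life forever start-time now
track 100 ip sla 100 reachability
track 200 ip sla 200 reachability
!
! Tracked default routes: a dead ISP is withdrawn from the routing table
ip route 0.0.0.0 0.0.0.0 201.202.203.1 track 100
ip route 0.0.0.0 0.0.0.0 101.102.103.1 10 track 200
!
! Per-VLAN policy routing; preferred next-hop first, each tied to its track
ip access-list extended VLAN10
 permit ip 192.168.100.0 0.0.0.255 any
ip access-list extended VLAN20
 permit ip 192.168.101.0 0.0.0.255 any
route-map PBR permit 10
 match ip address VLAN10
 set ip next-hop verify-availability 201.202.203.1 10 track 100
 set ip next-hop verify-availability 101.102.103.1 20 track 200
route-map PBR permit 20
 match ip address VLAN20
 set ip next-hop verify-availability 101.102.103.1 10 track 200
 set ip next-hop verify-availability 201.202.203.1 20 track 100
!
! NAT selected by exit interface, so the translation follows the failover
ip access-list extended LAN
 permit ip 192.168.100.0 0.0.0.255 any
 permit ip 192.168.101.0 0.0.0.255 any
route-map NAT-ISP1 permit 10
 match ip address LAN
 match interface GigabitEthernet0/0
route-map NAT-ISP2 permit 10
 match ip address LAN
 match interface GigabitEthernet0/1
ip nat inside source route-map NAT-ISP1 interface GigabitEthernet0/0 overload
ip nat inside source route-map NAT-ISP2 interface GigabitEthernet0/1 overload
interface GigabitEthernet0/0
 ip nat outside
interface GigabitEthernet0/1
 ip nat outside
interface FastEthernet0/1
 ip nat inside
 ip policy route-map PBR
```

Translations already in the NAT table are not rewritten when an ISP fails: existing flows break and age out (or can be cleared with clear ip nat translation *), while new sessions from the affected VLAN are translated to the surviving ISP's interface address because the NAT route-map now matches that exit interface.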
LVL 1

Author Comment

by:RAMU CH
ID: 39809771
Hi,

Here is the attached diagram.. Pls view..

In that, ISP-1 gave a public range IP pool and ISP-2 hasn't given one

You suggest to me the needful configuration to meet the below requirement:


VLAN 10 primary ISP is ISP-1 and secondary ISP is ISP-2.

VLAN 20 primary ISP is ISP-2 and secondary is ISP-1..


If any ISP fails, then the traffic should forward over the active ISP..

My question is: before ISP failure, the router has NAT entries with the respective ISP pool public IP address, but when any ISP fails, then how does the router change the NAT entry to the
active ISP public IP address

Regards
ram
ISP-redundancy-Lab.vsd
LVL 1

Author Closing Comment

by:RAMU CH
ID: 39864520
Thanks to all