How to Configure CISCO LB router

doddledoddle Member Posts: 14 ■□□□□□□□□□
Hi guys,

I want to configure the Cisco 2800 series, model 2851, router for load-balancing purposes...

Here I am provided with 3 ISP providers; how can I configure this?
Can you guys please help me out with this...

Comments

  • SharkDiverSharkDiver Member Posts: 844
    Are you using BGP? If so, there are many attributes that you can use to get this done.

    If not, maybe use a route map to send different types of traffic to different next-hop IP addresses.

    I just set this up for one of my customers. He purchased two MetroEthernet circuits from us with two different IP address ranges. I programmed the router to send all traffic from one IP address range to the next-hop address of the one MetroE, and all traffic from the other IP address range to the next-hop address of the other MetroE. This was verifiable by using tracert from PCs in each of the ranges.

    Incoming traffic is load balanced by default because one set of addresses comes in one pipe and the other set comes in the other pipe.
  • doddledoddle Member Posts: 14 ■□□□□□□□□□
    First of all, thank you for your reply. I have not planned yet; please suggest which one is best, BGP or routing map? Which one is easier?

    Can you please provide me the detailed info about this... If you want any other details, I'm ready to give them.
  • cisco_troopercisco_trooper Member Posts: 1,441 ■■■■□□□□□□
    You are going to have other requirements with BGP. You will have to get an AS number from ARIN or RIPE depending on where you are, and you will have to acquire your own provider independent IP space that you will own. The requirements for IPv4 IP space are outside the reach of most organizations these days with the IPv4 shortages. Your best and easiest solution is probably going to be the route-map solution to specifically redirect traffic from specific sources out specific links unless you have other requirements other than internet browsing. My question to you is this, however: Do you have incoming external services on any or all of these links?

    https://www.arin.net/resources/resource_requests/

    Request Forms & Supporting Notes — RIPE Network Coordination Centre
  • SharkDiverSharkDiver Member Posts: 844
    Yes, I would say the route map is easier if you don't already use BGP with these ISPs.

    To create the route map scenario, you need to create ACLs which match the various types of traffic.
    Then, you create the route map.
    Then you apply the route map to an interface.

    For example, to have traffic from 10.0.0.0/8 get forwarded to a next-hop of 192.168.1.1, and traffic from 172.16.0.0/16 get forwarded to a next-hop of 192.168.2.2, you could do the following.

    access-list 1 permit 10.0.0.0 0.255.255.255
    access-list 2 permit 172.16.0.0 0.0.255.255

    route-map PBR1 permit 10
    match ip address 1
    set ip next-hop 192.168.1.1
    route-map PBR1 permit 20
    match ip address 2
    set ip next-hop 192.168.2.2

    Then on the incoming interfaces from the LAN:
    ip policy route-map PBR1

    BTW, this is usually referred to as Policy Based Routing which is why I called the route-map PBR1.

    You could also use extended ACLs to define the traffic.
    For instance, you could make ACL 101 match all http traffic and make ACL 102 match all ftp traffic.
  • pham0329pham0329 Member Posts: 556
    Just to clarify, do you have multiple routers or do you have one router for all three ISPs?
  • networker050184networker050184 Mod Posts: 11,962 Mod
    First question I'd ask is why load balance? Do you really need it or does someone just want the graphs to look even? IMO it's much better to run an active/standby link configuration or let traffic figure its way out naturally with BGP. If you have some actual need for load balancing then you can look into attributes. My last resort would be some kind of PBR though. Big fan of the K.I.S.S. method myself.
    An expert is a man who has made all the mistakes which can be made.
  • cisco_troopercisco_trooper Member Posts: 1,441 ■■■■□□□□□□
    networker050184 wrote: »
    First question I'd ask is why load balance? Do you really need it or does someone just want the graphs to look even? IMO it's much better to run an active/standby link configuration or let traffic figure its way out naturally with BGP. If you have some actual need for load balancing then you can look into attributes. My last resort would be some kind of PBR though. Big fan of the K.I.S.S. method myself.

    I would agree with this as well. There is no need to artificially load balance the traffic unless you've run out of capacity and opted to buy a 2nd data circuit. PBR can be tricky at times for those inexperienced in routing topologies. Also, you need to make sure PBR is supported in hardware in whichever platform you are using to implement such policies. You don't want to unexpectedly overwhelm the CPU of the router if it is suddenly performing route lookups on every single packet that comes across it.
  • dtlokeedtlokee Member Posts: 2,378 ■■■■□□□□□□
    Policy based routing is a potential solution to the problem but it's not really the best solution for a production environment. You will need to supplement it with some form of next hop reachability SLA to make sure the link is up or you will end up black holing your traffic through that ISP if the link is down. Also you will need to adjust the policy routing because you will find that it's not going to load balance across the links evenly. Additionally you will need to implement policy NAT to work along with policy routing such that you will only translate the IP address to the correct pool as it's routed to the different ISPs. For a production environment I would look at something like FatPipe or Radware for this function (there are others as well but I have had good success with both).
    The only easy day was yesterday!
  • cisco_troopercisco_trooper Member Posts: 1,441 ■■■■□□□□□□
    Are you attempting to load balance incoming traffic at all? Email, Web Application Farms, or any other external applications?

    The FatPipe, RadWare, and F5 products are great, but I wouldn't spend the money on them for outbound traffic. I evaluated all 3 but I've got significant public facing services to load balance across multiple links and multiple locations.

    I like F5 the best but it is huge money. FatPipe did a better job than the LinkProof as far as ease of use but I was uncomfortable with it looking like it was just a custom application on a freaking desktop computer. There was also some weird user interface issue that I can't recall off hand. I needed a setting that couldn't be controlled with their user interface and required their support to remotely connect and enable. Not cool. The Link Proof wasn't able to return all DNS record queries that I needed. The only one that did everything I needed it to do and allowed me full control of everything I needed to control was the F5 GTM. The topological load balancing available on the F5 GTM products is great to have, but the cost of this product simply can't be justified if all you are doing is balancing outbound internet traffic. Also, if that is all you are doing, then FatPipe and LinkProof can both fulfill that requirement without issue.

    How many users are we talking about? What's the cost in lost revenue and lost wages in a 30 minute internet outage if you have to manually re-route internet traffic? You have to look at the dollars and cents here. It makes perfect sense for large companies to buy load balancers and is downright retarded for small companies.
  • SharkDiverSharkDiver Member Posts: 844
    Just to clarify, in my situation, I set up what the customer wanted. I suggested bumping the first MetroE from 10Meg to 20Meg instead of installing the second, separate MetroE, but the customer insisted on keeping the traffic separate.
  • dtlokeedtlokee Member Posts: 2,378 ■■■■□□□□□□
    cisco_trooper wrote: »
    How many users are we talking about? What's the cost in lost revenue and lost wages in a 30 minute internet outage if you have to manually re-route internet traffic?

    For most of my customers a 30 minute outage would be a resume generating event for the entire network engineering staff, that is they would be fired on the spot. Smaller companies might not be a big deal but many companies generate all their revenue via Internet based services so it would be bad to assume that a 30 minute outage is acceptable because it could cost hundreds of thousands of dollars in lost revenue and also potentially lost customers that won't ever return. From what I understand retailers on Amazon can get bumped to the bottom of the search results if their order processing systems become unavailable to Amazon.

    Also manual processes to restore connectivity can be ok and well intended as long as it breaks between 8 and 5 and you're in the office. Not so much fun at 3 am when no one can find the network engineer and that 30 minute outage turns into 3 hours.


    For me, I'd always prefer an automatic failover process to a manual one no matter how short the time to restore is and I will always make a business case to the principal stakeholders in the company why that 10k piece of hardware is going to save them money. I mean if the cheapest solution was inherently the best one then more than likely we wouldn't be using Cisco hardware would we?
    The only easy day was yesterday!
  • cisco_troopercisco_trooper Member Posts: 1,441 ■■■■□□□□□□
    A 30 minute outage at a large company is definitely a deal breaker and I also prefer the automatic failover. With the information doddle provided I have a hard time believing BGP or load balancers either one will be on the table.

    These are the same reasons I made the business case for the F5 GTMs with full support. It's a lot of freaking money but our business lives and dies by internet access and incoming web services. They already saved us an entire day of downtime when one of the carriers had a POP go crazy on them. My 150M MIS circuit was down for several hours. That easily paid the $100K+ price tag of the F5s..
  • doddledoddle Member Posts: 14 ■□□□□□□□□□
    Here I explain my situation in detail. First of all, I have 3 ISP providers, each having IPs of the 192.168.0/3/2 series.
    Nearly, we have more than 150 PCs, and each ISP provider has a bandwidth of 5:5. We have 2 routers, one for Spectranet and the other for You Broadband. The main reason we are going for an LB router is that if a link goes down, we manually go to the individual PCs and change their IPs, so we are going for the LB scheme. What we planned for the LB is that we give it the input from these 3 ISP providers and get a single output, which is the LB one. If one link goes down, it automatically switches over to another one...
    At the same time, each ISP provider gives 2 DNS servers.
    So for that I need the codes for the Cisco 2800 series, model 2851, router configuration.
  • dtlokeedtlokee Member Posts: 2,378 ■■■■□□□□□□
    To understand your network setup right now you have all of your PCs set to use one or the other ISP routers as their default gateway? The first step in the process will be to implement the 2851 router in between the users and the 3 ISP routers and create a new user (or router segment). It's really not going to be a trivial task if you are new to the concepts of networking, routing, subnetting etc.




    You would need to implement either failover from one ISP to another or policy routing to help load balance across all 3. As was already stated you would need to do something like:

    access-list 1 permit 192.168.1.0 0.0.0.63
    access-list 2 permit 192.168.1.64 0.0.0.63
    access-list 3 permit 192.168.1.128 0.0.0.127

    route-map ISP permit 10
    match ip address 1
    set ip next-hop 192.168.3.1

    route-map ISP permit 20
    match ip address 2
    set ip next-hop 192.168.3.2

    route-map ISP permit 30
    match ip address 3
    set ip next-hop 192.168.3.3

    then on the interface attached to the hosts:

    interface gigabit0/0
    ip address 192.168.1.1 255.255.255.0
    ip policy route-map ISP



    That will take the traffic from the different groups of hosts (1-63, 64-127, 128-255) and forward them to different ISP routers.
    The only easy day was yesterday!
  • pham0329pham0329 Member Posts: 556
    Keep in mind that while with the new setup, you'll have redundant connections to the internet, you've essentially introduced a single point of failure in that if the 2821 goes down, your entire network goes down.
  • doddledoddle Member Posts: 14 ■□□□□□□□□□
    dtlokee wrote: »
    To understand your network setup right now you have all of your PCs set to use one or the other ISP routers as their default gateway? The first step in the process will be to implement the 2851 router in between the users and the 3 ISP routers and create a new user (or router segment). It's really not going to be a trivial task if you are new to the concepts of networking, routing, subnetting etc.




    You would need to implement either failover from one ISP to another or policy routing to help load balance across all 3. As was already stated you would need to do something like:

    access-list 1 permit 192.168.1.0 0.0.0.63
    access-list 2 permit 192.168.1.64 0.0.0.63
    access-list 3 permit 192.168.1.128 0.0.0.127

    route-map ISP permit 10
    match ip address 1
    set ip next-hop 192.168.3.1

    route-map ISP permit 20
    match ip address 2
    set ip next-hop 192.168.3.2

    route-map ISP permit 30
    match ip address 3
    set ip next-hop 192.168.3.3

    then on the interface attached to the hosts:

    interface gigabit0/0
    ip address 192.168.1.1 255.255.255.0
    ip policy route-map ISP



    That will take the traffic from the different groups of hosts (1-63, 64-127, 128-255) and forward them to different ISP routers.



    Yes, it's not an easy task for me to implement these things. As a doddler with an interest in networking I agreed to do this one... that's why I'm asking for one month's time to implement this. Can you please provide any simulation software which is best to implement my setup virtually and give me the exact result?

    I request you guys to give me some more things about how to implement these things...


    :):):)
  • doddledoddle Member Posts: 14 ■□□□□□□□□□
    pham0329 wrote: »
    Keep in mind that while with the new setup, you'll have redundant connections to the internet, you've essentially introduced a single point of failure in that if the 2821 goes down, your entire network goes down.

    In order to avoid this, we have 2 more ISP providers. If one ISP provider's link goes down, we can switch over to another... this is our main concept :)
  • Forsaken_GAForsaken_GA Member Posts: 4,024
    doddle wrote: »
    In order to avoid this, we have 2 more ISP providers. If one ISP provider's link goes down, we can switch over to another... this is our main concept :)

    I think the point he's trying to make is that if you have three links going to a single router, that router itself is the single point of failure. If anything happens to that router, you're down entirely, so you may want to look into having redundant router connections.

    It sounds like you're mostly interested in having proper failover, not necessarily having any load balancing.

    My personal preference would be to run BGP with all three providers and let the BGP algorithm sort out best path. If you do that, the router will learn external routes from all three providers, and if one of them goes down, the routes will be withdrawn, and the router will automatically switch over to the other routes. Assuming your link picks up the failure quickly, you're talking about very fast failover, and likely no interruption.

    Barring running BGP as an option, since you're not necessarily looking for load balancing, I'd just set three default routes, with the other two having higher AD than the preferred connection. If that interface ever went down, it'd switch over to one of the other default routes instantly without interruption, but your other two links would go virtually unutilized, they'd only be active during a fault condition.
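
The following is an added example, not part of any post in this thread: it combines dtlokee's point that PBR needs next-hop reachability tracking with the floating default routes Forsaken_GA describes above. ACLs 1-3, the route-map name ISP and the next hops 192.168.3.1-3 come from dtlokee's config; the SLA and track numbers, timers and administrative distances are assumed values, and the exact SLA/track keywords vary by IOS release.

```cisco
! Added example. ACLs 1-3, route-map ISP and next hops 192.168.3.1-3 are
! from dtlokee's post; probe/track numbers, timers and distances are assumed.
! Older 12.4 images spell the track line "track N rtr N reachability".

! 1. One ICMP probe per ISP router, sent every 5 seconds
ip sla 1
 icmp-echo 192.168.3.1
 frequency 5
ip sla schedule 1 life forever start-time now
ip sla 2
 icmp-echo 192.168.3.2
 frequency 5
ip sla schedule 2 life forever start-time now
ip sla 3
 icmp-echo 192.168.3.3
 frequency 5
ip sla schedule 3 life forever start-time now

! 2. Track objects follow the probes; the delays damp a flapping link
track 1 ip sla 1 reachability
 delay down 10 up 30
track 2 ip sla 2 reachability
 delay down 10 up 30
track 3 ip sla 3 reachability
 delay down 10 up 30

! 3. PBR with ordered fallback. These lines replace the plain
!    "set ip next-hop" lines; a next hop is used only while its track is up.
route-map ISP permit 10
 match ip address 1
 set ip next-hop verify-availability 192.168.3.1 10 track 1
 set ip next-hop verify-availability 192.168.3.2 20 track 2
 set ip next-hop verify-availability 192.168.3.3 30 track 3
route-map ISP permit 20
 match ip address 2
 set ip next-hop verify-availability 192.168.3.2 10 track 2
 set ip next-hop verify-availability 192.168.3.3 20 track 3
 set ip next-hop verify-availability 192.168.3.1 30 track 1
route-map ISP permit 30
 match ip address 3
 set ip next-hop verify-availability 192.168.3.3 10 track 3
 set ip next-hop verify-availability 192.168.3.1 20 track 1
 set ip next-hop verify-availability 192.168.3.2 30 track 2

! 4. Floating defaults for router-originated traffic and anything PBR does
!    not match; a route is withdrawn while its track object is down.
ip route 0.0.0.0 0.0.0.0 192.168.3.1 track 1
ip route 0.0.0.0 0.0.0.0 192.168.3.2 10 track 2
ip route 0.0.0.0 0.0.0.0 192.168.3.3 20 track 3

! Verify with: show track brief, show ip sla statistics, show route-map ISP
```

Probing the ISP router's LAN address only detects a dead ISP router, not a failed circuit behind it.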
  • doddledoddle Member Posts: 14 ■□□□□□□□□□
    OK, now I understand that... but according to your points, if I configure the individual routers to handle the failover conditions separately, then if the router fails, the other one will become active and take charge, and only the single ISP which is allocated to that router will be active while the other two are inactive. Then what about that single ISP's bandwidth? Consider that the 5:5 bandwidth of that ISP will be allocated to my entire company?
  • tokhsstokhss Member Posts: 473
    Been reading through this.. got a question for the gurus..

    Let's say the OP properly set up failover with 3 ISPs via BGP or PBR... what would be the next step to avoid the single point of failure.. the router itself. How would you set up another router to kick in with the same config as the primary router without the users noticing?

    so to sum this up.. primary goes down.. backup router kicks in.. users are happy. Would this be a manual thing, like just have a shadow router on standby or can this be done automatically?
  • Bl8ckr0uterBl8ckr0uter Inactive Imported Users Posts: 5,031 ■■■■■■■■□□
    With a router pair your best bet (in my limited knowledge) would be an HSRP/GLBP pair that plugs into a stack switch set. You can do this automagically with HSRP but the configs won't come over. ASAs have the ability to mirror the configs AND states for a truly seamless solution. It is nice! I have deployed several sets of ASAs in this manner and find it is much better for IPsec VPN failover vs the built-in IOS solution (SSO - it blows hard).

    Fun with IPsec stateful failover - Packet Life
  • tokhsstokhss Member Posts: 473
    Interesting, so say you have 2 identical routers with the shadow router having the same config as the primary.. essentially, a hot standby.. HSRP would kick in just fine then, right?

    In this OP's case, no ASAs.. but this is some interesting stuff.
  • Bl8ckr0uterBl8ckr0uter Inactive Imported Users Posts: 5,031 ■■■■■■■■□□
    Yes (again I am by no means an expert) but with HSRP the virtual IP (and MAC) are shared across X routers. You can track things that cause one router to take over from another. The clients point at the virtual gateway and as it goes from device to device (for failure reasons) they don't know the difference. If I recall correctly, this is not stateful (thus SSO) but it works very well. Gateway Load Balancing Protocol is like HSRP but it also does its namesake (load balancing) and I have it set to look at interface conditions and other things. It would work very well for the OP. I would combine that with a stack of 3750s for the core and he should be good to go.

    http://www.cisco.com/en/US/docs/ios/12_2t/12_2t15/feature/guide/ft_glbp.html
    http://www.cisco.com/en/US/tech/tk648/tk362/tk321/tsd_technology_support_sub-protocol_home.html
  • Forsaken_GAForsaken_GA Member Posts: 4,024
    tokhss wrote: »
    Been reading through this.. got a question for the gurus..

    Let's say the OP properly set up failover with 3 ISPs via BGP or PBR... what would be the next step to avoid the single point of failure.. the router itself. How would you set up another router to kick in with the same config as the primary router without the users noticing?

    so to sum this up.. primary goes down.. backup router kicks in.. users are happy. Would this be a manual thing, like just have a shadow router on standby or can this be done automatically?

    Well it depends. If the router isn't functioning as the default gateway for the internal machines, ie, it's really just a border router, then this is easy. You split your connections between two or more border routers (if all your provider connections are going to one router, then that router is the single point of failure, regardless of the rest of your internal setup), then connect the border routers to each other, and connect them down into the distribution layer. Have them both generate default routes, and when one goes down, the downstream routing will just kick over to the other default route.

    If they are functioning as the gateways for the internal hosts, then you need to run something like HSRP or VRRP to handle gateway failover.
  • Forsaken_GAForsaken_GA Member Posts: 4,024
    doddle wrote: »
    OK, now I understand that... but according to your points, if I configure the individual routers to handle the failover conditions separately, then if the router fails, the other one will become active and take charge, and only the single ISP which is allocated to that router will be active while the other two are inactive. Then what about that single ISP's bandwidth? Consider that the 5:5 bandwidth of that ISP will be allocated to my entire company?

    Sort of. Depending on your internal routing setup, the three default routes could do load balancing automatically, since they'd essentially be equal cost paths. But I would never do that if I could possibly avoid it. Round robin routing out a default route is playing Russian roulette with your latency. It's kind of a last straw solution. And I would never do it if one of the links was capable of handling all my traffic (and if it wasn't, I'd do my damnedest to get the link upgraded before I implemented anything like this).

    Which is why I'd prefer to use BGP in these situations. Chances are each of your providers will have better routes to some destinations than the others, so all of your links get some utilization, you have automatic failover in the event of a link going down, and you have the option to do policy routing if you need some finer grained control of the traffic.
  • doddledoddle Member Posts: 14 ■□□□□□□□□□
    I configured the router with 3 i/p whose bandwidths are 5:5 each, and I'm getting a single output. My doubt is whether I'm getting an output of 5:5 bandwidth or the sum of these 3 IPs' bandwidth, i.e. 15 Mbps output? Please clarify my doubt, guys.
  • tokhsstokhss Member Posts: 473
    I believe you are getting 5:5.. not 15. You would need some sort of bonding on the carrier end to achieve 15 mbit.
  • doddledoddle Member Posts: 14 ■□□□□□□□□□
    tokhss wrote: »
    I believe you are getting 5:5.. not 15. You would need some sort of bonding on the carrier end to achieve 15 mbit.
    Bonding? What sort of things do I need to get 15 Mbps? If I'm not getting 15 Mbps o/p, then the cost and the bandwidth will be wasted for the 2 other ISPs which have 5:5 bandwidth... :P
  • tokhsstokhss Member Posts: 473
    I believe all you have done is properly set up failover via BGP, right? You now need to combine the BW or load balance it. This is not my area of expertise. I could be wrong here..

    but as of right now.. if 1 person was to download a file, it would not pull BW from all three links at once. It will simply choose the best path to download whatever is required.


    Now, if one link gets congested, then the others should become avail but how this part works or is setup is beyond me right now.

    If memory serves me right, look up variance command lol.. just a shot in the dark.

    edit: I think the variance command was related to EIGRP.

    so.. yeah.. anyone else wanna answer this question?

    check this out

    http://www.cisco.com/en/US/tech/tk365/technologies_configuration_example09186a00800945bf.shtml
  • pham0329pham0329 Member Posts: 556
    I'm not sure which approach you went with, but if you're using BGP and only have a default route advertised from the ISP, you can do maximum-paths 3 and configure a route map to prepend your AS on the route.