(2) different ISP's - Load balancing with one router...

ptlinva

Hi Everyone,

I’ve been asked to upgrade a client’s router from a 3845 to 3945. Easy enough, grab the old config and put it on the new one.

However, they’ve added a 2^nd ISP and want me to setup load balancing on the router.

Both ISPs are handing off Ethernet connections… I believe ISP1 is 60mb and ISP2 is 40mb/s. Very nice!

My 1^st thought would be to use (2) routers – 1 for each ISP and load balance with a virtual gateway. However, I don’t believe they are going to allow me to do that.

Is there a way to do unequal load balancing from two different ISPs on one router? No owed IP addresses… both circuits have a range of IPs that were given to them from each ISP. They are also NAT'ing and have VPN's setup.

Any comments/suggestions are greatly appreciated. BTW, this kind of job (while working from home on my couch) is why I keep studying for my Cisco certs. I can't wait to be able to do this full-time!

Thanks!
-Paul

FloOz

Maybe using route-maps? Identify the heavy traffic types and send it out the 60mb pipe and have the rest sent to the 40mb? Is BGP being run between your routers and the ISPs?

atorven

How about having 2 default routes tracking each ISP, won't this work?

ptlinva

I believe I'm going to take both of your advice. I'm going to route port 80 and 443 through the new circuit. Everything else will go through the current production circuit.

Today I was able to accomplish migrating over to the 3945 and have shutdown the 3845. Now on to the last piece of the puzzle.

I'm looking at the following URL for advice...

https://supportforums.cisco.com/docs/DOC-8313

I've setup both interfaces and also setup the "ip sla"s.

However, the next command

track 10 rtr...

does not work for me on this 3945 running IOS 15.x. Using help, it does not list "rtr" as an available option. It does give me the ability to use an Interface (ie. g0/0 or g0/2 for the two ISP circuits).

Would either of you (or anyone) be interested in a $$ via PayPal to help me complete my config for this router? I can post the current config here OR email it over.

Thanks everyone. I really do appreciate it.
ptl

iamme4eva

Effective with Cisco IOS Release 12.4(20)T, 12.2(33)SXI1, 12.2(33)SRE and Cisco IOS XE Release 2.4, the track rtr command is replaced by the track ip sla command. See the track ip sla command for more information.

threshold metric through weight (real server)  [Support] - Cisco Systems

powmia

Don't overcomplicate things.

2 interfaces, 3 static routes... for example, if you have int g0/0 (60Mb) and g0/1 (40Mb):

ip route 0.0.0.0 0.0.0.0 g0/0
ip route 0.0.0.0 0.0.0.0 "IP address of ISP interface on g0/0 subnet"
ip route 0.0.0.0 0.0.0.0 g0/1

after that, "sh ip route 0.0.0.0" will show that each route gets a traffic share of 1. Meaning that 33% of bandwidth will go out each route... or, 66% out g0/0 and 33% out g0/1. If you send 100Mb of traffic, that works out to 66Mb on g0/0, and 33Mb on g0/1. Close enough ratio? This method will also allow a down link to automatically withdraw a route without any additional config.

The only thing you should use tracking for, is if you want to track the connectivity all the way through your provider's network (ie, tracking google or opendns out a specific interface, via the "sla" feature tied to a track statement on your static routes).

iamme4eva

powmia - I actually never thought of using static routes like that.

Am I right in saying though that the route would only be withdrawn if the interface went down? That would mean that if your modem or whatever kept the interface up but there was no actual connection, you'd end up dropping a percentage of your traffic...wouldn't "sla"'s be a better way to go to track the actual connectivity to the ISP?

deth1k

You still want route tracking with above setup as it's highly unlikely that ISP's NTU will fail which would mean your port would always be up and black hole 33% of your traffic as you've said. You could track the other end of your /30 ISP assigned for your WAN port.

Also addressing is a problem if you don't have PI space meaning you can't use ISP's one ip range on ISP's 2s network. I would consider getting your own PI / AS or at least PI and run BGP with both, you could run full feed for better load balancing this way.

powmia

iamme4eva, read the last paragraph of my post. If you want to track the connectivity of your ISP, configure a tracking object that tracks the reachability of a remote site, and is sourced from your physical interfaces... tie those to a static route.
The following tracks the reachability through (NOT TO) your providers... to google DNS and OpenDNS... common practice
ip sla 3
icmp-echo 8.8.8.8 source-int g0/0
ip sla 4
icmp-echo 208.67.222.222 source-int g0/0
ip sla 5
icmp-echo 8.8.8.8 source-int g0/1
ip sla 6
icmp-echo 208.67.222.222 source-int g0/1
!
track 3 ip sla 3 reachability
track 4 ip sla 4 reachability
track 5 ip sla 5 reachability
track 6 ip sla 6 reachability
!
track 1 list boolean and
object 3
object 4
track 2 list boolean and
object 5
object 6
!
ip route 0.0.0.0 0.0.0.0 g0/0 track 1
ip route 0.0.0.0 0.0.0.0 "IP address of ISP interface on g0/0 subnet" track 1
ip route 0.0.0.0 0.0.0.0 g0/1 track 2
!
!!Then activate your SLAs.
!
ip sla schedule 3 start-time now life forever
ip sla schedule 4 start-time now life forever
ip sla schedule 5 start-time now life forever
ip sla schedule 6 start-time now life forever



deth1k, lol... they don't want to put a redundant router there, but they're going to buy provider independent space and an AS?

powmia

You could also make that a boolean "or"... your call.

iamme4eva

That's really interesting, thanks. I didn't know you could reference a track object in a track object. Cheers for that!

deth1k

powmia wrote: »

iamme4eva, read the last paragraph of my post. If you want to track the connectivity of your ISP, configure a tracking object that tracks the reachability of a remote site, and is sourced from your physical interfaces... tie those to a static route.
The following tracks the reachability through (NOT TO) your providers... to google DNS and OpenDNS... common practice
ip sla 3
icmp-echo 8.8.8.8 source-int g0/0
ip sla 4
icmp-echo 208.67.222.222 source-int g0/0
ip sla 5
icmp-echo 8.8.8.8 source-int g0/1
ip sla 6
icmp-echo 208.67.222.222 source-int g0/1
!
track 3 ip sla 3 reachability
track 4 ip sla 4 reachability
track 5 ip sla 5 reachability
track 6 ip sla 6 reachability
!
track 1 list boolean and
object 3
object 4
track 2 list boolean and
object 5
object 6
!
ip route 0.0.0.0 0.0.0.0 g0/0 track 1
ip route 0.0.0.0 0.0.0.0 "IP address of ISP interface on g0/0 subnet" track 1
ip route 0.0.0.0 0.0.0.0 g0/1 track 2
!
!!Then activate your SLAs.
!
ip sla schedule 3 start-time now life forever
ip sla schedule 4 start-time now life forever
ip sla schedule 5 start-time now life forever
ip sla schedule 6 start-time now life forever



deth1k, lol... they don't want to put a redundant router there, but they're going to buy provider independent space and an AS?

You don't have to "buy" PI space if you have a decent ISP you can get it on their behalf. Also you don't want "and" in you boolean statement otherwise if one goes down whole track object will go down, better option would be an "or".

Either way, you have an issue with IP addresses from two different ISP's and failure scenario where devices on one side will be without any connectivity. You could do a work around with policy based NAT but devices with static IP's will still have problems.

powmia

iamme4eva, no problem. One last thing, if your router has trouble with it's adjacency lookups (ie, you're not on a ptp link... which I assume you aren't)... it's safer to use something like the following instead of my above config:

ip route 0.0.0.0 0.0.0.0 g0/0 10.0.0.1 track 1
ip route 0.0.0.0 0.0.0.0 10.0.0.1 track 1
ip route 0.0.0.0 0.0.0.0 11.0.0.1 track 2

Keep that in mind.


deth1k,

You told him to get his own PI and AS... You're going to get your own AS without a /18 - /20 block of public addresses? And seriously, your provider isn't going to charge you for that many IPv4 addresses? Who's your provider? I'd like to get an AS for my house.

I told him he had the option of using an "and" or an "or". The reason I used "and" in my config, is because while some people determine that their circumstances merit the behavior that a boolean "or" would provide that config.... 99% of the time... an "or" is a terrible choice. You really want to statically send traffic to a provider that could potentially only have access to half of the internet? If you're concerned about falsely killing a route because your sla target itself went down (which is why I chose two targets, google and openDNS that are clusters of servers, spread throughout the world)... Yes, that would kill both sets of static routes. In that case of paranoia, probably be best to also configure an identical set of everything I showed... but using "floating" static routes and "or" statements.

iamme4eva

I'm not actually doing it - I'm just being nosey and learning from someone else's thread. . One of the reasons I hang out on here is for stuff like this...useful gems that may come in handy one day, and if nothing else, teach me something or give me a new perspective on something.

deth1k

powmia wrote: »

iamme4eva, no problem. One last thing, if your router has trouble with it's adjacency lookups (ie, you're not on a ptp link... which I assume you aren't)... it's safer to use something like the following instead of my above config:

ip route 0.0.0.0 0.0.0.0 g0/0 10.0.0.1 track 1
ip route 0.0.0.0 0.0.0.0 10.0.0.1 track 1
ip route 0.0.0.0 0.0.0.0 11.0.0.1 track 2

Keep that in mind.


deth1k,

You told him to get his own PI and AS... You're going to get your own AS without a /18 - /20 block of public addresses? And seriously, your provider isn't going to charge you for that many IPv4 addresses? Who's your provider? I'd like to get an AS for my house.

I told him he had the option of using an "and" or an "or". The reason I used "and" in my config, is because while some people determine that their circumstances merit the behavior that a boolean "or" would provide that config.... 99% of the time... an "or" is a terrible choice. You really want to statically send traffic to a provider that could potentially only have access to half of the internet? If you're concerned about falsely killing a route because your sla target itself went down (which is why I chose two targets, google and openDNS that are clusters of servers, spread throughout the world)... Yes, that would kill both sets of static routes. In that case of paranoia, probably be best to also configure an identical set of everything I showed... but using "floating" static routes and "or" statements.

Who said anything about /18 or /20? Working closely with your provider you can get /23 and split that into two /24's announcing both to your providers with prepends etc depending on how you'd like to load balance inbound traffic. This way you will maintain connectivity regardless of which uplink has failed. I'm not trying to argue here with you.

powmia

Dude... think about it. If you get it from your provider, It's not provider independent! You need to go through a regional registry to get PI and an AS. If you're telling someone to get a PI and AS, you're going to send them on a goose chase that gets them laughed at by someone at ARIN. Using one provider's space, and getting them and another to punch a hole in their summarization is a completely different subject... and doesn't require an AS... and Most providers won't do that for a /24.

deth1k

dude, i know what you are saying although i work for a provider and we have been able to request PI space on behalf of our customers, they don't necessarily need an AS as the prefix will be maintained by an ISP (ripe object type). so in this instance you could easily to get both ISP's to announce that /24 to the rest of the world.

powmia

Is/was that a common practice for you guys?

deth1k

It used to be for medium sized clients not sure how it is now with IP shortages

powmia

That's what I thought. I imagine it's pretty hard to justify for almost any client now, if not impossible. The only reason I gave you such a hard time, is that the original poster appeared to be a pretty small customer. Though I do feel like calling his client and screaming at them for being willing to accept the recurring cost of a second line, but not the one time purchase of another 3900.