Load-balancing with 2 ISPs

Network topology:

All hosts with IP addresses in 192.168.1.2 - 192.168.1.126 (the first half of the /24; .1 is the Internal router's LAN address) use ISP-1, while all hosts in 192.168.1.129 - 192.168.1.254 (the second half) use ISP-2. If one ISP fails, all hosts use the surviving ISP to reach the Internet. NAT overload (PAT) is applied on the Edge routers to hide the inside addressing from the ISPs. The customer runs OSPF inside the network. Each Edge router has an eBGP session with its ISP, and each ISP advertises only a default route to the customer.

Splitting Host-traffic at Internal router:

On the Internal router, host traffic is split on the source IP address of the host. Policy-based routing is applied to the LAN interface: if the source address falls in the first half of the subnet, the Internal router forwards the packet to Edge-1; if it falls in the second half, to Edge-2. The set ip next-hop verify-availability command is used together with a tracking object so that a next hop is only used while it is reachable. If the tracking object is down, the set is ignored and the packet is forwarded by the normal IP routing table (it does not fall through to the next route-map sequence), so failover depends on the routing table holding a default route through the surviving Edge router; the OSPF default-route origination on the Edge routers that provides this is not part of the configuration shown here. Note also that access lists 110 and 120 match on source address only, so every packet from a LAN host is policy-routed to an Edge router, including packets for internal destinations. In a network with other internal subnets, add a deny for the internal destinations ahead of the permit so that internal traffic is not hairpinned through the Edge routers.

Splitting host-traffic

route-map Divide_Traffic permit 10
 match ip address 110
 set ip next-hop verify-availability 10.3.3.2 10 track 10
!
route-map Divide_Traffic permit 20
 match ip address 120
 set ip next-hop verify-availability 10.4.4.2 10 track 20
!
access-list 110 permit ip 192.168.1.0 0.0.0.127 any
access-list 120 permit ip 192.168.1.128 0.0.0.127 any
!
interface FastEthernet0/0
 description LAN Interface
 ip address 192.168.1.1 255.255.255.0
 ip policy route-map Divide_Traffic
 ip ospf 1 area 0
 speed 100
 full-duplex
!

Policy-Based Routing (PBR):

IP SLA is used to test the reachability of each next hop. 4.2.2.2 is a public address on the Internet. So that the Internal router tests both paths, two IP SLA operations are configured, one sourced from each Edge-facing interface. Local policy-based routing makes packets originated by the Internal router itself leave through the intended interface: probes sourced from 10.3.3.1 go via Edge-1 and probes sourced from 10.4.4.1 go via Edge-2. Without it, both probes would follow the routing table and could end up testing the same path, so one track would never notice a failure of the other ISP. A few points to keep in mind when reusing this configuration. First, threshold 2 (milliseconds) is far below any realistic Internet RTT, so every run reports "Over threshold"; the reachability track still stays Up, because only a timeout counts as unreachable. Second, both operations probe the same single target: if 4.2.2.2 stops answering ICMP, both tracks go down and all traffic falls back to plain routing even though both ISPs are healthy, so probing a second target, or a target per ISP, is more robust. Third, access lists 198 and 199 match all locally generated traffic from the two transit subnets; matching only the probe (permit icmp host 10.3.3.1 host 4.2.2.2, and likewise for 10.4.4.1) keeps the local policy from touching unrelated router-originated traffic. Finally, on newer IOS releases the tracking syntax is track 10 ip sla 1 reachability rather than track 10 rtr 1 reachability.

PBR & Next-Hop availability

ip sla 1
 icmp-echo 4.2.2.2 source-interface FastEthernet2/0
 timeout 3000
 threshold 2
 frequency 3
ip sla schedule 1 life forever start-time now
ip sla 2
 icmp-echo 4.2.2.2 source-interface FastEthernet3/0
 timeout 3000
 threshold 2
 frequency 3
ip sla schedule 2 life forever start-time now
!
track 10 rtr 1 reachability
!
track 20 rtr 2 reachability
!
access-list 198 permit ip 10.4.4.0 0.0.0.255 any
access-list 199 permit ip 10.3.3.0 0.0.0.255 any
!
route-map LOCAL_TRAFFIC permit 10
 match ip address 199
 set ip next-hop 10.3.3.2
 set interface FastEthernet2/0
!
route-map LOCAL_TRAFFIC permit 20
 match ip address 198
 set ip next-hop 10.4.4.2
 set interface FastEthernet3/0
!
ip local policy route-map LOCAL_TRAFFIC
!
interface FastEthernet2/0
 description Connection to Edge-1 router
 ip address 10.3.3.1 255.255.255.0
 ip ospf 1 area 0
 speed 100
 full-duplex
!
interface FastEthernet3/0
 description Connection to Edge-2 router
 ip address 10.4.4.1 255.255.255.0
 ip ospf 1 area 0
 speed 100
 full-duplex
!

NAT on Edge routers:

NAT overload is configured on Edge-1 and Edge-2. The inside (interesting) addresses are 192.168.1.0/24 on both routers plus the transit subnet facing the Internal router: 10.3.3.0/24 on Edge-1 and 10.4.4.0/24 on Edge-2. The transit subnets must be included so that the IP SLA probes, sourced from 10.3.3.1 and 10.4.4.1, are translated and receive a reply; otherwise the tracking objects would stay down. NAT overload hides the inside addressing, but it is not a packet filter: an inbound access list on the ISP-facing Serial0/0 interfaces is still required and is not part of this configuration.

NAT on Edge routers

Edge-1 router:
access-list 110 permit ip 192.168.1.0 0.0.0.255 any
access-list 110 permit ip 10.3.3.0 0.0.0.255 any
!
ip nat inside source list 110 interface Serial0/0 overload
!
interface Serial0/0
 description To ISP-1
 ip address 172.64.1.1 255.255.255.252
 ip nat outside
!
interface FastEthernet0/1
 ip address 10.3.3.2 255.255.255.0
 ip nat inside
 ip ospf 1 area 0
!
Edge-2 router:
access-list 110 permit ip 192.168.1.0 0.0.0.255 any
access-list 110 permit ip 10.4.4.0 0.0.0.255 any
!
ip nat inside source list 110 interface Serial0/0 overload
!
interface Serial0/0
 description To ISP-2
 ip address 172.64.2.1 255.255.255.252
 ip nat outside
!
interface FastEthernet0/1
 ip address 10.4.4.2 255.255.255.0
 ip nat inside
 ip ospf 1 area 0
!

In action:

The following output shows that both tracking objects are Up. The return code "Over threshold" is expected with threshold 2 and an RTT of tens of milliseconds; it does not affect reachability.

Tracking objects

Internal# show track
Track 10
  Response Time Reporter 1 reachability
  Reachability is Up
    9 changes, last change 00:00:04
  Latest operation return code: Over threshold
  Latest RTT (millisecs) 48
  Tracked by:
    ROUTE-MAP 0
Track 20
  Response Time Reporter 2 reachability
  Reachability is Up
    11 changes, last change 00:40:34
  Latest operation return code: Over threshold
  Latest RTT (millisecs) 32
  Tracked by:
    ROUTE-MAP 0

When a host with IP address 192.168.1.129 reaches 4.2.2.2, the Internal router forwards its traffic to Edge-2; when host 192.168.1.3 reaches the same address, the Internal router forwards it to Edge-1. The NAT tables on Edge-1 and Edge-2 confirm this: each router translates its own half of the hosts, and its own IP SLA probe source (10.3.3.1 on Edge-1, 10.4.4.1 on Edge-2), to the address of its Serial0/0 interface.

NAT on Edge routers

Edge-1# show ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
icmp 172.64.1.1:1      10.3.3.1:1         4.2.2.2:1          4.2.2.2:1
icmp 172.64.1.1:7      192.168.1.3:7      4.2.2.2:7          4.2.2.2:7
Edge-2# show ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
icmp 172.64.2.1:2      10.4.4.1:2         4.2.2.2:2          4.2.2.2:2
icmp 172.64.2.1:6      192.168.1.129:6    4.2.2.2:6          4.2.2.2:6
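To make the Internal router's decision explicit, the following is an added example in Python; it is not part of the original article and does not run on the router. It re-implements the evaluation of route-map Divide_Traffic: Cisco wildcard matching for access lists 110 and 120, the verify-availability rule that drops the set when the tracked next hop is down, and the fall-back to ordinary IP routing. The show track text is copied from the output above; the assumption that the routing table's default route points at Edge-2 (routed_edge) is not stated on the page and is marked as such in the code.

```python
"""Simulate 'ip policy route-map Divide_Traffic' on the Internal router.

Added example, not the article's own code.  The 'show track' text is copied
from the article; which Edge router plain IP routing would pick is an
assumption passed in as routed_edge.
"""
import ipaddress
import re

# Access lists from the Internal router as (network, wildcard) pairs.
ACL = {
    110: [("192.168.1.0", "0.0.0.127")],    # first half  -> Edge-1
    120: [("192.168.1.128", "0.0.0.127")],  # second half -> Edge-2
}

# route-map Divide_Traffic in sequence order: (match ACL, next hop, track object).
DIVIDE_TRAFFIC = [
    (110, "10.3.3.2", 10),
    (120, "10.4.4.2", 20),
]
EDGE_BY_NEXT_HOP = {"10.3.3.2": "Edge-1", "10.4.4.2": "Edge-2"}

# 'show track' output from the article, both objects Up.
SHOW_TRACK = """\
Track 10
  Response Time Reporter 1 reachability
  Reachability is Up
    9 changes, last change 00:00:04
  Latest operation return code: Over threshold
  Latest RTT (millisecs) 48
  Tracked by:
    ROUTE-MAP 0
Track 20
  Response Time Reporter 2 reachability
  Reachability is Up
    11 changes, last change 00:40:34
  Latest operation return code: Over threshold
  Latest RTT (millisecs) 32
  Tracked by:
    ROUTE-MAP 0
"""


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    return (a & care) == (n & care)


def parse_show_track(text: str) -> dict:
    """Return {track_id: True if Reachability is Up} from 'show track' output."""
    state = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"Track (\d+)$", line)
        if m:
            current = int(m.group(1))
            continue
        m = re.match(r"Reachability is (Up|Down)$", line)
        if m and current is not None:
            state[current] = m.group(1) == "Up"
    return state


def next_hop_for(src: str, track_state: dict, routed_edge: str) -> str:
    """Walk the route-map the way IOS PBR does.

    The first sequence whose ACL permits the packet wins.  With
    verify-availability, a Down (or missing) track object discards the
    'set ip next-hop' and the packet is routed normally; it does NOT fall
    through to the next sequence.  Packets matching no sequence are routed
    normally as well.
    """
    for acl_id, next_hop, track_id in DIVIDE_TRAFFIC:
        if any(wildcard_match(src, net, wc) for net, wc in ACL[acl_id]):
            if track_state.get(track_id, False):
                return EDGE_BY_NEXT_HOP[next_hop]
            return routed_edge
    return routed_edge


def forwarding_decisions(track_state: dict, routed_edge: str) -> dict:
    """Map the article's two sample hosts to the Edge router that carries them."""
    return {h: next_hop_for(h, track_state, routed_edge)
            for h in ("192.168.1.3", "192.168.1.129")}


if __name__ == "__main__":
    both_up = parse_show_track(SHOW_TRACK)
    print("normal  :", forwarding_decisions(both_up, routed_edge="Edge-2"))
    # Failover: ISP-1 is down, track 10 reports Down and (assumption) the
    # routing table's default route now points at Edge-2.
    isp1_down = {**both_up, 10: False}
    print("failover:", forwarding_decisions(isp1_down, routed_edge="Edge-2"))
```

Running the script prints Edge-1/Edge-2 for the two hosts under normal conditions and Edge-2 for both once track 10 is down, matching the NAT tables captured on the Edge routers.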

Testing failover:

While host 192.168.1.3 is continuously pinging 4.2.2.2, ISP-1 fails. Track 10 on the Internal router goes down, the set ip next-hop of sequence 10 is no longer applied, and packets from 192.168.1.3 are forwarded to Edge-2 by normal IP routing. In the outputs below the translation for 192.168.1.3 (port 10) first appears on Edge-1 and, after the tracking state change, on Edge-2. The host loses only six of 500 packets: the first one and five during the switch-over.

Edge-1# show ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
icmp 172.64.1.1:1      10.3.3.1:1         4.2.2.2:1          4.2.2.2:1
icmp 172.64.1.1:10     192.168.1.3:10     4.2.2.2:10         4.2.2.2:10
Internal#
01:54:19.171: %TRACKING-5-STATE: 10 rtr 1 reachability Up->Down
Edge-2# show ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
icmp 172.64.2.1:2      10.4.4.1:2         4.2.2.2:2          4.2.2.2:2
icmp 172.64.2.1:10     192.168.1.3:10     4.2.2.2:10         4.2.2.2:10
Host# ping 4.2.2.2 repeat 500
Type escape sequence to abort.
Sending 500, 100-byte ICMP Echos to 4.2.2.2, timeout is 2 seconds:
.!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!.....!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!
Success rate is 98 percent (494/500), round-trip min/avg/max = 1/65/264 ms
Host#