Load Balance multiple ISPs

Answered Question
Apr 25th, 2007

Hello, can anyone point me in the direction where I can add more ISPs to my infrastructure (I am not an AS, so no BGP) and have some sort of load balance?

Thanks

Paolo Bevilacqua Wed, 04/25/2007 - 10:23

For once I do not quite agree with Mohammed.

Today, to work with multiple ISPs it is not a given that you need BGP or expensive appliances.

For example, in most cases when using NAT, it is enough to set multiple static routes to the interfaces doing NAT, and the traffic will load balance nicely and provide fail-over at the same time.

Hope this helps, please rate post if it does

alvaroadp Wed, 04/25/2007 - 10:28

Can you provide some sort of details/directions? I have a c2801 and a PIX 515e. The PIX does my NAT. I have 2 ISPs plugged on the c2801, but right now I only use one with the PIX. I pretty much would like load balance and fail over... thanks!

Paolo Bevilacqua Wed, 04/25/2007 - 10:45

Hi Alvaro,

Best design is if you move the PIX behind the router, that is, the router faces both ISPs and does NAT. The PIX, if you want, does firewall only. You could have the PIX do NAT for one ISP and the router for the other, but things get more complicated.

Then:

  int
  ip nat outside
  int
  ip nat outside
  int
  ip nat inside
  ip nat inside source list 1 interface overload
  ip nat inside source list 1 interface overload
  ip route 0.0.0.0 0.0.0.0
  ip route 0.0.0.0 0.0.0.0
  access-list 1 permit 192.168.0.0 0.0.255.255

That's it. If you want one ISP to handle more traffic than the other, you add specific routes to one ISP (e.g. youtube IP address, or whatever).

As a courtesy to those providing answers, please rate all useful posts!

alvaroadp Wed, 04/25/2007 - 11:01

Sounds great... can I keep the PIX facing the internet? I do VPN and NAT with it... will that work the same way?

Correct Answer
Paolo Bevilacqua Wed, 04/25/2007 - 11:21

Well, should work. In that case remove nat statements for the interface where you have connected the PIX. Leave the two static routes in place.

The thing is that the router with right SW and configuration is able to do NAT, FW, and VPN just like the PIX if not better.

Good luck.

ankbhasi Wed, 04/25/2007 - 22:23

Hi Paolo,

I have a clarification here. Suppose my ISP 1 goes down then what will be the sequence of operation?

As NAT order of operation says it will check the routing entry first, so it will see the second static route, but how will it take the second NAT statement when the first NAT statement matches fine? Don't you think it will take the second static route but will take the first NAT statement, which may create some kind of problem at the ISP end?

I believe if I call a policy in my NAT statement to match the interface first, then only if the interface is found up will it trigger the first NAT statement, or else move to the second NAT statement.

Regards,

Ankur
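A worked configuration for the design Paolo sketches above and for the interface-matching NAT policy Ankur asks about, added here as an example and not taken from the thread. Interface names, addresses (RFC 5737 documentation ranges) and the LAN subnet are assumed, and it goes beyond the thread by tracking each next hop with IP SLA so a default route is withdrawn when its ISP is unreachable (assumes an IOS release that supports `ip sla` and `track ... ip sla ... reachability`):

```cisco
! Added example, not from the thread. Interface names and addresses are
! constructed (RFC 5737 ranges): ISP1 on Gi0/0, ISP2 on Gi0/1, LAN on Gi0/2.
interface GigabitEthernet0/0
 ip address 203.0.113.2 255.255.255.252
 ip nat outside
!
interface GigabitEthernet0/1
 ip address 198.51.100.2 255.255.255.252
 ip nat outside
!
interface GigabitEthernet0/2
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
! Inside hosts allowed to be translated (same ACL as in the thread).
access-list 1 permit 192.168.0.0 0.0.255.255
!
! IOS routes an inside->outside packet first, then picks the NAT rule whose
! route-map matches the chosen output interface. Binding each rule to its
! interface means traffic that fails over to ISP2 is translated with ISP2's
! address instead of ISP1's.
route-map NAT-ISP1 permit 10
 match ip address 1
 match interface GigabitEthernet0/0
!
route-map NAT-ISP2 permit 10
 match ip address 1
 match interface GigabitEthernet0/1
!
ip nat inside source route-map NAT-ISP1 interface GigabitEthernet0/0 overload
ip nat inside source route-map NAT-ISP2 interface GigabitEthernet0/1 overload
!
! Probe each ISP's next hop; a route is withdrawn when its probe fails, which
! also covers an ISP outage where the physical link stays up.
ip sla 1
 icmp-echo 203.0.113.1 source-interface GigabitEthernet0/0
 frequency 10
ip sla schedule 1 life forever start-time now
track 1 ip sla 1 reachability
!
ip sla 2
 icmp-echo 198.51.100.1 source-interface GigabitEthernet0/1
 frequency 10
ip sla schedule 2 life forever start-time now
track 2 ip sla 2 reachability
!
! Two equal-cost default routes: CEF shares flows per destination across both.
ip route 0.0.0.0 0.0.0.0 203.0.113.1 track 1
ip route 0.0.0.0 0.0.0.0 198.51.100.1 track 2
```

Translations already built through the failed interface remain in the NAT table until they age out or are cleared with `clear ip nat translation *`, so established sessions do not move over on their own.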

mohammedmahmoud Wed, 04/25/2007 - 11:59

Hi Paolo,

Thank you for criticizing my opinion, we are all here to gain more experience and knowledge by interacting with each other :)

You are right, doing NAT as you explained is the most simple solution, but don't you agree with me that BGP would be the most scalable and optimum solution?

BR,

Mohammed Mahmoud.

Paolo Bevilacqua Wed, 04/25/2007 - 14:37

Hi Mohammed,

It's a matter of size. If we were talking about a large organization with high speed circuits and the competence to maintain it, yes, I would recommend BGP. But here we mostly deal with small businesses with at most T1s and broadband. These speeds were justifying BGP ten years ago, not anymore today. As someone else pointed out, it is not just the technical side, but also the administrative one: AS numbers are not given easily, and much less provider independent space.

So Radware found a market by solving the problem for all customers that cannot run BGP; they are the vast majority.

Cisco doesn't have such an "out of the box" solution, but luckily a simple NAT configuration on the router or PIX does it anyway.

Thank you for your continued support and keep up the good work!

best, Paolo

mohammedmahmoud Thu, 04/26/2007 - 02:43

Hi Paolo,

I do agree with you, but don't you think that simple NATing might introduce a couple of issues, especially as the customer will have 2 classes from 2 different ISPs (we need to control both the upload and the download)? OK, let's try to put the optimum model out there for people to use NAT regarding this issue.

BR,

Mohammed Mahmoud.

Paolo Bevilacqua Thu, 04/26/2007 - 04:26

Actually I don't see much of a problem.

Most people don't get many addresses anyway, perhaps one static and, many times, only dynamic. If they have servers inside they can either use the most reliable ISP for that, or set two A records in DNS and have a pseudo form of redundancy. Also many people like to have dual ISP just to harden VPN, and this is not a problem either, just set up two tunnels.

I think that NAT has really revolutionized IP, mostly for good overall.

alvaroadp Wed, 04/25/2007 - 10:26

Pretty expensive to get an AS. And a lot of paperwork too. Several acquaintances tried and got denied. Also, BGP doesn't do automatic load balance... am I mistaken?

thanks
