1115 Views, 15 Helpful, 13 Replies

Load Balance multiple ISPs

alvaroadp
Level 1

Hello, can anyone point me in the direction where I can add more ISPs to my infrastructure (I am not an AS, so no BGP) and have some sort of load balancing?

Thanks


13 Replies

mohammedmahmoud
Level 11

Hi there,

You can use an internet load balancer. You can find many, but here is one that I've heard about. However, I strongly recommend going to the BGP alternative, as it is the most optimum solution.

http://www.rad-direct.com/Product-LinkProof-Multihoming-Load-Balance-Multiple-ISP-Links.htm

HTH, please rate if it does help,

Mohammed Mahmoud.

For once I do not quite agree with Mohammed.

Today, working with multiple ISPs does not mean that you need BGP or expensive appliances.

For example, in most cases when using NAT, it is enough to set multiple static routes to the interfaces doing NAT, and the traffic will load balance nicely and provide fail-over at the same time.

Hope this helps, please rate post if it does

Can you provide some sort of details/directions? I have a c2801 and a PIX 515e. The PIX does my NAT. I have 2 ISPs plugged into the c2801, but right now I only use one with the PIX. I pretty much would like load balance and fail over... thanks!

Hi Alvaro,

Best design is if you move the PIX behind the router, that is, the router faces both ISPs and does NAT. The PIX, if you want, does firewall only. You could have the PIX do NAT for one ISP and the router for the other, but things get more complicated.

Then:

int
ip nat outside
int
ip nat outside
int
ip nat inside
ip nat inside source list 1 interface overload
ip nat inside source list 1 interface overload
ip route 0.0.0.0 0.0.0.0
ip route 0.0.0.0 0.0.0.0
access-list 1 permit 192.168.0.0 0.0.255.255

That's it. If you want one ISP to handle more traffic than the other, you add specific routes to one ISP (e.g. YouTube IP addresses, or whatever).

As a courtesy to those providing answers, please rate all useful posts!

Sounds great... can I keep the PIX facing the internet? I do VPN and NAT with it... will that work the same way?

Well, should work. In that case remove nat statements for the interface where you have connected the PIX. Leave the two static routes in place.

The thing is that the router with right SW and configuration is able to do NAT, FW, and VPN just like the PIX if not better.

Good luck.

Thanks a lot, I will give it a try... also I just found out about a new feature on PIX 7.x using SLA commands at http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00806e880b.shtml

which might do it for me. I will try both options. Thanks a lot for the input!

Hi Paolo,

I have a clarification here. Suppose my ISP 1 goes down then what will be the sequence of operation?

As the NAT order of operation says, it will check the routing entry first, so it will see the second static route, but how will it take the second NAT statement when the first NAT statement matches fine? Don't you think it will take the second static route but will take the first NAT statement, which may create some kind of problem at the ISP end?

I believe I could call a policy in my NAT statement to match the interface first, and if the interface is found up then only trigger the first NAT statement, or else move to the second NAT statement.

Regards,

Ankur
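A fuller version of the router-side setup Paolo sketches above (both ISP interfaces doing NAT, two default routes) that also addresses Ankur's ordering concern and uses the reachability tracking Alvaro mentions. This is an added example, not configuration posted in the thread: the interface names, the RFC 5737 documentation addresses, the gateway addresses used as probe targets and the route-map names are all constructed placeholders. Each NAT rule is bound to its egress interface with `match interface`, so the translation used is the one for the interface the routing lookup actually chose, and each default route is withdrawn when its ISP's probe fails.

```cisco
! Added example, not from the thread. Interface names, addresses and
! probe targets are constructed placeholders; adjust to your own links.
!
! --- interfaces ---
interface FastEthernet0/0
 description ISP1
 ip address 203.0.113.2 255.255.255.252
 ip nat outside
!
interface FastEthernet0/1
 description ISP2
 ip address 198.51.100.2 255.255.255.252
 ip nat outside
!
interface FastEthernet0/2
 description LAN side (PIX outside, or directly attached hosts)
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
! --- reachability probes: ping each ISP gateway every 10 seconds ---
ip sla 1
 icmp-echo 203.0.113.1 source-interface FastEthernet0/0
 frequency 10
ip sla schedule 1 life forever start-time now
!
ip sla 2
 icmp-echo 198.51.100.1 source-interface FastEthernet0/1
 frequency 10
ip sla schedule 2 life forever start-time now
!
track 1 ip sla 1 reachability
track 2 ip sla 2 reachability
!
! --- two default routes with equal administrative distance ---
! Both stay in the table, so CEF load-shares per destination; when a
! probe fails, the tracked route is removed and all traffic uses the
! remaining ISP.
ip route 0.0.0.0 0.0.0.0 203.0.113.1 track 1
ip route 0.0.0.0 0.0.0.0 198.51.100.1 track 2
!
! --- NAT tied to the egress interface ---
! Two plain "ip nat inside source list 1 ..." statements both match on
! the source address alone, so the first one wins regardless of which
! default route was selected. "match interface" makes each route-map
! match only when the packet is leaving through that ISP's interface.
access-list 1 permit 192.168.0.0 0.0.255.255
!
route-map NAT-ISP1 permit 10
 match ip address 1
 match interface FastEthernet0/0
!
route-map NAT-ISP2 permit 10
 match ip address 1
 match interface FastEthernet0/1
!
ip nat inside source route-map NAT-ISP1 interface FastEthernet0/0 overload
ip nat inside source route-map NAT-ISP2 interface FastEthernet0/1 overload
```

`show track`, `show ip route` and `show ip nat translations` let you confirm which route and translation a given flow is using. Two caveats worth knowing: probing the directly attached gateway only detects a local link failure, so a target further upstream is more useful, but it then needs a static host route through the ISP being tested so the probe does not leak out the other link; and translations already built on the failed ISP's interface persist until they time out, so after a failover the affected flows may need `clear ip nat translation *` before they recover.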

Hi Paolo,

Thank you for criticizing my opinion, we are all here to gain more experience and knowledge by interacting with each other :)

You are right, doing NAT as you explained is the most simple solution, but don't you agree with me that BGP would be the most scalable and optimum solution?

BR,

Mohammed Mahmoud.

Hi Mohammed,

It's a matter of size. If we were talking about a large organization with high-speed circuits and the competence to maintain it, yes, I would recommend BGP. But here we mostly deal with small businesses with at most T1s and broadband. These speeds were justifying BGP ten years ago, not anymore today. As someone else pointed out, it is not just the technical side but also the administrative one: AS numbers are not given easily, and much less provider-independent space.

So Radware found a market by solving the problem for all customers that cannot run BGP, and they are the vast majority.

Cisco doesn't have such an "out of the box" solution, but luckily a simple NAT configuration on the router or PIX does it anyway.

Thank you for your continued support and keep up the good work!

best, Paolo

Hi Paolo,

I do agree with you, but don't you think that simple NATing might introduce a couple of issues, especially as the customer will have 2 address blocks from 2 different ISPs (we need to control both the upload and the download)? OK, let's try to put the optimum model out there for people to use NAT regarding this issue.

BR,

Mohammed Mahmoud.

Actually I don't see much of a problem.

Most people don't get many addresses anyway, perhaps one static and, many times, only dynamic. If they have servers inside they can either use the most reliable ISP for that, or set two A records in DNS and have a pseudo form of redundancy. Also many people like to have dual ISP just to harden VPN, and this is not a problem either, just set up two tunnels.

I think that NAT has really revolutionized IP, mostly for good overall.

Pretty expensive to get an AS. And a lot of paperwork too. Several acquaintances tried and got denied. Also, BGP doesn't do automatic load balance... am I mistaken?

thanks
