Dual ISP Network Load Balance

Dec 10th, 2009

I will explain the scenario in 2 steps:

1. Current Setup:

We have a T1 line coming from the datacenter to our office, connected to the serial port of a 2621 router. FastEthernet0/0 (FE0) is connected to a 2900 Catalyst switch.

The PIX 515E firewall (OS version 8.0) also goes to this 2900 Catalyst switch. There is one Cisco VPN connected to this 2900 Catalyst switch too.

The firewall has 6 Ethernet ports, 3 in use (1st to outside from the Catalyst, 2nd to the LAN switch, 3rd to the failover PIX).

The T1 line coming from the datacenter also provides public IP addresses, which we are using to have the VPN and 1-2 servers directly reachable from the internet.

2. Proposed Setup:

We want to add one more internet connection through an ISP, which will provide it through a modem.

Something like below:

[Diagram: network.jpg]

So my question is: can I accommodate this new internet connection in my current setup without disturbing the VPN, internet, and private network access to the datacenter? Also, I want it to be a load-balanced connection instead of a backup ISP connection.

I read http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00806e880b.shtml, which says how to set up a 2nd internet connection as a backup internet connection, but I want it to be load balanced.

Please help me here.

Thanks,

Shashi.

shashikant.prabhakar Mon, 12/14/2009 - 09:32

Hi There,

It seems either I put it in the wrong queue or it is not a good question to ask.

Nobody has replied for the last 3 days now.

Shashi.

sachinraja Mon, 12/14/2009 - 10:31

Hi Shashi

This question could have been posted in the "Firewall" section instead of Network Management. Anyway, if you query "ASA/PIX Multihoming" in the search box, you would have got some answers...

Well, there have been various views and design strategies for implementing multihoming when you have a device like a PIX in between. Configuring load balancing on the PIX isn't directly possible, but you can use other technologies to work with the PIX to have "load sharing" configured.

In any case, there wouldn't be per-packet load balancing derived out of it, but it could be manually sharing the load between the PIXes, allocating a few VLANs to use context 1 and a few to use context 2. This is achieved by using PIX security contexts. More info can be found here:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080834058.shtml#conf

Or you can just have another layer 3 device (like an L3 switch which can run BGP) on the outside side of the PIX, which can effectively do multihoming with protocols like BGP. The PIX would then have a single default gateway, but the L3 switch might have BGP configured to decide which link to use. In all these cases, anyway, we are only talking about outbound load balancing...

Load balancing incoming traffic anyway depends on the BGP configuration done on the extranet routers. Depending on the policy, it chooses either the internet1 or internet2 link. It is hence a very tricky scenario, and you have to understand your traffic flows well before designing your networks.

Hope this helps. All the best.

Raj

shashikant.prabhakar Tue, 12/15/2009 - 11:50

Hi,

I do not want to use BGP or any new hardware. Isn't there any way to load balance with my current hardware, that is the PIX 515E and router 2621?

Also, if it is not possible at all, then here is the 2nd scenario I would like to go with, and I think at least this should be possible with the same hardware:

1. In the normal scenario, both ISPs should be up and running on different subnets. For example, for the datacenter, 10.1.x.x is up and running; for the other ISP, 10.10.x.x should be up and running at any time, so the user will be free to move to any subnet the way he/she wants to access the internet.

2. The two ISPs should work as failover, that is, if the primary 10.1.x.x (through router 2621) goes down from the datacenter, the other ISP should come up for all, which will let us access the internet on 10.1.x.x (instead of 10.10.x.x this time).

Thanks,

Shashi.

sachinraja Tue, 12/15/2009 - 11:57

Hi Shashi

You need to look at multiple contexts on the ASA/PIX hardware, as I said. With these you can basically bundle the VLANs into contexts and do load sharing. Without BGP we can't do much with multihoming, the main issue being the number of default routes which can be added on PIX devices: it's just one!

The failover scenario will work anyway, even without a multiple context license. You can use IP SLA to track the next-hop reachability and have a backup route trigger if the primary router isn't reachable. I am sure you have the URL to implement the same.

Hope this helps. All the best.

Raj
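The tracked-route failover Raj refers to, written out as an added example for the PIX 515E on 8.0 (pre-8.3 NAT syntax). This is not configuration from the original thread or from Cisco's document; every address, the interface name `backup`, the port `Ethernet2`, the probe target 203.0.113.1 and the datacenter prefix 172.16.0.0/16 are assumptions for illustration. It assumes the new ISP's modem is connected to one of the three unused PIX ports rather than to the Catalyst.

```cisco
! PIX 515E, 8.0, pre-8.3 NAT syntax. All addresses below are assumed for the example.
! outside = existing interface toward the 2621/T1 (PIX 200.200.1.2/24, 2621 at 200.200.1.1)
! backup  = spare PIX port toward the new ISP's modem (PIX 198.51.100.2/24, modem at 198.51.100.1)
interface Ethernet2
 nameif backup
 security-level 0
 ip address 198.51.100.2 255.255.255.0
 no shutdown
!
! Datacenter private traffic (assumed 172.16.0.0/16) is exempt from NAT and keeps its own
! static route over the T1, so it is not affected by the tracked default route below.
access-list NONAT extended permit ip 10.0.0.0 255.0.0.0 172.16.0.0 255.255.0.0
nat (inside) 0 access-list NONAT
route outside 172.16.0.0 255.255.0.0 200.200.1.1 1
!
! One NAT policy with a global pool on each egress interface: the PIX PATs to the
! address of whichever interface the active default route uses, so no NAT change is
! needed when the route flips.
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface
global (backup) 1 interface
!
! Probe a host that is only reachable through the T1 (assumed 203.0.113.1, e.g. ISP1's DNS).
! "interface outside" pins the probe to the primary path so it cannot succeed via the backup.
sla monitor 123
 type echo protocol ipIcmpEcho 203.0.113.1 interface outside
 num-packets 3
 frequency 10
sla monitor schedule 123 life forever start-time now
!
track 1 rtr 123 reachability
!
! The primary default route is installed only while track 1 is up; the backup route
! (metric 254) takes over when the probe fails and is superseded again when it recovers.
route outside 0.0.0.0 0.0.0.0 200.200.1.1 1 track 1
route backup 0.0.0.0 0.0.0.0 198.51.100.1 254
```

Verify with `show sla monitor operational-state 123`, `show track 1` and `show route`; pulling the T1 (or the cable to the 2621) should flip the default route to `backup` within a few probe intervals. Two caveats a practitioner should expect: connections that were PATed behind the T1 address drop when the route flips, because their translations no longer match the egress interface; and the VPN and the 1-2 directly reachable servers stay bound to the T1's public addresses, so inbound access to them is not failed over by this configuration.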

shashikant.prabhakar Tue, 12/15/2009 - 12:00

Hi,

Yes, I have the URL to do the 2nd point:

1. In the normal scenario, both ISPs should be up and running on different subnets. For example, for the datacenter, 10.1.x.x is up and running; for the other ISP, 10.10.x.x should be up and running at any time, so the user will be free to move to any subnet the way he/she wants to access the internet.

2. The two ISPs should work as failover, that is, if the primary 10.1.x.x (through router 2621) goes down from the datacenter, the other ISP should come up for all, which will let us access the internet on 10.1.x.x (instead of 10.10.x.x this time).

But how can I merge the 1st point at the same time, that is, having both internet connections up and running on different subnets and also having the failover scenario? I am not able to think how I will be able to write rules for the other ISP for 10.10.x.x in one scene and 10.1.x.x in the other.

Thanks,

Shashi.

sachinraja Tue, 12/15/2009 - 12:26

Hi Shashi

Got your point. Here is a solution which might work:

1) For your first network 10.1.x.x you can have NATs built on ISP 1 IP addresses, say 200.200.1.x. For the 2nd network 10.10.x.x, have NATs built on the 2nd ISP's IP addresses, say 140.1.x.x.

2) After they get NATed, the PIX basically forwards all the traffic to the first router. Now, on the first router, you can have policy-based routing configured to route source 140.1.x.x to the second router (the first and second routers will be connected back to back).

3) In this scenario, all traffic for the first ISP goes through your first router, and the traffic for the second ISP goes through the 2nd router. This is just for outbound. The only issue is, in case of failures, we need to make sure the backup works, and we might have to manually change the NAT IPs to make it work.

4) This is exactly why we would require BGP, wherein you can have a single common subnet which can be routed to both ISP 1 and ISP 2 without manual intervention to change the NAT rules!

But if you don't want BGP or to add devices, then this would be the way to go, though again this solution has a lot of constraints. You can also have security contexts, as said before, to achieve this without manual intervention.

Hope this helps. All the best.

Raj
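Raj's points 1) and 2) as an added, worked example: per-subnet NAT on the PIX plus policy-based routing on the 2621. This is not configuration from the thread or from Cisco; the public addresses 200.200.1.10 and 140.1.1.10, the back-to-back link 192.168.250.0/30, the router interface names, the datacenter prefix 172.16.0.0/16 and the existence of a second router behind the new ISP's modem are all assumptions for illustration. It also adds the one check the thread does not spell out: datacenter-bound traffic must be exempted from NAT, otherwise 10.10.x.x hosts would be translated to the ISP 2 address and policy-routed away from the T1.

```cisco
! ===== PIX 515E, 8.0, pre-8.3 NAT syntax (addresses assumed) =====
! PIX outside = 200.200.1.2/24, single default gateway = the 2621 at 200.200.1.1
!
! Check: keep datacenter private traffic (assumed 172.16.0.0/16) out of NAT entirely.
! nat 0 with an ACL takes precedence over the numbered nat statements below.
access-list NONAT extended permit ip 10.1.0.0 255.255.0.0 172.16.0.0 255.255.0.0
access-list NONAT extended permit ip 10.10.0.0 255.255.0.0 172.16.0.0 255.255.0.0
nat (inside) 0 access-list NONAT
!
! 10.1.x.x users PAT to an ISP 1 address (assumed 200.200.1.10)
nat (inside) 1 10.1.0.0 255.255.0.0
global (outside) 1 200.200.1.10
!
! 10.10.x.x users PAT to an ISP 2 address (assumed 140.1.1.10), still leaving via "outside"
nat (inside) 2 10.10.0.0 255.255.0.0
global (outside) 2 140.1.1.10
!
! The PIX has exactly one default route; the 2621 decides which ISP the packet really uses.
route outside 0.0.0.0 0.0.0.0 200.200.1.1 1

! ===== Router 1: Cisco 2621 (interfaces and addresses assumed) =====
! Serial0/0 = T1 to the datacenter/ISP 1, FastEthernet0/0 = Catalyst/PIX side (200.200.1.1/24),
! FastEthernet0/1 = back-to-back link to router 2 (192.168.250.1/30, router 2 = .2)
!
! Return traffic for the ISP 2 NAT address must be handed back to the PIX outside interface.
ip route 140.1.1.0 255.255.255.0 200.200.1.2
!
! Policy-based routing: anything the PIX sourced from the ISP 2 address goes to router 2.
! Only 140.1.x.x matches, so datacenter traffic (un-NATed) and ISP 1 traffic keep the normal route.
access-list 110 permit ip 140.1.1.0 0.0.0.255 any
!
route-map ISP2-OUT permit 10
 match ip address 110
 set ip next-hop 192.168.250.2
!
interface FastEthernet0/0
 ip policy route-map ISP2-OUT

! ===== Router 2: assumed router between the 2621 and the new ISP's modem =====
! Default route to the modem (assumed 140.1.1.1); ISP 2 NAT address routed back toward router 1.
ip route 0.0.0.0 0.0.0.0 140.1.1.1
ip route 140.1.1.0 255.255.255.0 192.168.250.1
```

From a 10.1.x.x host and a 10.10.x.x host, check the egress path with `show ip cache policy` and `show route-map ISP2-OUT` on the 2621 (the match counter should increase only for the 10.10.x.x host's traffic) and `show xlate` on the PIX (each host should appear behind its own global address). On failure this design behaves exactly as Raj's point 3) warns: IOS can fall back from the PBR next hop with `set ip next-hop verify-availability`, but the packets would then leave the T1 still sourced from 140.1.1.10, which ISP 1 will normally drop under ingress filtering (BCP 38), so the real fallback has to be a change to the `global (outside) 2` address, by hand or with a second NAT statement you enable when the link fails.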
