Load Balance 2 ISPs' with two 2951 routers and 1 ASA

maheshlogs
Level 1

We have 2 CISCO 2951 routers and 1 ASA 5510 firewall. We have 2 internet links from different service providers (Leased Lines).

How we need to configure both the routers for load balance and failover?

8 Replies

Ganesh Hariharan
VIP Alumni

Hi,

If you want to go for failover of links, then configure HSRP with tracking, so that whenever the external link goes down the other router comes into the picture, and point the default route from the ASA towards the VIP of the HSRP group on the routers.

Check out the below link for more information

http://www.cisco.com/en/US/tech/tk648/tk362/technologies_tech_note09186a0080094e8c.shtml

Hope to Help !!

Ganesh.H

Remember to rate the helpful post
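The failover design Ganesh describes, written out as an added example (this is not configuration from the thread or from the Cisco tech note): each 2951 probes its own ISP gateway with IP SLA, the probe drives a track object that both lowers the router's HSRP priority and withdraws its default route, and the ASA points its default route at the shared HSRP VIP. The addressing (LAN 192.168.1.0/24, VIP 192.168.1.1, ISP links 203.0.113.0/30 and 198.51.100.0/30), interface names and the ASA interface name "outside" are assumptions, not the poster's real values.

```ios
! ===== Router R1 (primary, ISP1 on Gi0/0) =====
! Probe the ISP1 gateway every 10 s; track 1 goes down when replies stop.
ip sla 1
 icmp-echo 203.0.113.1 source-interface GigabitEthernet0/0
 frequency 10
ip sla schedule 1 life forever start-time now
track 1 ip sla 1 reachability
!
interface GigabitEthernet0/0
 description ISP1 (assumed addressing)
 ip address 203.0.113.2 255.255.255.252
 ip nat outside
!
interface GigabitEthernet0/2
 description LAN towards the ASA
 ip address 192.168.1.2 255.255.255.0
 ip nat inside
 standby version 2
 standby 1 ip 192.168.1.1
 standby 1 priority 110
 standby 1 preempt delay minimum 30
 ! MD5 authentication stops any host on the LAN segment from claiming the VIP.
 standby 1 authentication md5 key-string <shared-secret>
 ! Priority drops to 90 (below R2's 100) when the ISP1 probe fails.
 standby 1 track 1 decrement 20
!
! Withdraw the default when ISP1 is dead so R1 never black-holes traffic,
! even for the few seconds before R2 takes over the VIP.
ip route 0.0.0.0 0.0.0.0 203.0.113.1 track 1
! PAT the LAN behind the ISP1 address; only the LAN prefix is translated.
access-list 10 permit 192.168.1.0 0.0.0.255
ip nat inside source list 10 interface GigabitEthernet0/0 overload
!
! ===== Router R2 (standby, ISP2 on Gi0/0) =====
ip sla 1
 icmp-echo 198.51.100.1 source-interface GigabitEthernet0/0
 frequency 10
ip sla schedule 1 life forever start-time now
track 1 ip sla 1 reachability
!
interface GigabitEthernet0/0
 description ISP2 (assumed addressing)
 ip address 198.51.100.2 255.255.255.252
 ip nat outside
!
interface GigabitEthernet0/2
 description LAN towards the ASA
 ip address 192.168.1.3 255.255.255.0
 ip nat inside
 standby version 2
 standby 1 ip 192.168.1.1
 standby 1 priority 100
 standby 1 preempt
 standby 1 authentication md5 key-string <shared-secret>
 standby 1 track 1 decrement 20
!
ip route 0.0.0.0 0.0.0.0 198.51.100.1 track 1
access-list 10 permit 192.168.1.0 0.0.0.255
ip nat inside source list 10 interface GigabitEthernet0/0 overload
!
! ===== ASA 5510 =====
! Interface facing the routers is assumed to be named "outside".
route outside 0.0.0.0 0.0.0.0 192.168.1.1 1
```

Check the state with `show standby brief`, `show track` and `show ip sla statistics`. Two caveats a practitioner should expect: pinging the ISP gateway only detects a dead access link, so probe something further upstream (pinned to that ISP with a /32 static route) if you need to catch upstream outages; and NAT translations live on whichever router is active, so a failover drops established sessions, which must re-establish through the new active router. As Mahesh notes in his next reply, this gives failover only: one router carries all traffic at any time.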

maheshlogs
Level 1

Hello ganeshh,

Thanks for the quick reply. But in fact that works only for failover, whereas we need to configure load balancing across both ISPs along with failover.

Regards

Mahesh


Hi Mahesh,

If you are not looking for redundancy (and with 1 ASA it appears to be a single point of failure anyway), you could replace your concept of 2 routers with a single router with multiple WAN interfaces and use policy-based routing to route your traffic out the interface you would like.

Two routers, both with 2 WAN interfaces, configured for HSRP, with policy-based routing on both, and you basically have an active router and a standby router for redundancy.

So what I would suggest, as the ASA also doesn't have the capability for policy-based routing in the 5500 series, is that you go with a redundancy setup design; check out the below link for the ASA's capabilities to support PBR.

https://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_qanda_item09186a00805b87d8.shtml#pbr

Hope to Help !!

Ganesh.H

Remember to rate the helpful post

Hi Ganesh,

I have tried GLBP (2 routers) as well as static routes (1 router with 2 WAN interfaces).

Under GLBP, a few users were able to connect to the internet whereas the rest were unable to. With static routes (1 router only), the traffic goes out on both interfaces but comes back only on one interface (the Gi0/0 interface).

If you need detailed info about the static route config I tried, below is the same:

interface GigabitEthernet0/0
 ip address xxx.xxx.xx.xxx 255.255.255.252
 ip flow ingress
 ip flow egress
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 ip address xxx.xxx.xxx.xx 255.255.255.252
 ip nat outside
 ip virtual-reassembly
 ! Gi0/1 is administratively down in this snapshot
 shutdown
 duplex auto
 speed auto
!
interface GigabitEthernet0/2
 ip address 192.168.1.2 255.255.255.0
 ip flow ingress
 ip flow egress
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
 no mop enabled
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
ip flow-export version 5
!
! One PAT pool per ISP, each using that ISP's WAN address
ip nat pool isp1 xxx.xxx.xx.xxx xxx.xxx.xx.xxx netmask 255.255.255.252
ip nat pool isp2 xxx.xxx.xxx.xx xxx.xxx.xxx.xx netmask 255.255.255.252
ip nat inside source route-map isp1 pool isp1 overload
ip nat inside source route-map isp2 pool isp2 overload
! Two equal-cost default routes, one per WAN interface
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/1
!
! ACL 10 is defined but not referenced by either route-map
access-list 1 permit any
access-list 10 permit any
!
! NAT route-maps: the pool is selected by the interface the packet exits
route-map isp2 permit 10
 match ip address 1
 match interface GigabitEthernet0/1
 set interface GigabitEthernet0/1
!
route-map isp1 permit 10
 match ip address 1
 match interface GigabitEthernet0/0
 set interface GigabitEthernet0/0

Note: the IP addresses are the WAN IP addresses provided by each ISP.

Does the router have the correct configuration?

On the ASA, the default route is set to 192.168.1.2, which is the router's LAN IP address (NAT inside).

Please let me know.

Regards

Mahesh

Hi Mahesh,

What IP addresses are configured in ACL 1, and why do you want two checks in the ISP1 route map? Why don't you try a simple one and then check whether it works, like:

route-map isp1 permit 10
 match ip address 1
 set interface gig0/1
!
route-map isp2 permit 10
 match ip address 1
 set interface gig0/0

Hope to help !!

Ganesh.H

Remember to rate the helpful post

Hi Ganeshh,


No specific IP address has been configured using ACL. It's just a standard ACL entry as specified in the router configuration.

!
access-list 1 permit any
access-list 10 permit any
!


As for the two checks in the ISP1 route map: earlier, I had tried a route-map similar to the one you have advised, but with no luck.

route-map isp1 permit 10
 match ip address 1
 set interface gig0/1
!
route-map isp2 permit 10
 match ip address 1
 set interface gig0/0

Afterwards, I followed the instructions from one of the support forums, which described a route map similar to the one which exists on the router now.


Please Advise

Regards

Mahesh.M

shailesh.h
Level 1

I think you can refer to

Amit Singh
Cisco Employee

Ideally, HSRP or GLBP should satisfy the requirement. I don't really know why GLBP did not work for you, but ideally it should. Did you check with the ISP? Ideally, if traffic exits via your ISP 1, it should come back via the same ISP. The other ISP will not allow your transit traffic and blocks it unless you have your own AS.

Did you try PfR? PfR would be the ideal choice for you.

http://www.cisco.com/en/US/products/ps8787/products_ios_protocol_option_home.html

HTH,
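Pulling together the single-router design Ganesh suggested (two WAN interfaces plus policy-based routing), the NAT route-map configuration Mahesh posted, and Amit's point that a flow must come back over the ISP whose address it left with, here is an added example of a dual-ISP single-2951 configuration. It is not configuration from the thread or from Cisco documentation; the ISP addresses (203.0.113.0/30, 198.51.100.0/30), the assumption that the ASA forwards 192.168.1.0/24-sourced traffic to the router unchanged, and the LAN-LOW/LAN-HIGH split are all assumptions made for the example.

```ios
! Per-ISP reachability probes (assumed gateway addresses).
ip sla 1
 icmp-echo 203.0.113.1 source-interface GigabitEthernet0/0
 frequency 10
ip sla schedule 1 life forever start-time now
ip sla 2
 icmp-echo 198.51.100.1 source-interface GigabitEthernet0/1
 frequency 10
ip sla schedule 2 life forever start-time now
track 1 ip sla 1 reachability
track 2 ip sla 2 reachability
!
interface GigabitEthernet0/0
 description ISP1 (assumed addressing)
 ip address 203.0.113.2 255.255.255.252
 ip nat outside
 ip virtual-reassembly
!
interface GigabitEthernet0/1
 description ISP2 (assumed addressing)
 ip address 198.51.100.2 255.255.255.252
 ip nat outside
 ip virtual-reassembly
!
interface GigabitEthernet0/2
 description LAN towards the ASA (ASA default route -> 192.168.1.2)
 ip address 192.168.1.2 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 ip policy route-map SPLIT
!
! Each default route is installed only while its ISP answers the probe.
! With both up, CEF load-shares per source/destination pair, so a given
! TCP session stays on one ISP instead of flapping between them.
ip route 0.0.0.0 0.0.0.0 203.0.113.1 track 1
ip route 0.0.0.0 0.0.0.0 198.51.100.1 track 2
!
! Translate only the inside prefix; "permit any" would also translate
! router-originated or transit traffic that happens to cross the box.
ip access-list standard LAN
 permit 192.168.1.0 0.0.0.255
! Deterministic split for PBR: lower half of the LAN prefers ISP1,
! upper half prefers ISP2 (assumed split, adjust to real prefixes).
ip access-list standard LAN-LOW
 permit 192.168.1.0 0.0.0.127
ip access-list standard LAN-HIGH
 permit 192.168.1.128 0.0.0.127
!
! PBR: pin each half to its ISP. If the tracked next hop is down the
! set clause is skipped and the packet falls back to normal routing,
! i.e. the surviving default route.
route-map SPLIT permit 10
 match ip address LAN-LOW
 set ip next-hop verify-availability 203.0.113.1 10 track 1
route-map SPLIT permit 20
 match ip address LAN-HIGH
 set ip next-hop verify-availability 198.51.100.1 10 track 2
!
! NAT route-maps keyed on the EGRESS interface (no set clause needed):
! a flow leaving via Gi0/1 is sourced from ISP2's address, so the
! reply is routed back by the Internet through ISP2, not ISP1.
route-map NAT-ISP1 permit 10
 match ip address LAN
 match interface GigabitEthernet0/0
route-map NAT-ISP2 permit 10
 match ip address LAN
 match interface GigabitEthernet0/1
ip nat inside source route-map NAT-ISP1 interface GigabitEthernet0/0 overload
ip nat inside source route-map NAT-ISP2 interface GigabitEthernet0/1 overload
```

The `match interface` clause is what makes the return path consistent: NAT evaluates the route-map after the forwarding decision, so the translated source is always the address belonging to the ISP the packet actually leaves on. Sending a packet out ISP2 with ISP1's address would at best return asymmetrically via ISP1 and at worst be dropped by ISP2's ingress source filtering, which is the symptom of only one WAN interface ever seeing return traffic. Verify with `show ip nat translations`, `show track`, and `show ip cef exact-route <src> <dst>` to see which default route a given pair hashes to. When a track goes down its translations are torn down with the route, so sessions on the failed ISP must re-establish over the other one; the ASA itself needs no change beyond its existing default route to 192.168.1.2. If the ASA hides all inside hosts behind a single address, the source-based PBR split carries no traffic and you are left with the per-destination CEF sharing only.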
