Load Balance not working on 2911

Hello folks,

I am having some trouble making Load Balance work on my 2911.

I have followed the instructions on this site:

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_configuration_example09186a0080950834.shtml

and APPARENTLY it is working, but not in the reality, because I see some packages being NATed thru both IPS's but when I check on the interfaces I see that one is not receiving / sending anything.

Background:

In G0/0 I have one ISP, in G0/1 another one, in G0/2 my network.

Building configuration...

Current configuration : 6045 bytes

!

! Last configuration change at 15:47:49 UTC Tue Jan 28 2014 by alan

! NVRAM config last updated at 14:32:59 UTC Tue Jan 28 2014 by alan

! NVRAM config last updated at 14:32:59 UTC Tue Jan 28 2014 by alan

version 15.1

service timestamps debug datetime msec

service timestamps log datetime msec

service password-encryption

!

hostname router1

!

boot-start-marker

boot-end-marker

!

!

logging buffered 51200 warnings

!

no aaa new-model

!

!

no ipv6 cef

ip source-route

ip cef

!

!

!

!

ip dhcp pool LAN_DHCP_POOL

network 192.168.0.0 255.255.0.0

default-router 192.168.2.2

domain-name g_bacon

dns-server 8.8.8.8 208.67.222.222

lease 0 8

!

!

no ip domain lookup

ip host router1 192.168.2.2

ip name-server 8.8.8.8

ip name-server 208.67.222.222

ip name-server 8.8.4.4

ip name-server 208.67.220.220

!

multilink bundle-name authenticated

!

!

crypto pki token default removal timeout 0

!

crypto pki trustpoint TP-self-signed-2101532551

enrollment selfsigned

subject-name cn=IOS-Self-Signed-Certificate-2101532551

revocation-check none

rsakeypair TP-self-signed-2101532551

!

!

crypto pki certificate chain TP-self-signed-2101532551

certificate self-signed 01

        quit

license udi pid CISCO2911/K9 sn FTX1553AJQU

!

!

username alan privilege 15 secret 5 $1$b6Jk$8iz3K3cTUgSZ.VePkKl5a/

!

redundancy

!

!

!

!

!

class-map match-any PROHIBIDAS

match protocol http host "www.facebook.com"

match protocol http host "www.youtube.com"

match protocol http host "www.pornotube.com"

match protocol http host "www.xvideos.com"

match protocol http host "www.mega.co.nz"

match protocol http host "www.radios-on-line.com.ar"

match protocol http host "www.enlaradio.com.ar"

match protocol http host "www.cienradios.com.ar"

match protocol http host "www.radios-argentina.com.ar"

match protocol http host "www.fmyam.com.ar"

match protocol http host "www.piratebay.org"

class-map match-any P2P

match protocol winmx

match protocol gnutella

match protocol bittorrent

match protocol kazaa2

!

!

policy-map DROP_PROHIBIDAS

class PROHIBIDAS

  drop

class P2P

  drop

!

!

!

!

!

!

!

!

interface Embedded-Service-Engine0/0

no ip address

shutdown

!

interface GigabitEthernet0/0

description Fibertel

ip address dhcp

ip access-group acl101 in

ip access-group acl101 out

ip nat outside

ip virtual-reassembly in

duplex auto

speed auto

no cdp enable

service-policy output DROP_PROHIBIDAS

!

interface GigabitEthernet0/1

description arnet

ip address 186.153.125.138 255.255.255.248

ip access-group acl101 in

ip access-group acl101 out

ip nat outside

ip virtual-reassembly in

duplex auto

speed auto

no cdp enable

service-policy output DROP_PROHIBIDAS

!

interface GigabitEthernet0/2

ip address 192.168.2.2 255.255.0.0

ip access-group block_FB in

ip access-group acl101 out

ip nat inside

ip virtual-reassembly in

ip tcp adjust-mss 1452

duplex auto

speed auto

no cdp enable

!

router rip

version 2

network 192.168.0.0

!

ip forward-protocol nd

!

ip http server

ip http port 8180

ip http access-class 20

ip http secure-server

ip http timeout-policy idle 60 life 86400 requests 10000

!

ip nat inside source route-map arnet interface GigabitEthernet0/1 overload

ip nat inside source route-map fibertel interface GigabitEthernet0/0 overload

ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0 track 123

ip route 0.0.0.0 0.0.0.0 200.122.102.1 254

!

ip access-list extended block_FB

deny   ip 192.168.0.0 0.0.255.255 host 173.252.100.16

deny   ip 192.168.0.0 0.0.255.255 173.252.64.0 0.0.63.255

deny   ip 192.168.0.0 0.0.255.255 31.13.24.0 0.0.7.255

deny   ip 192.168.0.0 0.0.255.255 31.13.64.0 0.0.63.255

deny   ip 192.168.0.0 0.0.255.255 66.220.144.0 0.0.15.255

deny   ip 192.168.0.0 0.0.255.255 69.63.176.0 0.0.15.255

deny   ip 192.168.0.0 0.0.255.255 69.171.224.0 0.0.31.255

deny   ip 192.168.0.0 0.0.255.255 74.119.76.0 0.0.3.255

deny   ip 192.168.0.0 0.0.255.255 103.4.96.0 0.0.3.255

deny   ip 192.168.0.0 0.0.255.255 204.15.20.0 0.0.3.255

permit ip 192.168.0.0 0.0.255.255 any

permit ip any any

!

access-list 110 permit ip 192.168.0.0 0.0.255.255 any

!

!

!

!

route-map fibertel permit 10

match ip address 110

match interface GigabitEthernet0/0

!

route-map arnet permit 10

match ip address 110

match interface GigabitEthernet0/1

!

!

!

control-plane

!

!

banner exec ^C^C

banner login ^C^C

banner motd ^C^C

!

line con 0

login local

line aux 0

line 2

no activation-character

no exec

transport preferred none

transport input all

transport output pad telnet rlogin lapb-ta mop udptn v120 ssh

stopbits 1

line vty 0 4

access-class 23 in

privilege level 15

login local

transport input telnet ssh

line vty 5 15

access-class 23 in

privilege level 15

login local

transport input telnet ssh

!

scheduler allocate 20000 1000

end

So far so good, I check the NAT transactions:

router1#show ip nat trans

Pro Inside global      Inside local       Outside local      Outside global

tcp 200.122.102.74:62114 192.168.0.1:62114 17.151.239.110:443 17.151.239.110:443

tcp 200.122.102.74:62119 192.168.0.1:62119 17.172.233.134:5223 17.172.233.134:5223

tcp 200.122.102.74:34945 192.168.0.2:34945 181.30.241.103:443 181.30.241.103:443

tcp 200.122.102.74:37444 192.168.0.2:37444 173.194.42.230:443 173.194.42.230:443

tcp 200.122.102.74:37695 192.168.0.2:37695 181.30.241.109:80 181.30.241.109:80

tcp 200.122.102.74:40662 192.168.0.2:40662 173.194.74.188:5228 173.194.74.188:5228

tcp 186.153.125.138:41426 192.168.0.2:41426 216.115.101.179:443 216.115.101.179:443

tcp 200.122.102.74:41484 192.168.0.2:41484 216.115.101.179:443 216.115.101.179:443

tcp 200.122.102.74:42381 192.168.0.2:42381 181.30.241.31:80  181.30.241.31:80

tcp 186.153.125.138:42553 192.168.0.2:42553 98.136.223.39:8996 98.136.223.39:8996

and I see that they are going thru both connections.

Buuuuuuuuuuuuut, when I check the interfaces...

router1#show int g0/0

GigabitEthernet0/0 is up, line protocol is up

  Hardware is CN Gigabit Ethernet, address is c464.1354.b8c0 (bia c464.1354.b8c0

)

  Description: Fibertel

  Internet address is 200.122.102.74/24

  MTU 1500 bytes, BW 100000 Kbit/sec, DLY 100 usec,

     reliability 255/255, txload 1/255, rxload 1/255

  Encapsulation ARPA, loopback not set

  Keepalive set (10 sec)

  Full Duplex, 100Mbps, media type is RJ45

  output flow-control is XON, input flow-control is XON

  ARP type: ARPA, ARP Timeout 04:00:00

  Last input 00:00:00, output 00:00:00, output hang never

  Last clearing of "show interface" counters never

  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0

  Queueing strategy: fifo

  Output queue: 0/40 (size/max)

  5 minute input rate 774000 bits/sec, 161 packets/sec

  5 minute output rate 423000 bits/sec, 102 packets/sec

     2133521 packets input, 1223904205 bytes, 0 no buffer

     Received 615778 broadcasts (0 IP multicasts)

     0 runts, 0 giants, 0 throttles

     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored

     0 watchdog, 0 multicast, 0 pause input

     1065308 packets output, 214203455 bytes, 0 underruns

     0 output errors, 0 collisions, 1 interface resets

     0 unknown protocol drops

     0 babbles, 0 late collision, 0 deferred

     1 lost carrier, 0 no carrier, 0 pause output

     0 output buffer failures, 0 output buffers swapped out

router1#show int g0/1

GigabitEthernet0/1 is up, line protocol is up

  Hardware is CN Gigabit Ethernet, address is c464.1354.b8c1 (bia c464.1354.b8c1

)

  Description: arnet

  Internet address is 186.153.125.138/29

  MTU 1500 bytes, BW 100000 Kbit/sec, DLY 100 usec,

     reliability 255/255, txload 1/255, rxload 1/255

  Encapsulation ARPA, loopback not set

  Keepalive set (10 sec)

  Full Duplex, 100Mbps, media type is RJ45

  output flow-control is XON, input flow-control is XON

  ARP type: ARPA, ARP Timeout 04:00:00

  Last input 00:04:01, output 00:00:06, output hang never

  Last clearing of "show interface" counters never

  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0

  Queueing strategy: fifo

  Output queue: 0/40 (size/max)

  5 minute input rate 0 bits/sec, 0 packets/sec

  5 minute output rate 0 bits/sec, 0 packets/sec

     208948 packets input, 153515983 bytes, 0 no buffer

     Received 1236 broadcasts (0 IP multicasts)

     0 runts, 0 giants, 0 throttles

     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored

     0 watchdog, 0 multicast, 0 pause input

     190283 packets output, 45657373 bytes, 0 underruns

     0 output errors, 0 collisions, 0 interface resets

     0 unknown protocol drops

     0 babbles, 0 late collision, 0 deferred

     0 lost carrier, 0 no carrier, 0 pause output

     0 output buffer failures, 0 output buffers swapped out

Everything is going thru G0/0 and nothing in G0/1!

Any ideas on why this is happening?

Thanks in advance for all your help!

Regards,

Alan


Hi,

if you see the nat translations it means that routing is ok so both routes are installed with same AD, the DHCP learned route and the floating route which is not floating here, sh ip route should confirm or infirm this but before natting from inside to outside routing must be ok so I doubt my reasoning is wrong.

Now in this case you have packets flowing through both interfaces but the load balancing in 1:1 ratio will only be seen with a lot of different src/dest IP because of the way CEF chooses outgoing interface and so maybe you have low traffic on g0/1 and higher traffic on g0/0 and also TCP NAT entries stay 24 hours in the NAT table so it may not reflect the current traffic flows.

Regards

Alain


Don't forget to rate helpful posts.


Hello Alain,

thanks for the quick response. I don't know why, but it is now not working at all, the config is exactly the same, I haven't changed anything.

Here is the sh ip route:

router1#sh ip route

Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP

       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area

       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

       E1 - OSPF external type 1, E2 - OSPF external type 2

       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2

       ia - IS-IS inter area, * - candidate default, U - per-user static route

       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP

       + - replicated route, % - next hop override

Gateway of last resort is 200.122.102.1 to network 0.0.0.0

S*    0.0.0.0/0 [254/0] via 200.122.102.1

      172.20.0.0/32 is subnetted, 1 subnets

S        172.20.2.201 [254/0] via 200.122.102.1, GigabitEthernet0/0

      186.153.0.0/16 is variably subnetted, 2 subnets, 2 masks

C        186.153.125.136/29 is directly connected, GigabitEthernet0/1

L        186.153.125.138/32 is directly connected, GigabitEthernet0/1

C     192.168.0.0/16 is directly connected, GigabitEthernet0/2

      192.168.2.0/32 is subnetted, 1 subnets

L        192.168.2.2 is directly connected, GigabitEthernet0/2

      200.122.102.0/24 is variably subnetted, 2 subnets, 2 masks

C        200.122.102.0/24 is directly connected, GigabitEthernet0/0

L        200.122.102.74/32 is directly connected, GigabitEthernet0/0

Apparently everything is working fine there, but I have made tests with heavy traffic (45 PC's connected, and around 20 cell phones, with users using all of them) and I still got no packets in G0/1!

I have cleared the ip nat trans and tried again, and now everything is going thru G0/0, no NAT translations going thru G0/1. I checked the connections again:

router1#sh int g0/0

GigabitEthernet0/0 is up, line protocol is up

  Hardware is CN Gigabit Ethernet, address is c464.1354.b8c0 (bia c464.1354.b8c0

)

  Description: Fibertel

  Internet address is 200.122.102.74/24

  MTU 1500 bytes, BW 100000 Kbit/sec, DLY 100 usec,

     reliability 255/255, txload 1/255, rxload 3/255

  Encapsulation ARPA, loopback not set

  Keepalive set (10 sec)

  Full Duplex, 100Mbps, media type is RJ45

  output flow-control is XON, input flow-control is XON

  ARP type: ARPA, ARP Timeout 04:00:00

  Last input 00:00:00, output 00:00:00, output hang never

  Last clearing of "show interface" counters never

  Input queue: 0/75/4/0 (size/max/drops/flushes); Total output drops: 0

  Queueing strategy: fifo

  Output queue: 0/40 (size/max)

  5 minute input rate 1196000 bits/sec, 199 packets/sec

  5 minute output rate 91000 bits/sec, 77 packets/sec

     8774110 packets input, 3623901555 bytes, 0 no buffer

     Received 4768581 broadcasts (0 IP multicasts)

     0 runts, 0 giants, 4 throttles

     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored

     0 watchdog, 0 multicast, 0 pause input

     2789501 packets output, 503158455 bytes, 0 underruns

     0 output errors, 0 collisions, 1 interface resets

     0 unknown protocol drops

     0 babbles, 0 late collision, 0 deferred

     1 lost carrier, 0 no carrier, 0 pause output

     0 output buffer failures, 0 output buffers swapped out

router1#sh int g0/1

GigabitEthernet0/1 is up, line protocol is up

  Hardware is CN Gigabit Ethernet, address is c464.1354.b8c1 (bia c464.1354.b8c1

)

  Description: arnet

  Internet address is 186.153.125.138/29

  MTU 1500 bytes, BW 100000 Kbit/sec, DLY 100 usec,

     reliability 255/255, txload 1/255, rxload 1/255

  Encapsulation ARPA, loopback not set

  Keepalive set (10 sec)

  Full Duplex, 100Mbps, media type is RJ45

  output flow-control is XON, input flow-control is XON

  ARP type: ARPA, ARP Timeout 04:00:00

  Last input 00:02:06, output 00:00:03, output hang never

  Last clearing of "show interface" counters never

  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0

  Queueing strategy: fifo

  Output queue: 0/40 (size/max)

  5 minute input rate 0 bits/sec, 0 packets/sec

  5 minute output rate 0 bits/sec, 0 packets/sec

     215827 packets input, 153933841 bytes, 0 no buffer

     Received 7458 broadcasts (0 IP multicasts)

     0 runts, 0 giants, 0 throttles

     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored

     0 watchdog, 0 multicast, 0 pause input

     197399 packets output, 46086254 bytes, 0 underruns

     0 output errors, 0 collisions, 0 interface resets

     0 unknown protocol drops

     0 babbles, 0 late collision, 0 deferred

     0 lost carrier, 0 no carrier, 0 pause output

     0 output buffer failures, 0 output buffers swapped out

Any ideas?


Hi,

yes here you only have one default route installed (the one retrieved from DHCP server) so it can't NAT on the other interface as it can't route out this one.

change your config like this:

no ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0 track 123

no ip route 0.0.0.0 0.0.0.0 200.122.102.1 254

ip route 0.0.0.0 0.0.0.0 dhcp

ip route 0.0.0.0 0.0.0.0 200.122.102.1 254

Now if you want to track the first route look at this document:

http://www.cisco.com/en/US/docs/ios/dial/configuration/guide/dia_rel_stc_rtg_bckup.html#wp1065528

Regards

Alain

Don't forget to rate helpful posts.
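
The diagnosis in the reply above (a NAT overload rule is unusable when no installed default route leaves through its interface) can be checked from the two outputs already posted. This is an added example, not part of the original posts and not Cisco tooling; the input lines are copied from this thread, the function names are hypothetical, and it assumes default routes appear with a `via` next hop.

```python
import ipaddress
import re

# Lines copied from the running-config and "sh ip route" output posted in this thread.
CONFIG = """\
ip nat inside source route-map arnet interface GigabitEthernet0/1 overload
ip nat inside source route-map fibertel interface GigabitEthernet0/0 overload
"""
ROUTES = """\
S*    0.0.0.0/0 [254/0] via 200.122.102.1
C        186.153.125.136/29 is directly connected, GigabitEthernet0/1
C     192.168.0.0/16 is directly connected, GigabitEthernet0/2
C        200.122.102.0/24 is directly connected, GigabitEthernet0/0
"""

NAT_RE = re.compile(r"^ip nat inside source route-map \S+ interface (\S+) overload", re.M)
CONN_RE = re.compile(r"^C\s+(\S+/\d+) is directly connected, (\S+)", re.M)
VIA_RE = re.compile(r"\[\d+/\d+\] via (\d+\.\d+\.\d+\.\d+)")


def default_next_hops(routes):
    """Next hops of the installed 0.0.0.0/0 entry, including equal-cost extra paths."""
    hops, in_default = [], False
    for line in routes.splitlines():
        if re.match(r"\S+\s+0\.0\.0\.0/0\s", line):
            in_default = True            # first line of the default-route entry
        elif not line.lstrip().startswith("["):
            in_default = False           # any other entry ends the default block
        if in_default:
            hops += VIA_RE.findall(line)
    return hops


def nat_egress_report(config, routes):
    """Map each NAT overload interface to the default next hops on its connected subnet."""
    connected = {iface: ipaddress.ip_network(net) for net, iface in CONN_RE.findall(routes)}
    hops = [ipaddress.ip_address(h) for h in default_next_hops(routes)]
    report = {}
    for iface in NAT_RE.findall(config):
        net = connected.get(iface)
        report[iface] = [str(h) for h in hops if net is not None and h in net]
    return report


def unusable_nat_interfaces(config, routes):
    """NAT interfaces that no installed default route sends traffic out of."""
    return sorted(i for i, hops in nat_egress_report(config, routes).items() if not hops)


if __name__ == "__main__":
    for iface, hops in nat_egress_report(CONFIG, ROUTES).items():
        print(iface, "->", ", ".join(hops) or "no default route out of this interface")
```

Run against the posted output it reports GigabitEthernet0/1 as having no default route, which matches the idle counters on that interface.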


That was the problem Alain. Now it's working.

Thanks!

Regards,

Alan


I will start working with the article you gave me, to see if I can make it work... Thanks again!
