
New Member

Problem With VPN - CEF - Load balancing

Hi.

I have a problem configuring a Cisco 2921. I have 2 ISPs (no BGP). I want NAT, load balancing and VPN clients.

Now it is working with ISP2 (ISP1 off).

With this config (attached), when I turn on ISP1 there are packet losses.

Where is the mistake?

How do I solve this problem?

Please help me.

Thanks.

5 REPLIES
Cisco Employee

Re: Problem With VPN - CEF - Load balancing

Albert,

Can you let me know what exactly you would like to achieve?

I'd suggest using VTI (DVTI for remote access) in a scenario where you want to have two ISPs and IPSec.

What NAT would you like to do?

What would you like to load balance and based on what?

The config you have:

ip route 0.0.0.0 0.0.0.0 195.xxx.xxx.97 track 1
ip route 0.0.0.0 0.0.0.0 85.zzz.zzz.113 track 2

If tracker 1 and tracker 2 are up the router will load balance per packet not per flow, how would you expect the communication to work if you're not multihoming?

Marcin

New Member

Re: Problem With VPN - CEF - Load balancing

I have many workstations and a few servers, connected to 2 ISPs - one 2 Mbit/s (ISP1) and the other 4 Mbit/s (ISP2).

This network should be NATed to connect to the Internet. Some services should be visible from the Internet (from both ISPs).

Mail should leave through one ISP only (ISP1).

I want per-destination load balancing for outgoing traffic.

Cisco Employee

Re: Problem With VPN - CEF - Load balancing

You can use policy maps and policy-based routing to load balance per destination, but in this case one destination will be statically defined for a given destination, and if the next hop is unreachable you'll switch to the other.

Have a look at this:

http://www.cisco.com/en/US/tech/tk364/technologies_configuration_example09186a0080211f5c.shtml

New Member

Re: Problem With VPN - CEF - Load balancing

You mean that I should remove these lines from the config:

ip route 0.0.0.0 0.0.0.0 195.xxx.xxx.97 track 1
ip route 0.0.0.0 0.0.0.0 85.zzz.zzz.113 track 2

And add this:
!
track 1 ip sla 1 reachability
track 2 ip sla 2 reachability
!
interface GigabitEthernet0/0
description Local LAN$ES_LAN$
ip address 10.0.0.100 255.0.0.0
ip access-group Inside-acl in
ip access-group VPN-2-local out
ip nat inside
ip virtual-reassembly in
ip policy route-map ISP_OUT
duplex auto
speed auto
!
interface GigabitEthernet0/1
description ISP1
bandwidth 2048
ip address 195.XXX.XXX.98 255.255.255.252
ip nat outside
ip virtual-reassembly in
no ip route-cache cef
duplex auto
speed auto
crypto map MobVPN_Map
!
interface GigabitEthernet0/2
description ISP2
bandwidth 4096
ip address 85.zzz.zzz.114 255.255.255.252
ip nat outside
ip virtual-reassembly in
no ip route-cache cef
duplex auto
speed auto
crypto map MobVPN_Map
!
ip sla 1
icmp-echo 195.xxx.xxx.97 source-interface GigabitEthernet0/1
threshold 40
timeout 1000
frequency 3
ip sla schedule 1 life forever start-time now
ip sla 2
icmp-echo 85.zzz.zzz.113 source-interface GigabitEthernet0/2
threshold 40
timeout 1000
frequency 3
ip sla schedule 2 life forever start-time now
!
route-map ISP_OUT permit 10
 set ip next-hop verify-availability 195.xxx.xxx.97 10 track 1
 set ip next-hop verify-availability 85.zzz.zzz.113 20 track 2
!
Please help me to modify that route-map so packets going out to port 25 leave only through ISP1.
Thanks.

Cisco Employee

Re: Problem With VPN - CEF - Load balancing

Hi, you have to leave your two static routes in place for other traffic.

To direct the SMTP streams to your first ISP, use something like this:

ip access-list extended SMTP_TRAFFIC
 permit tcp any any eq 25
 exit
!
route-map ISP_OUT permit 10
 match ip address SMTP_TRAFFIC
 ! track object to the next hop
 set ip next-hop verify-availability X.X.X.X 10 track #

Then apply the policy.

All traffic not matching the ACL will be routed normally.
SMTP traffic will be routed to the next-hop you've specified if it is up, otherwise using the routing table.

Hope this will help
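A complete version of what the replies above describe, added here as a constructed example (not posted by anyone in the thread): it reuses the addresses and interface names from the earlier config, keeps both tracked default routes, policy-routes only SMTP, and adds the interface-based NAT the thread mentions but never shows (the NAT route-map names and the 10.0.0.0/8 source are assumptions).

```cisco
! Constructed example. ISP1 next hop 195.xxx.xxx.97 via Gi0/1, ISP2 next hop
! 85.zzz.zzz.113 via Gi0/2; the xxx/zzz octets are the thread's own placeholders.
!
! Both tracked default routes stay; everything except SMTP follows them.
ip route 0.0.0.0 0.0.0.0 195.xxx.xxx.97 track 1
ip route 0.0.0.0 0.0.0.0 85.zzz.zzz.113 track 2
!
! Only SMTP from the LAN is policy-routed. The earlier route-map had no
! match clause, so it caught all LAN traffic and sent it to ISP1 first.
ip access-list extended SMTP_TRAFFIC
 permit tcp 10.0.0.0 0.255.255.255 any eq 25
!
! "10" is the mandatory sequence number before "track". If track 1 is down the
! entry is skipped and SMTP falls back to the routing table (ISP2).
route-map ISP_OUT permit 10
 match ip address SMTP_TRAFFIC
 set ip next-hop verify-availability 195.xxx.xxx.97 10 track 1
!
interface GigabitEthernet0/0
 ip policy route-map ISP_OUT
!
! Translate by egress interface: a flow leaving via Gi0/2 is NATed to Gi0/2's
! address, so its replies come back on ISP2. A single NAT statement bound to
! one interface would break every flow the other default route carries.
route-map NAT_ISP1 permit 10
 match interface GigabitEthernet0/1
route-map NAT_ISP2 permit 10
 match interface GigabitEthernet0/2
ip nat inside source route-map NAT_ISP1 interface GigabitEthernet0/1 overload
ip nat inside source route-map NAT_ISP2 interface GigabitEthernet0/2 overload
!
! Leave CEF on both outside interfaces (the thread's config had
! "no ip route-cache cef"); CEF shares the two default routes per destination.
interface GigabitEthernet0/1
 ip route-cache cef
interface GigabitEthernet0/2
 ip route-cache cef
```

Check with "show route-map ISP_OUT" (policy match counters) and "show ip nat translations" that SMTP flows show an ISP1 inside-global address while other flows are split between the two.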
