Cisco Support Community
New Member

ADSL and FR with VPN

Dears,

I have two internet links: one is an ADSL connection provided on an Ethernet interface of the router (1841), and the other is a 1MB Frame-Relay link provided on a serial interface of the same router. Both have a common public IP address (/28).

I need to load-balance across them, using the Nortel VPN as the gateway of the company (using only one tunnel).

Appreciate the early reply

17 REPLIES
Silver

Re: ADSL and FR with VPN

If the VPN gateway is behind the 1841 (i.e. between the 1841 and the internal network), you can use two static routes to carry out the load-sharing.

However, you have to clarify the two links' performance and bandwidth. Otherwise, there may be a problem in the tunnel w/ different packet ordering.

Moreover, you may consider using per-packet load-sharing instead of per-destination; otherwise, the traffic may be running over one link only.

Because the VPN tunnel is carried outside the router, you have to compare the performance of the tunnel in the one-link and two-link cases. If one link is better than two links, you may consider resiliency instead of load-sharing. When configuring resiliency, you can consider using a floating static w/ object tracking to prevent the ADSL WAN down but LAN up issue.

Hope this helps.

New Member

Re: ADSL and FR with VPN

Thank you Jack, I would like to know how I could do the per-packet load-sharing.

Meanwhile, the problem is that the VPN is connected to the first FastEthernet 0/0 and has a public IP address in the same subnet as the ADSL. The ADSL is connected to the second FastEthernet 0/1 of the router. How can I do a static route in this case? There will be a duplication issue.

The other FR link is on a serial interface and has a private IP address.

Cheers

Salah.

Silver

Re: ADSL and FR with VPN

You're welcome. Could you please clarify the network design as below ?

LAN <--> VPN GW <--> 1841 <--ADSL/FR--> Remote router <--> Remote VPN GW <--> Remote LAN

Do you mean you have no IP at ADSL ? or Unnumbered the IP of FE0/0 w/ FE0/1 ?

I suggest using the static routes below for load-sharing.

ip route 0.0.0.0 0.0.0.0

ip route 0.0.0.0 0.0.0.0

and remove the "ip route-cache" at the ADSL and serial interfaces, i.e. ("no ip route-cache").

Check below for info.

http://www.cisco.com/en/US/tech/tk365/technologies_tech_note09186a0080094820.shtml

Or, if the router can support CEF, you can use "ip load-sharing per-packet". Check below for details and try the configuration to determine which one works for you.

http://www.cisco.com/en/US/products/sw/iosswrel/ps1831/products_configuration_guide_chapter09186a00800ca6ca.html#1000978

However, I am still concerned about the two links' performance, which may create problems if load-sharing between them. Better to test and select the best solution.

Hope this helps.

New Member

Re: ADSL and FR with VPN

The VPN is connected to the first router Ethernet interface, which has a public IP address.

How could I connect the ADSL to the second router Ethernet interface, which has a public IP as well, in the same subnet as the first Ethernet interface?

Silver

Re: ADSL and FR with VPN

In a router, you cannot configure the same subnet on more than one interface, unless you are using unnumbering, in which case it uses the unnumbered interface address.

Could you please provide a diagram that shows how the devices are connected to each other? I still do not understand why you need to use the same subnet for two interfaces. Thx.

New Member

Re: ADSL and FR with VPN

Note: It is one ISP and one subnet for both connections (ADSL & FR).

ADSL has an Ethernet connection with a public IP, FR has serial with a private IP.

Silver

Re: ADSL and FR with VPN

Thanks for the diagram. It is much clearer. Could you answer the questions below?

1) Can the RHS VPN connect to the Internet directly? i.e. w/o requiring a connection to a router?

2) I believe the ADSL is using a public IP from the ISP, and the router at LHS uses the public IP which is provided by the ISP (FR or ADSL), or do you own it?

3) Are the ADSL & FR the same ISP?

4) How does the FR connect to the Internet? Or is it a private link? Private addresses should not be able to be used on the Internet. Or where is the NAT carried out?

Waiting for your feedback. :)

New Member

Re: ADSL and FR with VPN

My answers are below:

1) Can the RHS VPN connect to the Internet directly? No, it is connected to a router and FW.

2) I believe the ADSL is using a public IP from the ISP, and the router at LHS uses the public IP which is provided by the ISP (FR or ADSL), or do you own it? We own the router, a Cisco 1841.

3) Are the ADSL & FR the same ISP? Yes, same ISP.

4) How does the FR connect to the Internet? Or is it a private link? Private addresses should not be able to be used on the Internet. Or where is the NAT carried out?

Private on the serial interface but the internet traffic will be carried by public IP address which is the same as the ADSL subnet.

Thanks for your help.

Silver

Re: ADSL and FR with VPN

For Q2, I mean the IP address. But it is ok because you are using the same ISP for two links.

I still do not understand Q4: if your FR link is also connecting to the Internet, you have to use a public IP, or the ISP carries out the NAT for this link. Please clarify.

If the two WAN connections are provided by the same ISP, then there should be no issue advertising the same public address to the Internet.

I believe the IP at the private side of the VPN should be private, and a public IP is used at the connection to the router. Right?

Then the VPN connection to the router is also using the public IP, so you can simply enable two static routes at the router, as I mentioned before, pointing to the interface as next-hop.

If there is traffic from the VPN GW to the router, the router will load-share over the two equal-cost static routes. At the RHS, there is no issue in that the VPN is connecting to a FW and router and then the Internet. The two VPNs should be able to build the tunnel.

Could you please provide the 1841 config so that I can understand the current design better?

Hope this helps.

New Member

Re: ADSL and FR with VPN

I agree with you on using two static routes, but my question is: what IP address will be assigned to the router Ethernet interface connected to the ADSL modem? Bear in mind that we are using the 2nd Ethernet for the VPN, and it is in the same subnet as the ADSL public IP address!!

Silver

Re: ADSL and FR with VPN

As I mentioned before, you can use the interface name as the next-hop in a static route.

e.g.

ip route 0.0.0.0 0.0.0.0

ip route 0.0.0.0 0.0.0.0

New Member

Re: ADSL and FR with VPN

But what IP address will be assigned to the Fast 0/0 interface belonging to the ADSL? Also, the VPN is connected to the second Fast 0/1, which has a public IP address!!

So you have two devices having a public IP address, which cannot be:

Int fas 0/0

Desc TO VPN

IP address 213.42.180.68

Int fas 0/1

Desc " To ADSL "

IP address ??????????????? (What is the IP address here???)

!

ip route 0.0.0.0 0.0.0.0 213.42.180.66 (ADSL)

ip route 0.0.0.0 0.0.0.0

Silver

Re: ADSL and FR with VPN

Please correct me if I understood incorrectly.

I believe the PTT should provide two sets of public IPs to you: one for FE 0/0 (VPN connection) and one for the ADSL connection.

If there is only one IP, you can try to use IP unnumbering at FE 0/1 as below:

http://www.cisco.com/en/US/tech/tk648/tk362/technologies_tech_note09186a0080094e8d.shtml

int fast 0/1

ip unnumbered fast 0/0

ip route 0.0.0.0 0.0.0.0 fast 0/1

ip route 0.0.0.0 0.0.0.0

Please try it and advise the result.

Hope this helps.

New Member

Re: ADSL and FR with VPN

I cannot add ip unnumbered on the FastEthernet; it gives me this error:

Point-to-point (non-multi-access) interfaces only

Silver

Re: ADSL and FR with VPN

If this is the case, and the ISP cannot provide one more IP for the VPN (I believe the original IP is for the WAN connection), there are two options:

1) You may consider connecting the VPN and WAN to the same Ethernet segment / interface and assigning the IP to it, because LAN is shared media, but it also requires an IP for the VPN device.

2) Enable NAT in the router: set up a private address at the VPN-connected interface and translate it to public at the WAN (ISP assigned IP).

I recommend option 2, because no additional ISP IP is required.

Please advise your preference and the result if you can test it.

New Member

Re: ADSL and FR with VPN

Hi Jack,

Dear Jack,

Sorry to bother you a lot with this problem.

I have a question about option 2: can the VPN have a private IP address instead of a public one? How will it terminate the IPsec session with a private IP? Bear in mind that we are using a non-Cisco VPN product; I mean the VPN is not on the Cisco Router 1841 itself.

Thanks for your patience.

Silver

Re: ADSL and FR with VPN

It is fine for me. We share our knowledge and discuss here. ;)

For option 2, I understood that the VPN device is not a router and is attached to the 1841. It certainly can use a private address, because I propose to enable network address translation at the 1841 at the same time, to translate the private address of the VPN to the public address at the ISP side.

From the Internet side, the VPN is using a public address due to NAT being enabled. From the VPN side, it is using a private address but is able to reach outside via the 1841 Internet router.

So the remote VPN side will treat the local VPN as a public IP. There should be no problem with it, and it is also the normal practice to implement a VPN device behind the router w/o enough public addresses.

Below is the sample of NAT :

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_configuration_example09186a0080093f2f.shtml

Hope this helps.
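
Option 2 from the replies above, written out as an IOS configuration sketch. This is an added example, not a configuration posted by anyone in the thread: it assumes both VPN gateways support IPsec NAT traversal (ESP carried in UDP 4500), and the 10.255.0.0/30 inside subnet, the 198.51.100.10 remote peer address and the ACL name VPN-ONLY-IN are constructed for illustration.

```cisco
! Added example. Only 213.42.180.68 and the /28 mask come from the thread;
! every other address and name here is constructed.
!
interface FastEthernet0/0
 description To VPN gateway (inside, private addressing)
 ip address 10.255.0.1 255.255.255.252
 ip nat inside
!
interface FastEthernet0/1
 description To ADSL (outside, ISP-assigned public address)
 ip address 213.42.180.68 255.255.255.240
 ip nat outside
 ip access-group VPN-ONLY-IN in
!
! The FR serial interface (name not given in the thread) also needs
! "ip nat outside" and the same inbound ACL if tunnel traffic can
! arrive over it.
!
! Forward IKE (UDP 500) and NAT-T (UDP 4500) arriving at the public
! address to the VPN gateway at 10.255.0.2 (constructed address).
ip nat inside source static udp 10.255.0.2 500 interface FastEthernet0/1 500
ip nat inside source static udp 10.255.0.2 4500 interface FastEthernet0/1 4500
!
! Inbound ACLs are evaluated before outside-to-inside NAT, so the ACL
! matches the public address. Only the remote VPN peer (constructed
! address 198.51.100.10) may reach the forwarded ports.
ip access-list extended VPN-ONLY-IN
 permit udp host 198.51.100.10 host 213.42.180.68 eq 500
 permit udp host 198.51.100.10 host 213.42.180.68 eq 4500
 deny   ip any any log
```

The final deny assumes the tunnel is the only traffic expected from the Internet side; `show ip nat translations` and the ACL hit counters from `show access-lists VPN-ONLY-IN` confirm whether the peer's IKE and NAT-T packets are being translated and permitted.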
